Test ID:	1.3.6.1.4.1.25623.1.0.871690
Category:	Red Hat Local Security Checks
Title:	RedHat Update for curl RHSA-2016:2575-02
Summary:	The remote host is missing an update for the 'curl'; package(s) announced via the referenced advisory.
Description:	Summary: The remote host is missing an update for the 'curl' package(s) announced via the referenced advisory. Vulnerability Insight: The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es): * It was found that the libcurl library did not prevent TLS session resumption when the client certificate had changed. An attacker could potentially use this flaw to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. (CVE-2016-5419) * It was found that the libcurl library did not check the client certificate when choosing the TLS connection to reuse. An attacker could potentially use this flaw to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. (CVE-2016-5420) * It was found that the libcurl library using the NSS (Network Security Services) library as TLS/SSL backend incorrectly re-used client certificates for subsequent TLS connections in certain cases. An attacker could potentially use this flaw to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. (CVE-2016-7141) Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. Affected Software/OS: curl on Red Hat Enterprise Linux Server (v. 7) Solution: Please Install the Updated Packages. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2016-5419 BugTraq ID: 92292 http://www.securityfocus.com/bid/92292 BugTraq ID: 92319 http://www.securityfocus.com/bid/92319 Debian Security Information: DSA-3638 (Google Search) http://www.debian.org/security/2016/dsa-3638 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLPXQQKURBQFM4XM6645VRPTOE2AWG33/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K3GQH4V3XAQ5Z53AMQRDEC3C3UHTW7QR/ https://security.gentoo.org/glsa/201701-47 https://curl.haxx.se/docs/adv_20160803A.html RedHat Security Advisories: RHSA-2016:2575 http://rhn.redhat.com/errata/RHSA-2016-2575.html RedHat Security Advisories: RHSA-2016:2957 http://rhn.redhat.com/errata/RHSA-2016-2957.html RedHat Security Advisories: RHSA-2018:3558 https://access.redhat.com/errata/RHSA-2018:3558 http://www.securitytracker.com/id/1036538 http://www.securitytracker.com/id/1038341 http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.563059 SuSE Security Announcement: openSUSE-SU-2016:2227 (Google Search) http://lists.opensuse.org/opensuse-updates/2016-09/msg00011.html SuSE Security Announcement: openSUSE-SU-2016:2379 (Google Search) http://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html http://www.ubuntu.com/usn/USN-3048-1 Common Vulnerability Exposure (CVE) ID: CVE-2016-5420 BugTraq ID: 92309 http://www.securityfocus.com/bid/92309 https://curl.haxx.se/docs/adv_20160803B.html http://www.securitytracker.com/id/1036537 http://www.securitytracker.com/id/1036739 Common Vulnerability Exposure (CVE) ID: CVE-2016-7141 BugTraq ID: 92754 http://www.securityfocus.com/bid/92754 https://lists.debian.org/debian-lts-announce/2018/11/msg00005.html
Copyright	Copyright (C) 2016 Greenbone AG

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.