svn commit: r434577 - head/security/vuxml

Bernard Spil brnrd at FreeBSD.org
Wed Feb 22 11:09:13 UTC 2017 

Author: brnrd
Date: Wed Feb 22 11:09:11 2017
New Revision: 434577
URL: https://svnweb.freebsd.org/changeset/ports/434577

Log:
  security/vuxml: Document cURL vulnerability

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Wed Feb 22 10:54:59 2017	(r434576)
+++ head/security/vuxml/vuln.xml	Wed Feb 22 11:09:11 2017	(r434577)
@@ -58,6 +58,47 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="311e4b1c-f8ee-11e6-9940-b499baebfeaf">
+    <topic>cURL -- ocsp status validation error</topic>
+    <affects>
+      <package>
+	<name>curl</name>
+	<range><lt>7.53.0</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The cURL project reports:</p>
+	<blockquote cite="https://curl.haxx.se/docs/adv_20170222.html">
+	  <p>SSL_VERIFYSTATUS ignored<br/>
+	    curl and libcurl support "OCSP stapling", also known as the TLS
+	    Certificate Status Request extension (using the
+	    CURLOPT_SSL_VERIFYSTATUS option). When telling curl to use this
+	    feature, it uses that TLS extension to ask for a fresh proof of
+	    the server's certificate's validity. If the server doesn't support
+	    the extension, or fails to provide said proof, curl is expected to
+	    return an error.<br/>
+	    Due to a coding mistake, the code that checks for a test success or
+	    failure, ends up always thinking there's valid proof, even when
+	    there is none or if the server doesn't support the TLS extension in
+	    question. Contrary to how it used to function and contrary to how
+	    this feature is documented to work.<br/>
+	    This could lead to users not detecting when a server's certificate
+	    goes invalid or otherwise be mislead that the server is in a better
+	    shape than it is in reality.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://curl.haxx.se/docs/adv_20170222.html</url>
+      <cvename>CVE-2017-2629</cvename>
+    </references>
+    <dates>
+      <discovery>2017-02-22</discovery>
+      <entry>2017-02-22</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="8cbd9c08-f8b9-11e6-ae1b-002590263bf5">
     <topic>xen-tools -- cirrus_bitblt_cputovideo does not check if memory region is safe</topic>
     <affects>

More information about the svn-ports-all mailing list