CVE-2017-7468— Haxx curl/libcurl 安全漏洞

N/A

In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster. This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range.

N/A

证书验证不恰当

Haxx curl/libcurl 安全漏洞

Haxx curl和libcurl都是瑞典Haxx公司的产品。curl是一套利用URL语法在命令行下工作的文件传输工具。libcurl是一个免费、开源的客户端URL传输库。 Haxx curl和libcurl 7.52.0版本至7.53.1版本中存在安全漏洞，该漏洞源于在客户端证书被更改后，程序仍继续使用TLS会话。攻击者可利用该漏洞绕过安全限制。

N/A

N/A