CVE-2017-2629

NameCVE-2017-2629
Descriptioncurl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality. This flaw also exists in the command line tool (--cert-status).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)jessie7.38.0-4+deb8u11fixed
jessie (security)7.38.0-4+deb8u16fixed
stretch7.52.1-5+deb9u9fixed
stretch (security)7.52.1-5+deb9u10fixed
buster, buster (security)7.64.0-4+deb10u1fixed
bullseye, sid7.68.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsource(unstable)7.52.1-3
curlsourcejessie(not affected)
curlsourcewheezy(not affected)

Notes

[jessie] - curl <not-affected> (Vulnerable code introduced later)
[wheezy] - curl <not-affected> (Vulnerable code introduced later)
https://github.com/curl/curl/commit/ca6ea6d9be5102a2246dff6e17b3ee9ad4ec64d0
Patch: https://curl.haxx.se/CVE-2017-2629.patch
https://curl.haxx.se/docs/adv_20170222.html

Search for package or bug name: Reporting problems