CVE-2017-2629

NameCVE-2017-2629
Descriptioncurl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality. This flaw also exists in the command line tool (--cert-status).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)buster7.64.0-4+deb10u2fixed
buster (security)7.64.0-4+deb10u9fixed
bullseye (security), bullseye7.74.0-1.3+deb11u11fixed
bookworm, bookworm (security)7.88.1-10+deb12u5fixed
trixie8.5.0-2fixed
sid8.7.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsourcewheezy(not affected)
curlsourcejessie(not affected)
curlsource(unstable)7.52.1-3

Notes

[jessie] - curl <not-affected> (Vulnerable code introduced later)
[wheezy] - curl <not-affected> (Vulnerable code introduced later)
https://github.com/curl/curl/commit/ca6ea6d9be5102a2246dff6e17b3ee9ad4ec64d0
Patch: https://curl.haxx.se/CVE-2017-2629.patch
https://curl.haxx.se/docs/adv_20170222.html

Search for package or bug name: Reporting problems