Synopsis: Moderate: curl security, bug fix, and enhancement update Advisory ID: SLSA-2016:2575-2 Issue Date: 2016-11-03 CVE Numbers: CVE-2016-5419 CVE-2016-5420 CVE-2016-7141 -- Security Fix(es): * It was found that the libcurl library did not prevent TLS session resumption when the client certificate had changed. An attacker could potentially use this flaw to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. (CVE-2016-5419) * It was found that the libcurl library did not check the client certificate when choosing the TLS connection to reuse. An attacker could potentially use this flaw to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. (CVE-2016-5420) * It was found that the libcurl library using the NSS (Network Security Services) library as TLS/SSL backend incorrectly re-used client certificates for subsequent TLS connections in certain cases. An attacker could potentially use this flaw to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. (CVE-2016-7141) Additional Changes: -- SL7 x86_64 curl-7.29.0-35.el7.x86_64.rpm curl-debuginfo-7.29.0-35.el7.i686.rpm curl-debuginfo-7.29.0-35.el7.x86_64.rpm libcurl-7.29.0-35.el7.i686.rpm libcurl-7.29.0-35.el7.x86_64.rpm libcurl-devel-7.29.0-35.el7.i686.rpm libcurl-devel-7.29.0-35.el7.x86_64.rpm - Scientific Linux Development Team