{"id":"CURL-CVE-2016-5419","summary":"TLS session resumption client cert bypass","details":"libcurl would attempt to resume a TLS session even if the client certificate\nhad changed. That is unacceptable since a server by specification is allowed\nto skip the client certificate check on resume, and may instead use the old\nidentity which was established by the previous certificate (or no\ncertificate).\n\nBy default, libcurl supports the use of TLS session IDs/tickets to resume\nprevious TLS sessions to speed up subsequent TLS handshakes. They are used\nto make the next handshake faster when, for any reason, an existing TLS\nconnection could not be kept alive.","aliases":["CVE-2016-5419"],"modified":"2024-06-07T13:53:51Z","published":"2016-08-03T08:00:00Z","database_specific":{"package":"curl","CWE":{"desc":"Authentication Bypass by Primary Weakness","id":"CWE-305"},"severity":"High","last_affected":"7.50.0","affects":"both","www":"https://curl.se/docs/CVE-2016-5419.html","URL":"https://curl.se/docs/CVE-2016-5419.json"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"5.0"},{"fixed":"7.50.1"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"ae1912cb0d494b48d514d937826c9fe83ec96c4d"},{"fixed":"247d890da88f9ee817079e246c59f3d7d12fde5f"}]}],"versions":["7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0","7.16.4","7.16.3","7.16.2","7.16.1","7.16.0","7.15.5","7.15.4","7.15.3","7.15.2","7.15.1","7.15.0","7.14.1","7.14.0","7.13.2","7.13.1","7.13.0","7.12.3","7.12.2","
7.12.1","7.12.0","7.11.2","7.11.1","7.11.0","7.10.8","7.10.7","7.10.6","7.10.5","7.10.4","7.10.3","7.10.2","7.10.1","7.10","7.9.8","7.9.7","7.9.6","7.9.5","7.9.4","7.9.3","7.9.2","7.9.1","7.9","7.8.1","7.8","7.7.3","7.7.2","7.7.1","7.7","7.6.1","7.6","7.5.2","7.5.1","7.5","7.4.2","7.4.1","7.4","7.3","7.2.1","7.2","7.1.1","7.1","6.5.2","6.5.1","6.5","6.4","6.3.1","6.3","6.2","6.1","6.0","5.11","5.10","5.9.1","5.9","5.8","5.7.1","5.7","5.5.1","5.5","5.4","5.3","5.2.1","5.2","5.0"],"database_specific":{"vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["70602983156883555501678400459011738830","192206273867007874966841254626412384031","199674410225803025015737343867245628091","156152138281087692854390963424805415050"]},"deprecated":false,"signature_version":"v1","target":{"file":"lib/url.c"},"id":"CURL-CVE-2016-5419-48db3bae","source":"https://github.com/curl/curl.git/commit/247d890da88f9ee817079e246c59f3d7d12fde5f","signature_type":"Line"},{"digest":{"length":204,"function_hash":"5164278074713622136204647028204665132"},"deprecated":false,"signature_version":"v1","target":{"file":"lib/vtls/vtls.c","function":"Curl_free_ssl_config"},"id":"CURL-CVE-2016-5419-64e4d9b9","source":"https://github.com/curl/curl.git/commit/247d890da88f9ee817079e246c59f3d7d12fde5f","signature_type":"Function"},{"digest":{"length":1029,"function_hash":"288805794638662842747289587723569494299"},"deprecated":false,"signature_version":"v1","target":{"file":"lib/vtls/vtls.c","function":"Curl_clone_ssl_config"},"id":"CURL-CVE-2016-5419-8f82e0b3","source":"https://github.com/curl/curl.git/commit/247d890da88f9ee817079e246c59f3d7d12fde5f","signature_type":"Function"},{"digest":{"length":9502,"function_hash":"165095557050142476170675936569687352024"},"deprecated":false,"signature_version":"v1","target":{"file":"lib/url.c","function":"create_conn"},"id":"CURL-CVE-2016-5419-c1408a2b","source":"https://github.com/curl/curl.git/commit/247d890da88f9ee817079e246c59f3d7d12fde5f","signature_type":"Func
tion"},{"digest":{"threshold":0.9,"line_hashes":["721553728817097252051965212312889387","310296420673524903970476156166525179002","145128848286185426903688224993316251024","175336607430241342224846987055290755423","164569230032924018897203957951227353888","328974664950857452203189501341482285892","13361445277107355669358339870219415331"]},"deprecated":false,"signature_version":"v1","target":{"file":"lib/vtls/vtls.c"},"id":"CURL-CVE-2016-5419-e9165a57","source":"https://github.com/curl/curl.git/commit/247d890da88f9ee817079e246c59f3d7d12fde5f","signature_type":"Line"},{"digest":{"threshold":0.9,"line_hashes":["232118607043507461080754511630523191910","335136721390014663370533995119370967883","186864921133587538447220880308462244511","205303330499427913315546665852374302002"]},"deprecated":false,"signature_version":"v1","target":{"file":"lib/urldata.h"},"id":"CURL-CVE-2016-5419-fde9f6c2","source":"https://github.com/curl/curl.git/commit/247d890da88f9ee817079e246c59f3d7d12fde5f","signature_type":"Line"}],"source":"https://curl.se/docs/CURL-CVE-2016-5419.json"}}],"schema_version":"1.7.3","credits":[{"name":"Bru Rom","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"},{"name":"Eric Rescorla","type":"OTHER"},{"name":"Ray Satiro","type":"OTHER"}]}