Detections
Analytics
GLSA-201703-04 : cURL: Certificate validation error
medium Nessus Plugin ID 99011
Language:
Synopsis
The remote Gentoo host is missing one or more security-related patches.Description
The remote host is affected by the vulnerability described in GLSA-201703-04 (cURL: Certificate validation error)cURL and applications linked against libcurl support “OCSP stapling”, also known as the TLS Certificate Status Request extension (using the CURLOPT_SSL_VERIFYSTATUS option). When telling cURL to use this feature, it uses that TLS extension to ask for a fresh proof of the server’s certificate’s validity. If the server doesn’t support the extension, or fails to provide said proof, cURL is expected to return an error.
Due to a coding mistake, the code that checks for a test success or failure, ends up always thinking there’s valid proof, even when there is none or if the server doesn’t support the TLS extension in question.
Impact :
Due to the error, a user maybe does not detect when a server’s certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality.
Workaround :
There is no known workaround at this time.
Solution
All cURL users should upgrade to the latest version:# emerge --sync # emerge --ask --oneshot --verbose '>=net-misc/curl-7.53.0'
See Also
Plugin Details
Severity: Medium
ID: 99011
File Name: gentoo_GLSA-201703-04.nasl
Version: 3.3
Type: local
Family: Gentoo Local Security Checks
Published: 3/28/2017
Updated: 1/11/2021
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.6
CVSS v2
Risk Factor: Medium
Base Score: 4
Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSS v3
Risk Factor: Medium
Base Score: 6.5
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Vulnerability Information
CPE: p-cpe:/a:gentoo:linux:curl, cpe:/o:gentoo:linux
Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list
Patch Publication Date: 3/28/2017
Reference Information
CVE: CVE-2017-2629
GLSA: 201703-04