FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

curl -- OCSP verification bypass with TLS session reuse

Affected packages
curl < 8.6.0


VuXML ID 02e33cd1-c655-11ee-8613-08002784c58d
Discovery 2024-01-31
Entry 2024-02-28

Hiroki Kurosawa reports:

curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (OCSP stapling) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.


CVE Name CVE-2024-0853