FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

curl -- OCSP verification bypass with TLS session reuse

Affected packages
curl < 8.6.0

Details

VuXML ID 02e33cd1-c655-11ee-8613-08002784c58d
Discovery 2024-01-31
Entry 2024-02-28

Hiroki Kurosawa reports:

curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (OCSP stapling) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.
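The report's sequence can be reproduced in a toy model of a client-side session cache. This is an added example, not curl source code: `transfer`, the `evict` flag and `host.example` are hypothetical names, and evicting the cached session when the status check fails is this model's assumed correction, not a fix described on this page.

```c
/* Toy model of a client-side TLS session cache. Constructed for illustration;
 * not curl source code. Cache expiry ("freshness") is left out. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define SLOTS 8
struct cache { char host[SLOTS][64]; int used; };

static int cache_find(const struct cache *c, const char *host) {
    for (int i = 0; i < c->used; i++)
        if (strcmp(c->host[i], host) == 0) return i;
    return -1;
}

static void cache_add(struct cache *c, const char *host) {
    if (c->used == SLOTS || cache_find(c, host) >= 0) return;
    snprintf(c->host[c->used++], sizeof c->host[0], "%s", host);
}

static void cache_remove(struct cache *c, const char *host) {
    int i = cache_find(c, host);
    if (i >= 0) c->host[i][0] = '\0';   /* tombstone: no hostname matches "" */
}

/* One transfer with status verification requested. staple_ok says whether the
 * stapled OCSP response would validate on a full handshake. */
static bool transfer(struct cache *c, const char *host, bool staple_ok, bool evict) {
    if (cache_find(c, host) >= 0)
        return true;               /* resumed session: status check never runs */
    cache_add(c, host);            /* full handshake stores the session */
    if (staple_ok) return true;
    if (evict)
        cache_remove(c, host);     /* hardened: nothing left to resume */
    return false;
}

/* First transfer fails the status check. Does an identical second one succeed? */
bool second_transfer_succeeds(bool evict) {
    struct cache c = { .used = 0 };
    bool first = transfer(&c, "host.example", false, evict);
    bool second = transfer(&c, "host.example", false, evict);
    return !first && second;
}

int main(void) {
    printf("kept on failure: %d, evicted on failure: %d\n",
           second_transfer_succeeds(false), second_transfer_succeeds(true));
    return 0;
}
```

With the session kept, the second transfer succeeds although the stapled response never validated; with eviction, it fails like the first.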

References

CVE Name CVE-2024-0853
URL https://curl.se/docs/CVE-2024-0853.html