Jump to:

CVE-2024-8096

Jump to:

CVE-2024-8096

Package curl updated to version 8.10.0-alt1 for branch c10f2 in task 357273.

Published: 2024-09-11
Modified: 2024-11-21

CVE-2024-8096

When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.

References:

http://www.openwall.com/lists/oss-security/2024/09/11/1
www
json
issue
https://lists.debian.org/debian-lts-announce/2024/11/msg00008.html
https://security.netapp.com/advisory/ntap-20241011-0005/

Version: 2.1.0

Package curl update in c10f2 on 2024-09-13

ALT-PU-2024-12468-2

Closed vulnerabilities

CVE-2024-8096