Vulnerability Information
It was discovered that curl incorrectly handled client certificates when resuming a TLS session.
It was discovered that curl incorrectly handled client certificates when reusing TLS connections.
It was discovered that curl incorrectly reused a connection struct, contrary to expectations.
Vulnerability Impact
An attacker can exploit these issues to affect confidentiality, integrity and availability of the system. (CVE-2016-5419) (CVE-2016-5420)
This issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5421)
Solution
Refer to Ubuntu advisory USN-3048-1 for affected packages and patching details, or update with your package manager.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
USN-3048-1: 16.04 (Xenial) on src (libcurl3-nss)
USN-3048-1: 14.04 (Kylin) on src (libcurl3-gnutls)
USN-3048-1: 14.04 (Kylin) on src (libcurl3-nss)
USN-3048-1: 16.04 (Xenial) on src (libcurl3-gnutls)
USN-3048-1: 16.04 (Xenial) on src (libcurl3)
USN-3048-1: 12.04 (Precise) on src (libcurl3)
USN-3048-1: 12.04 (Precise) on src (libcurl3-nss)