Bug 1906096 (CVE-2020-8286)
Summary: | CVE-2020-8286 curl: Inferior OCSP verification | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | amctagga, andrew.slice, anharris, bniver, bodavis, csutherl, dbhole, erik-fedora, flucifre, gmeno, gzaronik, hhorak, hvyas, jclere, jorton, jwon, kanderso, kaycoth, kdudka, krathod, luhliari, mbabacek, mbenjamin, mhackett, mike, msekleta, mturk, omajid, paul, pjindal, rwagner, sgrubb, sostapov, svashisht, vereddy |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://issues.redhat.com/browse/JBCS-1047 | ||
Whiteboard: | |||
Fixed In Version: | curl 7.74.0 | Doc Type: | If docs needed, set a value |
Doc Text: |
Libcurl offers "OCSP stapling" via the CURLOPT_SSL_VERIFYSTATUS option. When set, libcurl verifies the OCSP response that a server responds with as part of the TLS handshake. It then aborts the TLS negotiation if something is wrong with the response. The same feature can be enabled with --cert-status using the curl tool. As part of the OCSP response verification, a client should verify that the response is indeed set out for the correct certificate. This step was not performed by libcurl when built or told to use OpenSSL as TLS backend.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-05-18 20:37:57 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1906098, 1906099, 1908402, 1908403 | ||
Bug Blocks: | 1906107 |
Description
Guilherme de Almeida Suckevicz
2020-12-09 16:53:14 UTC
Created curl tracking bugs for this issue: Affects: fedora-all [bug 1906098] Created mingw-curl tracking bugs for this issue: Affects: fedora-all [bug 1906099] External References: https://curl.se/docs/CVE-2020-8286.html Upstream commit: https://github.com/curl/curl/commit/d9d01672785b This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1610 https://access.redhat.com/errata/RHSA-2021:1610 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8286 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8286 This issue has been addressed in the following products: JBoss Core Services Apache HTTP Server 2.4.37 SP8 Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471 This issue has been addressed in the following products: JBoss Core Services on RHEL 7 JBoss Core Services for RHEL 8 Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472 |