Bug 2310519 (CVE-2024-8096)
| Field | Value |
|---|---|
| Summary | CVE-2024-8096 curl: OCSP stapling bypass with GnuTLS |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | NEW |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Keywords | Security |
| Reporter | OSIDB Bzimport <bzimport> |
| Assignee | Product Security DevOps Team <prodsec-dev> |
| CC | adudiak, asdas, bdettelb, bmontgom, caswilli, cmoore, csutherl, dfreiber, doconnor, dpaolell, drow, eparis, gmccullo, jahealy, jburrell, jclere, jdelft, jmitchel, jtanner, jupierce, kaycoth, kshier, lgarciaa, lphiri, mbiarnes, mturk, npecka, nstielau, omaciel, pjindal, plodge, security-response-team, sidsharm, sponnaga, stcannon, szappis, talessio, teagle, vkumar, vlaad, ximhan, yguenane, yuxzhu |
| Deadline | 2024-09-11 |

Doc Text:

A vulnerability was found in Curl. When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and incorrectly consider the response as fine instead. If the returned status reports an error other than "revoked", such as "unauthorized", it is not treated as a bad certificate.
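The flaw class described in the Doc Text, as an added example that is not curl's or GnuTLS's code: a simplified model comparing a check that rejects only "revoked" with one that fails closed on every status other than a successful "good". The struct, function names and sample responses are assumptions constructed for illustration; the status values follow RFC 6960.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* OCSPResponseStatus and CertStatus values as defined in RFC 6960. */
enum resp_status { RESP_SUCCESSFUL = 0, RESP_MALFORMED_REQUEST = 1,
                   RESP_INTERNAL_ERROR = 2, RESP_TRY_LATER = 3,
                   RESP_SIG_REQUIRED = 5, RESP_UNAUTHORIZED = 6 };
enum cert_status { CERT_GOOD, CERT_REVOKED, CERT_UNKNOWN };

/* Hypothetical, simplified view of a stapled response whose signature has
   already been checked. 'cert' carries no information unless 'resp' is
   RESP_SUCCESSFUL. */
struct stapled { enum resp_status resp; enum cert_status cert; };

/* Deny-list check: the flaw class described above. Only "revoked" fails. */
static bool accept_denylist(const struct stapled *s)
{
  return !(s->resp == RESP_SUCCESSFUL && s->cert == CERT_REVOKED);
}

/* Allow-list check: fail closed unless the responder answered
   successfully and the certificate status is "good". */
static bool accept_allowlist(const struct stapled *s)
{
  return s->resp == RESP_SUCCESSFUL && s->cert == CERT_GOOD;
}

/* Constructed sample responses, not captured traffic. */
static const struct stapled samples[] = {
  { RESP_SUCCESSFUL,   CERT_GOOD    },
  { RESP_SUCCESSFUL,   CERT_REVOKED },
  { RESP_SUCCESSFUL,   CERT_UNKNOWN },
  { RESP_UNAUTHORIZED, CERT_UNKNOWN },
  { RESP_TRY_LATER,    CERT_UNKNOWN },
};
#define NSAMPLES (sizeof(samples) / sizeof(samples[0]))

/* Number of samples the deny-list accepts but the allow-list rejects. */
static size_t count_wrongly_accepted(void)
{
  size_t i, n = 0;
  for(i = 0; i < NSAMPLES; i++)
    if(accept_denylist(&samples[i]) && !accept_allowlist(&samples[i]))
      n++;
  return n;
}

int main(void)
{
  printf("accepted by deny-list only: %zu of %zu\n",
         count_wrongly_accepted(), NSAMPLES);
  return 0;
}
```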
Description
OSIDB Bzimport
2024-09-06 20:40:39 UTC