After testing original CVE-2016-5420 patch, it was discovered that libcurl built on top of NSS (Network Security Services) still incorrectly re-uses client certificates if a certificate from file is used for one TLS connection but no certificate is set for a subsequent TLS connection. The original patch for CVE-2016-5420 has been amended to also contain the attached patch: https://curl.haxx.se/CVE-2016-5420.patch
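The failure mode described in this comment is a connection-reuse matching problem: a cached TLS connection that was authenticated with a client certificate must not be handed to a later transfer that configured no client certificate, because the server would still see the first transfer's identity. The following Python model is an added illustration and is not libcurl's connection cache or the patch itself; the class and field names (`ConnectionCache`, `ClientCert`, `match_client_cert`) and the host `example.test` are assumptions made for the example. It contrasts a cache that matches only on host and port with one that also compares the client certificate configuration, treating "no certificate" as its own identity.

```python
"""
Added illustration (not libcurl's code): a TLS connection cache must compare
the client-certificate configuration, including the "no certificate" case,
before reusing a cached connection.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ClientCert:
    """Client certificate configuration of one transfer (hypothetical model).

    path is the certificate file, or None when no client certificate is set.
    """
    path: Optional[str]
    key_path: Optional[str] = None


@dataclass
class Connection:
    host: str
    port: int
    client_cert: ClientCert  # identity the TLS session was established with
    conn_id: int


class ConnectionCache:
    """Simplified connection cache keyed on host/port, optionally on client cert."""

    def __init__(self, match_client_cert: bool):
        self.match_client_cert = match_client_cert
        self._conns: List[Connection] = []
        self._next_id = 0

    def _matches(self, conn: Connection, host: str, port: int, cert: ClientCert) -> bool:
        if (conn.host, conn.port) != (host, port):
            return False
        if not self.match_client_cert:
            # Flawed matching: any cached connection to host:port is reused,
            # regardless of which client identity it was authenticated with.
            return True
        # Correct matching: ClientCert(None) and ClientCert("client.pem") are
        # different identities, so they never share a connection.
        return conn.client_cert == cert

    def get(self, host: str, port: int, cert: ClientCert) -> Connection:
        """Return a reusable cached connection or establish a new one."""
        for conn in self._conns:
            if self._matches(conn, host, port, cert):
                return conn
        conn = Connection(host, port, cert, self._next_id)
        self._next_id += 1
        self._conns.append(conn)
        return conn


def run_sequence(match_client_cert: bool) -> Tuple[int, int, Optional[str]]:
    """Two transfers to the same host: first with a cert from file, then with none.

    Returns (first conn id, second conn id, cert path the server sees on the
    second transfer). A reused connection means the second transfer is still
    authenticated as the first transfer's certificate.
    """
    cache = ConnectionCache(match_client_cert)
    with_cert = ClientCert("client.pem", "client.key")  # constructed sample paths
    no_cert = ClientCert(None)
    first = cache.get("example.test", 443, with_cert)
    second = cache.get("example.test", 443, no_cert)
    return first.conn_id, second.conn_id, second.client_cert.path


if __name__ == "__main__":
    print("host/port only   :", run_sequence(match_client_cert=False))
    print("with cert compare:", run_sequence(match_client_cert=True))
```

With host/port-only matching the second transfer silently reuses connection 0 and the server still sees `client.pem`; with certificate-aware matching the second transfer gets a fresh, unauthenticated connection, which is the behaviour the amended patch restores for the NSS backend.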
Created curl tracking bugs for this issue:
Affects: fedora-all [bug 1373230]
Created mingw-curl tracking bugs for this issue:
Affects: fedora-all [bug 1373231]
Affects: epel-7 [bug 1373232]
CVE assignment: http://seclists.org/oss-sec/2016/q3/419
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:2575 https://rhn.redhat.com/errata/RHSA-2016-2575.html
This issue has been addressed in the following products: Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html
External References: https://curl.haxx.se/docs/adv_20160907.html
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Via RHSA-2018:3558 https://access.redhat.com/errata/RHSA-2018:3558