Bug 1906096 (CVE-2020-8286) - CVE-2020-8286 curl: Inferior OCSP verification
Summary: CVE-2020-8286 curl: Inferior OCSP verification
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8286
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1906098 1906099 1908402 1908403
Blocks: 1906107
TreeView+ depends on / blocked
 
Reported: 2020-12-09 16:53 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-06-17 11:45 UTC (History)
35 users (show)

See Also:
Fixed In Version: curl 7.74.0
Doc Type: If docs needed, set a value
Doc Text:
Libcurl offers "OCSP stapling" via the CURLOPT_SSL_VERIFYSTATUS option. When set, libcurl verifies the OCSP response that a server responds with as part of the TLS handshake. It then aborts the TLS negotiation if something is wrong with the response. The same feature can be enabled with --cert-status using the curl tool. As part of the OCSP response verification, a client should verify that the response is indeed set out for the correct certificate. This step was not performed by libcurl when built or told to use OpenSSL as TLS backend.
Clone Of:
Environment:
Last Closed: 2021-05-18 20:37:57 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2471 0 None None None 2021-06-17 11:35:59 UTC
Red Hat Product Errata RHSA-2021:2472 0 None None None 2021-06-17 11:45:39 UTC

Description Guilherme de Almeida Suckevicz 2020-12-09 16:53:14 UTC 
libcurl offers "OCSP stapling" via the CURLOPT_SSL_VERIFYSTATUS option. When set, libcurl verifies the OCSP response that a server responds with as part of the TLS handshake. It then aborts the TLS negotiation if something is wrong with the response. The same feature can be enabled with --cert-status using the curl tool. As part of the OCSP response verification, a client should verify that the response is indeed set out for the correct certificate. This step was not performed by libcurl when built or told to use OpenSSL as TLS backend.

Reference:
https://curl.se/docs/CVE-2020-8286.html
Comment 1 Guilherme de Almeida Suckevicz 2020-12-09 16:55:36 UTC 
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1906098]


Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 1906099]
Comment 4 Sage McTaggart 2020-12-11 23:28:58 UTC 
External References:

https://curl.se/docs/CVE-2020-8286.html
Comment 8 Tomas Hoger 2021-04-07 07:50:24 UTC 
Upstream commit:

https://github.com/curl/curl/commit/d9d01672785b
Comment 9 errata-xmlrpc 2021-05-18 13:40:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1610 https://access.redhat.com/errata/RHSA-2021:1610
Comment 10 Product Security DevOps Team 2021-05-18 20:37:57 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8286
Comment 11 Product Security DevOps Team 2021-05-19 02:33:46 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8286
Comment 12 errata-xmlrpc 2021-06-17 11:35:52 UTC 
This issue has been addressed in the following products:

  JBoss Core Services Apache HTTP Server 2.4.37 SP8

Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471
Comment 13 errata-xmlrpc 2021-06-17 11:45:30 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472
Note You need to log in before you can comment on or make changes to this bug.