Bug 2310519 (CVE-2024-8096) - CVE-2024-8096 curl: OCSP stapling bypass with GnuTLS
Summary: CVE-2024-8096 curl: OCSP stapling bypass with GnuTLS
Keywords:
Status: NEW
Alias: CVE-2024-8096
Deadline: 2024-09-11
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-09-06 20:40 UTC by OSIDB Bzimport
Modified: 2024-09-11 17:42 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2024-09-06 20:40:39 UTC
This issue only exists when curl is built to use the GnuTLS library. curl can
be made to use a large variety of TLS libraries and GnuTLS is not the most
common choice.

OCSP stapling is not a widely used feature on the open web, perhaps partly
because so many big name sites do not support it.

This bug is **not** considered a *C mistake* (likely to have been avoided had
we not been using C).

This flaw also affects the curl command line tool.

