ALAS-2016-742


Amazon Linux AMI Security Advisory: ALAS-2016-742
Advisory Release Date: 2016-09-27 10:30 Pacific
Severity: Low

Issue Overview:

After testing original CVE-2016-5420 patch, it was discovered that libcurl built on top of NSS (Network Security Services) still incorrectly re-uses client certificates if a certificate from file is used for one TLS connection but no certificate is set for a subsequent TLS connection.


Affected Packages:

curl


Issue Correction:
Run yum update curl to update your system.

New Packages:
i686:
    libcurl-devel-7.47.1-8.65.amzn1.i686
    curl-7.47.1-8.65.amzn1.i686
    libcurl-7.47.1-8.65.amzn1.i686
    curl-debuginfo-7.47.1-8.65.amzn1.i686

src:
    curl-7.47.1-8.65.amzn1.src

x86_64:
    curl-debuginfo-7.47.1-8.65.amzn1.x86_64
    libcurl-7.47.1-8.65.amzn1.x86_64
    libcurl-devel-7.47.1-8.65.amzn1.x86_64
    curl-7.47.1-8.65.amzn1.x86_64