   openSUSE Security Update: Security update for curl
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2016:2379-1
Rating:             moderate
References:         #991389 #991390 #991391 #991746 #997420
Cross-References:   CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 CVE-2016-7141
Affected Products:
                    openSUSE Leap 42.1
______________________________________________________________________________

   An update that solves four vulnerabilities and has one errata
   is now available.

Description:

   This update for curl fixes the following issues:

   Security issues fixed:
   - CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389)
   - CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390)
   - CVE-2016-5421: use of connection struct after free (bsc#991391)
   - CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS
     (bsc#997420)

   Also the following bug was fixed:
   - fixing a performance issue (bsc#991746)

   This update was imported from the SUSE:SLE-12:Update update project.

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.1:

      zypper in -t patch openSUSE-2016-1124=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE Leap 42.1 (i586 x86_64):

      curl-7.37.0-13.1
      curl-debuginfo-7.37.0-13.1
      curl-debugsource-7.37.0-13.1
      libcurl-devel-7.37.0-13.1
      libcurl4-7.37.0-13.1
      libcurl4-debuginfo-7.37.0-13.1

   - openSUSE Leap 42.1 (x86_64):

      libcurl-devel-32bit-7.37.0-13.1
      libcurl4-32bit-7.37.0-13.1
      libcurl4-debuginfo-32bit-7.37.0-13.1

References:

   https://www.suse.com/security/cve/CVE-2016-5419.html
   https://www.suse.com/security/cve/CVE-2016-5420.html
   https://www.suse.com/security/cve/CVE-2016-5421.html
   https://www.suse.com/security/cve/CVE-2016-7141.html
   https://bugzilla.suse.com/991389
   https://bugzilla.suse.com/991390
   https://bugzilla.suse.com/991391
   https://bugzilla.suse.com/991746
   https://bugzilla.suse.com/997420