The curl project disclosed a bug, CVE-2016-7141 [0]: --- libcurl built on top of NSS (Network Security Services) incorrectly re-used client certificates if a certificate from file was used for one TLS connection but no certificate set for a subsequent TLS connection.
While the symptoms are similar to CVE-2016-5420 (Re-using connection with wrong client cert), this vulnerability was caused by an implementation detail of the NSS backend in libcurl, which is orthogonal to the cause of CVE-2016-5420. --- As far as I can tell, our curl package does not use NSS, but people who use Guix as a source of free software source code (`guix build --source`) may be vulnerable. [0] http://seclists.org/oss-sec/2016/q3/433 https://curl.haxx.se/docs/vuln-7.50.1.html Leo Famulari (1): gnu: curl: Update replacement to 7.50.2 [fixes CVE-2016-7141]. gnu/packages/curl.scm | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) -- 2.10.0
