Arch Linux: Certificate verification bypass (CVE-2017-7468)
| Severity | CVSS v2 | Published | Added | Modified |
|---|---|---|---|---|
| 5 | 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) | Jul 16, 2018 | Jul 11, 2025 | Nov 27, 2025 |
Description
libcurl 7.52.0 through 7.53.1 would attempt to resume a cached TLS session even if the client certificate had changed since that session was established. That is unacceptable: the TLS specification allows a server to skip the client certificate check on resumption and instead reuse the identity established by the earlier full handshake (the previous certificate, or no certificate at all). In practice, a process that first connects to a host with one client certificate and later reconnects with a different certificate, or with none, can have the later connection authenticated as the earlier identity, because libcurl matched cached sessions without taking the client certificate into account.
This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range.
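To make the failure mode concrete, the following toy model (an added example, not libcurl or curl-project code) simulates a client-side session cache and a server that, as the specification permits, skips client authentication on resumption. The cache keyed on host:port only models the 7.52.0 to 7.53.1 behaviour; the cache that also keys on the client certificate fingerprint models the fixed behaviour. All names (SessionCache, ToyServer, connect, the certificate strings) are invented for this illustration.

```python
"""Toy model of the CVE-2017-7468 condition.

A client-side TLS session cache that ignores the client certificate hands a
session established under one identity to later connections that present a
different certificate, or none. Illustration only; not libcurl code.
"""
import hashlib
from typing import Dict, List, Optional, Tuple


def fingerprint(cert_pem: Optional[str]) -> Optional[str]:
    """Stable identifier for a client certificate (None when no cert is sent)."""
    if cert_pem is None:
        return None
    return hashlib.sha256(cert_pem.encode()).hexdigest()[:16]


class ToyServer:
    """Server that may skip client authentication on resumption and instead
    reuse the identity bound to the session at the original full handshake."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}  # session_id -> identity
        self._counter = 0

    def handshake(self, session_id: Optional[str],
                  client_cert: Optional[str]) -> Tuple[str, str]:
        # Resumption path: no certificate check, identity comes from the cache.
        if session_id is not None and session_id in self.sessions:
            return session_id, self.sessions[session_id]
        # Full handshake: authenticate whatever certificate is presented now.
        identity = f"cert:{fingerprint(client_cert)}" if client_cert else "anonymous"
        self._counter += 1
        session_id = f"sess-{self._counter}"
        self.sessions[session_id] = identity
        return session_id, identity


class SessionCache:
    """Client-side session cache. include_cert=False models libcurl 7.52.0
    through 7.53.1: entries are matched on host and port only."""

    def __init__(self, include_cert: bool) -> None:
        self.include_cert = include_cert
        self._entries: Dict[tuple, str] = {}

    def _key(self, host: str, port: int, client_cert: Optional[str]) -> tuple:
        if self.include_cert:
            return (host, port, fingerprint(client_cert))
        return (host, port)

    def get(self, host: str, port: int, client_cert: Optional[str]) -> Optional[str]:
        return self._entries.get(self._key(host, port, client_cert))

    def put(self, host: str, port: int, client_cert: Optional[str], session_id: str) -> None:
        self._entries[self._key(host, port, client_cert)] = session_id


def connect(cache: SessionCache, server: ToyServer, host: str, port: int,
            client_cert: Optional[str]) -> str:
    """One client connection: try to resume, else full handshake; cache the result."""
    sid, identity = server.handshake(cache.get(host, port, client_cert), client_cert)
    cache.put(host, port, client_cert, sid)
    return identity


# Constructed placeholder certificates; only their bytes matter for the model.
ALICE_CERT = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-ALICE\n-----END CERTIFICATE-----"
BOB_CERT = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-BOB\n-----END CERTIFICATE-----"


def identities_seen(include_cert: bool) -> List[str]:
    """Three connections from one process to the same host: Alice's cert, then
    Bob's cert, then no cert. Returns the identity the server attributed to each."""
    cache, server = SessionCache(include_cert), ToyServer()
    return [connect(cache, server, "api.example.test", 443, cert)
            for cert in (ALICE_CERT, BOB_CERT, None)]


if __name__ == "__main__":
    print("vulnerable (host:port key):      ", identities_seen(include_cert=False))
    print("fixed (host:port + cert key):    ", identities_seen(include_cert=True))
```

With the host:port-only cache, the second and third connections resume the session Alice's certificate created, so the server treats Bob and the certificate-less connection as Alice. Including the client certificate in the cache key forces a fresh handshake whenever the presented identity differs, which is the property the upstream fix restores.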
Solution
Upgrade the Arch Linux curl package to the latest version (arch-linux-upgrade-latest). The upstream fix shipped in curl 7.54.0 per the curl advisory referenced below; any installed libcurl reporting a version from 7.52.0 through 7.53.1 in `curl --version` is affected.
References
- CVE-2017-7468
- https://attackerkb.com/topics/CVE-2017-7468
- http://www.securityfocus.com/bid/97962
- http://www.securitytracker.com/id/1038341
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7468
- https://curl.haxx.se/docs/adv_20170419.html
- https://security.archlinux.org/ASA-201704-12
- https://security.gentoo.org/glsa/201709-14
- CWE-295 (Improper Certificate Validation)