CVE-2021-22924

NameCVE-2021-22924
Descriptionlibcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2734-1, DLA-3085-1, DSA-5197-1
Debian Bugs991492

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)bullseye7.74.0-1.3+deb11u13fixed
bullseye (security)7.74.0-1.3+deb11u14fixed
bookworm7.88.1-10+deb12u8fixed
bookworm (security)7.88.1-10+deb12u5fixed
sid, trixie8.11.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsourcestretch7.52.1-5+deb9u15DLA-2734-1
curlsourcebuster7.64.0-4+deb10u3DLA-3085-1
curlsourcebullseye7.74.0-1.3+deb11u2DSA-5197-1
curlsource(unstable)7.79.1-1991492

Notes

https://curl.se/docs/CVE-2021-22924.html
Introduced by: https://github.com/curl/curl/commit/89721ff04af70f527baae1368f3b992777bf6526 (curl-7_10_4)
Fixed by: https://github.com/curl/curl/commit/5ea3145850ebff1dc2b13d17440300a01ca38161 (curl-7_78_0)
https://www.openwall.com/lists/oss-security/2021/07/21/3
Search for package or bug name: Reporting problems