CVE-2021-22924

NameCVE-2021-22924
Descriptionlibcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2734-1
NVD severitymedium
Debian Bugs991492

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)stretch7.52.1-5+deb9u10vulnerable
stretch (security)7.52.1-5+deb9u16fixed
buster, buster (security)7.64.0-4+deb10u2vulnerable
bookworm, sid, bullseye7.74.0-1.3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsourcestretch7.52.1-5+deb9u15DLA-2734-1
curlsource(unstable)(unfixed)991492

Notes

[bullseye] - curl <no-dsa> (Minor issue)
[buster] - curl <no-dsa> (Minor issue)
https://curl.se/docs/CVE-2021-22924.html
Introduced by: https://github.com/curl/curl/commit/89721ff04af70f527baae1368f3b992777bf6526 (curl-7_10_4)
Fixed by: https://github.com/curl/curl/commit/5ea3145850ebff1dc2b13d17440300a01ca38161 (curl-7_78_0)
https://www.openwall.com/lists/oss-security/2021/07/21/3

Search for package or bug name: Reporting problems