CVE-2024-2466

NameCVE-2024-2466
Descriptionlibcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)buster7.64.0-4+deb10u2fixed
buster (security)7.64.0-4+deb10u9fixed
bullseye (security), bullseye7.74.0-1.3+deb11u11fixed
bookworm, bookworm (security)7.88.1-10+deb12u5fixed
trixie8.5.0-2vulnerable
sid8.7.1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsourcebuster(not affected)
curlsourcebullseye(not affected)
curlsourcebookworm(not affected)
curlsource(unstable)8.7.1-1unimportant

Notes

[bookworm] - curl <not-affected> (Vulnerable code not present)
[bullseye] - curl <not-affected> (Vulnerable code not present)
[buster] - curl <not-affected> (Vulnerable code not present)
https://curl.se/docs/CVE-2024-2466.html
Introduced by: https://github.com/curl/curl/commit/fa714830e92cba7b16b9d3f2cc92a72ee9d821fa (curl-8_5_0)
Fixed by: https://github.com/curl/curl/commit/3d0fd382a29b95561b90b7ea3e7eb04dfdd43538 (curl-8_7_0)
curl in Debian not built with mbedTLS support

Search for package or bug name: Reporting problems