Search for packages
| purl | pkg:alpm/archlinux/curl@7.77.0-1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-61j5-aj1z-aaaq
Aliases: CVE-2021-22924 |
libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate. |
Affected by 3 other vulnerabilities. |
|
VCID-6qjg-v45t-aaam
Aliases: CVE-2021-22925 |
curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application. |
Affected by 3 other vulnerabilities. |
|
VCID-9ee5-xkhm-aaad
Aliases: CVE-2021-22923 |
When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened. |
Affected by 3 other vulnerabilities. |
|
VCID-naz1-7t8w-aaar
Aliases: CVE-2021-22922 |
When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk. |
Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-2zq2-qsgf-aaaj | curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol. |
CVE-2021-22898
|
| VCID-ngzd-mupw-aaas | curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly. |
CVE-2021-22897
|
| VCID-tz5z-xncu-aaaf | curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory. |
CVE-2021-22901
|
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-03-28T07:47:04.011980+00:00 | Arch Linux Importer | Fixing | VCID-ngzd-mupw-aaas | https://security.archlinux.org/AVG-2016 | 36.0.0 |
| 2025-03-28T07:46:31.783343+00:00 | Arch Linux Importer | Affected by | VCID-naz1-7t8w-aaar | https://security.archlinux.org/AVG-2194 | 36.0.0 |
| 2025-03-28T07:46:31.762754+00:00 | Arch Linux Importer | Affected by | VCID-9ee5-xkhm-aaad | https://security.archlinux.org/AVG-2194 | 36.0.0 |
| 2025-03-28T07:46:31.739799+00:00 | Arch Linux Importer | Affected by | VCID-61j5-aj1z-aaaq | https://security.archlinux.org/AVG-2194 | 36.0.0 |
| 2025-03-28T07:46:31.719370+00:00 | Arch Linux Importer | Affected by | VCID-6qjg-v45t-aaam | https://security.archlinux.org/AVG-2194 | 36.0.0 |
| 2025-03-28T07:45:36.694882+00:00 | Arch Linux Importer | Fixing | VCID-2zq2-qsgf-aaaj | https://security.archlinux.org/AVG-1995 | 36.0.0 |
| 2025-03-28T07:45:36.675694+00:00 | Arch Linux Importer | Fixing | VCID-tz5z-xncu-aaaf | https://security.archlinux.org/AVG-1995 | 36.0.0 |
| 2024-10-20T17:34:02.664778+00:00 | Arch Linux Importer | Affected by | VCID-naz1-7t8w-aaar | https://security.archlinux.org/AVG-2194 | 34.0.2 |
| 2024-10-20T17:34:02.638815+00:00 | Arch Linux Importer | Affected by | VCID-9ee5-xkhm-aaad | https://security.archlinux.org/AVG-2194 | 34.0.2 |
| 2024-10-20T17:34:02.615248+00:00 | Arch Linux Importer | Affected by | VCID-61j5-aj1z-aaaq | https://security.archlinux.org/AVG-2194 | 34.0.2 |
| 2024-10-20T17:34:02.590282+00:00 | Arch Linux Importer | Affected by | VCID-6qjg-v45t-aaam | https://security.archlinux.org/AVG-2194 | 34.0.2 |
| 2024-10-20T17:34:01.293655+00:00 | Arch Linux Importer | Fixing | VCID-2zq2-qsgf-aaaj | https://security.archlinux.org/AVG-1995 | 34.0.2 |
| 2024-10-20T17:34:01.267880+00:00 | Arch Linux Importer | Fixing | VCID-tz5z-xncu-aaaf | https://security.archlinux.org/AVG-1995 | 34.0.2 |
| 2024-09-18T02:02:27.149637+00:00 | Arch Linux Importer | Fixing | VCID-ngzd-mupw-aaas | https://security.archlinux.org/AVG-2016 | 34.0.1 |
| 2024-09-18T02:01:49.587266+00:00 | Arch Linux Importer | Affected by | VCID-naz1-7t8w-aaar | https://security.archlinux.org/AVG-2194 | 34.0.1 |
| 2024-09-18T02:01:49.561025+00:00 | Arch Linux Importer | Affected by | VCID-9ee5-xkhm-aaad | https://security.archlinux.org/AVG-2194 | 34.0.1 |
| 2024-09-18T02:01:49.534047+00:00 | Arch Linux Importer | Affected by | VCID-61j5-aj1z-aaaq | https://security.archlinux.org/AVG-2194 | 34.0.1 |
| 2024-09-18T02:01:49.499331+00:00 | Arch Linux Importer | Affected by | VCID-6qjg-v45t-aaam | https://security.archlinux.org/AVG-2194 | 34.0.1 |
| 2024-09-18T02:00:35.011920+00:00 | Arch Linux Importer | Fixing | VCID-2zq2-qsgf-aaaj | https://security.archlinux.org/AVG-1995 | 34.0.1 |
| 2024-09-18T02:00:34.984693+00:00 | Arch Linux Importer | Fixing | VCID-tz5z-xncu-aaaf | https://security.archlinux.org/AVG-1995 | 34.0.1 |
| 2024-01-31T12:09:59.743857+00:00 | Arch Linux Importer | Affected by | VCID-naz1-7t8w-aaar | https://security.archlinux.org/AVG-2194 | 34.0.0rc2 |
| 2024-01-31T12:09:59.721919+00:00 | Arch Linux Importer | Affected by | VCID-9ee5-xkhm-aaad | https://security.archlinux.org/AVG-2194 | 34.0.0rc2 |
| 2024-01-31T12:09:59.700068+00:00 | Arch Linux Importer | Affected by | VCID-61j5-aj1z-aaaq | https://security.archlinux.org/AVG-2194 | 34.0.0rc2 |
| 2024-01-31T12:09:59.677968+00:00 | Arch Linux Importer | Affected by | VCID-6qjg-v45t-aaam | https://security.archlinux.org/AVG-2194 | 34.0.0rc2 |
| 2024-01-31T12:09:56.211751+00:00 | Arch Linux Importer | Fixing | VCID-2zq2-qsgf-aaaj | https://security.archlinux.org/AVG-1995 | 34.0.0rc2 |
| 2024-01-31T12:09:56.189783+00:00 | Arch Linux Importer | Fixing | VCID-tz5z-xncu-aaaf | https://security.archlinux.org/AVG-1995 | 34.0.0rc2 |
| 2024-01-03T22:28:28.152136+00:00 | Arch Linux Importer | Fixing | VCID-ngzd-mupw-aaas | https://security.archlinux.org/AVG-2016 | 34.0.0rc1 |
| 2024-01-03T22:27:54.616950+00:00 | Arch Linux Importer | Affected by | VCID-naz1-7t8w-aaar | https://security.archlinux.org/AVG-2194 | 34.0.0rc1 |
| 2024-01-03T22:27:54.592761+00:00 | Arch Linux Importer | Affected by | VCID-9ee5-xkhm-aaad | https://security.archlinux.org/AVG-2194 | 34.0.0rc1 |
| 2024-01-03T22:27:54.566202+00:00 | Arch Linux Importer | Affected by | VCID-61j5-aj1z-aaaq | https://security.archlinux.org/AVG-2194 | 34.0.0rc1 |
| 2024-01-03T22:27:54.539653+00:00 | Arch Linux Importer | Affected by | VCID-6qjg-v45t-aaam | https://security.archlinux.org/AVG-2194 | 34.0.0rc1 |
| 2024-01-03T22:26:51.629607+00:00 | Arch Linux Importer | Fixing | VCID-2zq2-qsgf-aaaj | https://security.archlinux.org/AVG-1995 | 34.0.0rc1 |
| 2024-01-03T22:26:51.607600+00:00 | Arch Linux Importer | Fixing | VCID-tz5z-xncu-aaaf | https://security.archlinux.org/AVG-1995 | 34.0.0rc1 |