VulnerableCode Package Details - pkg:alpm/archlinux/lib32-libcurl-gnutls@7.77.0-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-61j5-aj1z-aaaq Aliases: CVE-2021-22924	libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths case insensitively,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.	7.78.0-1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-6qjg-v45t-aaam Aliases: CVE-2021-22925	curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.	7.78.0-1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-61j5-aj1z-aaaq
Aliases:
CVE-2021-22924

libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.

7.78.0-1
Affected by 3 other vulnerabilities.

VCID-6qjg-v45t-aaam
Aliases:
CVE-2021-22925

curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.

7.78.0-1
Affected by 3 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-2zq2-qsgf-aaaj	curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.	CVE-2021-22898

Vulnerability

Summary

Aliases

VCID-2zq2-qsgf-aaaj

curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.

CVE-2021-22898

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-03-28T07:46:34.722138+00:00	Arch Linux Importer	Fixing	VCID-2zq2-qsgf-aaaj	https://security.archlinux.org/AVG-2000	36.0.0
2025-03-28T07:46:31.533883+00:00	Arch Linux Importer	Affected by	VCID-61j5-aj1z-aaaq	https://security.archlinux.org/AVG-2199	36.0.0
2025-03-28T07:46:31.513023+00:00	Arch Linux Importer	Affected by	VCID-6qjg-v45t-aaam	https://security.archlinux.org/AVG-2199	36.0.0
2024-12-11T10:54:34.188910+00:00	Arch Linux Importer	Fixing	VCID-2zq2-qsgf-aaaj	https://security.archlinux.org/AVG-2000	35.0.0
2024-12-11T10:54:32.332160+00:00	Arch Linux Importer	Affected by	VCID-61j5-aj1z-aaaq	https://security.archlinux.org/AVG-2199	35.0.0
2024-12-11T10:54:31.950656+00:00	Arch Linux Importer	Affected by	VCID-6qjg-v45t-aaam	https://security.archlinux.org/AVG-2199	35.0.0
2024-09-18T02:01:53.724812+00:00	Arch Linux Importer	Fixing	VCID-2zq2-qsgf-aaaj	https://security.archlinux.org/AVG-2000	34.0.1
2024-09-18T02:01:49.266009+00:00	Arch Linux Importer	Affected by	VCID-61j5-aj1z-aaaq	https://security.archlinux.org/AVG-2199	34.0.1
2024-09-18T02:01:49.239107+00:00	Arch Linux Importer	Affected by	VCID-6qjg-v45t-aaam	https://security.archlinux.org/AVG-2199	34.0.1
2024-01-31T12:09:59.770331+00:00	Arch Linux Importer	Fixing	VCID-2zq2-qsgf-aaaj	https://security.archlinux.org/AVG-2000	34.0.0rc2
2024-01-31T12:09:59.480695+00:00	Arch Linux Importer	Affected by	VCID-61j5-aj1z-aaaq	https://security.archlinux.org/AVG-2199	34.0.0rc2
2024-01-31T12:09:59.458187+00:00	Arch Linux Importer	Affected by	VCID-6qjg-v45t-aaam	https://security.archlinux.org/AVG-2199	34.0.0rc2
2024-01-03T22:27:58.105973+00:00	Arch Linux Importer	Fixing	VCID-2zq2-qsgf-aaaj	https://security.archlinux.org/AVG-2000	34.0.0rc1
2024-01-03T22:27:54.317222+00:00	Arch Linux Importer	Affected by	VCID-61j5-aj1z-aaaq	https://security.archlinux.org/AVG-2199	34.0.0rc1
2024-01-03T22:27:54.295891+00:00	Arch Linux Importer	Affected by	VCID-6qjg-v45t-aaam	https://security.archlinux.org/AVG-2199	34.0.0rc1