Source: curl Version: 7.74.0-1.1 Severity: serious Tags: security upstream Justification: security regression from stable X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Control: found -1 7.64.0-4 Control: fixed -1 7.64.0-4+deb10u2
Hi, The following vulnerability was published for curl, filling as RC so it appears on list of issues to be fixed before bullseye release. CVE-2021-22890[0]: | curl 7.63.0 to and including 7.75.0 includes vulnerability that allows | a malicious HTTPS proxy to MITM a connection due to bad handling of | TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl | can confuse session tickets arriving from the HTTPS proxy but work as | if they arrived from the remote server and then wrongly "short-cut" | the host handshake. When confusing the tickets, a HTTPS proxy can | trick libcurl to use the wrong session ticket resume for the host and | thereby circumvent the server TLS certificate check and make a MITM | attack to be possible to perform unnoticed. Note that such a malicious | HTTPS proxy needs to provide a certificate that curl will accept for | the MITMed server for an attack to work - unless curl has been told to | ignore the server certificate check. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-22890 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22890 [1] https://curl.se/docs/CVE-2021-22890.html Regards, Salvatore
