Univention Bugzilla – Bug 53868
curl: Multiple issues (4.4)
Last modified: 2021-10-06 17:05:55 CEST
New Debian curl 7.52.1-5+deb9u16 fixes: This update addresses the following issues:
* protocol downgrade required TLS bypassed (CVE-2021-22946)
* STARTTLS protocol injection via MITM (CVE-2021-22947)
--- mirror/ftp/4.4/unmaintained/component/4.4-8-errata/source/curl_7.52.1-5+deb9u15.dsc +++ apt/ucs_4.4-0-errata4.4-8/source/curl_7.52.1-5+deb9u16.dsc @@ -1,3 +1,15 @@ +7.52.1-5+deb9u16 [Wed, 29 Sep 2021 21:03:02 +0200] Thorsten Alteholz <debian@alteholz.de>: + + * Non-maintainer upload by the LTS Team. + * CVE-2021-22946 + Crafted answers from a server might force clients to not use TLS on + connections though TLS was required and expected. + * CVE-2021-22947 + When using STARTTLS to initiate a TLS connection, the server might + send multiple answers before the TLS upgrade and such the client + would handle them as being trusted. This could be used by a + MITM-attacker to inject fake response data. + 7.52.1-5+deb9u15 [Sun, 08 Aug 2021 22:57:19 +0300] Adrian Bunk <bunk@debian.org>: * Non-maintainer upload by the LTS team. <http://piuparts.knut.univention.de/4.4-8/#8640689909869575997>
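Review bot: the added CVE-2021-22947 changelog lines carry a typo, "and such the client would handle them as being trusted" should read "and thus the client would handle them as being trusted"; the hunk itself is the verbatim Debian LTS changelog for 7.52.1-5+deb9u16 and can stay as imported, but any errata text derived from it should use the corrected wording. The hunk header `@@ -1,3 +1,15 @@` is consistent with the twelve `+` lines plus three context lines shown.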
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts
[4.4-8] 7a19d3140c Bug #53868: curl 7.52.1-5+deb9u16
doc/errata/staging/curl.yaml | 14 ++++++++++++++
1 file changed, 14 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x1062>