CVE-2024-2379
Published: 27 March 2024
libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.
Notes
| Author | Note |
|---|---|
| | Priority reason: Upstream developers consider this a low severity issue |
| mdeslaur | Ubuntu package does not use the wolfSSL backend. Only affects 8.6.0. |
Priority
Status
| Package | Release | Status |
|---|---|---|
| curl | bionic | Not vulnerable (code not compiled) |
| curl | focal | Not vulnerable (code not compiled) |
| curl | jammy | Not vulnerable (code not compiled) |
| curl | mantic | Not vulnerable (code not compiled) |
| curl | noble | Not vulnerable (code not compiled) |
| curl | trusty | Not vulnerable (code not compiled) |
| curl | upstream | Released (8.7.0) |
| curl | xenial | Not vulnerable (code not compiled) |
Patches: upstream: https://github.com/curl/curl/commit/aedbbdf18e689a5eee8dc396
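
A local check for the three conditions this page lists (libcurl 8.6.0, a wolfSSL build, QUIC/HTTP3 support), given as an added example that is not part of the Ubuntu tracker entry or the curl project. The function name and the sample `curl --version` reports are constructed, and the version test relies on the note above that only 8.6.0 is affected.

```shell
#!/bin/sh
# Classify the text of a `curl --version` report against the conditions
# this page gives for CVE-2024-2379. Hypothetical helper, not a curl tool.
# On a real host: cve_2024_2379_check "$(curl --version)"
cve_2024_2379_check() {
    report=$1
    # Line 1 lists libcurl and the libraries it was built against.
    first=$(printf '%s\n' "$report" | sed -n '1p')
    # The "Features:" line lists HTTP3 when QUIC support is compiled in.
    features=$(printf '%s\n' "$report" | grep '^Features:' || true)
    libver=$(printf '%s\n' "$first" | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p')

    if [ -z "$libver" ]; then
        echo "unknown: no libcurl version found"
        return 0
    fi
    # Per the note on this page, only 8.6.0 carries the bug (fixed in 8.7.0).
    if [ "$libver" != "8.6.0" ]; then
        echo "not-affected: libcurl $libver"
        return 0
    fi
    case "$first" in
        *wolfSSL/*) ;;
        *) echo "not-affected: TLS backend is not wolfSSL"; return 0 ;;
    esac
    case " $features " in
        *" HTTP3 "*) ;;
        *) echo "not-affected: no HTTP3 (QUIC) support built in"; return 0 ;;
    esac
    echo "affected: libcurl 8.6.0 with wolfSSL and HTTP3"
}

# Constructed sample reports (library versions other than libcurl are made up).
SAMPLE_AFFECTED='curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 wolfSSL/5.6.6 zlib/1.3 ngtcp2/1.2.0 nghttp3/1.1.0
Features: alt-svc HSTS HTTP3 HTTPS-proxy IPv6 SSL'
SAMPLE_OPENSSL='curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 OpenSSL/3.2.1 zlib/1.3 nghttp2/1.59.0
Features: alt-svc HSTS HTTP2 HTTPS-proxy IPv6 SSL'
SAMPLE_FIXED='curl 8.7.0 (x86_64-pc-linux-gnu) libcurl/8.7.0 wolfSSL/5.6.6 zlib/1.3 ngtcp2/1.2.0 nghttp3/1.1.0
Features: alt-svc HSTS HTTP3 HTTPS-proxy IPv6 SSL'
SAMPLE_NO_H3='curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 wolfSSL/5.6.6 zlib/1.3
Features: alt-svc HSTS HTTPS-proxy IPv6 SSL'

cve_2024_2379_check "$SAMPLE_AFFECTED"
```

Statically linked applications embed their own libcurl, so the report from the system `curl` binary says nothing about them.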