CVE-2022-27781

Published: 11 May 2022

libcurl provides the `CURLOPT_CERTINFO` option to allow applications to request details to be returned about a TLS server's certificate chain. Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information.

Mitigation

Do not use the `CURLOPT_CERTINFO` option.

Priority

Low

Status

| Package | Release | Status |
|---------|---------|--------|
| curl (Launchpad, Ubuntu, Debian) | bionic | Released (7.58.0-2ubuntu3.18) |
| | focal | Released (7.68.0-1ubuntu2.11) |
| | impish | Released (7.74.0-1.3ubuntu2.2) |
| | jammy | Released (7.81.0-1ubuntu1.2) |
| | trusty | Needed |
| | upstream | Released (7.83.1) |
| | xenial | Needed |