Your submission was sent successfully! Close

CVE-2022-27781

Published: 11 May 2022

[libcurl provides the `CURLOPT_CERTINFO` option to allow applications to request details to be returned about a TLS server's certificate chain. Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information.]

Mitigation

Do not use the `CURLOPT_CERTINFO` option
Priority

Low

Status

Package Release Status
curl
Launchpad, Ubuntu, Debian 		bionic
Released (7.58.0-2ubuntu3.18)
focal
Released (7.68.0-1ubuntu2.11)
impish
Released (7.74.0-1.3ubuntu2.2)
jammy
Released (7.81.0-1ubuntu1.2)
trusty Needed

upstream
Released (7.83.1)
xenial Needed

Notes

AuthorNote
amurray 
Affects curl versions 7.34.0 up to and include 7.83.0

References

Bugs

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading