CVE-2021-22897 log

Source
Severity Low
Remote Yes
Type Incorrect calculation
Description
A security issue has been found in curl before version 7.77.0. libcurl lets applications specify which specific TLS ciphers to use in transfers, using the option called CURLOPT_SSL_CIPHER_LIST. The cipher selection is used for the TLS negotiation when a transfer is done involving any of the TLS based transfer protocols libcurl supports, such as HTTPS, FTPS, IMAPS, POP3S, SMTPS etc.

Due to a mistake in the code, the selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.

This flaw can only trigger when Schannel is used, which is the native TLS library in Microsoft Windows.
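The following is an added illustration of the bug class described above, not code from curl or from the fix commit: a minimal model in which two hypothetical transfer handles each configure their own cipher list. The buggy path keeps the list in one library-wide static, so the handle that sets it last controls what every handle negotiates with; the fixed path stores it in the handle. The struct, function names and cipher strings are constructed for the example, and the real cipher-list syntax depends on the TLS backend.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not curl's own code: a minimal model of the CVE-2021-22897
 * bug class. Each transfer handle is supposed to carry its own cipher list,
 * but the buggy path keeps it in a single library-wide static variable. */

#define CIPHER_MAX 128

typedef struct {
    const char *name;             /* hypothetical label, e.g. "transfer A" */
    char cipher_list[CIPHER_MAX]; /* per-handle storage used by the fixed path */
} transfer_t;

/* Buggy path: one static for the whole library, as the advisory describes. */
static char shared_cipher_list[CIPHER_MAX];

static void set_ciphers_buggy(transfer_t *t, const char *ciphers) {
    (void)t; /* the handle is ignored, so the last writer wins for everyone */
    snprintf(shared_cipher_list, sizeof shared_cipher_list, "%s", ciphers);
}

static const char *negotiation_ciphers_buggy(const transfer_t *t) {
    (void)t;
    return shared_cipher_list;
}

/* Fixed path: the cipher list lives in the handle that configured it. */
static void set_ciphers_fixed(transfer_t *t, const char *ciphers) {
    snprintf(t->cipher_list, sizeof t->cipher_list, "%s", ciphers);
}

static const char *negotiation_ciphers_fixed(const transfer_t *t) {
    return t->cipher_list;
}

/* Sets up two concurrent transfers with different cipher lists and checks
 * whether each one negotiates with the list it actually configured.
 * Returns 1 when the handles are isolated, 0 when one bleeds into the other. */
int handles_are_isolated(int use_fixed) {
    /* constructed sample cipher names; real syntax depends on the TLS backend */
    const char *strict  = "TLS_AES_256_GCM_SHA384";
    const char *relaxed = "TLS_RSA_WITH_3DES_EDE_CBC_SHA";
    transfer_t a = { "transfer A", "" };
    transfer_t b = { "transfer B", "" };

    if (use_fixed) {
        set_ciphers_fixed(&a, strict);
        set_ciphers_fixed(&b, relaxed); /* B is configured last */
        return strcmp(negotiation_ciphers_fixed(&a), strict) == 0 &&
               strcmp(negotiation_ciphers_fixed(&b), relaxed) == 0;
    }
    set_ciphers_buggy(&a, strict);
    set_ciphers_buggy(&b, relaxed);     /* B is configured last: A now uses it too */
    return strcmp(negotiation_ciphers_buggy(&a), strict) == 0 &&
           strcmp(negotiation_ciphers_buggy(&b), relaxed) == 0;
}

int main(void) {
    printf("buggy path isolates handles: %d\n", handles_are_isolated(0)); /* 0 */
    printf("fixed path isolates handles: %d\n", handles_are_isolated(1)); /* 1 */
    return 0;
}
```

The check in handles_are_isolated is the property a regression test for this class of bug should assert: after two handles are configured in sequence, the first handle still negotiates with its own list rather than whatever the second one set.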
Group     Package  Affected  Fixed     Severity  Status        Ticket
AVG-2016  curl     7.76.1-1  7.77.0-1  Low       Not affected
References
https://curl.se/docs/CVE-2021-22897.html
https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511
Notes
Workaround
==========

The issue can be mitigated by avoiding the use of CURLOPT_SSL_CIPHER_LIST.