CVE-2021-22901 log

Source
Severity High
Remote Yes
Type Arbitrary code execution
Description
libcurl before version 7.77.0 can be tricked into using already freed memory when a new TLS session is negotiated or a client certificate is requested on an existing connection. For example, this can happen when a TLS server requests a client certificate on a connection that was established without one. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. The flaw can only happen in libcurl built to use OpenSSL.
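A version check for the affected set the description gives (libcurl older than 7.77.0, built against OpenSSL), added here as an example and not part of the tracker page, the Arch packages or curl itself. It classifies the first line of `curl --version`, or a `pacman -Q` line for one of the packages listed below, and runs against the local curl when one is installed. The helper names (`version_lt`, `banner_affected`, `pkg_affected`, `report`) and the three sample banners are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Arch tracker or the curl project: classify a curl
# build against the affected set for CVE-2021-22901 (libcurl < 7.77.0 built with
# the OpenSSL backend). Function names and sample banners are this example's own.

# version_lt A B: exit 0 when dotted version A sorts numerically before B.
# Pure POSIX sh so it works without pacman's vercmp; "7.9.8" sorts before "7.77.0".
version_lt() {
    vl_a=$1 vl_b=$2
    while [ -n "$vl_a" ] || [ -n "$vl_b" ]; do
        vl_x=${vl_a%%.*}; vl_y=${vl_b%%.*}            # leading component of each
        if [ "$vl_a" = "$vl_x" ]; then vl_a=''; else vl_a=${vl_a#*.}; fi
        if [ "$vl_b" = "$vl_y" ]; then vl_b=''; else vl_b=${vl_b#*.}; fi
        vl_x=${vl_x:-0}; vl_y=${vl_y:-0}               # a missing component counts as 0
        if [ "$vl_x" -lt "$vl_y" ]; then return 0; fi
        if [ "$vl_x" -gt "$vl_y" ]; then return 1; fi
    done
    return 1
}

# banner_affected LINE: LINE is the first line of `curl --version`. Exit 0 when
# the build is affected, 1 when it is not, 2 when LINE is not a curl banner.
banner_affected() {
    ba_line=$1
    case $ba_line in
        *libcurl/*) ;;
        *) return 2 ;;
    esac
    ba_ver=${ba_line#*libcurl/}       # text after "libcurl/"
    ba_ver=${ba_ver%% *}              # up to the next space: the version number
    case $ba_ver in
        ''|*[!0-9.]*) return 2 ;;     # e.g. "7.77.0-DEV": left undecided
    esac
    # The advisory limits the flaw to OpenSSL builds, so GnuTLS, NSS, wolfSSL and
    # other backends are reported as not affected even at an old version.
    case $ba_line in
        *OpenSSL/*) ;;
        *) return 1 ;;
    esac
    version_lt "$ba_ver" 7.77.0
}

# pkg_affected "curl 7.76.1-1": the same decision from a `pacman -Q` line for any
# of the packages the tracker lists (all flagged affected, so the backend is not
# re-checked). The pkgrel after "-" is dropped; the fixed packages are 7.77.0-1.
pkg_affected() {
    pa_ver=${1#* }
    pa_ver=${pa_ver%%-*}
    version_lt "$pa_ver" 7.77.0
}

# Constructed sample banners (not captured from real systems).
VULN_BANNER='curl 7.76.1 (x86_64-pc-linux-gnu) libcurl/7.76.1 OpenSSL/1.1.1k zlib/1.2.11 nghttp2/1.43.0'
FIXED_BANNER='curl 7.77.0 (x86_64-pc-linux-gnu) libcurl/7.77.0 OpenSSL/1.1.1k zlib/1.2.11 nghttp2/1.43.0'
GNUTLS_BANNER='curl 7.76.1 (x86_64-pc-linux-gnu) libcurl/7.76.1 GnuTLS/3.7.1 zlib/1.2.11 nghttp2/1.43.0'

# report LABEL LINE: human-readable verdict for one banner.
report() {
    banner_affected "$2" && rc=0 || rc=$?
    case $rc in
        0) echo "$1: affected, update to curl >= 7.77.0" ;;
        1) echo "$1: not affected" ;;
        *) echo "$1: not a curl --version banner" ;;
    esac
}

report constructed-vulnerable "$VULN_BANNER"
report constructed-fixed      "$FIXED_BANNER"
report constructed-gnutls     "$GNUTLS_BANNER"

# Live check on this host, when curl is installed.
if command -v curl >/dev/null 2>&1; then
    report "$(command -v curl)" "$(curl --version | head -n 1)"
fi
```

The check only establishes exposure by version and backend; it cannot tell whether a vendor backported the fix under an older version number, which Arch does not do but other distributions may. On Arch, check every package in the table below, since `libcurl-compat` and the `lib32-` packages ship separate copies of libcurl.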
Group     Package               Affected  Fixed     Severity  Status  Ticket
AVG-1998  lib32-libcurl-compat  7.76.1-1  7.77.0-1  High      Fixed
AVG-1997  libcurl-compat        7.76.1-1  7.77.0-1  High      Fixed
AVG-1996  lib32-curl            7.76.1-1  7.77.0-1  High      Fixed
AVG-1995  curl                  7.76.1-1  7.77.0-1  High      Fixed
Date         Advisory      Group     Package               Severity  Type
01 Jun 2021  ASA-202106-7  AVG-1998  lib32-libcurl-compat  High      multiple issues
01 Jun 2021  ASA-202106-6  AVG-1997  libcurl-compat        High      multiple issues
01 Jun 2021  ASA-202106-5  AVG-1996  lib32-curl            High      multiple issues
01 Jun 2021  ASA-202106-4  AVG-1995  curl                  High      multiple issues
References
https://curl.se/docs/CVE-2021-22901.html
https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479