ELA-494-1 curl security update
Package: curl
Version: 7.38.0-4+deb8u22
Related CVEs: CVE-2021-22946, CVE-2021-22947
Two issues have been found in curl, a command line tool and an easy-to-use client-side library for transferring data with URL syntax.
CVE-2021-22946: Crafted answers from a server might force clients not to use TLS on a connection even though TLS was required and expected.
CVE-2021-22947: When using STARTTLS to initiate a TLS connection, the server might send multiple answers before the TLS upgrade, and the client would then handle them as trusted. A MITM attacker could use this to inject fake response data.
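The CVE-2021-22947 behaviour described above, modelled as an added example (not curl's code and not part of the advisory): a reply reader whose receive cache survives the TLS upgrade labels a reply that arrived in plaintext as protected, while a strict reader refuses the upgrade when plaintext bytes are still pending. The class and function names, the SMTP-style sample replies and the refuse-on-leftover mitigation are assumptions made for illustration.

```python
class UpgradeError(Exception):
    """Plaintext bytes were still pending when the TLS upgrade was requested."""


class ReplyReader:
    """Line-based reply reader with a receive cache (hypothetical model)."""

    def __init__(self, strict):
        self.strict = strict      # True: refuse to upgrade over leftover bytes
        self.cache = b""          # received but not yet consumed
        self.tls_active = False

    def feed(self, data):
        self.cache += data

    def next_reply(self):
        """Return (text, protected) or None; protected is the TLS state at consumption."""
        line, sep, rest = self.cache.partition(b"\r\n")
        if not sep:
            return None
        self.cache = rest
        return line.decode("ascii"), self.tls_active

    def start_tls(self):
        if self.strict and self.cache:
            raise UpgradeError("%d plaintext bytes pending at upgrade" % len(self.cache))
        self.tls_active = True


# Constructed sample: two replies arriving in a single plaintext segment.
PLAINTEXT_SEGMENT = b"220 ready for TLS\r\n250 constructed extra reply\r\n"


def run_client(strict):
    """Consume the STARTTLS reply, upgrade, then drain whatever is cached."""
    reader = ReplyReader(strict)
    reader.feed(PLAINTEXT_SEGMENT)
    replies = [reader.next_reply()]          # the expected answer, in plaintext
    try:
        reader.start_tls()
    except UpgradeError as exc:
        return replies, str(exc)
    while (reply := reader.next_reply()) is not None:
        replies.append(reply)
    return replies, None


if __name__ == "__main__":
    print("lenient:", run_client(strict=False))
    print("strict: ", run_client(strict=True))
```

In the lenient run the second reply comes back flagged as protected although it was received before the handshake; the strict run stops at the upgrade and reports the leftover bytes.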
For Debian 8 jessie, these problems have been fixed in version 7.38.0-4+deb8u22.
We recommend that you upgrade your curl packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
A curl security update has been released for Debian GNU/Linux 8 Extended LTS to address two issues.