A flaw was found in libcurl from versions 7.29.0 to and including 7.71.1. An application that performs multiple requests with libcurl's multi API and sets the `CURLOPT_CONNECT_ONLY` option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection. Introducing commit: https://github.com/curl/curl/commit/c43127414d Upstream patch: https://curl.haxx.se/2020-8231.patch References: https://curl.haxx.se/docs/CVE-2020-8231.html
Acknowledgments: Name: the Curl project Upstream: Marc Aldorasi
Created curl tracking bugs for this issue: Affects: fedora-all [bug 1870092] Created mingw-curl tracking bugs for this issue: Affects: fedora-all [bug 1870093]
The patch provided by curl upstream applies on curl-7.71.1 whereas RHEL-7 uses curl-7.29.0, which was released in 2013. 10242 commits landed upstream in between the 7.29.0 release and the commit that fixed CVE-2020-8231. Adapting the fix on a 7 years old code base is a risky task. Bug #1683292 is a good example of what happens when such a backport goes wrong. In this case it is also difficult to verify that backported fix actually works. Is there any reproducer for the security issue in question?
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1610 https://access.redhat.com/errata/RHSA-2021:1610
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8231