Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL used a trailing dot while not using one when it built the HSTS cache. Or the other way around - by having the trailing dot in the HSTS cache and *not* using the trailing dot in the URL.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):