Description
libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.
Packages
Package | Status | Fixed version | Release | Type |
---|---|---|---|---|
curl | fixed | 8.14.0-1 | | package |
curl | not-affected | | bookworm | package |
curl | not-affected | | bullseye | package |
Notes
https://curl.se/docs/CVE-2025-4947.html
Introduced by: https://github.com/curl/curl/commit/4c46e277b2a0c0489de0e0fcb91f315c62f0369c (curl-8_8_0)
Fixed by: https://github.com/curl/curl/commit/a85f1df4803bbd272905c9e712537b41afeafbd3 (curl-8_14_0)
curl in Debian not built with wolfSSL support
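
A way to triage a given build against the conditions listed above, as an added example (not code from curl or from this tracker). It classifies the text printed by `curl -V`; the function name, result labels and sample outputs are constructed for illustration, and it assumes the TLS backend and HTTP3 feature appear in that output in curl's usual format.

```python
import re

# Range from the notes above: introduced in curl-8_8_0, fixed in curl-8_14_0.
INTRODUCED, FIXED = (8, 8, 0), (8, 14, 0)


def assess(version_output: str) -> str:
    """Classify the text printed by `curl -V` for CVE-2025-4947 exposure."""
    lines = version_output.strip().splitlines()
    if not lines:
        return "unknown"
    match = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", lines[0])
    if not match:
        return "unknown"
    version = tuple(int(part) for part in match.groups())
    if not (INTRODUCED <= version < FIXED):
        return "not-affected-version"
    # Per the notes, a build without wolfSSL (as in Debian) is not affected.
    if "wolfssl/" not in lines[0].lower():
        return "not-affected-backend"
    # The flaw is in QUIC connections, so a build without HTTP/3 never reaches it.
    features = next((ln for ln in lines if ln.startswith("Features:")), "")
    if "HTTP3" not in features.split():
        return "not-affected-no-http3"
    return "affected"


# Constructed sample outputs (hypothetical builds, not captured from real systems).
SAMPLES = {
    "wolfssl-quic": "curl 8.13.0 (x86_64-pc-linux-gnu) libcurl/8.13.0 "
                    "wolfSSL/5.7.6 zlib/1.3.1 ngtcp2/1.11.0 nghttp3/1.8.0\n"
                    "Protocols: http https\n"
                    "Features: alt-svc HSTS HTTP3 IPv6 SSL\n",
    "wolfssl-no-h3": "curl 8.10.1 (x86_64-pc-linux-gnu) libcurl/8.10.1 "
                     "wolfSSL/5.7.2 zlib/1.3.1\n"
                     "Protocols: http https\n"
                     "Features: alt-svc HSTS IPv6 SSL\n",
    "openssl": "curl 8.13.0 (x86_64-pc-linux-gnu) libcurl/8.13.0 "
               "OpenSSL/3.4.1 zlib/1.3.1 nghttp2/1.64.0\n"
               "Features: alt-svc HSTS HTTP2 IPv6 SSL\n",
    "fixed": "curl 8.14.0 (x86_64-pc-linux-gnu) libcurl/8.14.0 "
             "wolfSSL/5.8.0 ngtcp2/1.12.0 nghttp3/1.9.0\n"
             "Features: alt-svc HTTP3 SSL\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {assess(text)}")
```

The version test uses the upstream libcurl version string, so a distribution build that backports the fix without changing that string would still be reported as affected.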