PublicDateAtUSN: 2021-03-31 06:00:00 UTC
Candidate: CVE-2021-22890
CRD: 2021-03-31 06:00:00 UTC
PublicDate: 2021-04-01 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22890
 https://curl.se/docs/CVE-2021-22890.html
 https://ubuntu.com/security/notices/USN-4898-1
Description:
 curl 7.63.0 to and including 7.75.0 includes a vulnerability that allows a
 malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3
 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse
 session tickets arriving from the HTTPS proxy but work as if they arrived
 from the remote server and then wrongly "short-cut" the host handshake.
 When confusing the tickets, a HTTPS proxy can trick libcurl to use the
 wrong session ticket resume for the host and thereby circumvent the server
 TLS certificate check and make a MITM attack possible to perform
 unnoticed. Note that such a malicious HTTPS proxy needs to provide a
 certificate that curl will accept for the MITMed server for an attack to
 work - unless curl has been told to ignore the server certificate check.
Ubuntu-Description:
Notes:
 amurray| affects curl versions between 7.63.0 and 7.75.0
Mitigation:
Bugs:
Priority: medium
Discovered-by: Mingtao Yang
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N [3.7 LOW]

Patches_curl:
 vendor: https://curl.se/EQo2A9nBnMI68.patch
upstream_curl: needs-triage
precise/esm_curl: not-affected (code not present)
trusty_curl: ignored (out of standard support)
trusty/esm_curl: not-affected (code not present)
xenial_curl: not-affected (code not present)
esm-infra/xenial_curl: not-affected (code not present)
bionic_curl: not-affected (code not present)
focal_curl: released (7.68.0-1ubuntu2.5)
groovy_curl: released (7.68.0-1ubuntu4.3)
devel_curl: released (7.74.0-1ubuntu2)