CVE-2024-2466

NameCVE-2024-2466
Descriptionlibcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)jessie, jessie (lts)7.38.0-4+deb8u28fixed
stretch (security)7.52.1-5+deb9u16fixed
stretch (lts), stretch7.52.1-5+deb9u22fixed
buster, buster (lts)7.64.0-4+deb10u10fixed
buster (security)7.64.0-4+deb10u9fixed
bullseye7.74.0-1.3+deb11u13fixed
bullseye (security)7.74.0-1.3+deb11u14fixed
bookworm7.88.1-10+deb12u8fixed
bookworm (security)7.88.1-10+deb12u5fixed
sid, trixie8.11.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsourcejessie(not affected)
curlsourcestretch(not affected)
curlsourcebuster(not affected)
curlsourcebullseye(not affected)
curlsourcebookworm(not affected)
curlsource(unstable)8.7.1-1unimportant

Notes

[bookworm] - curl <not-affected> (Vulnerable code not present)
[bullseye] - curl <not-affected> (Vulnerable code not present)
[buster] - curl <not-affected> (Vulnerable code not present)
https://curl.se/docs/CVE-2024-2466.html
Introduced by: https://github.com/curl/curl/commit/fa714830e92cba7b16b9d3f2cc92a72ee9d821fa (curl-8_5_0)
Fixed by: https://github.com/curl/curl/commit/3d0fd382a29b95561b90b7ea3e7eb04dfdd43538 (curl-8_7_0)
curl in Debian not built with mbedTLS support
[stretch] - curl <not-affected> (The vulnerable code was introduced later)
[jessie] - curl <not-affected> (The vulnerable code was introduced later)

Search for package or bug name: Reporting problems