When a user invokes curl using a schemeless URL combined with --proto-default sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPTSSHHOSTPUBLICKEYSHA256 and CURLOPTSSHKNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPTDEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.
{
"availability": "No subscription required",
"priority_reason": "Upstream defined this as low severity",
"binaries": [
{
"binary_name": "curl",
"binary_version": "8.14.1-2ubuntu1.5"
},
{
"binary_name": "libcurl3t64-gnutls",
"binary_version": "8.14.1-2ubuntu1.5"
},
{
"binary_name": "libcurl4t64",
"binary_version": "8.14.1-2ubuntu1.5"
}
]
}
{
"availability": "No subscription required",
"priority_reason": "Upstream defined this as low severity",
"binaries": [
{
"binary_name": "curl",
"binary_version": "8.18.0-1ubuntu2.3"
},
{
"binary_name": "libcurl3t64-gnutls",
"binary_version": "8.18.0-1ubuntu2.3"
},
{
"binary_name": "libcurl4t64",
"binary_version": "8.18.0-1ubuntu2.3"
}
]
}