From 5.57 NEWS:
The "redirect" option was fixed to properly handle "verifyChain = yes" (thx to Rob Hoes).
From 5.58 NEWS:
The "redirect" option was fixed to properly handle unauthenticated requests (thx to Martin Stein).
Fixed a double free with OpenSSL older than 1.1.0 (thx to Petr Strukov).
(In reply to Sam James from comment #0)
> From 5.58 NEWS:
> "Security bugfixes
> The "redirect" option was fixed to properly handle unauthenticated requests
> (thx to Martin Stein).
I believe this is CVE-2021-20230.
FYI: I bumped after speaking to blueness to 5.58.
(In reply to Conrad Kostecki from comment #2)
> FYI: I bumped after speaking to blueness to 5.58.
Thanks! Please proceed with stabilization when ready.
all arches done
cleanup of vulnerable version done
New GLSA request filed.
This issue was resolved and addressed in
GLSA 202105-02 at https://security.gentoo.org/glsa/202105-02
by GLSA coordinator Thomas Deutschmann (whissi).