A flaw was found in the Curl package. Libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The problematic settings are CURLOPT_FTP_ACCOUNT
, CURLOPT_FTP_ALTERNATIVE_TO_USER
, CURLOPT_FTP_SSL_CCC
and CURLOPT_USE_SSL
level.