CVE-2023-28319: UAF in SSH sha256 fingerprint check
Medium
## Vulnerability Details
libcurl offers a feature to verify an SSH server's public key using a SHA-256
hash. When this check fails, libcurl would free the memory for the fingerprint
before it returns an error message containing the (now freed) hash.
Affected versions: curl 7.81.0 up to and including 8.0.1
Not affected versions: curl < 7.81.0 and curl >= 8.1.0
The original submission can be found here: https://hackerone.com/reports/1913733
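
The ordering flaw described above, reduced to a minimal C sketch with the corrected order beside it. This is an added example, not libcurl's source: `check_fingerprint`, `dup_fingerprint`, the `VULNERABLE_ORDER` macro, the message text and the sample strings are all hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MISMATCH_FMT "sha256 fingerprint mismatch: remote %s, expected %s"

/* Hypothetical stand-in for the heap-allocated, encoded SHA-256 fingerprint. */
static char *dup_fingerprint(const char *s)
{
  size_t n = strlen(s) + 1;
  char *p = malloc(n);
  if(p)
    memcpy(p, s, n);
  return p;
}

/* Returns 0 on match, -1 on mismatch (err then names both fingerprints). */
int check_fingerprint(const char *remote, const char *expected,
                      char *err, size_t errlen)
{
  char *fp = dup_fingerprint(remote);
  int rc = 0;
  if(!fp) {
    snprintf(err, errlen, "out of memory");
    return -1;
  }
  if(strcmp(fp, expected) != 0) {
#ifdef VULNERABLE_ORDER
    /* Flawed order: the buffer is freed, then read while formatting. */
    free(fp);
    snprintf(err, errlen, MISMATCH_FMT, fp, expected);
    return -1;
#else
    /* Corrected order: format the message while fp is still valid. */
    snprintf(err, errlen, MISMATCH_FMT, fp, expected);
    rc = -1;
#endif
  }
  free(fp); /* released only after its last use */
  return rc;
}

int main(void)
{
  char err[160];
  /* Constructed sample values, not real host key fingerprints. */
  if(check_fingerprint("AAAAremoteFP", "BBBBpinnedFP", err, sizeof(err)))
    puts(err);
  return 0;
}
```

Building the sketch with `-DVULNERABLE_ORDER -fsanitize=address` lets AddressSanitizer flag the read of the freed buffer as a heap-use-after-free.
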
## Impact
This flaw risks inserting sensitive heap-based data into the error message
that might be shown to users or otherwise get leaked and revealed.
## Report Stats
- Report ID: 1997312
- State: Closed
- Substate: resolved
- Upvotes: 2