Comment 11 for bug 1940528

Dimitri John Ledkov (xnox) wrote :

1) downgraded openssl to 1.1.1f-1ubuntu2.9 such that it doesn't have the double free fix that was released in https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.10

2) installed old pka module from commit b0f32fa05298bf9e3997ea43fc1c11b90e0d662f

3) installed focal-updates version of curl

Observed double free core dump:

# dpkg-query -W | grep -e 1.1.1f -e curl -e pka
curl 7.68.0-1ubuntu2.7
libcurl3-gnutls:arm64 7.68.0-1ubuntu2.7
libcurl4:arm64 7.68.0-1ubuntu2.7
libpka1:arm64 1.3-1
libssl-dev:arm64 1.1.1f-1ubuntu2.9
libssl1.1:arm64 1.1.1f-1ubuntu2.9
openssl 1.1.1f-1ubuntu2.9

# curl -o /dev/null https://start.ubuntu.com/connectivity-check.html
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
100 576 100 576 0 0 2117 0 --:--:-- --:--:-- --:--:-- 2117
double free or corruption (out)
Aborted (core dumped)

Upgraded to new curl:

# dpkg-query -W | grep -e 1.1.1f -e curl -e pka
curl 7.68.0-1ubuntu2.8
libcurl3-gnutls:arm64 7.68.0-1ubuntu2.8
libcurl4:arm64 7.68.0-1ubuntu2.8
libpka1:arm64 1.3-1
libssl-dev:arm64 1.1.1f-1ubuntu2.9
libssl1.1:arm64 1.1.1f-1ubuntu2.9
openssl 1.1.1f-1ubuntu2.9

# curl -o /dev/null https://start.ubuntu.com/connectivity-check.html
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
100 576 100 576 0 0 1894 0 --:--:-- --:--:-- --:--:-- 1888

Observed success without any double-free or segfault in openssl.

Although this particular issue has already been fixed in openssl, it still makes sense to release this update of curl which includes correct openssl engine API usage.