
curl: CVE-2023-28322 and CVE-2023-27534



Hi Samuel,

I have recently triaged CVE-2023-28322 and CVE-2023-27534 for curl as ignored
for Buster because I believe those are minor issues. Since you expressed
interest, as the maintainer of curl, in fixing potential security vulnerabilities,
I am asking you for your assessment. Are you (or someone else reading the list)
interested in fixing those CVEs?

My reasoning for ignoring CVE-2023-28322 is that it does not affect the command
line tool, and even the use-after-free is not present in libcurl. CVE-2023-27534
requires the new internal dynbuf functions, which are not present in Buster's
curl version. The described scenario is unlikely because SFTP users are usually
restricted by the SSH server, and a buggy client can't simply access a file in
another user's home directory, provided the SSH server does not facilitate such
an attack.

Regards,

Markus


