
[SECURITY] [DLA 3763-1] curl security update




-------------------------------------------------------------------------
Debian LTS Advisory DLA-3763-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
March 17, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : curl
Version        : 7.64.0-4+deb10u9
CVE ID         : CVE-2023-27534

curl was affected by a path traversal vulnerability.
The SFTP implementation causes the tilde (~) character to be wrongly
replaced when used as a prefix in the first path element,
in addition to its intended use as the first element to indicate
a path relative to the user's home directory. Attackers can exploit
this flaw to bypass filtering or execute arbitrary code by
crafting a path like /~2/foo while accessing a server with
a specific user.

For Debian 10 buster, this problem has been fixed in version
7.64.0-4+deb10u9.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
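
An added example, not part of the advisory and not curl's or Debian's code:
a pre-flight check that a script could run on sftp:// URLs before handing
them to curl, flagging a first path element that starts with ~ without being
exactly ~ (the /~2/foo form described above). The function names, labels and
sample URLs are assumptions made for this illustration.

```python
from urllib.parse import urlsplit, unquote

# Classification labels (names chosen for this example).
HOME_RELATIVE = "home-relative"    # first element is exactly "~": the intended use
TILDE_PREFIXED = "tilde-prefixed"  # first element only starts with "~", e.g. /~2/foo
PLAIN = "plain"                    # first element does not start with "~"
NOT_SFTP = "not-sftp"              # other schemes are out of scope here


def classify_sftp_path(url: str) -> str:
    """Classify the first path element of an sftp:// URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "sftp":
        return NOT_SFTP
    # Decode percent-escapes first so that %7E is treated like a literal "~".
    path = unquote(parts.path)
    # Drop only the single slash that separates the host from the path.
    if path.startswith("/"):
        path = path[1:]
    first = path.split("/", 1)[0]
    if first == "~":
        return HOME_RELATIVE
    if first.startswith("~"):
        return TILDE_PREFIXED
    return PLAIN


def flag_urls(urls):
    """Return the URLs whose first path element is tilde-prefixed."""
    return [u for u in urls if classify_sftp_path(u) == TILDE_PREFIXED]


# Constructed sample input; host and user names are placeholders.
SAMPLE_URLS = [
    "sftp://backup@files.example.org/~/reports/q1.csv",
    "sftp://backup@files.example.org/~2/foo",
    "sftp://backup@files.example.org/%7E2/foo",
    "sftp://backup@files.example.org/srv/data/~notes.txt",
    "https://files.example.org/~2/foo",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{classify_sftp_path(url):15} {url}")
```
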