[SECURITY] [DLA 3763-1] curl security update

To: <debian-lts-announce@lists.debian.org>
Subject: [SECURITY] [DLA 3763-1] curl security update
From: rouca@debian.org
Date: Sun, 17 Mar 2024 10:44:57 +0000
Message-id: <[🔎] 65b013b857110a419d0c9191b80683ce.rouca@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3763-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien RoucariÃ¨s
March 17, 2024                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : curl
Version        : 7.64.0-4+deb10u9
CVE ID         : CVE-2023-27534

curl was affected by a path traversal vulnerability.
SFTP implementation causes the tilde (~) character to be wrongly
replaced when used as a prefix in the first path element,
in addition to its intended use as the first element to indicate
a path relative to the user's home directory. Attackers can exploit
this flaw to bypass filtering or execute arbitrary code by
crafting a path like /~2/foo while accessing a server with
a specific user.

For Debian 10 buster, this problem has been fixed in version
7.64.0-4+deb10u9.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmX2yagRHHJvdWNhQGRl
Ymlhbi5vcmcACgkQADoaLapBCF/sbxAAjDWy4DGq1CUWgHiMKKE6mP+RO9xZhR0E
Cr6yxOF5Pz2CC+GxvgFnPa1VCEH/lphDaxpilLhq85VXOfGAuTexv2D6df7wgPPx
aR7EhT4JT60CTjZ8ItwYJHassxzl6ZiiIARIIljwfu6jvC5qLl7r6a4zNJLsMMBV
EADl55qA8W6d4jYem3GOkQBtUyVHqsi9ZFgU3BU+/uxEzJEs00jnXJocVOeMLA++
+MXNP95eEsOQWsAgu9keudouhGqlgJ7KPSPIyYu030sEdpSyxQsErxhKDltn8gP+
P0VGjIHkFg+x2v68N//ep9eDRtwogmpoRIXYgAQUqah0sgfOGeZOcZTO3U3/isTd
+OC2IFLPmq1YaXmR04v6CdFj0kAjtw4s4u4jjEbiDnhFRnwXjwaIzfo3R2BXI7FP
YHIPqMtN3+cdOyISlUYHk8v9Xe6RnIXqCAxe5bZVn5rB2WTZnXWcib18cVTDXPZ+
egVcBsnyJVeOFA/WYI0eSj59dlqGM6yZ1rg6u5FeaIHkvXDhdQDxwcJWinJ1oD/6
SuHFeuRuqJ3sDhKmCxsEdeS91WvevSTg2iVUghz16CWosITZpXDh7/ZM0GYAkn1K
5UKGY9HjgY65dkY0hXwEbv0L1XvEfqUiIfHNPzQV3VeriKkMV/3dmIXimbd8CKXW
wuKLAwTx6IM=
=bCeZ
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3762-1] unadf security update
Next by Date: [SECURITY] [DLA 3764-1] postgresql-11 security update
Previous by thread: [SECURITY] [DLA 3762-1] unadf security update
Next by thread: [SECURITY] [DLA 3764-1] postgresql-11 security update
Index(es):
- Date
- Thread