
[SECURITY] [DLA 3951-1] curl security update




-------------------------------------------------------------------------
Debian LTS Advisory DLA-3951-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
November 14, 2024                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : curl
Version        : 7.74.0-1.3+deb11u14
CVE ID         : CVE-2024-8096


curl, a command line tool for transferring data with URL syntax, was
affected by CVE-2024-8096. When the TLS backend is GnuTLS, curl may
incorrectly handle OCSP stapling. If the OCSP status reports an error
other than "revoked" (e.g., "unauthorized"), it is not treated as a
bad certificate, potentially allowing invalid certificates to be
considered valid.

For Debian 11 bullseye, this problem has been fixed in version
7.74.0-1.3+deb11u14.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
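
As an added example (not part of the advisory or of Debian's tooling), the script below triages a bullseye host: it compares installed curl package versions against the fixed version named above and checks whether the curl CLI reports GnuTLS as its TLS backend. The package names curl, libcurl4 and libcurl3-gnutls, the script name and the `--check` switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: triage a Debian 11 (bullseye) host for CVE-2024-8096.
FIXED_VERSION='7.74.0-1.3+deb11u14'   # fixed version stated in DLA-3951-1

# version_lt A B: true if Debian version A sorts before B.
# Uses dpkg when present; the sort -V fallback is an approximation that is
# adequate for the +deb11uN revisions compared here.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] &&
            [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# classify VERSION: print "vulnerable" or "fixed" for a bullseye curl version.
classify() {
    if version_lt "$1" "$FIXED_VERSION"; then echo vulnerable; else echo fixed; fi
}

# uses_gnutls TEXT: true if the first line of `curl --version` output names GnuTLS.
uses_gnutls() {
    printf '%s\n' "$1" | head -n 1 | grep -q ' GnuTLS/'
}

# check_host: report each installed curl package (assumed package names) and
# whether the curl CLI on PATH was built against the affected TLS backend.
check_host() {
    dpkg-query -W -f='${Package} ${Status} ${Version}\n' \
        curl libcurl4 libcurl3-gnutls 2>/dev/null |
    while read -r pkg _want _ok state ver; do
        [ "$state" = installed ] || continue
        echo "$pkg $ver: $(classify "$ver")"
    done
    if command -v curl >/dev/null 2>&1 && uses_gnutls "$(curl --version)"; then
        echo "curl CLI is linked against GnuTLS (the affected backend)"
    fi
}

# Run the host check only when asked, e.g. `sh check-curl.sh --check`.
if [ "${1:-}" = "--check" ]; then check_host; fi
```

Applications that link the GnuTLS flavour of libcurl are affected even when the curl CLI itself reports another backend, so the package lines matter independently of the CLI line.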