Lucene search

K
debianDebianDEBIAN:DSA-5523-1:7664C
HistoryOct 11, 2023 - 6:58 a.m.

[SECURITY] [DSA 5523-1] curl security update

2023-10-1106:58:41
lists.debian.org
140
update
buffer overflow
debian
cookie injection
vulnerabilities
advisory
patch
security
curl

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.003 Low

EPSS

Percentile

70.8%


Debian Security Advisory DSA-5523-1 [email protected]
https://www.debian.org/security/ Moritz Muehlenhoff
October 11, 2023 https://www.debian.org/security/faq


Package : curl
CVE ID : CVE-2023-38545 CVE-2023-38546

Two security issues were found in Curl, an easy-to-use client-side URL
transfer library and command line tool:

CVE-2023-38545

Jay Satiro discovered a buffer overflow in the SOCKS5 proxy handshake.

CVE-2023-38546

It was discovered that under some circumstances libcurl was
susceptible to cookie injection.

For the oldstable distribution (bullseye), these problems have been fixed
in version 7.74.0-1.3+deb11u10.

For the stable distribution (bookworm), these problems have been fixed in
version 7.88.1-10+deb12u4.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.003 Low

EPSS

Percentile

70.8%