curl -- multiple vulnerabilities

Harry Sintonen reports:

CVE-2023-27533

      curl supports communicating using the TELNET protocol
      and as a part of this it offers users to pass on user
      name and "telnet options" for the server
      negotiation.

      Due to lack of proper input scrubbing and without it
      being the documented functionality, curl would pass on
      user name and telnet options to the server as
      provided. This could allow users to pass in carefully
      crafted content that pass on content or do option
      negotiation without the application intending to do
      so. In particular if an application for example allows
      users to provide the data or parts of the data.

CVE-2023-27534

      curl supports SFTP transfers. curl's SFTP implementation
      offers a special feature in the path component of URLs:
      a tilde (~) character as the first path element in the
      path to denotes a path relative to the user's home
      directory. This is supported because of wording in the
      once proposed to-become RFC draft that was to dictate
      how SFTP URLs work.

      Due to a bug, the handling of the tilde in SFTP path did
      however not only replace it when it is used stand-alone
      as the first path element but also wrongly when used as
      a mere prefix in the first element.

      Using a path like /~2/foo when accessing a server using
      the user dan (with home directory /home/dan) would then
      quite surprisingly access the file /home/dan2/foo.

      This can be taken advantage of to circumvent filtering
      or worse.

CVE-2023-27535

      libcurl would reuse a previously created FTP connection
      even when one or more options had been changed that
      could have made the effective user a very different one,
      thus leading to the doing the second transfer with wrong
      credentials.

      libcurl keeps previously used connections in a
      connection pool for subsequent transfers to reuse if one
      of them matches the setup. However, several FTP settings
      were left out from the configuration match checks,
      making them match too easily. The settings in questions
      are CURLOPT_FTP_ACCOUNT,
      CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC and
      CURLOPT_USE_SSL level.

CVE-2023-27536

      ibcurl would reuse a previously created connection even
      when the GSS delegation (CURLOPT_GSSAPI_DELEGATION)
      option had been changed that could have changed the
      user's permissions in a second transfer.

      libcurl keeps previously used connections in a
      connection pool for subsequent transfers to reuse if one
      of them matches the setup. However, this GSS delegation
      setting was left out from the configuration match
      checks, making them match too easily, affecting
      krb5/kerberos/negotiate/GSSAPI transfers.

CVE-2023-27537

      libcurl supports sharing HSTS data between separate
      "handles". This sharing was introduced without
      considerations for do this sharing across separate
      threads but there was no indication of this fact in the
      documentation.

      Due to missing mutexes or thread locks, two threads
      sharing the same HSTS data could end up doing a
      double-free or use-after-free.

CVE-2023-27538

      libcurl would reuse a previously created connection even
      when an SSH related option had been changed that should
      have prohibited reuse.

      libcurl keeps previously used connections in a
      connection pool for subsequent transfers to reuse if one
      of them matches the setup. However, two SSH settings
      were left out from the configuration match checks,
      making them match too easily.