ELA-664-1 curl security update
Package curl
ELA-664-1 curl security update
Version 7.38.0-4+deb8u23 (jessie), 7.52.1-5+deb9u17 (stretch)
Related CVEs CVE-2022-22576 CVE-2022-27776 CVE-2022-27781 CVE-2022-32208
Multiple security vulnerabilities have been discovered in cURL, an URL transfer library. These flaws may allow remote attackers to obtain sensitive information, leak authentication or cookie header data or facilitate a denial of service attack.
The following CVE has been additionally addressed in Debian 9 “Stretch”.
CVE-2022-27782
libcurl would reuse a previously created connection even when a TLS or SSH
related option had been changed that should have prohibited reuse. libcurl
keeps previously used connections in a connection pool for subsequent
transfers to reuse if one of them matches the setup. However, several TLS and
SSH settings were left out from the configuration match checks, making them
match too easily.
For Debian 8 jessie, these problems have been fixed in version 7.38.0-4+deb8u23.
For Debian 9 stretch, these problems have been fixed in version 7.52.1-5+deb9u17.
We recommend that you upgrade your curl packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
A curl security update has been released for Debian GNU/Linux 9 Extended LTS to address multiple security vulnerabilities.
