Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.2293 curl security update 24 April 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: curl Publisher: Debian Operating System: Debian GNU/Linux Resolution: Patch/Upgrade CVE Names: CVE-2023-27538 CVE-2023-27536 CVE-2023-27535 CVE-2023-27533 CVE-2023-2753 Original Bulletin: https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html Comment: CVSS (Max): 9.8 CVE-2023-27536 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSS Source: NVD Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3398-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Markus Koschany April 21, 2023 https://wiki.debian.org/LTS - ------------------------------------------------------------------------- Package : curl Version : 7.64.0-4+deb10u6 CVE ID : CVE-2023-27533 CVE-2023-27535 CVE-2023-27536 CVE-2023-27538 Several security vulnerabilities have been found in cURL, an easy-to-use client-side URL transfer library. CVE-2023-27533 A vulnerability in input validation exists in curl during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system. CVE-2023-27535 An authentication bypass vulnerability exists in libcurl in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information. CVE-2023-27536 An authentication bypass vulnerability exists in libcurl in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed. CVE-2023-27538 An authentication bypass vulnerability exists in libcurl where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection. For Debian 10 buster, these problems have been fixed in version 7.64.0-4+deb10u6. We recommend that you upgrade your curl packages. For the detailed security status of curl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/curl Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -----BEGIN PGP SIGNATURE----- iQKTBAABCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmRC7FxfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeRegw//ZOUUw4F7u1bbvZ9MYBIZ1j5AE3MemClqYPlSbkvTZH6rM47wXOT7WPjX /vUVuFhqttvPeI+69JeBuMpt7AmrOrJy4IKMtwxsKhzswZ8XgTl2fAghC8ZaBg5Z Lb/74FGPgVDvbGoi4gou9ltDvCdfZVExmkrBkFTR6kMGm3ZbdRpC1x2LvThrCyUH Y8Ll1F0BBSvD3ILh1dzF3tXxkyorEQgDEGFPEiQKFGurDsHkZve5Y13BmqOVcOKQ 1ejTrvMgWjYGhDBn41udZAokUrR899Kkb8u5czSI6CgBMuyUtg0vk0JhkdMa/vjy ydpiUJmH2TVKoOduOI4u/f0+VpskFQbwoTcWjoGVnkzMo0YQQyQhqGpvE2dSQFJ8 SnOE51Cc4cVb23T7QSmzEOk5ZR7uMmatlrezNPzo70SH/MLKyCfUZ9spP+orhXMK 9SsTZoF37MGnBnDDWgPJgoUIbB6iBv26hlH53FcecTphlu3hsu/9BTb1IZAtk/64 K4QnVNDQqSbyoglwAMWDHuVf1YzP0u9+i6wvXWJjiX68P1ZpTfUK5+DKTYUbaSPa JTi1EXZbfiNc+NvSy8Fq+YZBmF8Ha33E/8lxMgjKpB8VyLKl9tW7JupcMlUmkLio JNsUow9mGcFHKS2Dolrx5qEoUTU1sgmuR6rLzuhw3rWjlKx8Xgo= =XV6q - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBZEXgc8kNZI30y1K9AQjW8hAAg/ISHK+j8tyrBzSUwQ3Uf5D5eRSxXOpG iGxNNLCvDUp+/0dKN2/o6SR72UbmGKKhQEN2Wpp0balYQvxoXUBQo37dEnOBhOeN SahyAo0Tb+IaUSqdxWEA5GNwSnA5XPu6VQijcw1eARYcQNKNvFb6xDsYSqkop0ZY Mb7WQcjxjmGLfaUdOWYgQjRIWY/JyV7GTZqv1UHz9vRWOasHrt859opQCnyp4wnL HB46mWLGt8XNzSOL+FaSui977AkKrV6PGRt53WHpjdTXw2laEx3tro07RHW06glN PtOkKo6r8I1symDXYo9JUXPPP5IhDcs6raj58/jLWFce6t42s7YjbU/wl2LEt/Qr TDZpEGOu7ChfpZ1UKpvMpFvzdCn5YXxv6cVffXfe1ZgHe7dQoWUApqgiCtIaKCED MCKXPrwYgbDWXAkQfGpinM+j6sKjVwyREx2tjzOqAuezJWHd+fKvS/0mdtQae/JE vPGBGhGzPHCXg1y8Yl4rd3rwRW6YzOJC7L64ojz0SUwkmHq8M06kU1jgQdSnXJDf uEQAzboI3q/GN7YzioOyUoYXkPOJhe1jghposLcYM42N0X1uUlJqPcBqK+YIc3eU W61y83wt2t//ko+qpX3Baa6GbsXBlR3mJ+zt3ImIwLdkKaM6YNbW6ccAL6mJofAI BcS2j8f8mLI= =aKYp -----END PGP SIGNATURE-----