Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2023.2293
curl security update
24 April 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: curl
Publisher: Debian
Operating System: Debian GNU/Linux
Resolution: Patch/Upgrade
CVE Names: CVE-2023-27538 CVE-2023-27536 CVE-2023-27535
CVE-2023-27533 CVE-2023-2753
Original Bulletin:
https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html
Comment: CVSS (Max): 9.8 CVE-2023-27536 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: NVD
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3398-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
April 21, 2023 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : curl
Version : 7.64.0-4+deb10u6
CVE ID : CVE-2023-27533 CVE-2023-27535 CVE-2023-27536 CVE-2023-27538
Several security vulnerabilities have been found in cURL, an easy-to-use
client-side URL transfer library.
CVE-2023-27533
A vulnerability in input validation exists in curl during
communication using the TELNET protocol may allow an attacker to pass on
maliciously crafted user name and "telnet options" during server
negotiation. The lack of proper input scrubbing allows an attacker to send
content or perform option negotiation without the application's intent.
This vulnerability could be exploited if an application allows user input,
thereby enabling attackers to execute arbitrary code on the system.
CVE-2023-27535
An authentication bypass vulnerability exists in libcurl in the FTP
connection reuse feature that can result in wrong credentials being used
during subsequent transfers. Previously created connections are kept in a
connection pool for reuse if they match the current setup. However, certain
FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER,
CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the
configuration match checks, causing them to match too easily. This could
lead to libcurl using the wrong credentials when performing a transfer,
potentially allowing unauthorized access to sensitive information.
CVE-2023-27536
An authentication bypass vulnerability exists in libcurl in the
connection reuse feature which can reuse previously established connections
with incorrect user permissions due to a failure to check for changes in
the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects
krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in
unauthorized access to sensitive information. The safest option is to not
reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.
CVE-2023-27538
An authentication bypass vulnerability exists in libcurl where it
reuses a previously established SSH connection despite the fact that an SSH
option was modified, which should have prevented reuse. libcurl maintains a
pool of previously used connections to reuse them for subsequent transfers
if the configurations match. However, two SSH settings were omitted from
the configuration check, allowing them to match easily, potentially leading
to the reuse of an inappropriate connection.
For Debian 10 buster, these problems have been fixed in version
7.64.0-4+deb10u6.
We recommend that you upgrade your curl packages.
For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmRC7FxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeRegw//ZOUUw4F7u1bbvZ9MYBIZ1j5AE3MemClqYPlSbkvTZH6rM47wXOT7WPjX
/vUVuFhqttvPeI+69JeBuMpt7AmrOrJy4IKMtwxsKhzswZ8XgTl2fAghC8ZaBg5Z
Lb/74FGPgVDvbGoi4gou9ltDvCdfZVExmkrBkFTR6kMGm3ZbdRpC1x2LvThrCyUH
Y8Ll1F0BBSvD3ILh1dzF3tXxkyorEQgDEGFPEiQKFGurDsHkZve5Y13BmqOVcOKQ
1ejTrvMgWjYGhDBn41udZAokUrR899Kkb8u5czSI6CgBMuyUtg0vk0JhkdMa/vjy
ydpiUJmH2TVKoOduOI4u/f0+VpskFQbwoTcWjoGVnkzMo0YQQyQhqGpvE2dSQFJ8
SnOE51Cc4cVb23T7QSmzEOk5ZR7uMmatlrezNPzo70SH/MLKyCfUZ9spP+orhXMK
9SsTZoF37MGnBnDDWgPJgoUIbB6iBv26hlH53FcecTphlu3hsu/9BTb1IZAtk/64
K4QnVNDQqSbyoglwAMWDHuVf1YzP0u9+i6wvXWJjiX68P1ZpTfUK5+DKTYUbaSPa
JTi1EXZbfiNc+NvSy8Fq+YZBmF8Ha33E/8lxMgjKpB8VyLKl9tW7JupcMlUmkLio
JNsUow9mGcFHKS2Dolrx5qEoUTU1sgmuR6rLzuhw3rWjlKx8Xgo=
=XV6q
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBZEXgc8kNZI30y1K9AQjW8hAAg/ISHK+j8tyrBzSUwQ3Uf5D5eRSxXOpG
iGxNNLCvDUp+/0dKN2/o6SR72UbmGKKhQEN2Wpp0balYQvxoXUBQo37dEnOBhOeN
SahyAo0Tb+IaUSqdxWEA5GNwSnA5XPu6VQijcw1eARYcQNKNvFb6xDsYSqkop0ZY
Mb7WQcjxjmGLfaUdOWYgQjRIWY/JyV7GTZqv1UHz9vRWOasHrt859opQCnyp4wnL
HB46mWLGt8XNzSOL+FaSui977AkKrV6PGRt53WHpjdTXw2laEx3tro07RHW06glN
PtOkKo6r8I1symDXYo9JUXPPP5IhDcs6raj58/jLWFce6t42s7YjbU/wl2LEt/Qr
TDZpEGOu7ChfpZ1UKpvMpFvzdCn5YXxv6cVffXfe1ZgHe7dQoWUApqgiCtIaKCED
MCKXPrwYgbDWXAkQfGpinM+j6sKjVwyREx2tjzOqAuezJWHd+fKvS/0mdtQae/JE
vPGBGhGzPHCXg1y8Yl4rd3rwRW6YzOJC7L64ojz0SUwkmHq8M06kU1jgQdSnXJDf
uEQAzboI3q/GN7YzioOyUoYXkPOJhe1jghposLcYM42N0X1uUlJqPcBqK+YIc3eU
W61y83wt2t//ko+qpX3Baa6GbsXBlR3mJ+zt3ImIwLdkKaM6YNbW6ccAL6mJofAI
BcS2j8f8mLI=
=aKYp
-----END PGP SIGNATURE-----