Univention Bugzilla – Bug 56011
curl: Multiple issues (5.0)
Last modified: 2023-05-03 15:40:41 CEST
New Debian curl 7.64.0-4+deb10u6 fixes:

This update addresses the following issues:
* TELNET option IAC injection (CVE-2023-27533)
* FTP too eager connection reuse (CVE-2023-27535)
* GSS delegation too eager connection re-use (CVE-2023-27536)
* SSH connection too eager reuse still (CVE-2023-27538)
--- mirror/ftp/pool/main/c/curl/curl_7.64.0-4+deb10u5.dsc +++ apt/ucs_5.0-0-errata5.0-3/source/curl_7.64.0-4+deb10u6.dsc 
@@ -1,3 +1,41 @@ +7.64.0-4+deb10u6 [Fri, 21 Apr 2023 20:08:17 +0200] Markus Koschany <apo@debian.org>: + + * Non-maintainer upload by the LTS team. + * Fix CVE-2023-27533: + A vulnerability in input validation exists in curl during + communication using the TELNET protocol may allow an attacker to pass on + maliciously crafted user name and "telnet options" during server + negotiation. The lack of proper input scrubbing allows an attacker to send + content or perform option negotiation without the application's intent. + This vulnerability could be exploited if an application allows user input, + thereby enabling attackers to execute arbitrary code on the system. + * Fix CVE-2023-27535: + An authentication bypass vulnerability exists in libcurl in the FTP + connection reuse feature that can result in wrong credentials being used + during subsequent transfers. Previously created connections are kept in a + connection pool for reuse if they match the current setup. However, certain + FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, + CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the + configuration match checks, causing them to match too easily. This could + lead to libcurl using the wrong credentials when performing a transfer, + potentially allowing unauthorized access to sensitive information. + * CVE-2023-27536: + An authentication bypass vulnerability exists in libcurl in the + connection reuse feature which can reuse previously established connections + with incorrect user permissions due to a failure to check for changes in + the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects + krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in + unauthorized access to sensitive information. The safest option is to not + reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed. 
+ * Fix CVE-2023-27538: + An authentication bypass vulnerability exists in libcurl where it + reuses a previously established SSH connection despite the fact that an SSH + option was modified, which should have prevented reuse. libcurl maintains a + pool of previously used connections to reuse them for subsequent transfers + if the configurations match. However, two SSH settings were omitted from + the configuration check, allowing them to match easily, potentially leading + to the reuse of an inappropriate connection. + 7.64.0-4+deb10u5 [Fri, 24 Feb 2023 09:25:01 +0200] Adrian Bunk <bunk@debian.org>: * Non-maintainer upload by the LTS Team. <http://piuparts.knut.univention.de/5.0-3/#358382355043712807>
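Review bot: the CVE-2023-27536 entry in the new 7.64.0-4+deb10u6 changelog block is headed "* CVE-2023-27536:" while the other three entries are headed "* Fix CVE-2023-...:"; add the "Fix" prefix so all four read the same way and none looks like a mention rather than a fix. In the CVE-2023-27533 entry, "exists in curl during communication using the TELNET protocol may allow" is missing a "that" before "may allow". The CVE-2023-27538 entry says "two SSH settings were omitted from the configuration check" without naming them, whereas the CVE-2023-27535 entry lists the affected CURLOPT_ options by name; naming the two SSH options would let an administrator judge from the changelog alone whether their use of libcurl is affected.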
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-3] df52f79448 Bug #56011: curl 7.64.0-4+deb10u6
 doc/errata/staging/curl.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x651>