Univention Bugzilla – Bug 57160
curl: Multiple issues (5.0)
Last modified: 2024-03-27 13:56:45 CET
New Debian curl 7.64.0-4+deb10u9 fixes:

This update addresses the following issue:

7.64.0-4+deb10u9 (Sun, 28 Jan 2024 21:15:21 +0000)
* Non-maintainer upload by the LTS Team.
* CVE-2023-27534: A path traversal vulnerability existed. SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.
--- mirror/ftp/pool/main/c/curl/curl_7.64.0-4+deb10u8.dsc +++ apt/ucs_5.0-0-errata5.0-7/source/curl_7.64.0-4+deb10u9.dsc @@ -1,3 +1,16 @@ +7.64.0-4+deb10u9 [Sun, 28 Jan 2024 21:15:21 +0000] Bastien Roucariès <rouca@debian.org>: + + * Non-maintainer upload by the LTS Team. + * CVE-2023-27534: A path traversal vulnerability existed. + SFTP implementation causes the tilde (~) character to be + wrongly replaced when used as a prefix in the first path + element, in addition to its intended use as the first + element to indicate a path relative to the user's home + directory. Attackers can exploit this flaw to bypass + filtering or execute arbitrary code by crafting a + path like /~2/foo while accessing a server with + a specific user. + 7.64.0-4+deb10u8 [Sun, 17 Dec 2023 23:18:25 +0200] Adrian Bunk <bunk@debian.org>: * Non-maintainer upload by the LTS Team. <http://piuparts.knut.univention.de/5.0-7/#4054040737355574572>
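Review bot: the added 7.64.0-4+deb10u9 entry states the impact of CVE-2023-27534 but does not name the patch file or upstream commit that carries the fix, so the tilde-handling change itself cannot be checked from this diff. Suggest naming the applied patch in the changelog entry and recording whether the "/~2/foo" case it cites was tested against the rebuilt package.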
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-7] 4a5239d733 Bug #57160: curl 7.64.0-4+deb10u9
 doc/errata/staging/curl.yaml | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

[5.0-7] 630878e69b Bug #57160: curl 7.64.0-4+deb10u9
 doc/errata/staging/curl.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x999>