| Package | curl |
|---|---|
| Version | 7.52.1-5+deb9u23 (stretch), 7.64.0-4+deb10u11 (buster) |
| Related CVEs | CVE-2024-2398, CVE-2024-8096 |
Two security issues were found in curl, an easy-to-use client-side URL transfer library and command-line tool:
CVE-2024-2398
When an application tells libcurl it wants to allow HTTP/2 server push (by
installing a CURLMOPT_PUSHFUNCTION callback), and the number of received
headers for the push exceeds the maximum allowed limit (1000), libcurl aborts
the server push. When aborting, libcurl inadvertently does not free all the
previously allocated headers and instead leaks the memory.
Further, this error condition fails silently and is therefore not easily
detected by an application: a server that keeps pushing streams with more than
1000 headers grows the client's memory use without any visible error.
Applications that never enable server push are not affected.
CVE-2024-8096
When curl is told to use the Certificate Status Request TLS extension, often
referred to as OCSP stapling (--cert-status on the command line,
CURLOPT_SSL_VERIFYSTATUS in libcurl), to verify that the server certificate
is valid, it might fail to detect some OCSP problems and instead wrongly
consider the response as fine.
If the returned status reports another error than "revoked" (like for
example "unauthorized") it is not treated as a bad certificate. The check is
effectively inverted: only an explicit "revoked" verdict is rejected, where
anything other than a successful "good" answer should fail the connection.
The flaw is in curl's GnuTLS backend, which on Debian is the libcurl3-gnutls
package.
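The logic error in miniature, as an added example that is not curl's or GnuTLS's source. The status values follow RFC 6960 (OCSPResponseStatus for "did the responder answer", CertStatus for the verdict inside a successful answer); the struct and the ocsp_accept_* functions are invented here. The vulnerable variant rejects only an explicit "revoked", so an "unauthorized" response, which carries no verdict at all, passes; the fixed variant is default-deny.

```c
/* Added example modelling the CVE-2024-8096 check; not curl's or GnuTLS's
 * source. Status codes per RFC 6960; stapled_response and ocsp_accept_* are
 * invented names. */
#include <stdio.h>

/* RFC 6960 OCSPResponseStatus: whether the responder produced an answer. */
enum ocsp_resp_status {
    OCSP_RESP_SUCCESSFUL = 0,
    OCSP_RESP_MALFORMED_REQUEST = 1,
    OCSP_RESP_INTERNAL_ERROR = 2,
    OCSP_RESP_TRY_LATER = 3,
    OCSP_RESP_SIG_REQUIRED = 5,
    OCSP_RESP_UNAUTHORIZED = 6
};

/* RFC 6960 CertStatus: the verdict, present only in a successful response. */
enum ocsp_cert_status {
    OCSP_CERT_GOOD = 0,
    OCSP_CERT_REVOKED = 1,
    OCSP_CERT_UNKNOWN = 2
};

struct stapled_response {
    enum ocsp_resp_status resp;
    enum ocsp_cert_status cert;    /* only meaningful when resp == SUCCESSFUL */
};

/* Vulnerable shape: the only outcome treated as "bad certificate" is an
 * explicit "revoked". An error response such as "unauthorized" carries no
 * verdict, yet falls through and the handshake proceeds. */
int ocsp_accept_vulnerable(const struct stapled_response *r)
{
    if (r->resp == OCSP_RESP_SUCCESSFUL && r->cert == OCSP_CERT_REVOKED)
        return 0;
    return 1;
}

/* Fixed shape (default deny): the response must be successful AND the
 * verdict must be "good"; anything else fails the TLS connection. */
int ocsp_accept_fixed(const struct stapled_response *r)
{
    if (r->resp != OCSP_RESP_SUCCESSFUL)
        return 0;
    return r->cert == OCSP_CERT_GOOD;
}

int main(void)
{
    /* Constructed cases: a clean answer, a revocation, an error response with
     * no verdict, and a successful answer where the responder does not know
     * the certificate. */
    const struct stapled_response cases[] = {
        { OCSP_RESP_SUCCESSFUL,   OCSP_CERT_GOOD },
        { OCSP_RESP_SUCCESSFUL,   OCSP_CERT_REVOKED },
        { OCSP_RESP_UNAUTHORIZED, OCSP_CERT_GOOD },    /* cert field is noise here */
        { OCSP_RESP_SUCCESSFUL,   OCSP_CERT_UNKNOWN },
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("resp=%d cert=%d  vulnerable:%s  fixed:%s\n",
               cases[i].resp, cases[i].cert,
               ocsp_accept_vulnerable(&cases[i]) ? "accept" : "reject",
               ocsp_accept_fixed(&cases[i]) ? "accept" : "reject");
    return 0;
}
```

The practical check after upgrading is the same in both directions: `curl --cert-status` against a server whose stapled response is known bad must fail the connection, not just against one whose certificate is revoked.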
For Debian 10 buster, these problems have been fixed in version 7.64.0-4+deb10u11.
For Debian 9 stretch, these problems have been fixed in version 7.52.1-5+deb9u23.
We recommend that you upgrade your curl packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.