ELA-1455-1 curl security update

multiple vulnerabilities

2025-06-09
Package: curl
Version: 7.38.0-4+deb8u29 (jessie)
Related CVEs: CVE-2023-27534 CVE-2023-28321 CVE-2023-28322


Three security issues were found in Curl, an easy-to-use client-side URL transfer library and command line tool:

CVE-2023-27534

A path traversal vulnerability exists in the curl <8.0.0 SFTP implementation
that causes the tilde (~) character to be wrongly replaced when used as a prefix
in the first path element, in addition to its intended use as the first
element to indicate a path relative to the user's home directory. Attackers
can exploit this flaw to bypass filtering or execute arbitrary code by
crafting a path like /~2/foo while accessing a server with a specific user.

CVE-2023-28321

An improper certificate validation vulnerability exists in curl <v8.1.0 in
the way it supports matching of wildcard patterns when listed as "Subject
Alternative Name" in TLS server certificates. curl can be built to use its
own name matching function for TLS rather than one provided by a TLS
library. This private wildcard matching function would match IDN
(International Domain Name) hosts incorrectly and could as a result accept
patterns that otherwise should mismatch. IDN hostnames are converted to
punycode before being used for certificate checks. Punycode names always start
with `xn--` and should not be allowed to pattern match, but the wildcard
check in curl could still check for `x*`, which would match even though the
IDN name most likely contained nothing even resembling an `x`.
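
The wildcard rule described for CVE-2023-28321, as an added example (not curl's code and not part of the advisory): a permissive matcher that honours `x*` beside a strict one that accepts only a whole-label `*.` wildcard and never matches it against an `xn--` label. The function names, the two-label suffix requirement and the sample hostnames are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Compare n bytes ignoring case; n = strlen(a) + 1 compares whole strings. */
static bool ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Permissive matcher (not curl's code): honours a prefix wildcard like "x*". */
static bool permissive_match(const char *pattern, const char *host)
{
    const char *star = strchr(pattern, '*');
    const char *pdot = strchr(pattern, '.');
    const char *hdot = strchr(host, '.');
    if (!star)
        return ieq(pattern, host, strlen(pattern) + 1);
    if (!hdot || star + 1 != pdot || !ieq(pdot, hdot, strlen(pdot) + 1))
        return false;
    return ieq(pattern, host, (size_t)(star - pattern));
}

/* Strict matcher: the wildcard must be the whole leftmost label ("*."), the
   suffix needs at least two labels, and an "xn--" label never matches it. */
static bool strict_match(const char *pattern, const char *host)
{
    const char *hdot = strchr(host, '.');
    if (!strchr(pattern, '*'))
        return ieq(pattern, host, strlen(pattern) + 1);
    if (strncmp(pattern, "*.", 2) != 0 || strchr(pattern + 1, '*') ||
        !strchr(pattern + 2, '.') || !hdot || hdot == host)
        return false;
    if (ieq(host, "xn--", 4))
        return false;
    return ieq(pattern + 1, hdot, strlen(hdot) + 1);
}

int main(void)
{
    /* Constructed sample: prefix-wildcard SAN pattern and a punycode host. */
    const char *pat = "x*.example.com", *host = "xn--l8j.example.com";
    int loose = permissive_match(pat, host), strict = strict_match(pat, host);
    printf("permissive=%d strict=%d\n", loose, strict);
    return 0;
}
```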

CVE-2023-28322

An information disclosure vulnerability exists in curl <v8.1.0: when doing
HTTP(S) transfers, libcurl might erroneously use the read callback
(`CURLOPT_READFUNCTION`) to ask for data to send, even when the
`CURLOPT_POSTFIELDS` option has been set, if the same handle previously
was used to issue a `PUT` request which used that callback. This flaw may
surprise the application and cause it to misbehave and either send off the
wrong data or use memory after free or similar in the second transfer. The
problem exists in the logic for a reused handle when it is (expected to be)
changed from a PUT to a POST.


For Debian 8 jessie, these problems have been fixed in version 7.38.0-4+deb8u29.

We recommend that you upgrade your curl packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.