-------------------------------------------------------------------------
Debian LTS Advisory DLA-3763-1                [email protected]
https://www.debian.org/lts/security/                    Bastien Roucariès
March 17, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : curl
Version        : 7.64.0-4+deb10u9
CVE ID         : CVE-2023-27534

curl was affected by a path traversal vulnerability. The SFTP
implementation causes the tilde (~) character to be wrongly replaced
when it is used as a prefix in the first path element, in addition to
its intended use as the first element to indicate a path relative to
the user's home directory. Attackers can exploit this flaw to bypass
filtering or execute arbitrary code by crafting a path like /~2/foo
while accessing a server with a specific user.

For Debian 10 buster, this problem has been fixed in version
7.64.0-4+deb10u9.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
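
The tilde handling described in this advisory, as a simplified C model added here for illustration; it is not curl's source code or the Debian patch. The function names, the home directory and all sample paths other than /~2/foo are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the flaw: any first path element that merely starts
 * with '~' is treated as home-relative and its first three bytes dropped. */
static int expand_flawed(const char *path, const char *home,
                         char *out, size_t outlen)
{
  size_t len = strlen(path);
  int n;
  if(len > 1 && path[0] == '/' && path[1] == '~')
    n = snprintf(out, outlen, "%s/%s", home, len > 3 ? path + 3 : "");
  else
    n = snprintf(out, outlen, "%s", path);
  return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Strict form: '~' is special only when it is the whole first element,
 * so "/~2/foo" stays a literal path and is not rewritten. */
static int expand_strict(const char *path, const char *home,
                         char *out, size_t outlen)
{
  int n;
  if(!strcmp(path, "/~"))
    n = snprintf(out, outlen, "%s/", home);
  else if(!strncmp(path, "/~/", 3))
    n = snprintf(out, outlen, "%s/%s", home, path + 3);
  else
    n = snprintf(out, outlen, "%s", path);
  return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
  const char *home = "/home/alice"; /* constructed sample value */
  const char *samples[] = { "/~/foo", "/~", "/~2/foo", "/srv/~x" };
  char a[256], b[256];
  for(size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    expand_flawed(samples[i], home, a, sizeof(a));
    expand_strict(samples[i], home, b, sizeof(b));
    printf("%-8s flawed=%-18s strict=%s\n", samples[i], a, b);
  }
  return 0;
}
```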
