Carlos Henrique Lima Melara pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f10e119d by Carlos Henrique Lima Melara at 2025-04-16T12:14:57-03:00
Update status and info for CVE-2024-11053/curl: bullseye not affected

Initially the upstream advisory marked affected versions since 6.5, but then it was updated to mark 7.76.0 as the first vulnerable version [1]. I've also double-checked by trying to reproduce the vulnerability using the vulnerable curl version from bookworm (7.88.1-10+deb12u9), the fixed one (7.88.1-10+deb12u12) and the bullseye version (7.74.0-1.3+deb11u14). As expected, only the vulnerable version from bookworm leaked the password from the first host to the second one.

[1] https://github.com/curl/curl-www/commit/d58e4ebf47d88e3eeaaea62b150ec0609a82518e

- - - - -

1 changed file:

- data/CVE/list

Changes:

=====================================
data/CVE/list
=====================================
@@ -41330,9 +41330,9 @@ CVE-2023-37395 (IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user t CVE-2024-11053 (When asked to both use a `.netrc` file for credentials and to follow H ...) - curl 8.11.1-1 (bug #1089682) [bookworm] - curl 7.88.1-10+deb12u10 - [bullseye] - curl <postponed> (Minor issue; can be fixed in next update) + [bullseye] - curl <not-affected> (Vulnerable code only introduced in 7.76.0) NOTE: https://curl.se/docs/CVE-2024-11053.html - NOTE: Introduced by: https://github.com/curl/curl/commit/ae1912cb0d494b48d514d937826c9fe83ec96c4d (curl-6_5) + NOTE: Introduced by: https://github.com/curl/curl/commit/46620b97431e19c53ce82e55055c85830f088cf4 (curl-7_76_0) NOTE: Fixed by: https://github.com/curl/curl/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af31949 (curl-8_11_1) CVE-2024-12397 (A flaw was found in Quarkus-HTTP, which incorrectly parses cookies wit ...) NOT-FOR-US: Quarkus View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f10e119d863ce97d242080104093b9027c492600 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f10e119d863ce97d242080104093b9027c492600 You're receiving this email because of your account on salsa.debian.org.
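Review bot: the new `[bullseye] - curl <not-affected> (Vulnerable code only introduced in 7.76.0)` line and the swapped `Introduced by:` NOTE record the conclusion but not its source; the only URL left in the entry is the curl advisory page, while the evidence that upstream corrected the introducing version (the curl-www commit cited as [1] in the commit message) lives only in git history. Add it as a NOTE next to the updated `Introduced by:` line, e.g. `NOTE: Introduced-by corrected upstream: https://github.com/curl/curl-www/commit/d58e4ebf47d88e3eeaaea62b150ec0609a82518e`, so a later triager looking at data/CVE/list can see why the `curl-6_5` reference was replaced rather than having to re-derive it. The unchanged unstable (8.11.1-1) and bookworm (7.88.1-10+deb12u10) lines are consistent with the narrowed 7.76.0 to 8.11.1 window, so no further status change is needed in this hunk.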
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
