[Git][security-tracker-team/security-tracker][master] Add further upstream information for curl issues
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Mon Mar 20 17:04:28 GMT 2023
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d514554b by Salvatore Bonaccorso at 2023-03-20T18:03:54+01:00
Add further upstream information for curl issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -3451,42 +3451,48 @@ CVE-2023-27539
NOTE: https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c (v3.0.6.1)
NOTE: https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff (v2.2.6.4)
NOTE: https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
-CVE-2023-27538
+CVE-2023-27538 [SSH connection too eager reuse still]
RESERVED
- curl <unfixed>
[bullseye] - curl <no-dsa> (Minor issue)
NOTE: https://curl.se/docs/CVE-2023-27538.html
- NOTE: https://github.com/curl/curl/commit/af369db4d3833272b8ed
-CVE-2023-27537
+ NOTE: Fixed by: https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb (curl-8_0_0)
+CVE-2023-27537 [HSTS double-free]
RESERVED
- curl <unfixed>
- [bullseye] - curl <ignored> (curl is not built with HSTS support)
+ [bullseye] - curl <not-affected> (Vulnerable code introduced later)
+ [buster] - curl <not-affected> (Vulnerable code introduced later)
NOTE: https://curl.se/docs/CVE-2023-27537.html
- NOTE: https://github.com/curl/curl/commit/dca4cdf071be0
-CVE-2023-27536
+ NOTE: Introduced by: https://github.com/curl/curl/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a (curl-7_88_0)
+ NOTE: Fixed by: https://github.com/curl/curl/commit/dca4cdf071be095bcdc7126eaa77a8946ea4790b (curl-8_0_0)
+CVE-2023-27536 [GSS delegation too eager connection re-use]
RESERVED
- curl <unfixed>
[bullseye] - curl <no-dsa> (Minor issue)
NOTE: https://curl.se/docs/CVE-2023-27536.html
- NOTE: https://github.com/curl/curl/commit/cb49e67303dba
-CVE-2023-27535
+ NOTE: Introduced by: https://github.com/curl/curl/commit/ebf42c4be76df40ec6d3bf32f229bbb274e2c32f (curl-7_22_0)
+ NOTE: Fixed by: https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 (curl-8_0_0)
+CVE-2023-27535 [FTP too eager connection reuse]
RESERVED
- curl <unfixed>
[bullseye] - curl <no-dsa> (Minor issue)
NOTE: https://curl.se/docs/CVE-2023-27535.html
- NOTE: https://github.com/curl/curl/commit/8f4608468b890dc
-CVE-2023-27534
+ NOTE: Introduced by: https://github.com/curl/curl/commit/177dbc7be07125582ddb7416dba7140b88ab9f62 (curl-7_13_0)
+ NOTE: Fixed by: https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1 (curl-8_0_0)
+CVE-2023-27534 [SFTP path ~ resolving discrepancy]
RESERVED
- curl <unfixed>
[bullseye] - curl <no-dsa> (Minor issue)
NOTE: https://curl.se/docs/CVE-2023-27534.html
- NOTE: https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a
-CVE-2023-27533
+ NOTE: Introduced by: https://github.com/curl/curl/commit/ba6f20a2442ab1ebfe947cff19a552f92114a29a (curl-7_18_0)
+ NOTE: Fixed by: https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 (curl-8_0_0)
+CVE-2023-27533 [TELNET option IAC injection]
RESERVED
- curl <unfixed>
[bullseye] - curl <no-dsa> (Minor issue)
NOTE: https://curl.se/docs/CVE-2023-27533.html
- NOTE: https://github.com/curl/curl/commit/538b1e79a6e7b
+ NOTE: Introduced by: https://github.com/curl/curl/commit/a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4 (curl-7_7_alpha2)
+ NOTE: Fixed by: https://github.com/curl/curl/commit/538b1e79a6e7b0bb829ab4cecc828d32105d0684 (curl-8_0_0)
CVE-2023-27532 (Vulnerability in Veeam Backup & Replication component allows encry ...)
NOT-FOR-US: Veeam
CVE-2023-27531
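Review bot: The CVE-2023-27538 entry is the only curl entry in this hunk that gains a "Fixed by:" note without a matching "Introduced by:" note, so the entry alone does not show which releases carry the vulnerable code. Consider adding the introducing commit, or a NOTE saying it was not determined. Related: CVE-2023-27537 gets explicit [bullseye] and [buster] <not-affected> lines, while CVE-2023-27536 through CVE-2023-27533 cite introducing commits as old as curl-7_7_alpha2 yet show only a [bullseye] line in the visible context. If buster is to be triaged for these, a [buster] line would make its status explicit.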
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d514554b49ed804a0bfd39f0432a90370085a927