[Git][security-tracker-team/security-tracker][master] Update status and info for CVE-2024-11053/curl: bullseye not affected
Carlos Henrique Lima Melara (@charles)
gitlab at salsa.debian.org
Wed Apr 16 16:21:49 BST 2025
Carlos Henrique Lima Melara pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f10e119d by Carlos Henrique Lima Melara at 2025-04-16T12:14:57-03:00
Update status and info for CVE-2024-11053/curl: bullseye not affected
Initially, the upstream advisory marked affected versions since 6.5, but then
it was updated to mark 7.76.0 as the first vulnerable version [1]. I've
also double-checked by trying to reproduce the vulnerability using the
vulnerable curl version from bookworm (7.88.1-10+deb12u9), the fixed one
(7.88.1-10+deb12u12) and the bullseye version (7.74.0-1.3+deb11u14). As
expected, only the vulnerable version from bookworm leaked the password
from the first host to the second one.
[1] https://github.com/curl/curl-www/commit/d58e4ebf47d88e3eeaaea62b150ec0609a82518e
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -41330,9 +41330,9 @@ CVE-2023-37395 (IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user t
CVE-2024-11053 (When asked to both use a `.netrc` file for credentials and to follow H ...)
- curl 8.11.1-1 (bug #1089682)
[bookworm] - curl 7.88.1-10+deb12u10
- [bullseye] - curl <postponed> (Minor issue; can be fixed in next update)
+ [bullseye] - curl <not-affected> (Vulnerable code only introduced in 7.76.0)
NOTE: https://curl.se/docs/CVE-2024-11053.html
- NOTE: Introduced by: https://github.com/curl/curl/commit/ae1912cb0d494b48d514d937826c9fe83ec96c4d (curl-6_5)
+ NOTE: Introduced by: https://github.com/curl/curl/commit/46620b97431e19c53ce82e55055c85830f088cf4 (curl-7_76_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af31949 (curl-8_11_1)
CVE-2024-12397 (A flaw was found in Quarkus-HTTP, which incorrectly parses cookies wit ...)
NOT-FOR-US: Quarkus
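Review bot: the `<not-affected>` rationale on the bullseye line ("Vulnerable code only introduced in 7.76.0") rests on the upstream advisory having been corrected, but the only pointer to that correction is the curl-www commit cited in the commit message, not in data/CVE/list itself; consider adding a `NOTE: https://github.com/curl/curl-www/commit/d58e4ebf47d88e3eeaaea62b150ec0609a82518e` line next to the updated `Introduced by:` entry so that a later reader of the tracker data can verify why the entry moved from `<postponed>` to `<not-affected>`. The swap of the `Introduced by:` commit from the curl-6_5 tag to `46620b9...` (curl-7_76_0) is consistent with that rationale, since bullseye ships 7.74.0, which predates 7.76.0.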
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f10e119d863ce97d242080104093b9027c492600
More information about the debian-security-tracker-commits mailing list