ELA-1145-1 curl security update

denial of service

2024-08-05
Package: curl
Version: 7.38.0-4+deb8u28 (jessie), 7.52.1-5+deb9u22 (stretch), 7.64.0-4+deb10u10 (buster)
Related CVEs: CVE-2024-7264


A denial-of-service vulnerability was found in cURL, an easy-to-use client-side URL transfer library. libcurl's ASN.1 parser code has the GTime2str() function, used for parsing an ASN.1 GeneralizedTime field. If given a syntactically incorrect field, the parser might end up crashing, but this flaw can also lead to heap contents being returned to the application when CURLINFO_CERTINFO is used.
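The defensive property a GeneralizedTime parser needs is that every read is bounded by the field's declared length and that a malformed field is rejected rather than interpreted. The following is an added example written for this advisory; it is not libcurl's GTime2str() or any other curl code. It accepts only the DER form "YYYYMMDDHHMMSS[.f+]Z" (a simplification: no local-time or offset variants), and the names gtime, gtime_parse and gtime_format are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parsed fields of a DER GeneralizedTime (example type, not libcurl's). */
struct gtime {
    int year, month, day, hour, minute, second;
    int fraction_digits;   /* number of fractional-second digits, 0 if none */
    long fraction;         /* fractional digits as an integer, 0 if none */
};

static bool all_digits(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] < '0' || p[i] > '9')
            return false;
    return true;
}

static long digits_to_long(const unsigned char *p, size_t n)
{
    long v = 0;
    for (size_t i = 0; i < n; i++)
        v = v * 10 + (p[i] - '0');
    return v;
}

/* Parse `len` bytes at `p`. Returns 0 and fills *out on success, -1 on any
 * syntax or range error. The length is the only boundary it trusts: it never
 * reads p[len] or beyond and never relies on a NUL terminator. */
int gtime_parse(const unsigned char *p, size_t len, struct gtime *out)
{
    if (p == NULL || out == NULL)
        return -1;
    /* Shortest valid value is the 15-byte "YYYYMMDDHHMMSSZ"; anything
     * shorter is rejected before a single field is decoded. */
    if (len < 15 || !all_digits(p, 14))
        return -1;

    out->year   = (int)digits_to_long(p, 4);
    out->month  = (int)digits_to_long(p + 4, 2);
    out->day    = (int)digits_to_long(p + 6, 2);
    out->hour   = (int)digits_to_long(p + 8, 2);
    out->minute = (int)digits_to_long(p + 10, 2);
    out->second = (int)digits_to_long(p + 12, 2);
    out->fraction_digits = 0;
    out->fraction = 0;

    size_t pos = 14;                     /* in bounds: len >= 15 */
    if (p[pos] == '.') {
        size_t start = ++pos;
        while (pos < len && p[pos] >= '0' && p[pos] <= '9')
            pos++;
        size_t n = pos - start;
        /* At least one digit; cap the count so the value cannot overflow. */
        if (n == 0 || n > 9)
            return -1;
        out->fraction_digits = (int)n;
        out->fraction = digits_to_long(p + start, n);
    }
    /* Exactly one trailing 'Z' and nothing after it. */
    if (pos + 1 != len || p[pos] != 'Z')
        return -1;

    if (out->month < 1 || out->month > 12 || out->day < 1 || out->day > 31 ||
        out->hour > 23 || out->minute > 59 || out->second > 59)
        return -1;
    return 0;
}

/* Render as "YYYY-MM-DD HH:MM:SS[.f+] GMT". Returns the character count,
 * or -1 if buf is too small; snprintf bounds every write. */
int gtime_format(const struct gtime *t, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "%04d-%02d-%02d %02d:%02d:%02d",
                     t->year, t->month, t->day, t->hour, t->minute, t->second);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    if (t->fraction_digits > 0) {
        int f = snprintf(buf + n, buflen - (size_t)n, ".%0*ld",
                         t->fraction_digits, t->fraction);
        if (f < 0 || (size_t)f >= buflen - (size_t)n)
            return -1;
        n += f;
    }
    int z = snprintf(buf + n, buflen - (size_t)n, " GMT");
    if (z < 0 || (size_t)z >= buflen - (size_t)n)
        return -1;
    return n + z;
}

/* Wrapper for NUL-terminated strings (certificate fields are not). */
int gtime_parse_str(const char *s, struct gtime *out)
{
    return gtime_parse((const unsigned char *)s, strlen(s), out);
}

int main(void)
{
    /* Constructed samples: two well-formed, three malformed. */
    const char *samples[] = { "20240805120000Z", "20240805120000.250Z",
                              "2024080512", "20240805120000.Z", "20241305120000Z" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct gtime t;
        char buf[64];
        if (gtime_parse_str(samples[i], &t) == 0 && gtime_format(&t, buf, sizeof buf) > 0)
            printf("%-22s -> %s\n", samples[i], buf);
        else
            printf("%-22s -> rejected\n", samples[i]);
    }
    return 0;
}
```

The point of the structure is that the length check happens before any field is decoded and the trailing-'Z' check is tied to the length rather than to a terminator, so a truncated or padded field is refused and the formatter only ever sees values the parser produced, never raw bytes from the input buffer.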



For Debian 10 buster, these problems have been fixed in version 7.64.0-4+deb10u10.

For Debian 8 jessie, these problems have been fixed in version 7.38.0-4+deb8u28.

For Debian 9 stretch, these problems have been fixed in version 7.52.1-5+deb9u22.

We recommend that you upgrade your curl packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.