CVE-2017-2628

Name	CVE-2017-2628
Description	curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport the fix for CVE-2015-3148 because it did not reflect the fact that the HAVE_GSSAPI define was meanwhile substituted by USE_HTTP_NEGOTIATE. This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
curl (PTS)	jessie, jessie (lts)	7.38.0-4+deb8u27	fixed
	stretch (security)	7.52.1-5+deb9u16	fixed
	stretch (lts), stretch	7.52.1-5+deb9u21	fixed
	buster	7.64.0-4+deb10u2	fixed
	buster (security)	7.64.0-4+deb10u9	fixed
	bullseye (security), bullseye	7.74.0-1.3+deb11u11	fixed
	bookworm (security), bookworm	7.88.1-10+deb12u5	fixed
	sid, trixie	8.7.1-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
curl	source	(unstable)	(not affected)

- curl <not-affected> (Red Hat specific backport issue)