| Name | CVE-2024-11053 |
|---|---|
| Description | When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1089682 |
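The description above names a precise precondition: a `.netrc` entry that matches the redirect target host but carries no `password`, or neither `login` nor `password`. The following is an added audit script, not code from curl or from the Debian tracker, that parses a `.netrc` file with a small purpose-built tokenizer (the stdlib `netrc` module is deliberately avoided because it represents a missing password differently across Python versions) and reports which entries have one of the two shapes the advisory describes. The sample `.netrc` text and the host names in it are constructed for the example.

```python
"""Audit a .netrc file for entries that omit the password, or both login and
password, which is the condition CVE-2024-11053 depends on.

Added example; the parser and the sample entries below are constructed for
illustration and are not part of curl or of the Debian tracker.
"""

# Constructed sample .netrc: one complete entry, one with login only,
# one with no credentials at all, and a complete 'default' entry.
SAMPLE_NETRC = """\
machine origin.example login alice password s3cret
machine cdn.example login bob
machine mirror.example
default login anonymous password guest@
"""


def _tokenize(text):
    """Split .netrc text into tokens, dropping comments and 'macdef' blocks.

    A macro definition runs from a line beginning with 'macdef' up to the
    next blank line; it is skipped so its body is not mistaken for keywords.
    """
    tokens = []
    lines = iter(text.splitlines())
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.split()[0] == "macdef":
            for line in lines:
                if not line.strip():
                    break
            continue
        tokens.extend(stripped.split())
    return tokens


def parse_netrc(text):
    """Return {host: {"login": ..., "password": ..., "account": ...}}.

    A key is present only when the entry supplied it, so 'password missing'
    is distinguishable from 'password empty'. 'user' is accepted as an alias
    for 'login', as .netrc syntax allows.
    """
    entries = {}
    current = None
    tokens = _tokenize(text)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("machine", "login", "user", "password", "account"):
            if i + 1 >= len(tokens):
                raise ValueError(f"'{tok}' at end of file has no value")
            value = tokens[i + 1]
            i += 2
        else:
            value = None
            i += 1
        if tok == "machine":
            current = value
            entries[current] = {}
        elif tok == "default":
            current = "default"
            entries[current] = {}
        elif tok in ("login", "user", "password", "account"):
            if current is None:
                raise ValueError(f"'{tok}' before any machine/default entry")
            key = "login" if tok == "user" else tok
            entries[current][key] = value
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return entries


def classify(entry):
    """Name the shape of one entry with respect to the advisory's condition."""
    has_login = "login" in entry
    has_password = "password" in entry
    if has_login and has_password:
        return "complete"
    if has_login:
        return "missing-password"
    if not has_password:
        return "missing-login-and-password"
    return "missing-login"  # password without login; not a shape the advisory names


def incomplete_entries(text):
    """Map each host whose entry matches the advisory's condition to its shape."""
    risky = ("missing-password", "missing-login-and-password")
    return {host: classify(entry)
            for host, entry in parse_netrc(text).items()
            if classify(entry) in risky}


if __name__ == "__main__":
    for host, shape in incomplete_entries(SAMPLE_NETRC).items():
        print(f"{host}: {shape}")
```

Run against a real file with `incomplete_entries(open(path).read())`; any host it reports is one for which a redirect from another `.netrc`-authenticated host would, on an unfixed curl, trigger the described behaviour, so completing or removing such entries is the configuration-side mitigation while the package is still marked vulnerable.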
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| curl (PTS) | jessie, jessie (lts) | 7.38.0-4+deb8u28 | vulnerable |
| | stretch (security) | 7.52.1-5+deb9u16 | vulnerable |
| | stretch (lts), stretch | 7.52.1-5+deb9u22 | vulnerable |
| | buster, buster (lts) | 7.64.0-4+deb10u10 | vulnerable |
| | buster (security) | 7.64.0-4+deb10u9 | vulnerable |
| | bullseye | 7.74.0-1.3+deb11u13 | vulnerable |
| | bullseye (security) | 7.74.0-1.3+deb11u14 | vulnerable |
| | bookworm | 7.88.1-10+deb12u8 | vulnerable |
| | bookworm (security) | 7.88.1-10+deb12u5 | vulnerable |
| | sid, trixie | 8.11.1-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| curl | source | (unstable) | 8.11.1-1 | | | 1089682 |
Notes
[bookworm] - curl <no-dsa> (Minor issue)
[bullseye] - curl <postponed> (Minor issue; can be fixed in next update)
https://curl.se/docs/CVE-2024-11053.html
Introduced by: https://github.com/curl/curl/commit/ae1912cb0d494b48d514d937826c9fe83ec96c4d (curl-6_5)
Fixed by: https://github.com/curl/curl/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af31949 (curl-8_11_1)
[buster] - curl <postponed> (Minor issue; can be fixed in next update)
[stretch] - curl <postponed> (Minor issue; can be fixed in next update)
[jessie] - curl <postponed> (Minor issue; can be fixed in next update)