
A curl security update has been released for Debian GNU/Linux 9 Extended LTS to address multiple security vulnerabilities.

ELA-664-1 curl security update

Package: curl
Version: 7.38.0-4+deb8u23 (jessie), 7.52.1-5+deb9u17 (stretch)
Related CVEs: CVE-2022-22576, CVE-2022-27776, CVE-2022-27781, CVE-2022-32208

Multiple security vulnerabilities have been discovered in cURL, a URL transfer library. These flaws may allow remote attackers to obtain sensitive information, leak authentication or cookie header data, or facilitate a denial-of-service attack.

The following CVE has been additionally addressed in Debian 9 “Stretch”.


libcurl would reuse a previously created connection even when a TLS or SSH
related option had been changed that should have prohibited reuse. libcurl
keeps previously used connections in a connection pool for subsequent
transfers to reuse if one of them matches the setup. However, several TLS and
SSH settings were left out from the configuration match checks, making them
match too easily.
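
The reuse problem described above can be shown with a simplified model of a connection pool. This is an added example, not libcurl's code: the struct, its field names, the function names and the sample values are all hypothetical, and it only contrasts a match check that ignores security options with one that compares them.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a pooled connection; all field names are hypothetical. */
struct conn_cfg {
    const char *host;
    int port;
    const char *ca_file;     /* TLS trust anchor (assumed example option) */
    const char *client_cert; /* TLS client certificate (assumed example option) */
    const char *ssh_key;     /* SSH private key path (assumed example option) */
};

/* NULL-safe string equality: two unset options match each other. */
static int same(const char *a, const char *b) {
    if (a == NULL || b == NULL) return a == b;
    return strcmp(a, b) == 0;
}

/* Flawed check: only the endpoint is compared, security options are ignored. */
int match_weak(const struct conn_cfg *pooled, const struct conn_cfg *want) {
    return same(pooled->host, want->host) && pooled->port == want->port;
}

/* Corrected check: every security-relevant option must also be identical. */
int match_strict(const struct conn_cfg *pooled, const struct conn_cfg *want) {
    return match_weak(pooled, want) &&
           same(pooled->ca_file, want->ca_file) &&
           same(pooled->client_cert, want->client_cert) &&
           same(pooled->ssh_key, want->ssh_key);
}

/* Index of the first reusable pooled connection, or -1 to open a new one. */
int find_reusable(const struct conn_cfg *pool, size_t n, const struct conn_cfg *want,
                  int (*match)(const struct conn_cfg *, const struct conn_cfg *)) {
    for (size_t i = 0; i < n; i++)
        if (match(&pool[i], want)) return (int)i;
    return -1;
}

/* Constructed sample data: one pooled connection and two later requests. */
static const struct conn_cfg pool[] = {{ "example.test", 443, "ca-a.pem", "client-a.pem", NULL }};
static const struct conn_cfg changed = { "example.test", 443, "ca-b.pem", "client-b.pem", NULL };
static const struct conn_cfg unchanged = { "example.test", 443, "ca-a.pem", "client-a.pem", NULL };

int main(void) {
    printf("weak, options changed:   %d\n", find_reusable(pool, 1, &changed, match_weak));
    printf("strict, options changed: %d\n", find_reusable(pool, 1, &changed, match_strict));
    printf("strict, same options:    %d\n", find_reusable(pool, 1, &unchanged, match_strict));
    return 0;
}
```
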

For Debian 8 jessie, these problems have been fixed in version 7.38.0-4+deb8u23.

For Debian 9 stretch, these problems have been fixed in version 7.52.1-5+deb9u17.

We recommend that you upgrade your curl packages.

Further information about Extended LTS security advisories can be found at:

  ELA-664-1 curl security update