Description
Security update for curl
This update for curl fixes the following issues:
- CVE-2023-27534: Regression fix for SFTP path ~ resolving discrepancy (bsc#1219273)
Package list
Container suse/ltss/sle12.5/sles12sp5:latest
libcurl4-8.0.1-11.117.1
libnghttp2-14-1.39.2-3.20.1
SUSE Linux Enterprise Server 12 SP5-LTSS
curl-8.0.1-11.117.1
libcurl-devel-8.0.1-11.117.1
libcurl4-8.0.1-11.117.1
libcurl4-32bit-8.0.1-11.117.1
libnghttp2-14-1.39.2-3.20.1
libnghttp2-14-32bit-1.39.2-3.20.1
libnghttp2-devel-1.39.2-3.20.1
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5
curl-8.0.1-11.117.1
libcurl-devel-8.0.1-11.117.1
libcurl4-8.0.1-11.117.1
libcurl4-32bit-8.0.1-11.117.1
libnghttp2-14-1.39.2-3.20.1
libnghttp2-14-32bit-1.39.2-3.20.1
libnghttp2-devel-1.39.2-3.20.1
References
- Link for SUSE-SU-2026:0494-1
- E-Mail link for SUSE-SU-2026:0494-1
- SUSE Security Ratings
- SUSE Bug 1219273
- SUSE CVE CVE-2023-27534 page
Description
A path traversal vulnerability in the SFTP implementation of curl <8.0.0 causes the tilde (~) character to be wrongly replaced when it is used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.
Affected products
Container suse/ltss/sle12.5/sles12sp5:latest:libcurl4-8.0.1-11.117.1
Container suse/ltss/sle12.5/sles12sp5:latest:libnghttp2-14-1.39.2-3.20.1
SUSE Linux Enterprise Server 12 SP5-LTSS:curl-8.0.1-11.117.1
SUSE Linux Enterprise Server 12 SP5-LTSS:libcurl-devel-8.0.1-11.117.1
References
- CVE-2023-27534
- SUSE Bug 1209210