Package curl updated to version 8.11.1-alt1 for branch p10 in task 366396.

Published: 2024-11-08

BDU:2024-11106

Уязвимость обработчика netrc-файлов утилиты командной строки cURL, позволяющая нарушителю получить доступ к учётным данным

Severity: CRITICAL (9.1) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

CVE-2024-11053

Published: 2024-12-11
Modified: 2025-01-31

CVE-2024-11053

When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

References:

http://www.openwall.com/lists/oss-security/2024/12/11/1
www
json
issue
https://security.netapp.com/advisory/ntap-20250124-0012/
https://security.netapp.com/advisory/ntap-20250131-0003/

Version: 2.1.0

Package curl update in p10 on 2024-12-28

ALT-PU-2024-17523-2

Closed vulnerabilities

BDU:2024-11106

CVE-2024-11053