Source: curl
Version: 8.10.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 7.88.1-10+deb12u8
Control: found -1 7.88.1-10
Hi,

The following vulnerability was published for curl.

CVE-2024-9681[0]:
| When curl is asked to use HSTS, the expiry time for a subdomain
| might overwrite a parent domain's cache entry, making it end sooner
| or later than otherwise intended. This affects curl using
| applications that enable HSTS and use URLs with the insecure
| `HTTP://` scheme and perform transfers with hosts like
| `x.example.com` as well as `example.com` where the first host is a
| subdomain of the second host. (The HSTS cache either needs to have
| been populated manually or there needs to have been previous HTTPS
| accesses done as the cache needs to have entries for the domains
| involved to trigger this problem.) When `x.example.com` responds
| with `Strict-Transport-Security:` headers, this bug can make the
| subdomain's expiry timeout *bleed over* and get set for the parent
| domain `example.com` in curl's HSTS cache. The result of a
| triggered bug is that HTTP accesses to `example.com` get converted
| to HTTPS for a different period of time than what was asked for by
| the origin server. If `example.com` for example stops supporting
| HTTPS at its expiry time, curl might then fail to access
| `http://example.com` until the (wrongly set) timeout expires. This
| bug can also expire the parent's entry *earlier*, thus making curl
| inadvertently switch back to insecure HTTP earlier than otherwise
| intended.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-9681
    https://www.cve.org/CVERecord?id=CVE-2024-9681
[1] https://curl.se/docs/CVE-2024-9681.html

Regards,
Salvatore
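Added example, not part of the bug report and not curl's own code: a small Python model of an HSTS cache that reproduces the behaviour the advisory describes. The lookup used for the http:// to https:// upgrade decision is allowed to match a parent entry flagged includeSubDomains; if the code that stores a freshly received Strict-Transport-Security header reuses that same lookup to find "the" entry to update, a header from x.example.com rewrites the expiry of the example.com entry. The exact-host update beside it only ever touches the entry for the host that actually sent the header. Host names, max-age values and the fixed clock are constructed for the demonstration; the cache layout is an assumption of this model, not a description of curl's data structures.

```python
# Added example (not curl's code): model of the HSTS expiry bleed-over
# described in CVE-2024-9681, with the exact-match update that avoids it.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class HstsEntry:
    host: str                 # lowercase host name, no trailing dot
    expires: float            # absolute expiry, seconds since the epoch
    include_subdomains: bool  # set by the includeSubDomains directive


class HstsCache:
    def __init__(self) -> None:
        self.entries: Dict[str, HstsEntry] = {}

    def match(self, host: str) -> Optional[HstsEntry]:
        """Lookup for the scheme-upgrade decision: exact host first, then the
        closest ancestor whose entry carries includeSubDomains."""
        host = host.lower()
        if host in self.entries:
            return self.entries[host]
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = self.entries.get(".".join(labels[i:]))
            if parent is not None and parent.include_subdomains:
                return parent
        return None

    def upgrade_scheme(self, host: str, now: float) -> str:
        """Scheme a client would use for an http:// URL to this host at time now."""
        e = self.match(host)
        return "https" if e is not None and e.expires > now else "http"

    @staticmethod
    def parse_header(header: str) -> Tuple[int, bool]:
        """Minimal Strict-Transport-Security parser: returns (max_age, includeSubDomains)."""
        max_age: Optional[int] = None
        include_sub = False
        for directive in header.split(";"):
            d = directive.strip()
            if d.lower().startswith("max-age="):
                max_age = int(d.split("=", 1)[1].strip().strip('"'))
            elif d.lower() == "includesubdomains":
                include_sub = True
        if max_age is None or max_age < 0:
            raise ValueError("Strict-Transport-Security header lacks a valid max-age")
        return max_age, include_sub

    def update_buggy(self, host: str, header: str, now: float) -> str:
        """Flawed update: reuses the subdomain-aware lookup to pick the entry to
        rewrite, so a header from x.example.com can land on example.com.
        Returns the host whose entry was actually written."""
        max_age, inc = self.parse_header(header)
        e = self.match(host)
        if e is None:
            e = HstsEntry(host.lower(), 0.0, inc)
            self.entries[e.host] = e
        e.expires = now + max_age          # may overwrite the parent's expiry
        return e.host

    def update_fixed(self, host: str, header: str, now: float) -> str:
        """Exact-host update: the header only ever affects its own host's entry."""
        max_age, inc = self.parse_header(header)
        host = host.lower()
        e = self.entries.get(host)
        if e is None:
            e = HstsEntry(host, 0.0, inc)
            self.entries[host] = e
        e.expires = now + max_age
        e.include_subdomains = inc
        return host


def demonstrate(update_name: str) -> dict:
    """Pre-populate example.com (includeSubDomains, one day left), let
    x.example.com answer with a 60-second max-age, and report what happened
    to the parent entry. update_name is "update_buggy" or "update_fixed"."""
    now = 1_700_000_000.0  # constructed fixed clock
    cache = HstsCache()
    cache.entries["example.com"] = HstsEntry("example.com", now + 86400, True)
    written = getattr(cache, update_name)("x.example.com", "max-age=60; includeSubDomains", now)
    parent = cache.entries["example.com"]
    return {
        "written_entry": written,
        "parent_expires_in": parent.expires - now,
        "parent_scheme_after_2min": cache.upgrade_scheme("example.com", now + 120),
    }


if __name__ == "__main__":
    for name in ("update_buggy", "update_fixed"):
        print(name, demonstrate(name))
```

With the flawed update the parent's remaining lifetime drops from one day to 60 seconds and example.com is reached over plain HTTP two minutes later; with the exact-host update the parent keeps its original expiry and only x.example.com gets a new entry. The same mechanism runs the other way when the subdomain's max-age is longer than the parent's, which is the "later than intended" case the advisory also mentions.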