NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then not get upgraded properly to HSTS.

Remediation

There is no fixed version for Debian:11 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2023-23915
• https://hackerone.com/reports/1874716
• https://hackerone.com/reports/1826048
• https://security.gentoo.org/glsa/202310-12
• https://security.netapp.com/advisory/ntap-20230309-0006/

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended.

This affects curl using applications that enable HSTS and use URLs with the insecure HTTP:// scheme and perform transfers with hosts like x.example.com as well as example.com where the first host is a subdomain of the second host.

(The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.)

When x.example.com responds with Strict-Transport-Security: headers, this bug can make the subdomain's expiry timeout bleed over and get set for the parent domain example.com in curl's HSTS cache.

The result of a triggered bug is that HTTP accesses to example.com get converted to HTTPS for a different period of time than what was asked for by the origin server. If example.com for example stops supporting HTTPS at its expiry time, curl might then fail to access http://example.com until the (wrongly set) timeout expires. This bug can also expire the parent's entry earlier, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.

Remediation

There is no fixed version for Debian:11 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2024-9681
• https://curl.se/docs/CVE-2024-9681.html
• https://curl.se/docs/CVE-2024-9681.json
• https://hackerone.com/reports/2764830
• http://www.openwall.com/lists/oss-security/2024/11/06/2
• https://security.netapp.com/advisory/ntap-20241213-0006/
• http://seclists.org/fulldisclosure/2025/Apr/13
• http://seclists.org/fulldisclosure/2025/Apr/10
• http://seclists.org/fulldisclosure/2025/Apr/11
• http://seclists.org/fulldisclosure/2025/Apr/12
• http://seclists.org/fulldisclosure/2025/Apr/4
• http://seclists.org/fulldisclosure/2025/Apr/5
• http://seclists.org/fulldisclosure/2025/Apr/8
• http://seclists.org/fulldisclosure/2025/Apr/9

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A flaw has been identified in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.

Remediation

There is no fixed version for Debian:11 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2023-4813
• http://www.openwall.com/lists/oss-security/2023/10/03/8
• https://security.netapp.com/advisory/ntap-20231110-0003/
• https://access.redhat.com/errata/RHBA-2024:2413
• https://access.redhat.com/errata/RHSA-2023:5453
• https://access.redhat.com/errata/RHSA-2023:5455
• https://access.redhat.com/errata/RHSA-2023:7409
• https://access.redhat.com/security/cve/CVE-2023-4813
• https://bugzilla.redhat.com/show_bug.cgi?id=2237798

NVD Description

Note: Versions mentioned in the description apply only to the upstream apr package and not the apr package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data.

This issue does not affect non-Unix platforms, or builds with APR_USE_SHMEM_SHMGET=1 (apr.h)

Users are recommended to upgrade to APR version 1.7.5, which fixes this issue.

Remediation

There is no fixed version for Debian:11 apr.

References

• https://security-tracker.debian.org/tracker/CVE-2023-49582
• https://lists.apache.org/thread/sntjc04t1rvjhdzz2tzmtz2zdnmv7dc4
• http://www.openwall.com/lists/oss-security/2024/08/26/1
• https://security.netapp.com/advisory/ntap-20241101-0004/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxslt package and not the libxslt package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A use-after-free vulnerability was found in libxslt while parsing xsl nodes that may lead to the dereference of expired pointers and application crash.

Remediation

There is no fixed version for Debian:11 libxslt.

References

• https://security-tracker.debian.org/tracker/CVE-2025-10911
• https://access.redhat.com/security/cve/CVE-2025-10911
• https://bugzilla.redhat.com/show_bug.cgi?id=2397838
• https://gitlab.gnome.org/GNOME/libxslt/-/issues/144
• https://gitlab.gnome.org/GNOME/libxslt/-/merge_requests/77

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2.0 package and not the glib2.0 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.

Remediation

There is no fixed version for Debian:11 glib2.0.

References

• https://security-tracker.debian.org/tracker/CVE-2026-1489
• https://access.redhat.com/security/cve/CVE-2026-1489
• https://bugzilla.redhat.com/show_bug.cgi?id=2433348

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.

Remediation

There is no fixed version for Debian:11 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2023-46219
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/
• https://curl.se/docs/CVE-2023-46219.html
• https://hackerone.com/reports/2236133
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/
• https://security.netapp.com/advisory/ntap-20240119-0007/
• https://www.debian.org/security/2023/dsa-5587

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).

Remediation

There is no fixed version for Debian:11 gnutls28.

References

• https://security-tracker.debian.org/tracker/CVE-2025-14831
• https://access.redhat.com/security/cve/CVE-2025-14831
• https://bugzilla.redhat.com/show_bug.cgi?id=2423177

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2.0 package and not the glib2.0 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.

Remediation

There is no fixed version for Debian:11 glib2.0.

References

• https://security-tracker.debian.org/tracker/CVE-2026-1484
• https://access.redhat.com/security/cve/CVE-2026-1484
• https://bugzilla.redhat.com/show_bug.cgi?id=2433259