Ervik's picture



What is the upgrade path for these Curl and libcurl CVEs?

Timmy's picture

If I'm reading the curl package info right, versions updated for this CVE:
Debian 10 package is 7.64.0-4+deb10u7
Debian 11 package is 7.74.0-1.3+deb11u10
Debian 12 package is 7.88.1-10+deb12u4

I can confirm I see 7.74.0-1.3+deb11u10 available for Debian 11.

Jeremy Davis's picture

Timmy is right! :)

FYI, you can view status of packages and/or specific CVEs via the Debian security bug tracker. E.g. you can search for all CVEs related to curl and/or the specific CVEs; CVE-2023-38545 & CVE-2023-38546. You can read more about the Security Tracker and how CVEs are handled in Debian.

As both of these specific CVEs are covered by security updates, the default auto security updates in TurnKey should have already installed them. The versions explicitly noted by Timmy match what I'm seeing and should be the ones installed depending on the TurnKey version in use. I.e.: TKL v16.x = Debian 10/Buster; TKL v17.x = Debian 11/Bullseye; TKL v18.x = Debian 12/Bookworm.

If you have a version of TurnKey earlier than that (i.e. v15.x or earlier) then I would recommend upgrading; either via transferring your data to a newer instance, or doing an "in place" Debian style OS upgrade.

Add new comment