DescriptionMetalink download sends credentials
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)stretch7.52.1-5+deb9u10vulnerable
stretch (security)7.52.1-5+deb9u14vulnerable
buster, buster (security)7.64.0-4+deb10u2vulnerable
bullseye, sid7.74.0-1.3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs

The fix for earlier versions is to rebuild curl with the metalink support
switched off.
Metalink support not enabled in Debian builds.

Search for package or bug name: Reporting problems