{"id":"MGASA-2024-0391","summary":"Updated curl packages fix security vulnerability","details":"When asked to both use a .netrc file for credentials and to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\nThis flaw only manifests itself if the netrc file has an entry that\nmatches the redirect target hostname but the entry either omits just the\npassword or omits both login and password.\nThis update fixes this logic to avoid sending a password to the wrong\nhost.\n","modified":"2026-04-16T00:11:53.277892562Z","published":"2024-12-17T19:42:28Z","upstream":["CVE-2024-11053"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2024-0391.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=33844"},{"type":"ADVISORY","url":"https://curl.se/docs/CVE-2024-11053.html"}],"affected":[{"package":{"name":"curl","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/curl?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.88.1-4.5.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2024-0391.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}