Jeremy Davis's picture

Timmy is right! :)

FYI, you can view status of packages and/or specific CVEs via the Debian security bug tracker. E.g. you can search for all CVEs related to curl and/or the specific CVEs; CVE-2023-38545 & CVE-2023-38546. You can read more about the Security Tracker and how CVEs are handled in Debian.

As both of these specific CVEs are covered by security updates, the default auto security updates in TurnKey should have already installed them. The versions explicitly noted by Timmy match what I'm seeing and should be the ones installed depending on the TurnKey version in use. I.e.: TKL v16.x = Debian 10/Buster; TKL v17.x = Debian 11/Bullseye; TKL v18.x = Debian 12/Bookworm.

If you have a version of TurnKey earlier than that (i.e. v15.x or earlier) then I would recommend upgrading; either via transferring your data to a newer instance, or doing an "in place" Debian style OS upgrade.
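
The check described in the post above, as an added example that is not part of the original post or of TurnKey's tooling: it maps a TurnKey major version to its Debian release, looks up per-release fix data laid out like the Security Tracker's JSON export (layout assumed here), and compares the installed curl version using dpkg's ordering rules. The sample record and its version strings are constructed placeholders, and `check` and `deb_key` are names made up for this example.

```python
import re

# TurnKey major version -> Debian codename, as listed in the post above.
TKL_TO_DEBIAN = {16: "buster", 17: "bullseye", 18: "bookworm"}

# CONSTRUCTED sample (assumed tracker JSON layout); versions are placeholders.
SAMPLE = {"curl": {
    "CVE-2023-38545": {"releases": {
        "bullseye": {"status": "resolved", "fixed_version": "1.2.3-4+deb11u2"},
        "bookworm": {"status": "resolved", "fixed_version": "1.5.0-1+deb12u1"}}},
    "CVE-2023-38546": {"releases": {
        "bullseye": {"status": "resolved", "fixed_version": "1.2.3-4+deb11u1"},
        "bookworm": {"status": "resolved", "fixed_version": "1.5.0-1+deb12u1"}}}}}

def _order(c):  # dpkg character order: '~' lowest, letters before other symbols
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _key(s):
    # One (non-digit run, number) pair per segment. The trailing 0 marks the end
    # of a run, so '~' (-1) sorts before it and every other character after it.
    return [([_order(c) for c in nd] + [0], int(d or 0))
            for nd, d in re.findall(r"(\D*)(\d*)", s)]

def deb_key(v):
    """Sort key that follows dpkg's ordering of epoch, upstream and revision."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    up, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return int(epoch), _key(up), _key(rev)

def check(tkl_major, installed, tracker=SAMPLE, package="curl"):
    """Return {cve: verdict} for the Debian release behind a TurnKey version."""
    release = TKL_TO_DEBIAN.get(tkl_major)
    out = {}
    for cve, info in tracker[package].items():
        rel = info["releases"].get(release, {})
        fixed = rel.get("fixed_version")
        if release is None:
            out[cve] = "TurnKey release not in mapping"
        elif rel.get("status") != "resolved" or not fixed:
            out[cve] = "no fix recorded"
        else:
            patched = deb_key(installed) >= deb_key(fixed)
            out[cve] = "patched" if patched else "update needed"
    return out
```

On a real system the installed version would come from `dpkg-query -W -f='${Version}' curl`, and `dpkg --compare-versions` performs the same comparison natively.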