Ubuntu Security Notice 6237-3 - USN-6237-1 fixed several vulnerabilities in curl. This update provides the corresponding updates for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS. Hiroki Kurosawa discovered that curl incorrectly handled validating certain certificate wildcards. A remote attacker could possibly use this issue to spoof certain website certificates using IDN hosts.
4aab60fd32ca66bfe087d6a307e821248cd1fc2c9b55fb50ae6a43d6c19b5921
==========================================================================
Ubuntu Security Notice USN-6237-3
September 11, 2023
curl vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)
Summary:
Several security issues were fixed in curl.
Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries
Details:
USN-6237-1 fixed several vulnerabilities in curl. This update provides the
corresponding updates for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and
Ubuntu 18.04 LTS.
Original advisory details:
Hiroki Kurosawa discovered that curl incorrectly handled validating
certain
certificate wildcards. A remote attacker could possibly use this issue to
spoof certain website certificates using IDN hosts. (CVE-2023-28321)
Hiroki Kurosawa discovered that curl incorrectly handled callbacks when
certain options are set by applications. This could cause applications
using curl to misbehave, resulting in information disclosure, or a denial
of service. (CVE-2023-28322)
It was discovered that curl incorrectly handled saving cookies to files. A
local attacker could possibly use this issue to create or overwrite files.
This issue only affected Ubuntu 22.10, and Ubuntu 23.04. (CVE-2023-32001)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
curl 7.58.0-2ubuntu3.24+esm1
libcurl3-gnutls 7.58.0-2ubuntu3.24+esm1
libcurl3-nss 7.58.0-2ubuntu3.24+esm1
libcurl4 7.58.0-2ubuntu3.24+esm1
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
curl 7.47.0-1ubuntu2.19+esm9
libcurl3 7.47.0-1ubuntu2.19+esm9
libcurl3-gnutls 7.47.0-1ubuntu2.19+esm9
libcurl3-nss 7.47.0-1ubuntu2.19+esm9
Ubuntu 14.04 LTS (Available with Ubuntu Pro):
curl 7.35.0-1ubuntu2.20+esm16
libcurl3 7.35.0-1ubuntu2.20+esm16
libcurl3-gnutls 7.35.0-1ubuntu2.20+esm16
libcurl3-nss 7.35.0-1ubuntu2.20+esm16
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6237-3
https://ubuntu.com/security/notices/USN-6237-1
CVE-2023-28321, CVE-2023-28322