USN-6535-1: curl vulnerabilities
6 December 2023
Several security issues were fixed in curl.
Releases
Packages
- curl - HTTP, HTTPS, and FTP client and client libraries
Details
Harry Sintonen discovered that curl incorrectly handled mixed case cookie
domains. A remote attacker could possibly use this issue to set cookies
that get sent to different and unrelated sites and domains.
(CVE-2023-46218)
Maksymilian Arciemowicz discovered that curl incorrectly handled long file
names when saving HSTS data. This could result in curl losing HSTS data,
and subsequent requests to a site would be done without it, contrary to
expectations. This issue only affected Ubuntu 23.04 and Ubuntu 23.10.
(CVE-2023-46219)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 23.10
-
curl
-
8.2.1-1ubuntu3.2
-
libcurl3-gnutls
-
8.2.1-1ubuntu3.2
-
libcurl3-nss
-
8.2.1-1ubuntu3.2
-
libcurl4
-
8.2.1-1ubuntu3.2
Ubuntu 23.04
-
curl
-
7.88.1-8ubuntu2.4
-
libcurl3-gnutls
-
7.88.1-8ubuntu2.4
-
libcurl3-nss
-
7.88.1-8ubuntu2.4
-
libcurl4
-
7.88.1-8ubuntu2.4
Ubuntu 22.04
-
curl
-
7.81.0-1ubuntu1.15
-
libcurl3-gnutls
-
7.81.0-1ubuntu1.15
-
libcurl3-nss
-
7.81.0-1ubuntu1.15
-
libcurl4
-
7.81.0-1ubuntu1.15
Ubuntu 20.04
-
curl
-
7.68.0-1ubuntu2.21
-
libcurl3-gnutls
-
7.68.0-1ubuntu2.21
-
libcurl3-nss
-
7.68.0-1ubuntu2.21
-
libcurl4
-
7.68.0-1ubuntu2.21
In general, a standard system update will make all the necessary changes.
References
Related notices
- USN-6641-1: libcurl4, libcurl3-nss, libcurl4-doc, curl, libcurl4-openssl-dev, libcurl4-nss-dev, libcurl3, libcurl4-gnutls-dev, libcurl3-gnutls