Ubuntu Security Notice 6237-1 - Hiroki Kurosawa discovered that curl incorrectly handled validating certain certificate wildcards. A remote attacker could possibly use this issue to spoof certain website certificates using IDN hosts. Hiroki Kurosawa discovered that curl incorrectly handled callbacks when certain options are set by applications. This could cause applications using curl to misbehave, resulting in information disclosure, or a denial of service.
51f46d8ba4e11574eb483e508710565644dc207c352aed8e601c8ec28e6a4ba4
==========================================================================
Ubuntu Security Notice USN-6237-1
July 19, 2023
curl vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in curl.
Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries
Details:
Hiroki Kurosawa discovered that curl incorrectly handled validating certain
certificate wildcards. A remote attacker could possibly use this issue to
spoof certain website certificates using IDN hosts. (CVE-2023-28321)
Hiroki Kurosawa discovered that curl incorrectly handled callbacks when
certain options are set by applications. This could cause applications
using curl to misbehave, resulting in information disclosure, or a denial
of service. (CVE-2023-28322)
It was discovered that curl incorrectly handled saving cookies to files. A
local attacker could possibly use this issue to create or overwrite files.
This issue only affected Ubuntu 22.10, and Ubuntu 23.04. (CVE-2023-32001)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.04:
curl 7.88.1-8ubuntu2.1
libcurl3-gnutls 7.88.1-8ubuntu2.1
libcurl3-nss 7.88.1-8ubuntu2.1
libcurl4 7.88.1-8ubuntu2.1
Ubuntu 22.10:
curl 7.85.0-1ubuntu0.6
libcurl3-gnutls 7.85.0-1ubuntu0.6
libcurl3-nss 7.85.0-1ubuntu0.6
libcurl4 7.85.0-1ubuntu0.6
Ubuntu 22.04 LTS:
curl 7.81.0-1ubuntu1.11
libcurl3-gnutls 7.81.0-1ubuntu1.11
libcurl3-nss 7.81.0-1ubuntu1.11
libcurl4 7.81.0-1ubuntu1.11
Ubuntu 20.04 LTS:
curl 7.68.0-1ubuntu2.19
libcurl3-gnutls 7.68.0-1ubuntu2.19
libcurl3-nss 7.68.0-1ubuntu2.19
libcurl4 7.68.0-1ubuntu2.19
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6237-1
CVE-2023-28321, CVE-2023-28322, CVE-2023-32001
Package Information:
https://launchpad.net/ubuntu/+source/curl/7.88.1-8ubuntu2.1
https://launchpad.net/ubuntu/+source/curl/7.85.0-1ubuntu0.6
https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.11
https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.19