Ubuntu Security Notice 6429-2 - USN-6429-1 fixed a vulnerability in curl. This update provides the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that curl incorrectly handled cookies when an application duplicated certain handles. A local attacker could possibly create a cookie file and inject arbitrary cookies into subsequent connections.
==========================================================================
Ubuntu Security Notice USN-6429-2
October 11, 2023
curl vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)
Summary:
Several security issues were fixed in curl.
Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries
Details:
USN-6429-1 fixed a vulnerability in curl. This update provides
the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS
and Ubuntu 18.04 LTS.
Original advisory details:
It was discovered that curl incorrectly handled cookies when an application
duplicated certain handles. A local attacker could possibly create a cookie
file and inject arbitrary cookies into subsequent connections.
(CVE-2023-38546)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  curl                 7.58.0-2ubuntu3.24+esm2
  libcurl3-gnutls      7.58.0-2ubuntu3.24+esm2
  libcurl3-nss         7.58.0-2ubuntu3.24+esm2
  libcurl4             7.58.0-2ubuntu3.24+esm2
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  curl                 7.47.0-1ubuntu2.19+esm10
  libcurl3             7.47.0-1ubuntu2.19+esm10
  libcurl3-gnutls      7.47.0-1ubuntu2.19+esm10
  libcurl3-nss         7.47.0-1ubuntu2.19+esm10
Ubuntu 14.04 LTS (Available with Ubuntu Pro):
  curl                 7.35.0-1ubuntu2.20+esm17
  libcurl3             7.35.0-1ubuntu2.20+esm17
  libcurl3-gnutls      7.35.0-1ubuntu2.20+esm17
  libcurl3-nss         7.35.0-1ubuntu2.20+esm17
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6429-2
https://ubuntu.com/security/notices/USN-6429-1
CVE-2023-38546