Ubuntu Security Notice 6535-1 - Harry Sintonen discovered that curl incorrectly handled mixed case cookie domains. A remote attacker could possibly use this issue to set cookies that get sent to different and unrelated sites and domains. Maksymilian Arciemowicz discovered that curl incorrectly handled long file names when saving HSTS data. This could result in curl losing HSTS data, and subsequent requests to a site would be done without it, contrary to expectations. This issue only affected Ubuntu 23.04 and Ubuntu 23.10.
ca215c083aa04234eeac9747474bc5e11097cdc295d4a17e21b08c44522bcfd5
==========================================================================
Ubuntu Security Notice USN-6535-1
December 06, 2023
curl vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in curl.
Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries
Details:
Harry Sintonen discovered that curl incorrectly handled mixed case cookie
domains. A remote attacker could possibly use this issue to set cookies
that get sent to different and unrelated sites and domains.
(CVE-2023-46218)
Maksymilian Arciemowicz discovered that curl incorrectly handled long file
names when saving HSTS data. This could result in curl losing HSTS data,
and subsequent requests to a site would be done without it, contrary to
expectations. This issue only affected Ubuntu 23.04 and Ubuntu 23.10.
(CVE-2023-46219)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
curl 8.2.1-1ubuntu3.2
libcurl3-gnutls 8.2.1-1ubuntu3.2
libcurl3-nss 8.2.1-1ubuntu3.2
libcurl4 8.2.1-1ubuntu3.2
Ubuntu 23.04:
curl 7.88.1-8ubuntu2.4
libcurl3-gnutls 7.88.1-8ubuntu2.4
libcurl3-nss 7.88.1-8ubuntu2.4
libcurl4 7.88.1-8ubuntu2.4
Ubuntu 22.04 LTS:
curl 7.81.0-1ubuntu1.15
libcurl3-gnutls 7.81.0-1ubuntu1.15
libcurl3-nss 7.81.0-1ubuntu1.15
libcurl4 7.81.0-1ubuntu1.15
Ubuntu 20.04 LTS:
curl 7.68.0-1ubuntu2.21
libcurl3-gnutls 7.68.0-1ubuntu2.21
libcurl3-nss 7.68.0-1ubuntu2.21
libcurl4 7.68.0-1ubuntu2.21
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6535-1
CVE-2023-46218, CVE-2023-46219
Package Information:
https://launchpad.net/ubuntu/+source/curl/8.2.1-1ubuntu3.2
https://launchpad.net/ubuntu/+source/curl/7.88.1-8ubuntu2.4
https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.15
https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.21