==========================================================================
Ubuntu Security Notice USN-6429-3
October 17, 2023
curl vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
Summary:
Several security issues were fixed in curl.
Software Description:
Details:
USN-6429-1 fixed vulnerabilities in curl. This update provides the
corresponding updates for Ubuntu 23.10.
Original advisory details:
Jay Satiro discovered that curl incorrectly handled hostnames when using a
SOCKS5 proxy. In environments where curl is configured to use a SOCKS5
proxy, a remote attacker could possibly use this issue to execute arbitrary
code. This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.04.
(CVE-2023-38545)

It was discovered that curl incorrectly handled cookies when an application
duplicated certain handles. A local attacker could possibly create a cookie
file and inject arbitrary cookies into subsequent connections.
(CVE-2023-38546)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
In general, a standard system update will make all the necessary changes.
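To prioritise hosts for this update, the following added example (not part of the advisory) reports where curl is configured to use a SOCKS5 proxy, the condition the advisory names for CVE-2023-38545. It assumes proxy settings live in curl's proxy environment variables or in curlrc-style config files; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not part of the advisory: list places where curl is told to
# use a SOCKS5 proxy, the condition the advisory gives for CVE-2023-38545.

# Succeed if the argument is a socks5:// or socks5h:// proxy URL.
is_socks5_url() {
    case "$1" in
        [Ss][Oo][Cc][Kk][Ss]5://*|[Ss][Oo][Cc][Kk][Ss]5[Hh]://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "VAR=value" for each proxy variable curl reads that holds a SOCKS5 URL.
# (curl ignores upper-case HTTP_PROXY, so it is not in the list.)
scan_env() {
    for var in http_proxy https_proxy HTTPS_PROXY all_proxy ALL_PROXY; do
        eval "val=\${$var:-}"
        if is_socks5_url "$val"; then
            printf '%s=%s\n' "$var" "$val"
        fi
    done
}

# Print "file:line:text" for each SOCKS5 proxy setting in a curl config file.
# Config lines are "option value"; leading dashes are optional and the
# separator may be whitespace, "=" or ":". Comment lines start with "#".
scan_curlrc() {
    [ -r "$1" ] || return 0
    grep -EinH \
        -e '^[[:space:]]*(-x|(--)?(pre)?proxy)[[:space:]=:]+"?socks5h?://' \
        -e '^[[:space:]]*(--)?socks5(-hostname)?[[:space:]=:]' \
        "$1" || true
}

# Check the environment, the per-user config, and any files given as arguments.
audit() {
    scan_env
    scan_curlrc "${CURL_HOME:-${HOME:-/nonexistent}}/.curlrc"
    for f in "$@"; do
        scan_curlrc "$f"
    done
    return 0
}

audit "$@"
```

A hit shows that the SOCKS5 condition applies on that host, not that the installed package is unpatched. Proxies passed on a command line or set by an application through libcurl are not covered by this check.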
References:
https://ubuntu.com/security/notices/USN-6429-3
https://ubuntu.com/security/notices/USN-6429-1
CVE-2023-38545, CVE-2023-38546