Monday, September 16, 2024

[USN-7012-1] curl vulnerability

==========================================================================
Ubuntu Security Notice USN-7012-1
September 16, 2024

curl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

curl could incorrectly check bad certificates when OCSP stapling is in use.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Hiroki Kurosawa discovered that curl incorrectly handled certain OCSP
responses. This could result in bad certificates not being checked
properly, contrary to expectations.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
curl 8.5.0-2ubuntu10.4
libcurl3t64-gnutls 8.5.0-2ubuntu10.4
libcurl4t64 8.5.0-2ubuntu10.4

Ubuntu 22.04 LTS
curl 7.81.0-1ubuntu1.18
libcurl3-gnutls 7.81.0-1ubuntu1.18
libcurl3-nss 7.81.0-1ubuntu1.18
libcurl4 7.81.0-1ubuntu1.18

Ubuntu 20.04 LTS
curl 7.68.0-1ubuntu2.24
libcurl3-gnutls 7.68.0-1ubuntu2.24
libcurl3-nss 7.68.0-1ubuntu2.24
libcurl4 7.68.0-1ubuntu2.24

In general, a standard system update will make all the necessary changes.
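
To confirm that hosts actually carry the fix, the following added example (not part of the Ubuntu notice) checks a collected `dpkg-query -W` inventory against the fixed versions listed above, using Debian version ordering so that revision 1.9 sorts before 1.18. The function names and the sample inventory are constructed for illustration.

```python
import re
# Fixed versions copied from USN-7012-1, keyed by Ubuntu release.
FIXED = {
    "24.04": dict.fromkeys(["curl", "libcurl3t64-gnutls", "libcurl4t64"], "8.5.0-2ubuntu10.4"),
    "22.04": dict.fromkeys(["curl", "libcurl3-gnutls", "libcurl3-nss", "libcurl4"], "7.81.0-1ubuntu1.18"),
    "20.04": dict.fromkeys(["curl", "libcurl3-gnutls", "libcurl3-nss", "libcurl4"], "7.68.0-1ubuntu2.24"),
}
# Constructed sample in `dpkg-query -W` format (package<TAB>version).
SAMPLE = ("curl\t7.81.0-1ubuntu1.17\nlibcurl4:amd64\t7.81.0-1ubuntu1.18\n"
          "libcurl3-gnutls:amd64\t7.81.0-1ubuntu1.9\nopenssl\t3.0.2-0ubuntu1.18\n")

def _order(c):
    # dpkg ordering: '~' before end of string, letters before other symbols.
    if c == "" or c.isdigit():
        return 0
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            d = _order(a[:1]) - _order(b[:1])
            if d:
                return d
            a, b = a[1:], b[1:]
        # Leading digit runs are compared as numbers, so 9 < 18.
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        d = int(na or 0) - int(nb or 0)
        if d:
            return d
        a, b = a[len(na):], b[len(nb):]
    return 0

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    up, sep, rev = rest.rpartition("-")
    return int(epoch), (up if sep else rest), (rev if sep else "")

def compare(v1, v2):
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def audit(release, inventory):
    """Return {package: version} for listed packages older than the fix."""
    stale = {}
    for line in inventory.splitlines():
        name, _, ver = line.strip().partition("\t")
        pkg = name.split(":")[0]  # drop a multi-arch suffix such as ":amd64"
        if ver and pkg in FIXED[release] and compare(ver, FIXED[release][pkg]) < 0:
            stale[pkg] = ver
    return stale
```

On a single host, `dpkg --compare-versions` performs the same comparison; the pure-Python version is meant for inventories reviewed away from the host.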

References:
https://ubuntu.com/security/notices/USN-7012-1
CVE-2024-8096

Package Information:
https://launchpad.net/ubuntu/+source/curl/8.5.0-2ubuntu10.4
https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.18
https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.24
