Monday, November 18, 2024

[USN-7104-1] curl vulnerability

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEELOLXZEFYQHcSWEHiyfW2m9Ldu6sFAmc7hR4FAwAAAAAACgkQyfW2m9Ldu6vS
yhAAu8HZ7Pu62C3292NEA/Fb4fDdGV3zNJDZnz8ps7SFZrtFevfqmggwSPdp5nqwZfFfHq27D1Iu
w+k65rHlYKHqyRRpnAjhFXEUMx4TID1Nn1i8mFvrXArlF3gcOiUwO+J84W4Pra//vryeb64pZCvb
xVa/oKfpnuB5dGh2dukX31c6SprW5GIZDWGJ+tgS96w2+t7W8dB8KIQoEIxmV/SrAm08ln5KGNmo
v7E1pm1Qy1a53YE2EyDjYRf4/Vkj56FZjOZcC2fS35oiCF3/rfWs7kZNnO9MZsS0t3JDGXg3iENP
RL9tL7q+EuJaT24JAfD6j3frnntdkly7BN6GJ1Ya3y97LP7uA+wV6hfApy2Y+uuEbSq5TPB+Fx7e
/ZwZht/gNzGpIiWYGlgi629Nj7lrBD0rz87lDnni8iH4P0fJd/VNufo6HQxQlos4oTVasRF/aNRT
IdVa8WX9li2iXpQ/gx5xrK4AcywCQC/36+2O7/ch7hnO4EAsrkyeu5P8TWP5Qi/H2lanTePWdFtL
37cYQSH5BmKMaOeuSKf5Roywk6PV7NxLYBEyysmR/a6i1NnYladBiGUjJHtVpuao0vScgU7pJaEI
taJO3GuI/V5+C1Dv2ez3jS54tKdXD+RN53A7+ymsBt/pmJBA39NQhXr0Au6w0g0UnnGSeNPScYBR
u/4=
=jPUX
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-7104-1
November 18, 2024

curl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

curl could be made to expose sensitive information over the network.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

It was discovered that curl could overwrite the HSTS expiry of the parent
domain with the subdomain's HSTS entry. This could lead to curl switching
back to insecure HTTP earlier than otherwise intended, resulting in
information exposure.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
  curl                            8.9.1-2ubuntu2.1
  libcurl3t64-gnutls              8.9.1-2ubuntu2.1
  libcurl4t64                     8.9.1-2ubuntu2.1

Ubuntu 24.04 LTS
  curl                            8.5.0-2ubuntu10.5
  libcurl3t64-gnutls              8.5.0-2ubuntu10.5
  libcurl4t64                     8.5.0-2ubuntu10.5

Ubuntu 22.04 LTS
  curl                            7.81.0-1ubuntu1.19
  libcurl3-gnutls                 7.81.0-1ubuntu1.19
  libcurl3-nss                    7.81.0-1ubuntu1.19
  libcurl4                        7.81.0-1ubuntu1.19

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7104-1
  CVE-2024-9681

Package Information:
  https://launchpad.net/ubuntu/+source/curl/8.9.1-2ubuntu2.1
  https://launchpad.net/ubuntu/+source/curl/8.5.0-2ubuntu10.5
  https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.19

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)