==========================================================================
Ubuntu Security Notice USN-7162-1
December 16, 2024
curl vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
curl could be made to expose sensitive information.
Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries
Details:
Harry Sintonen discovered that curl incorrectly handled credentials from
.netrc files when following HTTP redirects. In certain configurations, the
password for the first host could be leaked to the followed-to host,
contrary to expectations.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
  curl                 8.9.1-2ubuntu2.2
  libcurl3t64-gnutls   8.9.1-2ubuntu2.2
  libcurl4t64          8.9.1-2ubuntu2.2
Ubuntu 24.04 LTS
  curl                 8.5.0-2ubuntu10.6
  libcurl3t64-gnutls   8.5.0-2ubuntu10.6
  libcurl4t64          8.5.0-2ubuntu10.6
Ubuntu 22.04 LTS
  curl                 7.81.0-1ubuntu1.20
  libcurl3-gnutls      7.81.0-1ubuntu1.20
  libcurl3-nss         7.81.0-1ubuntu1.20
  libcurl4             7.81.0-1ubuntu1.20
Ubuntu 20.04 LTS
  curl                 7.68.0-1ubuntu2.25
  libcurl3-gnutls      7.68.0-1ubuntu2.25
  libcurl3-nss         7.68.0-1ubuntu2.25
  libcurl4             7.68.0-1ubuntu2.25
In general, a standard system update will make all the necessary changes.
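To audit collected package inventories against the fixed versions above, the following added example (not part of the Ubuntu notice) flags hosts still below the patched version. It uses a simplified reimplementation of Debian version ordering so it runs offline; the inventory format, host names and function names are assumptions, and the sample rows are constructed.

```python
import re

# Fixed versions per release, copied from this notice (USN-7162-1).
FIXED = {
    "24.10": "8.9.1-2ubuntu2.2",
    "24.04": "8.5.0-2ubuntu10.6",
    "22.04": "7.81.0-1ubuntu1.20",
    "20.04": "7.68.0-1ubuntu2.25",
}
PACKAGES = {"curl", "libcurl3t64-gnutls", "libcurl4t64",
            "libcurl3-gnutls", "libcurl3-nss", "libcurl4"}

def _order(c):
    # Debian ordering: '~' sorts before everything, letters before other symbols.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _part_key(s):
    # Alternate non-digit and digit runs; digit runs compare numerically,
    # so "1.9" sorts before "1.20" (a plain string compare gets this wrong).
    return [([_order(c) for c in text] + [0], int(num or 0))
            for text, num in re.findall(r"(\D*)(\d*)", s)]

def deb_key(version):
    """Sort key for a Debian version string: epoch, upstream, revision."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return (int(epoch), _part_key(upstream), _part_key(revision))

def unpatched(inventory):
    """Return (host, package, version) rows older than the fixed version."""
    hits = []
    for line in inventory.strip().splitlines():
        host, release, package, version = line.split()
        if package in PACKAGES and deb_key(version) < deb_key(FIXED[release]):
            hits.append((host, package, version))
    return hits

# Constructed sample inventory: host, Ubuntu release, package, installed version.
SAMPLE = """
web01 22.04 libcurl4 7.81.0-1ubuntu1.9
web02 22.04 libcurl4 7.81.0-1ubuntu1.20
ci01 24.04 curl 8.5.0-2ubuntu10.5
edge01 24.10 libcurl4t64 8.9.1-2ubuntu2.1
"""
```

On a live host, `dpkg --compare-versions` is the authoritative comparison; the key function here is for offline inventory data.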
References:
https://ubuntu.com/security/notices/USN-7162-1
CVE-2024-11053
Package Information:
https://launchpad.net/ubuntu/+source/curl/8.9.1-2ubuntu2.2
https://launchpad.net/ubuntu/+source/curl/8.5.0-2ubuntu10.6
https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.20
https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.25