Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 568
Alerts This Week
Warning Icon 1 568

Ubuntu 20.10 Security Notice USN-4665-1: Curl DoS and Info Leak

ubuntu
Calendar Grey December 9, 2020
Dist Ubuntu Esm H88
Numerous vulnerabilities were addressed in wget across various Ubuntu versions, affecting the management of confidential information.
Several security issues were fixed in curl.

Summary

Several security issues were fixed in curl.

Software Description:

- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Marc Aldorasi discovered that curl incorrectly handled the libcurl

CURLOPT_CONNECT_ONLY option. This could result in data being sent to the

wrong destination, possibly exposing sensitive information. This issue only

affected Ubuntu 20.10. (CVE-2020-8231)

Varnavas Papaioannou discovered that curl incorrectly handled FTP PASV

responses. An attacker could possibly use this issue to trick curl into

connecting to an arbitrary IP address and be used to perform port scanner

and other information gathering. (CVE-2020-8284)

It was discovered that curl incorrectly handled FTP wildcard matchins. A

remote attacker could possibly use this issue to cause curl to consume

resources and crash, resulting in a denial of service. (CVE-2020-8285)

It was discovered that curl incorrectly handled OCSP response verification.

A remote attacker could...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.10:
  curl                            7.68.0-1ubuntu4.2
  libcurl3-gnutls                 7.68.0-1ubuntu4.2
  libcurl3-nss                    7.68.0-1ubuntu4.2
  libcurl4                        7.68.0-1ubuntu4.2

Ubuntu 20.04 LTS:
  curl                            7.68.0-1ubuntu2.4
  libcurl3-gnutls                 7.68.0-1ubuntu2.4
  libcurl3-nss                    7.68.0-1ubuntu2.4
  libcurl4                        7.68.0-1ubuntu2.4

Ubuntu 18.04 LTS:
  curl                            7.58.0-2ubuntu3.12
  libcurl3-gnutls                 7.58.0-2ubuntu3.12
  libcurl3-nss                    7.58.0-2ubuntu3.12
  libcurl4                        7.58.0-2ubuntu3.12

Ubuntu 16.04 LTS:
  curl                            7.47.0-1ubuntu2.18
  libcurl3                        7.47.0-1ubuntu2.18
  libcurl3-gnutls                 7.47.0-1ubuntu2.18
  libcurl3-nss                    7.47.0-1ubuntu2.18

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-4665-1

CVE-2020-8231, CVE-2020-8284, CVE-2020-8285, CVE-2020-8286

Severity
critical
Lowest
Low
Medium
High
Critical

December 09, 2020

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.