Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 573
Alerts This Week
Warning Icon 1 573

Ubuntu 21.04 and LTS: 5079-1 Critical Curl DoS and Code Execution

ubuntu
Calendar Grey September 15, 2021
Dist Ubuntu Esm H88
Ubuntu has released updates fixing several critical vulnerabilities in curl. It's crucial to upgrade immediately to protect against remote attacks and prevent service outages
Several security issues were fixed in curl.

Summary

Several security issues were fixed in curl.

Software Description:

- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

It was discovered that curl incorrect handled memory when sending data to

an MQTT server. A remote attacker could use this issue to cause curl to

crash, resulting in a denial of service, or possibly execute arbitrary

code. (CVE-2021-22945)

Patrick Monnerat discovered that curl incorrectly handled upgrades to TLS.

When receiving certain responses from servers, curl would continue without

TLS even when the option to require a successful upgrade to TLS was

specified. (CVE-2021-22946)

Patrick Monnerat discovered that curl incorrectly handled responses

received before STARTTLS. A remote attacker could possibly use this issue

to inject responses and intercept communications. (CVE-2021-22947)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.04:
  curl                            7.74.0-1ubuntu2.3
  libcurl3-gnutls                 7.74.0-1ubuntu2.3
  libcurl3-nss                    7.74.0-1ubuntu2.3
  libcurl4                        7.74.0-1ubuntu2.3

Ubuntu 20.04 LTS:
  curl                            7.68.0-1ubuntu2.7
  libcurl3-gnutls                 7.68.0-1ubuntu2.7
  libcurl3-nss                    7.68.0-1ubuntu2.7
  libcurl4                        7.68.0-1ubuntu2.7

Ubuntu 18.04 LTS:
  curl                            7.58.0-2ubuntu3.15
  libcurl3-gnutls                 7.58.0-2ubuntu3.15
  libcurl3-nss                    7.58.0-2ubuntu3.15
  libcurl4                        7.58.0-2ubuntu3.15

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-5079-1

CVE-2021-22945, CVE-2021-22946, CVE-2021-22947

Severity
critical
Lowest
Low
Medium
High
Critical

September 15, 2021

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.