Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 601
Alerts This Week
Warning Icon 1 601

Ubuntu 23.04: USN-6237-1 Critical: Curl Certificate Spoofing Issues

ubuntu
Calendar Grey July 19, 2023
Dist Ubuntu Esm H88
Keep your Ubuntu system secure by updating the curl package to mitigate vulnerabilities. Follow these steps for a successful update and verification
Several security issues were fixed in curl.

Summary

Several security issues were fixed in curl.

Software Description:

- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Hiroki Kurosawa discovered that curl incorrectly handled validating certain

certificate wildcards. A remote attacker could possibly use this issue to

spoof certain website certificates using IDN hosts. (CVE-2023-28321)

Hiroki Kurosawa discovered that curl incorrectly handled callbacks when

certain options are set by applications. This could cause applications

using curl to misbehave, resulting in information disclosure, or a denial

of service. (CVE-2023-28322)

It was discovered that curl incorrectly handled saving cookies to files. A

local attacker could possibly use this issue to create or overwrite files.

This issue only affected Ubuntu 22.10, and Ubuntu 23.04. (CVE-2023-32001)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
   curl                            7.88.1-8ubuntu2.1
   libcurl3-gnutls                 7.88.1-8ubuntu2.1
   libcurl3-nss                    7.88.1-8ubuntu2.1
   libcurl4                        7.88.1-8ubuntu2.1

Ubuntu 22.10:
   curl                            7.85.0-1ubuntu0.6
   libcurl3-gnutls                 7.85.0-1ubuntu0.6
   libcurl3-nss                    7.85.0-1ubuntu0.6
   libcurl4                        7.85.0-1ubuntu0.6

Ubuntu 22.04 LTS:
   curl                            7.81.0-1ubuntu1.11
   libcurl3-gnutls                 7.81.0-1ubuntu1.11
   libcurl3-nss                    7.81.0-1ubuntu1.11
   libcurl4                        7.81.0-1ubuntu1.11

Ubuntu 20.04 LTS:
   curl                            7.68.0-1ubuntu2.19
   libcurl3-gnutls                 7.68.0-1ubuntu2.19
   libcurl3-nss                    7.68.0-1ubuntu2.19
   libcurl4                        7.68.0-1ubuntu2.19

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-6237-1

CVE-2023-28321, CVE-2023-28322, CVE-2023-32001

Severity
critical
Lowest
Low
Medium
High
Critical

July 19, 2023

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.