
Ubuntu 23.10 USN-6535-1 moderate: curl handling cookie threats

December 6, 2023
Updates for Ubuntu versions 23.04 and 23.10 address vulnerabilities in curl; it's crucial to install the most recent fixes to safeguard your sensitive information and cookies.

Summary

Several security issues were fixed in curl.

Software Description:

- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Harry Sintonen discovered that curl incorrectly handled mixed case cookie domains. A remote attacker could possibly use this issue to set cookies that get sent to different and unrelated sites and domains. (CVE-2023-46218)

Maksymilian Arciemowicz discovered that curl incorrectly handled long file names when saving HSTS data. This could result in curl losing HSTS data, and subsequent requests to a site would be done without it, contrary to expectations. This issue only affected Ubuntu 23.04 and Ubuntu 23.10. (CVE-2023-46219)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
   curl                            8.2.1-1ubuntu3.2
   libcurl3-gnutls                 8.2.1-1ubuntu3.2
   libcurl3-nss                    8.2.1-1ubuntu3.2
   libcurl4                        8.2.1-1ubuntu3.2

Ubuntu 23.04:
   curl                            7.88.1-8ubuntu2.4
   libcurl3-gnutls                 7.88.1-8ubuntu2.4
   libcurl3-nss                    7.88.1-8ubuntu2.4
   libcurl4                        7.88.1-8ubuntu2.4

Ubuntu 22.04 LTS:
   curl                            7.81.0-1ubuntu1.15
   libcurl3-gnutls                 7.81.0-1ubuntu1.15
   libcurl3-nss                    7.81.0-1ubuntu1.15
   libcurl4                        7.81.0-1ubuntu1.15

Ubuntu 20.04 LTS:
   curl                            7.68.0-1ubuntu2.21
   libcurl3-gnutls                 7.68.0-1ubuntu2.21
   libcurl3-nss                    7.68.0-1ubuntu2.21
   libcurl4                        7.68.0-1ubuntu2.21

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-6535-1

CVE-2023-46218, CVE-2023-46219

Ubuntu Security Notice USN-6535-1
