==========================================================================
Ubuntu Security Notice USN-7104-1
November 18, 2024

curl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

curl could be made to expose sensitive information over the network.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

It was discovered that curl could overwrite the HSTS expiry of the parent
domain with the subdomain's HSTS entry. This could lead to curl switching
back to insecure HTTP earlier than otherwise intended, resulting in
information exposure.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
  curl                            8.9.1-2ubuntu2.1
  libcurl3t64-gnutls              8.9.1-2ubuntu2.1
  libcurl4t64                     8.9.1-2ubuntu2.1

Ubuntu 24.04 LTS
  curl                            8.5.0-2ubuntu10.5
  libcurl3t64-gnutls              8.5.0-2ubuntu10.5
  libcurl4t64                     8.5.0-2ubuntu10.5

Ubuntu 22.04 LTS
  curl                            7.81.0-1ubuntu1.19
  libcurl3-gnutls                 7.81.0-1ubuntu1.19
  libcurl3-nss                    7.81.0-1ubuntu1.19
  libcurl4                        7.81.0-1ubuntu1.19

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7104-1
  CVE-2024-9681

Package Information:
  https://launchpad.net/ubuntu/+source/curl/8.5.0-2ubuntu10.5

Severity: Critical. LinuxSecurity.com Team
# Security update for curl

Announcement ID: SUSE-SU-2024:1151-3
Rating: moderate
References:
  * bsc#1221665
  * bsc#1221667
Cross-References:
  * CVE-2024-2004
  * CVE-2024-2398
CVSS scores:
  * CVE-2024-2004 ( SUSE ): 3.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
  * CVE-2024-2398 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  * SUSE Linux Enterprise Micro 5.5

An update that solves two vulnerabilities can now be installed.

## Description:

This update for curl fixes the following issues:

* CVE-2024-2004: Fix the usage of disabled protocol logic. (bsc#1221665)
* CVE-2024-2398: Fix HTTP/2 push headers memory-leak. (bsc#1221667)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise Micro 5.5
  zypper in -t patch SUSE-SLE-Micro-5.5-2024-1151=1

## Package List:

* SUSE Linux Enterprise Micro 5.5 (aarch64 ppc64le s390x x86_64)
  * curl-8.0.1-150400.5.44.1
  * curl-debugsource-8.0.1-150400.5.44.1
  * curl-debuginfo-8.0.1-150400.5.44.1
  * libcurl4-8.0.1-150400.5.44.1
  * libcurl4-debuginfo-8.0.1-150400.5.44.1

## References:

* https://www.suse.com/security/cve/CVE-2024-2004.html
* https://www.suse.com/security/cve/CVE-2024-2398.html
* https://bugzilla.suse.com/show_bug.cgi?id=1221665
* https://bugzilla.suse.com/show_bug.cgi?id=1221667
# Security update for curl

Announcement ID: SUSE-SU-2024:1120-1
Rating: moderate
References:
  * bsc#1221665
  * bsc#1221667
Cross-References:
  * CVE-2024-2004
  * CVE-2024-2398
CVSS scores:
  * CVE-2024-2004 ( SUSE ): 3.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
  * CVE-2024-2398 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  * SUSE Linux Enterprise Micro 5.1
  * SUSE Linux Enterprise Micro 5.2
  * SUSE Linux Enterprise Micro for Rancher 5.2

An update that solves two vulnerabilities can now be installed.

## Description:

This update for curl fixes the following issues:

* CVE-2024-2004: Fix the usage of disabled protocol logic. (bsc#1221665)
* CVE-2024-2398: Fix HTTP/2 push headers memory-leak. (bsc#1221667)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise Micro 5.1
  zypper in -t patch SUSE-SUSE-MicroOS-5.1-2024-1120=1
* SUSE Linux Enterprise Micro 5.2
  zypper in -t patch SUSE-SUSE-MicroOS-5.2-2024-1120=1
* SUSE Linux Enterprise Micro for Rancher 5.2
  zypper in -t patch SUSE-SUSE-MicroOS-5.2-2024-1120=1

## Package List:

* SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64)
  * libcurl4-7.66.0-150200.4.69.1
  * libcurl4-debuginfo-7.66.0-150200.4.69.1
  * curl-7.66.0-150200.4.69.1
  * curl-debuginfo-7.66.0-150200.4.69.1
  * curl-debugsource-7.66.0-150200.4.69.1
* SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64)
  * libcurl4-7.66.0-150200.4.69.1
  * libcurl4-debuginfo-7.66.0-150200.4.69.1
  * curl-7.66.0-150200.4.69.1
  * curl-debuginfo-7.66.0-150200.4.69.1
  * curl-debugsource-7.66.0-150200.4.69.1
* SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 s390x x86_64)
  * libcurl4-7.66.0-150200.4.69.1
  * libcurl4-debuginfo-7.66.0-150200.4.69.1
  * curl-7.66.0-150200.4.69.1
  * curl-debuginfo-7.66.0-150200.4.69.1
  * curl-debugsource-7.66.0-150200.4.69.1

## References:

* https://www.suse.com/security/cve/CVE-2024-2004.html
* https://www.suse.com/security/cve/CVE-2024-2398.html
* https://bugzilla.suse.com/show_bug.cgi?id=1221665
* https://bugzilla.suse.com/show_bug.cgi?id=1221667
Moderate: curl security and bug fix update

Advisory ID       : RLSA-2024:1601
Type              : Security
Severity          : Moderate
Published         : 2024-04-05T14:55:53.600745Z
Affected Products : Rocky Linux 8
Reboot suggested  : no

Topic:

An update is available for curl.
This update affects Rocky Linux 8.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed
severity rating, is available for each vulnerability from the CVE list.

Description:

The curl packages provide the libcurl library and the curl utility for
downloading files from servers using various protocols, including HTTP, FTP,
and LDAP.

Security Fix(es):

* curl: information disclosure by exploiting a mixed case flaw (CVE-2023-46218)
* curl: more POST-after-PUT confusion (CVE-2023-28322)
* curl: cookie injection with none file (CVE-2023-38546)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* libssh (curl sftp) not trying password auth (BZ#2240033)
* libssh: cap SFTP packet size sent (Rocky Linux-5485)

Fixes (Red Hat Bugzilla):

* 2196793 - https://bugzilla.redhat.com/show_bug.cgi?id=2196793
* 2240033 - https://bugzilla.redhat.com/show_bug.cgi?id=2240033 (libssh (curl sftp) not trying password auth)
* 2241938 - https://bugzilla.redhat.com/show_bug.cgi?id=2241938
* 2252030 - https://bugzilla.redhat.com/show_bug.cgi?id=2252030

CVEs (source: MITRE; CVSS v3 vector, base score and CWE listed as UNKNOWN):

* CVE-2023-28322 - https://www.cve.org/CVERecord?id=CVE-2023-28322
* CVE-2023-38546 - https://www.cve.org/CVERecord?id=CVE-2023-38546
* CVE-2023-46218 - https://www.cve.org/CVERecord?id=CVE-2023-46218

RPMs (Rocky Linux 8):

curl-0:7.61.1-33.el8_9.5.aarch64.rpm
curl-0:7.61.1-33.el8_9.5.src.rpm
curl-0:7.61.1-33.el8_9.5.x86_64.rpm
curl-debuginfo-0:7.61.1-33.el8_9.5.aarch64.rpm
curl-debuginfo-0:7.61.1-33.el8_9.5.i686.rpm
curl-debuginfo-0:7.61.1-33.el8_9.5.x86_64.rpm
curl-debugsource-0:7.61.1-33.el8_9.5.aarch64.rpm
curl-debugsource-0:7.61.1-33.el8_9.5.i686.rpm
curl-debugsource-0:7.61.1-33.el8_9.5.x86_64.rpm
libcurl-0:7.61.1-33.el8_9.5.aarch64.rpm
libcurl-0:7.61.1-33.el8_9.5.i686.rpm
libcurl-0:7.61.1-33.el8_9.5.x86_64.rpm
libcurl-debuginfo-0:7.61.1-33.el8_9.5.aarch64.rpm
libcurl-debuginfo-0:7.61.1-33.el8_9.5.i686.rpm
libcurl-debuginfo-0:7.61.1-33.el8_9.5.x86_64.rpm
libcurl-devel-0:7.61.1-33.el8_9.5.aarch64.rpm
libcurl-devel-0:7.61.1-33.el8_9.5.i686.rpm
libcurl-devel-0:7.61.1-33.el8_9.5.x86_64.rpm
libcurl-minimal-0:7.61.1-33.el8_9.5.aarch64.rpm
libcurl-minimal-0:7.61.1-33.el8_9.5.i686.rpm
libcurl-minimal-0:7.61.1-33.el8_9.5.x86_64.rpm
libcurl-minimal-debuginfo-0:7.61.1-33.el8_9.5.aarch64.rpm
libcurl-minimal-debuginfo-0:7.61.1-33.el8_9.5.i686.rpm
libcurl-minimal-debuginfo-0:7.61.1-33.el8_9.5.x86_64.rpm
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2023-2121eca964
2023-12-15 02:18:14.322411
--------------------------------------------------------------------------------

Name        : curl
Product     : Fedora 38
Version     : 8.0.1
Release     : 6.fc38
URL         : https://curl.se/
Summary     : A utility for getting files from remote servers (FTP, HTTP, and others)
Description :
curl is a command line tool for transferring data with URL syntax, supporting
FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,
SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP
uploading, HTTP form based upload, proxies, cookies, user+password
authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer
resume, proxy tunneling and a busload of other useful tricks.
--------------------------------------------------------------------------------
Update Information:

- fix HSTS long file name clears contents (CVE-2023-46219)
- fix cookie mixed case PSL bypass (CVE-2023-46218)
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 6 2023 Jan Macku - 8.0.1-6
- fix HSTS long file name clears contents (CVE-2023-46219)
- fix cookie mixed case PSL bypass (CVE-2023-46218)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2252030 - CVE-2023-46218 curl: information disclosure by exploiting a mixed case flaw
        https://bugzilla.redhat.com/show_bug.cgi?id=2252030
  [ 2 ] Bug #2252034 - CVE-2023-46219 curl: excessively long file name may lead to unknown HSTS status
        https://bugzilla.redhat.com/show_bug.cgi?id=2252034
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2023-2121eca964' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------

package-announce mailing list
Oracle Linux Security Advisory ELSA-2023-5763
https://linux.oracle.com/errata/ELSA-2023-5763.html

The following updated rpms for Oracle Linux 9 have been uploaded to the
Unbreakable Linux Network:

x86_64:
curl-7.76.1-23.el9_2.4.x86_64.rpm
curl-minimal-7.76.1-23.el9_2.4.x86_64.rpm
libcurl-7.76.1-23.el9_2.4.i686.rpm
libcurl-7.76.1-23.el9_2.4.x86_64.rpm
libcurl-devel-7.76.1-23.el9_2.4.i686.rpm
libcurl-devel-7.76.1-23.el9_2.4.x86_64.rpm
libcurl-minimal-7.76.1-23.el9_2.4.i686.rpm
libcurl-minimal-7.76.1-23.el9_2.4.x86_64.rpm

aarch64:
curl-7.76.1-23.el9_2.4.aarch64.rpm
curl-minimal-7.76.1-23.el9_2.4.aarch64.rpm
libcurl-7.76.1-23.el9_2.4.aarch64.rpm
libcurl-devel-7.76.1-23.el9_2.4.aarch64.rpm
libcurl-minimal-7.76.1-23.el9_2.4.aarch64.rpm

SRPMS:
https://oss.oracle.com:443/ol9/SRPMS-updates//curl-7.76.1-23.el9_2.4.src.rpm

Related CVEs:
CVE-2023-38545
CVE-2023-38546

Description of changes:

[7.76.1-23.el9_2.4]
- curl: a heap-based buffer overflow in the SOCKS5 proxy handshake (CVE-2023-38545)
- curl: cookie injection with none file (CVE-2023-38546)

El-errata mailing list
SUSE Container Update Advisory: bci/php-fpm
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3388-1
Container Tags        : bci/php-fpm:8 , bci/php-fpm:8-8.10
Container Release     : 8.10
Severity              : important
Type                  : security
References            : 1214806 1215859 1215888 1215889 CVE-2023-38545
                        CVE-2023-38546 CVE-2023-43655 CVE-2023-4641
-----------------------------------------------------------------

The container bci/php-fpm was updated. The following patches have been
included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4024-1
Released:    Tue Oct 10 13:24:40 2023
Summary:     Security update for shadow
Type:        security
Severity:    low
References:  1214806,CVE-2023-4641

This update for shadow fixes the following issues:

- CVE-2023-4641: Fixed potential password leak (bsc#1214806).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4041-1
Released:    Tue Oct 10 18:28:16 2023
Summary:     Security update for php-composer2
Type:        security
Severity:    moderate
References:  1215859,CVE-2023-43655

This update for php-composer2 fixes the following issues:

- CVE-2023-43655: Fixed a remote code execution issue that could be triggered
  if users published a web-accessible composer.phar file (bsc#1215859).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4044-1
Released:    Wed Oct 11 09:01:14 2023
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1215888,1215889,CVE-2023-38545,CVE-2023-38546

This update for curl fixes the following issues:

- CVE-2023-38545: Fixed a heap buffer overflow in SOCKS5. (bsc#1215888)
- CVE-2023-38546: Fixed a cookie injection with none file. (bsc#1215889)

The following package changes have been done:

- login_defs-4.8.1-150400.10.12.1 updated
- libcurl4-8.0.1-150400.5.32.1 updated
- shadow-4.8.1-150400.10.12.1 updated
- php-composer2-2.2.3-150400.3.6.1 updated
- container:sles15-image-15.0.0-36.5.41 updated
SUSE Container Update Advisory: bci/php-apache
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3387-1
Container Tags        : bci/php-apache:8 , bci/php-apache:8-8.9
Container Release     : 8.9
Severity              : important
Type                  : security
References            : 1214806 1215859 1215888 1215889 CVE-2023-38545
                        CVE-2023-38546 CVE-2023-43655 CVE-2023-4641
-----------------------------------------------------------------

The container bci/php-apache was updated. The following patches have been
included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4024-1
Released:    Tue Oct 10 13:24:40 2023
Summary:     Security update for shadow
Type:        security
Severity:    low
References:  1214806,CVE-2023-4641

This update for shadow fixes the following issues:

- CVE-2023-4641: Fixed potential password leak (bsc#1214806).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4041-1
Released:    Tue Oct 10 18:28:16 2023
Summary:     Security update for php-composer2
Type:        security
Severity:    moderate
References:  1215859,CVE-2023-43655

This update for php-composer2 fixes the following issues:

- CVE-2023-43655: Fixed a remote code execution issue that could be triggered
  if users published a web-accessible composer.phar file (bsc#1215859).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4044-1
Released:    Wed Oct 11 09:01:14 2023
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1215888,1215889,CVE-2023-38545,CVE-2023-38546

This update for curl fixes the following issues:

- CVE-2023-38545: Fixed a heap buffer overflow in SOCKS5. (bsc#1215888)
- CVE-2023-38546: Fixed a cookie injection with none file. (bsc#1215889)

The following package changes have been done:

- login_defs-4.8.1-150400.10.12.1 updated
- libcurl4-8.0.1-150400.5.32.1 updated
- shadow-4.8.1-150400.10.12.1 updated
- php-composer2-2.2.3-150400.3.6.1 updated
- container:sles15-image-15.0.0-36.5.41 updated