[USN-6944-2] curl vulnerability

Federico Quattrin federico.quattrin at canonical.com
Tue Aug 20 20:22:28 UTC 2024


==========================================================================
Ubuntu Security Notice USN-6944-2
August 20, 2024

curl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

curl could be made to crash or expose information if it received specially
crafted network traffic.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

USN-6944-1 fixed CVE-2024-7264 for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and
Ubuntu 24.04 LTS. This update provides the corresponding fix for
Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS.

Original advisory details:

Dov Murik discovered that curl incorrectly handled parsing ASN.1
Generalized Time fields. A remote attacker could use this issue to cause
curl to crash, resulting in a denial of service, or possibly obtain
sensitive memory contents.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
curl 7.58.0-2ubuntu3.24+esm5
Available with Ubuntu Pro
libcurl3-gnutls 7.58.0-2ubuntu3.24+esm5
Available with Ubuntu Pro
libcurl3-nss 7.58.0-2ubuntu3.24+esm5
Available with Ubuntu Pro
libcurl4 7.58.0-2ubuntu3.24+esm5
Available with Ubuntu Pro

Ubuntu 16.04 LTS
curl 7.47.0-1ubuntu2.19+esm13
Available with Ubuntu Pro
libcurl3 7.47.0-1ubuntu2.19+esm13
Available with Ubuntu Pro
libcurl3-gnutls 7.47.0-1ubuntu2.19+esm13
Available with Ubuntu Pro
libcurl3-nss 7.47.0-1ubuntu2.19+esm13
Available with Ubuntu Pro

Ubuntu 14.04 LTS
curl 7.35.0-1ubuntu2.20+esm18
Available with Ubuntu Pro
libcurl3 7.35.0-1ubuntu2.20+esm18
Available with Ubuntu Pro
libcurl3-gnutls 7.35.0-1ubuntu2.20+esm18
Available with Ubuntu Pro
libcurl3-nss 7.35.0-1ubuntu2.20+esm18
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6944-2
https://ubuntu.com/security/notices/USN-6944-1
CVE-2024-7264


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x703AAD91046CD76E.asc
Type: application/pgp-keys
Size: 1769 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20240820/080ed7c5/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20240820/080ed7c5/attachment-0001.sig>


More information about the ubuntu-security-announce mailing list