USN-6944-2: curl vulnerability
20 August 2024
curl could be made to crash or expose information if it received specially crafted network traffic.
Releases
Packages
- curl - HTTP, HTTPS, and FTP client and client libraries
Details
USN-6944-1 fixed CVE-2024-7264 for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and
Ubuntu 24.04 LTS. This update provides the corresponding fix for
Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS.
Original advisory details:
Dov Murik discovered that curl incorrectly handled parsing ASN.1
Generalized Time fields. A remote attacker could use this issue to cause
curl to crash, resulting in a denial of service, or possibly obtain
sensitive memory contents.
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 18.04
- curl - 7.58.0-2ubuntu3.24+esm5 (Available with Ubuntu Pro)
- libcurl3-gnutls - 7.58.0-2ubuntu3.24+esm5 (Available with Ubuntu Pro)
- libcurl3-nss - 7.58.0-2ubuntu3.24+esm5 (Available with Ubuntu Pro)
- libcurl4 - 7.58.0-2ubuntu3.24+esm5 (Available with Ubuntu Pro)
Ubuntu 16.04
- curl - 7.47.0-1ubuntu2.19+esm13 (Available with Ubuntu Pro)
- libcurl3 - 7.47.0-1ubuntu2.19+esm13 (Available with Ubuntu Pro)
- libcurl3-gnutls - 7.47.0-1ubuntu2.19+esm13 (Available with Ubuntu Pro)
- libcurl3-nss - 7.47.0-1ubuntu2.19+esm13 (Available with Ubuntu Pro)
Ubuntu 14.04
- curl - 7.35.0-1ubuntu2.20+esm18 (Available with Ubuntu Pro)
- libcurl3 - 7.35.0-1ubuntu2.20+esm18 (Available with Ubuntu Pro)
- libcurl3-gnutls - 7.35.0-1ubuntu2.20+esm18 (Available with Ubuntu Pro)
- libcurl3-nss - 7.35.0-1ubuntu2.20+esm18 (Available with Ubuntu Pro)
In general, a standard system update will make all the necessary changes.
References
Related notices
- USN-6944-1: libcurl4-doc, libcurl4-nss-dev, libcurl4t64, libcurl3-gnutls, libcurl3-nss, libcurl4-openssl-dev, libcurl3t64-gnutls, curl, libcurl4-gnutls-dev, libcurl4