Headline
Ubuntu Security Notice USN-6641-1
Ubuntu Security Notice 6641-1 - Harry Sintonen discovered that curl incorrectly handled mixed case cookie domains. A remote attacker could possibly use this issue to set cookies that get sent to different and unrelated sites and domains.
==========================================================================Ubuntu Security Notice USN-6641-1February 19, 2024curl vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS (Available with Ubuntu Pro)- Ubuntu 16.04 LTS (Available with Ubuntu Pro)Summary:curl could be made to set cookies that would bypass PSL checks.Software Description:- curl: HTTP, HTTPS, and FTP client and client librariesDetails:Harry Sintonen discovered that curl incorrectly handled mixed case cookiedomains. A remote attacker could possibly use this issue to set cookiesthat get sent to different and unrelated sites and domains.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS (Available with Ubuntu Pro): curl 7.58.0-2ubuntu3.24+esm3 libcurl3-gnutls 7.58.0-2ubuntu3.24+esm3 libcurl3-nss 7.58.0-2ubuntu3.24+esm3 libcurl4 7.58.0-2ubuntu3.24+esm3Ubuntu 16.04 LTS (Available with Ubuntu Pro): curl 7.47.0-1ubuntu2.19+esm11 libcurl3 7.47.0-1ubuntu2.19+esm11 libcurl3-gnutls 7.47.0-1ubuntu2.19+esm11 libcurl3-nss 7.47.0-1ubuntu2.19+esm11In general, a standard system update will make all the necessary changes.References: https://ubuntu.com/security/notices/USN-6641-1 CVE-2023-46218
Related news
Gentoo Linux Security Advisory 202409-20 - Multiple vulnerabilities have been discovered in curl, the worst of which could lead to information disclosure. Versions greater than or equal to 8.7.1 are affected.
Red Hat Security Advisory 2024-1601-03 - An update for curl is now available for Red Hat Enterprise Linux 8. Issues addressed include an information leakage vulnerability.
Red Hat Security Advisory 2024-1317-03 - Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 3 is now available. Issues addressed include buffer overflow, cross site scripting, information leakage, out of bounds read, and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-1316-03 - Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 3 is now available. Issues addressed include cross site scripting, information leakage, and out of bounds read vulnerabilities.
Red Hat Security Advisory 2024-1129-03 - An update for curl is now available for Red Hat Enterprise Linux 9. Issues addressed include an information leakage vulnerability.
Debian Linux Security Advisory 5587-1 - Two security issues were discovered in Curl: Cookies were incorrectly validated against the public suffix list of domains and in same cases HSTS data could fail to save to disk.
Ubuntu Security Notice 6535-1 - Harry Sintonen discovered that curl incorrectly handled mixed case cookie domains. A remote attacker could possibly use this issue to set cookies that get sent to different and unrelated sites and domains. Maksymilian Arciemowicz discovered that curl incorrectly handled long file names when saving HSTS data. This could result in curl losing HSTS data, and subsequent requests to a site would be done without it, contrary to expectations. This issue only affected Ubuntu 23.04 and Ubuntu 23.10.
This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.