Headline
Ubuntu Security Notice USN-6535-1
Ubuntu Security Notice 6535-1 - Harry Sintonen discovered that curl incorrectly handled mixed case cookie domains. A remote attacker could possibly use this issue to set cookies that get sent to different and unrelated sites and domains. Maksymilian Arciemowicz discovered that curl incorrectly handled long file names when saving HSTS data. This could result in curl losing HSTS data, and subsequent requests to a site would be done without it, contrary to expectations. This issue only affected Ubuntu 23.04 and Ubuntu 23.10.
==========================================================================
Ubuntu Security Notice USN-6535-1
December 06, 2023
curl vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in curl.
Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries
Details:
Harry Sintonen discovered that curl incorrectly handled mixed case cookie
domains. A remote attacker could possibly use this issue to set cookies
that get sent to different and unrelated sites and domains.
(CVE-2023-46218)
Maksymilian Arciemowicz discovered that curl incorrectly handled long file
names when saving HSTS data. This could result in curl losing HSTS data,
and subsequent requests to a site would be done without it, contrary to
expectations. This issue only affected Ubuntu 23.04 and Ubuntu 23.10.
(CVE-2023-46219)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
curl 8.2.1-1ubuntu3.2
libcurl3-gnutls 8.2.1-1ubuntu3.2
libcurl3-nss 8.2.1-1ubuntu3.2
libcurl4 8.2.1-1ubuntu3.2
Ubuntu 23.04:
curl 7.88.1-8ubuntu2.4
libcurl3-gnutls 7.88.1-8ubuntu2.4
libcurl3-nss 7.88.1-8ubuntu2.4
libcurl4 7.88.1-8ubuntu2.4
Ubuntu 22.04 LTS:
curl 7.81.0-1ubuntu1.15
libcurl3-gnutls 7.81.0-1ubuntu1.15
libcurl3-nss 7.81.0-1ubuntu1.15
libcurl4 7.81.0-1ubuntu1.15
Ubuntu 20.04 LTS:
curl 7.68.0-1ubuntu2.21
libcurl3-gnutls 7.68.0-1ubuntu2.21
libcurl3-nss 7.68.0-1ubuntu2.21
libcurl4 7.68.0-1ubuntu2.21
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6535-1
CVE-2023-46218, CVE-2023-46219
Package Information:
https://launchpad.net/ubuntu/+source/curl/8.2.1-1ubuntu3.2
https://launchpad.net/ubuntu/+source/curl/7.88.1-8ubuntu2.4
https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.15
https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.21
Related news
Gentoo Linux Security Advisory 202409-20 - Multiple vulnerabilities have been discovered in curl, the worst of which could lead to information disclosure. Versions greater than or equal to 8.7.1 are affected.
Red Hat Security Advisory 2024-1601-03 - An update for curl is now available for Red Hat Enterprise Linux 8. Issues addressed include an information leakage vulnerability.
Red Hat Security Advisory 2024-1317-03 - Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 3 is now available. Issues addressed include buffer overflow, cross site scripting, information leakage, out of bounds read, and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-1316-03 - Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 3 is now available. Issues addressed include cross site scripting, information leakage, and out of bounds read vulnerabilities.
Red Hat Security Advisory 2024-1129-03 - An update for curl is now available for Red Hat Enterprise Linux 9. Issues addressed include an information leakage vulnerability.
Ubuntu Security Notice 6641-1 - Harry Sintonen discovered that curl incorrectly handled mixed case cookie domains. A remote attacker could possibly use this issue to set cookies that get sent to different and unrelated sites and domains.
Debian Linux Security Advisory 5587-1 - Two security issues were discovered in Curl: Cookies were incorrectly validated against the public suffix list of domains and in same cases HSTS data could fail to save to disk.
When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.
This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.