Headline
Gentoo Linux Security Advisory 202409-20
Gentoo Linux Security Advisory 202409-20 - Multiple vulnerabilities have been discovered in curl, the worst of which could lead to information disclosure. Versions greater than or equal to 8.7.1 are affected.
Gentoo Linux Security Advisory GLSA 202409-20
https://security.gentoo.org/
Severity: Normal
Title: curl: Multiple Vulnerabilities
Date: September 23, 2024
Bugs: #919325, #919889, #923413, #927960
ID: 202409-20
Synopsis
Multiple vulnerabilities have been discovered in curl, the worst of
which could lead to information disclosure.
Background
A command line tool and library for transferring data with URLs.
Affected packages
Package Vulnerable Unaffected
net-misc/curl < 8.7.1 >= 8.7.1
Description
Multiple vulnerabilities have been discovered in curl. Please review the
CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All curl users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose “>=net-misc/curl-8.7.1”
References
[ 1 ] CVE-2023-42619
https://nvd.nist.gov/vuln/detail/CVE-2023-42619
[ 2 ] CVE-2023-46218
https://nvd.nist.gov/vuln/detail/CVE-2023-46218
[ 3 ] CVE-2023-46219
https://nvd.nist.gov/vuln/detail/CVE-2023-46219
[ 4 ] CVE-2024-0853
https://nvd.nist.gov/vuln/detail/CVE-2024-0853
[ 5 ] CVE-2024-2004
https://nvd.nist.gov/vuln/detail/CVE-2024-2004
[ 6 ] CVE-2024-2398
https://nvd.nist.gov/vuln/detail/CVE-2024-2398
[ 7 ] CVE-2024-2466
https://nvd.nist.gov/vuln/detail/CVE-2024-2466
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202409-20
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
Related news
Red Hat Security Advisory 2024-7213-03 - Updated service-interconnect container images are now available for Service Interconnect 1.4 LTS for RHEL 9.
Red Hat Security Advisory 2024-3998-03 - An update for curl is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.
Ubuntu Security Notice 6718-3 - USN-6718-1 fixed vulnerabilities in curl. This update provides the corresponding updates for Ubuntu 24.04 LTS. Dan Fandrich discovered that curl would incorrectly use the default set of protocols when a parameter option disabled all protocols without adding any, contrary to expectations. This issue only affected Ubuntu 23.10. It was discovered that curl incorrectly handled memory when limiting the amount of headers when HTTP/2 server push is allowed. A remote attacker could possibly use this issue to cause curl to consume resources, leading to a denial of service.
Ubuntu Security Notice 6718-3 - USN-6718-1 fixed vulnerabilities in curl. This update provides the corresponding updates for Ubuntu 24.04 LTS. Dan Fandrich discovered that curl would incorrectly use the default set of protocols when a parameter option disabled all protocols without adding any, contrary to expectations. This issue only affected Ubuntu 23.10. It was discovered that curl incorrectly handled memory when limiting the amount of headers when HTTP/2 server push is allowed. A remote attacker could possibly use this issue to cause curl to consume resources, leading to a denial of service.
Red Hat Security Advisory 2024-1601-03 - An update for curl is now available for Red Hat Enterprise Linux 8. Issues addressed include an information leakage vulnerability.
Ubuntu Security Notice 6718-1 - Dan Fandrich discovered that curl would incorrectly use the default set of protocols when a parameter option disabled all protocols without adding any, contrary to expectations. This issue only affected Ubuntu 23.10. It was discovered that curl incorrectly handled memory when limiting the amount of headers when HTTP/2 server push is allowed. A remote attacker could possibly use this issue to cause curl to consume resources, leading to a denial of service.
Ubuntu Security Notice 6718-1 - Dan Fandrich discovered that curl would incorrectly use the default set of protocols when a parameter option disabled all protocols without adding any, contrary to expectations. This issue only affected Ubuntu 23.10. It was discovered that curl incorrectly handled memory when limiting the amount of headers when HTTP/2 server push is allowed. A remote attacker could possibly use this issue to cause curl to consume resources, leading to a denial of service.
Red Hat Security Advisory 2024-1317-03 - Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 3 is now available. Issues addressed include buffer overflow, cross site scripting, information leakage, out of bounds read, and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-1317-03 - Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 3 is now available. Issues addressed include buffer overflow, cross site scripting, information leakage, out of bounds read, and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-1316-03 - Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 3 is now available. Issues addressed include cross site scripting, information leakage, and out of bounds read vulnerabilities.
Red Hat Security Advisory 2024-1316-03 - Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 3 is now available. Issues addressed include cross site scripting, information leakage, and out of bounds read vulnerabilities.
Red Hat Security Advisory 2024-1129-03 - An update for curl is now available for Red Hat Enterprise Linux 9. Issues addressed include an information leakage vulnerability.
Ubuntu Security Notice 6641-1 - Harry Sintonen discovered that curl incorrectly handled mixed case cookie domains. A remote attacker could possibly use this issue to set cookies that get sent to different and unrelated sites and domains.
Debian Linux Security Advisory 5587-1 - Two security issues were discovered in Curl: Cookies were incorrectly validated against the public suffix list of domains and in same cases HSTS data could fail to save to disk.
Debian Linux Security Advisory 5587-1 - Two security issues were discovered in Curl: Cookies were incorrectly validated against the public suffix list of domains and in same cases HSTS data could fail to save to disk.
When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.
Ubuntu Security Notice 6535-1 - Harry Sintonen discovered that curl incorrectly handled mixed case cookie domains. A remote attacker could possibly use this issue to set cookies that get sent to different and unrelated sites and domains. Maksymilian Arciemowicz discovered that curl incorrectly handled long file names when saving HSTS data. This could result in curl losing HSTS data, and subsequent requests to a site would be done without it, contrary to expectations. This issue only affected Ubuntu 23.04 and Ubuntu 23.10.
Ubuntu Security Notice 6535-1 - Harry Sintonen discovered that curl incorrectly handled mixed case cookie domains. A remote attacker could possibly use this issue to set cookies that get sent to different and unrelated sites and domains. Maksymilian Arciemowicz discovered that curl incorrectly handled long file names when saving HSTS data. This could result in curl losing HSTS data, and subsequent requests to a site would be done without it, contrary to expectations. This issue only affected Ubuntu 23.04 and Ubuntu 23.10.
This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.