Ubuntu Security Notice 5412-1 - Axel Chong discovered that curl incorrectly handled percent-encoded URL separators. A remote attacker could possibly use this issue to trick curl into using the wrong URL and bypass certain checks or filters. This issue only affected Ubuntu 22.04 LTS. Florian Kohnhuser discovered that curl incorrectly handled returning a TLS server's certificate chain details. A remote attacker could possibly use this issue to cause curl to stop responding, resulting in a denial of service.
477ec6bff1dfd28bf6df200de8f8540192a02b1e6306fa486d364e719ff4bca8
==========================================================================
Ubuntu Security Notice USN-5412-1
May 11, 2022
curl vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in curl.
Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries
Details:
Axel Chong discovered that curl incorrectly handled percent-encoded URL
separators. A remote attacker could possibly use this issue to trick curl
into using the wrong URL and bypass certain checks or filters. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-27780)
Florian Kohnhuser discovered that curl incorrectly handled returning a
TLS server's certificate chain details. A remote attacker could possibly
use this issue to cause curl to stop responding, resulting in a denial of
service. (CVE-2022-27781)
Harry Sintonen discovered that curl incorrectly reused a previous
connection when certain options had been changed, contrary to expectations.
(CVE-2022-27782)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
curl 7.81.0-1ubuntu1.2
libcurl3-gnutls 7.81.0-1ubuntu1.2
libcurl3-nss 7.81.0-1ubuntu1.2
libcurl4 7.81.0-1ubuntu1.2
Ubuntu 21.10:
curl 7.74.0-1.3ubuntu2.2
libcurl3-gnutls 7.74.0-1.3ubuntu2.2
libcurl3-nss 7.74.0-1.3ubuntu2.2
libcurl4 7.74.0-1.3ubuntu2.2
Ubuntu 20.04 LTS:
curl 7.68.0-1ubuntu2.11
libcurl3-gnutls 7.68.0-1ubuntu2.11
libcurl3-nss 7.68.0-1ubuntu2.11
libcurl4 7.68.0-1ubuntu2.11
Ubuntu 18.04 LTS:
curl 7.58.0-2ubuntu3.18
libcurl3-gnutls 7.58.0-2ubuntu3.18
libcurl3-nss 7.58.0-2ubuntu3.18
libcurl4 7.58.0-2ubuntu3.18
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5412-1
CVE-2022-27780, CVE-2022-27781, CVE-2022-27782
Package Information:
https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.2
https://launchpad.net/ubuntu/+source/curl/7.74.0-1.3ubuntu2.2
https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.11
https://launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.18