Ubuntu Security Notice 7104-1 - It was discovered that curl could overwrite the HSTS expiry of the parent domain with the subdomain's HSTS entry. This could lead to curl switching back to insecure HTTP earlier than otherwise intended, resulting in information exposure.
0f628650750691a59648b4a0228da093ce429c68aa5c949edc1146e5a110c9b2==========================================================================
Ubuntu Security Notice USN-7104-1
November 18, 2024
curl vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
curl could be made to expose sensitive information over the network.
Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries
Details:
It was discovered that curl could overwrite the HSTS expiry of the parent
domain with the subdomain's HSTS entry. This could lead to curl switching
back to insecure HTTP earlier than otherwise intended, resulting in
information exposure.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
curl 8.9.1-2ubuntu2.1
libcurl3t64-gnutls 8.9.1-2ubuntu2.1
libcurl4t64 8.9.1-2ubuntu2.1
Ubuntu 24.04 LTS
curl 8.5.0-2ubuntu10.5
libcurl3t64-gnutls 8.5.0-2ubuntu10.5
libcurl4t64 8.5.0-2ubuntu10.5
Ubuntu 22.04 LTS
curl 7.81.0-1ubuntu1.19
libcurl3-gnutls 7.81.0-1ubuntu1.19
libcurl3-nss 7.81.0-1ubuntu1.19
libcurl4 7.81.0-1ubuntu1.19
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7104-1
CVE-2024-9681
Package Information:
https://launchpad.net/ubuntu/+source/curl/8.9.1-2ubuntu2.1
https://launchpad.net/ubuntu/+source/curl/8.5.0-2ubuntu10.5
https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.19
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed