Your submission was sent successfully! Close

USN-5412-1: curl vulnerabilities

11 May 2022

Several security issues were fixed in curl.

Releases

Packages

  • curl - HTTP, HTTPS, and FTP client and client libraries

Details

Axel Chong discovered that curl incorrectly handled percent-encoded URL
separators. A remote attacker could possibly use this issue to trick curl
into using the wrong URL and bypass certain checks or filters. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-27780)

Florian Kohnhuser discovered that curl incorrectly handled returning a
TLS server's certificate chain details. A remote attacker could possibly
use this issue to cause curl to stop responding, resulting in a denial of
service. (CVE-2022-27781)

Harry Sintonen discovered that curl incorrectly reused a previous
connection when certain options had been changed, contrary to expectations.
(CVE-2022-27782)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04
Ubuntu 21.10
Ubuntu 20.04
Ubuntu 18.04

In general, a standard system update will make all the necessary changes.

Related notices

  • USN-5499-1: libcurl4-openssl-dev, curl, libcurl4-gnutls-dev, libcurl4-nss-dev, libcurl3-gnutls, libcurl3-nss, libcurl4-doc, libcurl3