USN-7162-1: curl vulnerability
USN-7162-1: curl vulnerability
16 December 2024
curl could be made to expose sensitive information.
Releases
Ubuntu 24.10 Ubuntu 24.04 LTS Ubuntu 22.04 LTS Ubuntu 20.04 LTS
Packages
curl - HTTP, HTTPS, and FTP client and client libraries
Details
Harry Sintonen discovered that curl incorrectly handled credentials from
.netrc files when following HTTP redirects. In certain configurations, the
password for the first host could be leaked to the followed-to host,
contrary to expectations.
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 24.10
- curl - 8.9.1-2ubuntu2.2
- libcurl3t64-gnutls - 8.9.1-2ubuntu2.2
- libcurl4t64 - 8.9.1-2ubuntu2.2
Ubuntu 24.04 - curl - 8.5.0-2ubuntu10.6
- libcurl3t64-gnutls - 8.5.0-2ubuntu10.6
- libcurl4t64 - 8.5.0-2ubuntu10.6
Ubuntu 22.04 - curl - 7.81.0-1ubuntu1.20
- libcurl3-gnutls - 7.81.0-1ubuntu1.20
- libcurl3-nss - 7.81.0-1ubuntu1.20
- libcurl4 - 7.81.0-1ubuntu1.20
Ubuntu 20.04 - curl - 7.68.0-1ubuntu2.25
- libcurl3-gnutls - 7.68.0-1ubuntu2.25
- libcurl3-nss - 7.68.0-1ubuntu2.25
- libcurl4 - 7.68.0-1ubuntu2.25
In general, a standard system update will make all the necessary changes.