USN-3048-1: curl vulnerabilities
Ubuntu Security Notice USN-3048-1
8th August, 2016
curl vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
Several security issues were fixed in curl.
Software description
- curl
– HTTP, HTTPS, and FTP client and client libraries
Details
Bru Rom discovered that curl incorrectly handled client certificates when
resuming a TLS session. (CVE-2016-5419)
It was discovered that curl incorrectly handled client certificates when
reusing TLS connections. (CVE-2016-5420)
Marcelo Echeverria and Fernando Muñoz discovered that curl incorrectly
reused a connection struct, contrary to expectations. This issue only
applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5421)
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 16.04 LTS:
-
libcurl3-nss
7.47.0-1ubuntu2.1
-
libcurl3-gnutls
7.47.0-1ubuntu2.1
-
libcurl3
7.47.0-1ubuntu2.1
- Ubuntu 14.04 LTS:
-
libcurl3-nss
7.35.0-1ubuntu2.8
-
libcurl3-gnutls
7.35.0-1ubuntu2.8
-
libcurl3
7.35.0-1ubuntu2.8
- Ubuntu 12.04 LTS:
-
libcurl3-nss
7.22.0-3ubuntu4.16
-
libcurl3-gnutls
7.22.0-3ubuntu4.16
-
libcurl3
7.22.0-3ubuntu4.16
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
References
Source: USN-3048-1: curl vulnerabilities
