A New Update For The Curl Package Has Been Released

A developer has discovered a couple of vulnerabilities in the curl package, a command-line tool for transferring data to or from a server using one of the following protocols:

  • DICT
  • FILE
  • FTP
  • FTPS
  • GOPHER
  • HTTP
  • HTTPS
  • IMAP
  • IMAPS
  • LDAP
  • LDAPS
  • POP3
  • POP3S
  • RTMP
  • RTSP
  • SCP
  • SFTP
  • SMTP
  • SMTPS
  • TELNET
  • TFTP

The developer identified two vulnerabilities in this package. One allows cookies to be disclosed to the wrong sites and lets malicious sites set cookies for others. The other incorrectly allows cookies to be set for Top Level Domains (TLDs). According to Canonical’s security notification, this could allow a malicious site to set a cookie that gets sent to other sites.

The new update for the curl package corrects the security issues that affect releases of Ubuntu and its derivatives. I highly recommend applying the patch by upgrading your system to the latest libcurl3-nss, libcurl3-gnutls, and libcurl3 packages specific to each distribution.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 LTS:
libcurl3-nss 7.35.0-1ubuntu2.1
libcurl3-gnutls 7.35.0-1ubuntu2.1
libcurl3 7.35.0-1ubuntu2.1

Ubuntu 12.04 LTS:
libcurl3-nss 7.22.0-3ubuntu4.10
libcurl3-gnutls 7.22.0-3ubuntu4.10
libcurl3 7.22.0-3ubuntu4.10

Ubuntu 10.04 LTS:
libcurl3-gnutls 7.19.7-1ubuntu1.9
libcurl3 7.19.7-1ubuntu1.9

If you don’t want to complicate your life, you can fix the vulnerabilities with a standard system update. Ubuntu notifies its users when security updates are available. If you missed the security alert, you can run the Update Manager by pressing ‘ALT+F2’ on your keyboard and searching for “update manager”.
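
To confirm that hosts actually reached the fixed versions listed above, the following added example (not part of the original article or of Canonical's notice) checks a package inventory against them using Debian version ordering, the same rules `dpkg --compare-versions` applies. It assumes the inventory is the output of `dpkg-query -W -f='${Package} ${Version}\n'`; the sample inventory and the function names are constructed for illustration.

```python
import re
from itertools import zip_longest

# Fixed versions from the update instructions above, keyed by Ubuntu release.
_PKGS = ("libcurl3-nss", "libcurl3-gnutls", "libcurl3")
FIXED = {
    "14.04": dict.fromkeys(_PKGS, "7.35.0-1ubuntu2.1"),
    "12.04": dict.fromkeys(_PKGS, "7.22.0-3ubuntu4.10"),
    "10.04": dict.fromkeys(_PKGS[1:], "7.19.7-1ubuntu1.9"),
}

def _order(ch):
    """dpkg character weight: '~' < end of string < letters < anything else."""
    if ch in ("~", ""):
        return -1 if ch == "~" else 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """Compare one version component by alternating non-digit and digit runs."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0

def compare_versions(a, b):
    """Return <0, 0 or >0 using Debian ordering: epoch, upstream, revision."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def audit(release, inventory):
    """Map each package older than its fixed version to (installed, fixed)."""
    stale = {}
    for parts in (line.split() for line in inventory.splitlines()):
        fixed = FIXED[release].get(parts[0]) if len(parts) >= 2 else None
        if fixed and compare_versions(parts[1], fixed) < 0:
            stale[parts[0]] = (parts[1], fixed)
    return stale

# Constructed sample inventory for a 12.04 host (versions invented for the demo).
SAMPLE_1204 = "libcurl3 7.22.0-3ubuntu4.9\nlibcurl3-gnutls 7.22.0-3ubuntu4.10\nlibcurl3-nss 7.22.0-3ubuntu4.8\n"

if __name__ == "__main__":
    for pkg, (have, need) in audit("12.04", SAMPLE_1204).items():
        print(f"{pkg}: installed {have}, needs {need}")
```

A plain string comparison would rank `4.9` above `4.10` and report the unpatched 12.04 package as current, which is why the check uses the package manager's ordering rules.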