USN-7162-1

Harry Sintonen discovered that curl incorrectly handled credentials from .netrc files when following HTTP redirects. In certain configurations, the password for the first host could be leaked to the followed-to host, contrary to expectations.

References

Affected packages

Ubuntu:20.04:LTS / curl

Package

Name: curl
Purl: pkg:deb/ubuntu/curl@7.68.0-1ubuntu2.25?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.68.0-1ubuntu2.25

Affected versions

7.*

7.65.3-1ubuntu3

7.65.3-1ubuntu4

7.66.0-1ubuntu1

7.67.0-2ubuntu1

7.68.0-1ubuntu1

7.68.0-1ubuntu2

7.68.0-1ubuntu2.1

7.68.0-1ubuntu2.2

7.68.0-1ubuntu2.4

7.68.0-1ubuntu2.5

7.68.0-1ubuntu2.6

7.68.0-1ubuntu2.7

7.68.0-1ubuntu2.10

7.68.0-1ubuntu2.11

7.68.0-1ubuntu2.12

7.68.0-1ubuntu2.13

7.68.0-1ubuntu2.14

7.68.0-1ubuntu2.15

7.68.0-1ubuntu2.16

7.68.0-1ubuntu2.18

7.68.0-1ubuntu2.19

7.68.0-1ubuntu2.20

7.68.0-1ubuntu2.21

7.68.0-1ubuntu2.22

7.68.0-1ubuntu2.23

7.68.0-1ubuntu2.24

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "7.68.0-1ubuntu2.25",
            "binary_name": "curl"
        },
        {
            "binary_version": "7.68.0-1ubuntu2.25",
            "binary_name": "libcurl3-gnutls"
        },
        {
            "binary_version": "7.68.0-1ubuntu2.25",
            "binary_name": "libcurl3-nss"
        },
        {
            "binary_version": "7.68.0-1ubuntu2.25",
            "binary_name": "libcurl4"
        },
        {
            "binary_version": "7.68.0-1ubuntu2.25",
            "binary_name": "libcurl4-gnutls-dev"
        },
        {
            "binary_version": "7.68.0-1ubuntu2.25",
            "binary_name": "libcurl4-nss-dev"
        },
        {
            "binary_version": "7.68.0-1ubuntu2.25",
            "binary_name": "libcurl4-openssl-dev"
        }
    ],
    "availability": "No subscription required"
}

Database specific

cves_map

{
    "cves": [
        {
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ],
            "id": "CVE-2024-11053"
        }
    ],
    "ecosystem": "Ubuntu:20.04:LTS"
}

Ubuntu:22.04:LTS / curl

Package

Name: curl
Purl: pkg:deb/ubuntu/curl@7.81.0-1ubuntu1.20?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.81.0-1ubuntu1.20

Affected versions

7.*

7.74.0-1.3ubuntu2

7.74.0-1.3ubuntu3

7.80.0-3

7.81.0-1

7.81.0-1ubuntu1.1

7.81.0-1ubuntu1.2

7.81.0-1ubuntu1.3

7.81.0-1ubuntu1.4

7.81.0-1ubuntu1.6

7.81.0-1ubuntu1.7

7.81.0-1ubuntu1.8

7.81.0-1ubuntu1.10

7.81.0-1ubuntu1.11

7.81.0-1ubuntu1.13

7.81.0-1ubuntu1.14

7.81.0-1ubuntu1.15

7.81.0-1ubuntu1.16

7.81.0-1ubuntu1.17

7.81.0-1ubuntu1.18

7.81.0-1ubuntu1.19

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "7.81.0-1ubuntu1.20",
            "binary_name": "curl"
        },
        {
            "binary_version": "7.81.0-1ubuntu1.20",
            "binary_name": "libcurl3-gnutls"
        },
        {
            "binary_version": "7.81.0-1ubuntu1.20",
            "binary_name": "libcurl3-nss"
        },
        {
            "binary_version": "7.81.0-1ubuntu1.20",
            "binary_name": "libcurl4"
        },
        {
            "binary_version": "7.81.0-1ubuntu1.20",
            "binary_name": "libcurl4-gnutls-dev"
        },
        {
            "binary_version": "7.81.0-1ubuntu1.20",
            "binary_name": "libcurl4-nss-dev"
        },
        {
            "binary_version": "7.81.0-1ubuntu1.20",
            "binary_name": "libcurl4-openssl-dev"
        }
    ],
    "availability": "No subscription required"
}

Database specific

cves_map

{
    "cves": [
        {
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ],
            "id": "CVE-2024-11053"
        }
    ],
    "ecosystem": "Ubuntu:22.04:LTS"
}

Ubuntu:24.04:LTS / curl

Package

Name: curl
Purl: pkg:deb/ubuntu/curl@8.5.0-2ubuntu10.6?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.5.0-2ubuntu10.6

Affected versions

8.*

8.2.1-1ubuntu3

8.2.1-1ubuntu3.1

8.4.0-2ubuntu1

8.5.0-2ubuntu1

8.5.0-2ubuntu2

8.5.0-2ubuntu8

8.5.0-2ubuntu9

8.5.0-2ubuntu10

8.5.0-2ubuntu10.1

8.5.0-2ubuntu10.2

8.5.0-2ubuntu10.3

8.5.0-2ubuntu10.4

8.5.0-2ubuntu10.5

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "8.5.0-2ubuntu10.6",
            "binary_name": "curl"
        },
        {
            "binary_version": "8.5.0-2ubuntu10.6",
            "binary_name": "libcurl3t64-gnutls"
        },
        {
            "binary_version": "8.5.0-2ubuntu10.6",
            "binary_name": "libcurl4-gnutls-dev"
        },
        {
            "binary_version": "8.5.0-2ubuntu10.6",
            "binary_name": "libcurl4-openssl-dev"
        },
        {
            "binary_version": "8.5.0-2ubuntu10.6",
            "binary_name": "libcurl4t64"
        }
    ],
    "availability": "No subscription required"
}

Database specific

cves_map

{
    "cves": [
        {
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "low"
                }
            ],
            "id": "CVE-2024-11053"
        }
    ],
    "ecosystem": "Ubuntu:24.04:LTS"
}