This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <4646920e-2123-cc68-44e8-6c1ab3009305@canonical.com>
Subject: [USN-3498-1] curl vulnerabilities




==========================================================================
Ubuntu Security Notice USN-3498-1
November 29, 2017

curl vulnerabilities
==========================================================================



A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in curl.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries



Details:

Alex Nichols discovered that curl incorrectly handled NTLM authentication
credentials. A remote attacker could use this issue to cause curl to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 16.04 LTS, Ubuntu 17.04 and Ubuntu 17.10.
(CVE-2017-8816)

It was discovered that curl incorrectly handled FTP wildcard matching. A
remote attacker could use this issue to cause curl to crash, resulting in a
denial of service, or possibly obtain sensitive information.
(CVE-2017-8817)



Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
  curl                            7.55.1-1ubuntu2.2
  libcurl3                        7.55.1-1ubuntu2.2
  libcurl3-gnutls                 7.55.1-1ubuntu2.2
  libcurl3-nss                    7.55.1-1ubuntu2.2

Ubuntu 17.04:
  curl                            7.52.1-4ubuntu1.4
  libcurl3                        7.52.1-4ubuntu1.4
  libcurl3-gnutls                 7.52.1-4ubuntu1.4
  libcurl3-nss                    7.52.1-4ubuntu1.4

Ubuntu 16.04 LTS:
  curl                            7.47.0-1ubuntu2.5
  libcurl3                        7.47.0-1ubuntu2.5
  libcurl3-gnutls                 7.47.0-1ubuntu2.5
  libcurl3-nss                    7.47.0-1ubuntu2.5

Ubuntu 14.04 LTS:
  curl                            7.35.0-1ubuntu2.13
  libcurl3                        7.35.0-1ubuntu2.13
  libcurl3-gnutls                 7.35.0-1ubuntu2.13
  libcurl3-nss                    7.35.0-1ubuntu2.13

In general, a standard system update will make all the necessary changes.



References:
  https://www.ubuntu.com/usn/usn-3498-1
  CVE-2017-8816, CVE-2017-8817

Package Information:
  https://launchpad.net/ubuntu/+source/curl/7.55.1-1ubuntu2.2
  https://launchpad.net/ubuntu/+source/curl/7.52.1-4ubuntu1.4
  https://launchpad.net/ubuntu/+source/curl/7.47.0-1ubuntu2.5
  https://launchpad.net/ubuntu/+source/curl/7.35.0-1ubuntu2.13








