[USN-4898-1] curl vulnerabilities

========================================================================== Ubuntu Security Notice USN-4898-1 March 31, 2021
curl vulnerabilities ==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
– Ubuntu 20.10 – Ubuntu 20.04 LTS – Ubuntu 18.04 LTS – Ubuntu 16.04 LTS
Summary:
curl could be made to expose sensitive information over the network.
Software Description: – curl: HTTP, HTTPS, and FTP client and client libraries
Details:
Viktor Szakats discovered that curl did not strip off user credentials from referrer header fields. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2021-22876)
Mingtao Yang discovered that curl incorrectly handled session tickets when using an HTTPS proxy. A remote attacker in control of an HTTPS proxy could use this issue to bypass certificate checks and intercept communications. This issue only affected Ubuntu 20.04 LTS and Ubuntu 20.10. (CVE-2021-22890)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 20.10: curl 7.68.0-1ubuntu4.3 libcurl3-gnutls 7.68.0-1ubuntu4.3 libcurl3-nss 7.68.0-1ubuntu4.3 libcurl4 7.68.0-1ubuntu4.3
Ubuntu 20.04 LTS: curl 7.68.0-1ubuntu2.5 libcurl3-gnutls 7.68.0-1ubuntu2.5 libcurl3-nss 7.68.0-1ubuntu2.5 libcurl4 7.68.0-1ubuntu2.5
Ubuntu 18.04 LTS: curl 7.58.0-2ubuntu3.13 libcurl3-gnutls 7.58.0-2ubuntu3.13 libcurl3-nss 7.58.0-2ubuntu3.13 libcurl4 7.58.0-2ubuntu3.13
Ubuntu 16.04 LTS: curl 7.47.0-1ubuntu2.19 libcurl3 7.47.0-1ubuntu2.19 libcurl3-gnutls 7.47.0-1ubuntu2.19 libcurl3-nss 7.47.0-1ubuntu2.19
In general, a standard system update will make all the necessary changes.
References: ubuntu.com/security/notices/USN-4898-1 CVE-2021-22876, CVE-2021-22890
Package Information: launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu4.3 launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.5 launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.13 launchpad.net/ubuntu/+source/curl/7.47.0-1ubuntu2.19