
Since the new release of curl (https://ubuntu.com/security/notices/USN-6237-1) we experience a problem with the curl command on Ubuntu:

sudo apt update -y && sudo apt install --no-install-recommends -y curl
curl -vvv https://downloads.apache.org/maven/maven-3/3.8.8/binaries/

Error:

*   Trying 88.99.95.219:443...
* Connected to downloads.apache.org (88.99.95.219) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.2 (IN), TLS header, Finished (20):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [25 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4583 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.2 (OUT), TLS header, Finished (20):
} [5 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=*.apache.org
*  start date: Jun 29 00:00:00 2022 GMT
*  expire date: Jul 30 23:59:59 2023 GMT
*  subjectAltName does not match downloads.apache.org
* SSL: no alternative certificate subject name matches target host name 'downloads.apache.org'
* Closing connection 0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.3 (OUT), TLS alert, close notify (256):
} [2 bytes data]
curl: (60) SSL: no alternative certificate subject name matches target host name 'downloads.apache.org'
More details here: https://curl.se/docs/sslcerts.html

How do we fix it? Should we from now on control 3rd-party certs somehow? It worked yesterday. Thanks in advance.


Looks like there was a broken backport for a security fix. It should be fixed in 7.81.0-1ubuntu1.13, which fixes 7.81.0-1ubuntu1.11. From https://launchpad.net/ubuntu/jammy/+source/curl/+changelog:

curl (7.81.0-1ubuntu1.13) jammy-security; urgency=medium

  • SECURITY REGRESSION: broken ssl cert wildcard handling (LP: #2028170)
    • debian/patches/CVE-2023-28321.patch: fix missing line in backport.

 -- Marc Deslauriers <email address hidden>  Wed, 19 Jul 2023 12:23:36 -0400

curl (7.81.0-1ubuntu1.11) jammy-security; urgency=medium

  • SECURITY UPDATE: improper certificate validation vulnerability
    • debian/patches/CVE-2023-28321.patch: fix host name wildcard checking in lib/hostcheck.c, tests/data/test1397, tests/unit/unit1397.c.
    • CVE-2023-28321

Steffen Ullrich
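An added example, not code from the question, the answers, or curl's own lib/hostcheck.c: a Python matcher implementing the strict wildcard rules a fixed curl applies, showing why `*.apache.org` must cover `downloads.apache.org` (the failure in the question) and which patterns a correct matcher refuses. The SAN list is constructed, since the page shows only the certificate's CN.

```python
import ipaddress
from typing import Iterable, Optional


def wildcard_hostname_matches(pattern: str, hostname: str) -> bool:
    """True if the certificate name `pattern` covers `hostname`.

    Conservative rules, as a fixed curl enforces after CVE-2023-28321:
    case-insensitive compare with trailing dots stripped; without '*' the
    names must be identical; '*' is accepted only as the whole leftmost
    label, the pattern must contain at least two dots, the wildcard covers
    exactly one label, never an IDN (xn--) label and never an IP literal.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    try:                               # IP literal as host never matches a wildcard
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or any("*" in lab for lab in plabels[1:]):
        return False                   # "d*.apache.org", "*.*.org" refused
    if len(plabels) < 3:
        return False                   # "*.org" is too broad
    if len(hlabels) != len(plabels):
        return False                   # "*" spans exactly one label
    if not hlabels[0] or hlabels[0].startswith("xn--"):
        return False
    return hlabels[1:] == plabels[1:]


def matching_san(san_dns_names: Iterable[str], hostname: str) -> Optional[str]:
    """Return the first dNSName SAN that covers hostname, else None."""
    for name in san_dns_names:
        if wildcard_hostname_matches(name, hostname):
            return name
    return None


# Constructed sample: SAN list modelled on the page's "CN=*.apache.org" cert
# (the real certificate's SAN entries are not shown on the page).
SAMPLE_SANS = ["*.apache.org", "apache.org"]

if __name__ == "__main__":
    print(matching_san(SAMPLE_SANS, "downloads.apache.org"))   # *.apache.org
    print(matching_san(SAMPLE_SANS, "a.b.apache.org"))         # None
```

A broken backport like the one in 7.81.0-1ubuntu1.11 makes the first call return None, which is exactly the curl (60) error in the question.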

Methods to get to the older version:

Remove it and use apt to install the previous version. Here is the most active topic on AU on this: How to downgrade a package via apt-get? It is also possible to install from source. That might be a better method: you can leave the apt version as is, wait for an update/bug fix and try the new one alongside the source install version.

Check if any of these fixes your issue. If so, file a bug report. If you want to stick to the older apt version, pin the package.

Rinzwind
• Thanks @Rinzwind! We did just that: downgraded the version of curl and the library. That helped. But the bottom line is that this is a crutch. I hope the fix doesn't take too long. – Sergei Varaksin Jul 19 '23 at 17:45
• @Rinzwind: there seems to be a newly introduced bug in the code validating the certificate subject alternative names, while trying to fix a bug there. So using different CA certificates will not help. The bug happens for me too. – Steffen Ullrich Jul 19 '23 at 17:54
• Oh thanks, saves me searching :D (because I am likely to face this at work in a few days too :D) – Rinzwind Jul 19 '23 at 17:58
• Yeah... but it doesn't work for me as of today. Yesterday there was a new release. I'll try to open a bug ticket. – Sergei Varaksin Jul 19 '23 at 18:01
• @SergeiVaraksin: no need, the bug is already known and fixed in the latest update. I'll create an answer. – Steffen Ullrich Jul 19 '23 at 18:03
• @SteffenUllrich Ooo, great! Thanks) Will wait. – Sergei Varaksin Jul 19 '23 at 18:09

This is a confirmed bug: https://bugs.launchpad.net/ubuntu/+source/curl/+bug/2028170

They have already fixed it by reverting the changes, and the new package version will be live soon.