What is the severity of CVE-2018-16890?

The severity of CVE-2018-16890 is moderate.

Which versions of Ubuntu are affected by CVE-2018-16890?

Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 18.10 are affected.

How can a remote attacker exploit CVE-2018-16890?

A remote attacker could possibly cause curl to crash, resulting in a denial of service.

How can I fix the curl vulnerability in Ubuntu 18.10?

To fix the curl vulnerability in Ubuntu 18.10, update the curl package to version 7.61.0-1ubuntu2.3 or later.

Where can I find more information about CVE-2018-16890?

You can find more information about CVE-2018-16890 on the Ubuntu Security website.

Vulnerability/
USN-3882-1

6/2/2019

USN-3882-1: curl vulnerabilities

First published: Wed Feb 06 2019(Updated: )

Wenxiang Qian discovered that curl incorrectly handled certain NTLM authentication messages. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service. This issue only applied to Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 18.10. (CVE-2018-16890) Wenxiang Qian discovered that curl incorrectly handled certain NTLMv2 authentication messages. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 18.10. (CVE-2019-3822) Brian Carpenter discovered that curl incorrectly handled certain SMTP responses. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service. (CVE-2019-3823)

Affected Software	Affected Version	How to fix
All of
ubuntu/curl	<7.61.0-1ubuntu2.3	7.61.0-1ubuntu2.3
	=18.10
All of
ubuntu/libcurl3-gnutls	<7.61.0-1ubuntu2.3	7.61.0-1ubuntu2.3
	=18.10
All of
ubuntu/libcurl3-nss	<7.61.0-1ubuntu2.3	7.61.0-1ubuntu2.3
	=18.10
All of
ubuntu/libcurl4	<7.61.0-1ubuntu2.3	7.61.0-1ubuntu2.3
	=18.10
All of
ubuntu/curl	<7.58.0-2ubuntu3.6	7.58.0-2ubuntu3.6
	=18.04
All of
ubuntu/libcurl3-gnutls	<7.58.0-2ubuntu3.6	7.58.0-2ubuntu3.6
	=18.04
All of
ubuntu/libcurl3-nss	<7.58.0-2ubuntu3.6	7.58.0-2ubuntu3.6
	=18.04
All of
ubuntu/libcurl4	<7.58.0-2ubuntu3.6	7.58.0-2ubuntu3.6
	=18.04
All of
ubuntu/curl	<7.47.0-1ubuntu2.12	7.47.0-1ubuntu2.12
	=16.04
All of
ubuntu/libcurl3	<7.47.0-1ubuntu2.12	7.47.0-1ubuntu2.12
	=16.04
All of
ubuntu/libcurl3-gnutls	<7.47.0-1ubuntu2.12	7.47.0-1ubuntu2.12
	=16.04
All of
ubuntu/libcurl3-nss	<7.47.0-1ubuntu2.12	7.47.0-1ubuntu2.12
	=16.04
All of
ubuntu/curl	<7.35.0-1ubuntu2.20	7.35.0-1ubuntu2.20
	=14.04
All of
ubuntu/libcurl3	<7.35.0-1ubuntu2.20	7.35.0-1ubuntu2.20
	=14.04
All of
ubuntu/libcurl3-gnutls	<7.35.0-1ubuntu2.20	7.35.0-1ubuntu2.20
	=14.04
All of
ubuntu/libcurl3-nss	<7.35.0-1ubuntu2.20	7.35.0-1ubuntu2.20
	=14.04

Never miss a vulnerability like this again

Reference Links

Child vulnerabilities

(Contains the following vulnerabilities)

Frequently Asked Questions

What is the severity of CVE-2018-16890?
The severity of CVE-2018-16890 is moderate.
Which versions of Ubuntu are affected by CVE-2018-16890?
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 18.10 are affected.
How can a remote attacker exploit CVE-2018-16890?
A remote attacker could possibly cause curl to crash, resulting in a denial of service.
How can I fix the curl vulnerability in Ubuntu 18.10?
To fix the curl vulnerability in Ubuntu 18.10, update the curl package to version 7.61.0-1ubuntu2.3 or later.
Where can I find more information about CVE-2018-16890?
You can find more information about CVE-2018-16890 on the Ubuntu Security website.

agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/severity
agent/softwarecombine
agent/tags
agent/title
agent/type
collector/usn
source/Ubuntu
agent/software-canonical-lookup
package-manager/ubuntu
vendor/ubuntu
canonical/ubuntu ubuntu
version/ubuntu ubuntu/18.10
version/ubuntu ubuntu/18.04
version/ubuntu ubuntu/16.04
version/ubuntu ubuntu/14.04