-
curl (8.8.0-1) unstable; urgency=medium
* New upstream version 8.8.0
* Refresh patches
* Revert "Temporarily disable LDAP support on 32-bit non-x86"
* d/patches: Drop merged patches
* d/p/docs_makefile...: Upstream patch to fix curl-config regression
* d/libcurl*.symbols: Add new symbol curl_multi_waitfds
-- Samuel Henrique <email address hidden> Wed, 22 May 2024 22:22:28 +0100
-
curl (8.7.1-5) unstable; urgency=high
* d/p/content_encoding_brotli_and_others...patch: New patch to fix an
encoding regression. Thank you to Jeroen Ooms and the curl developers
(Daniel Stenberg and Stefan Eissing) for reporting and pointing out the
fix.
-- Samuel Henrique <email address hidden> Mon, 29 Apr 2024 18:28:54 +0100
-
curl (8.7.1-4) unstable; urgency=medium
* d/p/curl-8_7_1-h2-ngtcp2-write-error-handling.diff: New patch to address
git+http2 issue. Thanks to Stefan Eissing <email address hidden> for
doing the backport.
-- Samuel Henrique <email address hidden> Sat, 27 Apr 2024 18:00:28 +0100
-
curl (8.7.1-3) unstable; urgency=medium
[ Carlos Henrique Lima Melara ]
* d/p/fix-regression-in-curlinfo.patch: add patch from upstream, thanks to
Antonio Terceiro for reporting it (closes: #1069292)
[ Samuel Henrique ]
* d/libcurl3t64-gnutls.lintian-overrides: Drop unused override
-- Samuel Henrique <email address hidden> Fri, 19 Apr 2024 19:06:23 +0100
-
curl (8.7.1-2) unstable; urgency=medium
[ Carlos Henrique Lima Melara ]
* d/rules: fix sed substitution regex for curl-config
* d/rules: make a call to dpkg-buildflags in curl-config to get CFLAGS
(Closes: #1057138)
* d/control: suggests dpkg-dev for -dev packages so we get dpkg goodies
* d/libcurl4-doc.docs: list each markdown file to be installed
* d/make-manpages-reproducible.patch: import from upstream
* d/p/fix-regression-on-chunked-post.patch: add new patch from upstream
[ Sergio Durigan Junior ]
* d/p/openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch:
(Closes: #1053643)
[ Samuel Henrique ]
* d/rules: Run tests in parallel
* d/p/test1901...: New patch to confirm regression fix
-- Samuel Henrique <email address hidden> Wed, 03 Apr 2024 18:59:41 +0100
-
curl (8.7.1-1) unstable; urgency=medium
* New upstream version 8.7.1
- Fix CVE-2024-2004: Usage of disabled protocol
- Fix CVE-2024-2398: HTTP/2 push headers memory-leak
* d/patches: Drop patches present on this release
-- Samuel Henrique <email address hidden> Wed, 27 Mar 2024 19:02:14 +0000
-
curl (8.6.0-4) unstable; urgency=medium
[ Carlos Henrique Lima Melara ]
* d/libcurl*.links: use substitution variables instead of executable files
[ Simon McVittie ]
* d/control: Add a build-profile that disables LDAP support
(closes: #1066981)
* Temporarily disable LDAP support on 32-bit non-x86 (closes: #1066982)
* Temporarily disable build-time tests on 32-bit non-x86
-- Samuel Henrique <email address hidden> Sat, 16 Mar 2024 17:17:57 +0000
-
curl (8.6.0-3.2) unstable; urgency=medium
* Non-maintainer upload.
* Fix wrong X-Time64-Compat for libcurl4t64. Closes: #1065315.
-- Steve Langasek <email address hidden> Sat, 02 Mar 2024 18:43:58 +0000
-
curl (8.6.0-3.1) unstable; urgency=medium
* Non-maintainer upload.
* Rename libraries for 64-bit time_t transition. Closes: #1061992
-- Steve Langasek <email address hidden> Sat, 02 Mar 2024 07:11:53 +0000
-
curl (8.6.0-3) unstable; urgency=medium
* d/p/vtls_revert_receive_max_buffer_add_test_case.patch: New patch to fix
tls regression (closes: #1063462)
-- Samuel Henrique <email address hidden> Mon, 19 Feb 2024 22:16:17 +0000
-
curl (8.6.0-2) unstable; urgency=medium
* d/p/sendf_ignore_response_body_to_head.patch: New upstream patch to fix a
compat issue (closes: #1063342)
* d/control: Switch from pkg-config to pkgconf
-- Samuel Henrique <email address hidden> Tue, 06 Feb 2024 20:52:46 +0000
-
curl (8.6.0-1) unstable; urgency=medium
[ Samuel Henrique ]
* New upstream version 8.6.0
- Fix CVE-2024-0853: OCSP verification bypass with TLS session reuse
* Drop upstream patches from 8.6.0
* Update approach for installing manpages
* d/copyright: Update copyright
[ Carlos Henrique Lima Melara ]
* d/control: exclude dependency on gnutls-bin for tests on ppc64el
(Closes: #1059952)
-- Samuel Henrique <email address hidden> Wed, 31 Jan 2024 21:51:05 +0000
-
curl (8.5.0-2) unstable; urgency=medium
* d/p/openldap_fix_an_LDAP_crash.patch: New patch to fix ldap segfault
(closes: #1057855)
-- Samuel Henrique <email address hidden> Fri, 29 Dec 2023 15:34:11 -0300
-
curl (8.5.0-1) unstable; urgency=medium
[ Samuel Henrique ]
* New upstream version 8.5.0
- Fix CVE-2023-46218: cookie mixed case PSL bypass (closes: #1057646)
- Fix CVE-2023-46219: HSTS long file name clears contents (closes: #1057645)
* d/rules: Use pkg-info.mk instead of dpkg-parsechangelog for DEB_VERSION
* d/p/90_gnutls.patch: Update patch
* d/p/dist_add_tests_errorcodes_pl_to_the_tarball.patch: Upstream patch to
fix tests
* d/p/add_errorcodes_upstream_file.patch: Include missing file from upstream
tarball
[ Carlos Henrique Lima Melara ]
* d/control: change Maintainer field to curl packaging team
* d/README.Debian: add readme to explain curl's team creation
* d/control: add myself to Uploaders
-- Samuel Henrique <email address hidden> Wed, 06 Dec 2023 20:15:49 +0000
-
curl (8.4.0-2) unstable; urgency=medium
* d/rules: set CURL_PATCHSTAMP to package's version, so it shows up in
"--version" output
-- Samuel Henrique <email address hidden> Sat, 14 Oct 2023 12:19:21 +0100
-
curl (8.4.0-1) unstable; urgency=medium
* New upstream version 8.4.0
* d/libcurl*.symbols: New symbol curl_multi_get_handles
* d/patches:
- Remove patches from 8.4.0 release
- 90_gnutls.patch: Update patch
-- Samuel Henrique <email address hidden> Fri, 13 Oct 2023 00:53:16 +0100
-
curl (8.3.0-3) unstable; urgency=high
* Add patches to fix CVE-2023-38545 and CVE-2023-38546
-- Samuel Henrique <email address hidden> Thu, 05 Oct 2023 22:26:40 +0100
-
curl (8.3.0-2) unstable; urgency=medium
* d/rules: Add test 3102 to TESTS_FAILS_ON_IPV6_ONLY_MACHINES
* d/patches: Import two upstream patches to try to fix FTBFS on armel/armhf
- test650_fix_an_end_tag_typo.patch
- tests_increase_the_default_server_logs_lock_timeout.patch
* d/p/lib_use_wrapper_for_curl_mime_data_fseek_callback.patch: New patch to
fix armel/armhf FTBFS
-- Samuel Henrique <email address hidden> Sun, 01 Oct 2023 15:01:42 +0100
-
curl (8.3.0-1) unstable; urgency=medium
* New upstream version 8.3.0
- Fix CVE-2023-38039: HTTP headers eat all memory
* debian/: Remove files used for the nss packaging
* d/patches:
- Refresh patches
- gen_pl_escape_all_dashes.patch: Drop merged patch
- 90_gnutls.patch: Update patch
* d/libcurl*.symbols: New symbol curl_global_trace
-- Samuel Henrique <email address hidden> Thu, 14 Sep 2023 16:13:10 +0530
-
curl (8.2.1-2) unstable; urgency=medium
[ Andreas Hasenack ]
* Move ldap-test to a script and add retry logic
[ Samuel Henrique ]
* Build without nss, dropped by upstream in the next release
* d/p/gen_pl_escape_all_dashes.patch: New patch to fix manpage generation
(closes: #1043309, #1043339)
-- Samuel Henrique <email address hidden> Fri, 25 Aug 2023 20:05:02 +0100
-
curl (8.2.1-1) unstable; urgency=medium
[ Samuel Henrique ]
* New upstream version 8.2.1
[ Sergio Durigan Junior ]
* d/p/{90_gnutls,99_nss}.patch:
Update GNUTls/NSS patches to unbreak tests/http/clients
* Drop unnecessary patches.
d/p/CVE-2023-27533.patch
d/p/CVE-2023-27534.patch
d/p/CVE-2023-27535.patch
d/p/CVE-2023-27536.patch
d/p/CVE-2023-27537.patch
d/p/CVE-2023-27538.patch
d/p/CVE-2023-28319.patch
d/p/CVE-2023-28320-1.patch
d/p/CVE-2023-28320.patch
d/p/CVE-2023-28321.patch
d/p/CVE-2023-28322.patch
d/p/CVE-2023-32001.patch
d/p/Use-OpenLDAP-specific-functionality.patch
d/p/fix-unix-domain-socket.patch
-- Sergio Durigan Junior <email address hidden> Thu, 03 Aug 2023 20:00:01 -0400
-
curl (7.88.1-11) unstable; urgency=medium
[ Carlos Henrique Lima Melara ]
* Fix CVE-2023-32001: TOCTOU race condition in Curl_fopen():
- Done by d/p/CVE-2023-32001.patch (Closes: #1041812).
[ John Scott ]
* LDAP backend: correct the usage of OpenLDAP-specific functionality being
disabled with an upstream patch (Closes: #1041964)
This corrects the improper fetching of binary attributes.
* debian/tests: add a DEP-8 test that getting binary LDAP attributes works now
-- Samuel Henrique <email address hidden> Fri, 28 Jul 2023 21:11:25 +0100
-
curl (7.88.1-10) unstable; urgency=medium
* Add new patches to fix CVEs (closes: #1036239):
- CVE-2023-28319: UAF in SSH sha256 fingerprint check
- CVE-2023-28320: siglongjmp race condition
- CVE-2023-28321: IDN wildcard match
- CVE-2023-28322: more POST-after-PUT confusion
* d/libcurl*.symbols: Drop curl_jmpenv, not built anymore due to
CVE-2023-28320
-- Samuel Henrique <email address hidden> Thu, 18 May 2023 23:43:40 +0100
-
curl (7.88.1-9) unstable; urgency=medium
[ Sergio Durigan Junior ]
* d/p/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch:
Don't prepend "nss" when opening libnssckbi.so. (Closes: #1034359)
[ Samuel Henrique ]
* Update list of tests that fail on IPv6-only envs and don't skip them on
autopkgtest
* d/p/fix-unix-domain-socket.patch: Import upstream patch to fix --unix
(closes: #1033963)
-- Samuel Henrique <email address hidden> Sat, 15 Apr 2023 20:03:44 +0100
-
curl (7.88.1-8) unstable; urgency=medium
[ Samuel Henrique ]
* d/gbp.conf: Push gbp conf with sane defaults
* d/salsa-ci.yml: Disable dh_auto_test with DEB_BUILD_OPTIONS
* d/rules: Add new build profiles to limit builds to a single TLS backend
* d/tests: Add new autopkgtests that runs curl's test suite
[ Sergio Durigan Junior ]
* d/rules: Remove -D_DEB_HOST_ARCH from curl-config's CFLAGS.
-- Samuel Henrique <email address hidden> Sun, 26 Mar 2023 11:36:24 +0100
-
curl (7.88.1-7) unstable; urgency=medium
* Bump Standards-Version to 4.6.2
* d/p/06_always-disable-valgrind.patch: Remove unused patch
* d/patches: Refresh all patches
* Import 5 new upstream patches fixing CVES:
- CVE-2023-27533: TELNET option IAC injection
- CVE-2023-27534: SFTP path ~ resolving discrepancy
- CVE-2023-27535: FTP too eager connection reuse
- CVE-2023-27536: GSS delegation too eager connection re-use
- CVE-2023-27537: HSTS double-free
- CVE-2023-27538: SSH connection too eager reuse still
-- Samuel Henrique <email address hidden> Tue, 21 Mar 2023 22:39:05 +0000
-
curl (7.88.1-6) unstable; urgency=medium
* d/rules: Ignore test results from tests that fail on IPv6-only builders
(closes: #1032343)
* d/control: Don't install gnutls-bin for tests on ppc64el (tests hangs
forever)
-- Samuel Henrique <email address hidden> Wed, 08 Mar 2023 20:57:09 +0000
-
curl (7.88.1-5) unstable; urgency=medium
* Fix stringification of _DEB_HOST_ARCH macro.
- d/p/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch:
Use _DEB_HOST_ARCH directly.
- d/rules: Quote _DEB_HOST_ARCH when passing it with -D.
-- Sergio Durigan Junior <email address hidden> Mon, 06 Mar 2023 10:22:32 -0500
-
curl (7.88.1-4) unstable; urgency=medium
* d/p/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch:
Prepend "/nss/" before the library name.
-- Sergio Durigan Junior <email address hidden> Sun, 05 Mar 2023 18:38:13 -0500
-
curl (7.88.1-2) unstable; urgency=medium
* Multiple test improvements, which will increase the reliability of the
package, especially when backporting fixes on stable and oldstable:
- Test results are now critical to the build process, if a test fails,
the build will fail.
- Add two new test build-dependencies to increase coverage: locales-all
and gnutls-bin.
- Only run non-flaky tests.
- Print logs of failed tests.
- Run all tests even if there was a failure.
- Ignore results of known failing tests (for Debian).
- Disable valgrind through a test parameter instead of patching
upstream source code.
-- Samuel Henrique <email address hidden> Fri, 03 Mar 2023 08:28:19 +0000
-
curl (7.88.1-1) unstable; urgency=medium
* New upstream version 7.88.1
- Fix the following CVEs (closes: #1031371)
~ CVE-2023-23916: HTTP multi-header compression denial of service
~ CVE-2023-23915: HSTS amnesia with --parallel
~ CVE-2023-23914: HSTS ignored on multiple requests
- Fix curl_multi_socket_action regression (closes: #1029231)
* d/patches: Drop backported patch added to fix regression in setopt/getinfo
* d/copyright: Drop removed file from copyright
* d/control: Update BD to drop transitional package libidn11-dev
-- Samuel Henrique <email address hidden> Mon, 20 Feb 2023 22:35:53 +0000
-
curl (7.87.0-2) unstable; urgency=medium
* d/patches: Add new upstream patch to fix regression in setopt/getinfo
(closes: #1027564)
* d/p/build-Divide-mit-krb5...patch: Refresh patch
-- Samuel Henrique <email address hidden> Sun, 15 Jan 2023 21:12:09 +0000
-
curl (7.87.0-1) unstable; urgency=medium
* New upstream version 7.87.0
* d/patches:
- Update patches
- Drop all backported patches that are applied in the new release
* d/copyright: Remove missing file
* d/*.lintian-overrides: Remove unused overrides
[ Simon McVittie ]
* Make -dev packages 'Multi-Arch: same' back again (closes: #1024668)
-- Samuel Henrique <email address hidden> Fri, 23 Dec 2022 20:36:01 +0000
-
curl (7.86.0-3) unstable; urgency=medium
* Fix two HSTS-related CVEs.
- d/p/CVE-2022-43551-another-hsts-bypass-via-idn.patch: use the IDN
decoded name in HSTS checks.
(Closes: #1026829, CVE-2022-43551)
- d/p/CVE-2022-43552-http-proxy-deny-use-after-free.patch: do not free
smb's/telnet's protocol struct in *_done().
(Closes: #1026830, CVE-2022-43552)
-- Sergio Durigan Junior <email address hidden> Wed, 21 Dec 2022 15:55:18 -0500
-
curl (7.86.0-2) unstable; urgency=medium
[ Debian Janitor ]
* Apply multi-arch hints. + libcurl4-gnutls-dev, libcurl4-nss-dev,
libcurl4-openssl-dev: Drop Multi-Arch: same.
[ Samuel Henrique ]
* d/patches: Backport three upstream patches to fix noproxy option.
-- Samuel Henrique <email address hidden> Tue, 15 Nov 2022 21:04:55 +0000
-
curl (7.86.0-1) unstable; urgency=medium
* New upstream version 7.86.0
- Fix HSTS bypass via IDN:
curl's HSTS check could be bypassed to trick it to keep using HTTP.
(closes: CVE-2022-42916)
- Fix HTTP proxy double-free (closes: CVE-2022-42915)
- Fix .netrc parser out-of-bounds access (closes: CVE-2022-35260)
- Fix POST following PUT confusion (closes: CVE-2022-32221)
-- Samuel Henrique <email address hidden> Thu, 27 Oct 2022 20:38:24 +0100
-
curl (7.85.0-1) unstable; urgency=medium
* New upstream version 7.85.0
- Fix control code in cookie denial of service:
When curl retrieves and parses cookies from an HTTP(S) server, it
accepts cookies using control codes (byte values below 32). When cookies
that contain such control codes are later sent back to an HTTP(S) server,
it might make the server return a 400 response. Effectively allowing a
"sister site" to deny service to siblings
(closes: #1018831, CVE-2022-35252)
- Fix FTBFS on riscv64 with gcc-12 (closes: #1015835)
* Bump Standards-Version to 4.6.1
* Add lintian overrides for old-style-config-script-multiarch-path triggered
for curl-config
* d/patches:
- 11_omit-directories-from-config.patch: Update patch
- 20_ftbfs_import_sched.patch: Drop patch, applied upstream
* d/rules: Fix configure args, remove bogus '--without-ssl'
* d/copyright: Update the whole file
* d/(control|watch): Update upstream's URL
-- Samuel Henrique <email address hidden> Fri, 02 Sep 2022 13:00:10 +0100
-
curl (7.84.0-2) unstable; urgency=medium
* d/p/20_ftbfs_import_sched.patch: New upstream patch to fix FTBFS
(closes: #1014596)
-- Samuel Henrique <email address hidden> Mon, 11 Jul 2022 22:50:01 +0100
-
curl (7.84.0-1) unstable; urgency=medium
* New upstream version 7.84.0
-- Samuel Henrique <email address hidden> Mon, 27 Jun 2022 22:06:25 +0100
-
curl (7.83.1-2) unstable; urgency=medium
* d/p/fix_multiline_header_regression.patch: New upstream patch to fix
regression (closes: #1012263, #1011696)
-- Samuel Henrique <email address hidden> Tue, 14 Jun 2022 18:05:23 +0100
-
curl (7.83.1-1) unstable; urgency=medium
* New upstream version 7.83.1
- Fix the following CVEs:
~ HSTS bypass via trailing dot (CVE-2022-30115)
~ TLS and SSH connection too eager reuse (CVE-2022-27782)
~ CERTINFO never-ending busy-loop (CVE-2022-27781)
~ percent-encoded path separator in URL host (CVE-2022-27780)
~ cookie for trailing dot TLD (CVE-2022-27779)
~ curl removes wrong file on error (CVE-2022-27778)
-- Samuel Henrique <email address hidden> Wed, 11 May 2022 17:46:48 +0100
-
curl (7.83.0-1) unstable; urgency=medium
* New upstream version 7.83.0
- Fix auth/cookie leak on redirect (closes: #1010252, CVE-2022-27776)
- Fix bad local IPv6 connection reuse (closes: #1010253, CVE-2022-27775)
- Fix credential leak on redirect (closes: #1010254, CVE-2022-27774)
- Fix OAUTH2 bearer bypass in connection re-use
(closes: #1010295, CVE-2022-22576)
* d/libcurl*.symbols: update symbols files to add curl_easy_header and
curl_easy_nextheader
* d/patches:
- Refresh patches
- 12_fix_openssl_cm_check.patch: remove patch, applied upstream
-- Samuel Henrique <email address hidden> Thu, 28 Apr 2022 18:53:32 +0100
-
curl (7.82.0-2) unstable; urgency=medium
* d/p/12_fix_openssl_cm_check.patch: New upstream patch to fix openssl CN
check (closes: #1007739, #1007740)
* d/control:
- Set libcurl4-doc as Multi-Arch: foreign
- Remove ancient version requirements for dependencies
* d/salsa-ci.yml: Disable reprotest until it acknowledges
SALSA_CI_DPKG_BUILDPACKAGE_ARGS
-- Samuel Henrique <email address hidden> Sat, 19 Mar 2022 13:55:00 +0000
-
curl (7.82.0-1) unstable; urgency=medium
* New upstream version 7.82.0
* d/salsa-ci.yml: Add CI definition customized to skip tests (nocheck), to
avoid long build times
* Update and refresh patches: 13_fix-man-formatting.patch has been merged
upstream
* d/rules:
- Add --with-nss-deprecated, required to build with nss now
(upstream will drop support in August)
- Look for nocheck build profile in DEB_BUILD_PROFILES instead of
DEB_BUILD_OPTIONS (wider coverage)
-- Samuel Henrique <email address hidden> Sat, 05 Mar 2022 13:40:14 +0000
-
curl (7.81.0-1) unstable; urgency=medium
* New upstream version 7.81.0
* d/p/13_fix-man-formatting.patch: Refresh patch
-- Samuel Henrique <email address hidden> Wed, 05 Jan 2022 09:31:32 -0300
-
curl (7.80.0-3) unstable; urgency=medium
* Revert "Revert "debian/control: Add Build-Depends on libssh-dev for
Ubuntu".
As per #1002598, the blocker has been solved.
Note that this does not changes Debian's curl to libssh, it still
uses libssh2.
Discussions about changing to libssh are ongoing at #897950
-- Samuel Henrique <email address hidden> Sun, 26 Dec 2021 13:22:18 -0300
-
curl (7.80.0-2) unstable; urgency=medium
* Revert "debian/control: Add Build-Depends on libssh-dev for Ubuntu"
(closes: #1002597)
The change had side effects on Debian due to the inclusion of the new
Build-dep, even though it doesn't changes the resulting binary. It cause
issues for architecture bootstraping.
We are gonna reintroduce this change once the issues are fixed, to allow
Ubuntu to remove its delta.
See discussions at #1002598 and #1002597 for details
-- Samuel Henrique <email address hidden> Sat, 25 Dec 2021 10:47:13 -0300
-
curl (7.80.0-1) unstable; urgency=medium
[ Samuel Henrique ]
* New upstream version 7.80.0
* Bump Standards-Version to 4.6.0
* Add new symbol curl_url_strerror to symbols files
* Compile with zstd support (closes: #983660)
* d/p/12_use-python3-in-tests.patch: Drop patch, merged upstream
* d/p/13_fix-man-formatting.patch: Update patch
* d/p/14_fix-compatibility-impacket-0-9-23.patch: Drop patch, merged upstream
[ Jeremy Bicha ]
* debian/control: Add Build-Depends on libssh-dev for Ubuntu
-- Samuel Henrique <email address hidden> Fri, 24 Dec 2021 11:42:57 -0300
-
curl (7.79.1-2) unstable; urgency=medium
* d/rules: Make test failures non-fatal again.
Unfortunately there are some test failures happening on a few
architectures, so we have to make the build pass even if not all tests
are succeeding, at least until we have time to properly investigate
the reason for these failures.
-- Sergio Durigan Junior <email address hidden> Mon, 08 Nov 2021 23:54:35 -0500
-
curl (7.79.1-1) unstable; urgency=medium
[ Samuel Henrique ]
* Add myself as an Uploader
* Add sergiodj as an uploader
* New upstream version 7.79.1 (closes: #989046)
- Changes since 7.74.0:
~ vtls: fix connection reuse checks for issuer cert and case sensitivity
(closes: #991492, CVE-2021-22924)
~ Fix User-Agent header missing in some cases (closes: #994940)
~ Fix TELNET stack contents disclosure (closes: #989228, CVE-2021-22898)
* d/rules: Add --with-{openssl|gnutls|nss} to configure args
* Update all patches.
Remove patches:
- 07_do-not-disable-debug-symbols: Obsolete as per
https://github.com/curl/curl/issues/7216.
- 14_transfer-strip-credentials-from-the-auto-referer-hea:
Originally from upstream, part of the release now.
- 15_vtls-add-isproxy-argument-to-Curl_ssl_get-addsession:
Originally from upstream, part of the release now.
- fix-regression-microseconds-instead-of-seconds:
Originally from upstream, part of the release now.
Update patches:
- 12_use-python3-in-tests: Update and forward upstream.
- 90_gnutls: Update
- 99_nss: Update
- 13_fix-man-formatting: Update
[ Debian Janitor ]
* Use secure URI in Homepage field.
* Set debhelper-compat version in Build-Depends.
* Set upstream metadata fields: Bug-Database,
Bug-Submit (from ./configure), Repository, Repository-Browse.
* Avoid explicitly specifying -Wl,--as-needed linker flag.
[ Helmut Grohne ]
* Also remove -ffile-prefix-map from curl-config (closes: #990128)
* Explicitly disable zstd support (closes: #992505)
[ Sergio Durigan Junior ]
* d/control: Add Rules-Requires-Root: no.
* d/copyright: Add public-domain license text.
* Enable GPG-checking of orig tarball.
- d/upstream/signing-key.asc: Upstream public key.
- d/watch: Add "pgpmode=auto" as an option.
* Bump debhelper-compat to 13.
- d/control: B-D on debhelper-compat = 13.
- d/rules: After the override_dh_auto_install target has been run,
we know that we can safely get rid of the contents inside the
debian/tmp/ directory. This is needed because otherwise dh_missing
will complain about uninstalled files, which will make the build
fail when using debhelper-compat 13.
* d/rules: Some minor cleanup and removal of unneeded comments.
* d/rules: Honour "nocheck" build option.
* Make OpenSSL and GNUTLS builds fail if tests fail
- d/rules: Adjust rule to make OpenSSL and GNUTLS builds fail if their
tests fail. Unfortunately, it's still not possible to make the NSS
build fail if its tests fail; we're still investigating the failures
there with it.
- d/p/14_fix-compatibility-impacket-0-9-23.patch: Needed patch
to make tests pass with impacket 0.9.23+.
-- Samuel Henrique <email address hidden> Mon, 08 Nov 2021 21:14:47 +0000
-
curl (7.74.0-1.3) unstable; urgency=medium
* Non-maintainer upload.
* Add upstream patch bc7ecc7 so curl -w times shown as seconds with
fractions (Closes: #989064)
-- Paul Gevers <email address hidden> Fri, 25 Jun 2021 20:59:54 +0200
-
curl (7.74.0-1.2) unstable; urgency=medium
* Non-maintainer upload.
* transfer: strip credentials from the auto-referer header field
(CVE-2021-22876) (Closes: #986269)
* vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
(CVE-2021-22890) (Closes: #986270)
-- Salvatore Bonaccorso <email address hidden> Sat, 03 Apr 2021 14:43:39 +0200
-
curl (7.74.0-1.1) unstable; urgency=medium
* Non-maintainer upload.
[ Bruno Kleinert ]
* Fixed "Please build-depend on libidn2-dev instead of obsolete transition
package libidn2-0-dev" (Closes: #974996)
-- Samuel Henrique <email address hidden> Wed, 10 Feb 2021 00:42:40 +0000
-
curl (7.74.0-1) unstable; urgency=medium
* New upstream release
+ Fix inferior OCSP verification as per CVE-2020-8286 (Closes: #977161)
https://curl.se/docs/CVE-2020-8286.html
+ Fix FTP wildcard stack overflow as per CVE-2020-8285 (Closes: #977162)
https://curl.se/docs/CVE-2020-8285.html
+ Fix trusting FTP PASV responses as per CVE-2020-8284 (Closes: #977163)
https://curl.se/docs/CVE-2020-8284.html
* Update debian/watch to new upstream download page layout
* Update 12_use-python3-in-tests.patch due to renamed file
* Refresh patches
* Fix cross-build due to python build dependencies.
Thanks to Helmut Grohne for the patch (Closes: #969004)
* Fix formatting in some man pages.
Thanks to Bjarni Ingi Gislason for the patch (Closes: #963559)
* Update list of documentation files to install
* Update symbols
* Bump Standards-Version to 4.5.1 (no changes needed)
* Drop removed file from d/copyright
-- Alessandro Ghedini <email address hidden> Thu, 31 Dec 2020 15:22:05 +0100
-
curl (7.72.0-1) unstable; urgency=medium
* New upstream release
+ Fix partial password leak over DNS on HTTP redirect as per CVE-2020-8169
(Closes: #965280)
https://curl.haxx.se/docs/CVE-2020-8169.html
+ Fix local file overwrite with -J option as per CVE-2020-8177
(Closes: #965281)
https://curl.haxx.se/docs/CVE-2020-8177.html
+ Fix wrong connect-only connection as per CVE-2020-8231 (Closes: #968831)
https://curl.haxx.se/docs/CVE-2020-8231.html
* Refresh patches
* Do not install *.la files.
Thanks to Pino Toscano for the patch. (Closes: #955785)
* Update list of doc files
* Update copyright for polarssl -> mbedtls rename
* Use python3 executable in tests
-- Alessandro Ghedini <email address hidden> Mon, 24 Aug 2020 10:26:12 +0200
-
curl (7.68.0-1) unstable; urgency=medium
* New upstream release
* Bump Standards-Version to 4.5.0 (no changes needed)
* Update symbols files
* Configure default CA file with OpenSSL again (Closes: #948441)
-- Alessandro Ghedini <email address hidden> Sat, 22 Feb 2020 14:37:19 +0000
-
curl (7.67.0-2) unstable; urgency=medium
* Restore :native annotation for python3 Build-Depends.
Thanks to Helmut Grohne for the patch (Closes: #945928)
-- Alessandro Ghedini <email address hidden> Sun, 01 Dec 2019 13:29:28 +0000
-
curl (7.67.0-1) unstable; urgency=medium
* New upstream release
* Replace python with python3 in Build-Depends (Closes: #942984)
* Bump Standards-Version to 4.4.1 (no changes needed)
-- Alessandro Ghedini <email address hidden> Sat, 30 Nov 2019 12:45:07 +0000
-
curl (7.66.0-1) unstable; urgency=medium
* New upstream release (Closes: #940024)
+ Fix FTP-KRB double-free as per CVE-2019-5481 (Closes: #940009)
https://curl.haxx.se/docs/CVE-2019-5481.html
+ Fix TFTP small blocksize heap buffer overflow as per CVE-2019-5482
(Closes: #940010)
https://curl.haxx.se/docs/CVE-2019-5482.html
* Refresh patches
* Enable brotli support (Closes: #940129)
* Update *.symbols files
-- Alessandro Ghedini <email address hidden> Sun, 15 Sep 2019 15:47:05 +0100
-
curl (7.65.3-1) unstable; urgency=medium
* New upstream release
* Drop 12_fix-man-errors.patch (merged upstream)
* Remove Ian Jackson from Uploaders as he has never done an upload
-- Alessandro Ghedini <email address hidden> Fri, 09 Aug 2019 19:45:02 +0100
-
curl (7.65.1-1) unstable; urgency=medium
* New upstream release
+ Reduce verbose output (Closes: #926148)
+ Fix parsing URLs with link local addresses (Closes: #926812)
* Drop patches merged upstream
* Refresh patches
* Bump STandards-Version to 4.4.0 (no changes needed)
* Update entry in copyright for renamed files
* Fix some man errors.
Thanks to Bjarni Ingi Gislason for the patch (Closes: #926352)
* Add Build-Depends-Package field to symbols files
-- Alessandro Ghedini <email address hidden> Sat, 13 Jul 2019 12:37:09 +0100
-
curl (7.64.0-4) unstable; urgency=medium
* Fix TFTP receive buffer overflow as per CVE-2019-5436 (Closes: #929351)
https://curl.haxx.se/docs/CVE-2019-5436.html
* Fix integer overflow in curl_url_set() as per CVE-2019-5435 (Closes: #929352)
https://curl.haxx.se/docs/CVE-2019-5435.html
-- Alessandro Ghedini <email address hidden> Fri, 14 Jun 2019 19:23:32 +0100
-
curl (7.64.0-3) unstable; urgency=medium
* Fix potential crash in HTTP/2 code and busy loop at the end of connections
(Closes: #927471)
-- Alessandro Ghedini <email address hidden> Sat, 04 May 2019 12:51:06 +0100
-
curl (7.64.0-2) unstable; urgency=medium
* Fix infinite loop when fetching URLs with unreachable IPv6 (Closes: #922554)
-- Alessandro Ghedini <email address hidden> Thu, 07 Mar 2019 20:02:35 +0000
-
curl (7.64.0-1) unstable; urgency=medium
* New upstream release
+ Fix NTLM type-2 out-of-bounds buffer read as per CVE-2018-16890
https://curl.haxx.se/docs/CVE-2018-16890.html
+ Fix NTLMv2 type-3 header stack buffer overflow as per CVE-2019-3822
https://curl.haxx.se/docs/CVE-2019-3822.html
+ Fix SMTP end-of-response out-of-bounds read as per CVE-2019-3823
https://curl.haxx.se/docs/CVE-2019-3823.html
+ Fix HTTP negotiation with POST requests (Closes: #920267)
-- Alessandro Ghedini <email address hidden> Wed, 06 Feb 2019 22:33:05 +0000
-
curl (7.63.0-1) unstable; urgency=medium
* New upstream release
+ Fix IPv6 numeral address parser (Closes: #915520)
+ Fix timeout handling (Closes: #914793)
+ Fix HTTP auth to include query in URI (Closes: #913214)
* Drop 12_fix-runtests-curl.patch (merged upstream)
* Update symbols
* Update copyright for removed files
* Bump debhlper compat level to 12
* Bump Standards-Version to 4.3.0 (no changes needed)
-- Alessandro Ghedini <email address hidden> Tue, 15 Jan 2019 20:47:40 +0000
-
curl (7.62.0-1) unstable; urgency=medium
* New upstream release
+ Fix NTLM password overflow via integer overflow as per CVE-2018-14618
(Closes: #908327) https://curl.haxx.se/docs/CVE-2018-14618.html
+ Fix SASL password overflow via integer overflow as per CVE-2018-16839
https://curl.haxx.se/docs/CVE-2018-16839.html
+ Fix use-after-free in handle close as per CVE-2018-16840
https://curl.haxx.se/docs/CVE-2018-16840.html
+ Fix warning message out-of-buffer read as per CVE-2018-16842
https://curl.haxx.se/docs/CVE-2018-16842.html
+ Fix broken terminal output (closes: #911333)
* Refresh patches
* Add 12_fix-runtests-curl.patch to fix running curl in tests
-- Alessandro Ghedini <email address hidden> Wed, 31 Oct 2018 22:42:44 +0000
-
curl (7.61.0-1) unstable; urgency=medium
* New upstream release
+ Fix SMTP send heap buffer overflow as per CVE-2018-0500 (Closes: #903546)
https://curl.haxx.se/docs/adv_2018-70a2.html
+ Fix some crashes related to HTTP/2 (Closes: #902628)
* Disable libssh2 on Ubuntu.
Thanks to Gianfranco Costamagna for the patch (Closes: #888449)
* Bump Standards-Version to 4.2.0 (no changes needed)
* Don't configure default CA bundle with OpenSSL and GnuTLS (Closes: #883174)
-- Alessandro Ghedini <email address hidden> Sat, 11 Aug 2018 13:32:28 +0100
-
curl (7.60.0-2) unstable; urgency=medium
[ Steve Langasek ]
* Build-depend on libssl-dev instead of libssl1.0-dev.
* Rename libcurl3 to libcurl4, because libcurl exposes an SSL_CTX via
CURLOPT_SSL_CTX_FUNCTION, and this object changes incompatibly between
openssl 1.0 and openssl 1.1.
* debian/patches/03_keep_symbols_compat.patch: drop, since we are no longer
claiming compatibility.
* debian/patches/90_gnutls.patch: Retain symbol versioning compatibility for
non-OpenSSL builds. Closes: #858398.
* Adjust libssl1.1 vs libssl1.0 Suggests/Conflicts; thanks, Adrian Bunk
-- Alessandro Ghedini <email address hidden> Wed, 23 May 2018 20:25:39 +0100
-
curl (7.60.0-1) unstable; urgency=medium
* New upstream release (Closes: #891997, #893546, #898856)
+ Fix use of IPv6 literals with NO_PROXY
+ Fix NIL byte out of bounds write due to FTP path trickery
as per CVE-2018-1000120
https://curl.haxx.se/docs/adv_2018-9cd6.html
+ Fix LDAP NULL pointer dereference as per CVE-2018-1000121
https://curl.haxx.se/docs/adv_2018-97a2.html
+ Fix RTSP RTP buffer over-read as per CVE-2018-1000122
https://curl.haxx.se/docs/adv_2018-b047.html
+ Fix heap buffer overflow when closing down an FTP connection
with very long server command replies as per CVE-2018-1000300
https://curl.haxx.se/docs/adv_2018-82c2.html
+ Fix heap buffer over-read when parsing bad RTSP headers
as per CVE-2018-1000301
https://curl.haxx.se/docs/adv_2018-b138.html
* Refresh patches
* Bump Standards-Version to 4.1.4 (no changes needed)
-- Alessandro Ghedini <email address hidden> Fri, 18 May 2018 20:21:17 +0100
-
curl (7.58.0-2) unstable; urgency=medium
* Explicitly enable libssh2 support which got silently disabled in the
previous update
-- Alessandro Ghedini <email address hidden> Wed, 24 Jan 2018 20:27:50 +0000
-
curl (7.58.0-1) unstable; urgency=medium
* New upstream release
- Fix HTTP/2 trailer out-of-bounds read as per CVE-2018-1000005
https://curl.haxx.se/docs/adv_2018-824a.html
- Fix HTTP authentication leak in redirects as per CVE-2018-1000007
https://curl.haxx.se/docs/adv_2018-b3bf.html
* Point Vcs-* to salsa.d.o
* Bump Standards-Version to 4.1.3 (no changes needed)
* Bump debhlper compat level to 11
* Refresh patches
* fix insecure-copyright-format-uri
-- Alessandro Ghedini <email address hidden> Wed, 24 Jan 2018 11:13:58 +0000
-
curl (7.57.0-1) unstable; urgency=medium
* New upstream release
- Fix NTLM buffer overflow via integer overflow as per CVE-2017-8816
https://curl.haxx.se/docs/adv_2017-11e7.html
- Fix FTP wildcard out of bounds read as per CVE-2017-8817
https://curl.haxx.se/docs/adv_2017-ae72.html
- Fix SSL out of buffer access as per CVE-2017-8818
https://curl.haxx.se/docs/adv_2017-af0a.html
* Remove -fdebug-prefix-map from curl-config.
Thanks to Timo Weingärtner for the patch (Closes: #861974, #874223, #874238)
* Don't install zsh completion when cross compiling.
Thanks to Wookey for the patch (Closes: #812965)
-- Alessandro Ghedini <email address hidden> Thu, 30 Nov 2017 10:16:03 +0000
-
curl (7.56.1-1) unstable; urgency=medium
* New upstream release
- Fix IMAP FETCH response out of bounds read as per CVE-2017-1000257
https://curl.haxx.se/docs/adv_20171023.html
* Bump Standards-Version to 4.1.1 (no changes needed)
* Drop 01_runtests_gdb.patch
* Drop 12_dont-wait-on-CONNECT.patch
* Refresh patches
* Update *.symbols files
* Use https:// URL in watch file
-- Alessandro Ghedini <email address hidden> Tue, 24 Oct 2017 11:05:48 +0100
-
curl (7.55.1-1) unstable; urgency=medium
* New upstream release
- Fix FTBFS on powerpc (Closes: #872502)
* Apply upstream patch to fix connection timeouts with NetworkManager
(Closes: #873181)
* Refresh patches
* Bump Standards-Version to 4.1.0 (no changes needed)
-- Alessandro Ghedini <email address hidden> Sat, 02 Sep 2017 12:10:22 +0100
-
curl (7.55.0-1) unstable; urgency=medium
* New upstream release
- Fix TFTP sends more than buffer size as per CVE-2017-1000100
(Closes: #871555)
- Fix URL globbing out of bounds read as per CVE-2017-1000101
(Closes: #871554)
* Refresh patches and drop patches merged upstream
* Update Standards-Version to 4.0.1 (no changes needed)
* Drop -dbg package
-- Alessandro Ghedini <email address hidden> Sat, 12 Aug 2017 15:18:05 +0100
-
curl (7.52.1-5) unstable; urgency=high
* Fix TLS session resumption client cert bypass as per CVE-2017-7468
https://curl.haxx.se/docs/adv_20170419.html
-- Alessandro Ghedini <email address hidden> Wed, 19 Apr 2017 11:19:50 +0100
-
curl (7.52.1-4) unstable; urgency=medium
* Fix regression in CONNECT response handling (Closes: #857613)
* Fix buffer read overrun on --write-out as per CVE-2017-7407
https://curl.haxx.se/docs/adv_20170403.html (Closes: #859500)
-- Alessandro Ghedini <email address hidden> Sat, 08 Apr 2017 21:55:27 +0100
-
curl (7.52.1-3) unstable; urgency=high
* Make SSL_VERIFYSTATUS work again as per CVE-2017-2629
https://curl.haxx.se/docs/adv_20170222.html
-- Alessandro Ghedini <email address hidden> Tue, 21 Feb 2017 22:38:41 +0000
-
curl (7.52.1-2) unstable; urgency=medium
* Fix HTTPS connection timeout with OpenSSL (Closes: #852317)
-- Alessandro Ghedini <email address hidden> Sun, 29 Jan 2017 21:34:10 +0000
-
curl (7.52.1-1) unstable; urgency=medium
* New upstream release
- Fix printf floating point buffer overflow as per CVE-2016-9586
(Closes: #848958)
* B-D on "libssl1.0-dev | libssl-dev (<< 1.1)" (Closes: #850880, #844018)
* Another attempt at making -dev packages multi-arch.
Thanks to Benjamin Moody for the patches. (Closes: #731998, #846360)
* Enable support for PSL (Closes: #847958)
* Re-enable support for IDN (Closes: #849539)
* Drop 10_disable-network-tests.patch.
It didn't really work, and the issue is not urgent.
* Switch curl binary back to libcurl3/OpenSSL.
While the GnuTLS flavour mostly worked fine, there are a bunch of features
that are not implemented.
-- Alessandro Ghedini <email address hidden> Thu, 12 Jan 2017 22:02:44 +0000
-
curl (7.51.0-1) unstable; urgency=medium
* New upstream release
- Fix cookie injection for other servers as per CVE-2016-8615
https://curl.haxx.se/docs/adv_20161102A.html
- Fix case insensitive password comparison as per CVE-2016-8616
https://curl.haxx.se/docs/adv_20161102B.html
- Fix OOB write via unchecked multiplication as per CVE-2016-8617
https://curl.haxx.se/docs/adv_20161102C.html
- Fix double-free in curl_maprintf as per CVE-2016-8618
https://curl.haxx.se/docs/adv_20161102D.html
- Fix double-free in krb5 code as per CVE-2016-8619
https://curl.haxx.se/docs/adv_20161102E.html
- Fix glob parser write/read out of bounds as per CVE-2016-8620
https://curl.haxx.se/docs/adv_20161102F.html
- Fix curl_getdate read out of bounds as per CVE-2016-8621
https://curl.haxx.se/docs/adv_20161102G.html
- Fix URL unescape heap overflow via integer truncation as per CVE-2016-8622
https://curl.haxx.se/docs/adv_20161102H.html
- Fix use-after-free via shared cookies as per CVE-2016-8623
https://curl.haxx.se/docs/adv_20161102I.html
- Fix invalid URL parsing with '#' as per CVE-2016-8624
https://curl.haxx.se/docs/adv_20161102J.html
- Fix IDNA 2003 makes curl use wrong host
https://curl.haxx.se/docs/adv_20161102K.html
- Fix escape and unescape integer overflows as
per CVE-2016-7167 (Closes: #837945)
https://curl.haxx.se/docs/adv_20160914.html
- Fix incorrect reuse of client certificates (NSS backend)
as per CVE-2016-7141 (Closes: #836918)
https://curl.haxx.se/docs/adv_20160907.html
* Drop 02_art_http_scripting.patch (file not shipped anymore)
* Refresh patches
* Temporarily disable IDN support
* Don't install pdf and html docs (they are not shipped in the tarball anymore)
* Install markdown docs
-- Alessandro Ghedini <email address hidden> Thu, 03 Nov 2016 22:46:14 +0000
-
curl (7.50.1-1) unstable; urgency=medium
* New upstream release (Closes: #827900)
- Fix TLS session resumption client cert bypass as per CVE-2016-5419
https://curl.haxx.se/docs/adv_20160803A.html
- Fix re-using connection with wrong client cert as per CVE-2016-5420
https://curl.haxx.se/docs/adv_20160803B.html
- Fix use of connection struct after free as per CVE-2016-5421
https://curl.haxx.se/docs/adv_20160803C.html
- Support OpenSSL 1.1 (Closes: #828127)
* Fix 04_workaround_as_needed_bug.patch.
Thanks to Yuriy M. Kaminskiy for the patch (Closes: #818131)
* Bump Standards-Version to 3.9.8 (no changes needed)
* Update Vcs-* URLs
* Refresh patches
* Add 08_enable-zsh.patch to re-enable zsh completion generation
* Remove 08_fix-zsh-completion.patch (was already disabled)
* Add 09_fix-typo.patch to fix spelling-error-in-manpage
* Add 10_disable-network-tests.patch to disable networked tests
(Closes: #830273)
* Improve cross Build-Depends satisfiability.
Thanks to Helmut Grohne for the patch (Closes: #818092)
-- Alessandro Ghedini <email address hidden> Wed, 03 Aug 2016 12:46:05 +0100
-
curl (7.47.0-1) unstable; urgency=high
* New upstream release
- Fix NTLM credentials not-checked for proxy connection re-use
as per CVE-2016-0755
http://curl.haxx.se/docs/adv_20160127A.html
- Set uyrgency=high accordingly
* Remove hard-coded dependency on libgnutls (Closes: #812542)
* Drop 08_fix-zsh-completion.patch (merged upstream)
* Refresh patches
-- Alessandro Ghedini <email address hidden> Wed, 27 Jan 2016 11:45:59 +0000
-
curl (7.46.0-1) unstable; urgency=medium
* New upstream release
- Initialize OpenSSL algorithms after loading config (Closes: #805408)
* Install curl zsh completion (Closes: #805509)
- Add 08_fix-zsh-completion.patch to fix zsh completion generation
-- Alessandro Ghedini <email address hidden> Sun, 27 Dec 2015 18:18:09 +0100
-
curl (7.45.0-1) unstable; urgency=medium
* New upstream release
* Drop 08_spelling.patch (merged upstream)
-- Alessandro Ghedini <email address hidden> Wed, 07 Oct 2015 12:59:03 +0200
-
curl (7.44.0-2) unstable; urgency=medium
* Enable HTTP/2 support (Closes: #796302)
-- Alessandro Ghedini <email address hidden> Thu, 10 Sep 2015 11:25:14 +0200
-
curl (7.44.0-1) unstable; urgency=medium
* New upstream release
* Refresh patches
* Update symbols files
* Add 08_spelling.patch to fix some spelling errors
-- Alessandro Ghedini <email address hidden> Wed, 12 Aug 2015 11:49:04 +0200
-
curl (7.43.0-1) unstable; urgency=medium
* New upstream release
- Fix lingering HTTP credentials in connection re-use as per CVE-2015-3236
http://curl.haxx.se/docs/adv_20150617A.html
- Fix SMB send off unrelated memory contents as per CVE-2015-3237
http://curl.haxx.se/docs/adv_20150617B.html
* Refresh patches
* Fix spelling-error-in-description
-- Alessandro Ghedini <email address hidden> Wed, 17 Jun 2015 10:21:34 +0200
-
curl (7.42.1-3) unstable; urgency=medium
* Update copyright
* Set both CA bundle and CA path default values for OpenSSL and GnuTLS
backends
* Bump versioned depends on libgnutls to workaround lack of nettle versioned
symbols (Closes: #787960)
-- Alessandro Ghedini <email address hidden> Sun, 07 Jun 2015 18:15:15 +0200
-
curl (7.42.1-2) unstable; urgency=medium
* Switch curl binary to libcurl3-gnutls (Closes: #342719)
This is the first step of a possible migration to a GnuTLS-only
libcurl for Debian. Let's see how it goes.
-- Alessandro Ghedini <email address hidden> Sun, 03 May 2015 13:13:15 +0200
-
curl (7.42.1-1) unstable; urgency=high
* New upstream release
- Don't send sensitive HTTP server headers to proxies as per
CVE-2015-3153
http://curl.haxx.se/docs/adv_20150429.html
* Drop 08_fix-spelling.patch (merged upstream)
* Refresh patches
-- Alessandro Ghedini <email address hidden> Wed, 29 Apr 2015 10:43:43 +0200
-
curl (7.42.0-1) unstable; urgency=medium
* New upstream release
- Fix re-using authenticated connection when unauthenticated
as per CVE-2015-3143
http://curl.haxx.se/docs/adv_20150422A.html
- Fix host name out of boundary memory access as per CVE-2015-3144
http://curl.haxx.se/docs/adv_20150422D.html
- Fix cookie parser out of boundary memory access as per CVE-2015-3145
http://curl.haxx.se/docs/adv_20150422C.html
- Fix Negotiate not treated as connection-oriented as per CVE-2015-3148
http://curl.haxx.se/docs/adv_20150422B.html
- Disable SSLv3 in the OpenSSL backend when OPENSSL_NO_SSL3_METHOD is
defined (Closes: #768562)
* Drop patches merged upstream
* Refresh patches
* Bump Standards-Version to 3.9.6 (no changes needed)
-- Alessandro Ghedini <email address hidden> Wed, 22 Apr 2015 11:07:32 +0200
-
curl (7.38.0-4) unstable; urgency=high
* Fix URL request injection vulnerability as per CVE-2014-8150
http://curl.haxx.se/docs/adv_20150108B.html
* Set urgency=high accordingly
-- Alessandro Ghedini <email address hidden> Thu, 08 Jan 2015 10:47:24 +0100
-
curl (7.38.0-3) unstable; urgency=high
* Enable all hardening options (Closes: #763372)
* Fix duphandle read out of bounds as per CVE-2014-3707
http://curl.haxx.se/docs/adv_20141105.html
* Set urgency=high accordingly
-- Alessandro Ghedini <email address hidden> Thu, 06 Nov 2014 11:40:24 +0100
-
curl (7.38.0-2) unstable; urgency=medium
* Check for libtoolize instead of libtool during build.
Thanks to Helmut Grohne for the patch (Closes: #761740)
* Add README.source note regarding ordering of patches (Closes: #762193)
* Add 10_fix-resolver.patch from upstream (Closes: #762014)
-- Alessandro Ghedini <email address hidden> Tue, 23 Sep 2014 16:41:53 +0200
-
curl (7.38.0-1) unstable; urgency=medium
* New upstream release
- Only use full host matches for hosts used as IP address
as per CVE-2014-3613
http://curl.haxx.se/docs/adv_20140910A.html
- Reject incoming cookies set for TLDs as per CVE-2014-3620
http://curl.haxx.se/docs/adv_20140910B.html
* Drop 08_link-curl-to-nss.patch (merged upstream)
* Refresh patches
* Fix wildcard-matches-nothing-in-dep5-copyright
* Add 08_fix-spelling.patch
-- Alessandro Ghedini <email address hidden> Wed, 10 Sep 2014 20:11:02 +0200
-
curl (7.37.1-1) unstable; urgency=medium
* New upstream release
* Re-enable RTMP support (Closes: #754222)
* Add 08_link-curl-to-nss.patch to fix NSS build
* Refresh patches
* Install manpages of single libcurl options too
-- Alessandro Ghedini <email address hidden> Fri, 18 Jul 2014 10:18:03 +0200
-
curl (7.37.0-1) unstable; urgency=medium
* New upstream release
- Fix NULL pointer dereference in GnuTLS code (Closes: #746349)
* Drop 08_fix-imap-tests.patch (merged upstream)
* Refresh 01_runtests_gdb.patch
* Remove Build-Depends on libgcrypt
-- Alessandro Ghedini <email address hidden> Wed, 21 May 2014 15:22:38 +0200
-
curl (7.36.0-2) unstable; urgency=medium
* Move Depends on -dev packages needed to use static libraries to Suggests
* Switch to GnuTLS 3.x (Closes: #741568)
* Disable RTMP support (librtmp-dev requires libgnutls-dev, which conflicts
with libgnutls28-dev)
-- Alessandro Ghedini <email address hidden> Mon, 28 Apr 2014 19:37:14 +0200
-
curl (7.36.0-1) unstable; urgency=high
* New upstream release (Closes: #742728)
- Fix connection re-use when using different log-in credentials
as per CVE-2014-0138
http://curl.haxx.se/docs/adv_20140326A.html
- Reject IP address wildcard matches as per CVE-2014-0139
http://curl.haxx.se/docs/adv_20140326B.html
- Set urgency=high accordingly
* Add 08_fix-imap-tests.patch to fix tests broken by the fix for CVE-2014-0138
-- Alessandro Ghedini <email address hidden> Sun, 30 Mar 2014 15:36:35 +0200
-
curl (7.35.0-1) unstable; urgency=high
* New upstream release
- Fix re-use of wrong HTTP NTLM connection as per CVE-2014-0015
http://curl.haxx.se/docs/adv_20140129.html
- Set urgency=high accordingly
* Refresh patches
-- Alessandro Ghedini <email address hidden> Wed, 29 Jan 2014 11:16:57 +0100
-
curl (7.34.0-1) unstable; urgency=high
* New upstream release
- Fix GnuTLS checking of a certificate CN or SAN name field when the
digital signature verification is turned off as per CVE-2013-6422
http://curl.haxx.se/docs/adv_20131217.html
- Set urgency=high accordingly
* Drop patches merged upstream:
- 08_fix-typo.patch
- 09_fix-urlglob.patch
-- Alessandro Ghedini <email address hidden> Tue, 17 Dec 2013 13:16:19 +0100
-
curl (7.33.0-2) unstable; urgency=low
* Make -dev packages Multi-Arch: same too (Closes: #731309)
* Bump Standards-Version to 3.9.5 (no changes needed)
* Add 09_fix-urlglob.patch to fix URL globbing (Closes: #731855)
-- Alessandro Ghedini <email address hidden> Wed, 11 Dec 2013 18:44:37 +0100
-
curl (7.33.0-1) unstable; urgency=low
* New upstream release
- Handle arbitrary-length username and password (Closes: #719856)
* Remove Luk from Uploaders as per his request (Closes: #723603)
* Do not Build-Depends on specific automake version (Closes: #724361)
* Fix lintian vcs-field-not-canonical
* Add 08_fix-typo.patch
* Refresh patches
-- Alessandro Ghedini <email address hidden> Mon, 14 Oct 2013 22:11:14 +0200
-
curl (7.32.0-1) unstable; urgency=low
* New upstream release
* Fix typo in changelog entry for 7.31.0-1 (Closes: #714502)
* Drop 08_typo.patch (merged upstream)
* Drop 09_openssl-recv.patch (merged upstream)
* Refresh 90_gnutls.patch and 99_nss.patch
* Refresh 06_always-disable-valgrind.patch
* Enable threaded DNS resolver (Closes: #570436)
See NEWS.Debian for more info
-- Alessandro Ghedini <email address hidden> Mon, 12 Aug 2013 12:19:05 +0200
-
curl (7.31.0-2) unstable; urgency=high
* Add 09_openssl-recv.patch to fix incorrect OpenSSL usage (Closes: #714050)
* Set urgency=high because of the security fix in the previous upload
-- Alessandro Ghedini <email address hidden> Wed, 26 Jun 2013 11:47:00 +0200
-
curl (7.31.0-1) unstable; urgency=low
* New upstream release
- Fix URL decode buffer boundary flaw as per CVE-2013-2174
http://curl.haxx.se/docs/adv_20130622.html
* Maake curl Multi-Arch: foreign (Closes: #712585)
* Drop 08_reset-timecond.patch (merged upstream)
* Refresh patches
* Add 08_typo.patch to fix a couple of typos in one of the manpages
-- Alessandro Ghedini <email address hidden> Sat, 22 Jun 2013 15:46:53 +0200
-
curl (7.30.0-2) unstable; urgency=low
* Move textual docs to the -doc package too
* Move manpages from -dev packages to -doc as well
- Add Breaks+Replaces accordingly
* Remove outdated Replaces/Conflicts
* Update watch file version to 3
* Add 08_reset-timecond.patch (Closes: #705783)
-- Alessandro Ghedini <email address hidden> Fri, 10 May 2013 17:46:46 +0200
-
curl (7.30.0-1) unstable; urgency=low
* New upstream release
* Update upstream copyright years
* Drop patches merged upstream:
- 08_NULL-pointer-dereference-on-close.patch
- 09_CVE-213-1944.patch
- 10_test1218-another-cookie-tailmatch-test.patch
* Update patches:
- 03_keep_symbols_compat.patch
- 90_gnutls.patch
- 99_nss.patch
* Add libcurl4-doc package:
- Move *.pdf and *.html files to the libcurl4-doc package
- Add Suggests for -doc package to -dev packages
- Move examples to the -doc package
* Add Build-Depends on python which is used by some tests
-- Alessandro Ghedini <email address hidden> Thu, 18 Apr 2013 12:55:09 +0200
-
curl (7.29.0-2.1) unstable; urgency=high
* Non-maintainer upload.
[ Alessandro Ghedini ]
* Do not compress *.pdf files (Closes: #704093)
[ Salvatore Bonaccorso ]
* Add 09_CVE-213-1944.patch.
Fix CVE-2013-1944: fix tailmatching to prevent cross-domain leakage.
Cookies set for 'example.com' could accidentaly also be sent by libcurl
to the 'bexample.com' (ie with a prefix to the first domain name).
(Closes: #705274)
* Add testcase for CVE-2013-1944.
-- Salvatore Bonaccorso <email address hidden> Fri, 12 Apr 2013 13:55:34 +0200
-
curl (7.29.0-2) unstable; urgency=low
* Fix a segfault when closing an unused multi handle (Closes: #701713)
* Mention LDAPS in packages' long descriptions
* Clean-up d/rules
- Switch to short-form dh
- Enable test suite on hurd and kfreebsd too
- Enable GSSAPI support on hurd too
-- Alessandro Ghedini <email address hidden> Mon, 11 Mar 2013 19:02:56 +0100
-
curl (7.29.0-1) unstable; urgency=high
* New upstream release
- Fix buffer overflow when negotiating SASL DIGEST-MD5 authentication
as per CVE-2013-0249 (Closes: #700002)
http://curl.haxx.se/docs/adv_20130206.html
- Set urgency=high accordingly
* Install all the examples
* Update 90_gnutls.patch and 99_nss.patch
* Refresh patches
* Correctly pass CPPFLAGS to ./configure
* Upload to unstable
-- Alessandro Ghedini <email address hidden> Mon, 11 Feb 2013 14:48:03 +0100
-
curl (7.28.0-3) unstable; urgency=low
* Add 07_do-not-disable-debug-symbols.patch, do not pass --enable-debug
anymore (Closes: #683103)
* Update 05_fix-git-over-https.patch to reflect new upstream patch
* Add 08_fix-git-auth.patch to fix HTTPS authentication (Closes: #690764)
-- Alessandro Ghedini <email address hidden> Sat, 17 Nov 2012 14:07:21 +0100
-
curl (7.28.0-2) unstable; urgency=low
* Add 05_fix-git-over-https.patch (Closes: #690551)
* Add 06_always-disable-valgrind.patch (Closes: #690968)
-- Alessandro Ghedini <email address hidden> Mon, 22 Oct 2012 14:35:02 +0200
-
curl (7.28.0-1) unstable; urgency=low
* New upstream release
- gnutls: do not fail on non-fatal handshake errors (Closes: #685402)
* Remove versioned build depends on libssh2 (already in stable)
* Bump Standards-Version to 3.9.4 (no changes needed)
* Refresh 01_runtests_gdb.patch
* Update *.symbols files
* Build depend on ca-certifcates to avoid test failure
-- Alessandro Ghedini <email address hidden> Thu, 11 Oct 2012 19:11:09 +0200
-
curl (7.27.0-1) unstable; urgency=low
* New upstream release
* Update upstream copyright
* Refresh 01_runtests_gdb.patch, 90_gnutls.patch and 99_nss.patch
-- Alessandro Ghedini <email address hidden> Wed, 08 Aug 2012 17:22:00 +0200
-
curl (7.26.0-1) unstable; urgency=low
* New upstream release
- Reject numerical IPv6 addresses outside brackets (Closes: #670126)
* Email change: Alessandro Ghedini -> <email address hidden>
* Stricter Depends on libcurl3 (Closes: #666089)
* Remove Ramakrishnan (as per his request), move myself to Maintainer
Thank you for all your work so far
* Disable memory tracking, but keep debug enabled
- Remove memdebug symbols (used by curl only)
* Refresh 01_runtests_gdb.patch, 90_gnutls.patch and 99_nss.patch
* Disable not-quite-working symbols hiding
-- Alessandro Ghedini <email address hidden> Fri, 25 May 2012 15:19:51 +0200
-
curl (7.25.0-1) unstable; urgency=low
* New upstream release
- Add --ssl-allow-beast and CURLOPT_SSL_OPTIONS (Closes: #658276)
- Allow negative numbers as option value (Closes: #659591)
* Add libssh2-1-dev to libcurl4-gnutls-dev and libcurl4-nss-dev Depends
* Bump debhelper compat level to 9
- Make *.links files executable to simplify rules file
* Pass --as-needed ld flag to avoid unneeded dependencies
- Add workaround_as_needed_bug to workaround a libtool bug
- Drop dont_link_to_krb5 (not needed because of --as-needed)
* Do some clean-up in debian/rules
* Update debian/copyright format as in Debian Policy 3.9.3
* Bump Standards-Version to 3.9.3
* Explicit Conflicts in -dev packages (fixes binaries-have-file-conflict)
* Add openssh-server to build depends to enable some more tests
* Update upstream copyright years
* Refresh patches
-- Alessandro Ghedini <email address hidden> Fri, 23 Mar 2012 16:24:51 +0100
-
curl (7.24.0-1) unstable; urgency=high
* New upstream release
- Improve documentation for the --capath option (Closes: #628697)
- Fix URL sanitization vulnerability as per CVE-2012-0036
http://curl.haxx.se/docs/adv_20120124.html
- Fix SSL CBC IV vulnerability as per CVE-2011-3389
http://curl.haxx.se/docs/adv_20120124B.html
- Set urgency=high accordingly
* Remove curl_links_with_rt patch (curl links to librt anyway)
* Improve descriptions of -dev and -dbg packages
* Drop fix_manpage_spelling and versioned patches (merged upstream)
* Refresh patches
* Add keep_symbols_compat patch to not break backwards ABI compatibility
* Enable libssh2 support for GnuTLS and NSS flavours too
(libssh2 now uses libgcrypt instead of libssl)
-- Alessandro Ghedini <email address hidden> Tue, 24 Jan 2012 12:04:04 +0100
-
curl (7.23.1-3) unstable; urgency=low
* Enable security hardening flags
* Remove libdb-dev from B-D (not used)
* Improve short and long descriptions
* Provide proper *.symbols files (Closes: #651619)
* Do not version Curl_* symbols (for internal use only)
* Do not override dh_makeshlibs version anymore
-- Alessandro Ghedini <email address hidden> Tue, 13 Dec 2011 19:55:31 +0100
-
curl (7.23.1-2) unstable; urgency=low
* Bump shlibs version for libcurl3-nss (Closes: #650498)
-- Alessandro Ghedini <email address hidden> Thu, 01 Dec 2011 22:32:19 +0100
-
curl (7.23.1-1) unstable; urgency=low
* New upstream release
- Do not use gnutls_priority_set_direct and
gnutls_certificate_type_set_priority anymore (Closes: #624024)
* Refresh patches
* Add --enable-debug flag to configure (Closes: #648902)
* One Provides/Replaces per line
* libcurl4-openssl-dev Provides libcurl4-dev too (Closes: #644126)
* Specify only 3 components for Standards-Version
(the fourth is not really needed)
* Move ca-certificates to Recommends in lib* packages (Closes: #546607)
* Add NSS flavour to versioned symbols
-- Alessandro Ghedini <email address hidden> Sun, 27 Nov 2011 18:45:01 +0100
-
curl (7.22.0-3) unstable; urgency=low
[ Ramakrishnan Muthukrishnan ]
* Add new Uploaders, Ian and Alessandro. (Closes: #647255)
[ Luk Claes ]
* Install lintian overrides with dh_lintian.
* Install all files with dh_install and get rid of dh_installdirs.
[ Alessandro Ghedini ]
* New upstream release.
* Bump debhelper compat level to 8.
* debian/control:
- One (Build-)Depends per line.
- Sort (Build-)Depends.
- Remove Build-Depends on binutils
(v2.18 is already in oldstable and it is Build-Essential: yes).
- Build depends on stunnel4 instead of stunnel
(stunnel is just a dummy package).
- Remove duplicate Section field in package curl.
- Add Luk to Uploaders too, sort names.
* debian/patches:
- Update runtests_gdb patch, add DEP3 headers.
- Update gnutls and nss patches, add DEP3 headers.
- Refresh other patches.
- Add DEP3 headers to all the patches.
- Remove libtool patch (not applied anyway)
- Set Forwarded: not-needed for Debian specific patches
* Replace dh_clean -k call with dh_prep
(dh_clean -k is deprecated since debhelper 7).
* Add fix_manpage_spelling patch
* debian/copyright:
- Switch to DEP5 format
- Update copyright information
* Add librtmp-dev to libcurl4-nss-dev too
-- Alessandro Ghedini <email address hidden> Sun, 13 Nov 2011 21:07:32 +0100
-
curl (7.21.7-3) unstable; urgency=low
* debian/rules: Build only curl and libcurl3 with rtmp support. Rest of the
packages do not need to be built with rtmp support. (closes: #641173)
-- Ramakrishnan Muthukrishnan <email address hidden> Sun, 11 Sep 2011 22:08:08 +0200
-
curl (7.21.7-2) unstable; urgency=low
* debian/control: libcurl*-dev packages should depend on librtmp-dev.
(closes: #640260)
* debian/rules: add build-arch and build-indep targets.
-- Ramakrishnan Muthukrishnan <email address hidden> Mon, 05 Sep 2011 16:12:42 +0200
-
curl (7.21.7-1) unstable; urgency=low
* New Upstream release which fixes the following bugs. - libcurl3-gnutls: HTTPS over HTTP still broken in Git (closes: #627335) - git-core: gnutls_handshake() fail when using https:// over a proxy (closes: #559371) * debian/control: capitalize 'ftp'. (closes: #587338) * debian/rules: add build-arch and build-indep targets. -- Ramakrishnan Muthukrishnan <email address hidden> Sat, 30 Jul 2011 17:57:08 +0530
-
curl (7.21.6-3) unstable; urgency=low
* Apply the Multiarch patch from Steve Langasek. (closes: #631946) -- Ramakrishnan Muthukrishnan <email address hidden> Wed, 29 Jun 2011 08:26:56 +0530
-
curl (7.21.6-2) unstable; urgency=high
* Fix for the inappropriate GSSAPI delegation vulnerability (CVE-2011-2192). (closes: #631615) -- Ramakrishnan Muthukrishnan <email address hidden> Sat, 25 Jun 2011 23:37:04 +0530
-
curl (7.21.6-1) unstable; urgency=low
* New upstream release to fix a HTTPS over a HTTP proxy bug on 7.21.5. -- Ramakrishnan Muthukrishnan <email address hidden> Sat, 23 Apr 2011 07:12:57 +0530
-
curl (7.21.5-1) unstable; urgency=low
* New Upstream version. (closes: #623459) * debian/patches/{sslv2_disable, error_code}: removed as these patches were backported earlier from new upstream and this release incorporates them. -- Ramakrishnan Muthukrishnan <email address hidden> Fri, 22 Apr 2011 13:14:41 +0530
-
curl (7.21.4-2) unstable; urgency=low
* debian/patches/{sslv2-disable, series}: Apply the upstream commit c66b0b32fba175d5f096c944d8ec8f9f06299f4a. (closes: #622016) * debian/{rules, control}: enable rtmp. (closes: #622328) * debian/control: removing hurd from dependencies. Hurd is an 'essential' package. -- Ramakrishnan Muthukrishnan <email address hidden> Wed, 13 Apr 2011 16:15:27 -0700
-
curl (7.21.4-1) unstable; urgency=low
* New upstream release. * debian/control: downgraded the version number of libdb-dev required to 4.6 from 4.7, based on the inputs from Erik Schanze <email address hidden>. -- Ramakrishnan Muthukrishnan <email address hidden> Mon, 28 Feb 2011 19:35:36 +0530
-
curl (7.21.3-1) unstable; urgency=low
* New upstream release. * debian/*.manpages: adding all manpages for the curl library. (closes: #605651) * gnutls->handshake: improved timeout handling. See #594150 for details. -- Ramakrishnan Muthukrishnan <email address hidden> Wed, 15 Dec 2010 23:39:26 +0530
-
curl (7.21.2-4) unstable; urgency=low
* support for curl library built against nss. (closes: #606244) * honour DEB_BUILD_OPTIONS=nocheck option. (closes: #606059) -- Ramakrishnan Muthukrishnan <email address hidden> Thu, 09 Dec 2010 20:11:37 +0530
-
curl (7.21.2-3) unstable; urgency=low
* debian/rules: reverting changes related to c-ares inclusion. * debian/control: removing libc-ares-dev for now. (closes: #605558) -- Ramakrishnan Muthukrishnan <email address hidden> Thu, 02 Dec 2010 10:56:36 +0530
-
curl (7.21.2-2) unstable; urgency=low
* debian/control: add libc-ares-dev as build dependency. * debian/rules: invoke configure with --enable-ares. (closes: #570436) * debian/copyright: add copyright notice of lib/security to the copyright file. (closes: #603712) -- Ramakrishnan Muthukrishnan <email address hidden> Tue, 30 Nov 2010 17:35:29 +0530
-
curl (7.21.2-1) unstable; urgency=low
* New upstream release.
-- Ramakrishnan Muthukrishnan <email address hidden> Mon, 18 Oct 2010 11:13:17 +0530
-
curl (7.21.1-1) unstable; urgency=low
* New upstream release.
-- Ramakrishnan Muthukrishnan <email address hidden> Thu, 12 Aug 2010 08:20:48 +0530
-
curl (7.21.0-1) unstable; urgency=low
* New upstream.
-- Ramakrishnan Muthukrishnan <email address hidden> Wed, 16 Jun 2010 19:25:37 +0530
-
curl (7.20.1-2) unstable; urgency=low
* debian/rules: Removed the custom LDFLAGS variable. This is not
required as we are no longer using the libtool patch.
(closes: #578774)
-- Ramakrishnan Muthukrishnan <email address hidden> Wed, 28 Apr 2010 18:40:27 +0530
-
curl (7.20.0-3) unstable; urgency=low
* debian/control: Vcs* tags added.
* docs/libcurl/libcurl.m4: added the missing double quote (closes: #576518).
-- Ramakrishnan Muthukrishnan <email address hidden> Mon, 05 Apr 2010 18:56:40 +0530
-
curl (7.20.0-2) unstable; urgency=low
* New Maintainer (closes: #574137).
* Bug #533669 (curl segmentation fault in addbyter()) is fixed
from release 7.19.7 onwards (closes: #533669).
* Bug #510559 (curl sends whitespace unencoded in the url) can't
be reproduced in the 7.20.0 release (closes: #510559).
-- Ramakrishnan Muthukrishnan <email address hidden> Thu, 18 Mar 2010 08:55:19 +0530
-
curl (7.20.0-1) unstable; urgency=low
* Package is orphaned.
* New upstream release.
* Switch to dpkg-source 3.0 (quilt) format (closes: #538547).
* Fixed build error with binutils-gold (closes: #554296).
-- Domenico Andreoli <email address hidden> Tue, 09 Feb 2010 13:06:39 +0100
-
curl (7.19.7-1) unstable; urgency=low
* New upstream release:
- curl_getdate(3) now correctly manages single letter military
timezones as specified in RFC 822 (closes: #551461).
* build depends on generic libdb-dev (closes: #548476).
* build depends on libssh2-1-dev (>= 1.2) to enable new curl options.
-- Domenico Andreoli <email address hidden> Thu, 05 Nov 2009 10:11:57 +0100
-
curl (7.19.5-1.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Fix possible mitm via injected null byte (CVE-2009-2417; Closes: #541991).
-- Nico Golde <email address hidden> Thu, 27 Aug 2009 20:10:51 +0200
-
curl (7.19.5-1) unstable; urgency=low
* New upstream release
* Fix "libcurl3-gnutls has memory corruption" by upgrading to new upstream
release, which fixes this bug (Closes: #530131)
* update standards version to 3.8.1
* adjust overrides from libdevel to debug for -dbg package
* adjust doc-base section
-- Andreas Schuldei <email address hidden> Sun, 24 May 2009 21:12:19 +0200
-
curl (7.19.4-1) unstable; urgency=low
* New upstream release
* Fix "newer bdb version" <explain what you changed and why>
(Closes: #517277)
* resolve libtool version confusion, thanks to
Stefanos Harhalakis <email address hidden>
* add new dependency on libgcrypt11-dev due to newly arising binary symbols
-- Andreas Schuldei <email address hidden> Thu, 02 Apr 2009 23:35:45 +0200
-
curl (7.18.2-8.1) unstable; urgency=high
* Non-maintainer upload by the security team.
* Include upstream patch to prevent overwriting and reading arbitrary
local files or command execution via malicious redirects depending on
the setup curl is used in.
NOTE: This update introduces a new option called CURLOPT_REDIR_PROTOCOLS
which includes the protocols curl will follow on redirects, scp and file
are not included by default (CVE-2009-0037; Closes: #518423).
-- Nico Golde <email address hidden> Wed, 11 Mar 2009 15:33:08 +0100
-
curl (7.18.2-8) unstable; urgency=low
* Fix "Please add support for ldap/ldaps protocols"
by changing the linker option for liblber (Closes: #506096)
-- Andreas Schuldei <email address hidden> Fri, 26 Dec 2008 23:48:19 +0100
-
curl (7.18.2-7) unstable; urgency=low
* disable c-ares support again, no fix yet, just get stuff working again.
-- Andreas Schuldei <email address hidden> Tue, 15 Jul 2008 01:17:29 +0200
