curl (7.55.1-1ubuntu2.6) artful-security; urgency=medium
  * SECURITY UPDATE: SMTP send heap buffer overflow
    - debian/patches/CVE-2018-0500.patch: use the upload buffer size for
      scratch buffer malloc in lib/smtp.c.
    - CVE-2018-0500
 -- Marc Deslauriers <email address hidden> Wed, 04 Jul 2018 10:20:21 -0400
-
curl (7.55.1-1ubuntu2.5) artful-security; urgency=medium
  * SECURITY UPDATE: FTP shutdown response buffer overflow
    - debian/patches/CVE-2018-1000300.patch: check data size in
      lib/pingpong.c.
    - CVE-2018-1000303
  * SECURITY UPDATE: RTSP bad headers buffer over-read
    - debian/patches/CVE-2018-1000301.patch: restore buffer pointer when
      bad response-line is parsed in lib/http.c.
    - CVE-2018-1000301
 -- Marc Deslauriers <email address hidden> Tue, 08 May 2018 13:51:37 -0400
-
curl (7.55.1-1ubuntu2.4) artful-security; urgency=medium
  * SECURITY UPDATE: FTP path trickery leads to NIL byte OOB write
    - debian/patches/CVE-2018-1000120-pre.patch: URL decode path for dir
      listing in nocwd mode in lib/ftp.c, add test to tests/*.
    - debian/patches/CVE-2018-1000120.patch: reject path components with
      control codes in lib/ftp.c, add test to tests/*.
    - CVE-2018-1000120
  * SECURITY UPDATE: LDAP NULL pointer dereference
    - debian/patches/CVE-2018-1000121.patch: check ldap_get_attribute_ber()
      results for NULL before using in lib/openldap.c.
    - CVE-2018-1000121
  * SECURITY UPDATE: RTSP RTP buffer over-read
    - debian/patches/CVE-2018-1000122.patch: make sure excess reads don't
      go beyond buffer end in lib/transfer.c.
    - CVE-2018-1000122
 -- Marc Deslauriers <email address hidden> Wed, 14 Mar 2018 08:47:46 -0400
-
curl (7.55.1-1ubuntu2.3) artful-security; urgency=medium
  * SECURITY UPDATE: Out of bounds read in code handling HTTP/2
    - debian/patches/CVE-2018-1000005.patch: fix incorrect
      trailer buffer size in lib/http2.c.
    - CVE-2018-1000005
  * SECURITY UPDATE: leak authentication data
    - debian/patches/CVE-2018-1000007.patch: prevent custom
      authorization headers in redirects in lib/http.c,
      lib/url.c, lib/urldata.h, tests/data/Makefile.in,
      tests/data/test317, tests/data/test318.
    - CVE-2018-1000007
  * Removing test that fails to check manpage after CVE-2018-1000007.
 -- <email address hidden> (Leonidas S. Barbosa) Mon, 29 Jan 2018 16:54:19 -0300
-
curl (7.55.1-1ubuntu2.2) artful-security; urgency=medium
  * SECURITY UPDATE: NTLM buffer overflow via integer overflow
    - debian/patches/CVE-2017-8816.patch: avoid integer overflow for malloc
      size in lib/curl_ntlm_core.c
    - CVE-2017-8816
  * SECURITY UPDATE: FTP wildcard out of bounds read
    - debian/patches/CVE-2017-8817.patch: fix heap buffer overflow in
      setcharset in lib/curl_fnmatch.c, added tests to
      tests/data/Makefile.inc, tests/data/test1163.
    - CVE-2017-8817
 -- Marc Deslauriers <email address hidden> Tue, 28 Nov 2017 07:59:20 -0500
-
curl (7.55.1-1ubuntu2.1) artful-security; urgency=medium
  * SECURITY UPDATE: IMAP FETCH response out of bounds read
    - debian/patches/CVE-2017-1000257.patch: check size in lib/imap.c.
    - CVE-2017-1000257
 -- Marc Deslauriers <email address hidden> Fri, 20 Oct 2017 11:06:14 -0400
-
curl (7.55.1-1ubuntu2) artful; urgency=medium
  * SECURITY UPDATE: FTP PWD response parser out of bounds read
    - debian/patches/CVE-2017-1000254.patch: zero terminate the entry path
      even on bad input in lib/ftp.c, added test to
      tests/data/Makefile.inc, tests/data/test1152.
    - CVE-2017-1000254
 -- Marc Deslauriers <email address hidden> Wed, 04 Oct 2017 08:35:10 -0400
-
curl (7.55.1-1ubuntu1) artful; urgency=low
  * Merge from Debian unstable. Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop libssh2-1-dev, and libnghttp2-dev.
      + Drop libssh2-1-dev from binary package Depends.
      + debian/control: drop --with-nghttp2
curl (7.55.1-1) unstable; urgency=medium
  * New upstream release
    - Fix FTBFS on powerpc (Closes: #872502)
  * Apply upstream patch to fix connection timeouts with NetworkManager
    (Closes: #873181)
  * Refresh patches
  * Bump Standards-Version to 4.1.0 (no changes needed)
 -- Gianfranco Costamagna <email address hidden> Sun, 03 Sep 2017 22:14:32 +0200
-
curl (7.55.0-1ubuntu2) artful; urgency=medium
  * debian/patches/0001-http-Don-t-wait-on-CONNECT-when-there-is-no-proxy.patch:
    Cherry-pick from upstream, via Arch: Don't wait for CONNECT. This fixes
    timeouts in network-manager's connectivity checker.
 -- Iain Lane <email address hidden> Fri, 25 Aug 2017 10:46:14 +0100
-
curl (7.55.0-1ubuntu1) artful; urgency=low
  * Merge from Debian unstable. Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop libssh2-1-dev, and libnghttp2-dev.
      + Drop libssh2-1-dev from binary package Depends.
      + debian/control: drop --with-nghttp2
curl (7.55.0-1) unstable; urgency=medium
  * New upstream release
    - Fix TFTP sends more than buffer size as per CVE-2017-1000100
      (Closes: #871555)
    - Fix URL globbing out of bounds read as per CVE-2017-1000101
      (Closes: #871554)
  * Refresh patches and drop patches merged upstream
  * Update Standards-Version to 4.0.1 (no changes needed)
  * Drop -dbg package
 -- Gianfranco Costamagna <email address hidden> Mon, 14 Aug 2017 13:02:36 +0200
-
curl (7.52.1-5ubuntu1) artful; urgency=low
  * Merge from Debian unstable. Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop libssh2-1-dev, and libnghttp2-dev.
      + Drop libssh2-1-dev from binary package Depends.
      + debian/control: drop --with-nghttp2
 -- Gianfranco Costamagna <email address hidden> Sat, 22 Apr 2017 14:54:52 +0200
-
curl (7.52.1-4ubuntu1.1) zesty-security; urgency=medium
  * SECURITY UPDATE: TLS session resumption client cert bypass
    - debian/patches/CVE-2017-7468: Move the sessionid flag to
      ssl_primary_config so that ssl and proxy_ssl will each have
      their own sessionid flag.
    - CVE-2017-7468
 -- Steve Beattie <email address hidden> Mon, 17 Apr 2017 13:20:57 -0700
-
curl (7.52.1-4ubuntu1) zesty; urgency=low
  * Merge from Debian unstable. Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop libssh2-1-dev, and libnghttp2-dev.
      + Drop libssh2-1-dev from binary package Depends.
      + debian/control: drop --with-nghttp2
 -- Gianfranco Costamagna <email address hidden> Sun, 09 Apr 2017 13:07:51 +0200