Change logs for curl source package in Bionic

  • curl (7.58.0-2ubuntu3.24) bionic-security; urgency=medium
    
      * SECURITY UPDATE: TELNET option IAC injection
        - debian/patches/CVE-2023-27533.patch: only accept option arguments in
          ascii in lib/telnet.c.
        - CVE-2023-27533
      * SECURITY UPDATE: SFTP path ~ resolving discrepancy
        - debian/patches/CVE-2023-27534-pre1.patch: do not add '/' if homedir
          ends with one in lib/curl_path.c.
        - debian/patches/CVE-2023-27534.patch: properly handle tilde character
          in lib/curl_path.c.
        - CVE-2023-27534
      * SECURITY UPDATE: FTP too eager connection reuse
        - debian/patches/CVE-2023-27535.patch: add more conditions for
          connection reuse in lib/ftp.c, lib/ftp.h, lib/url.c, lib/urldata.h.
        - CVE-2023-27535
      * SECURITY UPDATE: GSS delegation too eager connection re-use
        - debian/patches/CVE-2023-27536.patch: only reuse connections with same
          GSS delegation in lib/url.c, lib/urldata.h.
        - CVE-2023-27536
      * SECURITY UPDATE: SSH connection too eager reuse still
        - debian/patches/CVE-2023-27538.patch: fix the SSH connection reuse
          check in lib/url.c.
        - CVE-2023-27538
    
     -- Marc Deslauriers <email address hidden>  Wed, 15 Mar 2023 08:58:03 -0400
  • curl (7.58.0-2ubuntu3.23) bionic-security; urgency=medium
    
      * SECURITY UPDATE: HTTP multi-header compression denial of service
        - debian/patches/CVE-2023-23916.patch: do not reset stage counter for
          each header in lib/content_encoding.c, lib/urldata.h,
          tests/data/Makefile.inc, tests/data/test418.
        - CVE-2023-23916
    
     -- Marc Deslauriers <email address hidden>  Wed, 15 Feb 2023 08:34:26 -0500
  • curl (7.58.0-2ubuntu3.22) bionic-security; urgency=medium
    
      * SECURITY UPDATE: HTTP Proxy deny use-after-free
        - debian/patches/CVE-2022-43552.patch: do not free the protocol struct
          in *_done() in lib/smb.c, lib/telnet.c.
        - CVE-2022-43552
    
     -- Marc Deslauriers <email address hidden>  Wed, 04 Jan 2023 12:08:06 -0500
  • curl (7.58.0-2ubuntu3.21) bionic-security; urgency=medium
    
      * SECURITY UPDATE: POST following PUT confusion
        - debian/patches/CVE-2022-32221.patch: when POST is set, reset the
          'upload' field in lib/setopt.c.
        - CVE-2022-32221
    
     -- Marc Deslauriers <email address hidden>  Tue, 18 Oct 2022 12:45:13 -0400
  • curl (7.58.0-2ubuntu3.20) bionic-security; urgency=medium
    
      * SECURITY UPDATE: when curl sends back cookies with control bytes a
        HTTP(S) server may return a 400 response
        - debian/patches/CVE-2022-35252.patch: adds invalid_octets function
          to lib/cookie.c to reject cookies with control bytes
        - CVE-2022-35252
    
     -- Mark Esler <email address hidden>  Wed, 31 Aug 2022 14:18:59 -0500
  • curl (7.58.0-2ubuntu3.19) bionic-security; urgency=medium
    
      * SECURITY UPDATE: HTTP compression denial of service
        - debian/patches/CVE-2022-32206.patch: return error on too many
          compression steps in lib/content_encoding.c.
        - CVE-2022-32206
      * SECURITY UPDATE: FTP-KRB bad msg verification
        - debian/patches/CVE-2022-32208.patch: return error properly
          on decode errors in lib/krb5.c.
        - CVE-2022-32208
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 22 Jun 2022 13:00:50 -0300
  • curl (7.58.0-2ubuntu3.18) bionic-security; urgency=medium
    
      * SECURITY UPDATE: CERTINFO never-ending busy-loop
        - debian/patches/CVE-2022-27781.patch: return error if seemingly stuck
          in a cert loop in lib/vtls/nss.c.
        - CVE-2022-27781
      * SECURITY UPDATE: TLS and SSH connection too eager reuse
        - debian/patches/CVE-2022-27782.patch: check more TLS details for
          connection reuse in lib/setopt.c, lib/url.c, lib/urldata.h,
          lib/vtls/gtls.c, lib/vtls/openssl.c, lib/vtls/nss.c, lib/vtls/vtls.c.
        - CVE-2022-27782
    
     -- Marc Deslauriers <email address hidden>  Mon, 09 May 2022 14:12:53 -0400
  • curl (7.58.0-2ubuntu3.17) bionic-security; urgency=medium
    
      * SECURITY UPDATE: OAUTH2 bypass
        - debian/patches/CVE-2022-22576.patch: check sasl additional
          parameters for conn reuse in lib/strcase.c, lib/strcase.h,
          lib/url.c, lib/urldata.h, lib/vtls/vtls.c.
        - CVE-2022-22576
      * SECURITY UPDATE: Credential leak on redirect
        - debian/patches/CVE-2022-27774-1.patch: store conn_remote_port
          in the info struct to make it available after the connection ended
          in lib/connect.c, lib/urldata.h.
        - debian/patches/CVE-2022-27774-2.patch: redirects to other protocols
          or ports clear auth in lib/transfer.c.
        - debian/patches/CVE-2022-27774-3*.patch: adds tests to verify
          these fixes in tests/data/Makefile.inc, tests/data/test973,
          tests/data/test974, tests/data/test975, tests/data/test976.
        - CVE-2022-27774
      * SECURITY UPDATE: Bad local IPV6 connection reuse
        - debian/patches/CVE-2022-27775.patch: include the zone id in the
          'bundle' haskey in lib/conncache.c.
        - CVE-2022-27775
      * SECURITY UPDATE: Auth/cookie leak on redirect
        - debian/patches/CVE-2022-27776.patch: avoid auth/cookie on redirects
          same host diff port in lib/http.c, lib/urldata.h.
        - CVE-2022-27776
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Mon, 25 Apr 2022 14:19:19 -0300
  • curl (7.58.0-2ubuntu3.16) bionic-security; urgency=medium
    
      * SECURITY REGRESSION: regression in smtp starttls (LP: #1944120)
        - debian/patches/CVE-2021-22947.patch: fix bad patch backport.
    
     -- Marc Deslauriers <email address hidden>  Mon, 20 Sep 2021 08:02:14 -0400
  • curl (7.58.0-2ubuntu3.15) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Protocol downgrade required TLS bypassed
        - debian/patches/CVE-2021-22946-pre1.patch: separate FTPS from FTP over
          HTTPS proxy in lib/ftp.c, lib/urldata.h.
        - debian/patches/CVE-2021-22946.patch: do not ignore --ssl-reqd in
          lib/ftp.c, lib/imap.c, lib/pop3.c, tests/data/Makefile.inc,
          tests/data/test984, tests/data/test985, tests/data/test986.
        - CVE-2021-22946
      * SECURITY UPDATE: STARTTLS protocol injection via MITM
        - debian/patches/CVE-2021-22947.patch: reject STARTTLS server response
          pipelining in lib/ftp.c, lib/imap.c, lib/pop3.c, lib/smtp.c,
          tests/data/Makefile.inc, tests/data/test980, tests/data/test981,
          tests/data/test982, tests/data/test983.
        - CVE-2021-22947
    
     -- Marc Deslauriers <email address hidden>  Fri, 10 Sep 2021 10:29:24 -0400
  • curl (7.58.0-2ubuntu3.14) bionic-security; urgency=medium
    
      * SECURITY UPDATE: TELNET stack contents disclosure
        - debian/patches/CVE-2021-22898.patch: check sscanf() for correct
          number of matches in lib/telnet.c.
        - CVE-2021-22898
      * SECURITY UPDATE: Bad connection reuse due to flawed path name checks
        - debian/patches/CVE-2021-22924.patch: fix connection reuse checks for
          issuer cert and case sensitivity in lib/url.c, lib/urldata.h,
          lib/vtls/gtls.c, lib/vtls/nss.c, lib/vtls/openssl.c, lib/vtls/vtls.c.
        - CVE-2021-22924
      * SECURITY UPDATE: TELNET stack contents disclosure again
        - debian/patches/CVE-2021-22925.patch: fix option parser to not send
          uninitialized contents in lib/telnet.c.
        - CVE-2021-22925
    
     -- Marc Deslauriers <email address hidden>  Wed, 21 Jul 2021 08:37:41 -0400
  • curl (7.58.0-2ubuntu3.13) bionic-security; urgency=medium
    
      * SECURITY UPDATE: data leak via referer header field
        - debian/patches/urlapi.patch: backport url api support in
          include/curl/Makefile.am, include/curl/curl.h, include/curl/urlapi.h,
          lib/Makefile.inc, lib/urlapi-int.h, lib/urlapi.c,
          lib/curl_setup_once.h, lib/url.c, lib/url.h, lib/escape.c,
          lib/escape.h, docs/libcurl/symbols-in-versions.
        - debian/libcurl*.symbols: added new symbols.
        - debian/patches/CVE-2021-22876.patch: strip credentials from the
          auto-referer header field in lib/transfer.c.
        - CVE-2021-22876
    
     -- Marc Deslauriers <email address hidden>  Tue, 23 Mar 2021 09:13:58 -0400
  • curl (7.58.0-2ubuntu3.12) bionic-security; urgency=medium
    
      * SECURITY UPDATE: FTP redirect to malicious host via PASV response
        - debian/patches/CVE-2020-8284.patch: use CURLOPT_FTP_SKIP_PASV_IP by
          default in lib/url.c, src/tool_cfgable.c, docs/*, tests/data/*.
        - CVE-2020-8284
      * SECURITY UPDATE: FTP wildcard stack buffer overflow in libcurl
        - debian/patches/CVE-2020-8285.patch: make wc_statemach loop instead of
          recurse in lib/ftp.c.
        - CVE-2020-8285
      * SECURITY UPDATE: Inferior OCSP verification
        - debian/patches/CVE-2020-8286.patch: make the OCSP verification verify
          the certificate id in lib/vtls/openssl.c.
        - CVE-2020-8286
    
     -- Marc Deslauriers <email address hidden>  Tue, 01 Dec 2020 13:01:10 -0500
  • curl (7.58.0-2ubuntu3.10) bionic-security; urgency=medium
    
      * SECURITY UPDATE: wrong connect-only connection
        - debian/patches/CVE-2020-8231.patch: remember last connection by id,
          not by pointer in lib/connect.c, lib/easy.c, lib/multi.c, lib/url.c,
          lib/urldata.h.
        - CVE-2020-8231
    
     -- Marc Deslauriers <email address hidden>  Thu, 13 Aug 2020 13:38:57 -0400
  • curl (7.58.0-2ubuntu3.9) bionic-security; urgency=medium
    
      * SECURITY UPDATE: curl overwrite local file with -J
        - debian/patches/CVE-2020-8177.patch: -i is not OK if -J is used in
          src/tool_cb_hdr.c, src/tool_getparam.c.
        - CVE-2020-8177
    
     -- Marc Deslauriers <email address hidden>  Wed, 17 Jun 2020 09:19:29 -0400
  • curl (7.58.0-2ubuntu3.8) bionic-security; urgency=medium
    
      * SECURITY UPDATE: double-free when using kerberos over FTP may cause
        denial-of-service
        - debian/patches/CVE-2019-5481.patch: update lib/security.c to avoid
          double-free on large memory allocation failures
        - CVE-2019-5481
      * SECURITY UPDATE: heap buffer overflow when receiving TFTP data may
        cause denial-of-service or remote code-execution
        - debian/patches/CVE-2019-5482.patch: ensure to use the correct block
          size when calling recvfrom() if the server returns an OACK without
          specifying a block size in lib/tftp.c
        - CVE-2019-5482
    
     -- Alex Murray <email address hidden>  Fri, 06 Sep 2019 14:57:21 +0930
  • curl (7.58.0-2ubuntu3.7) bionic-security; urgency=medium
    
      * SECURITY UPDATE: TFTP receive buffer overflow
        - debian/patches/CVE-2019-5346.patch: use the current blksize in
          lib/tftp.c.
        - CVE-2019-5346
    
     -- Marc Deslauriers <email address hidden>  Thu, 16 May 2019 08:40:17 -0400
  • curl (7.58.0-2ubuntu3.6) bionic-security; urgency=medium
    
      * SECURITY UPDATE: NTLM type-2 out-of-bounds buffer read
        - debian/patches/CVE-2018-16890.patch: fix size check condition for
          type2 received data in lib/vauth/ntlm.c.
        - CVE-2018-16890
      * SECURITY UPDATE: NTLMv2 type-3 header stack buffer overflow
        - debian/patches/CVE-2019-3822.patch: fix *_type3_message size check to
          avoid buffer overflow in lib/vauth/ntlm.c.
        - CVE-2019-3822
      * SECURITY UPDATE: SMTP end-of-response out-of-bounds read
        - debian/patches/CVE-2019-3823.patch: avoid risk of buffer overflow in
          strtol in lib/smtp.c.
        - CVE-2019-3823
    
     -- Marc Deslauriers <email address hidden>  Tue, 29 Jan 2019 08:48:30 -0500
  • curl (7.58.0-2ubuntu3.5) bionic-security; urgency=medium
    
      * SECURITY UPDATE: SASL password overflow via integer overflow
        - debian/patches/CVE-2018-16839-pre.patch: fix integer overflow check
          in lib/curl_ntlm_core.c, lib/curl_setup.h, lib/vauth/cleartext.c.
        - debian/patches/CVE-2018-16839.patch: fix check in
          lib/vauth/cleartext.c.
        - CVE-2018-16839
      * SECURITY UPDATE: warning message out-of-buffer read
        - debian/patches/oob-read.patch: fix bad arithmetic in src/tool_msgs.c.
        - CVE number pending
    
     -- Marc Deslauriers <email address hidden>  Mon, 29 Oct 2018 08:10:57 -0400
  • curl (7.58.0-2ubuntu3.3) bionic-security; urgency=medium
    
      * SECURITY UPDATE: Buffer overrun
        - debian/patches/CVE-2018-14618.patch: fix in
          lib/curl_ntlm_core.c.
        - CVE-2018-14618
    
     -- <email address hidden> (Leonidas S. Barbosa)  Thu, 13 Sep 2018 13:06:47 -0300
  • curl (7.58.0-2ubuntu3.2) bionic-security; urgency=medium
    
      * SECURITY UPDATE: SMTP send heap buffer overflow
        - debian/patches/CVE-2018-0500.patch: use the upload buffer size for
          scratch buffer malloc in lib/smtp.c.
        - CVE-2018-0500
    
     -- Marc Deslauriers <email address hidden>  Wed, 04 Jul 2018 10:18:17 -0400
  • curl (7.58.0-2ubuntu3.1) bionic-security; urgency=medium
    
      * SECURITY UPDATE: FTP shutdown response buffer overflow
        - debian/patches/CVE-2018-1000300.patch: check data size in
          lib/pingpong.c.
        - CVE-2018-1000303
      * SECURITY UPDATE: RTSP bad headers buffer over-read
        - debian/patches/CVE-2018-1000301.patch: restore buffer pointer when
          bad response-line is parsed in lib/http.c.
        - CVE-2018-1000301
    
     -- Marc Deslauriers <email address hidden>  Tue, 08 May 2018 13:47:34 -0400
  • curl (7.58.0-2ubuntu3) bionic; urgency=medium
    
      * SECURITY UPDATE: FTP path trickery leads to NIL byte OOB write
        - debian/patches/CVE-2018-1000120.patch: reject path components with
          control codes in lib/ftp.c, add test to tests/*.
        - CVE-2018-1000120
      * SECURITY UPDATE: LDAP NULL pointer dereference
        - debian/patches/CVE-2018-1000121.patch: check ldap_get_attribute_ber()
          results for NULL before using in lib/openldap.c.
        - CVE-2018-1000121
      * SECURITY UPDATE: RTSP RTP buffer over-read
        - debian/patches/CVE-2018-1000122.patch: make sure excess reads don't
          go beyond buffer end in lib/transfer.c.
        - CVE-2018-1000122
    
     -- Marc Deslauriers <email address hidden>  Thu, 15 Mar 2018 08:20:41 -0400
  • curl (7.58.0-2ubuntu2) bionic; urgency=medium
    
      * Build-depend on libssl-dev instead of libssl1.0-dev.
      * Rename libcurl3 to libcurl4, because libcurl exposes an SSL_CTX via
        CURLOPT_SSL_CTX_FUNCTION, and this object changes incompatibly between
        openssl 1.0 and openssl 1.1.
      * debian/patches/03_keep_symbols_compat.patch: drop, since we are no longer
        claiming compatibility.
      * debian/patches/90_gnutls.patch: Retain symbol versioning compatibility for
        non-OpenSSL builds.  Closes: #858398.
    
     -- Steve Langasek <email address hidden>  Wed, 21 Feb 2018 08:21:31 -0800
  • curl (7.58.0-2ubuntu1) bionic; urgency=medium
    
      * Use an if statement to conditionally disable libssh2 in Ubuntu-only
    
    curl (7.58.0-2) unstable; urgency=medium
    
      * Explicitly enable libssh2 support which got silently disabled in the
        previous update
    
     -- Gianfranco Costamagna <email address hidden>  Thu, 25 Jan 2018 10:19:32 +0100
  • curl (7.58.0-2) unstable; urgency=medium
    
      * Explicitly enable libssh2 support which got silently disabled in the
        previous update
    
     -- Alessandro Ghedini <email address hidden>  Wed, 24 Jan 2018 20:27:50 +0000
  • curl (7.58.0-1ubuntu1) bionic; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - Drop dependencies not in main:
          + Build-Depends: Drop libssh2-1-dev.
    
    curl (7.58.0-1) unstable; urgency=medium
    
      * New upstream release
        - Fix HTTP/2 trailer out-of-bounds read as per CVE-2018-1000005
          https://curl.haxx.se/docs/adv_2018-824a.html
        - Fix HTTP authentication leak in redirects as per CVE-2018-1000007
          https://curl.haxx.se/docs/adv_2018-b3bf.html
      * Point Vcs-* to salsa.d.o
      * Bump Standards-Version to 4.1.3 (no changes needed)
      * Bump debhelper compat level to 11
      * Refresh patches
      * fix insecure-copyright-format-uri
    
     -- Julian Andres Klode <email address hidden>  Wed, 24 Jan 2018 22:31:28 +0100
  • curl (7.57.0-1ubuntu1) bionic; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - Drop dependencies not in main:
          + Build-Depends: Drop libssh2-1-dev.
    
    curl (7.57.0-1) unstable; urgency=medium
    
      * New upstream release
        - Fix NTLM buffer overflow via integer overflow as per CVE-2017-8816
          https://curl.haxx.se/docs/adv_2017-11e7.html
        - Fix FTP wildcard out of bounds read as per CVE-2017-8817
          https://curl.haxx.se/docs/adv_2017-ae72.html
        - Fix SSL out of buffer access as per CVE-2017-8818
          https://curl.haxx.se/docs/adv_2017-af0a.html
      * Remove -fdebug-prefix-map from curl-config.
        Thanks to Timo Weingärtner for the patch (Closes: #861974, #874223, #874238)
      * Don't install zsh completion when cross compiling.
        Thanks to Wookey for the patch (Closes: #812965)
    
    curl (7.56.1-1) unstable; urgency=medium
    
      * New upstream release
        - Fix IMAP FETCH response out of bounds read as per CVE-2017-1000257
          https://curl.haxx.se/docs/adv_20171023.html
      * Bump Standards-Version to 4.1.1 (no changes needed)
      * Drop 01_runtests_gdb.patch
      * Drop 12_dont-wait-on-CONNECT.patch
      * Refresh patches
      * Update *.symbols files
      * Use https:// URL in watch file
    
     -- Gianfranco Costamagna <email address hidden>  Wed, 06 Dec 2017 18:11:20 +0100
  • curl (7.55.1-1ubuntu3) bionic; urgency=medium
    
      * SECURITY UPDATE: NTLM buffer overflow via integer overflow
        - debian/patches/CVE-2017-8816.patch: avoid integer overflow for malloc
          size in lib/curl_ntlm_core.c
        - CVE-2017-8816
      * SECURITY UPDATE: FTP wildcard out of bounds read
        - debian/patches/CVE-2017-8817.patch: fix heap buffer overflow in
          setcharset in lib/curl_fnmatch.c, added tests to
          tests/data/Makefile.inc, tests/data/test1163.
        - CVE-2017-8817
    
     -- Marc Deslauriers <email address hidden>  Wed, 29 Nov 2017 15:29:49 -0500
  • curl (7.55.1-1ubuntu2.1) artful-security; urgency=medium
    
      * SECURITY UPDATE: IMAP FETCH response out of bounds read
        - debian/patches/CVE-2017-1000257.patch: check size in lib/imap.c.
        - CVE-2017-1000257
    
     -- Marc Deslauriers <email address hidden>  Fri, 20 Oct 2017 11:06:14 -0400
  • curl (7.55.1-1ubuntu2) artful; urgency=medium
    
      * SECURITY UPDATE: FTP PWD response parser out of bounds read
        - debian/patches/CVE-2017-1000254.patch: zero terminate the entry path
          even on bad input in lib/ftp.c, added test to
          tests/data/Makefile.inc, tests/data/test1152.
        - CVE-2017-1000254
    
     -- Marc Deslauriers <email address hidden>  Wed, 04 Oct 2017 08:35:10 -0400