-
curl (7.64.0-2ubuntu1.2) disco-security; urgency=medium
* SECURITY UPDATE: double-free when using kerberos over FTP may cause
denial-of-service
- debian/patches/CVE-2019-5481.patch: update lib/security.c to avoid
double-free on large memory allocation failures
- CVE-2019-5481
* SECURITY UPDATE: heap buffer overflow when receiving TFTP data may
cause denial-of-service or remote code-execution
- debian/patches/CVE-2019-5482.patch: ensure to use the correct block
size when calling recvfrom() if the server returns an OACK without
specifying a block size in lib/tftp.c
- CVE-2019-5482
-- Alex Murray <email address hidden> Fri, 06 Sep 2019 14:50:00 +0930
-
curl (7.64.0-2ubuntu1.1) disco-security; urgency=medium
* SECURITY UPDATE: Integer overflows in curl_url_set()
- debian/patches/CVE-2019-5345.patch: limit sizes in lib/setopt.c,
lib/urlapi.c, lib/urldata.h, tests/data/Makefile.inc,
tests/data/test1559, tests/libtest/Makefile.inc,
tests/libtest/lib1559.c.
- CVE-2019-5345
* SECURITY UPDATE: TFTP receive buffer overflow
- debian/patches/CVE-2019-5346.patch: use the current blksize in
lib/tftp.c.
- CVE-2019-5346
-- Marc Deslauriers <email address hidden> Thu, 16 May 2019 08:32:04 -0400
-
curl (7.64.0-2ubuntu1) disco; urgency=low
* Merge from Debian unstable. Remaining changes:
* debian/control, debian/rules:
- build with libssh instead of libssh2, that's a better maintained
library and it's in Ubuntu main (lp: #311029)
curl (7.64.0-2) unstable; urgency=medium
* Fix infinite loop when fetching URLs with unreachable IPv6 (Closes: #922554)
-- Gianfranco Costamagna <email address hidden> Fri, 05 Apr 2019 17:50:51 +0200
-
curl (7.64.0-1ubuntu1) disco; urgency=medium
* Resynchronize with Debian, remaining change
* debian/control, debian/rules:
- build with libssh instead of libssh2, that's a better maintained
library and it's in Ubuntu main (lp: #311029)
curl (7.64.0-1) unstable; urgency=medium
* New upstream release
+ Fix NTLM type-2 out-of-bounds buffer read as per CVE-2018-16890
https://curl.haxx.se/docs/CVE-2018-16890.html
+ Fix NTLMv2 type-3 header stack buffer overflow as per CVE-2019-3822
https://curl.haxx.se/docs/CVE-2019-3822.html
+ Fix SMTP end-of-response out-of-bounds read as per CVE-2019-3823
https://curl.haxx.se/docs/CVE-2019-3823.html
+ Fix HTTP negotiation with POST requests (Closes: #920267)
-- Sebastien Bacher <email address hidden> Thu, 14 Feb 2019 16:49:23 +0100
-
curl (7.63.0-1ubuntu1) disco; urgency=medium
* debian/control, debian/rules:
- build with libssh instead of libssh2, that's a better maintained
library and it's in Ubuntu main (lp: #311029)
-- Sebastien Bacher <email address hidden> Thu, 31 Jan 2019 15:29:39 +0100
-
curl (7.63.0-1) unstable; urgency=medium
* New upstream release
+ Fix IPv6 numeral address parser (Closes: #915520)
+ Fix timeout handling (Closes: #914793)
+ Fix HTTP auth to include query in URI (Closes: #913214)
* Drop 12_fix-runtests-curl.patch (merged upstream)
* Update symbols
* Update copyright for removed files
* Bump debhelper compat level to 12
* Bump Standards-Version to 4.3.0 (no changes needed)
-- Alessandro Ghedini <email address hidden> Tue, 15 Jan 2019 20:47:40 +0000
-
curl (7.62.0-1) unstable; urgency=medium
* New upstream release
+ Fix NTLM password overflow via integer overflow as per CVE-2018-14618
(Closes: #908327) https://curl.haxx.se/docs/CVE-2018-14618.html
+ Fix SASL password overflow via integer overflow as per CVE-2018-16839
https://curl.haxx.se/docs/CVE-2018-16839.html
+ Fix use-after-free in handle close as per CVE-2018-16840
https://curl.haxx.se/docs/CVE-2018-16840.html
+ Fix warning message out-of-buffer read as per CVE-2018-16842
https://curl.haxx.se/docs/CVE-2018-16842.html
+ Fix broken terminal output (closes: #911333)
* Refresh patches
* Add 12_fix-runtests-curl.patch to fix running curl in tests
-- Alessandro Ghedini <email address hidden> Wed, 31 Oct 2018 22:42:44 +0000
-
curl (7.61.0-1ubuntu2.2) cosmic-security; urgency=medium
* SECURITY UPDATE: SASL password overflow via integer overflow
- debian/patches/CVE-2018-16839.patch: fix check in
lib/vauth/cleartext.c.
- CVE-2018-16839
* SECURITY UPDATE: use-after-free in handle close
- debian/patches/CVE-2018-16840.patch: fix issue in lib/url.c.
- CVE-2018-16840
* SECURITY UPDATE: warning message out-of-buffer read
- debian/patches/oob-read.patch: fix bad arithmetic in src/tool_msgs.c.
- CVE number pending
-- Marc Deslauriers <email address hidden> Mon, 29 Oct 2018 08:08:34 -0400
-
curl (7.61.0-1ubuntu2) cosmic; urgency=high
* No change rebuild against openssl 1.1.1 with TLS 1.3 support.
-- Dimitri John Ledkov <email address hidden> Sat, 29 Sep 2018 01:36:46 +0100