Change logs for curl source package in Groovy

  • curl (7.68.0-1ubuntu4.3) groovy-security; urgency=medium
    
      * SECURITY UPDATE: data leak via referer header field
        - debian/patches/CVE-2021-22876.patch: strip credentials from the
          auto-referer header field in lib/transfer.c.
        - CVE-2021-22876
      * SECURITY UPDATE: TLS 1.3 session ticket proxy host mixup
        - debian/patches/CVE-2021-22890.patch: make sure we set and extract the
          correct session in lib/vtls/*.
        - CVE-2021-22890
    
     -- Marc Deslauriers <email address hidden>  Mon, 22 Mar 2021 10:34:32 -0400
  • curl (7.68.0-1ubuntu4.2) groovy-security; urgency=medium
    
      * SECURITY UPDATE: wrong connect-only connection
        - debian/patches/CVE-2020-8231.patch: remember last connection by id,
          not by pointer in lib/connect.c, lib/easy.c, lib/multi.c, lib/url.c,
          lib/urldata.h.
        - CVE-2020-8231
      * SECURITY UPDATE: FTP redirect to malicious host via PASV response
        - debian/patches/CVE-2020-8284.patch: use CURLOPT_FTP_SKIP_PASV_IP by
          default in lib/url.c, src/tool_cfgable.c, docs/*, tests/data/*.
        - CVE-2020-8284
      * SECURITY UPDATE: FTP wildcard stack buffer overflow in libcurl
        - debian/patches/CVE-2020-8285.patch: make wc_statemach loop instead of
          recurse in lib/ftp.c.
        - CVE-2020-8285
      * SECURITY UPDATE: Inferior OCSP verification
        - debian/patches/CVE-2020-8286.patch: make the OCSP verification verify
          the certificate id in lib/vtls/openssl.c.
        - CVE-2020-8286
    
     -- Marc Deslauriers <email address hidden>  Mon, 30 Nov 2020 10:49:53 -0500
  • curl (7.68.0-1ubuntu4) groovy; urgency=medium
    
      * No change rebuild against new libnettle8 and libhogweed6 ABI.
    
     -- Dimitri John Ledkov <email address hidden>  Mon, 29 Jun 2020 22:23:05 +0100
  • curl (7.68.0-1ubuntu3) groovy; urgency=medium
    
      * SECURITY UPDATE: Partial password leak over DNS on HTTP redirect
        - debian/patches/CVE-2020-8169.patch: make the updated credentials
          URL-encoded in the URL in lib/url.c, tests/data/test1168,
          tests/data/Makefile.inc.
        - CVE-2020-8169
      * SECURITY UPDATE: curl overwrite local file with -J
        - debian/patches/CVE-2020-8177.patch: -i is not OK if -J is used in
          src/tool_cb_hdr.c, src/tool_getparam.c.
        - CVE-2020-8177
    
     -- Marc Deslauriers <email address hidden>  Mon, 29 Jun 2020 10:47:54 -0400
  • curl (7.68.0-1ubuntu2) focal; urgency=medium
    
      * debian/patches/git_tls13_gnutls.patch:
        - Ensure TLS 1.3 works with GnuTLS, thanks Dirkjan Bussink for writing
          the patch and pointing it out on Launchpad! (lp: #1872698)
    
     -- Sebastien Bacher <email address hidden>  Wed, 15 Apr 2020 08:27:03 +0200