-
curl (7.22.0-3ubuntu4.29) precise-security; urgency=medium
[ Marc Deslauriers ]
* SECURITY UPDATE: FTP redirect to malicious host via PASV response
- debian/patches/CVE-2020-8284.patch: use CURLOPT_FTP_SKIP_PASV_IP by
default in lib/url.c, src/main.c.
- CVE-2020-8284
* SECURITY UPDATE: FTP wildcard stack buffer overflow in libcurl
- debian/patches/CVE-2020-8285.patch: make wc_statemach loop instead of
recurse in lib/ftp.c.
- CVE-2020-8285
-- Leonidas Da Silva Barbosa <email address hidden> Thu, 03 Dec 2020 11:42:29 -0300
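Worked example, added here and not code from curl or the Ubuntu package: the decision that the CVE-2020-8284 fix above makes the default, written out as a small parser for the FTP "227 Entering Passive Mode" reply. Before the change libcurl opened its data connection to whatever address the server put in that reply; with CURLOPT_FTP_SKIP_PASV_IP (the tool's --ftp-skip-pasv-ip) it keeps the control-connection host and takes only the port. The reply text and the addresses below are constructed for the demo.

```c
/* Added example, not libcurl code: parse an FTP 227 reply and decide where
 * the data connection goes. skip_pasv_ip mirrors CURLOPT_FTP_SKIP_PASV_IP:
 * ignore the advertised address and keep talking to the control host. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ftp_data_addr {
    char host[64];
    unsigned short port;
};

/* Parse "(h1,h2,h3,h4,p1,p2)" out of a 227 reply. Returns 1 on success,
 * 0 for anything malformed (wrong code, non-octet values, port 0). */
static int parse_pasv_reply(const char *reply, unsigned char ip[4],
                            unsigned *port)
{
    unsigned long v[6];
    const char *p;
    int i;

    if (strncmp(reply, "227", 3) != 0 || (p = strchr(reply, '(')) == NULL)
        return 0;
    p++;
    for (i = 0; i < 6; i++) {
        char *end;
        if (!isdigit((unsigned char)*p))
            return 0;
        v[i] = strtoul(p, &end, 10);
        if (v[i] > 255)
            return 0;                 /* each number is one octet */
        p = end;
        if (i < 5 && *p++ != ',')
            return 0;
    }
    if (*p != ')')
        return 0;
    for (i = 0; i < 4; i++)
        ip[i] = (unsigned char)v[i];
    *port = (unsigned)(v[4] << 8 | v[5]);
    return *port != 0;
}

/* control_host is the host the control connection was opened to, i.e. the
 * server the client actually intended to talk to. */
static int choose_data_addr(const char *reply, const char *control_host,
                            int skip_pasv_ip, struct ftp_data_addr *out)
{
    unsigned char ip[4];
    unsigned port;

    if (!parse_pasv_reply(reply, ip, &port))
        return 0;
    out->port = (unsigned short)port;
    if (skip_pasv_ip)
        /* Hardened default: never follow the server-supplied address. */
        snprintf(out->host, sizeof out->host, "%s", control_host);
    else
        /* Pre-fix behaviour: connect wherever the reply points. */
        snprintf(out->host, sizeof out->host, "%u.%u.%u.%u",
                 ip[0], ip[1], ip[2], ip[3]);
    return 1;
}

/* Convenience check used by the demo and by tests. */
static int pasv_resolves_to(const char *reply, const char *control_host,
                            int skip_pasv_ip, const char *want_host,
                            unsigned want_port)
{
    struct ftp_data_addr a;
    if (!choose_data_addr(reply, control_host, skip_pasv_ip, &a))
        return 0;
    return strcmp(a.host, want_host) == 0 && a.port == want_port;
}

int main(void)
{
    /* Constructed reply from a hostile server at 198.51.100.20 that points
     * the client at an unrelated host, 203.0.113.9. */
    const char *reply = "227 Entering Passive Mode (203,0,113,9,195,80)";
    struct ftp_data_addr a;
    int skip;

    for (skip = 0; skip <= 1; skip++)
        if (choose_data_addr(reply, "198.51.100.20", skip, &a))
            printf("skip_pasv_ip=%d -> data connection to %s:%u\n",
                   skip, a.host, a.port);
    return 0;
}
```

The option itself predates the fix; what curl 7.74.0 changed is only the default, so on a libcurl this old an application has to set CURLOPT_FTP_SKIP_PASV_IP itself (or pass --ftp-skip-pasv-ip to the tool). The port from the reply is still honoured either way.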
-
curl (7.22.0-3ubuntu4.17) precise-security; urgency=medium
* SECURITY UPDATE: Incorrect reuse of client certificates with NSS
- debian/patches/CVE-2016-7141.patch: refuse previously loaded
certificate from file in lib/nss.c.
- CVE-2016-7141
* SECURITY UPDATE: curl escape and unescape integer overflows
- debian/patches/CVE-2016-7167.patch: deny negative string length
inputs in lib/escape.c.
- CVE-2016-7167
* SECURITY UPDATE: cookie injection for other servers
- debian/patches/CVE-2016-8615.patch: ignore lines that are too long in
lib/cookie.c.
- CVE-2016-8615
* SECURITY UPDATE: case insensitive password comparison
- debian/patches/CVE-2016-8616.patch: use case sensitive user/password
comparisons in lib/url.c.
- CVE-2016-8616
* SECURITY UPDATE: OOB write via unchecked multiplication
- debian/patches/CVE-2016-8617.patch: check for integer overflow on
large input in lib/base64.c.
- CVE-2016-8617
* SECURITY UPDATE: double-free in curl_maprintf
- debian/patches/CVE-2016-8618.patch: detect wrap-around when growing
allocation in lib/mprintf.c.
- CVE-2016-8618
* SECURITY UPDATE: double-free in krb5 code
- debian/patches/CVE-2016-8619.patch: avoid realloc in lib/security.c.
- CVE-2016-8619
* SECURITY UPDATE: curl_getdate read out of bounds
- debian/patches/CVE-2016-8621.patch: handle cut off numbers better in
lib/parsedate.c, added tests to tests/data/test517,
tests/libtest/lib517.c.
- CVE-2016-8621
* SECURITY UPDATE: URL unescape heap overflow via integer truncation
- debian/patches/CVE-2016-8622.patch: avoid integer overflow in
lib/dict.c, lib/escape.c, update docs/libcurl/curl_easy_unescape.3.
- CVE-2016-8622
* SECURITY UPDATE: Use-after-free via shared cookies
- debian/patches/CVE-2016-8623.patch: hold deep copies of all cookies
in lib/cookie.c, lib/cookie.h, lib/http.c.
- CVE-2016-8623
* SECURITY UPDATE: invalid URL parsing with #
- debian/patches/CVE-2016-8624.patch: accept # as end of host name in
lib/url.c.
- CVE-2016-8624
-- Marc Deslauriers <email address hidden> Thu, 03 Nov 2016 08:03:52 -0400
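Worked example, added here and not code from curl or the Ubuntu package, for the CVE-2016-8617 item above ("check for integer overflow on large input in lib/base64.c"). The other integer bugs in this entry (CVE-2016-8618, CVE-2016-8622) are the same class: a size is computed, the arithmetic wraps, and the allocation comes out too small. The pre-fix expression `insize * 4 / 3 + 4` multiplies before it checks, so with a 32-bit size_t a 1 GiB input wraps the product to 0 and yields a 4-byte buffer; the hardened version bounds insize before multiplying. The 32-bit case is simulated with uint32_t so it can be shown on a 64-bit host; the encoder and its inputs are constructed for the demo.

```c
/* Added example, not libcurl code: safe output sizing for base64 encoding. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pre-fix arithmetic as it executes with a 32-bit size_t. */
static uint32_t naive_outsize32(uint32_t insize)
{
    return insize * 4 / 3 + 4;      /* wraps for insize >= 0x40000000 */
}

/* Hardened: refuse any insize whose product cannot be represented.
 * size_max stands in for SIZE_MAX of the target platform. Returns the
 * buffer size, or 0 when the input is too large. */
static size_t checked_outsize(size_t insize, size_t size_max)
{
    if (insize > size_max / 4)
        return 0;
    return insize * 4 / 3 + 4;
}

static const char b64tab[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encode n bytes; returns a malloc'd NUL-terminated string or NULL. */
static char *base64_encode(const unsigned char *in, size_t n)
{
    size_t need = checked_outsize(n, SIZE_MAX), i, o = 0;
    char *out;

    if (need == 0 || (out = malloc(need)) == NULL)
        return NULL;
    for (i = 0; i + 2 < n; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16 | (uint32_t)in[i + 1] << 8 | in[i + 2];
        out[o++] = b64tab[v >> 18 & 63];
        out[o++] = b64tab[v >> 12 & 63];
        out[o++] = b64tab[v >> 6 & 63];
        out[o++] = b64tab[v & 63];
    }
    if (i < n) {                                   /* 1 or 2 trailing bytes */
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < n)
            v |= (uint32_t)in[i + 1] << 8;
        out[o++] = b64tab[v >> 18 & 63];
        out[o++] = b64tab[v >> 12 & 63];
        out[o++] = (i + 1 < n) ? b64tab[v >> 6 & 63] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';
    return out;
}

/* Check helper used by the demo and by tests. */
static int base64_encodes_to(const char *s, const char *want)
{
    char *enc = base64_encode((const unsigned char *)s, strlen(s));
    int ok = enc != NULL && strcmp(enc, want) == 0;
    free(enc);
    return ok;
}

int main(void)
{
    printf("32-bit naive size for 1 GiB input: %u bytes\n",
           (unsigned)naive_outsize32(0x40000000u));
    printf("32-bit checked size for 1 GiB input: %zu (0 = refused)\n",
           checked_outsize(0x40000000u, UINT32_MAX));
    printf("encode ok: %d\n", base64_encodes_to("Hello, world!",
                                                "SGVsbG8sIHdvcmxkIQ=="));
    return 0;
}
```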
-
curl (7.22.0-3ubuntu4.16) precise-security; urgency=medium
* SECURITY UPDATE: TLS session resumption client cert bypass
- debian/patches/CVE-2016-5419.patch: switch off SSL session id when
client cert is used in lib/url.c, lib/urldata.h, lib/sslgen.c.
- CVE-2016-5419
* SECURITY UPDATE: re-using connections with wrong client cert
- debian/patches/CVE-2016-5420.patch: only reuse connections with the
same client cert in lib/sslgen.c.
- CVE-2016-5420
-- Marc Deslauriers <email address hidden> Fri, 05 Aug 2016 11:27:56 -0400
-
curl (7.22.0-3ubuntu4.15) precise-security; urgency=medium
* SECURITY UPDATE: NTLM credentials not-checked for proxy connection
re-use
- debian/patches/ntlm-backports.patch: backport misc NTLM fixes.
- debian/patches/CVE-2014-0015.patch: refreshed.
- debian/patches/CVE-2014-0138.patch: refreshed.
- debian/patches/CVE-2014-3143.patch: refreshed.
- debian/patches/CVE-2016-0755.patch: fix ConnectionExists to compare
Proxy credentials in lib/url.c.
- CVE-2016-0755
-- Marc Deslauriers <email address hidden> Wed, 27 Jan 2016 08:02:54 -0500
-
curl (7.22.0-3ubuntu4.14) precise-security; urgency=medium
* SECURITY UPDATE: NTLM connection reuse when unauthenticated
- debian/patches/CVE-2015-3143.patch: require credentials to match in
lib/url.c.
- CVE-2015-3143
* SECURITY UPDATE: negotiate not treated as connection-oriented
- debian/patches/CVE-2015-3148.patch: don't clear GSSAPI state between
each exchange and close Negotiate connections when done in
lib/http.c, lib/http_negotiate.c, lib/http_negotiate_sspi.c.
- CVE-2015-3148
-- Marc Deslauriers <email address hidden> Wed, 29 Apr 2015 14:03:35 -0400
-
curl (7.22.0-3ubuntu4.12) precise-security; urgency=medium
* SECURITY UPDATE: URL request injection
- debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
lib/url.c.
- CVE-2014-8150
-- Marc Deslauriers <email address hidden> Wed, 14 Jan 2015 08:51:55 -0500
-
curl (7.22.0-3ubuntu4.11) precise-security; urgency=medium
* SECURITY UPDATE: sensitive data disclosure via duphandle read out of
bounds
- debian/patches/CVE-2014-3707.patch: properly copy memory area in
lib/formdata.c, lib/strdup.{c,h}, lib/url.c, lib/urldata.h,
src/Makefile.inc.
- CVE-2014-3707
-- Marc Deslauriers <email address hidden> Thu, 06 Nov 2014 12:03:12 -0500
-
curl (7.22.0-3ubuntu4.10) precise-security; urgency=medium
* SECURITY UPDATE: incorrect cookie handling via partial literal IP
addresses
- debian/patches/CVE-2014-3613.patch: only use full host matches for
hosts used as IP address in lib/cookie.c, added tests to
tests/data/test1105, tests/data/test31, tests/data/test8.
- CVE-2014-3613
-- Marc Deslauriers <email address hidden> Fri, 12 Sep 2014 08:39:14 -0400
-
curl (7.22.0-3ubuntu4.8) precise-security; urgency=medium
* SECURITY UPDATE: wrong re-use of connections
- debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
HTTP logic, and extend new connection logic to other protocols in
lib/http.c, lib/url.c, lib/urldata.h, add new tests to
tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
- CVE-2014-0138
* SECURITY UPDATE: incorrect wildcard SSL certificate validation with
literal IP addresses
- debian/patches/CVE-2014-0139.patch: fix wildcard logic in
lib/ssluse.c.
- CVE-2014-0139
* debian/patches/fix_test172.path: fix expired cookie causing test to
fail.
* debian/patches/disable_test519.path: disable test 519 as security
update causes it to hang. Fixing this would require backporting new
logic into tests/server/sws.c.
-- Marc Deslauriers <email address hidden> Tue, 01 Apr 2014 17:02:01 -0400
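Worked example, added here and not code from curl or the Ubuntu package, for the CVE-2014-0139 item above: matching a certificate name pattern against the host the client dialled. Wildcards are honoured only for DNS names and only as the entire left-most label; a host given as an IP-address literal must match a certificate name exactly. The `*.168.1.2` pattern used below is constructed to show the bug class; the exact certificate from the advisory is not on this page. Real verification also prefers subjectAltName entries over the CN and handles IDN, which is left out here.

```c
/* Added example, not libcurl code: hostname matching against a certificate
 * name, with and without the "no wildcards for IP literals" rule. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>

static int is_ip_literal(const char *host)
{
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* reject_ip_wildcard=0 reproduces the pre-CVE-2014-0139 behaviour;
 * 1 is the fixed behaviour. */
static int cert_hostmatch(const char *pattern, const char *host,
                          int reject_ip_wildcard)
{
    const char *pat_dot, *host_dot;

    if (strchr(pattern, '*') == NULL)
        return strcasecmp(pattern, host) == 0;      /* no wildcard: exact */
    if (reject_ip_wildcard && is_ip_literal(host))
        return 0;                                   /* IP literals: exact only */
    /* the wildcard must be the whole first label: "*.example.com" */
    if (pattern[0] != '*' || pattern[1] != '.')
        return 0;
    pat_dot = pattern + 1;
    if (strchr(pat_dot + 1, '*') || strchr(pat_dot + 1, '.') == NULL)
        return 0;                 /* no second wildcard, no "*.com" */
    host_dot = strchr(host, '.');
    if (host_dot == NULL || host_dot == host)
        return 0;                 /* wildcard replaces one non-empty label */
    return strcasecmp(host_dot, pat_dot) == 0;
}

int main(void)
{
    printf("*.example.com vs www.example.com: %d\n",
           cert_hostmatch("*.example.com", "www.example.com", 1));
    printf("*.168.1.2 vs 192.168.1.2, old rule: %d\n",
           cert_hostmatch("*.168.1.2", "192.168.1.2", 0));
    printf("*.168.1.2 vs 192.168.1.2, fixed rule: %d\n",
           cert_hostmatch("*.168.1.2", "192.168.1.2", 1));
    return 0;
}
```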
-
curl (7.22.0-3ubuntu4.7) precise-security; urgency=medium
* SECURITY UPDATE: information disclosure via incorrect NTLM credential
reuse
- debian/patches/CVE-2014-0015.patch: don't reuse connections if NTLM
auth is used in lib/url.c.
- CVE-2014-0015
-- Marc Deslauriers <email address hidden> Fri, 31 Jan 2014 08:35:16 -0500
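Worked example, added here and not code from curl or the Ubuntu package, for the connection-reuse entries above (CVE-2014-0015, CVE-2014-0138, CVE-2015-3143, CVE-2016-0755 and the case-sensitivity fix CVE-2016-8616). NTLM authenticates the TCP connection itself, so a cached connection may only serve a request that carries exactly the same credentials. The "old" variant is reconstructed from the changelog descriptions, not from the old source; the hardened variant is deliberately stricter than libcurl in that it requires matching proxy credentials for every auth type. The sample connections are constructed.

```c
/* Added example, not libcurl code: connection-cache lookup before and
 * after the credential checks. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp: used only by the vulnerable variant */

enum authtype { AUTH_NONE, AUTH_BASIC, AUTH_NTLM };

struct conn {
    const char *scheme, *host;
    int port;
    enum authtype auth;
    const char *user, *passwd;              /* NULL: unauthenticated */
    const char *proxy_user, *proxy_passwd;  /* NULL: no proxy auth */
    int in_use;
};

/* NULL equals NULL; otherwise compare, case-sensitively or not. */
static int cred_eq(const char *a, const char *b, int case_sensitive)
{
    if (!a || !b)
        return a == b;
    return (case_sensitive ? strcmp(a, b) : strcasecmp(a, b)) == 0;
}

static int same_endpoint(const struct conn *c, const struct conn *w)
{
    return !c->in_use && c->port == w->port &&
           strcmp(c->scheme, w->scheme) == 0 && strcmp(c->host, w->host) == 0;
}

/* Reconstructed pre-fix behaviour: an unauthenticated request may take an
 * NTLM-authenticated connection (CVE-2015-3143), credentials are compared
 * case-insensitively (CVE-2016-8616), proxy credentials are never compared
 * (CVE-2016-0755). */
static int conn_reusable_old(const struct conn *c, const struct conn *w)
{
    if (!same_endpoint(c, w))
        return 0;
    if (w->user == NULL)
        return 1;                        /* "no credentials, no conflict" */
    return cred_eq(c->user, w->user, 0) && cred_eq(c->passwd, w->passwd, 0);
}

/* Hardened: if either side used connection-oriented auth, the auth type,
 * user and password must match byte for byte; proxy credentials always. */
static int conn_reusable(const struct conn *c, const struct conn *w)
{
    if (!same_endpoint(c, w))
        return 0;
    if (!cred_eq(c->proxy_user, w->proxy_user, 1) ||
        !cred_eq(c->proxy_passwd, w->proxy_passwd, 1))
        return 0;
    if (c->auth == AUTH_NTLM || w->auth == AUTH_NTLM) {
        if (c->auth != w->auth)
            return 0;
        return cred_eq(c->user, w->user, 1) && cred_eq(c->passwd, w->passwd, 1);
    }
    return 1;   /* per-request auth: credentials travel with each request */
}

/* Constructed sample connections for the demo and for tests. */
static const struct conn CACHED_NTLM = {
    "http", "intranet.example", 80, AUTH_NTLM, "Alice", "Secret", NULL, NULL, 0 };
static const struct conn WANT_SAME = {
    "http", "intranet.example", 80, AUTH_NTLM, "Alice", "Secret", NULL, NULL, 0 };
static const struct conn WANT_OTHER_CASE = {
    "http", "intranet.example", 80, AUTH_NTLM, "alice", "secret", NULL, NULL, 0 };
static const struct conn WANT_ANONYMOUS = {
    "http", "intranet.example", 80, AUTH_NONE, NULL, NULL, NULL, NULL, 0 };
static const struct conn CACHED_PROXY = {
    "http", "intranet.example", 80, AUTH_NONE, NULL, NULL, "proxyuser", "pw1", 0 };
static const struct conn WANT_OTHER_PROXY = {
    "http", "intranet.example", 80, AUTH_NONE, NULL, NULL, "proxyuser", "pw2", 0 };

int main(void)
{
    printf("same creds, other case: old=%d new=%d\n",
           conn_reusable_old(&CACHED_NTLM, &WANT_OTHER_CASE),
           conn_reusable(&CACHED_NTLM, &WANT_OTHER_CASE));
    printf("anonymous request:      old=%d new=%d\n",
           conn_reusable_old(&CACHED_NTLM, &WANT_ANONYMOUS),
           conn_reusable(&CACHED_NTLM, &WANT_ANONYMOUS));
    printf("other proxy password:   old=%d new=%d\n",
           conn_reusable_old(&CACHED_PROXY, &WANT_OTHER_PROXY),
           conn_reusable(&CACHED_PROXY, &WANT_OTHER_PROXY));
    return 0;
}
```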
-
curl (7.22.0-3ubuntu4.6) precise-security; urgency=low
* SECURITY UPDATE: missing CN verification when signature verification is
disabled in GnuTLS backend.
- debian/patches/CVE-2013-6422.patch: still verify host when
CURLOPT_SSL_VERIFYPEER isn't set in lib/gtls.c.
- CVE-2013-6422
-- Marc Deslauriers <email address hidden> Tue, 17 Dec 2013 12:52:40 -0500
-
curl (7.22.0-3ubuntu4.5) precise-security; urgency=low
* SECURITY REGRESSION: can't disable cert checking in command line tool
(LP: #1258366)
- debian/patches/CVE-2013-4545.patch: properly disable host
verification when insecure mode is used in src/main.c.
- CVE-2013-4545
-- Marc Deslauriers <email address hidden> Fri, 06 Dec 2013 07:50:32 -0500
-
curl (7.22.0-3ubuntu4.4) precise-security; urgency=low
* SECURITY UPDATE: missing CN verification when signature verification is
disabled.
- debian/patches/CVE-2013-4545.patch: still verify host when
CURLOPT_SSL_VERIFYPEER isn't set in lib/ssluse.c.
- CVE-2013-4545
-- Marc Deslauriers <email address hidden> Fri, 29 Nov 2013 08:33:49 -0500
-
curl (7.22.0-3ubuntu4.3) precise; urgency=low
* Reset timecond when clearing session-info variables (LP: #1179781)
This fixes CURLINFO_CONDITION_UNMET incorrectly reporting "1"
-- Dave Chiluk <email address hidden> Fri, 23 Aug 2013 16:05:09 -0700
-
curl (7.22.0-3ubuntu4.2) precise-security; urgency=low
* SECURITY UPDATE: denial of service and possible code execution via
heap overflow in URL decoder
- debian/patches/CVE-2013-2174.patch: fix overflow in lib/escape.c,
added tests to tests/data/Makefile.am, tests/data/test1396,
tests/unit/Makefile.inc, tests/unit/unit1396.c.
- CVE-2013-2174
-- Marc Deslauriers <email address hidden> Thu, 27 Jun 2013 14:08:46 -0400
-
curl (7.22.0-3ubuntu4.1) precise-security; urgency=low
* SECURITY UPDATE: Incorrect cookie domain handling in tailmatch()
- debian/patches/curl-tailmatch.patch: enforce strict subdomain match
when sending cookies. Patch from YAMADA Yasuharu.
- http://curl.haxx.se/curl-tailmatch.patch
- CVE-2013-1944
-- Seth Arnold <email address hidden> Thu, 11 Apr 2013 13:40:46 -0700
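Worked example, added here and not code from curl or the Ubuntu package, for the cookie tail-matching fix above (CVE-2013-1944) and the later partial-IP fix in 7.22.0-3ubuntu4.10 (CVE-2014-3613). A cookie for domain D may be sent to host H only when H is D itself or a subdomain of D at a label boundary, and never by tail match when H is an IP-address literal. The "old" function is a reconstruction of the plain suffix compare the entry describes, not the original source; real cookie matching also checks path, the Secure flag and public suffixes, which are left out. Domains and hosts below are constructed.

```c
/* Added example, not libcurl code: cookie domain tail matching. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>

static int is_ip_literal(const char *host)
{
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* Reconstructed pre-fix logic: suffix comparison with no label boundary,
 * so a cookie for "ample.com" is sent to "example.com". */
static int tailmatch_old(const char *domain, const char *host)
{
    size_t dl = strlen(domain), hl = strlen(host);
    if (dl > hl)
        return 0;
    return strcasecmp(host + (hl - dl), domain) == 0;
}

/* Hardened: exact match, or host ends in "." + domain; hosts that are
 * IP literals may only match exactly. */
static int tailmatch_fixed(const char *domain, const char *host)
{
    size_t dl, hl;

    if (*domain == '.')
        domain++;                      /* ".example.com" == "example.com" */
    dl = strlen(domain);
    hl = strlen(host);
    if (dl == hl)
        return strcasecmp(domain, host) == 0;
    if (dl == 0 || dl > hl)
        return 0;
    if (is_ip_literal(host))
        return 0;                      /* CVE-2014-3613: no partial IP matches */
    if (host[hl - dl - 1] != '.')
        return 0;                      /* CVE-2013-1944: label boundary */
    return strcasecmp(host + (hl - dl), domain) == 0;
}

int main(void)
{
    printf("ample.com -> example.com: old=%d fixed=%d\n",
           tailmatch_old("ample.com", "example.com"),
           tailmatch_fixed("ample.com", "example.com"));
    printf("2.3.4 -> 1.2.3.4:         old=%d fixed=%d\n",
           tailmatch_old("2.3.4", "1.2.3.4"),
           tailmatch_fixed("2.3.4", "1.2.3.4"));
    printf("example.com -> www.example.com: fixed=%d\n",
           tailmatch_fixed("example.com", "www.example.com"));
    return 0;
}
```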
-
curl (7.22.0-3ubuntu4) precise; urgency=low
* debian/control: Add missing Depends on libcrypto1.0.0-udeb.
-- Andres Rodriguez <email address hidden> Thu, 22 Mar 2012 18:40:30 -0400
-
curl (7.22.0-3ubuntu3) precise; urgency=low
[ Andres Rodriguez ]
* Add curl-udeb package (LP: #940425)
[ Dave Walker (Daviey) ]
* debian/rules: Remove --add-udeb= for libcurl3, and appended to
debian/shlibs.local at build time, which this package seems to
be using for undocumented reasoning.
-- Dave Walker (Daviey) <email address hidden> Fri, 09 Mar 2012 23:45:09 +0000
-
curl (7.22.0-3ubuntu2) precise; urgency=low
* SECURITY UPDATE: URL sanitization vulnerability
- debian/patches/CVE-2012-0036.patch: reject URLs with embedded control
codes in lib/{escape.h,escape.c,imap.c,pop3.c,smtp.c}.
- CVE-2012-0036
-- Marc Deslauriers <email address hidden> Tue, 24 Jan 2012 08:26:50 -0500
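Worked example, added here and not code from curl or the Ubuntu package, for the three URL-parsing fixes in this changelog: CVE-2012-0036 (control codes in URLs, above), CVE-2014-8150 (request injection, 7.22.0-3ubuntu4.12) and CVE-2016-8624 ('#' ending the host name, 7.22.0-3ubuntu4.17). The authority ends at the first '/', '?' or '#', so `http://example.com#@evil.com/` names example.com and not evil.com; control characters anywhere in the URL are refused, so they can never reach the request line or the Host: header. Refusing is the stricter of the two approaches the entries describe (CVE-2014-8150 drops the characters instead). The URLs below are constructed.

```c
/* Added example, not libcurl code: host extraction from an http(s) URL
 * with the fixed authority delimiter set and control-character rejection. */
#include <stdio.h>
#include <string.h>

/* Returns 1 and fills host on success, 0 for malformed or unsafe URLs.
 * stop_at_fragment=0 reproduces the pre-CVE-2016-8624 authority scan. */
static int parse_url_host(const char *url, int stop_at_fragment,
                          char *host, size_t hostlen)
{
    const unsigned char *c;
    const char *auth, *auth_end, *h, *h_end, *p;
    size_t n;

    for (c = (const unsigned char *)url; *c; c++)
        if (*c < 0x20 || *c == 0x7f)        /* CR, LF, other controls */
            return 0;
    if ((p = strstr(url, "://")) == NULL)
        return 0;
    auth = p + 3;
    auth_end = auth + strcspn(auth, stop_at_fragment ? "/?#" : "/?");
    /* userinfo, if present, precedes the last '@' inside the authority */
    h = auth;
    for (p = auth; p < auth_end; p++)
        if (*p == '@')
            h = p + 1;
    /* strip the port; bracketed IPv6 literals keep their brackets */
    if (*h == '[') {
        h_end = memchr(h, ']', (size_t)(auth_end - h));
        if (h_end == NULL)
            return 0;
        h_end++;
    } else {
        h_end = h;
        while (h_end < auth_end && *h_end != ':')
            h_end++;
    }
    n = (size_t)(h_end - h);
    if (n == 0 || n >= hostlen)
        return 0;
    memcpy(host, h, n);
    host[n] = '\0';
    return 1;
}

/* Check helper used by the demo and by tests. */
static int url_host_is(const char *url, int stop_at_fragment, const char *want)
{
    char host[256];
    return parse_url_host(url, stop_at_fragment, host, sizeof host) &&
           strcmp(host, want) == 0;
}

int main(void)
{
    const char *tricky = "http://example.com#@evil.com/x.txt";
    char host[256];

    if (parse_url_host(tricky, 0, host, sizeof host))
        printf("old scan:   %s\n", host);
    if (parse_url_host(tricky, 1, host, sizeof host))
        printf("fixed scan: %s\n", host);
    printf("URL with CRLF accepted: %d\n",
           parse_url_host("http://example.com/ HTTP/1.1\r\nHost: evil.com",
                          1, host, sizeof host));
    return 0;
}
```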
-
curl (7.22.0-3ubuntu1) precise; urgency=low
* Merge from Debian unstable, remaining changes:
- Drop dependencies not in main:
+ Build-Depends: Drop stunnel4 and libssh2-1-dev.
+ Drop libssh2-1-dev from libcurl4-openssl-dev's Depends.
- Add new libcurl3-udeb package.
-- Timo Aaltonen <email address hidden> Fri, 25 Nov 2011 17:30:45 +0200
-
curl (7.21.7-3ubuntu1) precise; urgency=low
* Merge from Debian testing, remaining changes:
- Drop dependencies not in main:
+ Build-Depends: Drop stunnel and libssh2-1-dev.
+ Drop libssh2-1-dev from libcurl4-openssl-dev's Depends.
- Add new libcurl3-udeb package, stripped down for use during
installation (LP: #831496).
* Dropped changes:
- debian/patches/timeout_bug_736216: applied upstream.
curl (7.21.7-3) unstable; urgency=low
* debian/rules: Build only curl and libcurl3 with rtmp support. Rest of the
packages do not need to be built with rtmp support. (closes: #641173)
curl (7.21.7-2) unstable; urgency=low
* debian/control: libcurl*-dev packages should depend on librtmp-dev.
(closes: #640260)
* debian/rules: add build-arch and build-indep targets.
curl (7.21.7-1) unstable; urgency=low
* New Upstream release which fixes the following bugs.
- libcurl3-gnutls: HTTPS over HTTP still broken in
Git (closes: #627335)
- git-core: gnutls_handshake() fail when using
https:// over a proxy (closes: #559371)
* debian/control: capitalize 'ftp'. (closes: #587338)
* debian/rules: add build-arch and build-indep targets.
-- James Page <email address hidden> Thu, 20 Oct 2011 09:28:24 +0100
-
curl (7.21.6-3ubuntu3) oneiric; urgency=low
[ James Page, Colin Watson ]
* Add new libcurl3-udeb package, stripped down for use during installation
(LP: #831496).
-- James Page <email address hidden> Wed, 14 Sep 2011 17:31:37 +0100