-
curl (7.32.0-1ubuntu1.4) saucy-security; urgency=medium
* SECURITY UPDATE: wrong re-use of connections
- debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
HTTP logic, and extend new connection logic to other protocols in
lib/http.c, lib/url.c, lib/urldata.h, add new tests to
tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
- CVE-2014-0138
* SECURITY UPDATE: incorrect wildcard SSL certificate validation with
literal IP addresses
- debian/patches/CVE-2014-0139.patch: fix wildcard logic in
lib/hostcheck.c, added tests to tests/data/Makefile.am,
tests/data/test1397, tests/unit/Makefile.inc, tests/unit/unit1397.c.
- CVE-2014-0139
* debian/patches/fix_test172.path: fix expired cookie causing test to
fail.
-- Marc Deslauriers <email address hidden> Tue, 01 Apr 2014 10:16:55 -0400
-
curl (7.32.0-1ubuntu1.3) saucy-security; urgency=medium
* SECURITY UPDATE: information disclosure via incorrect NTLM credential
reuse
- debian/patches/CVE-2014-0015.patch: don't reuse connections if NTLM
auth is used in lib/url.c.
- CVE-2014-0015
-- Marc Deslauriers <email address hidden> Fri, 31 Jan 2014 08:29:56 -0500
-
curl (7.32.0-1ubuntu1.2) saucy-security; urgency=low
* SECURITY UPDATE: missing CN verification when signature verification is
disabled in GnuTLS backend.
- debian/patches/CVE-2013-6422.patch: still verify host when
CURLOPT_SSL_VERIFYPEER isn't set in lib/gtls.c.
- CVE-2013-6422
-- Marc Deslauriers <email address hidden> Tue, 17 Dec 2013 12:45:52 -0500
-
curl (7.32.0-1ubuntu1.1) saucy-security; urgency=low
* SECURITY UPDATE: missing CN verification when signature verification is
disabled.
- debian/patches/CVE-2013-4545.patch: still verify host when
CURLOPT_SSL_VERIFYPEER isn't set in lib/ssluse.c.
- CVE-2013-4545
-- Marc Deslauriers <email address hidden> Fri, 29 Nov 2013 08:28:32 -0500
-
curl (7.32.0-1ubuntu1) saucy; urgency=low
* Merge from Debian unstable. Remaining changes:
- Drop dependencies not in main:
+ Build-Depends: Drop stunnel4 and libssh2-1-dev.
+ Drop libssh2-1-dev from binary package Depends.
- Add new libcurl3-udeb package.
- Add new curl-udeb package.
* Fixes freeipa-client join. (LP: #1220928)
curl (7.32.0-1) unstable; urgency=low
* New upstream release
* Fix typo in changelog entry for 7.31.0-1 (Closes: #714502)
* Drop 08_typo.patch (merged upstream)
* Drop 09_openssl-recv.patch (merged upstream)
* Refresh 90_gnutls.patch and 99_nss.patch
* Refresh 06_always-disable-valgrind.patch
* Enable threaded DNS resolver (Closes: #570436)
See NEWS.Debian for more info
-- Ubuntu Merge-o-Matic <email address hidden> Mon, 12 Aug 2013 15:39:32 +0000
-
curl (7.31.0-2ubuntu1) saucy; urgency=low
* Merge from Debian, Remaining changes:
- Drop dependencies not in main:
+ Build-Depends: Drop stunnel4 and libssh2-1-dev.
+ Drop libssh2-1-dev from binary package Depends.
- Add new libcurl3-udeb package.
- Add new curl-udeb package.
curl (7.31.0-2) unstable; urgency=high
* Add 09_openssl-recv.patch to fix incorrect OpenSSL usage (Closes: #714050)
* Set urgency=high because of the security fix in the previous upload
-- Oussama Bounaim <email address hidden> Tue, 23 Jul 2013 18:42:00 +0100
-
curl (7.31.0-1ubuntu1) saucy; urgency=low
* Resynchronize on Debian. Remaining changes:
- Drop dependencies not in main:
+ Build-Depends: Drop stunnel4 and libssh2-1-dev.
+ Drop libssh2-1-dev from binary package Depends.
- Add new libcurl3-udeb package.
- Add new curl-udeb package.
curl (7.31.0-1) unstable; urgency=low
* New upstream release
- Fix URL decode buffer boundary flaw as per CVE-2013-2174
http://curl.haxx.se/docs/adv_20130622.html
* Make curl Multi-Arch: foreign (Closes: #712585)
* Drop 08_reset-timecond.patch (merged upstream)
* Refresh patches
* Add 08_typo.patch to fix a couple of typos in one of the manpages
-- Sebastien Bacher <email address hidden> Mon, 24 Jun 2013 13:36:52 +0200
-
curl (7.30.0-1ubuntu1) saucy; urgency=low
* Resynchronize on Debian. Remaining changes:
- Drop dependencies not in main:
+ Build-Depends: Drop stunnel4 and libssh2-1-dev.
+ Drop libssh2-1-dev from binary package Depends.
- Add new libcurl3-udeb package.
- Add new curl-udeb package.
* Add warning to debian/patches/series.
curl (7.30.0-1) unstable; urgency=low
* New upstream release
* Update upstream copyright years
* Drop patches merged upstream:
- 08_NULL-pointer-dereference-on-close.patch
- 09_CVE-213-1944.patch
- 10_test1218-another-cookie-tailmatch-test.patch
* Update patches:
- 03_keep_symbols_compat.patch
- 90_gnutls.patch
- 99_nss.patch
* Add libcurl4-doc package:
- Move *.pdf and *.html files to the libcurl4-doc package
- Add Suggests for -doc package to -dev packages
- Move examples to the -doc package
* Add Build-Depends on python which is used by some tests
curl (7.29.0-2.1) unstable; urgency=high
* Non-maintainer upload.
[ Alessandro Ghedini ]
* Do not compress *.pdf files (Closes: #704093)
[ Salvatore Bonaccorso ]
* Add 09_CVE-213-1944.patch.
Fix CVE-2013-1944: fix tailmatching to prevent cross-domain leakage.
Cookies set for 'example.com' could accidentally also be sent by libcurl
to the 'bexample.com' (i.e. with a prefix to the first domain name).
(Closes: #705274)
* Add testcase for CVE-2013-1944.
curl (7.29.0-2) unstable; urgency=low
* Fix a segfault when closing an unused multi handle (Closes: #701713)
* Mention LDAPS in packages' long descriptions
* Clean-up d/rules
- Switch to short-form dh
- Enable test suite on hurd and kfreebsd too
- Enable GSSAPI support on hurd too
-- Sebastien Bacher <email address hidden> Tue, 07 May 2013 12:16:37 +0200
-
curl (7.29.0-1ubuntu3) raring; urgency=low
* SECURITY UPDATE: Incorrect cookie domain handling in tailmatch()
- debian/patches/09_curl-tailmatch.patch: enforce strict subdomain match
when sending cookies. Patch from YAMADA Yasuharu.
- http://curl.haxx.se/curl-tailmatch.patch
- CVE-2013-1944
-- Seth Arnold <email address hidden> Wed, 10 Apr 2013 15:16:17 -0700
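
The cookie tailmatch flaw described in the 7.29.0-2.1 and 7.29.0-1ubuntu3 entries above (CVE-2013-1944), as an added illustration that is not curl's code or the packaged patch: a suffix-only cookie domain check beside a strict one that requires a label boundary. The function names and host names are made up for this example, and the cookie domain is assumed to be stored without a leading dot.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive string equality (host names are case-insensitive). */
static bool equal_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

/* Loose check: the cookie domain only has to be a suffix of the host name. */
static bool tailmatch_loose(const char *domain, const char *host)
{
    size_t dlen = strlen(domain), hlen = strlen(host);
    return dlen <= hlen && equal_nocase(domain, host + (hlen - dlen));
}

/* Strict check: exact match, or a suffix that starts right after a '.'.
   Assumes the cookie domain is stored without a leading dot. */
static bool tailmatch_strict(const char *domain, const char *host)
{
    size_t dlen = strlen(domain), hlen = strlen(host);
    if (dlen == 0 || dlen > hlen)
        return false;
    if (!equal_nocase(domain, host + (hlen - dlen)))
        return false;
    return hlen == dlen || host[hlen - dlen - 1] == '.';
}

int main(void)
{
    /* Constructed host names; the cookie was set for "example.com". */
    const char *hosts[] = { "example.com", "www.example.com",
                            "WWW.Example.COM", "bexample.com", "com" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-16s loose=%d strict=%d\n", hosts[i],
               tailmatch_loose("example.com", hosts[i]),
               tailmatch_strict("example.com", hosts[i]));
    return 0;
}
```

Only the 'bexample.com' row differs between the two checks, which is the cross-domain case the changelog entry names.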