Change logs for curl source package in Utopic

  • curl (7.37.1-1ubuntu3.4) utopic-security; urgency=medium
    
      * SECURITY UPDATE: NTLM connection reuse when unauthenticated
        - debian/patches/CVE-2015-3143.patch: require credentials to match in
          lib/url.c.
        - CVE-2015-3143
      * SECURITY UPDATE: host name out of boundary memory access
        - debian/patches/CVE-2015-3144.patch: check for valid length in
          lib/url.c.
        - CVE-2015-3144
      * SECURITY UPDATE: cookie parser out of boundary memory access
        - debian/patches/CVE-2015-3145.patch: properly handle a single double
          quote in lib/cookie.c.
        - CVE-2015-3145
      * SECURITY UPDATE: negotiate not treated as connection-oriented
        - debian/patches/CVE-2015-3148.patch: don't clear GSSAPI state between
          each exchange and close Negotiate connections when done in
          lib/http.c, lib/http_negotiate.c, lib/http_negotiate_sspi.c.
        - CVE-2015-3148
      * SECURITY UPDATE: sensitive HTTP server headers disclosure to proxies
        - debian/patches/CVE-2015-3153.patch: make HTTP headers separated in
          docs/libcurl/opts/CURLOPT_HEADEROPT.3, lib/url.c,
          tests/data/test1527, tests/data/test287, tests/libtest/lib1527.c.
        - CVE-2015-3153
    
     -- Marc Deslauriers <email address hidden>  Wed, 29 Apr 2015 10:23:26 -0400
  • curl (7.37.1-1ubuntu3.2) utopic-security; urgency=medium
    
      * SECURITY UPDATE: URL request injection
        - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
          lib/url.c, added test to tests/data/Makefile.am, tests/data/test1529,
          tests/libtest/Makefile.inc, tests/libtest/lib1529.c.
        - CVE-2014-8150
     -- Marc Deslauriers <email address hidden>   Wed, 14 Jan 2015 08:17:04 -0500
  • curl (7.37.1-1ubuntu3.1) utopic-security; urgency=medium
    
      * SECURITY UPDATE: sensitive data disclosure via duphandle read out of
        bounds
        - debian/patches/CVE-2014-3707.patch: properly copy memory area in
          lib/formdata.c, lib/strdup.{c,h}, lib/url.c, lib/urldata.h,
          src/Makefile.inc, src/tool_setup.h, src/tool_strdup.{c,h}.
        - CVE-2014-3707
     -- Marc Deslauriers <email address hidden>   Thu, 06 Nov 2014 09:06:15 -0500
  • curl (7.37.1-1ubuntu3) utopic; urgency=medium
    
      * debian/patches/09_fix-timeout-in-poll-and-wait.patch: apply upstream
        commit fixing timeout return value for curl_poll and curl_wait_ms.
        Thanks to Grzegorz Gutowski for finding the patch. (LP: #1375663)
     -- Brian Murray <email address hidden>   Thu, 02 Oct 2014 13:26:57 -0700
  • curl (7.37.1-1ubuntu2) utopic; urgency=medium
    
      * SECURITY UPDATE: incorrect cookie handling via partial literal IP
        addresses
        - debian/patches/CVE-2014-3613.patch: only use full host matches for
          hosts used as IP address in lib/cookie.c, added tests to
          tests/data/test1105, tests/data/test31, tests/data/test8.
        - CVE-2014-3613
      * SECURITY UPDATE: incorrect cookie handling for TLDs
        - debian/patches/CVE-2014-3620.patch: reject incoming cookies set for
          TLDs in lib/cookie.c, added test to tests/data/test61.
        - CVE-2014-3620
     -- Marc Deslauriers <email address hidden>   Thu, 11 Sep 2014 08:15:47 -0400
  • curl (7.37.1-1ubuntu1) utopic; urgency=low
    
      * Merge from Debian unstable (LP: #1348564). Remaining changes:
        - Drop dependencies not in main:
          + Build-Depends: Drop stunnel4 and libssh2-1-dev.
          + Drop libssh2-1-dev from binary package Depends.
        - Add new libcurl3-udeb package.
        - Add new curl-udeb package.
    
    curl (7.37.1-1) unstable; urgency=medium
    
      * New upstream release
      * Re-enable RTMP support (Closes: #754222)
      * Add 08_link-curl-to-nss.patch to fix NSS build
      * Refresh patches
      * Install manpages of single libcurl options too
     -- Gianfranco Costamagna <email address hidden>   Fri, 25 Jul 2014 12:03:28 +0200
  • curl (7.37.0-1ubuntu1) utopic; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - Drop dependencies not in main:
          + Build-Depends: Drop stunnel4 and libssh2-1-dev.
          + Drop libssh2-1-dev from binary package Depends.
        - Add new libcurl3-udeb package.
        - Add new curl-udeb package.
    
    curl (7.37.0-1) unstable; urgency=medium
    
      * New upstream release
        - Fix NULL pointer dereference in GnuTLS code (Closes: #746349)
      * Drop 08_fix-imap-tests.patch (merged upstream)
      * Refresh 01_runtests_gdb.patch
      * Remove Build-Depends on libgcrypt
     -- Michael Vogt <email address hidden>   Fri, 11 Jul 2014 14:37:53 +0200
  • curl (7.36.0-2ubuntu2) utopic; urgency=medium
    
      * Rebuild against libgnutls-deb0-28.
     -- Colin Watson <email address hidden>   Fri, 06 Jun 2014 15:24:02 +0100
  • curl (7.36.0-2ubuntu1) utopic; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - Drop dependencies not in main:
          + Build-Depends: Drop stunnel4 and libssh2-1-dev.
          + Drop libssh2-1-dev from binary package Depends.
        - Add new libcurl3-udeb package.
        - Add new curl-udeb package.
    
    curl (7.36.0-2) unstable; urgency=medium
    
      * Move Depends on -dev packages needed to use static libraries to Suggests
      * Switch to GnuTLS 3.x (Closes: #741568)
      * Disable RTMP support (librtmp-dev requires libgnutls-dev, which conflicts
        with libgnutls28-dev)
    
    curl (7.36.0-1) unstable; urgency=high
    
      * New upstream release (Closes: #742728)
        - Fix connection re-use when using different log-in credentials
          as per CVE-2014-0138
          http://curl.haxx.se/docs/adv_20140326A.html
        - Reject IP address wildcard matches as per CVE-2014-0139
          http://curl.haxx.se/docs/adv_20140326B.html
        - Set urgency=high accordingly
      * Add 08_fix-imap-tests.patch to fix tests broken by the fix for CVE-2014-0138
     -- Michael Vogt <email address hidden>   Wed, 30 Apr 2014 13:34:14 +0200
  • curl (7.35.0-1ubuntu3) utopic; urgency=high
    
      * No change rebuild against librtmp1.
     -- Dimitri John Ledkov <email address hidden>   Sat, 26 Apr 2014 20:53:06 +0100
  • curl (7.35.0-1ubuntu2) trusty; urgency=medium
    
      * SECURITY UPDATE: wrong re-use of connections
        - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
          HTTP logic, and extend new connection logic to other protocols in
          lib/http.c, lib/url.c, lib/urldata.h, add new tests to
          tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
        - CVE-2014-0138
      * SECURITY UPDATE: incorrect wildcard SSL certificate validation with
        literal IP addresses
        - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
          lib/hostcheck.c, added tests to tests/data/Makefile.am,
          tests/data/test1397, tests/unit/Makefile.inc, tests/unit/unit1397.c.
        - CVE-2014-0139
      * debian/patches/fix_test172.path: fix expired cookie causing test to
        fail.
     -- Marc Deslauriers <email address hidden>   Tue, 01 Apr 2014 09:25:23 -0400