curl (7.43.0-1ubuntu2.1) wily-security; urgency=medium
* SECURITY UPDATE: NTLM credentials not-checked for proxy connection
re-use
- debian/patches/CVE-2016-0755.patch: fix ConnectionExists to compare
Proxy credentials in lib/url.c.
- CVE-2016-0755
-- Marc Deslauriers <email address hidden> Tue, 26 Jan 2016 09:50:28 -0500

curl (7.43.0-1ubuntu2) wily; urgency=medium
* debian/control:
- Switch build depends from transitional libgnutls28-dev to libgnutls-dev
-- Robert Ancell <email address hidden> Tue, 11 Aug 2015 11:41:50 +1200

curl (7.43.0-1ubuntu1) wily; urgency=medium
* Merge from Debian. Remaining changes:
- Drop dependencies not in main:
+ Build-Depends: Drop stunnel4 and libssh2-1-dev.
+ Drop libssh2-1-dev from binary package Depends.
curl (7.43.0-1) unstable; urgency=medium
* New upstream release
- Fix lingering HTTP credentials in connection re-use as per CVE-2015-3236
http://curl.haxx.se/docs/adv_20150617A.html
- Fix SMB send off unrelated memory contents as per CVE-2015-3237
http://curl.haxx.se/docs/adv_20150617B.html
* Refresh patches
* Fix spelling-error-in-description
-- Marc Deslauriers <email address hidden> Thu, 18 Jun 2015 07:39:39 -0400

curl (7.42.1-3ubuntu1) wily; urgency=low
* Merge from Debian (LP: #1459685). Remaining changes:
- Drop dependencies not in main:
+ Build-Depends: Drop stunnel4 and libssh2-1-dev.
+ Drop libssh2-1-dev from binary package Depends.
* Dropped patches:
- debian/patches/CVE-2015-3143.patch: upstream
- debian/patches/CVE-2015-3148.patch: upstream
- debian/patches/CVE-2015-3144.patch: upstream
- debian/patches/CVE-2015-3153.patch: upstream
- debian/patches/CVE-2014-8150.patch: upstream
- debian/patches/CVE-2015-3145.patch: upstream
* Dropped changes:
- Add new libcurl3-udeb package.
- Add new curl-udeb package.
they seem to be broken since pre-trusty
curl (7.42.1-3) unstable; urgency=medium
* Update copyright
* Set both CA bundle and CA path default values for OpenSSL and GnuTLS
backends
* Bump versioned depends on libgnutls to workaround lack of nettle versioned
symbols (Closes: #787960)
curl (7.42.1-2) unstable; urgency=medium
* Switch curl binary to libcurl3-gnutls (Closes: #342719)
This is the first step of a possible migration to a GnuTLS-only
libcurl for Debian. Let's see how it goes.
curl (7.42.1-1) unstable; urgency=high
* New upstream release
- Don't send sensitive HTTP server headers to proxies as per
CVE-2015-3153
http://curl.haxx.se/docs/adv_20150429.html
* Drop 08_fix-spelling.patch (merged upstream)
* Refresh patches
curl (7.42.0-1) unstable; urgency=medium
* New upstream release
- Fix re-using authenticated connection when unauthenticated
as per CVE-2015-3143
http://curl.haxx.se/docs/adv_20150422A.html
- Fix host name out of boundary memory access as per CVE-2015-3144
http://curl.haxx.se/docs/adv_20150422D.html
- Fix cookie parser out of boundary memory access as per CVE-2015-3145
http://curl.haxx.se/docs/adv_20150422C.html
- Fix Negotiate not treated as connection-oriented as per CVE-2015-3148
http://curl.haxx.se/docs/adv_20150422B.html
- Disable SSLv3 in the OpenSSL backend when OPENSSL_NO_SSL3_METHOD is
defined (Closes: #768562)
* Drop patches merged upstream
* Refresh patches
* Bump Standards-Version to 3.9.6 (no changes needed)
curl (7.38.0-4) unstable; urgency=high
* Fix URL request injection vulnerability as per CVE-2014-8150
http://curl.haxx.se/docs/adv_20150108B.html
* Set urgency=high accordingly
-- Gianfranco Costamagna <email address hidden> Mon, 08 Jun 2015 10:35:57 +0200

curl (7.42.1-2ubuntu1) wily; urgency=low
* Merge from Debian (LP: #1459685). Remaining changes:
- Drop dependencies not in main:
+ Build-Depends: Drop stunnel4 and libssh2-1-dev.
+ Drop libssh2-1-dev from binary package Depends.
* Dropped patches:
- debian/patches/CVE-2015-3143.patch: upstream
- debian/patches/CVE-2015-3148.patch: upstream
- debian/patches/CVE-2015-3144.patch: upstream
- debian/patches/CVE-2015-3153.patch: upstream
- debian/patches/CVE-2014-8150.patch: upstream
- debian/patches/CVE-2015-3145.patch: upstream
* Dropped the added udeb packages. They were empty since trusty and were
originally added for LP: #831496, this change is likely not needed any
more.
curl (7.42.1-2) unstable; urgency=medium
* Switch curl binary to libcurl3-gnutls (Closes: #342719)
This is the first step of a possible migration to a GnuTLS-only
libcurl for Debian. Let's see how it goes.
curl (7.42.1-1) unstable; urgency=high
* New upstream release
- Don't send sensitive HTTP server headers to proxies as per
CVE-2015-3153
http://curl.haxx.se/docs/adv_20150429.html
* Drop 08_fix-spelling.patch (merged upstream)
* Refresh patches
curl (7.42.0-1) unstable; urgency=medium
* New upstream release
- Fix re-using authenticated connection when unauthenticated
as per CVE-2015-3143
http://curl.haxx.se/docs/adv_20150422A.html
- Fix host name out of boundary memory access as per CVE-2015-3144
http://curl.haxx.se/docs/adv_20150422D.html
- Fix cookie parser out of boundary memory access as per CVE-2015-3145
http://curl.haxx.se/docs/adv_20150422C.html
- Fix Negotiate not treated as connection-oriented as per CVE-2015-3148
http://curl.haxx.se/docs/adv_20150422B.html
- Disable SSLv3 in the OpenSSL backend when OPENSSL_NO_SSL3_METHOD is
defined (Closes: #768562)
* Drop patches merged upstream
* Refresh patches
* Bump Standards-Version to 3.9.6 (no changes needed)
curl (7.38.0-4) unstable; urgency=high
* Fix URL request injection vulnerability as per CVE-2014-8150
http://curl.haxx.se/docs/adv_20150108B.html
* Set urgency=high accordingly
-- Gianfranco Costamagna <email address hidden> Thu, 28 May 2015 15:53:47 +0200

curl (7.38.0-3ubuntu3) wily; urgency=medium
* SECURITY UPDATE: NTLM connection reuse when unauthenticated
- debian/patches/CVE-2015-3143.patch: require credentials to match in
lib/url.c.
- CVE-2015-3143
* SECURITY UPDATE: host name out of boundary memory access
- debian/patches/CVE-2015-3144.patch: check for valid length in
lib/url.c.
- CVE-2015-3144
* SECURITY UPDATE: cookie parser out of boundary memory access
- debian/patches/CVE-2015-3145.patch: properly handle a single double
quote in lib/cookie.c.
- CVE-2015-3145
* SECURITY UPDATE: negotiate not treated as connection-oriented
- debian/patches/CVE-2015-3148.patch: close Negotiate connections when
done in lib/http.c.
- CVE-2015-3148
* SECURITY UPDATE: sensitive HTTP server headers disclosure to proxies
- debian/patches/CVE-2015-3153.patch: make HTTP headers separated in
docs/libcurl/opts/CURLOPT_HEADEROPT.3, lib/url.c,
tests/data/test1527, tests/data/test287, tests/libtest/lib1527.c.
- CVE-2015-3153
-- Marc Deslauriers <email address hidden> Tue, 05 May 2015 14:17:51 -0400

curl (7.38.0-3ubuntu2) vivid; urgency=medium
* SECURITY UPDATE: URL request injection
- debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
lib/url.c, added test to tests/data/Makefile.am, tests/data/test1529,
tests/libtest/Makefile.inc, tests/libtest/lib1529.c.
- CVE-2014-8150
-- Marc Deslauriers <email address hidden> Wed, 14 Jan 2015 07:57:00 -0500
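The CVE-2014-8150 entry above describes the fix as dropping bad characters from the URL in lib/url.c. The following C example is added here to show that class of check; it is not curl's code, and the function names and the 512-byte scratch buffer are assumptions. CR and LF terminate an HTTP request line, so a URL that carries either byte can end the line early, which is what makes the request injectable. The strip routine mirrors the "drop bad chars" strategy from the changelog and reports how many bytes it removed, and a stricter refuse-outright variant is given beside it for callers that would rather fail than repair.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* CR and LF terminate an HTTP request line, so either byte inside a URL
 * lets the URL end the line early and append lines of its own. */
static bool is_request_line_bad(unsigned char c)
{
    return c == '\r' || c == '\n';
}

/* Copy url into out, dropping CR and LF, in the spirit of the "drop bad
 * chars from URL" fix. Returns how many bytes were dropped so a caller can
 * treat a non-zero count as something worth logging or refusing. */
size_t strip_request_line_chars(char *out, size_t outlen, const char *url)
{
    size_t dropped = 0, o = 0;
    for (const char *p = url; *p; p++) {
        if (is_request_line_bad((unsigned char)*p)) {
            dropped++;
            continue;
        }
        if (o + 1 < outlen)
            out[o++] = *p;
    }
    if (outlen)
        out[o] = '\0';
    return dropped;
}

/* Stricter alternative: refuse the URL outright instead of repairing it. */
bool url_is_request_line_safe(const char *url)
{
    for (const char *p = url; *p; p++)
        if (is_request_line_bad((unsigned char)*p))
            return false;
    return true;
}

/* Build "GET <url> HTTP/1.1\r\n" from a sanitized URL path. Returns the
 * length written, or -1 if the result would not fit in out. */
int build_request_line(char *out, size_t outlen, const char *url)
{
    char clean[512];   /* assumed scratch size for this example */
    strip_request_line_chars(clean, sizeof clean, url);
    int n = snprintf(out, outlen, "GET %s HTTP/1.1\r\n", clean);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

int main(void)
{
    char line[128];
    /* Constructed inputs: a normal path and one carrying a CR LF pair. */
    const char *inputs[] = { "/index.html", "/a\r\nb" };
    for (size_t i = 0; i < 2; i++) {
        int n = build_request_line(line, sizeof line, inputs[i]);
        printf("safe=%d, request line (%d bytes): %s",
               url_is_request_line_safe(inputs[i]), n, line);
    }
    return 0;
}
```

Whether to strip or refuse is a policy choice: stripping keeps a transfer working when the offending bytes were accidental, refusing makes the problem visible to the caller. Either way the check belongs where the request line is assembled, not only in the URL parser, so that every code path producing a request line passes through it.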