Format: 1.8
Date: Mon, 25 Apr 2022 14:19:19 -0300
Source: curl
Binary: curl libcurl4 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl4-doc
Architecture: s390x
Version: 7.58.0-2ubuntu3.17
Distribution: bionic
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Leonidas Da Silva Barbosa
Description:
 curl - command line tool for transferring data with URL syntax
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4 - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl4-doc - documentation for libcurl
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Changes:
 curl (7.58.0-2ubuntu3.17) bionic-security; urgency=medium
 .
   * SECURITY UPDATE: OAUTH2 bypass
     - debian/patches/CVE-2022-22576.patch: check sasl additional
       parameters for conn reuse in lib/strcase.c, lib/strcase.h,
       lib/url.c, lib/urldata.h, lib/vtls/vtls.c.
     - CVE-2022-22576
   * SECURITY UPDATE: Credential leak on redirect
     - debian/patches/CVE-2022-27774-1.patch: store conn_remote_port in
       the info struct to make it available after the connection ended
       in lib/connect.c, lib/urldata.h.
     - debian/patches/CVE-2022-27774-2.patch: redirects to other
       protocols or ports clear auth in lib/transfer.c.
     - debian/patches/CVE-2022-27774-3*.patch: adds tests to verify
       these fixes in tests/data/Makefile.inc, tests/data/test973,
       tests/data/test974, tests/data/test975, tests/data/test976.
     - CVE-2022-27774
   * SECURITY UPDATE: Bad local IPV6 connection reuse
     - debian/patches/CVE-2022-27775.patch: include the zone id in the
       'bundle' hashkey in lib/conncache.c.
     - CVE-2022-27775
   * SECURITY UPDATE: Auth/cookie leak on redirect
     - debian/patches/CVE-2022-27776.patch: avoid auth/cookie on
       redirects same host diff port in lib/http.c, lib/urldata.h.
     - CVE-2022-27776
Original-Maintainer: Alessandro Ghedini