Publishing details

• Published on 2021-06-19

Changelog

curl (7.64.0-4+deb10u2) buster-security; urgency=high

  * Fix partial password leak over DNS on HTTP redirect as per CVE-2020-8169
    (Closes: #965280)
    https://curl.haxx.se/docs/CVE-2020-8169.html
  * Fix local file overwrite as per CVE-2020-8177 (Closes: #965281)
    https://curl.se/docs/CVE-2020-8177.html
  * Fix use of wrong connect-only connection as per CVE-2020-8231
    (Closes: #968831)
    https://curl.se/docs/CVE-2020-8231.html
  * Don't trust FTP PASV responses by default as per CVE-2020-8284
    (Closes: #977163)
  * Fix FTP wildcard stack overflow as per CVE-2020-8285 (Closes: #977162)
    https://curl.se/docs/CVE-2020-8285.html
  * Make the OCSP verification verify the certificate id as per CVE-2020-8286
    (Closes: #977161)
    https://curl.se/docs/CVE-2020-8286.html
  * Fix credentials leak with automatic referer as per CVE-2021-22876
    https://curl.se/docs/CVE-2021-22876.html
  * Fix TLS 1.3 session ticket proxy host mixup as per CVE-2021-22890
    https://curl.se/docs/CVE-2021-22890.html

 -- Alessandro Ghedini <email address hidden>  Tue, 30 Mar 2021 21:56:00 +0100

Builds

Package files

• curl_7.64.0-4+deb10u2.debian.tar.xz (42.6 KiB)
• curl_7.64.0-4+deb10u2.dsc (2.7 KiB)
• curl_7.64.0.orig.tar.gz (3.8 MiB)