Change log for curl package in Debian

Published in sid-release
curl (8.7.1-3) unstable; urgency=medium

  [ Carlos Henrique Lima Melara ]
  * d/p/fix-regression-in-curlinfo.patch: add patch from upstream, thanks to
    Antonio Terceiro for reporting it (closes: #1069292)

  [ Samuel Henrique ]
  * d/libcurl3t64-gnutls.lintian-overrides: Drop unused override

 -- Samuel Henrique <email address hidden>  Fri, 19 Apr 2024 19:06:23 +0100
Superseded in sid-release
curl (8.7.1-2) unstable; urgency=medium

  [ Carlos Henrique Lima Melara ]
  * d/rules: fix sed substitution regex for curl-config
  * d/rules: make a call to dpkg-buildflags in curl-config to get CFLAGS
    (Closes: #1057138)
  * d/control: suggests dpkg-dev for -dev packages so we get dpkg goodies
  * d/libcurl4-doc.docs: list each markdown file to be installed
  * d/make-manpages-reproducible.patch: import from upstream
  * d/p/fix-regression-on-chunked-post.patch: add new patch from upstream

  [ Sergio Durigan Junior ]
  * d/p/openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch:
    (Closes: #1053643)

  [ Samuel Henrique ]
  * d/rules: Run tests in parallel
  * d/p/test1901...: New patch to confirm regression fix

 -- Samuel Henrique <email address hidden>  Wed, 03 Apr 2024 18:59:41 +0100
Deleted in experimental-release (Reason: None provided.)
curl (8.7.1-1+exp1) experimental; urgency=medium

  * d/rules: Run tests in parallel, using upstream's suggestion of 7 workers
    per thread: https://daniel.haxx.se/blog/2023/06/08/parallel-curl-tests/

 -- Samuel Henrique <email address hidden>  Wed, 27 Mar 2024 19:51:33 +0000
Superseded in sid-release
curl (8.7.1-1) unstable; urgency=medium

  * New upstream version 8.7.1
    - Fix CVE-2024-2004: Usage of disabled protocol
    - Fix CVE-2024-2398: HTTP/2 push headers memory-leak
  * d/patches: Drop patches present on this release

 -- Samuel Henrique <email address hidden>  Wed, 27 Mar 2024 19:02:14 +0000
Published in sid-release
curl (8.6.0-4) unstable; urgency=medium

  [ Carlos Henrique Lima Melara ]
  * d/libcurl*.links: use substitution variables instead of executable files

  [ Simon McVittie ]
  * d/control: Add a build-profile that disables LDAP support
    (closes: #1066981)
  * Temporarily disable LDAP support on 32-bit non-x86 (closes: #1066982)
  * Temporarily disable build-time tests on 32-bit non-x86

 -- Samuel Henrique <email address hidden>  Sat, 16 Mar 2024 17:17:57 +0000
Published in sid-release
curl (8.6.0-3.2) unstable; urgency=medium

  * Non-maintainer upload.
  * Fix wrong X-Time64-Compat for libcurl4t64.  Closes: #1065315.

 -- Steve Langasek <email address hidden>  Sat, 02 Mar 2024 18:43:58 +0000
Superseded in sid-release
curl (8.6.0-3.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Rename libraries for 64-bit time_t transition.  Closes: #1061992

 -- Steve Langasek <email address hidden>  Sat, 02 Mar 2024 07:11:53 +0000
Deleted in experimental-release (Reason: None provided.)
curl (8.6.0-3.1~exp2) experimental; urgency=medium

  * Non-maintainer upload.
  * Set missing executable bit on debian/libcurl3t64-gnutls.links, lost when
    round-tripping through diff+patch.

 -- Steve Langasek <email address hidden>  Sat, 24 Feb 2024 01:20:40 +0000
Superseded in experimental-release
curl (8.6.0-3.1~exp1) experimental; urgency=medium

  * Non-maintainer upload.
  * Rename libraries for 64-bit time_t transition.

 -- Michael Hudson-Doyle <email address hidden>  Thu, 22 Feb 2024 11:59:41 +1300
Deleted in experimental-release (Reason: None provided.)
Published in sid-release
curl (8.6.0-3) unstable; urgency=medium

  * d/p/vtls_revert_receive_max_buffer_add_test_case.patch: New patch to fix
    tls regression (closes: #1063462)

 -- Samuel Henrique <email address hidden>  Mon, 19 Feb 2024 22:16:17 +0000
Published in bullseye-release
curl (7.74.0-1.3+deb11u11) bullseye-security; urgency=high

  * Add patch to fix CVE-2023-46218
  * d/rules: set CURL_PATCHSTAMP to package's version, so it shows up in
    "--version" output

 -- Samuel Henrique <email address hidden>  Sun, 10 Dec 2023 06:05:18 +0000
Published in bookworm-release
curl (7.88.1-10+deb12u5) bookworm-security; urgency=high

  * Add patches to fix CVE-2023-46218 and CVE-2023-46219
  * d/rules: set CURL_PATCHSTAMP to package's version, so it shows up in
    "--version" output

 -- Samuel Henrique <email address hidden>  Sun, 10 Dec 2023 06:07:30 +0000
Superseded in sid-release
curl (8.6.0-2) unstable; urgency=medium

  * d/p/sendf_ignore_response_body_to_head.patch: New upstream patch to fix a
    compat issue (closes: #1063342)
  * d/control: Switch from pkg-config to pkgconf

 -- Samuel Henrique <email address hidden>  Tue, 06 Feb 2024 20:52:46 +0000
Deleted in experimental-release (Reason: None provided.)
curl (8.6.0-1.1) experimental; urgency=medium

  * Non-maintainer upload.
  * Rename libraries for 64-bit time_t transition.

 -- Michael Hudson-Doyle <email address hidden>  Thu, 01 Feb 2024 03:10:56 +0000
Superseded in sid-release
curl (8.6.0-1) unstable; urgency=medium

  [ Samuel Henrique ]
  * New upstream version 8.6.0
    - Fix CVE-2024-0853: OCSP verification bypass with TLS session reuse
  * Drop upstream patches from 8.6.0
  * Update approach for installing manpages
  * d/copyright: Update copyright

  [ Carlos Henrique Lima Melara ]
  * d/control: exclude dependency on gnutls-bin for tests on ppc64el
    (Closes: #1059952)

 -- Samuel Henrique <email address hidden>  Wed, 31 Jan 2024 21:51:05 +0000
Deleted in experimental-release (Reason: None provided.)
curl (8.5.0-2+exp1) experimental; urgency=medium

  * d/rules: Run tests in parallel

 -- Samuel Henrique <email address hidden>  Sat, 06 Jan 2024 09:01:03 -0300
Superseded in experimental-release
Superseded in sid-release
curl (8.5.0-2) unstable; urgency=medium

  * d/p/openldap_fix_an_LDAP_crash.patch: New patch to fix ldap segfault
    (closes: #1057855)

 -- Samuel Henrique <email address hidden>  Fri, 29 Dec 2023 15:34:11 -0300
Deleted in experimental-release (Reason: None provided.)
curl (8.5.0-1+exp1) experimental; urgency=medium

  * Build on experimental with a newer openldap to help investigate #1057855

 -- Samuel Henrique <email address hidden>  Fri, 22 Dec 2023 11:20:39 -0300
Superseded in bookworm-release
curl (7.88.1-10+deb12u4) bookworm-security; urgency=high

  * Add patches to fix CVE-2023-38545 and CVE-2023-38546

 -- Samuel Henrique <email address hidden>  Thu, 05 Oct 2023 22:31:47 +0100
Superseded in sid-release
curl (8.5.0-1) unstable; urgency=medium

  [ Samuel Henrique ]
  * New upstream version 8.5.0
    - Fix CVE-2023-46218: cookie mixed case PSL bypass (closes: #1057646)
    - Fix CVE-2023-46219: HSTS long file name clears contents (closes: #1057645)
  * d/rules: Use pkg-info.mk instead of dpkg-parsechangelog for DEB_VERSION
  * d/p/90_gnutls.patch: Update patch
  * d/p/dist_add_tests_errorcodes_pl_to_the_tarball.patch: Upstream patch to
    fix tests
  * d/p/add_errorcodes_upstream_file.patch: Include missing file from upstream
    tarball

  [ Carlos Henrique Lima Melara ]
  * d/control: change Maintainer field to curl packaging team
  * d/README.Debian: add readme to explain curl's team creation
  * d/control: add myself to Uploaders

 -- Samuel Henrique <email address hidden>  Wed, 06 Dec 2023 20:15:49 +0000
Superseded in sid-release
curl (8.4.0-2) unstable; urgency=medium

  * d/rules: set CURL_PATCHSTAMP to package's version, so it shows up in
    "--version" output

 -- Samuel Henrique <email address hidden>  Sat, 14 Oct 2023 12:19:21 +0100
Superseded in sid-release
curl (8.4.0-1) unstable; urgency=medium

  * New upstream version 8.4.0
  * d/libcurl*.symbols: New symbol curl_multi_get_handles
  * d/patches:
    - Remove patches from 8.4.0 release
    - 90_gnutls.patch: Update patch

 -- Samuel Henrique <email address hidden>  Fri, 13 Oct 2023 00:53:16 +0100
Superseded in sid-release
curl (8.3.0-3) unstable; urgency=high

  * Add patches to fix CVE-2023-38545 and CVE-2023-38546

 -- Samuel Henrique <email address hidden>  Thu, 05 Oct 2023 22:26:40 +0100
Superseded in bullseye-release
curl (7.74.0-1.3+deb11u9) bullseye; urgency=medium

  * Team upload.
  * Import 2 new patches to fix CVEs:
    - CVE-2023-28321: IDN wildcard match may lead to Improper Certificate
      Validation.
    - CVE-2023-28322: more POST-after-PUT confusion.
  * debian/patches/CVE-2023-28322.patch: backport patch.

 -- Carlos Henrique Lima Melara <email address hidden>  Sun, 10 Sep 2023 15:19:20 +0530
Superseded in bookworm-release
curl (7.88.1-10+deb12u3) bookworm; urgency=medium

  * Team upload.

  [ Andreas Hasenack ]
  * Move ldap-test to a script and add retry logic.

  [ Carlos Henrique Lima Melara ]
  * Fix CVE-2023-38039: HTTP headers eat all memory.
      - Done by debian/patches/CVE-2023-38039.patch.

 -- Carlos Henrique Lima Melara <email address hidden>  Fri, 15 Sep 2023 22:31:23 +0530
Superseded in sid-release
curl (8.3.0-2) unstable; urgency=medium

  * d/rules: Add test 3102 to TESTS_FAILS_ON_IPV6_ONLY_MACHINES
  * d/patches: Import two upstream patches to try to fix FTBFS on armel/armhf
    - test650_fix_an_end_tag_typo.patch
    - tests_increase_the_default_server_logs_lock_timeout.patch
  * d/p/lib_use_wrapper_for_curl_mime_data_fseek_callback.patch: New patch to
    fix armel/armhf FTBFS

 -- Samuel Henrique <email address hidden>  Sun, 01 Oct 2023 15:01:42 +0100
Deleted in experimental-release (Reason: None provided.)
curl (8.3.0-2~exp1) experimental; urgency=medium

  * d/patches: Import two upstream patches to try to fix FTBFS on armel/armhf:
    - test650_fix_an_end_tag_typo.patch
    - tests_increase_the_default_server_logs_lock_timeout.patch

 -- Samuel Henrique <email address hidden>  Fri, 29 Sep 2023 21:04:33 +0100
Superseded in sid-release
curl (8.3.0-1) unstable; urgency=medium

  * New upstream version 8.3.0
    - Fix CVE-2023-38039: HTTP headers eat all memory
  * debian/: Remove files used for the nss packaging
  * d/patches:
    - Refresh patches
    - gen_pl_escape_all_dashes.patch: Drop merged patch
    - 90_gnutls.patch: Update patch
  * d/libcurl*.symbols: New symbol curl_global_trace

 -- Samuel Henrique <email address hidden>  Thu, 14 Sep 2023 16:13:10 +0530
Superseded in sid-release
curl (8.2.1-2) unstable; urgency=medium

  [ Andreas Hasenack ]
  * Move ldap-test to a script and add retry logic

  [ Samuel Henrique ]
  * Build without nss, dropped by upstream in the next release
  * d/p/gen_pl_escape_all_dashes.patch: New patch to fix manpage generation
    (closes: #1043309, #1043339)

 -- Samuel Henrique <email address hidden>  Fri, 25 Aug 2023 20:05:02 +0100
Superseded in sid-release
curl (8.2.1-1) unstable; urgency=medium

  [ Samuel Henrique ]
  * New upstream version 8.2.1

  [ Sergio Durigan Junior ]
  * d/p/{90_gnutls,99_nss}.patch:
    Update GNUTls/NSS patches to unbreak tests/http/clients
  * Drop unnecessary patches.
    d/p/CVE-2023-27533.patch
    d/p/CVE-2023-27534.patch
    d/p/CVE-2023-27535.patch
    d/p/CVE-2023-27536.patch
    d/p/CVE-2023-27537.patch
    d/p/CVE-2023-27538.patch
    d/p/CVE-2023-28319.patch
    d/p/CVE-2023-28320-1.patch
    d/p/CVE-2023-28320.patch
    d/p/CVE-2023-28321.patch
    d/p/CVE-2023-28322.patch
    d/p/CVE-2023-32001.patch
    d/p/Use-OpenLDAP-specific-functionality.patch
    d/p/fix-unix-domain-socket.patch

 -- Sergio Durigan Junior <email address hidden>  Thu, 03 Aug 2023 20:00:01 -0400
Superseded in sid-release
curl (7.88.1-11) unstable; urgency=medium

  [ Carlos Henrique Lima Melara ]
  * Fix CVE-2023-32001: TOCTOU race condition in Curl_fopen():
    - Done by d/p/CVE-2023-32001.patch (Closes: #1041812).

  [ John Scott ]
  * LDAP backend: correct the usage of OpenLDAP-specific functionality being
    disabled with an upstream patch (Closes: #1041964)
    This corrects the improper fetching of binary attributes.
  * debian/tests: add a DEP-8 test that getting binary LDAP attributes works now

 -- Samuel Henrique <email address hidden>  Fri, 28 Jul 2023 21:11:25 +0100
Superseded in bookworm-release
Superseded in sid-release
curl (7.88.1-10) unstable; urgency=medium

  * Add new patches to fix CVEs (closes: #1036239):
    - CVE-2023-28319: UAF in SSH sha256 fingerprint check
    - CVE-2023-28320: siglongjmp race condition
    - CVE-2023-28321: IDN wildcard match
    - CVE-2023-28322: more POST-after-PUT confusion
  * d/libcurl*.symbols: Drop curl_jmpenv, not built anymore due to
    CVE-2023-28320

 -- Samuel Henrique <email address hidden>  Thu, 18 May 2023 23:43:40 +0100
Superseded in bullseye-release
curl (7.74.0-1.3+deb11u7) bullseye-security; urgency=medium

  * Fix CVE-2023-23916: HTTP multi-header compression denial of service:
    - Done by d/p/CVE-2023-23916.patch.

 -- Samuel Henrique <email address hidden>  Thu, 23 Feb 2023 22:09:57 +0000
Superseded in sid-release
curl (7.88.1-9) unstable; urgency=medium

  [ Sergio Durigan Junior ]
  * d/p/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch:
    Don't prepend "nss" when opening libnssckbi.so. (Closes: #1034359)

  [ Samuel Henrique ]
  * Update list of tests that fail on IPv6-only envs and don't skip them on
    autopkgtest
  * d/p/fix-unix-domain-socket.patch: Import upstream patch to fix --unix
    (closes: #1033963)

 -- Samuel Henrique <email address hidden>  Sat, 15 Apr 2023 20:03:44 +0100
Deleted in experimental-release (Reason: None provided.)
curl (8.0.1-1~exp1) experimental; urgency=medium

  * New upstream version 8.0.1
  * d/patches: Remove CVE patches that are present on 8.0.1

 -- Samuel Henrique <email address hidden>  Sun, 02 Apr 2023 20:05:56 +0100
Superseded in sid-release
curl (7.88.1-8) unstable; urgency=medium

  [ Samuel Henrique ]
  * d/gbp.conf: Push gbp conf with sane defaults
  * d/salsa-ci.yml: Disable dh_auto_test with DEB_BUILD_OPTIONS
  * d/rules: Add new build profiles to limit builds to a single TLS backend
  * d/tests: Add new autopkgtests that run curl's test suite

  [ Sergio Durigan Junior ]
  * d/rules: Remove -D_DEB_HOST_ARCH from curl-config's CFLAGS.

 -- Samuel Henrique <email address hidden>  Sun, 26 Mar 2023 11:36:24 +0100
Superseded in sid-release
curl (7.88.1-7) unstable; urgency=medium

  * Bump Standards-Version to 4.6.2
  * d/p/06_always-disable-valgrind.patch: Remove unused patch
  * d/patches: Refresh all patches
  * Import 5 new upstream patches fixing CVEs:
    - CVE-2023-27533: TELNET option IAC injection
    - CVE-2023-27534: SFTP path ~ resolving discrepancy
    - CVE-2023-27535: FTP too eager connection reuse
    - CVE-2023-27536: GSS delegation too eager connection re-use
    - CVE-2023-27537: HSTS double-free
    - CVE-2023-27538: SSH connection too eager reuse still

 -- Samuel Henrique <email address hidden>  Tue, 21 Mar 2023 22:39:05 +0000
Superseded in sid-release
curl (7.88.1-6) unstable; urgency=medium

  * d/rules: Ignore test results from tests that fail on IPv6-only builders
    (closes: #1032343)
  * d/control: Don't install gnutls-bin for tests on ppc64el (tests hangs
    forever)

 -- Samuel Henrique <email address hidden>  Wed, 08 Mar 2023 20:57:09 +0000
Deleted in experimental-release (Reason: None provided.)
curl (7.88.1-7~exp1) experimental; urgency=medium

  * Revert "d/control: Don't install gnutls-bin for tests on ppc64el (tests
    hangs forever)"
    So we can confirm whether the build only hangs on unstable.

 -- Samuel Henrique <email address hidden>  Wed, 08 Mar 2023 21:45:48 +0000
Superseded in sid-release
curl (7.88.1-5) unstable; urgency=medium

  * Fix stringification of _DEB_HOST_ARCH macro.
    - d/p/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch:
      Use _DEB_HOST_ARCH directly.
    - d/rules: Quote _DEB_HOST_ARCH when passing it with -D.

 -- Sergio Durigan Junior <email address hidden>  Mon, 06 Mar 2023 10:22:32 -0500
Superseded in sid-release
curl (7.88.1-4) unstable; urgency=medium

  * d/p/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch:
    Prepend "/nss/" before the library name.

 -- Sergio Durigan Junior <email address hidden>  Sun, 05 Mar 2023 18:38:13 -0500
Superseded in sid-release
curl (7.88.1-2) unstable; urgency=medium

  * Multiple test improvements, which will increase the reliability of the
    package, especially when backporting fixes on stable and oldstable:
    - Test results are now critical to the build process, if a test fails,
      the build will fail.
    - Add two new test build-dependencies to increase coverage: locales-all
      and gnutls-bin.
    - Only run non-flaky tests.
    - Print logs of failed tests.
    - Run all tests even if there was a failure.
    - Ignore results of known failing tests (for Debian).
    - Disable valgrind through a test parameter instead of patching
      upstream source code.

 -- Samuel Henrique <email address hidden>  Fri, 03 Mar 2023 08:28:19 +0000
Deleted in experimental-release (Reason: None provided.)
curl (7.88.1-2~exp4) experimental; urgency=medium

  * d/rules: Fail the build if tests fail

 -- Samuel Henrique <email address hidden>  Mon, 27 Feb 2023 22:19:03 +0000
Superseded in experimental-release
curl (7.88.1-2~exp3) experimental; urgency=medium

  * Fix locale-related tests and ignore known failures

 -- Samuel Henrique <email address hidden>  Sun, 26 Feb 2023 15:52:13 +0000
Superseded in experimental-release
curl (7.88.1-2~exp2) experimental; urgency=medium

  * d/rules: Multiple improvements to dh_auto_test
    - Skip flaky tests.
    - Print test logs in case of errors.
    - Ignore known failures, but still print their logs.
    - Disable valgrind through parametrization instead of patching the source
      code.
    - Add gnutls-bin as a test dependency as gnutls-serv is used.

 -- Samuel Henrique <email address hidden>  Sat, 25 Feb 2023 19:09:28 +0000
Superseded in experimental-release
curl (7.88.1-2~exp1) experimental; urgency=medium

  * d/rules: Run non-flaky tests only (it also has an improved output for
    failures)

 -- Samuel Henrique <email address hidden>  Fri, 24 Feb 2023 19:13:26 +0000
Superseded in sid-release
curl (7.88.1-1) unstable; urgency=medium

  * New upstream version 7.88.1
    - Fix the following CVEs (closes: #1031371)
      ~ CVE-2023-23916: HTTP multi-header compression denial of service
      ~ CVE-2023-23915: HSTS amnesia with --parallel
      ~ CVE-2023-23914: HSTS ignored on multiple requests
    - Fix curl_multi_socket_action regression (closes: #1029231)
  * d/patches: Drop backported patch added to fix regression in setopt/getinfo
  * d/copyright: Drop removed file from copyright
  * d/control: Update BD to drop transitional package libidn11-dev

 -- Samuel Henrique <email address hidden>  Mon, 20 Feb 2023 22:35:53 +0000
Superseded in sid-release
curl (7.87.0-2) unstable; urgency=medium

  * d/patches: Add new upstream patch to fix regression in setopt/getinfo
    (closes: #1027564)
  * d/p/build-Divide-mit-krb5...patch: Refresh patch

 -- Samuel Henrique <email address hidden>  Sun, 15 Jan 2023 21:12:09 +0000
Superseded in sid-release
curl (7.87.0-1) unstable; urgency=medium

  * New upstream version 7.87.0
  * d/patches:
    - Update patches
    - Drop all backported patches that are applied in the new release
  * d/copyright: Remove missing file
  * d/*.lintian-overrides: Remove unused overrides

  [ Simon McVittie ]
  * Make -dev packages 'Multi-Arch: same' back again (closes: #1024668)

 -- Samuel Henrique <email address hidden>  Fri, 23 Dec 2022 20:36:01 +0000

Superseded in sid-release
curl (7.86.0-3) unstable; urgency=medium

  * Fix two HSTS-related CVEs.
    - d/p/CVE-2022-43551-another-hsts-bypass-via-idn.patch: use the IDN
      decoded name in HSTS checks.
      (Closes: #1026829, CVE-2022-43551)
    - d/p/CVE-2022-43552-http-proxy-deny-use-after-free.patch: do not free
      smb's/telnet's protocol struct in *_done().
      (Closes: #1026830, CVE-2022-43552)

 -- Sergio Durigan Junior <email address hidden>  Wed, 21 Dec 2022 15:55:18 -0500
Superseded in sid-release
curl (7.86.0-2) unstable; urgency=medium

  [ Debian Janitor ]
  * Apply multi-arch hints. + libcurl4-gnutls-dev, libcurl4-nss-dev,
    libcurl4-openssl-dev: Drop Multi-Arch: same.

  [ Samuel Henrique ]
  * d/patches: Backport three upstream patches to fix noproxy option.

 -- Samuel Henrique <email address hidden>  Tue, 15 Nov 2022 21:04:55 +0000

Superseded in sid-release
curl (7.86.0-1) unstable; urgency=medium

  * New upstream version 7.86.0
    - Fix HSTS bypass via IDN:
      curl's HSTS check could be bypassed to trick it to keep using HTTP.
      (closes: CVE-2022-42916)
    - Fix HTTP proxy double-free (closes: CVE-2022-42915)
    - Fix .netrc parser out-of-bounds access (closes: CVE-2022-35260)
    - Fix POST following PUT confusion (closes: CVE-2022-32221)

 -- Samuel Henrique <email address hidden>  Thu, 27 Oct 2022 20:38:24 +0100
Superseded in bullseye-release
curl (7.74.0-1.3+deb11u3) bullseye; urgency=medium

  * cookie: reject cookies with "control bytes" (CVE-2022-35252)
    (Closes: #1018831)
  * test8: verify that "ctrl-byte cookies" are ignored

 -- Salvatore Bonaccorso <email address hidden>  Sat, 03 Sep 2022 12:26:12 +0200
Superseded in sid-release
curl (7.85.0-1) unstable; urgency=medium

  * New upstream version 7.85.0
    - Fix control code in cookie denial of service:
      When curl retrieves and parses cookies from an HTTP(S) server, it
      accepts cookies using control codes (byte values below 32). When cookies
      that contain such control codes are later sent back to an HTTP(S) server,
      it might make the server return a 400 response. Effectively allowing a
      "sister site" to deny service to siblings
      (closes: #1018831, CVE-2022-35252)
    - Fix FTBFS on riscv64 with gcc-12 (closes: #1015835)
  * Bump Standards-Version to 4.6.1
  * Add lintian overrides for old-style-config-script-multiarch-path triggered
    for curl-config
  * d/patches:
    - 11_omit-directories-from-config.patch: Update patch
    - 20_ftbfs_import_sched.patch: Drop patch, applied upstream
  * d/rules: Fix configure args, remove bogus '--without-ssl'
  * d/copyright: Update the whole file
  * d/(control|watch): Update upstream's URL

 -- Samuel Henrique <email address hidden>  Fri, 02 Sep 2022 13:00:10 +0100
Superseded in sid-release
curl (7.84.0-2) unstable; urgency=medium

  * d/p/20_ftbfs_import_sched.patch: New upstream patch to fix FTBFS
    (closes: #1014596)

 -- Samuel Henrique <email address hidden>  Mon, 11 Jul 2022 22:50:01 +0100
Superseded in sid-release
curl (7.84.0-1) unstable; urgency=medium

  * New upstream version 7.84.0

 -- Samuel Henrique <email address hidden>  Mon, 27 Jun 2022 22:06:25 +0100

Superseded in sid-release
curl (7.83.1-2) unstable; urgency=medium

  * d/p/fix_multiline_header_regression.patch: New upstream patch to fix
    regression (closes: #1012263, #1011696)

 -- Samuel Henrique <email address hidden>  Tue, 14 Jun 2022 18:05:23 +0100
Superseded in sid-release
curl (7.83.1-1) unstable; urgency=medium

  * New upstream version 7.83.1
    - Fix the following CVEs:
      ~ HSTS bypass via trailing dot (CVE-2022-30115)
      ~ TLS and SSH connection too eager reuse (CVE-2022-27782)
      ~ CERTINFO never-ending busy-loop (CVE-2022-27781)
      ~ percent-encoded path separator in URL host (CVE-2022-27780)
      ~ cookie for trailing dot TLD (CVE-2022-27779)
      ~ curl removes wrong file on error (CVE-2022-27778)

 -- Samuel Henrique <email address hidden>  Wed, 11 May 2022 17:46:48 +0100

Superseded in sid-release
curl (7.83.0-1) unstable; urgency=medium

  * New upstream version 7.83.0
    - Fix auth/cookie leak on redirect (closes: #1010252, CVE-2022-27776)
    - Fix bad local IPv6 connection reuse (closes: #1010253, CVE-2022-27775)
    - Fix credential leak on redirect (closes: #1010254, CVE-2022-27774)
    - Fix OAUTH2 bearer bypass in connection re-use
      (closes: #1010295, CVE-2022-22576)
  * d/libcurl*.symbols: update symbols files to add curl_easy_header and
    curl_easy_nextheader
  * d/patches:
    - Refresh patches
    - 12_fix_openssl_cm_check.patch: remove patch, applied upstream

 -- Samuel Henrique <email address hidden>  Thu, 28 Apr 2022 18:53:32 +0100
Superseded in sid-release
curl (7.82.0-2) unstable; urgency=medium

  * d/p/12_fix_openssl_cm_check.patch: New upstream patch to fix openssl CN
    check (closes: #1007739, #1007740)
  * d/control:
    - Set libcurl4-doc as Multi-Arch: foreign
    - Remove ancient version requirements for dependencies
  * d/salsa-ci.yml: Disable reprotest until it acknowledges
    SALSA_CI_DPKG_BUILDPACKAGE_ARGS

 -- Samuel Henrique <email address hidden>  Sat, 19 Mar 2022 13:55:00 +0000
Superseded in sid-release
curl (7.82.0-1) unstable; urgency=medium

  * New upstream version 7.82.0
  * d/salsa-ci.yml: Add CI definition customized to skip tests (nocheck), to
    avoid long build times
  * Update and refresh patches: 13_fix-man-formatting.patch has been merged
    upstream
  * d/rules:
    - Add --with-nss-deprecated, required to build with nss now
      (upstream will drop support in August)
    - Look for nocheck build profile in DEB_BUILD_PROFILES instead of
      DEB_BUILD_OPTIONS (wider coverage)

 -- Samuel Henrique <email address hidden>  Sat, 05 Mar 2022 13:40:14 +0000
Superseded in sid-release
curl (7.81.0-1) unstable; urgency=medium

  * New upstream version 7.81.0
  * d/p/13_fix-man-formatting.patch: Refresh patch

 -- Samuel Henrique <email address hidden>  Wed, 05 Jan 2022 09:31:32 -0300

Superseded in sid-release
curl (7.80.0-3) unstable; urgency=medium

  * Revert "Revert "debian/control: Add Build-Depends on libssh-dev for
    Ubuntu".

    As per #1002598, the blocker has been solved.

    Note that this does not change Debian's curl to libssh, it still
    uses libssh2.

    Discussions about changing to libssh are ongoing at #897950

 -- Samuel Henrique <email address hidden>  Sun, 26 Dec 2021 13:22:18 -0300
Superseded in sid-release
curl (7.80.0-2) unstable; urgency=medium

  * Revert "debian/control: Add Build-Depends on libssh-dev for Ubuntu"
    (closes: #1002597)
    The change had side effects on Debian due to the inclusion of the new
    Build-dep, even though it doesn't change the resulting binary. It causes
    issues for architecture bootstrapping.

    We are gonna reintroduce this change once the issues are fixed, to allow
    Ubuntu to remove its delta.

    See discussions at #1002598 and #1002597 for details

 -- Samuel Henrique <email address hidden>  Sat, 25 Dec 2021 10:47:13 -0300
Superseded in sid-release
curl (7.80.0-1) unstable; urgency=medium

  [ Samuel Henrique ]
  * New upstream version 7.80.0
  * Bump Standards-Version to 4.6.0
  * Add new symbol curl_url_strerror to symbols files
  * Compile with zstd support (closes: #983660)
  * d/p/12_use-python3-in-tests.patch: Drop patch, merged upstream
  * d/p/13_fix-man-formatting.patch: Update patch
  * d/p/14_fix-compatibility-impacket-0-9-23.patch: Drop patch, merged upstream

  [ Jeremy Bicha ]
  * debian/control: Add Build-Depends on libssh-dev for Ubuntu

 -- Samuel Henrique <email address hidden>  Fri, 24 Dec 2021 11:42:57 -0300
Superseded in bullseye-release
curl (7.74.0-1.3+deb11u1) bullseye; urgency=medium

  * Non-maintainer upload.
  * Also remove -ffile-prefix-map from curl-config. (Closes: #990128)

 -- Helmut Grohne <email address hidden>  Sun, 28 Nov 2021 06:38:09 +0100
Deleted in experimental-release (Reason: None provided.)
curl (7.79.1-3~exp2) experimental; urgency=medium

  * d/rules: Adjust CPPFLAGS.

 -- Sergio Durigan Junior <email address hidden>  Sat, 13 Nov 2021 23:34:07 -0500
Superseded in sid-release
curl (7.79.1-2) unstable; urgency=medium

  * d/rules: Make test failures non-fatal again.
    Unfortunately there are some test failures happening on a few
    architectures, so we have to make the build pass even if not all tests
    are succeeding, at least until we have time to properly investigate
    the reason for these failures.

 -- Sergio Durigan Junior <email address hidden>  Mon, 08 Nov 2021 23:54:35 -0500
Superseded in sid-release
curl (7.79.1-1) unstable; urgency=medium

  [ Samuel Henrique ]
  * Add myself as an Uploader
  * Add sergiodj as an uploader
  * New upstream version 7.79.1 (closes: #989046)
    - Changes since 7.74.0:
      ~ vtls: fix connection reuse checks for issuer cert and case sensitivity
      (closes: #991492, CVE-2021-22924)
      ~ Fix User-Agent header missing in some cases (closes: #994940)
      ~ Fix TELNET stack contents disclosure (closes: #989228, CVE-2021-22898)
  * d/rules: Add --with-{openssl|gnutls|nss} to configure args
  * Update all patches.
     Remove patches:
     - 07_do-not-disable-debug-symbols: Obsolete as per
       https://github.com/curl/curl/issues/7216.
     - 14_transfer-strip-credentials-from-the-auto-referer-hea:
       Originally from upstream, part of the release now.
     - 15_vtls-add-isproxy-argument-to-Curl_ssl_get-addsession:
       Originally from upstream, part of the release now.
     - fix-regression-microseconds-instead-of-seconds:
       Originally from upstream, part of the release now.
     Update patches:
     - 12_use-python3-in-tests: Update and forward upstream.
     - 90_gnutls: Update
     - 99_nss: Update
     - 13_fix-man-formatting: Update

  [ Debian Janitor ]
  * Use secure URI in Homepage field.
  * Set debhelper-compat version in Build-Depends.
  * Set upstream metadata fields: Bug-Database,
    Bug-Submit (from ./configure), Repository, Repository-Browse.
  * Avoid explicitly specifying -Wl,--as-needed linker flag.

  [ Helmut Grohne ]
  * Also remove -ffile-prefix-map from curl-config (closes: #990128)
  * Explicitly disable zstd support (closes: #992505)

  [ Sergio Durigan Junior ]
  * d/control: Add Rules-Requires-Root: no.
  * d/copyright: Add public-domain license text.
  * Enable GPG-checking of orig tarball.
    - d/upstream/signing-key.asc: Upstream public key.
    - d/watch: Add "pgpmode=auto" as an option.
  * Bump debhelper-compat to 13.
    - d/control: B-D on debhelper-compat = 13.
    - d/rules: After the override_dh_auto_install target has been run,
      we know that we can safely get rid of the contents inside the
      debian/tmp/ directory.  This is needed because otherwise dh_missing
      will complain about uninstalled files, which will make the build
      fail when using debhelper-compat 13.
  * d/rules: Some minor cleanup and removal of unneeded comments.
  * d/rules: Honour "nocheck" build option.
  * Make OpenSSL and GNUTLS builds fail if tests fail
    - d/rules: Adjust rule to make OpenSSL and GNUTLS builds fail if their
      tests fail.  Unfortunately, it's still not possible to make the NSS
      build fail if its tests fail; we're still investigating the failures
      there with it.
    - d/p/14_fix-compatibility-impacket-0-9-23.patch: Needed patch
      to make tests pass with impacket 0.9.23+.

 -- Samuel Henrique <email address hidden>  Mon, 08 Nov 2021 21:14:47 +0000
Superseded in bullseye-release
Superseded in sid-release
curl (7.74.0-1.3) unstable; urgency=medium

  * Non-maintainer upload.
  * Add upstream patch bc7ecc7 so curl -w times shown as seconds with
    fractions (Closes: #989064)

 -- Paul Gevers <email address hidden>  Fri, 25 Jun 2021 20:59:54 +0200
Published in buster-release
curl (7.64.0-4+deb10u2) buster-security; urgency=high

  * Fix partial password leak over DNS on HTTP redirect as per CVE-2020-8169
    (Closes: #965280)
    https://curl.haxx.se/docs/CVE-2020-8169.html
  * Fix local file overwrite as per CVE-2020-8177 (Closes: #965281)
    https://curl.se/docs/CVE-2020-8177.html
  * Fix use of wrong connect-only connection as per CVE-2020-8231
    (Closes: #968831)
    https://curl.se/docs/CVE-2020-8231.html
  * Don't trust FTP PASV responses by default as per CVE-2020-8284
    (Closes: #977163)
  * Fix FTP wildcard stack overflow as per CVE-2020-8285 (Closes: #977162)
    https://curl.se/docs/CVE-2020-8285.html
  * Make the OCSP verification verify the certificate id as per CVE-2020-8286
    (Closes: #977161)
    https://curl.se/docs/CVE-2020-8286.html
  * Fix credentials leak with automatic referer as per CVE-2021-22876
    https://curl.se/docs/CVE-2021-22876.html
  * Fix TLS 1.3 session ticket proxy host mixup as per CVE-2021-22890
    https://curl.se/docs/CVE-2021-22890.html

 -- Alessandro Ghedini <email address hidden>  Tue, 30 Mar 2021 21:56:00 +0100
Superseded in sid-release
curl (7.74.0-1.2) unstable; urgency=medium

  * Non-maintainer upload.
  * transfer: strip credentials from the auto-referer header field
    (CVE-2021-22876) (Closes: #986269)
  * vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
    (CVE-2021-22890) (Closes: #986270)

 -- Salvatore Bonaccorso <email address hidden>  Sat, 03 Apr 2021 14:43:39 +0200
Superseded in sid-release
curl (7.74.0-1.1) unstable; urgency=medium

  * Non-maintainer upload.

  [ Bruno Kleinert ]
  * Fixed "Please build-depend on libidn2-dev instead of obsolete transition
    package libidn2-0-dev" (Closes: #974996)

 -- Samuel Henrique <email address hidden>  Wed, 10 Feb 2021 00:42:40 +0000
Superseded in sid-release
curl (7.74.0-1) unstable; urgency=medium

  * New upstream release
    + Fix inferior OCSP verification as per CVE-2020-8286 (Closes: #977161)
      https://curl.se/docs/CVE-2020-8286.html
    + Fix FTP wildcard stack overflow as per CVE-2020-8285 (Closes: #977162)
      https://curl.se/docs/CVE-2020-8285.html
    + Fix trusting FTP PASV responses as per CVE-2020-8284 (Closes: #977163)
      https://curl.se/docs/CVE-2020-8284.html
  * Update debian/watch to new upstream download page layout
  * Update 12_use-python3-in-tests.patch due to renamed file
  * Refresh patches
  * Fix cross-build due to python build dependencies.
    Thanks to Helmut Grohne for the patch (Closes: #969004)
  * Fix formatting in some man pages.
    Thanks to Bjarni Ingi Gislason for the patch (Closes: #963559)
  * Update list of documentation files to install
  * Update symbols
  * Bump Standards-Version to 4.5.1 (no changes needed)
  * Drop removed file from d/copyright

 -- Alessandro Ghedini <email address hidden>  Thu, 31 Dec 2020 15:22:05 +0100
Superseded in sid-release
curl (7.72.0-1) unstable; urgency=medium

  * New upstream release
    + Fix partial password leak over DNS on HTTP redirect as per CVE-2020-8169
      (Closes: #965280)
      https://curl.haxx.se/docs/CVE-2020-8169.html
    + Fix local file overwrite with -J option as per CVE-2020-8177
      (Closes: #965281)
      https://curl.haxx.se/docs/CVE-2020-8177.html
    + Fix wrong connect-only connection as per CVE-2020-8231 (Closes: #968831)
      https://curl.haxx.se/docs/CVE-2020-8231.html
  * Refresh patches
  * Do not install *.la files.
    Thanks to Pino Toscano for the patch. (Closes: #955785)
  * Update list of doc files
  * Update copyright for polarssl -> mbedtls rename
  * Use python3 executable in tests

 -- Alessandro Ghedini <email address hidden>  Mon, 24 Aug 2020 10:26:12 +0200