Change log for curl package in Debian

Published in sid-release on 2019-03-08
curl (7.64.0-2) unstable; urgency=medium

  * Fix infinite loop when fetching URLs with unreachable IPv6 (Closes: #922554)

 -- Alessandro Ghedini <email address hidden>  Thu, 07 Mar 2019 20:02:35 +0000
Published in stretch-release on 2019-02-16
curl (7.52.1-5+deb9u9) stretch-security; urgency=high

  * Fix NTLM type-2 out-of-bounds buffer read as per CVE-2018-16890
    https://curl.haxx.se/docs/CVE-2018-16890.html
  * Fix NTLMv2 type-3 header stack buffer overflow as per CVE-2019-3822
    https://curl.haxx.se/docs/CVE-2019-3822.html
  * Fix SMTP end-of-response out-of-bounds read as per CVE-2019-3823
    https://curl.haxx.se/docs/CVE-2019-3823.html

 -- Alessandro Ghedini <email address hidden>  Mon, 04 Feb 2019 20:55:32 +0000
Published in buster-release on 2019-02-12
Published in sid-release on 2019-02-07
curl (7.64.0-1) unstable; urgency=medium

  * New upstream release
    + Fix NTLM type-2 out-of-bounds buffer read as per CVE-2018-16890
      https://curl.haxx.se/docs/CVE-2018-16890.html
    + Fix NTLMv2 type-3 header stack buffer overflow as per CVE-2019-3822
      https://curl.haxx.se/docs/CVE-2019-3822.html
    + Fix SMTP end-of-response out-of-bounds read as per CVE-2019-3823
      https://curl.haxx.se/docs/CVE-2019-3823.html
    + Fix HTTP negotiation with POST requests (Closes: #920267)

 -- Alessandro Ghedini <email address hidden>  Wed, 06 Feb 2019 22:33:05 +0000
Superseded in buster-release on 2019-02-12
Superseded in sid-release on 2019-03-08
curl (7.63.0-1) unstable; urgency=medium

  * New upstream release
    + Fix IPv6 numeral address parser (Closes: #915520)
    + Fix timeout handling (Closes: #914793)
    + Fix HTTP auth to include query in URI (Closes: #913214)
  * Drop 12_fix-runtests-curl.patch (merged upstream)
  * Update symbols
  * Update copyright for removed files
  * Bump debhelper compat level to 12
  * Bump Standards-Version to 4.3.0 (no changes needed)

 -- Alessandro Ghedini <email address hidden>  Tue, 15 Jan 2019 20:47:40 +0000
Superseded in stretch-release on 2019-02-16
curl (7.52.1-5+deb9u8) stretch-security; urgency=high

  * Fix SASL password overflow via integer overflow as per CVE-2018-16839
    https://curl.haxx.se/docs/CVE-2018-16839.html
  * Fix warning message out-of-buffer read as per CVE-2018-16842
    https://curl.haxx.se/docs/CVE-2018-16842.html

 -- Alessandro Ghedini <email address hidden>  Tue, 30 Oct 2018 21:39:11 +0000
Superseded in buster-release on 2019-01-22
Superseded in sid-release on 2019-01-17
curl (7.62.0-1) unstable; urgency=medium

  * New upstream release
    + Fix NTLM password overflow via integer overflow as per CVE-2018-14618
      (Closes: #908327) https://curl.haxx.se/docs/CVE-2018-14618.html
    + Fix SASL password overflow via integer overflow as per CVE-2018-16839
      https://curl.haxx.se/docs/CVE-2018-16839.html
    + Fix use-after-free in handle close as per CVE-2018-16840
      https://curl.haxx.se/docs/CVE-2018-16840.html
    + Fix warning message out-of-buffer read as per CVE-2018-16842
      https://curl.haxx.se/docs/CVE-2018-16842.html
    + Fix broken terminal output (closes: #911333)
  * Refresh patches
  * Add 12_fix-runtests-curl.patch to fix running curl in tests

 -- Alessandro Ghedini <email address hidden>  Wed, 31 Oct 2018 22:42:44 +0000
Superseded in buster-release on 2018-11-29
Superseded in sid-release on 2018-11-02
curl (7.61.0-1) unstable; urgency=medium

  * New upstream release
    + Fix SMTP send heap buffer overflow as per CVE-2018-0500 (Closes: #903546)
      https://curl.haxx.se/docs/adv_2018-70a2.html
    + Fix some crashes related to HTTP/2 (Closes: #902628)
  * Disable libssh2 on Ubuntu.
    Thanks to Gianfranco Costamagna for the patch (Closes: #888449)
  * Bump Standards-Version to 4.2.0 (no changes needed)
  * Don't configure default CA bundle with OpenSSL and GnuTLS (Closes: #883174)

 -- Alessandro Ghedini <email address hidden>  Sat, 11 Aug 2018 13:32:28 +0100
Superseded in stretch-release on 2018-11-10
curl (7.52.1-5+deb9u6) stretch-security; urgency=high

  * Fix heap buffer over-read when parsing bad RTSP headers
    as per CVE-2018-1000301
    https://curl.haxx.se/docs/adv_2018-b138.html

 -- Alessandro Ghedini <email address hidden>  Tue, 15 May 2018 23:00:28 +0100
Published in jessie-release on 2018-06-23
curl (7.38.0-4+deb8u11) jessie-security; urgency=high

  * Fix heap buffer over-read when parsing bad RTSP headers
    as per CVE-2018-1000301
    https://curl.haxx.se/docs/adv_2018-b138.html

 -- Alessandro Ghedini <email address hidden>  Tue, 15 May 2018 23:05:31 +0100
Superseded in buster-release on 2018-08-16
Superseded in sid-release on 2018-08-15
curl (7.60.0-2) unstable; urgency=medium

  [ Steve Langasek ]
  * Build-depend on libssl-dev instead of libssl1.0-dev.
  * Rename libcurl3 to libcurl4, because libcurl exposes an SSL_CTX via
    CURLOPT_SSL_CTX_FUNCTION, and this object changes incompatibly between
    openssl 1.0 and openssl 1.1.
  * debian/patches/03_keep_symbols_compat.patch: drop, since we are no longer
    claiming compatibility.
  * debian/patches/90_gnutls.patch: Retain symbol versioning compatibility for
    non-OpenSSL builds.  Closes: #858398.
  * Adjust libssl1.1 vs libssl1.0 Suggests/Conflicts; thanks, Adrian Bunk

 -- Alessandro Ghedini <email address hidden>  Wed, 23 May 2018 20:25:39 +0100
Superseded in buster-release on 2018-08-14
Superseded in sid-release on 2019-02-03
curl (7.60.0-1) unstable; urgency=medium

  * New upstream release (Closes: #891997, #893546, #898856)
    + Fix use of IPv6 literals with NO_PROXY
    + Fix NIL byte out of bounds write due to FTP path trickery
      as per CVE-2018-1000120
      https://curl.haxx.se/docs/adv_2018-9cd6.html
    + Fix LDAP NULL pointer dereference as per CVE-2018-1000121
      https://curl.haxx.se/docs/adv_2018-97a2.html
    + Fix RTSP RTP buffer over-read as per CVE-2018-1000122
      https://curl.haxx.se/docs/adv_2018-b047.html
    + Fix heap buffer overflow when closing down an FTP connection
      with very long server command replies as per CVE-2018-1000300
      https://curl.haxx.se/docs/adv_2018-82c2.html
    + Fix heap buffer over-read when parsing bad RTSP headers
      as per CVE-2018-1000301
      https://curl.haxx.se/docs/adv_2018-b138.html
  * Refresh patches
  * Bump Standards-Version to 4.1.4 (no changes needed)

 -- Alessandro Ghedini <email address hidden>  Fri, 18 May 2018 20:21:17 +0100
Superseded in stretch-release on 2018-07-14
curl (7.52.1-5+deb9u4) stretch-security; urgency=high

  * Fix HTTP/2 trailer out-of-bounds read as per CVE-2018-1000005
    https://curl.haxx.se/docs/adv_2018-824a.html
  * Fix HTTP authentication leak in redirects as per CVE-2018-1000007
    https://curl.haxx.se/docs/adv_2018-b3bf.html

 -- Alessandro Ghedini <email address hidden>  Tue, 23 Jan 2018 21:56:56 +0000
Deleted in experimental-release (Reason: None provided.)
curl (7.58.0-3) experimental; urgency=medium

  [ Steve Langasek ]
  * Build-depend on libssl-dev instead of libssl1.0-dev.
  * Rename libcurl3 to libcurl4, because libcurl exposes an SSL_CTX via
    CURLOPT_SSL_CTX_FUNCTION, and this object changes incompatibly between
    openssl 1.0 and openssl 1.1.
  * debian/patches/03_keep_symbols_compat.patch: drop, since we are no longer
    claiming compatibility.
  * debian/patches/90_gnutls.patch: Retain symbol versioning compatibility for
    non-OpenSSL builds.  Closes: #858398.
  * Adjust libssl1.1 vs libssl1.0 Suggests/Conflicts; thanks, Adrian Bunk

 -- Alessandro Ghedini <email address hidden>  Tue, 27 Feb 2018 21:16:17 +0000
Superseded in buster-release on 2018-05-24
Superseded in sid-release on 2019-02-03
curl (7.58.0-2) unstable; urgency=medium

  * Explicitly enable libssh2 support which got silently disabled in the
    previous update

 -- Alessandro Ghedini <email address hidden>  Wed, 24 Jan 2018 20:27:50 +0000
Superseded in sid-release on 2018-01-25
curl (7.58.0-1) unstable; urgency=medium

  * New upstream release
    - Fix HTTP/2 trailer out-of-bounds read as per CVE-2018-1000005
      https://curl.haxx.se/docs/adv_2018-824a.html
    - Fix HTTP authentication leak in redirects as per CVE-2018-1000007
      https://curl.haxx.se/docs/adv_2018-b3bf.html
  * Point Vcs-* to salsa.d.o
  * Bump Standards-Version to 4.1.3 (no changes needed)
  * Bump debhelper compat level to 11
  * Refresh patches
  * Fix insecure-copyright-format-uri

 -- Alessandro Ghedini <email address hidden>  Wed, 24 Jan 2018 11:13:58 +0000
Superseded in jessie-release on 2018-06-23
curl (7.38.0-4+deb8u8) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix NTLM buffer overflow via integer overflow as per CVE-2017-8816
    https://curl.haxx.se/docs/adv_2017-11e7.html
  * Fix FTP wildcard out of bounds read as per CVE-2017-8817
    https://curl.haxx.se/docs/adv_2017-ae72.html

 -- Yves-Alexis Perez <email address hidden>  Sat, 25 Nov 2017 22:03:21 +0100
Superseded in stretch-release on 2018-03-10
curl (7.52.1-5+deb9u3) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix NTLM buffer overflow via integer overflow as per CVE-2017-8816
    https://curl.haxx.se/docs/adv_2017-11e7.html
  * Fix FTP wildcard out of bounds read as per CVE-2017-8817
    https://curl.haxx.se/docs/adv_2017-ae72.html

 -- Yves-Alexis Perez <email address hidden>  Sun, 26 Nov 2017 13:00:56 +0100
Superseded in buster-release on 2018-01-30
Superseded in sid-release on 2018-01-25
curl (7.57.0-1) unstable; urgency=medium

  * New upstream release
    - Fix NTLM buffer overflow via integer overflow as per CVE-2017-8816
      https://curl.haxx.se/docs/adv_2017-11e7.html
    - Fix FTP wildcard out of bounds read as per CVE-2017-8817
      https://curl.haxx.se/docs/adv_2017-ae72.html
    - Fix SSL out of buffer access as per CVE-2017-8818
      https://curl.haxx.se/docs/adv_2017-af0a.html
  * Remove -fdebug-prefix-map from curl-config.
    Thanks to Timo Weingärtner for the patch (Closes: #861974, #874223, #874238)
  * Don't install zsh completion when cross compiling.
    Thanks to Wookey for the patch (Closes: #812965)

 -- Alessandro Ghedini <email address hidden>  Thu, 30 Nov 2017 10:16:03 +0000
Superseded in buster-release on 2017-12-06
Superseded in sid-release on 2019-02-03
curl (7.56.1-1) unstable; urgency=medium

  * New upstream release
    - Fix IMAP FETCH response out of bounds read as per CVE-2017-1000257
      https://curl.haxx.se/docs/adv_20171023.html
  * Bump Standards-Version to 4.1.1 (no changes needed)
  * Drop 01_runtests_gdb.patch
  * Drop 12_dont-wait-on-CONNECT.patch
  * Refresh patches
  * Update *.symbols files
  * Use https:// URL in watch file

 -- Alessandro Ghedini <email address hidden>  Tue, 24 Oct 2017 11:05:48 +0100
Superseded in buster-release on 2017-10-29
Superseded in sid-release on 2017-12-01
curl (7.55.1-1) unstable; urgency=medium

  * New upstream release
    - Fix FTBFS on powerpc (Closes: #872502)
  * Apply upstream patch to fix connection timeouts with NetworkManager
    (Closes: #873181)
  * Refresh patches
  * Bump Standards-Version to 4.1.0 (no changes needed)

 -- Alessandro Ghedini <email address hidden>  Sat, 02 Sep 2017 12:10:22 +0100
Superseded in buster-release on 2017-09-08
Superseded in sid-release on 2017-09-04
curl (7.55.0-1) unstable; urgency=medium

  * New upstream release
    - Fix TFTP sends more than buffer size as per CVE-2017-1000100
      (Closes: #871555)
    - Fix URL globbing out of bounds read as per CVE-2017-1000101
      (Closes: #871554)
  * Refresh patches and drop patches merged upstream
  * Update Standards-Version to 4.0.1 (no changes needed)
  * Drop -dbg package

 -- Alessandro Ghedini <email address hidden>  Sat, 12 Aug 2017 15:18:05 +0100
Superseded in buster-release on 2017-08-18
Superseded in stretch-release on 2017-12-09
Superseded in sid-release on 2017-10-24
curl (7.52.1-5) unstable; urgency=high

  * Fix TLS session resumption client cert bypass as per CVE-2017-7468
    https://curl.haxx.se/docs/adv_20170419.html

 -- Alessandro Ghedini <email address hidden>  Wed, 19 Apr 2017 11:19:50 +0100
Superseded in stretch-release on 2017-04-29
Superseded in sid-release on 2017-04-20
curl (7.52.1-4) unstable; urgency=medium

  * Fix regression in CONNECT response handling (Closes: #857613)
  * Fix buffer read overrun on --write-out as per CVE-2017-7407
    https://curl.haxx.se/docs/adv_20170403.html (Closes: #859500)

 -- Alessandro Ghedini <email address hidden>  Sat, 08 Apr 2017 21:55:27 +0100
Superseded in stretch-release on 2017-04-11
Superseded in sid-release on 2017-04-09
curl (7.52.1-3) unstable; urgency=high

  * Make SSL_VERIFYSTATUS work again as per CVE-2017-2629
    https://curl.haxx.se/docs/adv_20170222.html

 -- Alessandro Ghedini <email address hidden>  Tue, 21 Feb 2017 22:38:41 +0000
Superseded in stretch-release on 2017-02-27
Superseded in sid-release on 2017-02-25
curl (7.52.1-2) unstable; urgency=medium

  * Fix HTTPS connection timeout with OpenSSL (Closes: #852317)

 -- Alessandro Ghedini <email address hidden>  Sun, 29 Jan 2017 21:34:10 +0000
Superseded in jessie-release on 2017-12-09
curl (7.38.0-4+deb8u5) jessie-security; urgency=high

  * Fix cookie injection for other servers as per CVE-2016-8615
    https://curl.haxx.se/docs/adv_20161102A.html
  * Fix case insensitive password comparison as per CVE-2016-8616
    https://curl.haxx.se/docs/adv_20161102B.html
  * Fix OOB write via unchecked multiplication as per CVE-2016-8617
    https://curl.haxx.se/docs/adv_20161102C.html
  * Fix double-free in curl_maprintf as per CVE-2016-8618
    https://curl.haxx.se/docs/adv_20161102D.html
  * Fix double-free in krb5 code as per CVE-2016-8619
    https://curl.haxx.se/docs/adv_20161102E.html
  * Fix glob parser write/read out of bounds as per CVE-2016-8620
    https://curl.haxx.se/docs/adv_20161102F.html
  * Fix curl_getdate read out of bounds as per CVE-2016-8621
    https://curl.haxx.se/docs/adv_20161102G.html
  * Fix URL unescape heap overflow via integer truncation as per CVE-2016-8622
    https://curl.haxx.se/docs/adv_20161102H.html
  * Fix use-after-free via shared cookies as per CVE-2016-8623
    https://curl.haxx.se/docs/adv_20161102I.html
  * Fix invalid URL parsing with '#' as per CVE-2016-8624
    https://curl.haxx.se/docs/adv_20161102J.html

 -- Alessandro Ghedini <email address hidden>  Tue, 01 Nov 2016 21:38:10 +0000
Superseded in stretch-release on 2017-02-04
Superseded in sid-release on 2017-01-31
curl (7.52.1-1) unstable; urgency=medium

  * New upstream release
    - Fix printf floating point buffer overflow as per CVE-2016-9586
      (Closes: #848958)
  * B-D on "libssl1.0-dev | libssl-dev (<< 1.1)" (Closes: #850880, #844018)
  * Another attempt at making -dev packages multi-arch.
    Thanks to Benjamin Moody for the patches. (Closes: #731998, #846360)
  * Enable support for PSL (Closes: #847958)
  * Re-enable support for IDN (Closes: #849539)
  * Drop 10_disable-network-tests.patch.
    It didn't really work, and the issue is not urgent.
  * Switch curl binary back to libcurl3/OpenSSL.
    While the GnuTLS flavour mostly worked fine, there are a bunch of features
    that are not implemented.

 -- Alessandro Ghedini <email address hidden>  Thu, 12 Jan 2017 22:02:44 +0000
Superseded in stretch-release on 2017-01-23
Superseded in sid-release on 2017-01-13
curl (7.51.0-1) unstable; urgency=medium

  * New upstream release
    - Fix cookie injection for other servers as per CVE-2016-8615
      https://curl.haxx.se/docs/adv_20161102A.html
    - Fix case insensitive password comparison as per CVE-2016-8616
      https://curl.haxx.se/docs/adv_20161102B.html
    - Fix OOB write via unchecked multiplication as per CVE-2016-8617
      https://curl.haxx.se/docs/adv_20161102C.html
    - Fix double-free in curl_maprintf as per CVE-2016-8618
      https://curl.haxx.se/docs/adv_20161102D.html
    - Fix double-free in krb5 code as per CVE-2016-8619
      https://curl.haxx.se/docs/adv_20161102E.html
    - Fix glob parser write/read out of bounds as per CVE-2016-8620
      https://curl.haxx.se/docs/adv_20161102F.html
    - Fix curl_getdate read out of bounds as per CVE-2016-8621
      https://curl.haxx.se/docs/adv_20161102G.html
    - Fix URL unescape heap overflow via integer truncation as per CVE-2016-8622
      https://curl.haxx.se/docs/adv_20161102H.html
    - Fix use-after-free via shared cookies as per CVE-2016-8623
      https://curl.haxx.se/docs/adv_20161102I.html
    - Fix invalid URL parsing with '#' as per CVE-2016-8624
      https://curl.haxx.se/docs/adv_20161102J.html
    - Fix IDNA 2003 makes curl use wrong host
      https://curl.haxx.se/docs/adv_20161102K.html
    - Fix escape and unescape integer overflows as
      per CVE-2016-7167 (Closes: #837945)
      https://curl.haxx.se/docs/adv_20160914.html
    - Fix incorrect reuse of client certificates (NSS backend)
      as per CVE-2016-7141 (Closes: #836918)
      https://curl.haxx.se/docs/adv_20160907.html
  * Drop 02_art_http_scripting.patch (file not shipped anymore)
  * Refresh patches
  * Temporarily disable IDN support
  * Don't install pdf and html docs (they are not shipped in the tarball anymore)
  * Install markdown docs

 -- Alessandro Ghedini <email address hidden>  Thu, 03 Nov 2016 22:46:14 +0000
Superseded in jessie-release on 2017-01-14
curl (7.38.0-4+deb8u4) jessie-security; urgency=high

  * Fix TLS session resumption client cert bypass as per CVE-2016-5419
    https://curl.haxx.se/docs/adv_20160803A.html
  * Fix re-using connection with wrong client cert as per CVE-2016-5420
    https://curl.haxx.se/docs/adv_20160803B.html
  * Fix use of connection struct after free as per CVE-2016-5421
    https://curl.haxx.se/docs/adv_20160803C.html

 -- Alessandro Ghedini <email address hidden>  Mon, 01 Aug 2016 12:19:28 +0100
Superseded in stretch-release on 2016-12-29
Superseded in sid-release on 2016-11-04
curl (7.50.1-1) unstable; urgency=medium

  * New upstream release (Closes: #827900)
    - Fix TLS session resumption client cert bypass as per CVE-2016-5419
      https://curl.haxx.se/docs/adv_20160803A.html
    - Fix re-using connection with wrong client cert as per CVE-2016-5420
      https://curl.haxx.se/docs/adv_20160803B.html
    - Fix use of connection struct after free as per CVE-2016-5421
      https://curl.haxx.se/docs/adv_20160803C.html
    - Support OpenSSL 1.1 (Closes: #828127)
  * Fix 04_workaround_as_needed_bug.patch.
    Thanks to Yuriy M. Kaminskiy for the patch (Closes: #818131)
  * Bump Standards-Version to 3.9.8 (no changes needed)
  * Update Vcs-* URLs
  * Refresh patches
  * Add 08_enable-zsh.patch to re-enable zsh completion generation
  * Remove 08_fix-zsh-completion.patch (was already disabled)
  * Add 09_fix-typo.patch to fix spelling-error-in-manpage
  * Add 10_disable-network-tests.patch to disable networked tests
    (Closes: #830273)
  * Improve cross Build-Depends satisfiability.
    Thanks to Helmut Grohne for the patch (Closes: #818092)

 -- Alessandro Ghedini <email address hidden>  Wed, 03 Aug 2016 12:46:05 +0100
Superseded in jessie-release on 2016-09-17
curl (7.38.0-4+deb8u3) jessie-security; urgency=medium

  * Fix NTLM credentials not-checked for proxy connection re-use
    as per CVE-2016-0755
    http://curl.haxx.se/docs/adv_20160127A.htm

 -- Alessandro Ghedini <email address hidden>  Tue, 26 Jan 2016 22:39:38 +0000
Superseded in stretch-release on 2016-08-09
Superseded in sid-release on 2016-08-04
curl (7.47.0-1) unstable; urgency=high

  * New upstream release
    - Fix NTLM credentials not-checked for proxy connection re-use
      as per CVE-2016-0755
      http://curl.haxx.se/docs/adv_20160127A.html
    - Set urgency=high accordingly
  * Remove hard-coded dependency on libgnutls (Closes: #812542)
  * Drop 08_fix-zsh-completion.patch (merged upstream)
  * Refresh patches

 -- Alessandro Ghedini <email address hidden>  Wed, 27 Jan 2016 11:45:59 +0000
Superseded in stretch-release on 2016-01-30
Superseded in sid-release on 2016-02-22
curl (7.46.0-1) unstable; urgency=medium

  * New upstream release
    - Initialize OpenSSL algorithms after loading config (Closes: #805408)
  * Install curl zsh completion (Closes: #805509)
    - Add 08_fix-zsh-completion.patch to fix zsh completion generation

 -- Alessandro Ghedini <email address hidden>  Sun, 27 Dec 2015 18:18:09 +0100
Superseded in stretch-release on 2016-01-02
Superseded in sid-release on 2015-12-28
curl (7.45.0-1) unstable; urgency=medium

  * New upstream release
  * Drop 08_spelling.patch (merged upstream)

 -- Alessandro Ghedini <email address hidden>  Wed, 07 Oct 2015 12:59:03 +0200
Superseded in stretch-release on 2015-10-13
Superseded in sid-release on 2015-10-08
curl (7.44.0-2) unstable; urgency=medium

  * Enable HTTP/2 support (Closes: #796302)

 -- Alessandro Ghedini <email address hidden>  Thu, 10 Sep 2015 11:25:14 +0200
Published in wheezy-release on 2015-09-05
curl (7.26.0-1+wheezy13) wheezy-security; urgency=high

  * Fix re-using authenticated connection when unauthenticated
    as per CVE-2015-3143
    http://curl.haxx.se/docs/adv_20150422A.html
  * Fix Negotiate not treated as connection-oriented as per CVE-2015-3148
    http://curl.haxx.se/docs/adv_20150422B.html

 -- Alessandro Ghedini <email address hidden>  Tue, 21 Apr 2015 13:51:57 +0200
Superseded in stretch-release on 2015-09-19
Superseded in sid-release on 2015-09-13
curl (7.44.0-1) unstable; urgency=medium

  * New upstream release
  * Refresh patches
  * Update symbols files
  * Add 08_spelling.patch to fix some spelling errors

 -- Alessandro Ghedini <email address hidden>  Wed, 12 Aug 2015 11:49:04 +0200
Superseded in stretch-release on 2015-08-18
Superseded in sid-release on 2015-08-13
curl (7.43.0-1) unstable; urgency=medium

  * New upstream release
    - Fix lingering HTTP credentials in connection re-use as per CVE-2015-3236
      http://curl.haxx.se/docs/adv_20150617A.html
    - Fix SMB send off unrelated memory contents as per CVE-2015-3237
      http://curl.haxx.se/docs/adv_20150617B.html
  * Refresh patches
  * Fix spelling-error-in-description

 -- Alessandro Ghedini <email address hidden>  Wed, 17 Jun 2015 10:21:34 +0200
Superseded in stretch-release on 2015-06-23
Superseded in sid-release on 2015-06-18
curl (7.42.1-3) unstable; urgency=medium

  * Update copyright
  * Set both CA bundle and CA path default values for OpenSSL and GnuTLS
    backends
  * Bump versioned depends on libgnutls to workaround lack of nettle versioned
    symbols (Closes: #787960)

 -- Alessandro Ghedini <email address hidden>  Sun, 07 Jun 2015 18:15:15 +0200
Superseded in jessie-release on 2016-04-02
curl (7.38.0-4+deb8u2) jessie-security; urgency=high

  * Don't send sensitive HTTP server headers to proxies as per CVE-2015-3153
    http://curl.haxx.se/docs/adv_20150429.html

 -- Alessandro Ghedini <email address hidden>  Wed, 29 Apr 2015 10:47:47 +0200
Superseded in stretch-release on 2015-06-14
Superseded in sid-release on 2015-06-09
curl (7.42.1-2) unstable; urgency=medium

  * Switch curl binary to libcurl3-gnutls (Closes: #342719)
    This is the first step of a possible migration to a GnuTLS-only
    libcurl for Debian. Let's see how it goes.

 -- Alessandro Ghedini <email address hidden>  Sun, 03 May 2015 13:13:15 +0200
Superseded in stretch-release on 2015-05-09
Superseded in sid-release on 2015-05-03
curl (7.42.1-1) unstable; urgency=high

  * New upstream release
    - Don't send sensitive HTTP server headers to proxies as per
      CVE-2015-3153
      http://curl.haxx.se/docs/adv_20150429.html
  * Drop 08_fix-spelling.patch (merged upstream)
  * Refresh patches

 -- Alessandro Ghedini <email address hidden>  Wed, 29 Apr 2015 10:43:43 +0200
Superseded in sid-release on 2015-04-30
curl (7.42.0-1) unstable; urgency=medium


  * New upstream release
    - Fix re-using authenticated connection when unauthenticated
      as per CVE-2015-3143
      http://curl.haxx.se/docs/adv_20150422A.html
    - Fix host name out of boundary memory access as per CVE-2015-3144
      http://curl.haxx.se/docs/adv_20150422D.html
    - Fix cookie parser out of boundary memory access as per CVE-2015-3145
      http://curl.haxx.se/docs/adv_20150422C.html
    - Fix Negotiate not treated as connection-oriented as per CVE-2015-3148
      http://curl.haxx.se/docs/adv_20150422B.html
    - Disable SSLv3 in the OpenSSL backend when OPENSSL_NO_SSL3_METHOD is
      defined (Closes: #768562)
  * Drop patches merged upstream
  * Refresh patches
  * Bump Standards-Version to 3.9.6 (no changes needed)

 -- Alessandro Ghedini <email address hidden>  Wed, 22 Apr 2015 11:07:32 +0200
Superseded in wheezy-release on 2015-09-05
curl (7.26.0-1+wheezy11) wheezy-security; urgency=high


  * Fix duphandle read out of bounds as per CVE-2014-3707
    http://curl.haxx.se/docs/adv_20141105.html
  * Set urgency=high accordingly

 -- Alessandro Ghedini <email address hidden>  Sun, 02 Nov 2014 16:07:47 +0100
Superseded in jessie-release on 2015-06-06
Superseded in sid-release on 2015-04-22
curl (7.38.0-4) unstable; urgency=high


  * Fix URL request injection vulnerability as per CVE-2014-8150
    http://curl.haxx.se/docs/adv_20150108B.html
  * Set urgency=high accordingly

 -- Alessandro Ghedini <email address hidden>  Thu, 08 Jan 2015 10:47:24 +0100
Superseded in jessie-release on 2015-01-11
Superseded in sid-release on 2015-01-09
curl (7.38.0-3) unstable; urgency=high


  * Enable all hardening options (Closes: #763372)
  * Fix duphandle read out of bounds as per CVE-2014-3707
    http://curl.haxx.se/docs/adv_20141105.html
  * Set urgency=high accordingly

 -- Alessandro Ghedini <email address hidden>  Thu, 06 Nov 2014 11:40:24 +0100
Superseded in wheezy-release on 2015-01-10
curl (7.26.0-1+wheezy10) wheezy-security; urgency=high


  * Fix multiple security issues:
    - Only use full host matches for hosts used as IP address
      as per CVE-2014-3613
    - Reject incoming cookies set for TLDs as per CVE-2014-3620
  * Set urgency=high accordingly

 -- Alessandro Ghedini <email address hidden>  Sat, 06 Sep 2014 14:07:02 +0200
Superseded in jessie-release on 2014-11-09
Superseded in sid-release on 2014-11-07
curl (7.38.0-2) unstable; urgency=medium


  * Check for libtoolize instead of libtool during build.
    Thanks to Helmut Grohne for the patch (Closes: #761740)
  * Add README.source note regarding ordering of patches (Closes: #762193)
  * Add 10_fix-resolver.patch from upstream (Closes: #762014)

 -- Alessandro Ghedini <email address hidden>  Tue, 23 Sep 2014 16:41:53 +0200
Superseded in jessie-release on 2014-09-29
Superseded in sid-release on 2014-09-24
curl (7.38.0-1) unstable; urgency=medium


  * New upstream release
    - Only use full host matches for hosts used as IP address
      as per CVE-2014-3613
      http://curl.haxx.se/docs/adv_20140910A.html
    - Reject incoming cookies set for TLDs as per CVE-2014-3620
      http://curl.haxx.se/docs/adv_20140910B.html
  * Drop 08_link-curl-to-nss.patch (merged upstream)
  * Refresh patches
  * Fix wildcard-matches-nothing-in-dep5-copyright
  * Add 08_fix-spelling.patch

 -- Alessandro Ghedini <email address hidden>  Wed, 10 Sep 2014 20:11:02 +0200
Published in squeeze-release on 2014-07-19
curl (7.21.0-2.1+squeeze8) squeeze-security; urgency=medium


  * Fix multiple security issues (Closes: #742728):
    - Fix connection re-use when using different log-in credentials
      as per CVE-2014-0138
      http://curl.haxx.se/docs/adv_20140326A.html
    - Reject IP address wildcard matches as per CVE-2014-0139
      http://curl.haxx.se/docs/adv_20140326B.html
  * Set urgency=high accordingly

 -- Alessandro Ghedini <email address hidden>  Wed, 09 Apr 2014 19:47:38 +0200
Superseded in jessie-release on 2014-09-16
Superseded in sid-release on 2014-09-11
curl (7.37.1-1) unstable; urgency=medium


  * New upstream release
  * Re-enable RTMP support (Closes: #754222)
  * Add 08_link-curl-to-nss.patch to fix NSS build
  * Refresh patches
  * Install manpages of single libcurl options too

 -- Alessandro Ghedini <email address hidden>  Fri, 18 Jul 2014 10:18:03 +0200
Superseded in jessie-release on 2014-07-24
Superseded in sid-release on 2014-07-19
curl (7.37.0-1) unstable; urgency=medium


  * New upstream release
    - Fix NULL pointer dereference in GnuTLS code (Closes: #746349)
  * Drop 08_fix-imap-tests.patch (merged upstream)
  * Refresh 01_runtests_gdb.patch
  * Remove Build-Depends on libgcrypt

 -- Alessandro Ghedini <email address hidden>  Wed, 21 May 2014 15:22:38 +0200
Superseded in jessie-release on 2014-05-27
Superseded in sid-release on 2014-05-24
curl (7.36.0-2) unstable; urgency=medium


  * Move Depends on -dev packages needed to use static libraries to Suggests
  * Switch to GnuTLS 3.x (Closes: #741568)
  * Disable RTMP support (librtmp-dev requires libgnutls-dev, which conflicts
    with libgnutls28-dev)

 -- Alessandro Ghedini <email address hidden>  Mon, 28 Apr 2014 19:37:14 +0200
Superseded in wheezy-release on 2014-10-18
curl (7.26.0-1+wheezy9) wheezy-security; urgency=high


  * Fix multiple security issues (Closes: #742728):
    - Fix connection re-use when using different log-in credentials
      as per CVE-2014-0138
      http://curl.haxx.se/docs/adv_20140326A.html
    - Reject IP address wildcard matches as per CVE-2014-0139
      http://curl.haxx.se/docs/adv_20140326B.html
  * Set urgency=high accordingly

 -- Alessandro Ghedini <email address hidden>  Wed, 09 Apr 2014 19:03:55 +0200
Superseded in jessie-release on 2014-05-04
Superseded in sid-release on 2014-05-01
curl (7.36.0-1) unstable; urgency=high


  * New upstream release (Closes: #742728)
    - Fix connection re-use when using different log-in credentials
      as per CVE-2014-0138
      http://curl.haxx.se/docs/adv_20140326A.html
    - Reject IP address wildcard matches as per CVE-2014-0139
      http://curl.haxx.se/docs/adv_20140326B.html
    - Set urgency=high accordingly
  * Add 08_fix-imap-tests.patch to fix tests broken by the fix for CVE-2014-0138

 -- Alessandro Ghedini <email address hidden>  Sun, 30 Mar 2014 15:36:35 +0200
Superseded in squeeze-release on 2014-07-19
curl (7.21.0-2.1+squeeze7) squeeze-security; urgency=high


  * Fix re-use of wrong HTTP NTLM connection as per CVE-2014-0015
    http://curl.haxx.se/docs/adv_20140129.html
  * Set urgency=high accordingly

 -- Alessandro Ghedini <email address hidden>  Wed, 29 Jan 2014 19:05:15 +0100
Superseded in wheezy-release on 2014-04-26
curl (7.26.0-1+wheezy8) wheezy-security; urgency=high


  * Fix re-use of wrong HTTP NTLM connection as per CVE-2014-0015
    http://curl.haxx.se/docs/adv_20140129.html
  * Set urgency=high accordingly

 -- Alessandro Ghedini <email address hidden>  Wed, 29 Jan 2014 19:01:03 +0100
Superseded in jessie-release on 2014-04-02
Superseded in sid-release on 2014-03-31
curl (7.35.0-1) unstable; urgency=high


  * New upstream release
    - Fix re-use of wrong HTTP NTLM connection as per CVE-2014-0015
      http://curl.haxx.se/docs/adv_20140129.html
    - Set urgency=high accordingly
  * Refresh patches

 -- Alessandro Ghedini <email address hidden>  Wed, 29 Jan 2014 11:16:57 +0100
Superseded in jessie-release on 2014-02-01
Superseded in sid-release on 2014-01-29
curl (7.34.0-1) unstable; urgency=high


  * New upstream release
    - Fix GnuTLS checking of a certificate CN or SAN name field when the
      digital signature verification is turned off as per CVE-2013-6422
      http://curl.haxx.se/docs/adv_20131217.html
    - Set urgency=high accordingly
  * Drop patches merged upstream:
    - 08_fix-typo.patch
    - 09_fix-urlglob.patch

 -- Alessandro Ghedini <email address hidden>  Tue, 17 Dec 2013 13:16:19 +0100
Superseded in wheezy-release on 2014-02-08
curl (7.26.0-1+wheezy6) stable-security; urgency=low


  * Disable host verification too when using the --insecure option
    (Closes: #729965)

 -- Alessandro Ghedini <email address hidden>  Tue, 19 Nov 2013 17:15:32 +0100
Superseded in sid-release on 2013-12-19
curl (7.33.0-2) unstable; urgency=low


  * Make -dev packages Multi-Arch: same too (Closes: #731309)
  * Bump Standards-Version to 3.9.5 (no changes needed)
  * Add 09_fix-urlglob.patch to fix URL globbing (Closes: #731855)

 -- Alessandro Ghedini <email address hidden>  Wed, 11 Dec 2013 18:44:37 +0100
Superseded in squeeze-release on 2014-02-15
curl (7.21.0-2.1+squeeze4) oldstable-security; urgency=high


  * Fix URL decode buffer boundary flaw as per CVE-2013-2174
    http://curl.haxx.se/docs/adv_20130622.html
  * Set urgency=high accordingly

 -- Alessandro Ghedini <email address hidden>  Sat, 22 Jun 2013 16:53:25 +0200
Superseded in wheezy-release on 2013-12-14
curl (7.26.0-1+wheezy4) stable-proposed-updates; urgency=low


  * Add 09_reset-timecond.patch (Closes: #705783, #719300)

 -- Alessandro Ghedini <email address hidden>  Sat, 10 Aug 2013 16:45:38 +0200
Superseded in jessie-release on 2013-12-20
Superseded in sid-release on 2013-12-14
curl (7.33.0-1) unstable; urgency=low


  * New upstream release
    - Handle arbitrary-length username and password (Closes: #719856)
  * Remove Luk from Uploaders as per his request (Closes: #723603)
  * Do not Build-Depends on specific automake version (Closes: #724361)
  * Fix lintian vcs-field-not-canonical
  * Add 08_fix-typo.patch
  * Refresh patches

 -- Alessandro Ghedini <email address hidden>  Mon, 14 Oct 2013 22:11:14 +0200
Superseded in jessie-release on 2013-10-25
Superseded in sid-release on 2013-10-16
curl (7.32.0-1) unstable; urgency=low


  * New upstream release
  * Fix typo in changelog entry for 7.31.0-1 (Closes: #714502)
  * Drop 08_typo.patch (merged upstream)
  * Drop 09_openssl-recv.patch (merged upstream)
  * Refresh 90_gnutls.patch and 99_nss.patch
  * Refresh 06_always-disable-valgrind.patch
  * Enable threaded DNS resolver (Closes: #570436)
    See NEWS.Debian for more info

 -- Alessandro Ghedini <email address hidden>  Mon, 12 Aug 2013 12:19:05 +0200
Superseded in jessie-release on 2013-08-23
Superseded in sid-release on 2013-08-13
curl (7.31.0-2) unstable; urgency=high


  * Add 09_openssl-recv.patch to fix incorrect OpenSSL usage (Closes: #714050)
  * Set urgency=high because of the security fix in the previous upload

 -- Alessandro Ghedini <email address hidden>  Wed, 26 Jun 2013 11:47:00 +0200
Superseded in sid-release on 2013-06-27
curl (7.31.0-1) unstable; urgency=low


  * New upstream release
    - Fix URL decode buffer boundary flaw as per CVE-2013-2174
      http://curl.haxx.se/docs/adv_20130622.html
  * Make curl Multi-Arch: foreign (Closes: #712585)
  * Drop 08_reset-timecond.patch (merged upstream)
  * Refresh patches
  * Add 08_typo.patch to fix a couple of typos in one of the manpages

 -- Alessandro Ghedini <email address hidden>  Sat, 22 Jun 2013 15:46:53 +0200
Superseded in jessie-release on 2013-06-29
Superseded in sid-release on 2013-06-26
curl (7.30.0-2) unstable; urgency=low


  * Move textual docs to the -doc package too
  * Move manpages from -dev packages to -doc as well
    - Add Breaks+Replaces accordingly
  * Remove outdated Replaces/Conflicts
  * Update watch file version to 3
  * Add 08_reset-timecond.patch (Closes: #705783)

 -- Alessandro Ghedini <email address hidden>  Fri, 10 May 2013 17:46:46 +0200
Superseded in jessie-release on 2013-05-23
Superseded in sid-release on 2013-05-11
curl (7.30.0-1) unstable; urgency=low


  * New upstream release
  * Update upstream copyright years
  * Drop patches merged upstream:
    - 08_NULL-pointer-dereference-on-close.patch
    - 09_CVE-213-1944.patch
    - 10_test1218-another-cookie-tailmatch-test.patch
  * Update patches:
    - 03_keep_symbols_compat.patch
    - 90_gnutls.patch
    - 99_nss.patch
  * Add libcurl4-doc package:
    - Move *.pdf and *.html files to the libcurl4-doc package
    - Add Suggests for -doc package to -dev packages
    - Move examples to the -doc package
  * Add Build-Depends on python which is used by some tests

 -- Alessandro Ghedini <email address hidden>  Thu, 18 Apr 2013 12:55:09 +0200
Superseded in wheezy-release on 2013-10-18
curl (7.26.0-1+wheezy2) wheezy-proposed-updates; urgency=high


  [ Alessandro Ghedini ]
  * Fix cookie domain tailmatch as per CVE-2013-1944
    http://curl.haxx.se/docs/adv_20130412.html (Closes: #705274)
  * Set urgency=high accordingly

  [ Salvatore Bonaccorso ]
  * Add testcase for CVE-2013-1944

 -- Alessandro Ghedini <email address hidden>  Wed, 10 Apr 2013 22:56:48 +0200
Superseded in sid-release on 2013-04-19
curl (7.29.0-2.1) unstable; urgency=high


  * Non-maintainer upload.

  [ Alessandro Ghedini ]
  * Do not compress *.pdf files (Closes: #704093)

  [ Salvatore Bonaccorso ]
  * Add 09_CVE-213-1944.patch.
    Fix CVE-2013-1944: fix tailmatching to prevent cross-domain leakage.
    Cookies set for 'example.com' could accidentally also be sent by libcurl
    to the 'bexample.com' (i.e. with a prefix to the first domain name).
    (Closes: #705274)
  * Add testcase for CVE-2013-1944.

 -- Salvatore Bonaccorso <email address hidden>  Fri, 12 Apr 2013 13:55:34 +0200
Superseded in sid-release on 2013-04-13
curl (7.29.0-2) unstable; urgency=low


  * Fix a segfault when closing an unused multi handle (Closes: #701713)
  * Mention LDAPS in packages' long descriptions
  * Clean-up d/rules
    - Switch to short-form dh
    - Enable test suite on hurd and kfreebsd too
    - Enable GSSAPI support on hurd too

 -- Alessandro Ghedini <email address hidden>  Mon, 11 Mar 2013 19:02:56 +0100
Superseded in wheezy-release on 2013-04-14
curl (7.26.0-1+wheezy1) testing-proposed-updates; urgency=high


  * Fix buffer overflow when negotiating SMTP DIGEST-MD5 authentication
    as per CVE-2013-0249 (Closes: #700002)
    http://curl.haxx.se/docs/adv_20130206.html
  * Set urgency=high accordingly

 -- Alessandro Ghedini <email address hidden>  Sun, 10 Feb 2013 19:14:47 +0100
Superseded in sid-release on 2013-03-12
curl (7.29.0-1) unstable; urgency=high


  * New upstream release
    - Fix buffer overflow when negotiating SASL DIGEST-MD5 authentication
      as per CVE-2013-0249 (Closes: #700002)
      http://curl.haxx.se/docs/adv_20130206.html
    - Set urgency=high accordingly
  * Install all the examples
  * Update 90_gnutls.patch and 99_nss.patch
  * Refresh patches
  * Correctly pass CPPFLAGS to ./configure
  * Upload to unstable

 -- Alessandro Ghedini <email address hidden>  Mon, 11 Feb 2013 14:48:03 +0100
Deleted in experimental-release (Reason: None provided.)
curl (7.28.1-1) experimental; urgency=low


  * New upstream release
  * Drop 05_fix-git-over-https.patch and 08_fix-git-auth.patch
    (merged upstream)
  * Update 07_do-not-disable-debug-symbols.patch
  * Refresh patches
  * Add NEWS entry about change in CURLOPT_SSL_VERIFYHOST semantics

 -- Alessandro Ghedini <email address hidden>  Mon, 26 Nov 2012 17:51:27 +0100