Change log for curl package in Debian
curl (8.7.1-3) unstable; urgency=medium [ Carlos Henrique Lima Melara ] * d/p/fix-regression-in-curlinfo.patch: add patch from upstream, thanks to Antonio Terceiro for reporting it (closes: #1069292) [ Samuel Henrique ] * d/libcurl3t64-gnutls.lintian-overrides: Drop unused override -- Samuel Henrique <email address hidden> Fri, 19 Apr 2024 19:06:23 +0100
curl (8.7.1-2) unstable; urgency=medium
  [ Carlos Henrique Lima Melara ]
  * d/rules: fix sed substitution regex for curl-config
  * d/rules: make a call to dpkg-buildflags in curl-config to get CFLAGS (Closes: #1057138)
  * d/control: suggests dpkg-dev for -dev packages so we get dpkg goodies
  * d/libcurl4-doc.docs: list each markdown file to be installed
  * d/make-manpages-reproducible.patch: import from upstream
  * d/p/fix-regression-on-chunked-post.patch: add new patch from upstream
  [ Sergio Durigan Junior ]
  * d/p/openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch: (Closes: #1053643)
  [ Samuel Henrique ]
  * d/rules: Run tests in parallel
  * d/p/test1901...: New patch to confirm regression fix
 -- Samuel Henrique <email address hidden> Wed, 03 Apr 2024 18:59:41 +0100
Deleted in experimental-release (Reason: None provided.) |
curl (8.7.1-1+exp1) experimental; urgency=medium * d/rules: Run tests in parallel, using upstream's suggestion of 7 workers per thread: https://daniel.haxx.se/blog/2023/06/08/parallel-curl-tests/ -- Samuel Henrique <email address hidden> Wed, 27 Mar 2024 19:51:33 +0000
curl (8.7.1-1) unstable; urgency=medium * New upstream version 8.7.1 - Fix CVE-2024-2004: Usage of disabled protocol - Fix CVE-2024-2398: HTTP/2 push headers memory-leak * d/patches: Drop patches present on this release -- Samuel Henrique <email address hidden> Wed, 27 Mar 2024 19:02:14 +0000
curl (8.6.0-4) unstable; urgency=medium [ Carlos Henrique Lima Melara ] * d/libcurl*.links: use substitution variables instead of executable files [ Simon McVittie ] * d/control: Add a build-profile that disables LDAP support (closes: #1066981) * Temporarily disable LDAP support on 32-bit non-x86 (closes: #1066982) * Temporarily disable build-time tests on 32-bit non-x86 -- Samuel Henrique <email address hidden> Sat, 16 Mar 2024 17:17:57 +0000
curl (8.6.0-3.2) unstable; urgency=medium * Non-maintainer upload. * Fix wrong X-Time64-Compat for libcurl4t64. Closes: #1065315. -- Steve Langasek <email address hidden> Sat, 02 Mar 2024 18:43:58 +0000
curl (8.6.0-3.1) unstable; urgency=medium * Non-maintainer upload. * Rename libraries for 64-bit time_t transition. Closes: #1061992 -- Steve Langasek <email address hidden> Sat, 02 Mar 2024 07:11:53 +0000
Deleted in experimental-release (Reason: None provided.) |
curl (8.6.0-3.1~exp2) experimental; urgency=medium * Non-maintainer upload. * Set missing executable bit on debian/libcurl3t64-gnutls.links, lost when round-tripping through diff+patch. -- Steve Langasek <email address hidden> Sat, 24 Feb 2024 01:20:40 +0000
Superseded in experimental-release |
curl (8.6.0-3.1~exp1) experimental; urgency=medium * Non-maintainer upload. * Rename libraries for 64-bit time_t transition. -- Michael Hudson-Doyle <email address hidden> Thu, 22 Feb 2024 11:59:41 +1300
Deleted in experimental-release (Reason: None provided.) |
Published in sid-release |
curl (8.6.0-3) unstable; urgency=medium * d/p/vtls_revert_receive_max_buffer_add_test_case.patch: New patch to fix tls regression (closes: #1063462) -- Samuel Henrique <email address hidden> Mon, 19 Feb 2024 22:16:17 +0000
Published in bullseye-release |
curl (7.74.0-1.3+deb11u11) bullseye-security; urgency=high * Add patch to fix CVE-2023-46218 * d/rules: set CURL_PATCHSTAMP to package's version, so it shows up in "--version" output -- Samuel Henrique <email address hidden> Sun, 10 Dec 2023 06:05:18 +0000
Published in bookworm-release |
curl (7.88.1-10+deb12u5) bookworm-security; urgency=high * Add patches to fix CVE-2023-46218 and CVE-2023-46219 * d/rules: set CURL_PATCHSTAMP to package's version, so it shows up in "--version" output -- Samuel Henrique <email address hidden> Sun, 10 Dec 2023 06:07:30 +0000
curl (8.6.0-2) unstable; urgency=medium * d/p/sendf_ignore_response_body_to_head.patch: New upstream patch to fix a compat issue (closes: #1063342) * d/control: Switch from pkg-config to pkgconf -- Samuel Henrique <email address hidden> Tue, 06 Feb 2024 20:52:46 +0000
Deleted in experimental-release (Reason: None provided.) |
curl (8.6.0-1.1) experimental; urgency=medium * Non-maintainer upload. * Rename libraries for 64-bit time_t transition. -- Michael Hudson-Doyle <email address hidden> Thu, 01 Feb 2024 03:10:56 +0000
curl (8.6.0-1) unstable; urgency=medium [ Samuel Henrique ] * New upstream version 8.6.0 - Fix CVE-2024-0853: OCSP verification bypass with TLS session reuse * Drop upstream patches from 8.6.0 * Update approach for installing manpages * d/copyright: Update copyright [ Carlos Henrique Lima Melara ] * d/control: exclude dependency on gnutls-bin for tests on ppc64el (Closes: #1059952) -- Samuel Henrique <email address hidden> Wed, 31 Jan 2024 21:51:05 +0000
Deleted in experimental-release (Reason: None provided.) |
curl (8.5.0-2+exp1) experimental; urgency=medium * d/rules: Run tests in parallel -- Samuel Henrique <email address hidden> Sat, 06 Jan 2024 09:01:03 -0300
Superseded in experimental-release |
Superseded in sid-release |
curl (8.5.0-2) unstable; urgency=medium * d/p/openldap_fix_an_LDAP_crash.patch: New patch to fix ldap segfault (closes: #1057855) -- Samuel Henrique <email address hidden> Fri, 29 Dec 2023 15:34:11 -0300
Deleted in experimental-release (Reason: None provided.) |
curl (8.5.0-1+exp1) experimental; urgency=medium * Build on experimental with a newer openldap to help investigate #1057855 -- Samuel Henrique <email address hidden> Fri, 22 Dec 2023 11:20:39 -0300
Superseded in bookworm-release |
curl (7.88.1-10+deb12u4) bookworm-security; urgency=high * Add patches to fix CVE-2023-38545 and CVE-2023-38546 -- Samuel Henrique <email address hidden> Thu, 05 Oct 2023 22:31:47 +0100
curl (8.5.0-1) unstable; urgency=medium
  [ Samuel Henrique ]
  * New upstream version 8.5.0
    - Fix CVE-2023-46218: cookie mixed case PSL bypass (closes: #1057646)
    - Fix CVE-2023-46219: HSTS long file name clears contents (closes: #1057645)
  * d/rules: Use pkg-info.mk instead of dpkg-parsechangelog for DEB_VERSION
  * d/p/90_gnutls.patch: Update patch
  * d/p/dist_add_tests_errorcodes_pl_to_the_tarball.patch: Upstream patch to fix tests
  * d/p/add_errorcodes_upstream_file.patch: Include missing file from upstream tarball
  [ Carlos Henrique Lima Melara ]
  * d/control: change Maintainer field to curl packaging team
  * d/README.Debian: add readme to explain curl's team creation
  * d/control: add myself to Uploaders
 -- Samuel Henrique <email address hidden> Wed, 06 Dec 2023 20:15:49 +0000
curl (8.4.0-2) unstable; urgency=medium * d/rules: set CURL_PATCHSTAMP to package's version, so it shows up in "--version" output -- Samuel Henrique <email address hidden> Sat, 14 Oct 2023 12:19:21 +0100
curl (8.4.0-1) unstable; urgency=medium * New upstream version 8.4.0 * d/libcurl*.symbols: New symbol curl_multi_get_handles * d/patches: - Remove patches from 8.4.0 release - 90_gnutls.patch: Update patch -- Samuel Henrique <email address hidden> Fri, 13 Oct 2023 00:53:16 +0100
curl (8.3.0-3) unstable; urgency=high * Add patches to fix CVE-2023-38545 and CVE-2023-38546 -- Samuel Henrique <email address hidden> Thu, 05 Oct 2023 22:26:40 +0100
Superseded in bullseye-release |
curl (7.74.0-1.3+deb11u9) bullseye; urgency=medium * Team upload. * Import 2 new patches to fix CVEs: - CVE-2023-28321: IDN wildcard match may lead to Improper Certificate Validation. - CVE-2023-28322: more POST-after-PUT confusion. * debian/patches/CVE-2023-28322.patch: backport patch. -- Carlos Henrique Lima Melara <email address hidden> Sun, 10 Sep 2023 15:19:20 +0530
Superseded in bookworm-release |
curl (7.88.1-10+deb12u3) bookworm; urgency=medium * Team upload. [ Andreas Hasenack ] * Move ldap-test to a script and add retry logic. [ Carlos Henrique Lima Melara ] * Fix CVE-2023-38039: HTTP headers eat all memory. - Done by debian/patches/CVE-2023-38039.patch. -- Carlos Henrique Lima Melara <email address hidden> Fri, 15 Sep 2023 22:31:23 +0530
curl (8.3.0-2) unstable; urgency=medium * d/rules: Add test 3102 to TESTS_FAILS_ON_IPV6_ONLY_MACHINES * d/patches: Import two upstream patches to try to fix FTBFS on armel/armhf - test650_fix_an_end_tag_typo.patch - tests_increase_the_default_server_logs_lock_timeout.patch * d/p/lib_use_wrapper_for_curl_mime_data_fseek_callback.patch: New patch to fix armel/armhf FTBFS -- Samuel Henrique <email address hidden> Sun, 01 Oct 2023 15:01:42 +0100
Deleted in experimental-release (Reason: None provided.) |
curl (8.3.0-2~exp1) experimental; urgency=medium * d/patches: Import two upstream patches to try to fix FTBFS on armel/armhf: - test650_fix_an_end_tag_typo.patch - tests_increase_the_default_server_logs_lock_timeout.patch -- Samuel Henrique <email address hidden> Fri, 29 Sep 2023 21:04:33 +0100
curl (8.3.0-1) unstable; urgency=medium * New upstream version 8.3.0 - Fix CVE-2023-38039: HTTP headers eat all memory * debian/: Remove files used for the nss packaging * d/patches: - Refresh patches - gen_pl_escape_all_dashes.patch: Drop merged patch - 90_gnutls.patch: Update patch * d/libcurl*.symbols: New symbol curl_global_trace -- Samuel Henrique <email address hidden> Thu, 14 Sep 2023 16:13:10 +0530
curl (8.2.1-2) unstable; urgency=medium [ Andreas Hasenack ] * Move ldap-test to a script and add retry logic [ Samuel Henrique ] * Build without nss, dropped by upstream in the next release * d/p/gen_pl_escape_all_dashes.patch: New patch to fix manpage generation (closes: #1043309, #1043339) -- Samuel Henrique <email address hidden> Fri, 25 Aug 2023 20:05:02 +0100
curl (8.2.1-1) unstable; urgency=medium
  [ Samuel Henrique ]
  * New upstream version 8.2.1
  [ Sergio Durigan Junior ]
  * d/p/{90_gnutls,99_nss}.patch: Update GnuTLS/NSS patches to unbreak tests/http/clients
  * Drop unnecessary patches.
    d/p/CVE-2023-27533.patch
    d/p/CVE-2023-27534.patch
    d/p/CVE-2023-27535.patch
    d/p/CVE-2023-27536.patch
    d/p/CVE-2023-27537.patch
    d/p/CVE-2023-27538.patch
    d/p/CVE-2023-28319.patch
    d/p/CVE-2023-28320-1.patch
    d/p/CVE-2023-28320.patch
    d/p/CVE-2023-28321.patch
    d/p/CVE-2023-28322.patch
    d/p/CVE-2023-32001.patch
    d/p/Use-OpenLDAP-specific-functionality.patch
    d/p/fix-unix-domain-socket.patch
 -- Sergio Durigan Junior <email address hidden> Thu, 03 Aug 2023 20:00:01 -0400
curl (7.88.1-11) unstable; urgency=medium [ Carlos Henrique Lima Melara ] * Fix CVE-2023-32001: TOCTOU race condition in Curl_fopen(): - Done by d/p/CVE-2023-32001.patch (Closes: #1041812). [ John Scott ] * LDAP backend: correct the usage of OpenLDAP-specific functionality being disabled with an upstream patch (Closes: #1041964) This corrects the improper fetching of binary attributes. * debian/tests: add a DEP-8 test that getting binary LDAP attributes works now -- Samuel Henrique <email address hidden> Fri, 28 Jul 2023 21:11:25 +0100
curl (7.88.1-10) unstable; urgency=medium * Add new patches to fix CVEs (closes: #1036239): - CVE-2023-28319: UAF in SSH sha256 fingerprint check - CVE-2023-28320: siglongjmp race condition - CVE-2023-28321: IDN wildcard match - CVE-2023-28322: more POST-after-PUT confusion * d/libcurl*.symbols: Drop curl_jmpenv, not built anymore due to CVE-2023-28320 -- Samuel Henrique <email address hidden> Thu, 18 May 2023 23:43:40 +0100
Superseded in bullseye-release |
curl (7.74.0-1.3+deb11u7) bullseye-security; urgency=medium * Fix CVE-2023-23916: HTTP multi-header compression denial of service: - Done by d/p/CVE-2023-23916.patch. -- Samuel Henrique <email address hidden> Thu, 23 Feb 2023 22:09:57 +0000
curl (7.88.1-9) unstable; urgency=medium [ Sergio Durigan Junior ] * d/p/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch: Don't prepend "nss" when opening libnssckbi.so. (Closes: #1034359) [ Samuel Henrique ] * Update list of tests that fail on IPv6-only envs and don't skip them on autopkgtest * d/p/fix-unix-domain-socket.patch: Import upstream patch to fix --unix (closes: #1033963) -- Samuel Henrique <email address hidden> Sat, 15 Apr 2023 20:03:44 +0100
Deleted in experimental-release (Reason: None provided.) |
curl (8.0.1-1~exp1) experimental; urgency=medium * New upstream version 8.0.1 * d/patches: Remove CVE patches that are present on 8.0.1 -- Samuel Henrique <email address hidden> Sun, 02 Apr 2023 20:05:56 +0100
curl (7.88.1-8) unstable; urgency=medium [ Samuel Henrique ] * d/gbp.conf: Push gbp conf with sane defaults * d/salsa-ci.yml: Disable dh_auto_test with DEB_BUILD_OPTIONS * d/rules: Add new build profiles to limit builds to a single TLS backend * d/tests: Add new autopkgtests that run curl's test suite [ Sergio Durigan Junior ] * d/rules: Remove -D_DEB_HOST_ARCH from curl-config's CFLAGS. -- Samuel Henrique <email address hidden> Sun, 26 Mar 2023 11:36:24 +0100
curl (7.88.1-7) unstable; urgency=medium
  * Bump Standards-Version to 4.6.2
  * d/p/06_always-disable-valgrind.patch: Remove unused patch
  * d/patches: Refresh all patches
  * Import 5 new upstream patches fixing CVEs:
    - CVE-2023-27533: TELNET option IAC injection
    - CVE-2023-27534: SFTP path ~ resolving discrepancy
    - CVE-2023-27535: FTP too eager connection reuse
    - CVE-2023-27536: GSS delegation too eager connection re-use
    - CVE-2023-27537: HSTS double-free
    - CVE-2023-27538: SSH connection too eager reuse still
 -- Samuel Henrique <email address hidden> Tue, 21 Mar 2023 22:39:05 +0000
curl (7.88.1-6) unstable; urgency=medium * d/rules: Ignore test results from tests that fail on IPv6-only builders (closes: #1032343) * d/control: Don't install gnutls-bin for tests on ppc64el (tests hangs forever) -- Samuel Henrique <email address hidden> Wed, 08 Mar 2023 20:57:09 +0000
Deleted in experimental-release (Reason: None provided.) |
curl (7.88.1-7~exp1) experimental; urgency=medium * Revert "d/control: Don't install gnutls-bin for tests on ppc64el (tests hangs forever)" So we can confirm whether the build only hangs on unstable. -- Samuel Henrique <email address hidden> Wed, 08 Mar 2023 21:45:48 +0000
curl (7.88.1-5) unstable; urgency=medium * Fix stringification of _DEB_HOST_ARCH macro. - d/p/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch: Use _DEB_HOST_ARCH directly. - d/rules: Quote _DEB_HOST_ARCH when passing it with -D. -- Sergio Durigan Junior <email address hidden> Mon, 06 Mar 2023 10:22:32 -0500
curl (7.88.1-4) unstable; urgency=medium * d/p/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch: Prepend "/nss/" before the library name. -- Sergio Durigan Junior <email address hidden> Sun, 05 Mar 2023 18:38:13 -0500
curl (7.88.1-2) unstable; urgency=medium
  * Multiple test improvements, which will increase the reliability of the package, especially when backporting fixes on stable and oldstable:
    - Test results are now critical to the build process, if a test fails, the build will fail.
    - Add two new test build-dependencies to increase coverage: locales-all and gnutls-bin.
    - Only run non-flaky tests.
    - Print logs of failed tests.
    - Run all tests even if there was a failure.
    - Ignore results of known failing tests (for Debian).
    - Disable valgrind through a test parameter instead of patching upstream source code.
 -- Samuel Henrique <email address hidden> Fri, 03 Mar 2023 08:28:19 +0000
Deleted in experimental-release (Reason: None provided.) |
curl (7.88.1-2~exp4) experimental; urgency=medium * d/rules: Fail the build if tests fail -- Samuel Henrique <email address hidden> Mon, 27 Feb 2023 22:19:03 +0000
Superseded in experimental-release |
curl (7.88.1-2~exp3) experimental; urgency=medium * Fix locale-related tests and ignore known failures -- Samuel Henrique <email address hidden> Sun, 26 Feb 2023 15:52:13 +0000
Superseded in experimental-release |
curl (7.88.1-2~exp2) experimental; urgency=medium * d/rules: Multiple improvements to dh_auto_test - Skip flaky tests. - Print test logs in case of errors. - Ignore known failures, but still print their logs. - Disable valgrind through parametrization instead of patching the source code. - Add gnutls-bin as a test dependency as gnutls-serv is used. -- Samuel Henrique <email address hidden> Sat, 25 Feb 2023 19:09:28 +0000
Superseded in experimental-release |
curl (7.88.1-2~exp1) experimental; urgency=medium * d/rules: Run non-flaky tests only (it also has an improved output for failures) -- Samuel Henrique <email address hidden> Fri, 24 Feb 2023 19:13:26 +0000
curl (7.88.1-1) unstable; urgency=medium
  * New upstream version 7.88.1
    - Fix the following CVEs (closes: #1031371)
      ~ CVE-2023-23916: HTTP multi-header compression denial of service
      ~ CVE-2023-23915: HSTS amnesia with --parallel
      ~ CVE-2023-23914: HSTS ignored on multiple requests
    - Fix curl_multi_socket_action regression (closes: #1029231)
  * d/patches: Drop backported patch added to fix regression in setopt/getinfo
  * d/copyright: Drop removed file from copyright
  * d/control: Update BD to drop transitional package libidn11-dev
 -- Samuel Henrique <email address hidden> Mon, 20 Feb 2023 22:35:53 +0000
curl (7.87.0-2) unstable; urgency=medium * d/patches: Add new upstream patch to fix regression in setopt/getinfo (closes: #1027564) * d/p/build-Divide-mit-krb5...patch: Refresh patch -- Samuel Henrique <email address hidden> Sun, 15 Jan 2023 21:12:09 +0000
curl (7.87.0-1) unstable; urgency=medium * New upstream version 7.87.0 * d/patches: - Update patches - Drop all backported patches that are applied in the new release * d/copyright: Remove missing file * d/*.lintian-overrides: Remove unused overrides [ Simon McVittie ] * Make -dev packages 'Multi-Arch: same' back again (closes: #1024668) -- Samuel Henrique <email address hidden> Fri, 23 Dec 2022 20:36:01 +0000
Available diffs
- diff from 7.86.0-3 to 7.87.0-1 (932.0 KiB)
curl (7.86.0-3) unstable; urgency=medium * Fix two HSTS-related CVEs. - d/p/CVE-2022-43551-another-hsts-bypass-via-idn.patch: use the IDN decoded name in HSTS checks. (Closes: #1026829, CVE-2022-43551) - d/p/CVE-2022-43552-http-proxy-deny-use-after-free.patch: do not free smb's/telnet's protocol struct in *_done(). (Closes: #1026830, CVE-2022-43552) -- Sergio Durigan Junior <email address hidden> Wed, 21 Dec 2022 15:55:18 -0500
curl (7.86.0-2) unstable; urgency=medium [ Debian Janitor ] * Apply multi-arch hints. + libcurl4-gnutls-dev, libcurl4-nss-dev, libcurl4-openssl-dev: Drop Multi-Arch: same. [ Samuel Henrique ] * d/patches: Backport three upstream patches to fix noproxy option. -- Samuel Henrique <email address hidden> Tue, 15 Nov 2022 21:04:55 +0000
Available diffs
- diff from 7.85.0-1 to 7.86.0-2 (815.6 KiB)
- diff from 7.86.0-1 to 7.86.0-2 (3.5 KiB)
curl (7.86.0-1) unstable; urgency=medium * New upstream version 7.86.0 - Fix HSTS bypass via IDN: curl's HSTS check could be bypassed to trick it to keep using HTTP. (closes: CVE-2022-42916) - Fix HTTP proxy double-free (closes: CVE-2022-42915) - Fix .netrc parser out-of-bounds access (closes: CVE-2022-35260) - Fix POST following PUT confusion (closes: CVE-2022-32221) -- Samuel Henrique <email address hidden> Thu, 27 Oct 2022 20:38:24 +0100
Superseded in bullseye-release |
curl (7.74.0-1.3+deb11u3) bullseye; urgency=medium * cookie: reject cookies with "control bytes" (CVE-2022-35252) (Closes: #1018831) * test8: verify that "ctrl-byte cookies" are ignored -- Salvatore Bonaccorso <email address hidden> Sat, 03 Sep 2022 12:26:12 +0200
curl (7.85.0-1) unstable; urgency=medium
  * New upstream version 7.85.0
    - Fix control code in cookie denial of service: When curl retrieves and parses cookies from an HTTP(S) server, it accepts cookies using control codes (byte values below 32). When cookies that contain such control codes are later sent back to an HTTP(S) server, it might make the server return a 400 response. Effectively allowing a "sister site" to deny service to siblings (closes: #1018831, CVE-2022-35252)
    - Fix FTBFS on riscv64 with gcc-12 (closes: #1015835)
  * Bump Standards-Version to 4.6.1
  * Add lintian overrides for old-style-config-script-multiarch-path triggered for curl-config
  * d/patches:
    - 11_omit-directories-from-config.patch: Update patch
    - 20_ftbfs_import_sched.patch: Drop patch, applied upstream
  * d/rules: Fix configure args, remove bogus '--without-ssl'
  * d/copyright: Update the whole file
  * d/(control|watch): Update upstream's URL
 -- Samuel Henrique <email address hidden> Fri, 02 Sep 2022 13:00:10 +0100
curl (7.84.0-2) unstable; urgency=medium * d/p/20_ftbfs_import_sched.patch: New upstream patch to fix FTBFS (closes: #1014596) -- Samuel Henrique <email address hidden> Mon, 11 Jul 2022 22:50:01 +0100
curl (7.84.0-1) unstable; urgency=medium * New upstream version 7.84.0 -- Samuel Henrique <email address hidden> Mon, 27 Jun 2022 22:06:25 +0100
Available diffs
- diff from 7.83.1-2 to 7.84.0-1 (543.6 KiB)
curl (7.83.1-2) unstable; urgency=medium * d/p/fix_multiline_header_regression.patch: New upstream patch to fix regression (closes: #1012263, #1011696) -- Samuel Henrique <email address hidden> Tue, 14 Jun 2022 18:05:23 +0100
curl (7.83.1-1) unstable; urgency=medium
  * New upstream version 7.83.1
    - Fix the following CVEs:
      ~ HSTS bypass via trailing dot (CVE-2022-30115)
      ~ TLS and SSH connection too eager reuse (CVE-2022-27782)
      ~ CERTINFO never-ending busy-loop (CVE-2022-27781)
      ~ percent-encoded path separator in URL host (CVE-2022-27780)
      ~ cookie for trailing dot TLD (CVE-2022-27779)
      ~ curl removes wrong file on error (CVE-2022-27778)
 -- Samuel Henrique <email address hidden> Wed, 11 May 2022 17:46:48 +0100
Available diffs
- diff from 7.81.0-1 to 7.83.1-1 (1.0 MiB)
- diff from 7.83.0-1 to 7.83.1-1 (64.1 KiB)
curl (7.83.0-1) unstable; urgency=medium
  * New upstream version 7.83.0
    - Fix auth/cookie leak on redirect (closes: #1010252, CVE-2022-27776)
    - Fix bad local IPv6 connection reuse (closes: #1010253, CVE-2022-27775)
    - Fix credential leak on redirect (closes: #1010254, CVE-2022-27774)
    - Fix OAUTH2 bearer bypass in connection re-use (closes: #1010295, CVE-2022-22576)
  * d/libcurl*.symbols: update symbols files to add curl_easy_header and curl_easy_nextheader
  * d/patches:
    - Refresh patches
    - 12_fix_openssl_cm_check.patch: remove patch, applied upstream
 -- Samuel Henrique <email address hidden> Thu, 28 Apr 2022 18:53:32 +0100
curl (7.82.0-2) unstable; urgency=medium * d/p/12_fix_openssl_cm_check.patch: New upstream patch to fix openssl CN check (closes: #1007739, #1007740) * d/control: - Set libcurl4-doc as Multi-Arch: foreign - Remove ancient version requirements for dependencies * d/salsa-ci.yml: Disable reprotest until it acknowledges SALSA_CI_DPKG_BUILDPACKAGE_ARGS -- Samuel Henrique <email address hidden> Sat, 19 Mar 2022 13:55:00 +0000
curl (7.82.0-1) unstable; urgency=medium * New upstream version 7.82.0 * d/salsa-ci.yml: Add CI definition customized to skip tests (nocheck), to avoid long build times * Update and refresh patches: 13_fix-man-formatting.patch has been merged upstream * d/rules: - Add --with-nss-deprecated, required to build with nss now (upstream will drop support in August) - Look for nocheck build profile in DEB_BUILD_PROFILES instead of DEB_BUILD_OPTIONS (wider coverage) -- Samuel Henrique <email address hidden> Sat, 05 Mar 2022 13:40:14 +0000
curl (7.81.0-1) unstable; urgency=medium * New upstream version 7.81.0 * d/p/13_fix-man-formatting.patch: Refresh patch -- Samuel Henrique <email address hidden> Wed, 05 Jan 2022 09:31:32 -0300
Available diffs
- diff from 7.80.0-3 to 7.81.0-1 (653.6 KiB)
curl (7.80.0-3) unstable; urgency=medium * Revert "Revert "debian/control: Add Build-Depends on libssh-dev for Ubuntu"". As per #1002598, the blocker has been solved. Note that this does not change Debian's curl to libssh, it still uses libssh2. Discussions about changing to libssh are ongoing at #897950 -- Samuel Henrique <email address hidden> Sun, 26 Dec 2021 13:22:18 -0300
curl (7.80.0-2) unstable; urgency=medium * Revert "debian/control: Add Build-Depends on libssh-dev for Ubuntu" (closes: #1002597) The change had side effects on Debian due to the inclusion of the new Build-dep, even though it doesn't change the resulting binary. It causes issues for architecture bootstrapping. We are gonna reintroduce this change once the issues are fixed, to allow Ubuntu to remove its delta. See discussions at #1002598 and #1002597 for details -- Samuel Henrique <email address hidden> Sat, 25 Dec 2021 10:47:13 -0300
curl (7.80.0-1) unstable; urgency=medium [ Samuel Henrique ] * New upstream version 7.80.0 * Bump Standards-Version to 4.6.0 * Add new symbol curl_url_strerror to symbols files * Compile with zstd support (closes: #983660) * d/p/12_use-python3-in-tests.patch: Drop patch, merged upstream * d/p/13_fix-man-formatting.patch: Update patch * d/p/14_fix-compatibility-impacket-0-9-23.patch: Drop patch, merged upstream [ Jeremy Bicha ] * debian/control: Add Build-Depends on libssh-dev for Ubuntu -- Samuel Henrique <email address hidden> Fri, 24 Dec 2021 11:42:57 -0300
Superseded in bullseye-release |
curl (7.74.0-1.3+deb11u1) bullseye; urgency=medium * Non-maintainer upload. * Also remove -ffile-prefix-map from curl-config. (Closes: #990128) -- Helmut Grohne <email address hidden> Sun, 28 Nov 2021 06:38:09 +0100
Deleted in experimental-release (Reason: None provided.) |
curl (7.79.1-3~exp2) experimental; urgency=medium * d/rules: Adjust CPPFLAGS. -- Sergio Durigan Junior <email address hidden> Sat, 13 Nov 2021 23:34:07 -0500
curl (7.79.1-2) unstable; urgency=medium * d/rules: Make test failures non-fatal again. Unfortunately there are some test failures happening on a few architectures, so we have to make the build pass even if not all tests are succeeding, at least until we have time to properly investigate the reason for these failures. -- Sergio Durigan Junior <email address hidden> Mon, 08 Nov 2021 23:54:35 -0500
curl (7.79.1-1) unstable; urgency=medium
  [ Samuel Henrique ]
  * Add myself as an Uploader
  * Add sergiodj as an uploader
  * New upstream version 7.79.1 (closes: #989046)
    - Changes since 7.74.0:
      ~ vtls: fix connection reuse checks for issuer cert and case sensitivity (closes: #991492, CVE-2021-22924)
      ~ Fix User-Agent header missing in some cases (closes: #994940)
      ~ Fix TELNET stack contents disclosure (closes: #989228, CVE-2021-22898)
  * d/rules: Add --with-{openssl|gnutls|nss} to configure args
  * Update all patches.
    Remove patches:
    - 07_do-not-disable-debug-symbols: Obsolete as per https://github.com/curl/curl/issues/7216.
    - 14_transfer-strip-credentials-from-the-auto-referer-hea: Originally from upstream, part of the release now.
    - 15_vtls-add-isproxy-argument-to-Curl_ssl_get-addsession: Originally from upstream, part of the release now.
    - fix-regression-microseconds-instead-of-seconds: Originally from upstream, part of the release now.
    Update patches:
    - 12_use-python3-in-tests: Update and forward upstream.
    - 90_gnutls: Update
    - 99_nss: Update
    - 13_fix-man-formatting: Update
  [ Debian Janitor ]
  * Use secure URI in Homepage field.
  * Set debhelper-compat version in Build-Depends.
  * Set upstream metadata fields: Bug-Database, Bug-Submit (from ./configure), Repository, Repository-Browse.
  * Avoid explicitly specifying -Wl,--as-needed linker flag.
  [ Helmut Grohne ]
  * Also remove -ffile-prefix-map from curl-config (closes: #990128)
  * Explicitly disable zstd support (closes: #992505)
  [ Sergio Durigan Junior ]
  * d/control: Add Rules-Requires-Root: no.
  * d/copyright: Add public-domain license text.
  * Enable GPG-checking of orig tarball.
    - d/upstream/signing-key.asc: Upstream public key.
    - d/watch: Add "pgpmode=auto" as an option.
  * Bump debhelper-compat to 13.
    - d/control: B-D on debhelper-compat = 13.
    - d/rules: After the override_dh_auto_install target has been run, we know that we can safely get rid of the contents inside the debian/tmp/ directory. This is needed because otherwise dh_missing will complain about uninstalled files, which will make the build fail when using debhelper-compat 13.
  * d/rules: Some minor cleanup and removal of unneeded comments.
  * d/rules: Honour "nocheck" build option.
  * Make OpenSSL and GNUTLS builds fail if tests fail
    - d/rules: Adjust rule to make OpenSSL and GNUTLS builds fail if their tests fail. Unfortunately, it's still not possible to make the NSS build fail if its tests fail; we're still investigating the failures there with it.
    - d/p/14_fix-compatibility-impacket-0-9-23.patch: Needed patch to make tests pass with impacket 0.9.23+.
 -- Samuel Henrique <email address hidden> Mon, 08 Nov 2021 21:14:47 +0000
curl (7.74.0-1.3) unstable; urgency=medium * Non-maintainer upload. * Add upstream patch bc7ecc7 so curl -w times shown as seconds with fractions (Closes: #989064) -- Paul Gevers <email address hidden> Fri, 25 Jun 2021 20:59:54 +0200
Published in buster-release |
curl (7.64.0-4+deb10u2) buster-security; urgency=high
  * Fix partial password leak over DNS on HTTP redirect as per CVE-2020-8169 (Closes: #965280)
    https://curl.haxx.se/docs/CVE-2020-8169.html
  * Fix local file overwrite as per CVE-2020-8177 (Closes: #965281)
    https://curl.se/docs/CVE-2020-8177.html
  * Fix use of wrong connect-only connection as per CVE-2020-8231 (Closes: #968831)
    https://curl.se/docs/CVE-2020-8231.html
  * Don't trust FTP PASV responses by default as per CVE-2020-8284 (Closes: #977163)
  * Fix FTP wildcard stack overflow as per CVE-2020-8285 (Closes: #977162)
    https://curl.se/docs/CVE-2020-8285.html
  * Make the OCSP verification verify the certificate id as per CVE-2020-8286 (Closes: #977161)
    https://curl.se/docs/CVE-2020-8286.html
  * Fix credentials leak with automatic referer as per CVE-2021-22876
    https://curl.se/docs/CVE-2021-22876.html
  * Fix TLS 1.3 session ticket proxy host mixup as per CVE-2021-22890
    https://curl.se/docs/CVE-2021-22890.html
 -- Alessandro Ghedini <email address hidden> Tue, 30 Mar 2021 21:56:00 +0100
Superseded in sid-release |
curl (7.74.0-1.2) unstable; urgency=medium * Non-maintainer upload. * transfer: strip credentials from the auto-referer header field (CVE-2021-22876) (Closes: #986269) * vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid() (CVE-2021-22890) (Closes: #986270) -- Salvatore Bonaccorso <email address hidden> Sat, 03 Apr 2021 14:43:39 +0200
Superseded in sid-release |
curl (7.74.0-1.1) unstable; urgency=medium * Non-maintainer upload. [ Bruno Kleinert ] * Fixed "Please build-depend on libidn2-dev instead of obsolete transition package libidn2-0-dev" (Closes: #974996) -- Samuel Henrique <email address hidden> Wed, 10 Feb 2021 00:42:40 +0000
curl (7.74.0-1) unstable; urgency=medium
  * New upstream release
    + Fix inferior OCSP verification as per CVE-2020-8286 (Closes: #977161)
      https://curl.se/docs/CVE-2020-8286.html
    + Fix FTP wildcard stack overflow as per CVE-2020-8285 (Closes: #977162)
      https://curl.se/docs/CVE-2020-8285.html
    + Fix trusting FTP PASV responses as per CVE-2020-8284 (Closes: #977163)
      https://curl.se/docs/CVE-2020-8284.html
  * Update debian/watch to new upstream download page layout
  * Update 12_use-python3-in-tests.patch due to renamed file
  * Refresh patches
  * Fix cross-build due to python build dependencies. Thanks to Helmut Grohne for the patch (Closes: #969004)
  * Fix formatting in some man pages. Thanks to Bjarni Ingi Gislason for the patch (Closes: #963559)
  * Update list of documentation files to install
  * Update symbols
  * Bump Standards-Version to 4.5.1 (no changes needed)
  * Drop removed file from d/copyright
 -- Alessandro Ghedini <email address hidden> Thu, 31 Dec 2020 15:22:05 +0100
curl (7.72.0-1) unstable; urgency=medium
  * New upstream release
    + Fix partial password leak over DNS on HTTP redirect as per CVE-2020-8169 (Closes: #965280)
      https://curl.haxx.se/docs/CVE-2020-8169.html
    + Fix local file overwrite with -J option as per CVE-2020-8177 (Closes: #965281)
      https://curl.haxx.se/docs/CVE-2020-8177.html
    + Fix wrong connect-only connection as per CVE-2020-8231 (Closes: #968831)
      https://curl.haxx.se/docs/CVE-2020-8231.html
  * Refresh patches
  * Do not install *.la files. Thanks to Pino Toscano for the patch. (Closes: #955785)
  * Update list of doc files
  * Update copyright for polarssl -> mbedtls rename
  * Use python3 executable in tests
 -- Alessandro Ghedini <email address hidden> Mon, 24 Aug 2020 10:26:12 +0200