Change log for curl package in Debian
| 76 → 150 of 204 results | First • Previous • Next • Last |
| Superseded in buster-release |
curl (7.64.0-4+deb10u1) buster-security; urgency=high
* Fix FTP-KRB double-free as per CVE-2019-5481 (Closes: #940009)
https://curl.haxx.se/docs/CVE-2019-5481.html
* Fix TFTP small blocksize heap buffer overflow as per CVE-2019-5482
(Closes: #940010)
https://curl.haxx.se/docs/CVE-2019-5482.html
-- Alessandro Ghedini <email address hidden> Sat, 22 Feb 2020 15:01:46 +0000
curl (7.68.0-1) unstable; urgency=medium * New upstream release * Bump Standards-Version to 4.5.0 (no changes needed) * Update symbols files * Configure default CA file with OpenSSL again (Closes: #948441) -- Alessandro Ghedini <email address hidden> Sat, 22 Feb 2020 14:37:19 +0000
curl (7.67.0-2) unstable; urgency=medium
* Restore :native annotation for python3 Build-Depends.
Thanks to Helmut Grohne for the patch (Closes: #945928)
-- Alessandro Ghedini <email address hidden> Sun, 01 Dec 2019 13:29:28 +0000
curl (7.67.0-1) unstable; urgency=medium * New upstream release * Replace python with python3 in Build-Depends (Closes: #942984) * Bump Standards-Version to 4.4.1 (no changes needed) -- Alessandro Ghedini <email address hidden> Sat, 30 Nov 2019 12:45:07 +0000
curl (7.66.0-1) unstable; urgency=medium
* New upstream release (Closes: #940024)
+ Fix FTP-KRB double-free as per CVE-2019-5481 (Closes: #940009)
https://curl.haxx.se/docs/CVE-2019-5481.html
+ Fix TFTP small blocksize heap buffer overflow as per CVE-2019-5482
(Closes: #940010)
https://curl.haxx.se/docs/CVE-2019-5482.html
* Refresh patches
* Enable brotli support (Closes: #940129)
* Update *.symbols files
-- Alessandro Ghedini <email address hidden> Sun, 15 Sep 2019 15:47:05 +0100
curl (7.65.3-1) unstable; urgency=medium * New upstream release * Drop 12_fix-man-errors.patch (merged upstream) * Remove Ian Jackson from Uploaders as he has never done an upload -- Alessandro Ghedini <email address hidden> Fri, 09 Aug 2019 19:45:02 +0100
curl (7.65.1-1) unstable; urgency=medium
* New upstream release
+ Reduce verbose output (Closes: #926148)
+ Fix parsing URLs with link local addresses (Closes: #926812)
* Drop patches merged upstream
* Refresh patches
* Bump STandards-Version to 4.4.0 (no changes needed)
* Update entry in copyright for renamed files
* Fix some man errors.
Thanks to Bjarni Ingi Gislason for the patch (Closes: #926352)
* Add Build-Depends-Package field to symbols files
-- Alessandro Ghedini <email address hidden> Sat, 13 Jul 2019 12:37:09 +0100
curl (7.64.0-4) unstable; urgency=medium
* Fix TFTP receive buffer overflow as per CVE-2019-5436 (Closes: #929351)
https://curl.haxx.se/docs/CVE-2019-5436.html
* Fix integer overflow in curl_url_set() as per CVE-2019-5435 (Closes: #929352)
https://curl.haxx.se/docs/CVE-2019-5435.html
-- Alessandro Ghedini <email address hidden> Fri, 14 Jun 2019 19:23:32 +0100
curl (7.64.0-3) unstable; urgency=medium
* Fix potential crash in HTTP/2 code and busy loop at the end of connections
(Closes: #927471)
-- Alessandro Ghedini <email address hidden> Sat, 04 May 2019 12:51:06 +0100
curl (7.64.0-2) unstable; urgency=medium * Fix infinite loop when fetching URLs with unreachable IPv6 (Closes: #922554) -- Alessandro Ghedini <email address hidden> Thu, 07 Mar 2019 20:02:35 +0000
| Superseded in stretch-release |
curl (7.52.1-5+deb9u9) stretch-security; urgency=high
* Fix NTLM type-2 out-of-bounds buffer read as per CVE-2018-16890
https://curl.haxx.se/docs/CVE-2018-16890.html
* Fix NTLMv2 type-3 header stack buffer overflow as per CVE-2019-3822
https://curl.haxx.se/docs/CVE-2019-3822.html
* Fix SMTP end-of-response out-of-bounds read as per CVE-2019-3823
https://curl.haxx.se/docs/CVE-2019-3823.html
-- Alessandro Ghedini <email address hidden> Mon, 04 Feb 2019 20:55:32 +0000
curl (7.64.0-1) unstable; urgency=medium
* New upstream release
+ Fix NTLM type-2 out-of-bounds buffer read as per CVE-2018-16890
https://curl.haxx.se/docs/CVE-2018-16890.html
+ Fix NTLMv2 type-3 header stack buffer overflow as per CVE-2019-3822
https://curl.haxx.se/docs/CVE-2019-3822.html
+ Fix SMTP end-of-response out-of-bounds read as per CVE-2019-3823
https://curl.haxx.se/docs/CVE-2019-3823.html
+ Fix HTTP negotiation with POST requests (Closes: #920267)
-- Alessandro Ghedini <email address hidden> Wed, 06 Feb 2019 22:33:05 +0000
curl (7.63.0-1) unstable; urgency=medium
* New upstream release
+ Fix IPv6 numeral address parser (Closes: #915520)
+ Fix timeout handling (Closes: #914793)
+ Fix HTTP auth to include query in URI (Closes: #913214)
* Drop 12_fix-runtests-curl.patch (merged upstream)
* Update symbols
* Update copyright for removed files
* Bump debhlper compat level to 12
* Bump Standards-Version to 4.3.0 (no changes needed)
-- Alessandro Ghedini <email address hidden> Tue, 15 Jan 2019 20:47:40 +0000
Available diffs
| Superseded in stretch-release |
curl (7.52.1-5+deb9u8) stretch-security; urgency=high
* Fix SASL password overflow via integer overflow as per CVE-2018-16839
https://curl.haxx.se/docs/CVE-2018-16839.html
* Fix warning message out-of-buffer read as per CVE-2018-16842
https://curl.haxx.se/docs/CVE-2018-16842.html
-- Alessandro Ghedini <email address hidden> Tue, 30 Oct 2018 21:39:11 +0000
curl (7.62.0-1) unstable; urgency=medium
* New upstream release
+ Fix NTLM password overflow via integer overflow as per CVE-2018-14618
(Closes: #908327) https://curl.haxx.se/docs/CVE-2018-14618.html
+ Fix SASL password overflow via integer overflow as per CVE-2018-16839
https://curl.haxx.se/docs/CVE-2018-16839.html
+ Fix use-after-free in handle close as per CVE-2018-16840
https://curl.haxx.se/docs/CVE-2018-16840.html
+ Fix warning message out-of-buffer read as per CVE-2018-16842
https://curl.haxx.se/docs/CVE-2018-16842.html
+ Fix broken terminal output (closes: #911333)
* Refresh patches
* Add 12_fix-runtests-curl.patch to fix running curl in tests
-- Alessandro Ghedini <email address hidden> Wed, 31 Oct 2018 22:42:44 +0000
Available diffs
curl (7.61.0-1) unstable; urgency=medium
* New upstream release
+ Fix SMTP send heap buffer overflow as per CVE-2018-0500 (Closes: #903546)
https://curl.haxx.se/docs/adv_2018-70a2.html
+ Fix some crashes related to HTTP/2 (Closes: #902628)
* Disable libssh2 on Ubuntu.
Thanks to Gianfranco Costamagna for the patch (Closes: #888449)
* Bump Standards-Version to 4.2.0 (no changes needed)
* Don't configure default CA bundle with OpenSSL and GnuTLS (Closes: #883174)
-- Alessandro Ghedini <email address hidden> Sat, 11 Aug 2018 13:32:28 +0100
Available diffs
| Superseded in stretch-release |
curl (7.52.1-5+deb9u6) stretch-security; urgency=high
* Fix heap buffer over-read when parsing bad RTSP headers
as per CVE-2018-1000301
https://curl.haxx.se/docs/adv_2018-b138.html
-- Alessandro Ghedini <email address hidden> Tue, 15 May 2018 23:00:28 +0100
| Published in jessie-release |
curl (7.38.0-4+deb8u11) jessie-security; urgency=high
* Fix heap buffer over-read when parsing bad RTSP headers
as per CVE-2018-1000301
https://curl.haxx.se/docs/adv_2018-b138.html
-- Alessandro Ghedini <email address hidden> Tue, 15 May 2018 23:05:31 +0100
curl (7.60.0-2) unstable; urgency=medium
[ Steve Langasek ]
* Build-depend on libssl-dev instead of libssl1.0-dev.
* Rename libcurl3 to libcurl4, because libcurl exposes an SSL_CTX via
CURLOPT_SSL_CTX_FUNCTION, and this object changes incompatibly between
openssl 1.0 and openssl 1.1.
* debian/patches/03_keep_symbols_compat.patch: drop, since we are no longer
claiming compatibility.
* debian/patches/90_gnutls.patch: Retain symbol versioning compatibility for
non-OpenSSL builds. Closes: #858398.
* Adjust libssl1.1 vs libssl1.0 Suggests/Conflicts; thanks, Adrian Bunk
-- Alessandro Ghedini <email address hidden> Wed, 23 May 2018 20:25:39 +0100
curl (7.60.0-1) unstable; urgency=medium
* New upstream release (Closes: #891997, #893546, #898856)
+ Fix use of IPv6 literals with NO_PROXY
+ Fix NIL byte out of bounds write due to FTP path trickery
as per CVE-2018-1000120
https://curl.haxx.se/docs/adv_2018-9cd6.html
+ Fix LDAP NULL pointer dereference as per CVE-2018-1000121
https://curl.haxx.se/docs/adv_2018-97a2.html
+ Fix RTSP RTP buffer over-read as per CVE-2018-1000122
https://curl.haxx.se/docs/adv_2018-b047.html
+ Fix heap buffer overflow when closing down an FTP connection
with very long server command replies as per CVE-2018-1000300
https://curl.haxx.se/docs/adv_2018-82c2.html
+ Fix heap buffer over-read when parsing bad RTSP headers
as per CVE-2018-1000301
https://curl.haxx.se/docs/adv_2018-b138.html
* Refresh patches
* Bump Standards-Version to 4.1.4 (no changes needed)
-- Alessandro Ghedini <email address hidden> Fri, 18 May 2018 20:21:17 +0100
| Superseded in stretch-release |
curl (7.52.1-5+deb9u4) stretch-security; urgency=high
* Fix HTTP/2 trailer out-of-bounds read as per CVE-2018-1000005
https://curl.haxx.se/docs/adv_2018-824a.html
* Fix HTTP authentication leak in redirects as per CVE-2018-1000007
https://curl.haxx.se/docs/adv_2018-b3bf.html
-- Alessandro Ghedini <email address hidden> Tue, 23 Jan 2018 21:56:56 +0000
| Deleted in experimental-release (Reason: None provided.) |
curl (7.58.0-3) experimental; urgency=medium
[ Steve Langasek ]
* Build-depend on libssl-dev instead of libssl1.0-dev.
* Rename libcurl3 to libcurl4, because libcurl exposes an SSL_CTX via
CURLOPT_SSL_CTX_FUNCTION, and this object changes incompatibly between
openssl 1.0 and openssl 1.1.
* debian/patches/03_keep_symbols_compat.patch: drop, since we are no longer
claiming compatibility.
* debian/patches/90_gnutls.patch: Retain symbol versioning compatibility for
non-OpenSSL builds. Closes: #858398.
* Adjust libssl1.1 vs libssl1.0 Suggests/Conflicts; thanks, Adrian Bunk
-- Alessandro Ghedini <email address hidden> Tue, 27 Feb 2018 21:16:17 +0000
curl (7.58.0-2) unstable; urgency=medium
* Explicitly enable libssh2 support which got silently disabled in the
previous update
-- Alessandro Ghedini <email address hidden> Wed, 24 Jan 2018 20:27:50 +0000
Available diffs
curl (7.58.0-1) unstable; urgency=medium
* New upstream release
- Fix HTTP/2 trailer out-of-bounds read as per CVE-2018-1000005
https://curl.haxx.se/docs/adv_2018-824a.html
- Fix HTTP authentication leak in redirects as per CVE-2018-1000007
https://curl.haxx.se/docs/adv_2018-b3bf.html
* Point Vcs-* to salsa.d.o
* Bump Standards-Version to 4.1.3 (no changes needed)
* Bump debhlper compat level to 11
* Refresh patches
* fix insecure-copyright-format-uri
-- Alessandro Ghedini <email address hidden> Wed, 24 Jan 2018 11:13:58 +0000
| Superseded in jessie-release |
curl (7.38.0-4+deb8u8) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
* Fix NTLM buffer overflow via integer overflow as per CVE-2017-8816
https://curl.haxx.se/docs/adv_2017-11e7.html
* Fix FTP wildcard out of bounds read as per CVE-2017-8817
https://curl.haxx.se/docs/adv_2017-ae72.html
-- Yves-Alexis Perez <email address hidden> Sat, 25 Nov 2017 22:03:21 +0100
| Superseded in stretch-release |
curl (7.52.1-5+deb9u3) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* Fix NTLM buffer overflow via integer overflow as per CVE-2017-8816
https://curl.haxx.se/docs/adv_2017-11e7.html
* Fix FTP wildcard out of bounds read as per CVE-2017-8817
https://curl.haxx.se/docs/adv_2017-ae72.html
-- Yves-Alexis Perez <email address hidden> Sun, 26 Nov 2017 13:00:56 +0100
curl (7.57.0-1) unstable; urgency=medium
* New upstream release
- Fix NTLM buffer overflow via integer overflow as per CVE-2017-8816
https://curl.haxx.se/docs/adv_2017-11e7.html
- Fix FTP wildcard out of bounds read as per CVE-2017-8817
https://curl.haxx.se/docs/adv_2017-ae72.html
- Fix SSL out of buffer access as per CVE-2017-8818
https://curl.haxx.se/docs/adv_2017-af0a.html
* Remove -fdebug-prefix-map from curl-config.
Thanks to Timo Weingärtner for the patch (Closes: #861974, #874223, #874238)
* Don't install zsh completion when cross compiling.
Thanks to Wookey for the patch (Closes: #812965)
-- Alessandro Ghedini <email address hidden> Thu, 30 Nov 2017 10:16:03 +0000
curl (7.56.1-1) unstable; urgency=medium
* New upstream release
- Fix IMAP FETCH response out of bounds read as per CVE-2017-1000257
https://curl.haxx.se/docs/adv_20171023.html
* Bump Standards-Version to 4.1.1 (no changes needed)
* Drop 01_runtests_gdb.patch
* Drop 12_dont-wait-on-CONNECT.patch
* Refresh patches
* Update *.symbols files
* Use https:// URL in watch file
-- Alessandro Ghedini <email address hidden> Tue, 24 Oct 2017 11:05:48 +0100
curl (7.55.1-1) unstable; urgency=medium
* New upstream release
- Fix FTBFS on powerpc (Closes: #872502)
* Apply upstream patch to fix connection timeouts with NetworkManager
(Closes: #873181)
* Refresh patches
* Bump Standards-Version to 4.1.0 (no changes needed)
-- Alessandro Ghedini <email address hidden> Sat, 02 Sep 2017 12:10:22 +0100
curl (7.55.0-1) unstable; urgency=medium
* New upstream release
- Fix TFTP sends more than buffer size as per CVE-2017-1000100
(Closes: #871555)
- Fix URL globbing out of bounds read as per CVE-2017-1000101
(Closes: #871554)
* Refresh patches and drop patches merged upstream
* Update Standards-Version to 4.0.1 (no changes needed)
* Drop -dbg package
-- Alessandro Ghedini <email address hidden> Sat, 12 Aug 2017 15:18:05 +0100
curl (7.52.1-5) unstable; urgency=high
* Fix TLS session resumption client cert bypass as per CVE-2017-7468
https://curl.haxx.se/docs/adv_20170419.html
-- Alessandro Ghedini <email address hidden> Wed, 19 Apr 2017 11:19:50 +0100
curl (7.52.1-4) unstable; urgency=medium
* Fix regression in CONNECT response handling (Closes: #857613)
* Fix buffer read overrun on --write-out as per CVE-2017-7407
https://curl.haxx.se/docs/adv_20170403.html (Closes: #859500)
-- Alessandro Ghedini <email address hidden> Sat, 08 Apr 2017 21:55:27 +0100
curl (7.52.1-3) unstable; urgency=high
* Make SSL_VERIFYSTATUS work again as per CVE-2017-2629
https://curl.haxx.se/docs/adv_20170222.html
-- Alessandro Ghedini <email address hidden> Tue, 21 Feb 2017 22:38:41 +0000
curl (7.52.1-2) unstable; urgency=medium * Fix HTTPS connection timeout with OpenSSL (Closes: #852317) -- Alessandro Ghedini <email address hidden> Sun, 29 Jan 2017 21:34:10 +0000
| Superseded in jessie-release |
curl (7.38.0-4+deb8u5) jessie-security; urgency=high
* Fix cookie injection for other servers as per CVE-2016-8615
https://curl.haxx.se/docs/adv_20161102A.html
* Fix case insensitive password comparison as per CVE-2016-8616
https://curl.haxx.se/docs/adv_20161102B.html
* Fix OOB write via unchecked multiplication as per CVE-2016-8617
https://curl.haxx.se/docs/adv_20161102C.html
* Fix double-free in curl_maprintf as per CVE-2016-8618
https://curl.haxx.se/docs/adv_20161102D.html
* Fix double-free in krb5 code as per CVE-2016-8619
https://curl.haxx.se/docs/adv_20161102E.html
* Fix glob parser write/read out of bounds as per CVE-2016-8620
https://curl.haxx.se/docs/adv_20161102F.html
* Fix curl_getdate read out of bounds as per CVE-2016-8621
https://curl.haxx.se/docs/adv_20161102G.html
* Fix URL unescape heap overflow via integer truncation as per CVE-2016-8622
https://curl.haxx.se/docs/adv_20161102H.html
* Fix use-after-free via shared cookies as per CVE-2016-8623
https://curl.haxx.se/docs/adv_20161102I.html
* Fix invalid URL parsing with '#' as per CVE-2016-8624
https://curl.haxx.se/docs/adv_20161102J.html
-- Alessandro Ghedini <email address hidden> Tue, 01 Nov 2016 21:38:10 +0000
curl (7.52.1-1) unstable; urgency=medium
* New upstream release
- Fix printf floating point buffer overflow as per CVE-2016-9586
(Closes: #848958)
* B-D on "libssl1.0-dev | libssl-dev (<< 1.1)" (Closes: #850880, #844018)
* Another attempt at making -dev packages multi-arch.
Thanks to Benjamin Moody for the patches. (Closes: #731998, #846360)
* Enable support for PSL (Closes: #847958)
* Re-enable support for IDN (Closes: #849539)
* Drop 10_disable-network-tests.patch.
It didn't really work, and the issue is not urgent.
* Switch curl binary back to libcurl3/OpenSSL.
While the GnuTLS flavour mostly worked fine, there are a bunch of features
that are not implemented.
-- Alessandro Ghedini <email address hidden> Thu, 12 Jan 2017 22:02:44 +0000
curl (7.51.0-1) unstable; urgency=medium
* New upstream release
- Fix cookie injection for other servers as per CVE-2016-8615
https://curl.haxx.se/docs/adv_20161102A.html
- Fix case insensitive password comparison as per CVE-2016-8616
https://curl.haxx.se/docs/adv_20161102B.html
- Fix OOB write via unchecked multiplication as per CVE-2016-8617
https://curl.haxx.se/docs/adv_20161102C.html
- Fix double-free in curl_maprintf as per CVE-2016-8618
https://curl.haxx.se/docs/adv_20161102D.html
- Fix double-free in krb5 code as per CVE-2016-8619
https://curl.haxx.se/docs/adv_20161102E.html
- Fix glob parser write/read out of bounds as per CVE-2016-8620
https://curl.haxx.se/docs/adv_20161102F.html
- Fix curl_getdate read out of bounds as per CVE-2016-8621
https://curl.haxx.se/docs/adv_20161102G.html
- Fix URL unescape heap overflow via integer truncation as per CVE-2016-8622
https://curl.haxx.se/docs/adv_20161102H.html
- Fix use-after-free via shared cookies as per CVE-2016-8623
https://curl.haxx.se/docs/adv_20161102I.html
- Fix invalid URL parsing with '#' as per CVE-2016-8624
https://curl.haxx.se/docs/adv_20161102J.html
- Fix IDNA 2003 makes curl use wrong host
https://curl.haxx.se/docs/adv_20161102K.html
- Fix escape and unescape integer overflows as
per CVE-2016-7167 (Closes: #837945)
https://curl.haxx.se/docs/adv_20160914.html
- Fix incorrect reuse of client certificates (NSS backend)
as per CVE-2016-7141 (Closes: #836918)
https://curl.haxx.se/docs/adv_20160907.html
* Drop 02_art_http_scripting.patch (file not shipped anymore)
* Refresh patches
* Temporarily disable IDN support
* Don't install pdf and html docs (they are not shipped in the tarball anymore)
* Install markdown docs
-- Alessandro Ghedini <email address hidden> Thu, 03 Nov 2016 22:46:14 +0000
| Superseded in jessie-release |
curl (7.38.0-4+deb8u4) jessie-security; urgency=high
* Fix TLS session resumption client cert bypass as per CVE-2016-5419
https://curl.haxx.se/docs/adv_20160803A.html
* Fix re-using connection with wrong client cert as per CVE-2016-5420
https://curl.haxx.se/docs/adv_20160803B.html
* Fix use of connection struct after free as per CVE-2016-5421
https://curl.haxx.se/docs/adv_20160803C.html
-- Alessandro Ghedini <email address hidden> Mon, 01 Aug 2016 12:19:28 +0100
curl (7.50.1-1) unstable; urgency=medium
* New upstream release (Closes: #827900)
- Fix TLS session resumption client cert bypass as per CVE-2016-5419
https://curl.haxx.se/docs/adv_20160803A.html
- Fix re-using connection with wrong client cert as per CVE-2016-5420
https://curl.haxx.se/docs/adv_20160803B.html
- Fix use of connection struct after free as per CVE-2016-5421
https://curl.haxx.se/docs/adv_20160803C.html
- Support OpenSSL 1.1 (Closes: #828127)
* Fix 04_workaround_as_needed_bug.patch.
Thanks to Yuriy M. Kaminskiy for the patch (Closes: #818131)
* Bump Standards-Version to 3.9.8 (no changes needed)
* Update Vcs-* URLs
* Refresh patches
* Add 08_enable-zsh.patch to re-enable zsh completion generation
* Remove 08_fix-zsh-completion.patch (was already disabled)
* Add 09_fix-typo.patch to fix spelling-error-in-manpage
* Add 10_disable-network-tests.patch to disable networked tests
(Closes: #830273)
* Improve cross Build-Depends satisfiability.
Thanks to Helmut Grohne for the patch (Closes: #818092)
-- Alessandro Ghedini <email address hidden> Wed, 03 Aug 2016 12:46:05 +0100
| Superseded in jessie-release |
curl (7.38.0-4+deb8u3) jessie-security; urgency=medium
* Fix NTLM credentials not-checked for proxy connection re-use
as per CVE-2016-0755
http://curl.haxx.se/docs/adv_20160127A.htm
-- Alessandro Ghedini <email address hidden> Tue, 26 Jan 2016 22:39:38 +0000
curl (7.47.0-1) unstable; urgency=high
* New upstream release
- Fix NTLM credentials not-checked for proxy connection re-use
as per CVE-2016-0755
http://curl.haxx.se/docs/adv_20160127A.html
- Set uyrgency=high accordingly
* Remove hard-coded dependency on libgnutls (Closes: #812542)
* Drop 08_fix-zsh-completion.patch (merged upstream)
* Refresh patches
-- Alessandro Ghedini <email address hidden> Wed, 27 Jan 2016 11:45:59 +0000
curl (7.46.0-1) unstable; urgency=medium
* New upstream release
- Initialize OpenSSL algorithms after loading config (Closes: #805408)
* Install curl zsh completion (Closes: #805509)
- Add 08_fix-zsh-completion.patch to fix zsh completion generation
-- Alessandro Ghedini <email address hidden> Sun, 27 Dec 2015 18:18:09 +0100
curl (7.45.0-1) unstable; urgency=medium * New upstream release * Drop 08_spelling.patch (merged upstream) -- Alessandro Ghedini <email address hidden> Wed, 07 Oct 2015 12:59:03 +0200
curl (7.44.0-2) unstable; urgency=medium * Enable HTTP/2 support (Closes: #796302) -- Alessandro Ghedini <email address hidden> Thu, 10 Sep 2015 11:25:14 +0200
| Published in wheezy-release |
curl (7.26.0-1+wheezy13) wheezy-security; urgency=high
* Fix re-using authenticated connection when unauthenticated
as per CVE-2015-3143
http://curl.haxx.se/docs/adv_20150422A.html
* Fix Negotiate not treated as connection-oriented as per CVE-2015-3148
http://curl.haxx.se/docs/adv_20150422B.html
-- Alessandro Ghedini <email address hidden> Tue, 21 Apr 2015 13:51:57 +0200
curl (7.44.0-1) unstable; urgency=medium * New upstream release * Refresh patches * Update symbols files * Add 08_spelling.patch to fix some spelling errors -- Alessandro Ghedini <email address hidden> Wed, 12 Aug 2015 11:49:04 +0200
curl (7.43.0-1) unstable; urgency=medium
* New upstream release
- Fix lingering HTTP credentials in connection re-use as per CVE-2015-3236
http://curl.haxx.se/docs/adv_20150617A.html
- Fix SMB send off unrelated memory contents as per CVE-2015-3237
http://curl.haxx.se/docs/adv_20150617B.html
* Refresh patches
* Fix spelling-error-in-description
-- Alessandro Ghedini <email address hidden> Wed, 17 Jun 2015 10:21:34 +0200
curl (7.42.1-3) unstable; urgency=medium
* Update copyright
* Set both CA bundle and CA path default values for OpenSSL and GnuTLS
backends
* Bump versioned depends on libgnutls to workaround lack of nettle versioned
symbols (Closes: #787960)
-- Alessandro Ghedini <email address hidden> Sun, 07 Jun 2015 18:15:15 +0200
| Superseded in jessie-release |
curl (7.38.0-4+deb8u2) jessie-security; urgency=high
* Don't send sensitive HTTP server headers to proxies as per CVE-2015-3153
http://curl.haxx.se/docs/adv_20150429.html
-- Alessandro Ghedini <email address hidden> Wed, 29 Apr 2015 10:47:47 +0200
curl (7.42.1-2) unstable; urgency=medium
* Switch curl binary to libcurl3-gnutls (Closes: #342719)
This is the first step of a possible migration to a GnuTLS-only
libcurl for Debian. Let's see how it goes.
-- Alessandro Ghedini <email address hidden> Sun, 03 May 2015 13:13:15 +0200
curl (7.42.1-1) unstable; urgency=high
* New upstream release
- Don't send sensitive HTTP server headers to proxies as per
CVE-2015-3153
http://curl.haxx.se/docs/adv_20150429.html
* Drop 08_fix-spelling.patch (merged upstream)
* Refresh patches
-- Alessandro Ghedini <email address hidden> Wed, 29 Apr 2015 10:43:43 +0200
curl (7.42.0-1) unstable; urgency=medium
* New upstream release
- Fix re-using authenticated connection when unauthenticated
as per CVE-2015-3143
http://curl.haxx.se/docs/adv_20150422A.html
- Fix host name out of boundary memory access as per CVE-2015-3144
http://curl.haxx.se/docs/adv_20150422D.html
- Fix cookie parser out of boundary memory access as per CVE-2015-3145
http://curl.haxx.se/docs/adv_20150422C.html
- Fix Negotiate not treated as connection-oriented as per CVE-2015-3148
http://curl.haxx.se/docs/adv_20150422B.html
- Disable SSLv3 in the OpenSSL backend when OPENSSL_NO_SSL3_METHOD is
defined (Closes: #768562)
* Drop patches merged upstream
* Refresh patches
* Bump Standards-Version to 3.9.6 (no changes needed)
-- Alessandro Ghedini <email address hidden> Wed, 22 Apr 2015 11:07:32 +0200
| Superseded in wheezy-release |
curl (7.26.0-1+wheezy11) wheezy-security; urgency=high
* Fix duphandle read out of bounds as per CVE-2014-3707
http://curl.haxx.se/docs/adv_20141105.html
* Set urgency=high accordingly
-- Alessandro Ghedini <email address hidden> Sun, 02 Nov 2014 16:07:47 +0100
curl (7.38.0-4) unstable; urgency=high
* Fix URL request injection vulnerability as per CVE-2014-8150
http://curl.haxx.se/docs/adv_20150108B.html
* Set urgency=high accordingly
-- Alessandro Ghedini <email address hidden> Thu, 08 Jan 2015 10:47:24 +0100
curl (7.38.0-3) unstable; urgency=high
* Enable all hardening options (Closes: #763372)
* Fix duphandle read out of bounds as per CVE-2014-3707
http://curl.haxx.se/docs/adv_20141105.html
* Set urgency=high accordingly
-- Alessandro Ghedini <email address hidden> Thu, 06 Nov 2014 11:40:24 +0100
| Superseded in wheezy-release |
curl (7.26.0-1+wheezy10) wheezy-security; urgency=high
* Fix multiple security issues:
- Only use full host matches for hosts used as IP address
as per CVE-2014-3613
- Reject incoming cookies set for TLDs as per CVE-2014-3620
* Set urgency=high accordingly
-- Alessandro Ghedini <email address hidden> Sat, 06 Sep 2014 14:07:02 +0200
curl (7.38.0-2) unstable; urgency=medium
* Check for libtoolize instead of libtool during build.
Thanks to Helmut Grohne for the patch (Closes: #761740)
* Add README.source note regarding ordering of patches (Closes: #762193)
* Add 10_fix-resolver.patch from upstream (Closes: #762014)
-- Alessandro Ghedini <email address hidden> Tue, 23 Sep 2014 16:41:53 +0200
curl (7.38.0-1) unstable; urgency=medium
* New upstream release
- Only use full host matches for hosts used as IP address
as per CVE-2014-3613
http://curl.haxx.se/docs/adv_20140910A.html
- Reject incoming cookies set for TLDs as per CVE-2014-3620
http://curl.haxx.se/docs/adv_20140910B.html
* Drop 08_link-curl-to-nss.patch (merged upstream)
* Refresh patches
* Fix wildcard-matches-nothing-in-dep5-copyright
* Add 08_fix-spelling.patch
-- Alessandro Ghedini <email address hidden> Wed, 10 Sep 2014 20:11:02 +0200
| Published in squeeze-release |
curl (7.21.0-2.1+squeeze8) squeeze-security; urgency=medium
* Fix multiple security issues (Closes: #742728):
- Fix connection re-use when using different log-in credentials
as per CVE-2014-0138
http://curl.haxx.se/docs/adv_20140326A.html
- Reject IP address wildcard matches as per CVE-2014-0139
http://curl.haxx.se/docs/adv_20140326B.html
* Set urgency=high accordingly
-- Alessandro Ghedini <email address hidden> Wed, 09 Apr 2014 19:47:38 +0200
curl (7.37.1-1) unstable; urgency=medium * New upstream release * Re-enable RTMP support (Closes: #754222) * Add 08_link-curl-to-nss.patch to fix NSS build * Refresh patches * Install manpages of single libcurl options too -- Alessandro Ghedini <email address hidden> Fri, 18 Jul 2014 10:18:03 +0200
curl (7.37.0-1) unstable; urgency=medium
* New upstream release
- Fix NULL pointer dereference in GnuTLS code (Closes: #746349)
* Drop 08_fix-imap-tests.patch (merged upstream)
* Refresh 01_runtests_gdb.patch
* Remove Build-Depends on libgcrypt
-- Alessandro Ghedini <email address hidden> Wed, 21 May 2014 15:22:38 +0200
curl (7.36.0-2) unstable; urgency=medium
* Move Depends on -dev packages needed to use static libraries to Suggests
* Switch to GnuTLS 3.x (Closes: #741568)
* Disable RTMP support (librtmp-dev requires libgnutls-dev, which conflicts
with libgnutls28-dev)
-- Alessandro Ghedini <email address hidden> Mon, 28 Apr 2014 19:37:14 +0200
| Superseded in wheezy-release |
curl (7.26.0-1+wheezy9) wheezy-security; urgency=high
* Fix multiple security issues (Closes: #742728):
- Fix connection re-use when using different log-in credentials
as per CVE-2014-0138
http://curl.haxx.se/docs/adv_20140326A.html
- Reject IP address wildcard matches as per CVE-2014-0139
http://curl.haxx.se/docs/adv_20140326B.html
* Set urgency=high accordingly
-- Alessandro Ghedini <email address hidden> Wed, 09 Apr 2014 19:03:55 +0200
curl (7.36.0-1) unstable; urgency=high
* New upstream release (Closes: #742728)
- Fix connection re-use when using different log-in credentials
as per CVE-2014-0138
http://curl.haxx.se/docs/adv_20140326A.html
- Reject IP address wildcard matches as per CVE-2014-0139
http://curl.haxx.se/docs/adv_20140326B.html
- Set urgency=high accordingly
* Add 08_fix-imap-tests.patch to fix tests broken by the fix for CVE-2014-0138
-- Alessandro Ghedini <email address hidden> Sun, 30 Mar 2014 15:36:35 +0200
| Superseded in squeeze-release |
curl (7.21.0-2.1+squeeze7) squeeze-security; urgency=high
* Fix re-use of wrong HTTP NTLM connection as per CVE-2014-0015
http://curl.haxx.se/docs/adv_20140129.html
* Set urgency=high accordingly
-- Alessandro Ghedini <email address hidden> Wed, 29 Jan 2014 19:05:15 +0100
| Superseded in wheezy-release |
curl (7.26.0-1+wheezy8) wheezy-security; urgency=high
* Fix re-use of wrong HTTP NTLM connection as per CVE-2014-0015
http://curl.haxx.se/docs/adv_20140129.html
* Set urgency=high accordingly
-- Alessandro Ghedini <email address hidden> Wed, 29 Jan 2014 19:01:03 +0100
curl (7.35.0-1) unstable; urgency=high
* New upstream release
- Fix re-use of wrong HTTP NTLM connection as per CVE-2014-0015
http://curl.haxx.se/docs/adv_20140129.html
- Set urgency=high accordingly
* Refresh patches
-- Alessandro Ghedini <email address hidden> Wed, 29 Jan 2014 11:16:57 +0100
curl (7.34.0-1) unstable; urgency=high
* New upstream release
- Fix GnuTLS checking of a certificate CN or SAN name field when the
digital signature verification is turned off as per CVE-2013-6422
http://curl.haxx.se/docs/adv_20131217.html
- Set urgency=high accordingly
* Drop patches merged upstream:
- 08_fix-typo.patch
- 09_fix-urlglob.patch
-- Alessandro Ghedini <email address hidden> Tue, 17 Dec 2013 13:16:19 +0100
| Superseded in wheezy-release |
curl (7.26.0-1+wheezy6) stable-security; urgency=low
* Disable host verification too when using the --insecure option
(Closes: #729965)
-- Alessandro Ghedini <email address hidden> Tue, 19 Nov 2013 17:15:32 +0100
curl (7.33.0-2) unstable; urgency=low * Make -dev packages Multi-Arch: same too (Closes: #731309) * Bump Standards-Version to 3.9.5 (no changes needed) * Add 09_fix-urlglob.patch to fix URL globbing (Closes: #731855) -- Alessandro Ghedini <email address hidden> Wed, 11 Dec 2013 18:44:37 +0100
| Superseded in squeeze-release |
curl (7.21.0-2.1+squeeze4) oldstable-security; urgency=high
* Fix URL decode buffer boundary flaw as per CVE-2013-2174
http://curl.haxx.se/docs/adv_20130622.html
* Set urgency=high accordingly
-- Alessandro Ghedini <email address hidden> Sat, 22 Jun 2013 16:53:25 +0200
| Superseded in wheezy-release |
curl (7.26.0-1+wheezy4) stable-proposed-updates; urgency=low * Add 09_reset-timecond.patch (Closes: #705783, #719300) -- Alessandro Ghedini <email address hidden> Sat, 10 Aug 2013 16:45:38 +0200
curl (7.33.0-1) unstable; urgency=low
* New upstream release
- Handle arbitrary-length username and password (Closes: #719856)
* Remove Luk from Uploaders as per his request (Closes: #723603)
* Do not Build-Depends on specific automake version (Closes: #724361)
* Fix lintian vcs-field-not-canonical
* Add 08_fix-typo.patch
* Refresh patches
-- Alessandro Ghedini <email address hidden> Mon, 14 Oct 2013 22:11:14 +0200
curl (7.32.0-1) unstable; urgency=low
* New upstream release
* Fix typo in changelog entry for 7.31.0-1 (Closes: #714502)
* Drop 08_typo.patch (merged upstream)
* Drop 09_openssl-recv.patch (merged upstream)
* Refresh 90_gnutls.patch and 99_nss.patch
* Refresh 06_always-disable-valgrind.patch
* Enable threaded DNS resolver (Closes: #570436)
See NEWS.Debian for more info
-- Alessandro Ghedini <email address hidden> Mon, 12 Aug 2013 12:19:05 +0200
curl (7.31.0-2) unstable; urgency=high * Add 09_openssl-recv.patch to fix incorrect OpenSSL usage (Closes: #714050) * Set urgency=high because of the security fix in the previous upload -- Alessandro Ghedini <email address hidden> Wed, 26 Jun 2013 11:47:00 +0200
| 76 → 150 of 204 results | First • Previous • Next • Last |
