-
curl (7.64.0-4+deb10u2) buster-security; urgency=high
* Fix partial password leak over DNS on HTTP redirect as per CVE-2020-8169
(Closes: #965280)
https://curl.haxx.se/docs/CVE-2020-8169.html
* Fix local file overwrite as per CVE-2020-8177 (Closes: #965281)
https://curl.se/docs/CVE-2020-8177.html
* Fix use of wrong connect-only connection as per CVE-2020-8231
(Closes: #968831)
https://curl.se/docs/CVE-2020-8231.html
* Don't trust FTP PASV responses by default as per CVE-2020-8284
(Closes: #977163)
* Fix FTP wildcard stack overflow as per CVE-2020-8285 (Closes: #977162)
https://curl.se/docs/CVE-2020-8285.html
* Make the OCSP verification verify the certificate id as per CVE-2020-8286
(Closes: #977161)
https://curl.se/docs/CVE-2020-8286.html
* Fix credentials leak with automatic referer as per CVE-2021-22876
https://curl.se/docs/CVE-2021-22876.html
* Fix TLS 1.3 session ticket proxy host mixup as per CVE-2021-22890
https://curl.se/docs/CVE-2021-22890.html
-- Alessandro Ghedini <email address hidden> Tue, 30 Mar 2021 21:56:00 +0100
-
curl (7.64.0-4+deb10u1) buster-security; urgency=high
* Fix FTP-KRB double-free as per CVE-2019-5481 (Closes: #940009)
https://curl.haxx.se/docs/CVE-2019-5481.html
* Fix TFTP small blocksize heap buffer overflow as per CVE-2019-5482
(Closes: #940010)
https://curl.haxx.se/docs/CVE-2019-5482.html
-- Alessandro Ghedini <email address hidden> Sat, 22 Feb 2020 15:01:46 +0000
-
curl (7.64.0-4) unstable; urgency=medium
* Fix TFTP receive buffer overflow as per CVE-2019-5436 (Closes: #929351)
https://curl.haxx.se/docs/CVE-2019-5436.html
* Fix integer overflow in curl_url_set() as per CVE-2019-5435 (Closes: #929352)
https://curl.haxx.se/docs/CVE-2019-5435.html
-- Alessandro Ghedini <email address hidden> Fri, 14 Jun 2019 19:23:32 +0100
-
curl (7.64.0-3) unstable; urgency=medium
* Fix potential crash in HTTP/2 code and busy loop at the end of connections
(Closes: #927471)
-- Alessandro Ghedini <email address hidden> Sat, 04 May 2019 12:51:06 +0100
-
curl (7.64.0-2) unstable; urgency=medium
* Fix infinite loop when fetching URLs with unreachable IPv6 (Closes: #922554)
-- Alessandro Ghedini <email address hidden> Thu, 07 Mar 2019 20:02:35 +0000
-
curl (7.64.0-1) unstable; urgency=medium
* New upstream release
+ Fix NTLM type-2 out-of-bounds buffer read as per CVE-2018-16890
https://curl.haxx.se/docs/CVE-2018-16890.html
+ Fix NTLMv2 type-3 header stack buffer overflow as per CVE-2019-3822
https://curl.haxx.se/docs/CVE-2019-3822.html
+ Fix SMTP end-of-response out-of-bounds read as per CVE-2019-3823
https://curl.haxx.se/docs/CVE-2019-3823.html
+ Fix HTTP negotiation with POST requests (Closes: #920267)
-- Alessandro Ghedini <email address hidden> Wed, 06 Feb 2019 22:33:05 +0000
-
curl (7.63.0-1) unstable; urgency=medium
* New upstream release
+ Fix IPv6 numeral address parser (Closes: #915520)
+ Fix timeout handling (Closes: #914793)
+ Fix HTTP auth to include query in URI (Closes: #913214)
* Drop 12_fix-runtests-curl.patch (merged upstream)
* Update symbols
* Update copyright for removed files
* Bump debhelper compat level to 12
* Bump Standards-Version to 4.3.0 (no changes needed)
-- Alessandro Ghedini <email address hidden> Tue, 15 Jan 2019 20:47:40 +0000
-
curl (7.62.0-1) unstable; urgency=medium
* New upstream release
+ Fix NTLM password overflow via integer overflow as per CVE-2018-14618
(Closes: #908327) https://curl.haxx.se/docs/CVE-2018-14618.html
+ Fix SASL password overflow via integer overflow as per CVE-2018-16839
https://curl.haxx.se/docs/CVE-2018-16839.html
+ Fix use-after-free in handle close as per CVE-2018-16840
https://curl.haxx.se/docs/CVE-2018-16840.html
+ Fix warning message out-of-buffer read as per CVE-2018-16842
https://curl.haxx.se/docs/CVE-2018-16842.html
+ Fix broken terminal output (closes: #911333)
* Refresh patches
* Add 12_fix-runtests-curl.patch to fix running curl in tests
-- Alessandro Ghedini <email address hidden> Wed, 31 Oct 2018 22:42:44 +0000
-
curl (7.61.0-1) unstable; urgency=medium
* New upstream release
+ Fix SMTP send heap buffer overflow as per CVE-2018-0500 (Closes: #903546)
https://curl.haxx.se/docs/adv_2018-70a2.html
+ Fix some crashes related to HTTP/2 (Closes: #902628)
* Disable libssh2 on Ubuntu.
Thanks to Gianfranco Costamagna for the patch (Closes: #888449)
* Bump Standards-Version to 4.2.0 (no changes needed)
* Don't configure default CA bundle with OpenSSL and GnuTLS (Closes: #883174)
-- Alessandro Ghedini <email address hidden> Sat, 11 Aug 2018 13:32:28 +0100
-
curl (7.60.0-2) unstable; urgency=medium
[ Steve Langasek ]
* Build-depend on libssl-dev instead of libssl1.0-dev.
* Rename libcurl3 to libcurl4, because libcurl exposes an SSL_CTX via
CURLOPT_SSL_CTX_FUNCTION, and this object changes incompatibly between
openssl 1.0 and openssl 1.1.
* debian/patches/03_keep_symbols_compat.patch: drop, since we are no longer
claiming compatibility.
* debian/patches/90_gnutls.patch: Retain symbol versioning compatibility for
non-OpenSSL builds. Closes: #858398.
* Adjust libssl1.1 vs libssl1.0 Suggests/Conflicts; thanks, Adrian Bunk
-- Alessandro Ghedini <email address hidden> Wed, 23 May 2018 20:25:39 +0100
-
curl (7.60.0-1) unstable; urgency=medium
* New upstream release (Closes: #891997, #893546, #898856)
+ Fix use of IPv6 literals with NO_PROXY
+ Fix NIL byte out of bounds write due to FTP path trickery
as per CVE-2018-1000120
https://curl.haxx.se/docs/adv_2018-9cd6.html
+ Fix LDAP NULL pointer dereference as per CVE-2018-1000121
https://curl.haxx.se/docs/adv_2018-97a2.html
+ Fix RTSP RTP buffer over-read as per CVE-2018-1000122
https://curl.haxx.se/docs/adv_2018-b047.html
+ Fix heap buffer overflow when closing down an FTP connection
with very long server command replies as per CVE-2018-1000300
https://curl.haxx.se/docs/adv_2018-82c2.html
+ Fix heap buffer over-read when parsing bad RTSP headers
as per CVE-2018-1000301
https://curl.haxx.se/docs/adv_2018-b138.html
* Refresh patches
* Bump Standards-Version to 4.1.4 (no changes needed)
-- Alessandro Ghedini <email address hidden> Fri, 18 May 2018 20:21:17 +0100
-
curl (7.58.0-2) unstable; urgency=medium
* Explicitly enable libssh2 support which got silently disabled in the
previous update
-- Alessandro Ghedini <email address hidden> Wed, 24 Jan 2018 20:27:50 +0000
-
curl (7.57.0-1) unstable; urgency=medium
* New upstream release
- Fix NTLM buffer overflow via integer overflow as per CVE-2017-8816
https://curl.haxx.se/docs/adv_2017-11e7.html
- Fix FTP wildcard out of bounds read as per CVE-2017-8817
https://curl.haxx.se/docs/adv_2017-ae72.html
- Fix SSL out of buffer access as per CVE-2017-8818
https://curl.haxx.se/docs/adv_2017-af0a.html
* Remove -fdebug-prefix-map from curl-config.
Thanks to Timo Weingärtner for the patch (Closes: #861974, #874223, #874238)
* Don't install zsh completion when cross compiling.
Thanks to Wookey for the patch (Closes: #812965)
-- Alessandro Ghedini <email address hidden> Thu, 30 Nov 2017 10:16:03 +0000
-
curl (7.56.1-1) unstable; urgency=medium
* New upstream release
- Fix IMAP FETCH response out of bounds read as per CVE-2017-1000257
https://curl.haxx.se/docs/adv_20171023.html
* Bump Standards-Version to 4.1.1 (no changes needed)
* Drop 01_runtests_gdb.patch
* Drop 12_dont-wait-on-CONNECT.patch
* Refresh patches
* Update *.symbols files
* Use https:// URL in watch file
-- Alessandro Ghedini <email address hidden> Tue, 24 Oct 2017 11:05:48 +0100
-
curl (7.55.1-1) unstable; urgency=medium
* New upstream release
- Fix FTBFS on powerpc (Closes: #872502)
* Apply upstream patch to fix connection timeouts with NetworkManager
(Closes: #873181)
* Refresh patches
* Bump Standards-Version to 4.1.0 (no changes needed)
-- Alessandro Ghedini <email address hidden> Sat, 02 Sep 2017 12:10:22 +0100
-
curl (7.55.0-1) unstable; urgency=medium
* New upstream release
- Fix TFTP sends more than buffer size as per CVE-2017-1000100
(Closes: #871555)
- Fix URL globbing out of bounds read as per CVE-2017-1000101
(Closes: #871554)
* Refresh patches and drop patches merged upstream
* Update Standards-Version to 4.0.1 (no changes needed)
* Drop -dbg package
-- Alessandro Ghedini <email address hidden> Sat, 12 Aug 2017 15:18:05 +0100
-
curl (7.52.1-5) unstable; urgency=high
* Fix TLS session resumption client cert bypass as per CVE-2017-7468
https://curl.haxx.se/docs/adv_20170419.html
-- Alessandro Ghedini <email address hidden> Wed, 19 Apr 2017 11:19:50 +0100