Changelog

curl (7.60.0-2ubuntu1) cosmic; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Use an if statement to conditionally disable libssh2 in Ubuntu-only
  * Dropped changes, included in Debian:
    - Build-depend on libssl-dev instead of libssl1.0-dev.
    - Rename libcurl3 to libcurl4, because libcurl exposes an SSL_CTX via
      CURLOPT_SSL_CTX_FUNCTION, and this object changes incompatibly between
      openssl 1.0 and openssl 1.1.
    - debian/patches/03_keep_symbols_compat.patch: drop, since we are no longer
      claiming compatibility.
    - debian/patches/90_gnutls.patch: Retain symbol versioning compatibility
      for non-OpenSSL builds.
  * Dropped changes, included upstream:
    - SECURITY UPDATE: FTP path trickery leads to NIL byte OOB write
      - debian/patches/CVE-2018-1000120.patch: reject path components with
        control codes in lib/ftp.c, add test to tests/*.
      - CVE-2018-1000120
    - SECURITY UPDATE: LDAP NULL pointer dereference
      - debian/patches/CVE-2018-1000121.patch: check ldap_get_attribute_ber()
        results for NULL before using in lib/openldap.c.
      - CVE-2018-1000121
    - SECURITY UPDATE: RTSP RTP buffer over-read
      - debian/patches/CVE-2018-1000122.patch: make sure excess reads don't
        go beyond buffer end in lib/transfer.c.
      - CVE-2018-1000122
    - SECURITY UPDATE: FTP shutdown response buffer overflow
      - debian/patches/CVE-2018-1000300.patch: check data size in
        lib/pingpong.c.
      - CVE-2018-1000303
    - SECURITY UPDATE: RTSP bad headers buffer over-read
      - debian/patches/CVE-2018-1000301.patch: restore buffer pointer when
        bad response-line is parsed in lib/http.c.
      - CVE-2018-1000301

curl (7.60.0-2) unstable; urgency=medium

  [ Steve Langasek ]
  * Build-depend on libssl-dev instead of libssl1.0-dev.
  * Rename libcurl3 to libcurl4, because libcurl exposes an SSL_CTX via
    CURLOPT_SSL_CTX_FUNCTION, and this object changes incompatibly between
    openssl 1.0 and openssl 1.1.
  * debian/patches/03_keep_symbols_compat.patch: drop, since we are no longer
    claiming compatibility.
  * debian/patches/90_gnutls.patch: Retain symbol versioning compatibility for
    non-OpenSSL builds.  Closes: #858398.
  * Adjust libssl1.1 vs libssl1.0 Suggests/Conflicts; thanks, Adrian Bunk

curl (7.60.0-1) unstable; urgency=medium

  * New upstream release (Closes: #891997, #893546, #898856)
    + Fix use of IPv6 literals with NO_PROXY
    + Fix NIL byte out of bounds write due to FTP path trickery
      as per CVE-2018-1000120
      https://curl.haxx.se/docs/adv_2018-9cd6.html
    + Fix LDAP NULL pointer dereference as per CVE-2018-1000121
      https://curl.haxx.se/docs/adv_2018-97a2.html
    + Fix RTSP RTP buffer over-read as per CVE-2018-1000122
      https://curl.haxx.se/docs/adv_2018-b047.html
    + Fix heap buffer overflow when closing down an FTP connection
      with very long server command replies as per CVE-2018-1000300
      https://curl.haxx.se/docs/adv_2018-82c2.html
    + Fix heap buffer over-read when parsing bad RTSP headers
      as per CVE-2018-1000301
      https://curl.haxx.se/docs/adv_2018-b138.html
  * Refresh patches
  * Bump Standards-Version to 4.1.4 (no changes needed)

 -- Steve Langasek <email address hidden>  Mon, 04 Jun 2018 16:27:47 -0700
