Change log for curl package in Ubuntu

Published in disco-proposed on 2019-02-14
curl (7.64.0-1ubuntu1) disco; urgency=medium

  * Resynchronize with Debian, remaining change
  * debian/control, debian/rules:
    - build with libssh instead of libssh2, that's a better maintained
      library and it's in Ubuntu main (lp: #311029)

Published in trusty-updates on 2019-02-06
Published in trusty-security on 2019-02-06
curl (7.35.0-1ubuntu2.20) trusty-security; urgency=medium

  * SECURITY UPDATE: SMTP end-of-response out-of-bounds read
    - debian/patches/CVE-2019-3823.patch: avoid risk of buffer overflow in
      strtol in lib/smtp.c.
    - CVE-2019-3823

 -- Marc Deslauriers <email address hidden>  Tue, 29 Jan 2019 09:03:19 -0500
Published in disco-release on 2019-02-02
Deleted in disco-proposed (Reason: moved to release)
curl (7.63.0-1ubuntu1) disco; urgency=medium

  * debian/control, debian/rules:
    - build with libssh instead of libssh2, that's a better maintained
      library and it's in Ubuntu main (lp: #311029)

 -- Sebastien Bacher <email address hidden>  Thu, 31 Jan 2019 15:29:39 +0100
Published in xenial-updates on 2019-02-06
Published in xenial-security on 2019-02-06
curl (7.47.0-1ubuntu2.12) xenial-security; urgency=medium

  * SECURITY UPDATE: NTLM type-2 out-of-bounds buffer read
    - debian/patches/CVE-2018-16890.patch: fix size check condition for
      type2 received data in lib/curl_ntlm_msgs.c.
    - CVE-2018-16890
  * SECURITY UPDATE: NTLMv2 type-3 header stack buffer overflow
    - debian/patches/CVE-2019-3822.patch: fix *_type3_message size check to
      avoid buffer overflow in lib/curl_ntlm_msgs.c.
    - CVE-2019-3822
  * SECURITY UPDATE: SMTP end-of-response out-of-bounds read
    - debian/patches/CVE-2019-3823.patch: avoid risk of buffer overflow in
      strtol in lib/smtp.c.
    - CVE-2019-3823

 -- Marc Deslauriers <email address hidden>  Tue, 29 Jan 2019 08:58:54 -0500
Published in bionic-updates on 2019-02-06
Published in bionic-security on 2019-02-06
curl (7.58.0-2ubuntu3.6) bionic-security; urgency=medium

  * SECURITY UPDATE: NTLM type-2 out-of-bounds buffer read
    - debian/patches/CVE-2018-16890.patch: fix size check condition for
      type2 received data in lib/vauth/ntlm.c.
    - CVE-2018-16890
  * SECURITY UPDATE: NTLMv2 type-3 header stack buffer overflow
    - debian/patches/CVE-2019-3822.patch: fix *_type3_message size check to
      avoid buffer overflow in lib/vauth/ntlm.c.
    - CVE-2019-3822
  * SECURITY UPDATE: SMTP end-of-response out-of-bounds read
    - debian/patches/CVE-2019-3823.patch: avoid risk of buffer overflow in
      strtol in lib/smtp.c.
    - CVE-2019-3823

 -- Marc Deslauriers <email address hidden>  Tue, 29 Jan 2019 08:48:30 -0500
Published in cosmic-updates on 2019-02-06
Published in cosmic-security on 2019-02-06
curl (7.61.0-1ubuntu2.3) cosmic-security; urgency=medium

  * SECURITY UPDATE: NTLM type-2 out-of-bounds buffer read
    - debian/patches/CVE-2018-16890.patch: fix size check condition for
      type2 received data in lib/vauth/ntlm.c.
    - CVE-2018-16890
  * SECURITY UPDATE: NTLMv2 type-3 header stack buffer overflow
    - debian/patches/CVE-2019-3822.patch: fix *_type3_message size check to
      avoid buffer overflow in lib/vauth/ntlm.c.
    - CVE-2019-3822
  * SECURITY UPDATE: SMTP end-of-response out-of-bounds read
    - debian/patches/CVE-2019-3823.patch: avoid risk of buffer overflow in
      strtol in lib/smtp.c.
    - CVE-2019-3823

 -- Marc Deslauriers <email address hidden>  Tue, 29 Jan 2019 08:44:13 -0500
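Added example, not part of this Launchpad page, of the Ubuntu packaging or of curl itself: a stand-alone check of an installed curl package version against the fixed versions carried by the four 2019-02-06 security entries above. The FIXED table is transcribed from those entries (trusty's entry lists only CVE-2019-3823, so the two NTLM CVEs have no trusty row). The Debian version ordering (epoch, then upstream version, then revision; a tilde sorts before anything, digit runs compare numerically) is reimplemented so the check runs anywhere without dpkg; on a real host the installed version comes from dpkg-query, which the optional installed_version() helper wraps. The sample version 7.58.0-2ubuntu3.5 in the demo is a constructed stand-in for a bionic host still on the previous security build.

```python
import subprocess
from typing import Dict, Optional

# Transcribed from the changelog entries above: first package version per
# release that carries the named fix (no trusty row for the NTLM CVEs).
FIXED: Dict[str, Dict[str, str]] = {
    "CVE-2018-16890": {"xenial": "7.47.0-1ubuntu2.12", "bionic": "7.58.0-2ubuntu3.6",
                       "cosmic": "7.61.0-1ubuntu2.3"},
    "CVE-2019-3822": {"xenial": "7.47.0-1ubuntu2.12", "bionic": "7.58.0-2ubuntu3.6",
                      "cosmic": "7.61.0-1ubuntu2.3"},
    "CVE-2019-3823": {"trusty": "7.35.0-1ubuntu2.20", "xenial": "7.47.0-1ubuntu2.12",
                      "bionic": "7.58.0-2ubuntu3.6", "cosmic": "7.61.0-1ubuntu2.3"},
}


def _order(c: str) -> int:
    """Character weight used by dpkg: '~' < end-of-string/digit < letters < other."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _at(s: str, i: int) -> str:
    return s[i] if i < len(s) else ""


def _verrevcmp(a: str, b: str) -> int:
    """Compare one upstream-version or revision string the way dpkg does."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        # Non-digit run: compare character weights until a digit or the end.
        while (_at(a, ia) and not _at(a, ia).isdigit()) or \
              (_at(b, ib) and not _at(b, ib).isdigit()):
            oa, ob = _order(_at(a, ia)), _order(_at(b, ib))
            if oa != ob:
                return -1 if oa < ob else 1
            ia += 1
            ib += 1
        # Digit run: numeric comparison, leading zeros ignored (3.10 > 3.6).
        while _at(a, ia) == "0":
            ia += 1
        while _at(b, ib) == "0":
            ib += 1
        first_diff = 0
        while _at(a, ia).isdigit() and _at(b, ib).isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if _at(a, ia).isdigit():
            return 1
        if _at(b, ib).isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_patched(cve: str, release: str, installed: str) -> Optional[bool]:
    """True/False when this page lists a fix for (cve, release); None when it does not."""
    fixed = FIXED.get(cve, {}).get(release)
    if fixed is None:
        return None
    return compare_versions(installed, fixed) >= 0


def installed_version(package: str = "curl") -> Optional[str]:
    """Ask dpkg for the installed version; None when dpkg is not available."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample; on a real host use installed_version() and the
    # codename from /etc/os-release instead.
    release, version = "bionic", "7.58.0-2ubuntu3.5"
    for cve in sorted(FIXED):
        state = is_patched(cve, release, version)
        verdict = "not listed" if state is None else ("fixed" if state else "VULNERABLE")
        print(f"{cve}: {release} curl {version} -> {verdict}")
```

The comparison deliberately mirrors dpkg rather than a naive string sort: 7.58.0-2ubuntu3.10 must rank above 7.58.0-2ubuntu3.6, and a 7.61.0-1ubuntu2.3~ppa1 backport must rank below the real 7.61.0-1ubuntu2.3, or the check would report a vulnerable host as fixed.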
Superseded in disco-release on 2019-02-02
Deleted in disco-proposed on 2019-02-03 (Reason: moved to release)
curl (7.63.0-1) unstable; urgency=medium

  * New upstream release
    + Fix IPv6 numeral address parser (Closes: #915520)
    + Fix timeout handling (Closes: #914793)
    + Fix HTTP auth to include query in URI (Closes: #913214)
  * Drop 12_fix-runtests-curl.patch (merged upstream)
  * Update symbols
  * Update copyright for removed files
  * Bump debhelper compat level to 12
  * Bump Standards-Version to 4.3.0 (no changes needed)

 -- Alessandro Ghedini <email address hidden>  Tue, 15 Jan 2019 20:47:40 +0000
Superseded in disco-proposed on 2019-01-16
curl (7.62.0-1) unstable; urgency=medium

  * New upstream release
    + Fix NTLM password overflow via integer overflow as per CVE-2018-14618
      (Closes: #908327) https://curl.haxx.se/docs/CVE-2018-14618.html
    + Fix SASL password overflow via integer overflow as per CVE-2018-16839
      https://curl.haxx.se/docs/CVE-2018-16839.html
    + Fix use-after-free in handle close as per CVE-2018-16840
      https://curl.haxx.se/docs/CVE-2018-16840.html
    + Fix warning message out-of-buffer read as per CVE-2018-16842
      https://curl.haxx.se/docs/CVE-2018-16842.html
    + Fix broken terminal output (closes: #911333)
  * Refresh patches
  * Add 12_fix-runtests-curl.patch to fix running curl in tests

 -- Alessandro Ghedini <email address hidden>  Wed, 31 Oct 2018 22:42:44 +0000
Superseded in trusty-updates on 2019-02-06
Superseded in trusty-security on 2019-02-06
curl (7.35.0-1ubuntu2.19) trusty-security; urgency=medium

  * SECURITY UPDATE: SASL password overflow via integer overflow
    - debian/patches/CVE-2018-16839-pre1.patch: prevent size overflows in
      lib/curl_sasl.c.
    - debian/patches/CVE-2018-16839-pre2.patch: fix integer overflow check
      in lib/curl_ntlm_core.c, lib/curl_setup.h, lib/curl_sasl.c.
    - debian/patches/CVE-2018-16839.patch: fix check in lib/curl_sasl.c.
    - CVE-2018-16839
  * SECURITY UPDATE: warning message out-of-buffer read
    - debian/patches/oob-read.patch: fix bad arithmetic in src/tool_msgs.c.
    - CVE number pending

 -- Marc Deslauriers <email address hidden>  Mon, 29 Oct 2018 08:15:06 -0400
Superseded in xenial-updates on 2019-02-06
Superseded in xenial-security on 2019-02-06
curl (7.47.0-1ubuntu2.11) xenial-security; urgency=medium

  * SECURITY UPDATE: SASL password overflow via integer overflow
    - debian/patches/CVE-2018-16839-pre1.patch: prevent size overflows in
      lib/curl_sasl.c.
    - debian/patches/CVE-2018-16839-pre2.patch: fix integer overflow check
      in lib/curl_ntlm_core.c, lib/curl_setup.h, lib/curl_sasl.c.
    - debian/patches/CVE-2018-16839.patch: fix check in lib/curl_sasl.c.
    - CVE-2018-16839
  * SECURITY UPDATE: warning message out-of-buffer read
    - debian/patches/oob-read.patch: fix bad arithmetic in src/tool_msgs.c.
    - CVE number pending

 -- Marc Deslauriers <email address hidden>  Mon, 29 Oct 2018 08:13:39 -0400
Superseded in bionic-updates on 2019-02-06
Superseded in bionic-security on 2019-02-06
curl (7.58.0-2ubuntu3.5) bionic-security; urgency=medium

  * SECURITY UPDATE: SASL password overflow via integer overflow
    - debian/patches/CVE-2018-16839-pre.patch: fix integer overflow check
      in lib/curl_ntlm_core.c, lib/curl_setup.h, lib/vauth/cleartext.c.
    - debian/patches/CVE-2018-16839.patch: fix check in
      lib/vauth/cleartext.c.
    - CVE-2018-16839
  * SECURITY UPDATE: warning message out-of-buffer read
    - debian/patches/oob-read.patch: fix bad arithmetic in src/tool_msgs.c.
    - CVE number pending

 -- Marc Deslauriers <email address hidden>  Mon, 29 Oct 2018 08:10:57 -0400
Superseded in disco-release on 2019-01-28
Deleted in disco-proposed on 2019-02-07 (Reason: moved to release)
Superseded in cosmic-updates on 2019-02-06
Superseded in cosmic-security on 2019-02-06
curl (7.61.0-1ubuntu2.2) cosmic-security; urgency=medium

  * SECURITY UPDATE: SASL password overflow via integer overflow
    - debian/patches/CVE-2018-16839.patch: fix check in
      lib/vauth/cleartext.c.
    - CVE-2018-16839
  * SECURITY UPDATE: use-after-free in handle close
    - debian/patches/CVE-2018-16840.patch: fix issue in lib/url.c.
    - CVE-2018-16840
  * SECURITY UPDATE: warning message out-of-buffer read
    - debian/patches/oob-read.patch: fix bad arithmetic in src/tool_msgs.c.
    - CVE number pending

 -- Marc Deslauriers <email address hidden>  Mon, 29 Oct 2018 08:08:34 -0400
Superseded in disco-release on 2018-12-01
Published in cosmic-release on 2018-10-05
Deleted in cosmic-proposed (Reason: moved to release)
curl (7.61.0-1ubuntu2) cosmic; urgency=high

  * No change rebuild against openssl 1.1.1 with TLS 1.3 support.

 -- Dimitri John Ledkov <email address hidden>  Sat, 29 Sep 2018 01:36:46 +0100
Superseded in cosmic-release on 2018-10-05
Deleted in cosmic-proposed on 2018-10-06 (Reason: moved to release)
curl (7.61.0-1ubuntu1) cosmic; urgency=medium

  * SECURITY UPDATE: Buffer overrun
    - debian/patches/CVE-2018-14618.patch: fix in
      lib/curl_ntlm_core.c.
    - CVE-2018-14618

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 17 Sep 2018 06:25:23 -0300
Superseded in bionic-updates on 2018-10-31
Superseded in bionic-security on 2018-10-31
curl (7.58.0-2ubuntu3.3) bionic-security; urgency=medium

  * SECURITY UPDATE: Buffer overrun
    - debian/patches/CVE-2018-14618.patch: fix in
      lib/curl_ntlm_core.c.
    - CVE-2018-14618

 -- <email address hidden> (Leonidas S. Barbosa)  Thu, 13 Sep 2018 13:06:47 -0300
Superseded in xenial-updates on 2018-10-31
Superseded in xenial-security on 2018-10-31
curl (7.47.0-1ubuntu2.9) xenial-security; urgency=medium

  * SECURITY UPDATE: Buffer overrun
    - debian/patches/CVE-2018-14618.patch: fix in
      lib/curl_ntlm_core.c.
    - CVE-2018-14618

 -- <email address hidden> (Leonidas S. Barbosa)  Thu, 13 Sep 2018 09:13:35 -0300
Superseded in trusty-updates on 2018-10-31
Superseded in trusty-security on 2018-10-31
curl (7.35.0-1ubuntu2.17) trusty-security; urgency=medium

  * SECURITY UPDATE: Buffer overrun
    - debian/patches/CVE-2018-14618.patch: fix in
      lib/curl_ntlm_core.c.
    - CVE-2018-14618

 -- <email address hidden> (Leonidas S. Barbosa)  Wed, 12 Sep 2018 15:20:26 -0300
Superseded in cosmic-release on 2018-09-18
Deleted in cosmic-proposed on 2018-09-19 (Reason: moved to release)
curl (7.61.0-1) unstable; urgency=medium

  * New upstream release
    + Fix SMTP send heap buffer overflow as per CVE-2018-0500 (Closes: #903546)
      https://curl.haxx.se/docs/adv_2018-70a2.html
    + Fix some crashes related to HTTP/2 (Closes: #902628)
  * Disable libssh2 on Ubuntu.
    Thanks to Gianfranco Costamagna for the patch (Closes: #888449)
  * Bump Standards-Version to 4.2.0 (no changes needed)
  * Don't configure default CA bundle with OpenSSL and GnuTLS (Closes: #883174)

 -- Alessandro Ghedini <email address hidden>  Sat, 11 Aug 2018 13:32:28 +0100
Published in artful-updates on 2018-07-11
Published in artful-security on 2018-07-11
curl (7.55.1-1ubuntu2.6) artful-security; urgency=medium

  * SECURITY UPDATE: SMTP send heap buffer overflow
    - debian/patches/CVE-2018-0500.patch: use the upload buffer size for
      scratch buffer malloc in lib/smtp.c.
    - CVE-2018-0500

 -- Marc Deslauriers <email address hidden>  Wed, 04 Jul 2018 10:20:21 -0400
Superseded in bionic-updates on 2018-09-17
Superseded in bionic-security on 2018-09-17
curl (7.58.0-2ubuntu3.2) bionic-security; urgency=medium

  * SECURITY UPDATE: SMTP send heap buffer overflow
    - debian/patches/CVE-2018-0500.patch: use the upload buffer size for
      scratch buffer malloc in lib/smtp.c.
    - CVE-2018-0500

 -- Marc Deslauriers <email address hidden>  Wed, 04 Jul 2018 10:18:17 -0400
Superseded in cosmic-release on 2018-08-28
Deleted in cosmic-proposed on 2018-08-29 (Reason: moved to release)
curl (7.60.0-2ubuntu1) cosmic; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Use an if statement to conditionally disable libssh2 in Ubuntu-only
  * Dropped changes, included in Debian:
    - Build-depend on libssl-dev instead of libssl1.0-dev.
    - Rename libcurl3 to libcurl4, because libcurl exposes an SSL_CTX via
      CURLOPT_SSL_CTX_FUNCTION, and this object changes incompatibly between
      openssl 1.0 and openssl 1.1.
    - debian/patches/03_keep_symbols_compat.patch: drop, since we are no longer
      claiming compatibility.
    - debian/patches/90_gnutls.patch: Retain symbol versioning compatibility
      for non-OpenSSL builds.
  * Dropped changes, included upstream:
    - SECURITY UPDATE: FTP path trickery leads to NIL byte OOB write
      - debian/patches/CVE-2018-1000120.patch: reject path components with
        control codes in lib/ftp.c, add test to tests/*.
      - CVE-2018-1000120
    - SECURITY UPDATE: LDAP NULL pointer dereference
      - debian/patches/CVE-2018-1000121.patch: check ldap_get_attribute_ber()
        results for NULL before using in lib/openldap.c.
      - CVE-2018-1000121
    - SECURITY UPDATE: RTSP RTP buffer over-read
      - debian/patches/CVE-2018-1000122.patch: make sure excess reads don't
        go beyond buffer end in lib/transfer.c.
      - CVE-2018-1000122
    - SECURITY UPDATE: FTP shutdown response buffer overflow
      - debian/patches/CVE-2018-1000300.patch: check data size in
        lib/pingpong.c.
      - CVE-2018-1000303
    - SECURITY UPDATE: RTSP bad headers buffer over-read
      - debian/patches/CVE-2018-1000301.patch: restore buffer pointer when
        bad response-line is parsed in lib/http.c.
      - CVE-2018-1000301

Superseded in cosmic-release on 2018-06-22
Deleted in cosmic-proposed on 2018-06-23 (Reason: moved to release)
curl (7.58.0-2ubuntu4) cosmic; urgency=medium

  * SECURITY UPDATE: FTP shutdown response buffer overflow
    - debian/patches/CVE-2018-1000300.patch: check data size in
      lib/pingpong.c.
    - CVE-2018-1000303
  * SECURITY UPDATE: RTSP bad headers buffer over-read
    - debian/patches/CVE-2018-1000301.patch: restore buffer pointer when
      bad response-line is parsed in lib/http.c.
    - CVE-2018-1000301

 -- Marc Deslauriers <email address hidden>  Wed, 16 May 2018 11:54:05 -0400
Superseded in trusty-updates on 2018-09-17
Superseded in trusty-security on 2018-09-17
curl (7.35.0-1ubuntu2.16) trusty-security; urgency=medium

  * SECURITY UPDATE: RTSP bad headers buffer over-read
    - debian/patches/CVE-2018-1000301.patch: restore buffer pointer when
      bad response-line is parsed in lib/http.c.
    - CVE-2018-1000301

 -- Marc Deslauriers <email address hidden>  Tue, 08 May 2018 14:05:52 -0400
Superseded in bionic-updates on 2018-07-11
Superseded in bionic-security on 2018-07-11
curl (7.58.0-2ubuntu3.1) bionic-security; urgency=medium

  * SECURITY UPDATE: FTP shutdown response buffer overflow
    - debian/patches/CVE-2018-1000300.patch: check data size in
      lib/pingpong.c.
    - CVE-2018-1000303
  * SECURITY UPDATE: RTSP bad headers buffer over-read
    - debian/patches/CVE-2018-1000301.patch: restore buffer pointer when
      bad response-line is parsed in lib/http.c.
    - CVE-2018-1000301

 -- Marc Deslauriers <email address hidden>  Tue, 08 May 2018 13:47:34 -0400
Superseded in artful-updates on 2018-07-11
Superseded in artful-security on 2018-07-11
curl (7.55.1-1ubuntu2.5) artful-security; urgency=medium

  * SECURITY UPDATE: FTP shutdown response buffer overflow
    - debian/patches/CVE-2018-1000300.patch: check data size in
      lib/pingpong.c.
    - CVE-2018-1000303
  * SECURITY UPDATE: RTSP bad headers buffer over-read
    - debian/patches/CVE-2018-1000301.patch: restore buffer pointer when
      bad response-line is parsed in lib/http.c.
    - CVE-2018-1000301

 -- Marc Deslauriers <email address hidden>  Tue, 08 May 2018 13:51:37 -0400
Superseded in xenial-updates on 2018-09-17
Superseded in xenial-security on 2018-09-17
curl (7.47.0-1ubuntu2.8) xenial-security; urgency=medium

  * SECURITY UPDATE: RTSP bad headers buffer over-read
    - debian/patches/CVE-2018-1000301.patch: restore buffer pointer when
      bad response-line is parsed in lib/http.c.
    - CVE-2018-1000301

 -- Marc Deslauriers <email address hidden>  Tue, 08 May 2018 13:52:59 -0400
Superseded in cosmic-release on 2018-05-24
Published in bionic-release on 2018-03-18
Deleted in bionic-proposed (Reason: moved to release)
curl (7.58.0-2ubuntu3) bionic; urgency=medium

  * SECURITY UPDATE: FTP path trickery leads to NIL byte OOB write
    - debian/patches/CVE-2018-1000120.patch: reject path components with
      control codes in lib/ftp.c, add test to tests/*.
    - CVE-2018-1000120
  * SECURITY UPDATE: LDAP NULL pointer dereference
    - debian/patches/CVE-2018-1000121.patch: check ldap_get_attribute_ber()
      results for NULL before using in lib/openldap.c.
    - CVE-2018-1000121
  * SECURITY UPDATE: RTSP RTP buffer over-read
    - debian/patches/CVE-2018-1000122.patch: make sure excess reads don't
      go beyond buffer end in lib/transfer.c.
    - CVE-2018-1000122

 -- Marc Deslauriers <email address hidden>  Thu, 15 Mar 2018 08:20:41 -0400
Superseded in trusty-updates on 2018-05-16
Superseded in trusty-security on 2018-05-16
curl (7.35.0-1ubuntu2.15) trusty-security; urgency=medium

  * SECURITY UPDATE: FTP path trickery leads to NIL byte OOB write
    - debian/patches/CVE-2018-1000120-pre1.patch: avoid using
      curl_easy_unescape() internally in lib/ftp.c.
    - debian/patches/CVE-2018-1000120-pre2.patch: URL decode path for dir
      listing in nocwd mode in lib/ftp.c, add test to tests/*.
    - debian/patches/CVE-2018-1000120-pre3.patch: remove dead code in
      ftp_done in lib/ftp.c.
    - debian/patches/CVE-2018-1000120-pre4.patch: don't clobber the passed
      in error code in lib/ftp.c.
    - debian/patches/CVE-2018-1000120.patch: reject path components with
      control codes in lib/ftp.c, add test to tests/*.
    - CVE-2018-1000120
  * SECURITY UPDATE: LDAP NULL pointer dereference
    - debian/patches/CVE-2018-1000121.patch: check ldap_get_attribute_ber()
      results for NULL before using in lib/openldap.c.
    - CVE-2018-1000121
  * SECURITY UPDATE: RTSP RTP buffer over-read
    - debian/patches/CVE-2018-1000122.patch: make sure excess reads don't
      go beyond buffer end in lib/transfer.c.
    - CVE-2018-1000122

 -- Marc Deslauriers <email address hidden>  Wed, 14 Mar 2018 09:18:48 -0400
Superseded in xenial-updates on 2018-05-16
Superseded in xenial-security on 2018-05-16
curl (7.47.0-1ubuntu2.7) xenial-security; urgency=medium

  * SECURITY UPDATE: FTP path trickery leads to NIL byte OOB write
    - debian/patches/CVE-2018-1000120-pre1.patch: avoid using
      curl_easy_unescape() internally in lib/ftp.c.
    - debian/patches/CVE-2018-1000120-pre2.patch: URL decode path for dir
      listing in nocwd mode in lib/ftp.c, add test to tests/*.
    - debian/patches/CVE-2018-1000120-pre3.patch: remove dead code in
      ftp_done in lib/ftp.c.
    - debian/patches/CVE-2018-1000120-pre4.patch: don't clobber the passed
      in error code in lib/ftp.c.
    - debian/patches/CVE-2018-1000120.patch: reject path components with
      control codes in lib/ftp.c, add test to tests/*.
    - CVE-2018-1000120
  * SECURITY UPDATE: LDAP NULL pointer dereference
    - debian/patches/CVE-2018-1000121.patch: check ldap_get_attribute_ber()
      results for NULL before using in lib/openldap.c.
    - CVE-2018-1000121
  * SECURITY UPDATE: RTSP RTP buffer over-read
    - debian/patches/CVE-2018-1000122.patch: make sure excess reads don't
      go beyond buffer end in lib/transfer.c.
    - CVE-2018-1000122

 -- Marc Deslauriers <email address hidden>  Wed, 14 Mar 2018 09:04:46 -0400
Superseded in artful-updates on 2018-05-16
Superseded in artful-security on 2018-05-16
curl (7.55.1-1ubuntu2.4) artful-security; urgency=medium

  * SECURITY UPDATE: FTP path trickery leads to NIL byte OOB write
    - debian/patches/CVE-2018-1000120-pre.patch: URL decode path for dir
      listing in nocwd mode in lib/ftp.c, add test to tests/*.
    - debian/patches/CVE-2018-1000120.patch: reject path components with
      control codes in lib/ftp.c, add test to tests/*.
    - CVE-2018-1000120
  * SECURITY UPDATE: LDAP NULL pointer dereference
    - debian/patches/CVE-2018-1000121.patch: check ldap_get_attribute_ber()
      results for NULL before using in lib/openldap.c.
    - CVE-2018-1000121
  * SECURITY UPDATE: RTSP RTP buffer over-read
    - debian/patches/CVE-2018-1000122.patch: make sure excess reads don't
      go beyond buffer end in lib/transfer.c.
    - CVE-2018-1000122

 -- Marc Deslauriers <email address hidden>  Wed, 14 Mar 2018 08:47:46 -0400
Superseded in bionic-release on 2018-03-18
Deleted in bionic-proposed on 2018-03-20 (Reason: moved to release)
curl (7.58.0-2ubuntu2) bionic; urgency=medium

  * Build-depend on libssl-dev instead of libssl1.0-dev.
  * Rename libcurl3 to libcurl4, because libcurl exposes an SSL_CTX via
    CURLOPT_SSL_CTX_FUNCTION, and this object changes incompatibly between
    openssl 1.0 and openssl 1.1.
  * debian/patches/03_keep_symbols_compat.patch: drop, since we are no longer
    claiming compatibility.
  * debian/patches/90_gnutls.patch: Retain symbol versioning compatibility for
    non-OpenSSL builds.  Closes: #858398.

 -- Steve Langasek <email address hidden>  Wed, 21 Feb 2018 08:21:31 -0800
Superseded in trusty-updates on 2018-03-15
Superseded in trusty-security on 2018-03-15
curl (7.35.0-1ubuntu2.14) trusty-security; urgency=medium

  * SECURITY UPDATE: leak authentication data
    - debian/patches/CVE-2018-1000007.patch: prevent custom
      authorization headers in redirects in lib/http.c,
      lib/url.c, lib/urldata.h, tests/data/Makefile.in,
      tests/data/test317, tests/data/test318.
    - CVE-2018-1000007

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 29 Jan 2018 17:53:40 -0300
Superseded in artful-updates on 2018-03-15
Superseded in artful-security on 2018-03-15
curl (7.55.1-1ubuntu2.3) artful-security; urgency=medium

  * SECURITY UPDATE: Out of bounds read in code handling HTTP/2
    - debian/patches/CVE-2018-1000005.patch: fix incorrect
      trailer buffer size in lib/http2.c.
    - CVE-2018-1000005
  * SECURITY UPDATE: leak authentication data
    - debian/patches/CVE-2018-1000007.patch: prevent custom
      authorization headers in redirects in lib/http.c,
      lib/url.c, lib/urldata.h, tests/data/Makefile.in,
      tests/data/test317, tests/data/test318.
    - CVE-2018-1000007
  * Removing test that fails to check manpage after CVE-2018-1000007.

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 29 Jan 2018 16:54:19 -0300
Superseded in xenial-updates on 2018-03-15
Superseded in xenial-security on 2018-03-15
curl (7.47.0-1ubuntu2.6) xenial-security; urgency=medium

  * SECURITY UPDATE: Out of bounds read in code handling HTTP/2
    - debian/patches/CVE-2018-1000005.patch: fix incorrect
      trailer buffer size in lib/http2.c.
    - CVE-2018-1000005
  * SECURITY UPDATE: leak authentication data
    - debian/patches/CVE-2018-1000007.patch: prevent custom
      authorization headers in redirects in lib/http.c,
      lib/url.c, lib/urldata.h, tests/data/Makefile.in,
      tests/data/test317, tests/data/test318.
    - CVE-2018-1000007

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 29 Jan 2018 16:06:08 -0300
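Added example, not curl's code and not from this page: a small client-side model of the rule behind the CVE-2018-1000007 entries above, where a custom Authorization header supplied by the caller is not forwarded when a redirect leads to a different host. The trust_all switch plays the role of curl's --location-trusted (CURLOPT_UNRESTRICTED_AUTH) override. Two choices are this example's own and stricter than what the entries describe: a change of scheme or port is treated as a different host, and Cookie is dropped alongside Authorization. The server table and the token value are constructed; nothing here touches the network.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Headers that must not follow a redirect to another host.
CREDENTIAL_HEADERS = ("authorization", "cookie")
DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def _origin(url: str) -> Tuple[str, str, Optional[int]]:
    """(scheme, host, port) with default ports filled in, so a.example == a.example:443."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def headers_for_redirect(from_url: str, to_url: str, headers: Dict[str, str],
                         trust_all: bool = False) -> Dict[str, str]:
    """Headers to send to to_url after being redirected there from from_url."""
    if trust_all or _origin(from_url) == _origin(to_url):
        return dict(headers)
    # Cross-host hop: strip credentials, keep everything else.
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


# Constructed responses standing in for a network: url -> (status, Location).
# The API host first redirects within itself, then bounces the client to a
# different host over plain HTTP.
CONSTRUCTED_SERVER: Dict[str, Tuple[int, Optional[str]]] = {
    "https://api.example.com/v1/report": (302, "/v2/report"),
    "https://api.example.com/v2/report": (307, "http://mirror.example.net/report"),
    "http://mirror.example.net/report": (200, None),
}


def follow(url: str, headers: Dict[str, str],
           server: Dict[str, Tuple[int, Optional[str]]],
           max_redirects: int = 5, trust_all: bool = False
           ) -> List[Tuple[str, Dict[str, str]]]:
    """Walk a redirect chain, returning each (url, headers actually sent) hop."""
    hops: List[Tuple[str, Dict[str, str]]] = []
    for _ in range(max_redirects + 1):
        hops.append((url, dict(headers)))
        status, location = server.get(url, (200, None))
        if status not in REDIRECT_STATUSES or not location:
            return hops
        target = urljoin(url, location)  # Location may be relative
        headers = headers_for_redirect(url, target, headers, trust_all)
        url = target
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    start = {"Authorization": "Bearer constructed-token", "Cookie": "sid=abc",
             "Accept": "*/*"}
    for hop_url, sent in follow("https://api.example.com/v1/report", start,
                                CONSTRUCTED_SERVER):
        print(hop_url, "->", sorted(sent))
```

The first hop stays on api.example.com and keeps the credentials; the second crosses to mirror.example.net and is sent only the Accept header. Running follow() with trust_all=True reproduces the pre-fix behaviour the entries above were closing, where the token leaks to whichever host the first server names.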
Superseded in bionic-release on 2018-03-07
Deleted in bionic-proposed on 2018-03-08 (Reason: moved to release)
curl (7.58.0-2ubuntu1) bionic; urgency=medium

  * Use an if statement to conditionally disable libssh2 in Ubuntu-only

Superseded in bionic-proposed on 2018-01-25
curl (7.58.0-2) unstable; urgency=medium

  * Explicitly enable libssh2 support which got silently disabled in the
    previous update

 -- Alessandro Ghedini <email address hidden>  Wed, 24 Jan 2018 20:27:50 +0000
Superseded in bionic-proposed on 2018-01-25
curl (7.58.0-1ubuntu1) bionic; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop libssh2-1-dev.

Superseded in bionic-release on 2018-02-08
Deleted in bionic-proposed on 2018-02-09 (Reason: moved to release)
curl (7.57.0-1ubuntu1) bionic; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop libssh2-1-dev.

Superseded in bionic-proposed on 2017-12-08
curl (7.55.1-1ubuntu3) bionic; urgency=medium

  * SECURITY UPDATE: NTLM buffer overflow via integer overflow
    - debian/patches/CVE-2017-8816.patch: avoid integer overflow for malloc
      size in lib/curl_ntlm_core.c
    - CVE-2017-8816
  * SECURITY UPDATE: FTP wildcard out of bounds read
    - debian/patches/CVE-2017-8817.patch: fix heap buffer overflow in
      setcharset in lib/curl_fnmatch.c, added tests to
      tests/data/Makefile.inc, tests/data/test1163.
    - CVE-2017-8817

 -- Marc Deslauriers <email address hidden>  Wed, 29 Nov 2017 15:29:49 -0500
Superseded in artful-updates on 2018-01-31
Superseded in artful-security on 2018-01-31
curl (7.55.1-1ubuntu2.2) artful-security; urgency=medium

  * SECURITY UPDATE: NTLM buffer overflow via integer overflow
    - debian/patches/CVE-2017-8816.patch: avoid integer overflow for malloc
      size in lib/curl_ntlm_core.c
    - CVE-2017-8816
  * SECURITY UPDATE: FTP wildcard out of bounds read
    - debian/patches/CVE-2017-8817.patch: fix heap buffer overflow in
      setcharset in lib/curl_fnmatch.c, added tests to
      tests/data/Makefile.inc, tests/data/test1163.
    - CVE-2017-8817

 -- Marc Deslauriers <email address hidden>  Tue, 28 Nov 2017 07:59:20 -0500
Obsolete in zesty-updates on 2018-06-22
Obsolete in zesty-security on 2018-06-22
curl (7.52.1-4ubuntu1.4) zesty-security; urgency=medium

  * SECURITY UPDATE: NTLM buffer overflow via integer overflow
    - debian/patches/CVE-2017-8816.patch: avoid integer overflow for malloc
      size in lib/curl_ntlm_core.c
    - CVE-2017-8816
  * SECURITY UPDATE: FTP wildcard out of bounds read
    - debian/patches/CVE-2017-8817.patch: fix heap buffer overflow in
      setcharset in lib/curl_fnmatch.c, added tests to
      tests/data/Makefile.inc, tests/data/test1163.
    - CVE-2017-8817

 -- Marc Deslauriers <email address hidden>  Tue, 28 Nov 2017 08:02:21 -0500
Superseded in xenial-updates on 2018-01-31
Superseded in xenial-security on 2018-01-31
curl (7.47.0-1ubuntu2.5) xenial-security; urgency=medium

  * SECURITY UPDATE: NTLM buffer overflow via integer overflow
    - debian/patches/CVE-2017-8816.patch: avoid integer overflow for malloc
      size in lib/curl_ntlm_core.c
    - CVE-2017-8816
  * SECURITY UPDATE: FTP wildcard out of bounds read
    - debian/patches/CVE-2017-8817.patch: fix heap buffer overflow in
      setcharset in lib/curl_fnmatch.c, added tests to
      tests/data/Makefile.inc, tests/data/test1163.
    - CVE-2017-8817

 -- Marc Deslauriers <email address hidden>  Tue, 28 Nov 2017 08:03:58 -0500
Superseded in trusty-updates on 2018-01-31
Superseded in trusty-security on 2018-01-31
curl (7.35.0-1ubuntu2.13) trusty-security; urgency=medium

  * SECURITY UPDATE: FTP wildcard out of bounds read
    - debian/patches/CVE-2017-8817.patch: fix heap buffer overflow in
      setcharset in lib/curl_fnmatch.c, added tests to
      tests/data/Makefile.am, tests/data/test1163.
    - CVE-2017-8817

 -- Marc Deslauriers <email address hidden>  Tue, 28 Nov 2017 08:05:35 -0500
Superseded in bionic-release on 2017-12-12
Deleted in bionic-proposed on 2017-12-13 (Reason: moved to release)
Superseded in artful-updates on 2017-11-29
Superseded in artful-security on 2017-11-29
curl (7.55.1-1ubuntu2.1) artful-security; urgency=medium

  * SECURITY UPDATE: IMAP FETCH response out of bounds read
    - debian/patches/CVE-2017-1000257.patch: check size in lib/imap.c.
    - CVE-2017-1000257

 -- Marc Deslauriers <email address hidden>  Fri, 20 Oct 2017 11:06:14 -0400
Superseded in zesty-updates on 2017-11-29
Superseded in zesty-security on 2017-11-29
curl (7.52.1-4ubuntu1.3) zesty-security; urgency=medium

  * SECURITY UPDATE: IMAP FETCH response out of bounds read
    - debian/patches/CVE-2017-1000257.patch: check size in lib/imap.c.
    - CVE-2017-1000257

 -- Marc Deslauriers <email address hidden>  Tue, 17 Oct 2017 13:52:20 -0400
Superseded in xenial-updates on 2017-11-29
Superseded in xenial-security on 2017-11-29
curl (7.47.0-1ubuntu2.4) xenial-security; urgency=medium

  * SECURITY UPDATE: IMAP FETCH response out of bounds read
    - debian/patches/CVE-2017-1000257.patch: check size in lib/imap.c.
    - CVE-2017-1000257

 -- Marc Deslauriers <email address hidden>  Tue, 17 Oct 2017 13:53:46 -0400
Superseded in trusty-updates on 2017-11-29
Superseded in trusty-security on 2017-11-29
curl (7.35.0-1ubuntu2.12) trusty-security; urgency=medium

  * SECURITY UPDATE: IMAP FETCH response out of bounds read
    - debian/patches/CVE-2017-1000257.patch: check size in lib/imap.c.
    - CVE-2017-1000257

 -- Marc Deslauriers <email address hidden>  Tue, 17 Oct 2017 13:54:46 -0400
Superseded in trusty-updates on 2017-10-23
Superseded in trusty-security on 2017-10-23
curl (7.35.0-1ubuntu2.11) trusty-security; urgency=medium

  * SECURITY UPDATE: printf floating point buffer overflow
    - debian/patches/CVE-2016-9586.patch: fix floating point buffer
      overflow issues in lib/mprintf.c, added test to tests/data/test557,
      tests/libtest/lib557.c.
    - CVE-2016-9586
  * SECURITY UPDATE: TFTP sends more than buffer size
    - debian/patches/CVE-2017-1000100.patch: reject file name lengths that
      don't fit in lib/tftp.c.
    - CVE-2017-1000100
  * SECURITY UPDATE: URL globbing out of bounds read
    - debian/patches/CVE-2017-1000101.patch: do not continue parsing after
      a strtoul() overflow range in src/tool_urlglob.c, added test to
      tests/data/Makefile.am, tests/data/test1289.
    - CVE-2017-1000101
  * SECURITY UPDATE: FTP PWD response parser out of bounds read
    - debian/patches/CVE-2017-1000254.patch: zero terminate the entry path
      even on bad input in lib/ftp.c, added test to
      tests/data/Makefile.am, tests/data/test1152.
    - CVE-2017-1000254
  * SECURITY UPDATE: --write-out out of buffer read
    - debian/patches/CVE-2017-7407-1.patch: fix a buffer read overrun in
      src/tool_writeout.c, added test to tests/data/Makefile.am,
      tests/data/test1440, tests/data/test1441.
    - debian/patches/CVE-2017-7407-2.patch: check for end of input in
      src/tool_writeout.c, added test to tests/data/Makefile.am,
      tests/data/test1442.
    - CVE-2017-7407

 -- Marc Deslauriers <email address hidden>  Wed, 04 Oct 2017 09:02:01 -0400
Superseded in xenial-updates on 2017-10-23
Superseded in xenial-security on 2017-10-23
curl (7.47.0-1ubuntu2.3) xenial-security; urgency=medium

  * SECURITY UPDATE: printf floating point buffer overflow
    - debian/patches/CVE-2016-9586.patch: fix floating point buffer
      overflow issues in lib/mprintf.c, added test to tests/data/test557,
      tests/libtest/lib557.c.
    - CVE-2016-9586
  * SECURITY UPDATE: TFTP sends more than buffer size
    - debian/patches/CVE-2017-1000100.patch: reject file name lengths that
      don't fit in lib/tftp.c.
    - CVE-2017-1000100
  * SECURITY UPDATE: URL globbing out of bounds read
    - debian/patches/CVE-2017-1000101.patch: do not continue parsing after
      a strtoul() overflow range in src/tool_urlglob.c, added test to
      tests/data/Makefile.inc, tests/data/test1289.
    - CVE-2017-1000101
  * SECURITY UPDATE: FTP PWD response parser out of bounds read
    - debian/patches/CVE-2017-1000254.patch: zero terminate the entry path
      even on bad input in lib/ftp.c, added test to
      tests/data/Makefile.inc, tests/data/test1152.
    - CVE-2017-1000254
  * SECURITY UPDATE: --write-out out of buffer read
    - debian/patches/CVE-2017-7407-1.patch: fix a buffer read overrun in
      src/tool_writeout.c, added test to tests/data/Makefile.inc,
      tests/data/test1440, tests/data/test1441.
    - debian/patches/CVE-2017-7407-2.patch: check for end of input in
      src/tool_writeout.c, added test to tests/data/Makefile.inc,
      tests/data/test1442.
    - CVE-2017-7407

 -- Marc Deslauriers <email address hidden>  Wed, 04 Oct 2017 08:52:42 -0400
Superseded in zesty-updates on 2017-10-23
Superseded in zesty-security on 2017-10-23
curl (7.52.1-4ubuntu1.2) zesty-security; urgency=medium

  * SECURITY UPDATE: TFTP sends more than buffer size
    - debian/patches/CVE-2017-1000100.patch: reject file name lengths that
      don't fit in lib/tftp.c.
    - CVE-2017-1000100
  * SECURITY UPDATE: URL globbing out of bounds read
    - debian/patches/CVE-2017-1000101.patch: do not continue parsing after
      a strtoul() overflow range in src/tool_urlglob.c, added test to
      tests/data/Makefile.inc, tests/data/test1289.
    - CVE-2017-1000101
  * SECURITY UPDATE: FTP PWD response parser out of bounds read
    - debian/patches/CVE-2017-1000254.patch: zero terminate the entry path
      even on bad input in lib/ftp.c, added test to
      tests/data/Makefile.inc, tests/data/test1152.
    - CVE-2017-1000254
  * SECURITY UPDATE: --write-out out of buffer read
    - debian/patches/CVE-2017-7407-2.patch: check for end of input in
      src/tool_writeout.c, added test to tests/data/Makefile.inc,
      tests/data/test1442.
    - CVE-2017-7407

 -- Marc Deslauriers <email address hidden>  Wed, 04 Oct 2017 08:38:54 -0400
Superseded in bionic-release on 2017-10-28
Published in artful-release on 2017-10-06
Deleted in artful-proposed (Reason: moved to release)
curl (7.55.1-1ubuntu2) artful; urgency=medium

  * SECURITY UPDATE: FTP PWD response parser out of bounds read
    - debian/patches/CVE-2017-1000254.patch: zero terminate the entry path
      even on bad input in lib/ftp.c, added test to
      tests/data/Makefile.inc, tests/data/test1152.
    - CVE-2017-1000254

 -- Marc Deslauriers <email address hidden>  Wed, 04 Oct 2017 08:35:10 -0400
Superseded in artful-release on 2017-10-06
Deleted in artful-proposed on 2017-10-07 (Reason: moved to release)
curl (7.55.1-1ubuntu1) artful; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop libssh2-1-dev, and libnghttp2-dev.
      + Drop libssh2-1-dev from binary package Depends.
      + debian/control: drop --with-nghttp2

Superseded in artful-release on 2017-09-19
Deleted in artful-proposed on 2017-09-20 (Reason: moved to release)
curl (7.55.0-1ubuntu2) artful; urgency=medium

  * debian/patches/0001-http-Don-t-wait-on-CONNECT-when-there-is-no-proxy.patch:
    Cherry-pick from upstream, via Arch: Don't wait for CONNECT. This fixes
    timeouts in network-manager's connectivity checker.

 -- Iain Lane <email address hidden>  Fri, 25 Aug 2017 10:46:14 +0100
Superseded in artful-release on 2017-08-26
Deleted in artful-proposed on 2017-08-27 (Reason: moved to release)
curl (7.55.0-1ubuntu1) artful; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop libssh2-1-dev, and libnghttp2-dev.
      + Drop libssh2-1-dev from binary package Depends.
      + debian/control: drop --with-nghttp2

Superseded in artful-release on 2017-08-23
Deleted in artful-proposed on 2017-08-25 (Reason: moved to release)
curl (7.52.1-5ubuntu1) artful; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop libssh2-1-dev, and libnghttp2-dev.
      + Drop libssh2-1-dev from binary package Depends.
      + debian/control: drop --with-nghttp2

 -- Gianfranco Costamagna <email address hidden>  Sat, 22 Apr 2017 14:54:52 +0200
Superseded in artful-proposed on 2017-04-22
Superseded in zesty-updates on 2017-10-10
Superseded in zesty-security on 2017-10-10
curl (7.52.1-4ubuntu1.1) zesty-security; urgency=medium

  * SECURITY UPDATE: TLS session resumption client cert bypass
    - debian/patches/CVE-2017-7468: Move the sessionid flag to
      ssl_primary_config so that ssl and proxy_ssl will each have
      their own sessionid flag.
    - CVE-2017-7468

 -- Steve Beattie <email address hidden>  Mon, 17 Apr 2017 13:20:57 -0700
Superseded in artful-release on 2017-04-23
Obsolete in zesty-release on 2018-06-22
Deleted in zesty-proposed on 2018-06-22 (Reason: moved to release)
curl (7.52.1-4ubuntu1) zesty; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop libssh2-1-dev, and libnghttp2-dev.
      + Drop libssh2-1-dev from binary package Depends.
      + debian/control: drop --with-nghttp2

 -- Gianfranco Costamagna <email address hidden>  Sun, 09 Apr 2017 13:07:51 +0200
Superseded in zesty-release on 2017-04-10
Deleted in zesty-proposed on 2017-04-11 (Reason: moved to release)
curl (7.52.1-3ubuntu1) zesty; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop libssh2-1-dev, and libnghttp2-dev.
      + Drop libssh2-1-dev from binary package Depends.
      + debian/control: drop --with-nghttp2

 -- Gianfranco Costamagna <email address hidden>  Mon, 27 Feb 2017 17:46:42 +0100
Superseded in zesty-proposed on 2017-02-27
curl (7.51.0-1ubuntu2) zesty; urgency=medium

  * No-change rebuild against libnspr4

 -- Andy Whitcroft <email address hidden>  Fri, 24 Feb 2017 11:12:42 +0000
Superseded in zesty-release on 2017-04-06
Deleted in zesty-proposed on 2017-04-07 (Reason: moved to release)
curl (7.51.0-1ubuntu1) zesty; urgency=medium

  * Merge from Debian. Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop libssh2-1-dev, and libnghttp2-dev.
      + Drop libssh2-1-dev from binary package Depends.
      + debian/control: drop --with-nghttp2

Superseded in zesty-release on 2016-11-17
Deleted in zesty-proposed on 2016-11-18 (Reason: moved to release)
curl (7.50.1-1ubuntu2) zesty; urgency=medium

  * SECURITY UPDATE: Incorrect reuse of client certificates with NSS
    - debian/patches/CVE-2016-7141.patch: refuse previously loaded
      certificate from file in lib/vtls/nss.c.
    - CVE-2016-7141
  * SECURITY UPDATE: curl escape and unescape integer overflows
    - debian/patches/CVE-2016-7167.patch: deny negative string length
      inputs in lib/escape.c.
    - CVE-2016-7167
  * SECURITY UPDATE: cookie injection for other servers
    - debian/patches/CVE-2016-8615.patch: ignore lines that are too long in
      lib/cookie.c.
    - CVE-2016-8615
  * SECURITY UPDATE: case insensitive password comparison
    - debian/patches/CVE-2016-8616.patch: use case sensitive user/password
      comparisons in lib/url.c.
    - CVE-2016-8616
  * SECURITY UPDATE: OOB write via unchecked multiplication
    - debian/patches/CVE-2016-8617.patch: check for integer overflow on
      large input in lib/base64.c.
    - CVE-2016-8617
  * SECURITY UPDATE: double-free in curl_maprintf
    - debian/patches/CVE-2016-8618.patch: detect wrap-around when growing
      allocation in lib/mprintf.c.
    - CVE-2016-8618
  * SECURITY UPDATE: double-free in krb5 code
    - debian/patches/CVE-2016-8619.patch: avoid realloc in lib/security.c.
    - CVE-2016-8619
  * SECURITY UPDATE: glob parser write/read out of bounds
    - debian/patches/CVE-2016-8620.patch: stay within bounds in
      src/tool_urlglob.c.
    - CVE-2016-8620
  * SECURITY UPDATE: curl_getdate read out of bounds
    - debian/patches/CVE-2016-8621.patch: handle cut off numbers better in
      lib/parsedate.c, added tests to tests/data/test517,
      tests/libtest/lib517.c.
    - CVE-2016-8621
  * SECURITY UPDATE: URL unescape heap overflow via integer truncation
    - debian/patches/CVE-2016-8622.patch: avoid integer overflow in
      lib/dict.c, lib/escape.c, update docs/libcurl/curl_easy_unescape.3.
    - CVE-2016-8622
  * SECURITY UPDATE: Use-after-free via shared cookies
    - debian/patches/CVE-2016-8623.patch: hold deep copies of all cookies
      in lib/cookie.c, lib/cookie.h, lib/http.c.
    - CVE-2016-8623
  * SECURITY UPDATE: invalid URL parsing with #
    - debian/patches/CVE-2016-8624.patch: accept # as end of host name in
      lib/url.c.
    - CVE-2016-8624

 -- Marc Deslauriers <email address hidden>  Thu, 03 Nov 2016 14:04:47 -0400
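Several entries in this upload (CVE-2016-7167, CVE-2016-8617, CVE-2016-8618 and CVE-2016-8622) are one bug class: a size derived from input goes negative, wraps in a multiplication, or wraps while an allocation is grown, and the buffer allocated from it is then overrun. The C block below is an added example of the checks those patch descriptions name, written for this page and not taken from curl; the helper names and the exact size formulas are assumptions of this example, not curl's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not curl's code. The helpers below show the three checks
 * named in the changelog: refuse a negative length, refuse a
 * multiplication that would wrap, and refuse an allocation growth that
 * wraps. Names and formulas are this example's own assumptions. */

/* Unsafe form: base64 needs 4 output bytes per 3 input bytes. For
 * insize > SIZE_MAX/4 the product wraps, the result is tiny, and an
 * encoder that trusts it writes far past the buffer it allocated. */
size_t b64_outsize_unchecked(size_t insize)
{
    return insize * 4 / 3 + 4;
}

/* Hardened form: round up to whole 3-byte groups and bound every step so
 * no intermediate can wrap; the +1 is the terminating NUL. */
bool b64_outsize_checked(size_t insize, size_t *out)
{
    size_t groups;

    if (insize > SIZE_MAX - 2)
        return false;
    groups = (insize + 2) / 3;
    if (groups > (SIZE_MAX - 1) / 4)
        return false;
    *out = groups * 4 + 1;
    return true;
}

/* Growing a buffer by doubling: if the new size wraps below the current
 * one, realloc() would shrink the block and later writes overrun it. */
bool grow_alloc_checked(size_t cur, size_t *newalloc)
{
    size_t n = cur * 2;
    if (n < cur)   /* wrap-around detected */
        return false;
    *newalloc = n;
    return true;
}

/* An escape-style API that takes its length as int, with 0 meaning
 * "use strlen()": a negative value must be refused rather than being
 * converted into an enormous size_t. */
bool input_len_checked(const char *s, int length, size_t *out)
{
    if (length < 0)
        return false;
    *out = length ? (size_t)length : strlen(s);
    return true;
}

int main(void)
{
    /* Constructed inputs: an ordinary size, one chosen so that insize * 4
     * wraps to zero, and one too large to encode at all. */
    size_t sizes[] = { 3, SIZE_MAX / 4 + 1, SIZE_MAX - 2 };
    size_t n, i;

    for (i = 0; i < 3; i++) {
        if (b64_outsize_checked(sizes[i], &n))
            printf("insize=%zu unchecked=%zu checked=%zu\n",
                   sizes[i], b64_outsize_unchecked(sizes[i]), n);
        else
            printf("insize=%zu unchecked=%zu checked=refused\n",
                   sizes[i], b64_outsize_unchecked(sizes[i]));
    }
    return 0;
}
```

Running it shows the shape of the bug: for the second constructed size the unchecked formula yields 4 while the checked one yields the real size, and for the third the checked version refuses instead of returning a wrapped value.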
Published in precise-updates on 2016-11-03
Published in precise-security on 2016-11-03
curl (7.22.0-3ubuntu4.17) precise-security; urgency=medium

  * SECURITY UPDATE: Incorrect reuse of client certificates with NSS
    - debian/patches/CVE-2016-7141.patch: refuse previously loaded
      certificate from file in lib/nss.c.
    - CVE-2016-7141
  * SECURITY UPDATE: curl escape and unescape integer overflows
    - debian/patches/CVE-2016-7167.patch: deny negative string length
      inputs in lib/escape.c.
    - CVE-2016-7167
  * SECURITY UPDATE: cookie injection for other servers
    - debian/patches/CVE-2016-8615.patch: ignore lines that are too long in
      lib/cookie.c.
    - CVE-2016-8615
  * SECURITY UPDATE: case insensitive password comparison
    - debian/patches/CVE-2016-8616.patch: use case sensitive user/password
      comparisons in lib/url.c.
    - CVE-2016-8616
  * SECURITY UPDATE: OOB write via unchecked multiplication
    - debian/patches/CVE-2016-8617.patch: check for integer overflow on
      large input in lib/base64.c.
    - CVE-2016-8617
  * SECURITY UPDATE: double-free in curl_maprintf
    - debian/patches/CVE-2016-8618.patch: detect wrap-around when growing
      allocation in lib/mprintf.c.
    - CVE-2016-8618
  * SECURITY UPDATE: double-free in krb5 code
    - debian/patches/CVE-2016-8619.patch: avoid realloc in lib/security.c.
    - CVE-2016-8619
  * SECURITY UPDATE: curl_getdate read out of bounds
    - debian/patches/CVE-2016-8621.patch: handle cut off numbers better in
      lib/parsedate.c, added tests to tests/data/test517,
      tests/libtest/lib517.c.
    - CVE-2016-8621
  * SECURITY UPDATE: URL unescape heap overflow via integer truncation
    - debian/patches/CVE-2016-8622.patch: avoid integer overflow in
      lib/dict.c, lib/escape.c, update docs/libcurl/curl_easy_unescape.3.
    - CVE-2016-8622
  * SECURITY UPDATE: Use-after-free via shared cookies
    - debian/patches/CVE-2016-8623.patch: hold deep copies of all cookies
      in lib/cookie.c, lib/cookie.h, lib/http.c.
    - CVE-2016-8623
  * SECURITY UPDATE: invalid URL parsing with #
    - debian/patches/CVE-2016-8624.patch: accept # as end of host name in
      lib/url.c.
    - CVE-2016-8624

 -- Marc Deslauriers <email address hidden>  Thu, 03 Nov 2016 08:03:52 -0400
Superseded in trusty-updates on 2017-10-10
Superseded in trusty-security on 2017-10-10
curl (7.35.0-1ubuntu2.10) trusty-security; urgency=medium

  * SECURITY UPDATE: Incorrect reuse of client certificates with NSS
    - debian/patches/CVE-2016-7141.patch: refuse previously loaded
      certificate from file in lib/vtls/nss.c.
    - CVE-2016-7141
  * SECURITY UPDATE: curl escape and unescape integer overflows
    - debian/patches/CVE-2016-7167.patch: deny negative string length
      inputs in lib/escape.c.
    - CVE-2016-7167
  * SECURITY UPDATE: cookie injection for other servers
    - debian/patches/CVE-2016-8615.patch: ignore lines that are too long in
      lib/cookie.c.
    - CVE-2016-8615
  * SECURITY UPDATE: case insensitive password comparison
    - debian/patches/CVE-2016-8616.patch: use case sensitive user/password
      comparisons in lib/url.c.
    - CVE-2016-8616
  * SECURITY UPDATE: OOB write via unchecked multiplication
    - debian/patches/CVE-2016-8617.patch: check for integer overflow on
      large input in lib/base64.c.
    - CVE-2016-8617
  * SECURITY UPDATE: double-free in curl_maprintf
    - debian/patches/CVE-2016-8618.patch: detect wrap-around when growing
      allocation in lib/mprintf.c.
    - CVE-2016-8618
  * SECURITY UPDATE: double-free in krb5 code
    - debian/patches/CVE-2016-8619.patch: avoid realloc in lib/security.c.
    - CVE-2016-8619
  * SECURITY UPDATE: glob parser write/read out of bounds
    - debian/patches/CVE-2016-8620.patch: stay within bounds in
      src/tool_urlglob.c.
    - CVE-2016-8620
  * SECURITY UPDATE: curl_getdate read out of bounds
    - debian/patches/CVE-2016-8621.patch: handle cut off numbers better in
      lib/parsedate.c, added tests to tests/data/test517,
      tests/libtest/lib517.c.
    - CVE-2016-8621
  * SECURITY UPDATE: URL unescape heap overflow via integer truncation
    - debian/patches/CVE-2016-8622.patch: avoid integer overflow in
      lib/dict.c, lib/escape.c, update docs/libcurl/curl_easy_unescape.3.
    - CVE-2016-8622
  * SECURITY UPDATE: Use-after-free via shared cookies
    - debian/patches/CVE-2016-8623.patch: hold deep copies of all cookies
      in lib/cookie.c, lib/cookie.h, lib/http.c.
    - CVE-2016-8623
  * SECURITY UPDATE: invalid URL parsing with #
    - debian/patches/CVE-2016-8624.patch: accept # as end of host name in
      lib/url.c.
    - CVE-2016-8624

 -- Marc Deslauriers <email address hidden>  Wed, 02 Nov 2016 15:17:12 -0400
Superseded in xenial-updates on 2017-10-10
Superseded in xenial-security on 2017-10-10
curl (7.47.0-1ubuntu2.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Incorrect reuse of client certificates with NSS
    - debian/patches/CVE-2016-7141.patch: refuse previously loaded
      certificate from file in lib/vtls/nss.c.
    - CVE-2016-7141
  * SECURITY UPDATE: curl escape and unescape integer overflows
    - debian/patches/CVE-2016-7167.patch: deny negative string length
      inputs in lib/escape.c.
    - CVE-2016-7167
  * SECURITY UPDATE: cookie injection for other servers
    - debian/patches/CVE-2016-8615.patch: ignore lines that are too long in
      lib/cookie.c.
    - CVE-2016-8615
  * SECURITY UPDATE: case insensitive password comparison
    - debian/patches/CVE-2016-8616.patch: use case sensitive user/password
      comparisons in lib/url.c.
    - CVE-2016-8616
  * SECURITY UPDATE: OOB write via unchecked multiplication
    - debian/patches/CVE-2016-8617.patch: check for integer overflow on
      large input in lib/base64.c.
    - CVE-2016-8617
  * SECURITY UPDATE: double-free in curl_maprintf
    - debian/patches/CVE-2016-8618.patch: detect wrap-around when growing
      allocation in lib/mprintf.c.
    - CVE-2016-8618
  * SECURITY UPDATE: double-free in krb5 code
    - debian/patches/CVE-2016-8619.patch: avoid realloc in lib/security.c.
    - CVE-2016-8619
  * SECURITY UPDATE: glob parser write/read out of bounds
    - debian/patches/CVE-2016-8620.patch: stay within bounds in
      src/tool_urlglob.c.
    - CVE-2016-8620
  * SECURITY UPDATE: curl_getdate read out of bounds
    - debian/patches/CVE-2016-8621.patch: handle cut off numbers better in
      lib/parsedate.c, added tests to tests/data/test517,
      tests/libtest/lib517.c.
    - CVE-2016-8621
  * SECURITY UPDATE: URL unescape heap overflow via integer truncation
    - debian/patches/CVE-2016-8622.patch: avoid integer overflow in
      lib/dict.c, lib/escape.c, update docs/libcurl/curl_easy_unescape.3.
    - CVE-2016-8622
  * SECURITY UPDATE: Use-after-free via shared cookies
    - debian/patches/CVE-2016-8623.patch: hold deep copies of all cookies
      in lib/cookie.c, lib/cookie.h, lib/http.c.
    - CVE-2016-8623
  * SECURITY UPDATE: invalid URL parsing with #
    - debian/patches/CVE-2016-8624.patch: accept # as end of host name in
      lib/url.c.
    - CVE-2016-8624

 -- Marc Deslauriers <email address hidden>  Wed, 02 Nov 2016 14:24:49 -0400
Obsolete in yakkety-updates on 2018-01-23
Obsolete in yakkety-security on 2018-01-23
curl (7.50.1-1ubuntu1.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: Incorrect reuse of client certificates with NSS
    - debian/patches/CVE-2016-7141.patch: refuse previously loaded
      certificate from file in lib/vtls/nss.c.
    - CVE-2016-7141
  * SECURITY UPDATE: curl escape and unescape integer overflows
    - debian/patches/CVE-2016-7167.patch: deny negative string length
      inputs in lib/escape.c.
    - CVE-2016-7167
  * SECURITY UPDATE: cookie injection for other servers
    - debian/patches/CVE-2016-8615.patch: ignore lines that are too long in
      lib/cookie.c.
    - CVE-2016-8615
  * SECURITY UPDATE: case insensitive password comparison
    - debian/patches/CVE-2016-8616.patch: use case sensitive user/password
      comparisons in lib/url.c.
    - CVE-2016-8616
  * SECURITY UPDATE: OOB write via unchecked multiplication
    - debian/patches/CVE-2016-8617.patch: check for integer overflow on
      large input in lib/base64.c.
    - CVE-2016-8617
  * SECURITY UPDATE: double-free in curl_maprintf
    - debian/patches/CVE-2016-8618.patch: detect wrap-around when growing
      allocation in lib/mprintf.c.
    - CVE-2016-8618
  * SECURITY UPDATE: double-free in krb5 code
    - debian/patches/CVE-2016-8619.patch: avoid realloc in lib/security.c.
    - CVE-2016-8619
  * SECURITY UPDATE: glob parser write/read out of bounds
    - debian/patches/CVE-2016-8620.patch: stay within bounds in
      src/tool_urlglob.c.
    - CVE-2016-8620
  * SECURITY UPDATE: curl_getdate read out of bounds
    - debian/patches/CVE-2016-8621.patch: handle cut off numbers better in
      lib/parsedate.c, added tests to tests/data/test517,
      tests/libtest/lib517.c.
    - CVE-2016-8621
  * SECURITY UPDATE: URL unescape heap overflow via integer truncation
    - debian/patches/CVE-2016-8622.patch: avoid integer overflow in
      lib/dict.c, lib/escape.c, update docs/libcurl/curl_easy_unescape.3.
    - CVE-2016-8622
  * SECURITY UPDATE: Use-after-free via shared cookies
    - debian/patches/CVE-2016-8623.patch: hold deep copies of all cookies
      in lib/cookie.c, lib/cookie.h, lib/http.c.
    - CVE-2016-8623
  * SECURITY UPDATE: invalid URL parsing with #
    - debian/patches/CVE-2016-8624.patch: accept # as end of host name in
      lib/url.c.
    - CVE-2016-8624

 -- Marc Deslauriers <email address hidden>  Wed, 02 Nov 2016 13:45:25 -0400
Superseded in trusty-updates on 2016-11-03
Deleted in trusty-proposed on 2016-11-05 (Reason: moved to -updates)
curl (7.35.0-1ubuntu2.9) trusty; urgency=medium

  [ Joe Afflerbach ]
  * debian/patches/curl-chunk-fix.patch:
    - fix problem with chunked encoded data (LP: #1613698)

 -- Gianfranco Costamagna <email address hidden>  Sun, 28 Aug 2016 21:27:34 +0200
Superseded in precise-updates on 2016-11-03
Superseded in precise-security on 2016-11-03
curl (7.22.0-3ubuntu4.16) precise-security; urgency=medium

  * SECURITY UPDATE: TLS session resumption client cert bypass
    - debian/patches/CVE-2016-5419.patch: switch off SSL session id when
      client cert is used in lib/url.c, lib/urldata.h, lib/sslgen.c.
    - CVE-2016-5419
  * SECURITY UPDATE: re-using connections with wrong client cert
    - debian/patches/CVE-2016-5420.patch: only reuse connections with the
      same client cert in lib/sslgen.c.
    - CVE-2016-5420

 -- Marc Deslauriers <email address hidden>  Fri, 05 Aug 2016 11:27:56 -0400
Superseded in trusty-updates on 2016-09-07
Superseded in trusty-security on 2016-11-03
curl (7.35.0-1ubuntu2.8) trusty-security; urgency=medium

  * SECURITY UPDATE: TLS session resumption client cert bypass
    - debian/patches/CVE-2016-5419.patch: switch off SSL session id when
      client cert is used in lib/url.c, lib/urldata.h, lib/vtls/vtls.c.
    - CVE-2016-5419
  * SECURITY UPDATE: re-using connections with wrong client cert
    - debian/patches/CVE-2016-5420.patch: only reuse connections with the
      same client cert in lib/vtls/vtls.c.
    - CVE-2016-5420
  * SECURITY UPDATE: use of connection struct after free
    - debian/patches/CVE-2016-5421.patch: clear connection pointer for easy
      handles in lib/multi.c.
    - CVE-2016-5421

 -- Marc Deslauriers <email address hidden>  Fri, 05 Aug 2016 11:23:04 -0400
Superseded in xenial-updates on 2016-11-03
Superseded in xenial-security on 2016-11-03
curl (7.47.0-1ubuntu2.1) xenial-security; urgency=medium

  * SECURITY UPDATE: TLS session resumption client cert bypass
    - debian/patches/CVE-2016-5419.patch: switch off SSL session id when
      client cert is used in lib/url.c, lib/urldata.h, lib/vtls/vtls.c.
    - CVE-2016-5419
  * SECURITY UPDATE: re-using connections with wrong client cert
    - debian/patches/CVE-2016-5420.patch: only reuse connections with the
      same client cert in lib/vtls/vtls.c.
    - CVE-2016-5420
  * SECURITY UPDATE: use of connection struct after free
    - debian/patches/CVE-2016-5421.patch: clear connection pointer for easy
      handles in lib/multi.c.
    - CVE-2016-5421

 -- Marc Deslauriers <email address hidden>  Fri, 05 Aug 2016 11:17:47 -0400
Superseded in zesty-release on 2016-11-09
Obsolete in yakkety-release on 2018-01-23
Deleted in yakkety-proposed on 2018-01-23 (Reason: moved to release)
curl (7.50.1-1ubuntu1) yakkety; urgency=medium

  * Merge from Debian. Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop libssh2-1-dev, and libnghttp2-dev.
      + Drop libssh2-1-dev from binary package Depends.
      + debian/control: drop --with-nghttp2
  * Drop libgnutls28-dev change, the rename didn't happen in Debian
  * Re-add stunnel build dependency; we can build-depend from
    universe now.

Superseded in yakkety-release on 2016-08-04
Deleted in yakkety-proposed on 2016-08-05 (Reason: moved to release)
curl (7.47.0-1ubuntu3) yakkety; urgency=medium

  * Build-depend on libgnutls28-dev, not libgnutls-dev, which was never
    added in Debian.

 -- Steve Langasek <email address hidden>  Thu, 14 Jul 2016 17:44:02 -0700
Superseded in trusty-updates on 2016-08-08
Deleted in trusty-proposed on 2016-08-10 (Reason: moved to -updates)
curl (7.35.0-1ubuntu2.7) trusty; urgency=medium

  [ Matthew Hall ]
  * debian/patches/libcurl_broken_pkcs12.patch:
    - fix p12 client certificates (LP: #1556330)

 -- Gianfranco Costamagna <email address hidden>  Sat, 12 Mar 2016 17:22:33 +0100
Superseded in yakkety-release on 2016-07-15
Published in xenial-release on 2016-02-22
Deleted in xenial-proposed (Reason: moved to release)
curl (7.47.0-1ubuntu2) xenial; urgency=medium

  * No-change rebuild for gnutls transition.

 -- Matthias Klose <email address hidden>  Wed, 17 Feb 2016 22:40:53 +0000
Superseded in xenial-release on 2016-02-22
Deleted in xenial-proposed on 2016-02-23 (Reason: moved to release)
curl (7.47.0-1ubuntu1) xenial; urgency=medium

  * Merge from Debian. Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop stunnel4, libssh2-1-dev, and libnghttp2-dev.
      + Drop libssh2-1-dev from binary package Depends.
      + debian/control: drop --with-nghttp2
    - Switch build depends from transitional libgnutls28-dev to
      libgnutls-dev

Superseded in precise-updates on 2016-08-08
Superseded in precise-security on 2016-08-08
curl (7.22.0-3ubuntu4.15) precise-security; urgency=medium

  * SECURITY UPDATE: NTLM credentials not checked for proxy connection
    re-use
    - debian/patches/ntlm-backports.patch: backport misc NTLM fixes.
    - debian/patches/CVE-2014-0015.patch: refreshed.
    - debian/patches/CVE-2014-0138.patch: refreshed.
    - debian/patches/CVE-2014-3143.patch: refreshed.
    - debian/patches/CVE-2016-0755.patch: fix ConnectionExists to compare
      Proxy credentials in lib/url.c.
    - CVE-2016-0755

 -- Marc Deslauriers <email address hidden>  Wed, 27 Jan 2016 08:02:54 -0500