Change log for curl package in Ubuntu

76 to 150 of 242 results
Superseded in trusty-updates on 2016-07-19
Superseded in trusty-security on 2016-08-08
curl (7.35.0-1ubuntu2.6) trusty-security; urgency=medium

  * SECURITY UPDATE: NTLM credentials not-checked for proxy connection
    re-use
    - debian/patches/CVE-2016-0755.patch: fix ConnectionExists to compare
      Proxy credentials in lib/url.c.
    - CVE-2016-0755

 -- Marc Deslauriers <email address hidden>  Tue, 26 Jan 2016 12:10:58 -0500
Obsolete in vivid-updates on 2018-01-18
Obsolete in vivid-security on 2018-01-18
curl (7.38.0-3ubuntu2.3) vivid-security; urgency=medium

  * SECURITY UPDATE: NTLM credentials not-checked for proxy connection
    re-use
    - debian/patches/CVE-2016-0755.patch: fix ConnectionExists to compare
      Proxy credentials in lib/url.c.
    - CVE-2016-0755

 -- Marc Deslauriers <email address hidden>  Tue, 26 Jan 2016 10:02:06 -0500
Obsolete in wily-updates on 2018-01-22
Obsolete in wily-security on 2018-01-22
curl (7.43.0-1ubuntu2.1) wily-security; urgency=medium

  * SECURITY UPDATE: NTLM credentials not-checked for proxy connection
    re-use
    - debian/patches/CVE-2016-0755.patch: fix ConnectionExists to compare
      Proxy credentials in lib/url.c.
    - CVE-2016-0755

 -- Marc Deslauriers <email address hidden>  Tue, 26 Jan 2016 09:50:28 -0500
Superseded in xenial-release on 2016-01-28
Deleted in xenial-proposed on 2016-01-29 (Reason: moved to release)
curl (7.46.0-1ubuntu1) xenial; urgency=medium

  * Merge from Debian. Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop stunnel4, libssh2-1-dev, and libnghttp2-dev.
      + Drop libssh2-1-dev from binary package Depends.
      + debian/control: drop --with-nghttp2
    - Switch build depends from transitional libgnutls28-dev to
      libgnutls-dev

Superseded in xenial-release on 2016-01-22
Deleted in xenial-proposed on 2016-01-24 (Reason: moved to release)
curl (7.45.0-1ubuntu1) xenial; urgency=medium

  * Merge from Debian. Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop stunnel4, libssh2-1-dev, and libnghttp2-dev.
      + Drop libssh2-1-dev from binary package Depends.
      + debian/control: drop --with-nghttp2
    - Switch build depends from transitional libgnutls28-dev to
      libgnutls-dev

Superseded in xenial-release on 2015-11-11
Obsolete in wily-release on 2018-01-22
Deleted in wily-proposed on 2018-01-22 (Reason: moved to release)
curl (7.43.0-1ubuntu2) wily; urgency=medium

  * debian/control:
    - Switch build depends from transitional libgnutls28-dev to libgnutls-dev

 -- Robert Ancell <email address hidden>  Tue, 11 Aug 2015 11:41:50 +1200

Superseded in wily-release on 2015-09-07
Deleted in wily-proposed on 2015-09-08 (Reason: moved to release)
curl (7.43.0-1ubuntu1) wily; urgency=medium

  * Merge from Debian. Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop stunnel4 and libssh2-1-dev.
      + Drop libssh2-1-dev from binary package Depends.

Superseded in wily-proposed on 2015-06-18
curl (7.42.1-3ubuntu1) wily; urgency=low

  * Merge from Debian (LP: #1459685). Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop stunnel4 and libssh2-1-dev.
      + Drop libssh2-1-dev from binary package Depends.
  * Dropped patches:
    - debian/patches/CVE-2015-3143.patch: upstream
    - debian/patches/CVE-2015-3148.patch: upstream
    - debian/patches/CVE-2015-3144.patch: upstream
    - debian/patches/CVE-2015-3153.patch: upstream
    - debian/patches/CVE-2014-8150.patch: upstream
    - debian/patches/CVE-2015-3145.patch: upstream
  * Dropped changes:
    - Add new libcurl3-udeb package.
    - Add new curl-udeb package.
      they seem to be broken since pre-trusty

Superseded in wily-proposed on 2015-06-12
curl (7.42.1-2ubuntu1) wily; urgency=low

  * Merge from Debian (LP: #1459685). Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop stunnel4 and libssh2-1-dev.
      + Drop libssh2-1-dev from binary package Depends.
  * Dropped patches:
    - debian/patches/CVE-2015-3143.patch: upstream
    - debian/patches/CVE-2015-3148.patch: upstream
    - debian/patches/CVE-2015-3144.patch: upstream
    - debian/patches/CVE-2015-3153.patch: upstream
    - debian/patches/CVE-2014-8150.patch: upstream
    - debian/patches/CVE-2015-3145.patch: upstream
  * Dropped the added udeb packages. They were empty since trusty and were
    originally added for LP: #831496, this change is likely not needed any
    more.

Superseded in wily-release on 2015-06-24
Deleted in wily-proposed on 2015-09-05 (Reason: moved to release)
curl (7.38.0-3ubuntu3) wily; urgency=medium

  * SECURITY UPDATE: NTLM connection reuse when unauthenticated
    - debian/patches/CVE-2015-3143.patch: require credentials to match in
      lib/url.c.
    - CVE-2015-3143
  * SECURITY UPDATE: host name out of boundary memory access
    - debian/patches/CVE-2015-3144.patch: check for valid length in
      lib/url.c.
    - CVE-2015-3144
  * SECURITY UPDATE: cookie parser out of boundary memory access
    - debian/patches/CVE-2015-3145.patch: properly handle a single double
      quote in lib/cookie.c.
    - CVE-2015-3145
  * SECURITY UPDATE: negotiate not treated as connection-oriented
    - debian/patches/CVE-2015-3148.patch: close Negotiate connections when
      done in lib/http.c.
    - CVE-2015-3148
  * SECURITY UPDATE: sensitive HTTP server headers disclosure to proxies
    - debian/patches/CVE-2015-3153.patch: make HTTP headers separated in
      docs/libcurl/opts/CURLOPT_HEADEROPT.3, lib/url.c,
      tests/data/test1527, tests/data/test287, tests/libtest/lib1527.c.
    - CVE-2015-3153

 -- Marc Deslauriers <email address hidden>  Tue, 05 May 2015 14:17:51 -0400
Superseded in trusty-updates on 2016-01-27
Superseded in trusty-security on 2016-01-27
curl (7.35.0-1ubuntu2.5) trusty-security; urgency=medium

  * SECURITY UPDATE: NTLM connection reuse when unauthenticated
    - debian/patches/CVE-2015-3143.patch: require credentials to match in
      lib/url.c.
    - CVE-2015-3143
  * SECURITY UPDATE: cookie parser out of boundary memory access
    - debian/patches/CVE-2015-3145.patch: properly handle a single double
      quote in lib/cookie.c.
    - CVE-2015-3145
  * SECURITY UPDATE: negotiate not treated as connection-oriented
    - debian/patches/CVE-2015-3148.patch: don't clear GSSAPI state between
      each exchange and close Negotiate connections when done in
      lib/http.c, lib/http_negotiate.c, lib/http_negotiate_sspi.c.
    - CVE-2015-3148

 -- Marc Deslauriers <email address hidden>  Wed, 29 Apr 2015 14:03:00 -0400
Superseded in precise-updates on 2016-01-27
Superseded in precise-security on 2016-01-27
curl (7.22.0-3ubuntu4.14) precise-security; urgency=medium

  * SECURITY UPDATE: NTLM connection reuse when unauthenticated
    - debian/patches/CVE-2015-3143.patch: require credentials to match in
      lib/url.c.
    - CVE-2015-3143
  * SECURITY UPDATE: negotiate not treated as connection-oriented
    - debian/patches/CVE-2015-3148.patch: don't clear GSSAPI state between
      each exchange and close Negotiate connections when done in
      lib/http.c, lib/http_negotiate.c, lib/http_negotiate_sspi.c.
    - CVE-2015-3148

 -- Marc Deslauriers <email address hidden>  Wed, 29 Apr 2015 14:03:35 -0400
Obsolete in utopic-updates on 2016-11-03
Obsolete in utopic-security on 2016-11-03
curl (7.37.1-1ubuntu3.4) utopic-security; urgency=medium

  * SECURITY UPDATE: NTLM connection reuse when unauthenticated
    - debian/patches/CVE-2015-3143.patch: require credentials to match in
      lib/url.c.
    - CVE-2015-3143
  * SECURITY UPDATE: host name out of boundary memory access
    - debian/patches/CVE-2015-3144.patch: check for valid length in
      lib/url.c.
    - CVE-2015-3144
  * SECURITY UPDATE: cookie parser out of boundary memory access
    - debian/patches/CVE-2015-3145.patch: properly handle a single double
      quote in lib/cookie.c.
    - CVE-2015-3145
  * SECURITY UPDATE: negotiate not treated as connection-oriented
    - debian/patches/CVE-2015-3148.patch: don't clear GSSAPI state between
      each exchange and close Negotiate connections when done in
      lib/http.c, lib/http_negotiate.c, lib/http_negotiate_sspi.c.
    - CVE-2015-3148
  * SECURITY UPDATE: sensitive HTTP server headers disclosure to proxies
    - debian/patches/CVE-2015-3153.patch: make HTTP headers separated in
      docs/libcurl/opts/CURLOPT_HEADEROPT.3, lib/url.c,
      tests/data/test1527, tests/data/test287, tests/libtest/lib1527.c.
    - CVE-2015-3153

 -- Marc Deslauriers <email address hidden>  Wed, 29 Apr 2015 10:23:26 -0400
Superseded in vivid-updates on 2016-01-27
Superseded in vivid-security on 2016-01-27
curl (7.38.0-3ubuntu2.2) vivid-security; urgency=medium

  * SECURITY UPDATE: NTLM connection reuse when unauthenticated
    - debian/patches/CVE-2015-3143.patch: require credentials to match in
      lib/url.c.
    - CVE-2015-3143
  * SECURITY UPDATE: host name out of boundary memory access
    - debian/patches/CVE-2015-3144.patch: check for valid length in
      lib/url.c.
    - CVE-2015-3144
  * SECURITY UPDATE: cookie parser out of boundary memory access
    - debian/patches/CVE-2015-3145.patch: properly handle a single double
      quote in lib/cookie.c.
    - CVE-2015-3145
  * SECURITY UPDATE: negotiate not treated as connection-oriented
    - debian/patches/CVE-2015-3148.patch: close Negotiate connections when
      done in lib/http.c.
    - CVE-2015-3148
  * SECURITY UPDATE: sensitive HTTP server headers disclosure to proxies
    - debian/patches/CVE-2015-3153.patch: make HTTP headers separated in
      docs/libcurl/opts/CURLOPT_HEADEROPT.3, lib/url.c,
      tests/data/test1527, tests/data/test287, tests/libtest/lib1527.c.
    - CVE-2015-3153

 -- Marc Deslauriers <email address hidden>  Wed, 29 Apr 2015 09:09:44 -0400
Superseded in wily-release on 2015-05-05
Obsolete in vivid-release on 2018-01-18
Deleted in vivid-proposed on 2018-01-19 (Reason: moved to release)
curl (7.38.0-3ubuntu2) vivid; urgency=medium

  * SECURITY UPDATE: URL request injection
    - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
      lib/url.c, added test to tests/data/Makefile.am, tests/data/test1529,
      tests/libtest/Makefile.inc, tests/libtest/lib1529.c.
    - CVE-2014-8150
 -- Marc Deslauriers <email address hidden>   Wed, 14 Jan 2015 07:57:00 -0500
Obsolete in lucid-updates on 2016-10-26
Obsolete in lucid-security on 2016-10-26
curl (7.19.7-1ubuntu1.11) lucid-security; urgency=medium

  * SECURITY UPDATE: URL request injection
    - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
      lib/url.c.
    - CVE-2014-8150
 -- Marc Deslauriers <email address hidden>   Wed, 14 Jan 2015 16:46:45 -0500
Superseded in precise-updates on 2015-04-30
Superseded in precise-security on 2015-04-30
curl (7.22.0-3ubuntu4.12) precise-security; urgency=medium

  * SECURITY UPDATE: URL request injection
    - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
      lib/url.c.
    - CVE-2014-8150
 -- Marc Deslauriers <email address hidden>   Wed, 14 Jan 2015 08:51:55 -0500
Superseded in trusty-updates on 2015-04-30
Superseded in trusty-security on 2015-04-30
curl (7.35.0-1ubuntu2.3) trusty-security; urgency=medium

  * SECURITY UPDATE: URL request injection
    - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
      lib/url.c, added test to tests/data/Makefile.am, tests/data/test1529,
      tests/libtest/Makefile.inc, tests/libtest/lib1529.c.
    - CVE-2014-8150
 -- Marc Deslauriers <email address hidden>   Wed, 14 Jan 2015 08:49:32 -0500
Superseded in utopic-updates on 2015-04-30
Superseded in utopic-security on 2015-04-30
curl (7.37.1-1ubuntu3.2) utopic-security; urgency=medium

  * SECURITY UPDATE: URL request injection
    - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
      lib/url.c, added test to tests/data/Makefile.am, tests/data/test1529,
      tests/libtest/Makefile.inc, tests/libtest/lib1529.c.
    - CVE-2014-8150
 -- Marc Deslauriers <email address hidden>   Wed, 14 Jan 2015 08:17:04 -0500
Superseded in vivid-release on 2015-01-15
Deleted in vivid-proposed on 2015-01-16 (Reason: moved to release)
curl (7.38.0-3ubuntu1) vivid; urgency=medium

  * Merge from Debian. Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop stunnel4 and libssh2-1-dev.
      + Drop libssh2-1-dev from binary package Depends.
    - Add new libcurl3-udeb package.
    - Add new curl-udeb package.
  * Dropped patches:
    - debian/patches/09_fix-timeout-in-poll-and-wait.patch: upstream
    - debian/patches/CVE-2014-3613.patch: upstream
    - debian/patches/CVE-2014-3620.patch: upstream

Superseded in precise-updates on 2015-01-15
Superseded in precise-security on 2015-01-15
curl (7.22.0-3ubuntu4.11) precise-security; urgency=medium

  * SECURITY UPDATE: sensitive data disclosure via duphandle read out of
    bounds
    - debian/patches/CVE-2014-3707.patch: properly copy memory area in
      lib/formdata.c, lib/strdup.{c,h}, lib/url.c, lib/urldata.h,
      src/Makefile.inc.
    - CVE-2014-3707
 -- Marc Deslauriers <email address hidden>   Thu, 06 Nov 2014 12:03:12 -0500
Superseded in lucid-updates on 2015-01-15
Superseded in lucid-security on 2015-01-15
curl (7.19.7-1ubuntu1.10) lucid-security; urgency=medium

  * SECURITY UPDATE: sensitive data disclosure via duphandle read out of
    bounds
    - debian/patches/CVE-2014-3707.patch: properly copy memory area in
      lib/formdata.c, lib/strdup.{c,h}, lib/url.c, lib/urldata.h,
      src/Makefile.inc.
    - CVE-2014-3707
 -- Marc Deslauriers <email address hidden>   Thu, 06 Nov 2014 12:08:42 -0500
Superseded in utopic-updates on 2015-01-15
Superseded in utopic-security on 2015-01-15
curl (7.37.1-1ubuntu3.1) utopic-security; urgency=medium

  * SECURITY UPDATE: sensitive data disclosure via duphandle read out of
    bounds
    - debian/patches/CVE-2014-3707.patch: properly copy memory area in
      lib/formdata.c, lib/strdup.{c,h}, lib/url.c, lib/urldata.h,
      src/Makefile.inc, src/tool_setup.h, src/tool_strdup.{c,h}.
    - CVE-2014-3707
 -- Marc Deslauriers <email address hidden>   Thu, 06 Nov 2014 09:06:15 -0500
Superseded in trusty-updates on 2015-01-15
Superseded in trusty-security on 2015-01-15
curl (7.35.0-1ubuntu2.2) trusty-security; urgency=medium

  * SECURITY UPDATE: sensitive data disclosure via duphandle read out of
    bounds
    - debian/patches/CVE-2014-3707.patch: properly copy memory area in
      lib/formdata.c, lib/strdup.{c,h}, lib/url.c, lib/urldata.h,
      src/Makefile.inc, src/tool_setup.h, src/tool_strdup.{c,h}.
    - CVE-2014-3707
 -- Marc Deslauriers <email address hidden>   Thu, 06 Nov 2014 10:53:58 -0500
Superseded in vivid-release on 2014-11-10
Obsolete in utopic-release on 2016-11-03
Deleted in utopic-proposed on 2016-11-03 (Reason: moved to release)
curl (7.37.1-1ubuntu3) utopic; urgency=medium

  * debian/patches/09_fix-timeout-in-poll-and-wait.patch: apply upstream
    commit fixing timeout return value for curl_poll and curl_wait_ms.
    Thanks to Grzegorz Gutowski for finding the patch. (LP: #1375663)
 -- Brian Murray <email address hidden>   Thu, 02 Oct 2014 13:26:57 -0700
Superseded in lucid-updates on 2014-11-10
Superseded in lucid-security on 2014-11-10
curl (7.19.7-1ubuntu1.9) lucid-security; urgency=medium

  * SECURITY UPDATE: incorrect cookie handling via partial literal IP
    addresses
    - debian/patches/CVE-2014-3613.patch: only use full host matches for
      hosts used as IP address in lib/cookie.c, added tests to
      tests/data/test1105, tests/data/test31, tests/data/test8.
    - CVE-2014-3613
  * debian/patches/disable_test519.path: disable test 519 as previous
    security update causes it to hang.
  * debian/patches/versioned: added Curl_* so test suite works during
    build.
 -- Marc Deslauriers <email address hidden>   Fri, 12 Sep 2014 10:01:28 -0400
Superseded in precise-updates on 2014-11-10
Superseded in precise-security on 2014-11-10
curl (7.22.0-3ubuntu4.10) precise-security; urgency=medium

  * SECURITY UPDATE: incorrect cookie handling via partial literal IP
    addresses
    - debian/patches/CVE-2014-3613.patch: only use full host matches for
      hosts used as IP address in lib/cookie.c, added tests to
      tests/data/test1105, tests/data/test31, tests/data/test8.
    - CVE-2014-3613
 -- Marc Deslauriers <email address hidden>   Fri, 12 Sep 2014 08:39:14 -0400
Superseded in utopic-release on 2014-10-03
Deleted in utopic-proposed on 2014-10-04 (Reason: moved to release)
curl (7.37.1-1ubuntu2) utopic; urgency=medium

  * SECURITY UPDATE: incorrect cookie handling via partial literal IP
    addresses
    - debian/patches/CVE-2014-3613.patch: only use full host matches for
      hosts used as IP address in lib/cookie.c, added tests to
      tests/data/test1105, tests/data/test31, tests/data/test8.
    - CVE-2014-3613
  * SECURITY UPDATE: incorrect cookie handling for TLDs
    - debian/patches/CVE-2014-3620.patch: reject incoming cookies set for
      TLDs in lib/cookie.c, added test to tests/data/test61.
    - CVE-2014-3620
 -- Marc Deslauriers <email address hidden>   Thu, 11 Sep 2014 08:15:47 -0400
Superseded in trusty-updates on 2014-11-10
Superseded in trusty-security on 2014-11-10
curl (7.35.0-1ubuntu2.1) trusty-security; urgency=medium

  * SECURITY UPDATE: incorrect cookie handling via partial literal IP
    addresses
    - debian/patches/CVE-2014-3613.patch: only use full host matches for
      hosts used as IP address in lib/cookie.c, added tests to
      tests/data/test1105, tests/data/test31, tests/data/test8.
    - CVE-2014-3613
  * SECURITY UPDATE: incorrect cookie handling for TLDs
    - debian/patches/CVE-2014-3620.patch: reject incoming cookies set for
      TLDs in lib/cookie.c, added test to tests/data/test61.
    - CVE-2014-3620
 -- Marc Deslauriers <email address hidden>   Thu, 11 Sep 2014 08:21:24 -0400
Superseded in utopic-release on 2014-09-11
Deleted in utopic-proposed on 2014-09-12 (Reason: moved to release)
curl (7.37.1-1ubuntu1) utopic; urgency=low

  * Merge from Debian unstable (LP: #1348564). Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop stunnel4 and libssh2-1-dev.
      + Drop libssh2-1-dev from binary package Depends.
    - Add new libcurl3-udeb package.
    - Add new curl-udeb package.

Superseded in utopic-proposed on 2014-07-25
curl (7.37.0-1ubuntu1) utopic; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop stunnel4 and libssh2-1-dev.
      + Drop libssh2-1-dev from binary package Depends.
    - Add new libcurl3-udeb package.
    - Add new curl-udeb package.

Superseded in utopic-proposed on 2014-07-11
curl (7.36.0-2ubuntu2) utopic; urgency=medium

  * Rebuild against libgnutls-deb0-28.
 -- Colin Watson <email address hidden>   Fri, 06 Jun 2014 15:24:02 +0100

Superseded in utopic-release on 2014-07-29
Deleted in utopic-proposed on 2014-07-30 (Reason: moved to release)
curl (7.36.0-2ubuntu1) utopic; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop stunnel4 and libssh2-1-dev.
      + Drop libssh2-1-dev from binary package Depends.
    - Add new libcurl3-udeb package.
    - Add new curl-udeb package.

Superseded in utopic-proposed on 2014-04-30
curl (7.35.0-1ubuntu3) utopic; urgency=high

  * No change rebuild against librtmp1.
 -- Dimitri John Ledkov <email address hidden>   Sat, 26 Apr 2014 20:53:06 +0100

Obsolete in quantal-updates on 2015-04-24
Obsolete in quantal-security on 2015-04-24
curl (7.27.0-1ubuntu1.9) quantal-security; urgency=medium

  * SECURITY UPDATE: wrong re-use of connections
    - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
      HTTP logic, and extend new connection logic to other protocols in
      lib/http.c, lib/url.c, lib/urldata.h, add new tests to
      tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
    - CVE-2014-0138
  * SECURITY UPDATE: incorrect wildcard SSL certificate validation with
    literal IP addresses
    - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
      lib/ssluse.c.
    - CVE-2014-0139
  * debian/patches/fix_test172.path: fix expired cookie causing test to
    fail.
  * debian/patches/disable_test519.path: disable test 519 as security
    update causes it to hang. Fixing this would require backporting new
    logic into tests/server/sws.c.
 -- Marc Deslauriers <email address hidden>   Tue, 01 Apr 2014 09:59:44 -0400
Superseded in lucid-updates on 2014-09-15
Superseded in lucid-security on 2014-09-15
curl (7.19.7-1ubuntu1.7) lucid-security; urgency=medium

  * SECURITY UPDATE: wrong re-use of connections
    - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
      HTTP logic, and extend new connection logic to other protocols in
      lib/http.c, lib/url.c, lib/urldata.h, add new tests to
      tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
    - CVE-2014-0138
  * SECURITY UPDATE: incorrect wildcard SSL certificate validation with
    literal IP addresses
    - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
      lib/ssluse.c.
    - CVE-2014-0139
  * debian/patches/fix_test172.path: fix expired cookie causing test to
    fail.
  * debian/patches/disable_test519.path: disable test 519 as security
    update causes it to hang. Fixing this would require backporting new
    logic into tests/server/sws.c.
 -- Marc Deslauriers <email address hidden>   Mon, 14 Apr 2014 09:43:35 -0400
Superseded in precise-updates on 2014-09-15
Superseded in precise-security on 2014-09-15
curl (7.22.0-3ubuntu4.8) precise-security; urgency=medium

  * SECURITY UPDATE: wrong re-use of connections
    - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
      HTTP logic, and extend new connection logic to other protocols in
      lib/http.c, lib/url.c, lib/urldata.h, add new tests to
      tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
    - CVE-2014-0138
  * SECURITY UPDATE: incorrect wildcard SSL certificate validation with
    literal IP addresses
    - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
      lib/ssluse.c.
    - CVE-2014-0139
  * debian/patches/fix_test172.path: fix expired cookie causing test to
    fail.
  * debian/patches/disable_test519.path: disable test 519 as security
    update causes it to hang. Fixing this would require backporting new
    logic into tests/server/sws.c.
 -- Marc Deslauriers <email address hidden>   Tue, 01 Apr 2014 17:02:01 -0400
Obsolete in saucy-updates on 2015-04-24
Obsolete in saucy-security on 2015-04-24
curl (7.32.0-1ubuntu1.4) saucy-security; urgency=medium

  * SECURITY UPDATE: wrong re-use of connections
    - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
      HTTP logic, and extend new connection logic to other protocols in
      lib/http.c, lib/url.c, lib/urldata.h, add new tests to
      tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
    - CVE-2014-0138
  * SECURITY UPDATE: incorrect wildcard SSL certificate validation with
    literal IP addresses
    - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
      lib/hostcheck.c, added tests to tests/data/Makefile.am,
      tests/data/test1397, tests/unit/Makefile.inc, tests/unit/unit1397.c.
    - CVE-2014-0139
  * debian/patches/fix_test172.path: fix expired cookie causing test to
    fail.
 -- Marc Deslauriers <email address hidden>   Tue, 01 Apr 2014 10:16:55 -0400
Superseded in utopic-release on 2014-05-01
Published in trusty-release on 2014-04-01
Deleted in trusty-proposed (Reason: moved to release)
curl (7.35.0-1ubuntu2) trusty; urgency=medium

  * SECURITY UPDATE: wrong re-use of connections
    - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
      HTTP logic, and extend new connection logic to other protocols in
      lib/http.c, lib/url.c, lib/urldata.h, add new tests to
      tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
    - CVE-2014-0138
  * SECURITY UPDATE: incorrect wildcard SSL certificate validation with
    literal IP addresses
    - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
      lib/hostcheck.c, added tests to tests/data/Makefile.am,
      tests/data/test1397, tests/unit/Makefile.inc, tests/unit/unit1397.c.
    - CVE-2014-0139
  * debian/patches/fix_test172.path: fix expired cookie causing test to
    fail.
 -- Marc Deslauriers <email address hidden>   Tue, 01 Apr 2014 09:25:23 -0400
Superseded in quantal-updates on 2014-04-14
Superseded in quantal-security on 2014-04-14
Deleted in quantal-security on 2014-04-16 (Reason: Forcing deletion to allow copying back in)
curl (7.27.0-1ubuntu1.8) quantal-security; urgency=medium

  * SECURITY UPDATE: information disclosure via incorrect NTLM credential
    reuse
    - debian/patches/CVE-2014-0015.patch: don't reuse connections if NTLM
      auth is used in lib/url.c.
    - CVE-2014-0015
 -- Marc Deslauriers <email address hidden>   Fri, 31 Jan 2014 08:33:44 -0500
Superseded in trusty-release on 2014-04-01
Deleted in trusty-proposed on 2014-04-03 (Reason: moved to release)
curl (7.35.0-1ubuntu1) trusty; urgency=medium

  * Resynchronize on Debian, remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop stunnel4 and libssh2-1-dev.
      + Drop libssh2-1-dev from binary package Depends.
    - Add new libcurl3-udeb package.
    - Add new curl-udeb package.

Superseded in saucy-updates on 2014-04-14
Superseded in saucy-security on 2014-04-14
Deleted in saucy-security on 2014-04-16 (Reason: Forcing deletion to allow copying back in)
curl (7.32.0-1ubuntu1.3) saucy-security; urgency=medium

  * SECURITY UPDATE: information disclosure via incorrect NTLM credential
    reuse
    - debian/patches/CVE-2014-0015.patch: don't reuse connections if NTLM
      auth is used in lib/url.c.
    - CVE-2014-0015
 -- Marc Deslauriers <email address hidden>   Fri, 31 Jan 2014 08:29:56 -0500
Superseded in precise-updates on 2014-04-14
Superseded in precise-security on 2014-04-14
Deleted in precise-security on 2014-04-16 (Reason: Forcing deletion to allow copying back in)
curl (7.22.0-3ubuntu4.7) precise-security; urgency=medium

  * SECURITY UPDATE: information disclosure via incorrect NTLM credential
    reuse
    - debian/patches/CVE-2014-0015.patch: don't reuse connections if NTLM
      auth is used in lib/url.c.
    - CVE-2014-0015
 -- Marc Deslauriers <email address hidden>   Fri, 31 Jan 2014 08:35:16 -0500
Superseded in lucid-updates on 2014-04-14
Superseded in lucid-security on 2014-04-14
Deleted in lucid-security on 2014-04-16 (Reason: Forcing deletion to allow copying back in)
curl (7.19.7-1ubuntu1.6) lucid-security; urgency=medium

  * SECURITY UPDATE: information disclosure via incorrect NTLM credential
    reuse
    - debian/patches/CVE-2014-0015.patch: don't reuse connections if NTLM
      auth is used in lib/url.c.
    - CVE-2014-0015
 -- Marc Deslauriers <email address hidden>   Fri, 31 Jan 2014 08:37:13 -0500
Superseded in trusty-release on 2014-01-31
Deleted in trusty-proposed on 2014-02-02 (Reason: moved to release)
curl (7.34.0-1ubuntu1) trusty; urgency=low

  * Resynchronize on Debian, remaining changes
    - Drop dependencies not in main:
      + Build-Depends: Drop stunnel4 and libssh2-1-dev.
      + Drop libssh2-1-dev from binary package Depends.
    - Add new libcurl3-udeb package.
    - Add new curl-udeb package.
  * Dropped undocumented Build-Depends change to automake1.9.

Superseded in quantal-updates on 2014-02-03
Superseded in quantal-security on 2014-02-03
curl (7.27.0-1ubuntu1.7) quantal-security; urgency=low

  * SECURITY UPDATE: missing CN verification when signature verification is
    disabled in GnuTLS backend.
    - debian/patches/CVE-2013-6422.patch: still verify host when
      CURLOPT_SSL_VERIFYPEER isn't set in lib/gtls.c.
    - CVE-2013-6422
 -- Marc Deslauriers <email address hidden>   Tue, 17 Dec 2013 12:49:18 -0500
Obsolete in raring-updates on 2015-04-24
Obsolete in raring-security on 2015-04-24
curl (7.29.0-1ubuntu3.4) raring-security; urgency=low

  * SECURITY UPDATE: missing CN verification when signature verification is
    disabled in GnuTLS backend.
    - debian/patches/CVE-2013-6422.patch: still verify host when
      CURLOPT_SSL_VERIFYPEER isn't set in lib/gtls.c.
    - CVE-2013-6422
 -- Marc Deslauriers <email address hidden>   Tue, 17 Dec 2013 12:47:31 -0500
Superseded in saucy-updates on 2014-02-03
Superseded in saucy-security on 2014-02-03
curl (7.32.0-1ubuntu1.2) saucy-security; urgency=low

  * SECURITY UPDATE: missing CN verification when signature verification is
    disabled in GnuTLS backend.
    - debian/patches/CVE-2013-6422.patch: still verify host when
      CURLOPT_SSL_VERIFYPEER isn't set in lib/gtls.c.
    - CVE-2013-6422
 -- Marc Deslauriers <email address hidden>   Tue, 17 Dec 2013 12:45:52 -0500
Superseded in precise-updates on 2014-02-03
Superseded in precise-security on 2014-02-03
curl (7.22.0-3ubuntu4.6) precise-security; urgency=low

  * SECURITY UPDATE: missing CN verification when signature verification is
    disabled in GnuTLS backend.
    - debian/patches/CVE-2013-6422.patch: still verify host when
      CURLOPT_SSL_VERIFYPEER isn't set in lib/gtls.c.
    - CVE-2013-6422
 -- Marc Deslauriers <email address hidden>   Tue, 17 Dec 2013 12:52:40 -0500
Superseded in precise-updates on 2013-12-18
Superseded in precise-security on 2013-12-18
curl (7.22.0-3ubuntu4.5) precise-security; urgency=low

  * SECURITY REGRESSION: can't disable cert checking in command line tool
    (LP: #1258366)
    - debian/patches/CVE-2013-4545.patch: properly disable host
      verification when insecure mode is used in src/main.c.
    - CVE-2013-4545
 -- Marc Deslauriers <email address hidden>   Fri, 06 Dec 2013 07:50:32 -0500
Superseded in quantal-updates on 2013-12-18
Superseded in quantal-security on 2013-12-18
curl (7.27.0-1ubuntu1.6) quantal-security; urgency=low

  * SECURITY REGRESSION: can't disable cert checking in command line tool
    (LP: #1258366)
    - debian/patches/CVE-2013-4545.patch: properly disable host
      verification when insecure mode is used in src/tool_operate.c.
    - CVE-2013-4545
 -- Marc Deslauriers <email address hidden>   Fri, 06 Dec 2013 07:47:06 -0500
Superseded in lucid-updates on 2014-02-03
Superseded in lucid-security on 2014-02-03
curl (7.19.7-1ubuntu1.5) lucid-security; urgency=low

  * SECURITY REGRESSION: can't disable cert checking in command line tool
    (LP: #1258366)
    - debian/patches/CVE-2013-4545.patch: properly disable host
      verification when insecure mode is used in src/main.c.
    - CVE-2013-4545
 -- Marc Deslauriers <email address hidden>   Fri, 06 Dec 2013 07:52:56 -0500
Superseded in saucy-updates on 2013-12-18
Superseded in saucy-security on 2013-12-18
curl (7.32.0-1ubuntu1.1) saucy-security; urgency=low

  * SECURITY UPDATE: missing CN verification when signature verification is
    disabled.
    - debian/patches/CVE-2013-4545.patch: still verify host when
      CURLOPT_SSL_VERIFYPEER isn't set in lib/ssluse.c.
    - CVE-2013-4545
 -- Marc Deslauriers <email address hidden>   Fri, 29 Nov 2013 08:28:32 -0500
Superseded in quantal-updates on 2013-12-06
Superseded in quantal-security on 2013-12-06
curl (7.27.0-1ubuntu1.5) quantal-security; urgency=low

  * SECURITY UPDATE: missing CN verification when signature verification is
    disabled.
    - debian/patches/CVE-2013-4545.patch: still verify host when
      CURLOPT_SSL_VERIFYPEER isn't set in lib/ssluse.c.
    - CVE-2013-4545
 -- Marc Deslauriers <email address hidden>   Fri, 29 Nov 2013 08:32:41 -0500
Superseded in raring-updates on 2013-12-18
Superseded in raring-security on 2013-12-18
curl (7.29.0-1ubuntu3.3) raring-security; urgency=low

  * SECURITY UPDATE: missing CN verification when signature verification is
    disabled.
    - debian/patches/CVE-2013-4545.patch: still verify host when
      CURLOPT_SSL_VERIFYPEER isn't set in lib/ssluse.c.
    - CVE-2013-4545
 -- Marc Deslauriers <email address hidden>   Fri, 29 Nov 2013 08:31:05 -0500
Superseded in precise-updates on 2013-12-06
Superseded in precise-security on 2013-12-06
curl (7.22.0-3ubuntu4.4) precise-security; urgency=low

  * SECURITY UPDATE: missing CN verification when signature verification is
    disabled.
    - debian/patches/CVE-2013-4545.patch: still verify host when
      CURLOPT_SSL_VERIFYPEER isn't set in lib/ssluse.c.
    - CVE-2013-4545
 -- Marc Deslauriers <email address hidden>   Fri, 29 Nov 2013 08:33:49 -0500
Superseded in lucid-updates on 2013-12-06
Superseded in lucid-security on 2013-12-06
curl (7.19.7-1ubuntu1.4) lucid-security; urgency=low

  * SECURITY UPDATE: missing CN verification when signature verification is
    disabled.
    - debian/patches/CVE-2013-4545.patch: still verify host when
      CURLOPT_SSL_VERIFYPEER isn't set in lib/ssluse.c.
    - CVE-2013-4545
 -- Marc Deslauriers <email address hidden>   Fri, 29 Nov 2013 08:34:48 -0500
Superseded in trusty-release on 2013-12-20
Deleted in trusty-proposed on 2013-12-21 (Reason: moved to release)
curl (7.33.0-1ubuntu1) trusty; urgency=low

  * Resynchronize on Debian, remaining changes
    - Drop dependencies not in main:
      + Build-Depends: Drop stunnel4 and libssh2-1-dev.
      + Drop libssh2-1-dev from binary package Depends.
    - Add new libcurl3-udeb package.
    - Add new curl-udeb package.

Superseded in trusty-release on 2013-11-06
Obsolete in saucy-release on 2015-04-24
Deleted in saucy-proposed on 2015-04-28 (Reason: moved to release)
curl (7.32.0-1ubuntu1) saucy; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop stunnel4 and libssh2-1-dev.
      + Drop libssh2-1-dev from binary package Depends.
    - Add new libcurl3-udeb package.
    - Add new curl-udeb package.
  * Fixes freeipa-client join. (LP: #1220928)

Superseded in precise-updates on 2013-12-05
Deleted in precise-proposed on 2013-12-07 (Reason: moved to -updates)
curl (7.22.0-3ubuntu4.3) precise; urgency=low

  * Reset timecond when clearing session-info variables (LP: #1179781)
    This fixes CURLINFO_CONDITION_UNMET incorrectly reporting "1"
 -- Dave Chiluk <email address hidden>   Fri, 23 Aug 2013 16:05:09 -0700
Superseded in quantal-updates on 2013-12-05
Deleted in quantal-proposed on 2013-12-07 (Reason: moved to -updates)
curl (7.27.0-1ubuntu1.4) quantal; urgency=low

  * Reset timecond when clearing session-info variables (LP: #1179781)
    This fixes CURLINFO_CONDITION_UNMET incorrectly reporting "1"
 -- Dave Chiluk <email address hidden>   Fri, 23 Aug 2013 14:58:40 -0700
Superseded in raring-updates on 2013-12-05
Deleted in raring-proposed on 2013-12-07 (Reason: moved to -updates)
curl (7.29.0-1ubuntu3.2) raring; urgency=low

  * Reset timecond when clearing session-info variables (LP: #1179781)
    This fixes CURLINFO_CONDITION_UNMET incorrectly reporting "1"
 -- Dave Chiluk <email address hidden>   Wed, 21 Aug 2013 13:09:13 -0500
Superseded in saucy-release on 2013-09-05
Deleted in saucy-proposed on 2013-09-06 (Reason: moved to release)
curl (7.31.0-2ubuntu1) saucy; urgency=low

  * Merge from Debian, Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop stunnel4 and libssh2-1-dev.
      + Drop libssh2-1-dev from binary package Depends.
    - Add new libcurl3-udeb package.
    - Add new curl-udeb package.

Superseded in raring-updates on 2013-09-18
Superseded in raring-security on 2013-12-05
curl (7.29.0-1ubuntu3.1) raring-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    heap overflow in URL decoder
    - debian/patches/CVE-2013-2174.patch: fix overflow in lib/escape.c,
      added tests to tests/data/Makefile.am, tests/data/test1396,
      tests/unit/Makefile.inc, tests/unit/unit1396.c.
    - CVE-2013-2174
 -- Marc Deslauriers <email address hidden>   Thu, 27 Jun 2013 10:34:25 -0400
Superseded in quantal-updates on 2013-09-19
Superseded in quantal-security on 2013-12-05
curl (7.27.0-1ubuntu1.3) quantal-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    heap overflow in URL decoder
    - debian/patches/CVE-2013-2174.patch: fix overflow in lib/escape.c,
      added tests to tests/data/Makefile.am, tests/data/test1396,
      tests/unit/Makefile.inc, tests/unit/unit1396.c.
    - CVE-2013-2174
 -- Marc Deslauriers <email address hidden>   Thu, 27 Jun 2013 14:06:10 -0400
Superseded in precise-updates on 2013-09-18
Superseded in precise-security on 2013-12-05
curl (7.22.0-3ubuntu4.2) precise-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    heap overflow in URL decoder
    - debian/patches/CVE-2013-2174.patch: fix overflow in lib/escape.c,
      added tests to tests/data/Makefile.am, tests/data/test1396,
      tests/unit/Makefile.inc, tests/unit/unit1396.c.
    - CVE-2013-2174
 -- Marc Deslauriers <email address hidden>   Thu, 27 Jun 2013 14:08:46 -0400
Superseded in lucid-updates on 2013-12-05
Superseded in lucid-security on 2013-12-05
curl (7.19.7-1ubuntu1.3) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    heap overflow in URL decoder
    - debian/patches/CVE-2013-2174.patch: fix overflow in lib/escape.c.
    - CVE-2013-2174
 -- Marc Deslauriers <email address hidden>   Thu, 27 Jun 2013 14:13:20 -0400
Superseded in saucy-release on 2013-07-25
Deleted in saucy-proposed on 2013-07-26 (Reason: moved to release)
curl (7.31.0-1ubuntu1) saucy; urgency=low

  * Resynchronize on Debian. Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop stunnel4 and libssh2-1-dev.
      + Drop libssh2-1-dev from binary package Depends.
    - Add new libcurl3-udeb package.
    - Add new curl-udeb package.

Superseded in saucy-release on 2013-06-24
Deleted in saucy-proposed on 2013-06-25 (Reason: moved to release)
curl (7.30.0-1ubuntu1) saucy; urgency=low

  * Resynchronize on Debian. Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop stunnel4 and libssh2-1-dev.
      + Drop libssh2-1-dev from binary package Depends.
    - Add new libcurl3-udeb package.
    - Add new curl-udeb package.
  * Add warning to debian/patches/series.

Superseded in saucy-release on 2013-05-08
Obsolete in raring-release on 2015-04-24
Deleted in raring-proposed on 2015-04-27 (Reason: moved to release)
curl (7.29.0-1ubuntu3) raring; urgency=low

  * SECURITY UPDATE: Incorrect cookie domain handling in tailmatch()
    - debian/patches/09_curl-tailmatch.patch: enforce strict subdomain match
      when sending cookies. Patch from YAMADA Yasuharu.
    - http://curl.haxx.se/curl-tailmatch.patch
    - CVE-2013-1944
 -- Seth Arnold <email address hidden>   Wed, 10 Apr 2013 15:16:17 -0700
Obsolete in hardy-updates on 2015-04-24
Obsolete in hardy-security on 2015-04-24
curl (7.18.0-1ubuntu2.4) hardy-security; urgency=low

  * SECURITY UPDATE: Incorrect cookie domain handling in tailmatch()
    - debian/patches/curl-tailmatch.patch: enforce strict subdomain match
      when sending cookies. Patch from YAMADA Yasuharu.
    - http://curl.haxx.se/curl-tailmatch.patch
    - CVE-2013-1944
 -- Seth Arnold <email address hidden>   Thu, 11 Apr 2013 14:11:37 -0700
Superseded in lucid-updates on 2013-07-02
Superseded in lucid-security on 2013-07-02
curl (7.19.7-1ubuntu1.2) lucid-security; urgency=low

  * SECURITY UPDATE: Incorrect cookie domain handling in tailmatch()
    - debian/patches/curl-tailmatch.patch: enforce strict subdomain match
      when sending cookies. Patch from YAMADA Yasuharu.
    - http://curl.haxx.se/curl-tailmatch.patch
    - CVE-2013-1944
 -- Seth Arnold <email address hidden>   Thu, 11 Apr 2013 14:08:02 -0700
Obsolete in oneiric-updates on 2015-04-24
Obsolete in oneiric-security on 2015-04-24
curl (7.21.6-3ubuntu3.3) oneiric-security; urgency=low

  * SECURITY UPDATE: Incorrect cookie domain handling in tailmatch()
    - debian/patches/curl-tailmatch.patch: enforce strict subdomain match
      when sending cookies. Patch from YAMADA Yasuharu.
    - http://curl.haxx.se/curl-tailmatch.patch
    - CVE-2013-1944
 -- Seth Arnold <email address hidden>   Thu, 11 Apr 2013 13:55:41 -0700
Superseded in precise-updates on 2013-07-02
Superseded in precise-security on 2013-07-02
curl (7.22.0-3ubuntu4.1) precise-security; urgency=low

  * SECURITY UPDATE: Incorrect cookie domain handling in tailmatch()
    - debian/patches/curl-tailmatch.patch: enforce strict subdomain match
      when sending cookies. Patch from YAMADA Yasuharu.
    - http://curl.haxx.se/curl-tailmatch.patch
    - CVE-2013-1944
 -- Seth Arnold <email address hidden>   Thu, 11 Apr 2013 13:40:46 -0700
Superseded in quantal-updates on 2013-07-02
Superseded in quantal-security on 2013-07-02
curl (7.27.0-1ubuntu1.2) quantal-security; urgency=low

  * SECURITY UPDATE: Incorrect cookie domain handling in tailmatch()
    - debian/patches/05_curl-tailmatch.patch: enforce strict subdomain match
      when sending cookies. Patch from YAMADA Yasuharu.
    - http://curl.haxx.se/curl-tailmatch.patch
    - CVE-2013-1944
 -- Seth Arnold <email address hidden>   Wed, 10 Apr 2013 16:08:21 -0700