Change logs for curl source package in Focal

  • curl (7.68.0-1ubuntu2.22) focal-security; urgency=medium
    
      * SECURITY UPDATE: HTTP/2 push headers memory-leak
        - debian/patches/CVE-2024-2398.patch: push headers better cleanup in
          lib/http2.c.
        - CVE-2024-2398
    
     -- Marc Deslauriers <email address hidden>  Tue, 19 Mar 2024 09:53:11 -0400
  • curl (7.68.0-1ubuntu2.21) focal-security; urgency=medium
    
      * SECURITY UPDATE: cookie mixed case PSL bypass
        - debian/patches/CVE-2023-46218.patch: lowercase the domain names
          before PSL checks in lib/cookie.c.
        - CVE-2023-46218
    
     -- Marc Deslauriers <email address hidden>  Wed, 29 Nov 2023 14:26:14 -0500
  • curl (7.68.0-1ubuntu2.20) focal-security; urgency=medium
    
      * SECURITY UPDATE: cookie injection with none file
        - debian/patches/CVE-2023-38546.patch: remove unnecessary struct fields
          in lib/cookie.c, lib/cookie.h, lib/easy.c.
        - CVE-2023-38546
    
     -- Marc Deslauriers <email address hidden>  Tue, 03 Oct 2023 13:20:00 -0400
  • curl (7.68.0-1ubuntu2.19) focal-security; urgency=medium
    
      * SECURITY UPDATE: improper certificate validation vulnerability
        - debian/patches/CVE-2023-28321.patch: fix host name wildcard checking
          in lib/hostcheck.c, tests/data/test1397, tests/unit/unit1397.c.
        - CVE-2023-28321
      * SECURITY UPDATE: information disclosure vulnerability
        - debian/patches/CVE-2023-28322.patch: unify the upload/method handling
          in lib/curl_rtmp.c, lib/file.c, lib/ftp.c, lib/http.c, lib/imap.c,
          lib/rtsp.c, lib/setopt.c, lib/smb.c, lib/smtp.c, lib/tftp.c,
          lib/transfer.c, lib/urldata.h, lib/vssh/libssh.c, lib/vssh/libssh2.c.
        - CVE-2023-28322
    
     -- Marc Deslauriers <email address hidden>  Mon, 17 Jul 2023 10:44:42 -0400
  • curl (7.68.0-1ubuntu2.18) focal-security; urgency=medium
    
      * SECURITY UPDATE: TELNET option IAC injection
        - debian/patches/CVE-2023-27533.patch: only accept option arguments in
          ascii in lib/telnet.c.
        - CVE-2023-27533
      * SECURITY UPDATE: SFTP path ~ resolving discrepancy
        - debian/patches/CVE-2023-27534-pre1.patch: do not add '/' if homedir
          ends with one in lib/curl_path.c.
        - debian/patches/CVE-2023-27534.patch: properly handle tilde character
          in lib/curl_path.c.
        - CVE-2023-27534
      * SECURITY UPDATE: FTP too eager connection reuse
        - debian/patches/CVE-2023-27535-pre1.patch: add and use Curl_timestrcmp
          in lib/netrc.c, lib/strcase.c, lib/strcase.h, lib/url.c,
          lib/vauth/digest_sspi.c, lib/vtls/vtls.c.
        - debian/patches/CVE-2023-27535.patch: add more conditions for
          connection reuse in lib/ftp.c, lib/ftp.h, lib/url.c, lib/urldata.h.
        - CVE-2023-27535
      * SECURITY UPDATE: GSS delegation too eager connection re-use
        - debian/patches/CVE-2023-27536.patch: only reuse connections with same
          GSS delegation in lib/url.c, lib/urldata.h.
        - CVE-2023-27536
      * SECURITY UPDATE: SSH connection too eager reuse still
        - debian/patches/CVE-2023-27538.patch: fix the SSH connection reuse
          check in lib/url.c.
        - CVE-2023-27538
    
     -- Marc Deslauriers <email address hidden>  Tue, 14 Mar 2023 13:13:49 -0400
  • curl (7.68.0-1ubuntu2.16) focal-security; urgency=medium
    
      * SECURITY UPDATE: HTTP multi-header compression denial of service
        - debian/patches/CVE-2023-23916.patch: do not reset stage counter for
          each header in lib/content_encoding.c, lib/urldata.h,
          tests/data/Makefile.inc, tests/data/test418.
        - CVE-2023-23916
    
     -- Marc Deslauriers <email address hidden>  Wed, 15 Feb 2023 08:31:00 -0500
  • curl (7.68.0-1ubuntu2.15) focal-security; urgency=medium
    
      * SECURITY UPDATE: HTTP Proxy deny use-after-free
        - debian/patches/CVE-2022-43552.patch: do not free the protocol struct
          in *_done() in lib/smb.c, lib/telnet.c.
        - CVE-2022-43552
    
     -- Marc Deslauriers <email address hidden>  Wed, 04 Jan 2023 12:03:45 -0500
  • curl (7.68.0-1ubuntu2.14) focal-security; urgency=medium
    
      * SECURITY UPDATE: POST following PUT confusion
        - debian/patches/CVE-2022-32221.patch: when POST is set, reset the
          'upload' field in lib/setopt.c.
        - CVE-2022-32221
    
     -- Marc Deslauriers <email address hidden>  Tue, 18 Oct 2022 12:44:11 -0400
  • curl (7.68.0-1ubuntu2.13) focal-security; urgency=medium
    
      * SECURITY UPDATE: when curl sends back cookies with control bytes an
        HTTP(S) server may return a 400 response
        - debian/patches/CVE-2022-35252.patch: adds invalid_octets function
          to lib/cookie.c to reject cookies with control bytes
        - CVE-2022-35252
    
     -- Mark Esler <email address hidden>  Wed, 31 Aug 2022 14:18:34 -0500
  • curl (7.68.0-1ubuntu2.12) focal-security; urgency=medium
    
      * SECURITY UPDATE: HTTP compression denial of service
        - debian/patches/CVE-2022-32206.patch: return error on too many
          compression steps in lib/content_encoding.c.
        - CVE-2022-32206
      * SECURITY UPDATE: FTP-KRB bad msg verification
        - debian/patches/CVE-2022-32208.patch: return error properly
          on decode errors in lib/krb5.c.
        - CVE-2022-32208
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 22 Jun 2022 11:49:28 -0300
  • curl (7.68.0-1ubuntu2.11) focal-security; urgency=medium
    
      * SECURITY UPDATE: CERTINFO never-ending busy-loop
        - debian/patches/CVE-2022-27781.patch: return error if seemingly stuck
          in a cert loop in lib/vtls/nss.c.
        - CVE-2022-27781
      * SECURITY UPDATE: TLS and SSH connection too eager reuse
        - debian/patches/CVE-2022-27782.patch: check more TLS details for
          connection reuse in lib/setopt.c, lib/url.c, lib/urldata.h,
          lib/vtls/gtls.c, lib/vtls/openssl.c, lib/vtls/nss.c, lib/vtls/vtls.c,
          lib/vssh/ssh.h.
        - CVE-2022-27782
    
     -- Marc Deslauriers <email address hidden>  Mon, 09 May 2022 13:42:15 -0400
  • curl (7.68.0-1ubuntu2.10) focal-security; urgency=medium
    
      * SECURITY UPDATE: OAUTH2 bypass
        - debian/patches/CVE-2022-22576.patch: check sasl additional
          parameters for conn reuse in lib/strcase.c, lib/strcase.h,
          lib/url.c, lib/urldata.h, lib/vtls/vtls.c.
        - CVE-2022-22576
      * SECURITY UPDATE: Credential leak on redirect
        - debian/patches/CVE-2022-27774-1.patch: store conn_remote_port
          in the info struct to make it available after the connection ended
          in lib/connect.c, lib/urldata.h.
        - debian/patches/CVE-2022-27774-2.patch: redirects to other protocols
          or ports clear auth in lib/transfer.c.
        - debian/patches/CVE-2022-27774-3*.patch: adds tests to verify
          these fixes in tests/data/Makefile.inc, tests/data/test973,
          tests/data/test974, tests/data/test975, tests/data/test976.
        - CVE-2022-27774
      * SECURITY UPDATE: Bad local IPV6 connection reuse
        - debian/patches/CVE-2022-27775.patch: include the zone id in the
          'bundle' hashkey in lib/conncache.c.
        - CVE-2022-27775
      * SECURITY UPDATE: Auth/cookie leak on redirect
        - debian/patches/CVE-2022-27776.patch: avoid auth/cookie on redirects
          same host diff port in lib/http.c, lib/urldata.h.
        - CVE-2022-27776
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Mon, 25 Apr 2022 10:02:10 -0300
  • curl (7.68.0-1ubuntu2.8) focal; urgency=medium
    
      * Correctly initialize OpenSSL API to ensure that engines are only
        loaded and unloaded once. This prevents use-after-free and
        double-free errors when using OpenSSL engines. LP: #1940528
    
     -- Dimitri John Ledkov <email address hidden>  Fri, 12 Nov 2021 17:24:22 +0000
  • curl (7.68.0-1ubuntu2.7) focal-security; urgency=medium
    
      * SECURITY UPDATE: Protocol downgrade required TLS bypassed
        - debian/patches/CVE-2021-22946-pre1.patch: separate FTPS from FTP over
          HTTPS proxy in lib/ftp.c, lib/urldata.h.
        - debian/patches/CVE-2021-22946.patch: do not ignore --ssl-reqd in
          lib/ftp.c, lib/imap.c, lib/pop3.c, tests/data/Makefile.inc,
          tests/data/test984, tests/data/test985, tests/data/test986.
        - CVE-2021-22946
      * SECURITY UPDATE: STARTTLS protocol injection via MITM
        - debian/patches/CVE-2021-22947.patch: reject STARTTLS server response
          pipelining in lib/ftp.c, lib/imap.c, lib/pop3.c, lib/smtp.c,
          tests/data/Makefile.inc, tests/data/test980, tests/data/test981,
          tests/data/test982, tests/data/test983.
        - CVE-2021-22947
    
     -- Marc Deslauriers <email address hidden>  Fri, 10 Sep 2021 10:28:17 -0400
  • curl (7.68.0-1ubuntu2.6) focal-security; urgency=medium
    
      * SECURITY UPDATE: TELNET stack contents disclosure
        - debian/patches/CVE-2021-22898.patch: check sscanf() for correct
          number of matches in lib/telnet.c.
        - CVE-2021-22898
      * SECURITY UPDATE: Bad connection reuse due to flawed path name checks
        - debian/patches/CVE-2021-22924.patch: fix connection reuse checks for
          issuer cert and case sensitivity in lib/url.c, lib/urldata.h,
          lib/vtls/gtls.c, lib/vtls/nss.c, lib/vtls/openssl.c, lib/vtls/vtls.c.
        - CVE-2021-22924
      * SECURITY UPDATE: TELNET stack contents disclosure again
        - debian/patches/CVE-2021-22925.patch: fix option parser to not send
          uninitialized contents in lib/telnet.c.
        - CVE-2021-22925
    
     -- Marc Deslauriers <email address hidden>  Wed, 21 Jul 2021 08:35:58 -0400
  • curl (7.68.0-1ubuntu2.5) focal-security; urgency=medium
    
      * SECURITY UPDATE: data leak via referer header field
        - debian/patches/CVE-2021-22876.patch: strip credentials from the
          auto-referer header field in lib/transfer.c.
        - CVE-2021-22876
      * SECURITY UPDATE: TLS 1.3 session ticket proxy host mixup
        - debian/patches/CVE-2021-22890.patch: make sure we set and extract the
          correct session in lib/vtls/*.
        - CVE-2021-22890
    
     -- Marc Deslauriers <email address hidden>  Tue, 23 Mar 2021 09:13:04 -0400
  • curl (7.68.0-1ubuntu2.4) focal-security; urgency=medium
    
      * SECURITY UPDATE: FTP redirect to malicious host via PASV response
        - debian/patches/CVE-2020-8284.patch: use CURLOPT_FTP_SKIP_PASV_IP by
          default in lib/url.c, src/tool_cfgable.c, docs/*, tests/data/*.
        - CVE-2020-8284
      * SECURITY UPDATE: FTP wildcard stack buffer overflow in libcurl
        - debian/patches/CVE-2020-8285.patch: make wc_statemach loop instead of
          recurse in lib/ftp.c.
        - CVE-2020-8285
      * SECURITY UPDATE: Inferior OCSP verification
        - debian/patches/CVE-2020-8286.patch: make the OCSP verification verify
          the certificate id in lib/vtls/openssl.c.
        - CVE-2020-8286
    
     -- Marc Deslauriers <email address hidden>  Mon, 30 Nov 2020 10:59:13 -0500
  • curl (7.68.0-1ubuntu2.2) focal-security; urgency=medium
    
      * SECURITY UPDATE: wrong connect-only connection
        - debian/patches/CVE-2020-8231.patch: remember last connection by id,
          not by pointer in lib/connect.c, lib/easy.c, lib/multi.c, lib/url.c,
          lib/urldata.h.
        - CVE-2020-8231
    
     -- Marc Deslauriers <email address hidden>  Thu, 13 Aug 2020 13:34:56 -0400
  • curl (7.68.0-1ubuntu2.1) focal-security; urgency=medium
    
      * SECURITY UPDATE: Partial password leak over DNS on HTTP redirect
        - debian/patches/CVE-2020-8169.patch: make the updated credentials
          URL-encoded in the URL in lib/url.c, tests/data/test1168,
          tests/data/Makefile.inc.
        - CVE-2020-8169
      * SECURITY UPDATE: curl overwrite local file with -J
        - debian/patches/CVE-2020-8177.patch: -i is not OK if -J is used in
          src/tool_cb_hdr.c, src/tool_getparam.c.
        - CVE-2020-8177
    
     -- Marc Deslauriers <email address hidden>  Wed, 17 Jun 2020 09:03:28 -0400
  • curl (7.68.0-1ubuntu2) focal; urgency=medium
    
      * debian/patches/git_tls13_gnutls.patch:
        - Ensure TLS 1.3 works with GnuTLS, thanks Dirkjan Bussink for writing
          the patch and pointing it out on launchpad! (lp: #1872698)
    
     -- Sebastien Bacher <email address hidden>  Wed, 15 Apr 2020 08:27:03 +0200
  • curl (7.68.0-1ubuntu1) focal; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - debian/control, debian/rules: build with libssh instead of libssh2.
    
    curl (7.68.0-1) unstable; urgency=medium
    
      * New upstream release
      * Bump Standards-Version to 4.5.0 (no changes needed)
      * Update symbols files
      * Configure default CA file with OpenSSL again (Closes: #948441)
    
     -- Steve Langasek <email address hidden>  Sun, 23 Feb 2020 12:33:45 -0800
  • curl (7.67.0-2ubuntu1) focal; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - debian/control, debian/rules: build with libssh instead of libssh2.
    
    curl (7.67.0-2) unstable; urgency=medium
    
      * Restore :native annotation for python3 Build-Depends.
        Thanks to Helmut Grohne for the patch (Closes: #945928)
    
    curl (7.67.0-1) unstable; urgency=medium
    
      * New upstream release
      * Replace python with python3 in Build-Depends (Closes: #942984)
      * Bump Standards-Version to 4.4.1 (no changes needed)
    
     -- Steve Langasek <email address hidden>  Thu, 13 Feb 2020 11:01:54 -0800
  • curl (7.66.0-1ubuntu1) focal; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - debian/control, debian/rules: build with libssh instead of libssh2.
      * Dropped changes, included upstream:
        - debian/patches/CVE-2019-5481.patch: update lib/security.c to avoid
          double-free on large memory allocation failures
        - debian/patches/CVE-2019-5482.patch: ensure to use the correct block
          size when calling recvfrom() if the server returns an OACK without
          specifying a block size in lib/tftp.c
    
    curl (7.66.0-1) unstable; urgency=medium
    
      * New upstream release (Closes: #940024)
        + Fix FTP-KRB double-free as per CVE-2019-5481 (Closes: #940009)
          https://curl.haxx.se/docs/CVE-2019-5481.html
        + Fix TFTP small blocksize heap buffer overflow as per CVE-2019-5482
          (Closes: #940010)
          https://curl.haxx.se/docs/CVE-2019-5482.html
      * Refresh patches
      * Enable brotli support (Closes: #940129)
      * Update *.symbols files
    
     -- Steve Langasek <email address hidden>  Tue, 12 Nov 2019 17:05:51 -0800
  • curl (7.65.3-1ubuntu4) focal; urgency=medium
    
      * No-change rebuild against libnettle7
    
     -- Steve Langasek <email address hidden>  Thu, 31 Oct 2019 22:10:02 +0000
  • curl (7.65.3-1ubuntu3) eoan; urgency=medium
    
      * SECURITY UPDATE: double-free when using kerberos over FTP may cause
        denial-of-service
        - debian/patches/CVE-2019-5481.patch: update lib/security.c to avoid
          double-free on large memory allocation failures
        - CVE-2019-5481
      * SECURITY UPDATE: heap buffer overflow when receiving TFTP data may
        cause denial-of-service or remote code-execution
        - debian/patches/CVE-2019-5482.patch: ensure to use the correct block
          size when calling recvfrom() if the server returns an OACK without
          specifying a block size in lib/tftp.c
        - CVE-2019-5482
    
     -- Alex Murray <email address hidden>  Fri, 06 Sep 2019 14:52:01 +0930