Change logs for curl source package in Impish

  • curl (7.74.0-1.3ubuntu2.3) impish-security; urgency=medium
    
      * SECURITY UPDATE: Set-cookie denial of service
        - debian/patches/CVE-2022-32205.patch: apply limits to cookies
          specifications in lib/cookie.c, lib/cookie.h, lib/http.c, lib/urldata.h.
        - CVE-2022-32205
      * SECURITY UPDATE: HTTP compression denial of service
        - debian/patches/CVE-2022-32206.patch: return error on too many
          compression steps in lib/content_encoding.c.
        - CVE-2022-32206
      * SECURITY UPDATE: Unpreserved file permissions
        - debian/patches/CVE-2022-32207.patch: add Curl_fopen()
          for better overwriting of files in lib/Makefile.inc,
          lib/cookie.c, lib/fopen.c, lib/fopen.h.
        - CVE-2022-32207
      * SECURITY UPDATE: FTP-KRB bad msg verification
        - debian/patches/CVE-2022-32208.patch: return error properly
          on decode errors in lib/krb5.c.
        - CVE-2022-32208
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 21 Jun 2022 06:59:50 -0300
  • curl (7.74.0-1.3ubuntu2.2) impish-security; urgency=medium
    
      * SECURITY UPDATE: CERTINFO never-ending busy-loop
        - debian/patches/CVE-2022-27781.patch: return error if seemingly stuck
          in a cert loop in lib/vtls/nss.c.
        - CVE-2022-27781
      * SECURITY UPDATE: TLS and SSH connection too eager reuse
        - debian/patches/CVE-2022-27782.patch: check more TLS details for
          connection reuse in lib/setopt.c, lib/url.c, lib/urldata.h,
          lib/vtls/gtls.c, lib/vtls/openssl.c, lib/vtls/nss.c, lib/vtls/vtls.c,
          lib/vssh/ssh.h.
        - CVE-2022-27782
    
     -- Marc Deslauriers <email address hidden>  Mon, 09 May 2022 13:02:25 -0400
  • curl (7.74.0-1.3ubuntu2.1) impish-security; urgency=medium
    
      * SECURITY UPDATE: OAUTH2 bypass
        - debian/patches/CVE-2022-22576.patch: check sasl additional
          parameters for conn reuse in lib/strcase.c, lib/strcase.h,
          lib/url.c, lib/urldata.h, lib/vtls/vtls.c.
        - CVE-2022-22576
      * SECURITY UPDATE: Credential leak on redirect
        - debian/patches/CVE-2022-27774-1.patch: store conn_remote_port
          in the info struct to make it available after the connection ended
          in lib/connect.c, lib/urldata.h.
        - debian/patches/CVE-2022-27774-2.patch: redirects to other protocols
          or ports clear auth in lib/transfer.c.
        - debian/patches/CVE-2022-27774-3*.patch: adds tests to verify
          these fixes in tests/data/Makefile.inc, tests/data/test973,
          tests/data/test974, tests/data/test975, tests/data/test976.
        - CVE-2022-27774
      * SECURITY UPDATE: Bad local IPV6 connection reuse
        - debian/patches/CVE-2022-27775.patch: include the zone id in the
          'bundle' hashkey in lib/conncache.c.
        - CVE-2022-27775
      * SECURITY UPDATE: Auth/cookie leak on redirect
        - debian/patches/CVE-2022-27776.patch: avoid auth/cookie on redirects
          same host diff port in lib/http.c, lib/urldata.h.
        - CVE-2022-27776
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Thu, 21 Apr 2022 09:19:37 -0300
  • curl (7.74.0-1.3ubuntu2) impish; urgency=medium
    
      * SECURITY UPDATE: UAF and double-free in MQTT sending
        - debian/patches/CVE-2021-22945.patch: clear the leftovers pointer when
          sending succeeds in lib/mqtt.c.
        - CVE-2021-22945
      * SECURITY UPDATE: Protocol downgrade required TLS bypassed
        - debian/patches/CVE-2021-22946.patch: do not ignore --ssl-reqd in
          lib/ftp.c, lib/imap.c, lib/pop3.c, tests/data/Makefile.inc,
          tests/data/test984, tests/data/test985, tests/data/test986.
        - CVE-2021-22946
      * SECURITY UPDATE: STARTTLS protocol injection via MITM
        - debian/patches/CVE-2021-22947.patch: reject STARTTLS server response
          pipelining in lib/ftp.c, lib/imap.c, lib/pop3.c, lib/smtp.c,
          tests/data/Makefile.inc, tests/data/test980, tests/data/test981,
          tests/data/test982, tests/data/test983.
        - CVE-2021-22947
    
     -- Marc Deslauriers <email address hidden>  Wed, 15 Sep 2021 08:05:33 -0400
  • curl (7.74.0-1.3ubuntu1) impish; urgency=low
    
      * Merge from Debian unstable. Remaining changes:
        + SECURITY UPDATE: TELNET stack contents disclosure
          - debian/patches/CVE-2021-22898.patch: check sscanf() for correct
            number of matches in lib/telnet.c.
          - CVE-2021-22898
        + SECURITY UPDATE: Bad connection reuse due to flawed path name checks
          - debian/patches/CVE-2021-22924.patch: fix connection reuse checks for
            issuer cert and case sensitivity in lib/url.c, lib/urldata.h,
            lib/vtls/gtls.c, lib/vtls/nss.c, lib/vtls/openssl.c, lib/vtls/vtls.c.
          - CVE-2021-22924
        + SECURITY UPDATE: TELNET stack contents disclosure again
          - debian/patches/CVE-2021-22925.patch: fix option parser to not send
            uninitialized contents in lib/telnet.c.
          - CVE-2021-22925
        + d/p/openldap-replace-ldap_-prefix-on-private-functions.patch:
          Fix FTBFS with OpenLDAP 2.5.  Patch renamed to reduce likelihood of
          numbering overlap in patches with Debian upstream.
    
    curl (7.74.0-1.3) unstable; urgency=medium
    
      * Non-maintainer upload.
      * Add upstream patch bc7ecc7 so curl -w times shown as seconds with
        fractions (Closes: #989064)
    
     -- Dan Bungert <email address hidden>  Wed, 11 Aug 2021 17:39:44 -0600
  • curl (7.74.0-1.2ubuntu4) impish; urgency=medium
    
      * SECURITY UPDATE: TELNET stack contents disclosure
        - debian/patches/CVE-2021-22898.patch: check sscanf() for correct
          number of matches in lib/telnet.c.
        - CVE-2021-22898
      * SECURITY UPDATE: Bad connection reuse due to flawed path name checks
        - debian/patches/CVE-2021-22924.patch: fix connection reuse checks for
          issuer cert and case sensitivity in lib/url.c, lib/urldata.h,
          lib/vtls/gtls.c, lib/vtls/nss.c, lib/vtls/openssl.c, lib/vtls/vtls.c.
        - CVE-2021-22924
      * SECURITY UPDATE: TELNET stack contents disclosure again
        - debian/patches/CVE-2021-22925.patch: fix option parser to not send
          uninitialized contents in lib/telnet.c.
        - CVE-2021-22925
    
     -- Marc Deslauriers <email address hidden>  Wed, 28 Jul 2021 07:58:02 -0400
  • curl (7.74.0-1.2ubuntu3) impish; urgency=medium
    
      * No-change rebuild due to OpenLDAP soname bump.
    
     -- Sergio Durigan Junior <email address hidden>  Mon, 21 Jun 2021 17:45:58 -0400
  • curl (7.74.0-1.2ubuntu2) impish; urgency=medium
    
      * d/p/16_openldap-replace-ldap_-prefix-on-private-functions.patch:
        Fix FTBFS with OpenLDAP 2.5.
    
     -- Sergio Durigan Junior <email address hidden>  Wed, 19 May 2021 19:13:37 -0400
  • curl (7.74.0-1.2ubuntu1) impish; urgency=medium
    
      * Merge from Debian unstable. Remaining changes:
        - debian/control: build with libssh instead of libssh2
      * Dropped changes:
        - debian/patches/CVE-2021-22876.patch replaced by:
          14_transfer-strip-credentials-from-the-auto-referer-hea.patch
        - debian/patches/CVE-2021-22890.patch replaced by:
          15_vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
    
    curl (7.74.0-1.2) unstable; urgency=medium
    
      * Non-maintainer upload.
      * transfer: strip credentials from the auto-referer header field
        (CVE-2021-22876) (Closes: #986269)
      * vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
        (CVE-2021-22890) (Closes: #986270)
    
    curl (7.74.0-1.1) unstable; urgency=medium
    
      * Non-maintainer upload.
    
      [ Bruno Kleinert ]
      * Fixed "Please build-depend on libidn2-dev instead of obsolete transition
        package libidn2-0-dev" (Closes: #974996)
    
     -- Lukas Märdian <email address hidden>  Mon, 10 May 2021 15:15:26 +0200
  • curl (7.74.0-1ubuntu2) hirsute; urgency=medium
    
      * SECURITY UPDATE: data leak via referer header field
        - debian/patches/CVE-2021-22876.patch: strip credentials from the
          auto-referer header field in lib/transfer.c.
        - CVE-2021-22876
      * SECURITY UPDATE: TLS 1.3 session ticket proxy host mixup
        - debian/patches/CVE-2021-22890.patch: make sure we set and extract the
          correct session in lib/vtls/*.
        - CVE-2021-22890
    
     -- Marc Deslauriers <email address hidden>  Tue, 06 Apr 2021 08:43:24 -0400