-
curl (7.81.0-1ubuntu1.16) jammy-security; urgency=medium
* SECURITY UPDATE: HTTP/2 push headers memory-leak
- debian/patches/CVE-2024-2398.patch: push headers better cleanup in
lib/http2.c.
- CVE-2024-2398
-- Marc Deslauriers <email address hidden> Tue, 19 Mar 2024 08:16:19 -0400
-
curl (7.81.0-1ubuntu1.15) jammy-security; urgency=medium
* SECURITY UPDATE: cookie mixed case PSL bypass
- debian/patches/CVE-2023-46218.patch: lowercase the domain names
before PSL checks in lib/cookie.c.
- CVE-2023-46218
-- Marc Deslauriers <email address hidden> Wed, 29 Nov 2023 14:23:00 -0500
-
curl (7.81.0-1ubuntu1.14) jammy-security; urgency=medium
* SECURITY UPDATE: SOCKS5 heap buffer overflow
- debian/patches/CVE-2023-38545.patch: return error if hostname too
long for remote resolve in lib/socks.c, tests/data/Makefile.inc,
tests/data/test728.
- CVE-2023-38545
* SECURITY UPDATE: cookie injection with none file
- debian/patches/CVE-2023-38546.patch: remove unnecessary struct fields
in lib/cookie.c, lib/cookie.h, lib/easy.c.
- CVE-2023-38546
-- Marc Deslauriers <email address hidden> Tue, 03 Oct 2023 13:15:41 -0400
-
curl (7.81.0-1ubuntu1.13) jammy-security; urgency=medium
* SECURITY REGRESSION: broken ssl cert wildcard handling (LP: #2028170)
- debian/patches/CVE-2023-28321.patch: fix missing line in backport.
-- Marc Deslauriers <email address hidden> Wed, 19 Jul 2023 12:23:36 -0400
-
curl (7.81.0-1ubuntu1.11) jammy-security; urgency=medium
* SECURITY UPDATE: improper certificate validation vulnerability
- debian/patches/CVE-2023-28321.patch: fix host name wildcard checking
in lib/hostcheck.c, tests/data/test1397, tests/unit/unit1397.c.
- CVE-2023-28321
* SECURITY UPDATE: information disclosure vulnerability
- debian/patches/CVE-2023-28322.patch: unify the upload/method handling
in lib/curl_rtmp.c, lib/file.c, lib/ftp.c, lib/http.c, lib/imap.c,
lib/rtsp.c, lib/setopt.c, lib/smb.c, lib/smtp.c, lib/tftp.c,
lib/transfer.c, lib/urldata.h, lib/vssh/libssh.c, lib/vssh/libssh2.c,
lib/vssh/wolfssh.c.
- CVE-2023-28322
-- Marc Deslauriers <email address hidden> Mon, 17 Jul 2023 10:25:41 -0400
-
curl (7.81.0-1ubuntu1.10) jammy-security; urgency=medium
* SECURITY UPDATE: TELNET option IAC injection
- debian/patches/CVE-2023-27533.patch: only accept option arguments in
ascii in lib/telnet.c.
- CVE-2023-27533
* SECURITY UPDATE: SFTP path ~ resolving discrepancy
- debian/patches/CVE-2023-27534-pre1.patch: do not add '/' if homedir
ends with one in lib/curl_path.c.
- debian/patches/CVE-2023-27534.patch: create the new path with dynbuf
in lib/curl_path.c.
- CVE-2023-27534
* SECURITY UPDATE: FTP too eager connection reuse
- debian/patches/CVE-2023-27535-pre1.patch: add and use Curl_timestrcmp
in lib/netrc.c, lib/strcase.c, lib/strcase.h, lib/url.c,
lib/vauth/digest_sspi.c, lib/vtls/vtls.c.
- debian/patches/CVE-2023-27535.patch: add more conditions for
connection reuse in lib/ftp.c, lib/ftp.h, lib/url.c, lib/urldata.h.
- CVE-2023-27535
* SECURITY UPDATE: GSS delegation too eager connection re-use
- debian/patches/CVE-2023-27536.patch: only reuse connections with same
GSS delegation in lib/url.c, lib/urldata.h.
- CVE-2023-27536
* SECURITY UPDATE: SSH connection too eager reuse still
- debian/patches/CVE-2023-27538.patch: fix the SSH connection reuse
check in lib/url.c.
- CVE-2023-27538
-- Marc Deslauriers <email address hidden> Tue, 14 Mar 2023 12:37:02 -0400
-
curl (7.81.0-1ubuntu1.8) jammy-security; urgency=medium
* SECURITY UPDATE: multiple HSTS issues
- debian/patches/CVE-2023-23914_5-1.patch: add sharing of HSTS cache
among handles in docs/libcurl/opts/CURLSHOPT_SHARE.3,
docs/libcurl/symbols-in-versions, include/curl/curl.h, lib/hsts.c,
lib/hsts.h, lib/setopt.c, lib/share.c, lib/share.h, lib/transfer.c,
lib/url.c, lib/urldata.h.
- debian/patches/CVE-2023-23914_5-2.patch: share HSTS between handles
in src/tool_operate.c.
- debian/patches/CVE-2023-23914_5-3.patch: handle adding the same host
name again in lib/hsts.c.
- debian/patches/CVE-2023-23914_5-4.patch: support crlf="yes" for
verify/proxy in tests/FILEFORMAT.md, tests/runtests.pl.
- debian/patches/CVE-2023-23914_5-5.patch: verify hsts with two URLs in
tests/data/Makefile.inc, tests/data/test446.
- CVE-2023-23914
- CVE-2023-23915
* SECURITY UPDATE: HTTP multi-header compression denial of service
- debian/patches/CVE-2023-23916-pre1.patch: do CRLF replacements in
tests/FILEFORMAT.md, tests/data/test1, tests/runtests.pl.
- debian/patches/CVE-2023-23916.patch: do not reset stage counter for
each header in lib/content_encoding.c, lib/urldata.h,
tests/data/Makefile.inc, tests/data/test418.
- CVE-2023-23916
-- Marc Deslauriers <email address hidden> Wed, 15 Feb 2023 08:20:05 -0500
-
curl (7.81.0-1ubuntu1.7) jammy-security; urgency=medium
* SECURITY UPDATE: Another HSTS bypass via IDN
- debian/patches/CVE-2022-43551.patch: use the IDN decoded name in HSTS
checks in lib/http.c.
- CVE-2022-43551
* SECURITY UPDATE: HTTP Proxy deny use-after-free
- debian/patches/CVE-2022-43552.patch: do not free the protocol struct
in *_done() in lib/smb.c, lib/telnet.c.
- CVE-2022-43552
-- Marc Deslauriers <email address hidden> Wed, 04 Jan 2023 09:53:07 -0500
-
curl (7.81.0-1ubuntu1.6) jammy-security; urgency=medium
* SECURITY UPDATE: POST following PUT confusion
- debian/patches/CVE-2022-32221.patch: when POST is set, reset the
'upload' field in lib/setopt.c.
- CVE-2022-32221
* SECURITY UPDATE: HTTP proxy double-free
- debian/patches/CVE-2022-42915.patch: restore the protocol pointer on
error in lib/http_proxy.c, lib/url.c.
- CVE-2022-42915
* SECURITY UPDATE: HSTS bypass via IDN
- debian/patches/CVE-2022-42916.patch: use IDN decoded names for HSTS
checks in lib/url.c.
- CVE-2022-42916
-- Marc Deslauriers <email address hidden> Tue, 18 Oct 2022 12:35:33 -0400
-
curl (7.81.0-1ubuntu1.4) jammy-security; urgency=medium
* SECURITY UPDATE: when curl sends back cookies with control bytes a
HTTP(S) server may return a 400 response
- debian/patches/CVE-2022-35252.patch: adds invalid_octets function
to lib/cookie.c to reject cookies with control bytes
- CVE-2022-35252
-- Mark Esler <email address hidden> Wed, 31 Aug 2022 14:18:07 -0500
-
curl (7.81.0-1ubuntu1.3) jammy-security; urgency=medium
* SECURITY UPDATE: Set-cookie denial of service
- debian/patches/CVE-2022-32205.patch: apply limits to cookies
specifications in lib/cookie.c, lib/cookie.h, lib/http.c, lib/urldata.h.
- CVE-2022-32205
* SECURITY UPDATE: HTTP compression denial of service
- debian/patches/CVE-2022-32206.patch: return error on too many
compression steps in lib/content_encoding.c.
- CVE-2022-32206
* SECURITY UPDATE: Unpreserved file permissions
- debian/patches/CVE-2022-32207.patch: add Curl_fopen()
for better overwriting of files in lib/Makefile.inc,
lib/cookie.c, lib/fopen.c, lib/fopen.h.
- CVE-2022-32207
* SECURITY UPDATE: FTP-KRB bad msg verification
- debian/patches/CVE-2022-32208.patch: return error properly
on decode errors in lib/krb5.c.
- CVE-2022-32208
-- Leonidas Da Silva Barbosa <email address hidden> Mon, 20 Jun 2022 15:08:01 -0300
-
curl (7.81.0-1ubuntu1.2) jammy-security; urgency=medium
* SECURITY UPDATE: percent-encoded path separator in URL host
- debian/patches/CVE-2022-27780.patch: reject percent-decoding host
name into separator bytes in lib/urlapi.c.
- CVE-2022-27780
* SECURITY UPDATE: CERTINFO never-ending busy-loop
- debian/patches/CVE-2022-27781.patch: return error if seemingly stuck
in a cert loop in lib/vtls/nss.c.
- CVE-2022-27781
* SECURITY UPDATE: TLS and SSH connection too eager reuse
- debian/patches/CVE-2022-27782.patch: check more TLS details for
connection reuse in lib/setopt.c, lib/url.c, lib/urldata.h,
lib/vtls/gtls.c, lib/vtls/openssl.c, lib/vtls/nss.c, lib/vtls/vtls.c,
lib/vssh/ssh.h.
- CVE-2022-27782
-- Marc Deslauriers <email address hidden> Mon, 09 May 2022 08:34:24 -0400
-
curl (7.81.0-1ubuntu1.1) jammy-security; urgency=medium
* SECURITY UPDATE: OAUTH2 bypass
- debian/patches/CVE-2022-22576.patch: check sasl additional
parameters for conn resuse in lib/strcase.c, lib/strcase.h,
lib/url.c, lib/urldata.h, lib/vtls/vtls.c.
- CVE-2022-22576
* SECURITY UPDATE: Credential leak on redirect
- debian/patches/CVE-2022-27774-1.patch: store conn_remote_port
in the info struct to make it available after the connection ended
in lib/connect.c, lib/urldata.h.
- debian/patches/CVE-2022-27774-2.patch: redirects to other protocols
or ports clear auth in lib/transfer.c.
- debian/patches/CVE-2022-27774-3.patch: adds tests to verify
these fix in tests/data/Makefile.inc, tests/data/test973,
tests/data/test974, tests/data/test975, tests/data/test976.
- CVE-2022-27774
* SECURITY UPDATE: Bad local IPV6 connection reuse
- debian/patches/CVE-2022-27775.patch: include the zone id in the
'bundle' haskey in lib/conncache.c.
- CVE-2022-27775
* SECURITY UPDATE: Auth/cookie leak on redirect
- debian/patches/CVE-2022-27776.patch: avoid auth/cookie on redirects
same host diff port in lib/http.c, lib/urldata.h.
- CVE-2022-27776
-- Leonidas Da Silva Barbosa <email address hidden> Wed, 20 Apr 2022 11:50:18 -0300
-
curl (7.81.0-1) unstable; urgency=medium
* New upstream version 7.81.0
* d/p/13_fix-man-formatting.patch: Refresh patch
-- Samuel Henrique <email address hidden> Wed, 05 Jan 2022 09:31:32 -0300
-
curl (7.80.0-3) unstable; urgency=medium
* Revert "Revert "debian/control: Add Build-Depends on libssh-dev for
Ubuntu".
As per #1002598, the blocker has been solved.
Note that this does not changes Debian's curl to libssh, it still
uses libssh2.
Discussions about changing to libssh are ongoing at #897950
-- Samuel Henrique <email address hidden> Sun, 26 Dec 2021 13:22:18 -0300
-
curl (7.74.0-1.3ubuntu3) jammy; urgency=medium
* No-change rebuild against libssl3
-- Steve Langasek <email address hidden> Wed, 08 Dec 2021 23:29:14 +0000
-
curl (7.74.0-1.3ubuntu2) impish; urgency=medium
* SECURITY UPDATE: UAF and double-free in MQTT sending
- debian/patches/CVE-2021-22945.patch: clear the leftovers pointer when
sending succeeds in lib/mqtt.c.
- CVE-2021-22945
* SECURITY UPDATE: Protocol downgrade required TLS bypassed
- debian/patches/CVE-2021-22946.patch: do not ignore --ssl-reqd in
lib/ftp.c, lib/imap.c, lib/pop3.c, tests/data/Makefile.inc,
tests/data/test984, tests/data/test985, tests/data/test986.
- CVE-2021-22946
* SECURITY UPDATE: STARTTLS protocol injection via MITM
- debian/patches/CVE-2021-22947.patch: reject STARTTLS server response
pipelining in lib/ftp.c, lib/imap.c, lib/pop3.c, lib/smtp.c,
tests/data/Makefile.inc, tests/data/test980, tests/data/test981,
tests/data/test982, tests/data/test983.
- CVE-2021-22947
-- Marc Deslauriers <email address hidden> Wed, 15 Sep 2021 08:05:33 -0400
