-
curl (7.85.0-1ubuntu0.6) kinetic-security; urgency=medium
* SECURITY UPDATE: improper certificate validation vulnerability
- debian/patches/CVE-2023-28321.patch: fix host name wildcard checking
in lib/vtls/hostcheck.c, tests/data/test1397, tests/unit/unit1397.c.
- CVE-2023-28321
* SECURITY UPDATE: information disclosure vulnerability
- debian/patches/CVE-2023-28322.patch: unify the upload/method handling
in lib/curl_rtmp.c, lib/file.c, lib/ftp.c, lib/http.c, lib/imap.c,
lib/rtsp.c, lib/setopt.c, lib/smb.c, lib/smtp.c, lib/tftp.c,
lib/transfer.c, lib/urldata.h, lib/vssh/libssh.c, lib/vssh/libssh2.c,
lib/vssh/wolfssh.c.
- CVE-2023-28322
* SECURITY UPDATE: fopen race condition
- debian/patches/CVE-2023-32001.patch: fix race in lib/fopen.c.
- CVE-2023-32001
-- Marc Deslauriers <email address hidden> Mon, 17 Jul 2023 08:03:23 -0400
-
curl (7.85.0-1ubuntu0.5) kinetic-security; urgency=medium
* SECURITY UPDATE: TELNET option IAC injection
- debian/patches/CVE-2023-27533.patch: only accept option arguments in
ascii in lib/telnet.c.
- CVE-2023-27533
* SECURITY UPDATE: SFTP path ~ resolving discrepancy
- debian/patches/CVE-2023-27534-pre1.patch: do not add '/' if homedir
ends with one in lib/curl_path.c.
- debian/patches/CVE-2023-27534.patch: create the new path with dynbuf
in lib/curl_path.c.
- CVE-2023-27534
* SECURITY UPDATE: FTP too eager connection reuse
- debian/patches/CVE-2023-27535-pre1.patch: add and use Curl_timestrcmp
in lib/netrc.c, lib/strcase.c, lib/strcase.h, lib/url.c,
lib/vauth/digest_sspi.c, lib/vtls/vtls.c.
- debian/patches/CVE-2023-27535.patch: add more conditions for
connection reuse in lib/ftp.c, lib/ftp.h, lib/url.c, lib/urldata.h.
- CVE-2023-27535
* SECURITY UPDATE: GSS delegation too eager connection re-use
- debian/patches/CVE-2023-27536.patch: only reuse connections with same
GSS delegation in lib/url.c, lib/urldata.h.
- CVE-2023-27536
* SECURITY UPDATE: SSH connection too eager reuse still
- debian/patches/CVE-2023-27538.patch: fix the SSH connection reuse
check in lib/url.c.
- CVE-2023-27538
-- Marc Deslauriers <email address hidden> Tue, 14 Mar 2023 09:55:46 -0400
-
curl (7.85.0-1ubuntu0.3) kinetic-security; urgency=medium
* SECURITY UPDATE: multiple HSTS issues
- debian/patches/CVE-2023-23914_5-1.patch: add sharing of HSTS cache
among handles in docs/libcurl/opts/CURLSHOPT_SHARE.3,
docs/libcurl/symbols-in-versions, include/curl/curl.h, lib/hsts.c,
lib/hsts.h, lib/setopt.c, lib/share.c, lib/share.h, lib/transfer.c,
lib/url.c, lib/urldata.h.
- debian/patches/CVE-2023-23914_5-2.patch: share HSTS between handles
in src/tool_operate.c.
- debian/patches/CVE-2023-23914_5-3.patch: handle adding the same host
name again in lib/hsts.c.
- debian/patches/CVE-2023-23914_5-4.patch: support crlf="yes" for
verify/proxy in tests/FILEFORMAT.md, tests/runtests.pl.
- debian/patches/CVE-2023-23914_5-5.patch: verify hsts with two URLs in
tests/data/Makefile.inc, tests/data/test446.
- CVE-2023-23914
- CVE-2023-23915
* SECURITY UPDATE: HTTP multi-header compression denial of service
- debian/patches/CVE-2023-23916-pre1.patch: do CRLF replacements in
tests/FILEFORMAT.md, tests/data/test1, tests/runtests.pl.
- debian/patches/CVE-2023-23916.patch: do not reset stage counter for
each header in lib/content_encoding.c, lib/urldata.h,
tests/data/Makefile.inc, tests/data/test387, tests/data/test418.
- CVE-2023-23916
-- Marc Deslauriers <email address hidden> Wed, 15 Feb 2023 08:12:14 -0500
-
curl (7.85.0-1ubuntu0.2) kinetic-security; urgency=medium
* SECURITY UPDATE: Another HSTS bypass via IDN
- debian/patches/CVE-2022-43551.patch: use the IDN decoded name in HSTS
checks in lib/http.c.
- CVE-2022-43551
* SECURITY UPDATE: HTTP Proxy deny use-after-free
- debian/patches/CVE-2022-43552.patch: do not free the protocol struct
in *_done() in lib/smb.c, lib/telnet.c.
- CVE-2022-43552
-- Marc Deslauriers <email address hidden> Wed, 04 Jan 2023 09:49:54 -0500
-
curl (7.85.0-1ubuntu0.1) kinetic-security; urgency=medium
* SECURITY UPDATE: POST following PUT confusion
- debian/patches/CVE-2022-32221.patch: when POST is set, reset the
'upload' field in lib/setopt.c.
- CVE-2022-32221
* SECURITY UPDATE: .netrc parser out-of-bounds access
- debian/patches/CVE-2022-35260.patch: replace fgets with Curl_get_line
in lib/curl_get_line.c, lib/netrc.c.
- CVE-2022-35260
* SECURITY UPDATE: HTTP proxy double-free
- debian/patches/CVE-2022-42915.patch: restore the protocol pointer on
error in lib/http_proxy.c, lib/url.c.
- CVE-2022-42915
* SECURITY UPDATE: HSTS bypass via IDN
- debian/patches/CVE-2022-42916.patch: use IDN decoded names for HSTS
checks in lib/url.c.
- CVE-2022-42916
-- Marc Deslauriers <email address hidden> Wed, 26 Oct 2022 06:47:08 -0400
-
curl (7.85.0-1) unstable; urgency=medium
* New upstream version 7.85.0
- Fix control code in cookie denial of service:
When curl retrieves and parses cookies from an HTTP(S) server, it
accepts cookies using control codes (byte values below 32). When cookies
that contain such control codes are later sent back to an HTTP(S) server,
it might make the server return a 400 response. Effectively allowing a
"sister site" to deny service to siblings
(closes: #1018831, CVE-2022-35252)
- Fix FTBFS on riscv64 with gcc-12 (closes: #1015835)
* Bump Standards-Version to 4.6.1
* Add lintian overrides for old-style-config-script-multiarch-path triggered
for curl-config
* d/patches:
- 11_omit-directories-from-config.patch: Update patch
- 20_ftbfs_import_sched.patch: Drop patch, applied upstream
* d/rules: Fix configure args, remove bogus '--without-ssl'
* d/copyright: Update the whole file
* d/(control|watch): Update upstream's URL
-- Samuel Henrique <email address hidden> Fri, 02 Sep 2022 13:00:10 +0100
-
curl (7.84.0-2ubuntu2) kinetic; urgency=medium
* SECURITY UPDATE: when curl sends back cookies with control bytes a
HTTP(S) server may return a 400 response
- debian/patches/CVE-2022-35252.patch: adds invalid_octets function
to lib/cookie.c to reject cookies with control bytes
- CVE-2022-35252
-- Mark Esler <email address hidden> Wed, 31 Aug 2022 14:06:26 -0500
-
curl (7.84.0-2ubuntu1) kinetic; urgency=medium
* d/patches: Fix atomic use for RISC-V (LP: #1982545)
-- Alexandre Ghiti <email address hidden> Thu, 21 Jul 2022 18:59:11 +0200
-
curl (7.84.0-2) unstable; urgency=medium
* d/p/20_ftbfs_import_sched.patch: New upstream patch to fix FTBFS
(closes: #1014596)
-- Samuel Henrique <email address hidden> Mon, 11 Jul 2022 22:50:01 +0100
-
curl (7.84.0-1ubuntu1) kinetic; urgency=medium
* Include sched.h to resolve FTBFS on affected architectures
-- William 'jawn-smith' Wilson <email address hidden> Fri, 08 Jul 2022 15:14:51 -0500
-
curl (7.84.0-1) unstable; urgency=medium
* New upstream version 7.84.0
-- Samuel Henrique <email address hidden> Mon, 27 Jun 2022 22:06:25 +0100
-
curl (7.83.1-2) unstable; urgency=medium
* d/p/fix_multiline_header_regression.patch: New upstream patch to fix
regression (closes: #1012263, #1011696)
-- Samuel Henrique <email address hidden> Tue, 14 Jun 2022 18:05:23 +0100
-
curl (7.83.1-1ubuntu1) kinetic; urgency=medium
* Apply upstream patch to fix multi-line header support (LP: #1976619)
-- Olivier Gayot <email address hidden> Thu, 02 Jun 2022 13:44:50 +0200
-
curl (7.83.1-1) unstable; urgency=medium
* New upstream version 7.83.1
- Fix the following CVEs:
~ HSTS bypass via trailing dot (CVE-2022-30115)
~ TLS and SSH connection too eager reuse (CVE-2022-27782)
~ CERTINFO never-ending busy-loop (CVE-2022-27781)
~ percent-encoded path separator in URL host (CVE-2022-27780)
~ cookie for trailing dot TLD (CVE-2022-27779)
~ curl removes wrong file on error (CVE-2022-27778)
-- Samuel Henrique <email address hidden> Wed, 11 May 2022 17:46:48 +0100
-
curl (7.83.0-1) unstable; urgency=medium
* New upstream version 7.83.0
- Fix auth/cookie leak on redirect (closes: #1010252, CVE-2022-27776)
- Fix bad local IPv6 connection reuse (closes: #1010253, CVE-2022-27775)
- Fix credential leak on redirect (closes: #1010254, CVE-2022-27774)
- Fix OAUTH2 bearer bypass in connection re-use
(closes: #1010295, CVE-2022-22576)
* d/libcurl*.symbols: update symbols files to add curl_easy_header and
curl_easy_nextheader
* d/patches:
- Refresh patches
- 12_fix_openssl_cm_check.patch: remove patch, applied upstream
-- Samuel Henrique <email address hidden> Thu, 28 Apr 2022 18:53:32 +0100
-
curl (7.81.0-1) unstable; urgency=medium
* New upstream version 7.81.0
* d/p/13_fix-man-formatting.patch: Refresh patch
-- Samuel Henrique <email address hidden> Wed, 05 Jan 2022 09:31:32 -0300