Change logs for curl source package in Kinetic

  • curl (7.85.0-1ubuntu0.6) kinetic-security; urgency=medium
    
      * SECURITY UPDATE: improper certificate validation vulnerability
        - debian/patches/CVE-2023-28321.patch: fix host name wildcard checking
          in lib/vtls/hostcheck.c, tests/data/test1397, tests/unit/unit1397.c.
        - CVE-2023-28321
      * SECURITY UPDATE: information disclosure vulnerability
        - debian/patches/CVE-2023-28322.patch: unify the upload/method handling
          in lib/curl_rtmp.c, lib/file.c, lib/ftp.c, lib/http.c, lib/imap.c,
          lib/rtsp.c, lib/setopt.c, lib/smb.c, lib/smtp.c, lib/tftp.c,
          lib/transfer.c, lib/urldata.h, lib/vssh/libssh.c, lib/vssh/libssh2.c,
          lib/vssh/wolfssh.c.
        - CVE-2023-28322
      * SECURITY UPDATE: fopen race condition
        - debian/patches/CVE-2023-32001.patch: fix race in lib/fopen.c.
        - CVE-2023-32001
    
     -- Marc Deslauriers <email address hidden>  Mon, 17 Jul 2023 08:03:23 -0400
  • curl (7.85.0-1ubuntu0.5) kinetic-security; urgency=medium
    
      * SECURITY UPDATE: TELNET option IAC injection
        - debian/patches/CVE-2023-27533.patch: only accept option arguments in
          ASCII in lib/telnet.c.
        - CVE-2023-27533
      * SECURITY UPDATE: SFTP path ~ resolving discrepancy
        - debian/patches/CVE-2023-27534-pre1.patch: do not add '/' if homedir
          ends with one in lib/curl_path.c.
        - debian/patches/CVE-2023-27534.patch: create the new path with dynbuf
          in lib/curl_path.c.
        - CVE-2023-27534
      * SECURITY UPDATE: FTP too eager connection reuse
        - debian/patches/CVE-2023-27535-pre1.patch: add and use Curl_timestrcmp
          in lib/netrc.c, lib/strcase.c, lib/strcase.h, lib/url.c,
          lib/vauth/digest_sspi.c, lib/vtls/vtls.c.
        - debian/patches/CVE-2023-27535.patch: add more conditions for
          connection reuse in lib/ftp.c, lib/ftp.h, lib/url.c, lib/urldata.h.
        - CVE-2023-27535
      * SECURITY UPDATE: GSS delegation too eager connection re-use
        - debian/patches/CVE-2023-27536.patch: only reuse connections with same
          GSS delegation in lib/url.c, lib/urldata.h.
        - CVE-2023-27536
      * SECURITY UPDATE: SSH connection too eager reuse still
        - debian/patches/CVE-2023-27538.patch: fix the SSH connection reuse
          check in lib/url.c.
        - CVE-2023-27538
    
     -- Marc Deslauriers <email address hidden>  Tue, 14 Mar 2023 09:55:46 -0400
  • curl (7.85.0-1ubuntu0.3) kinetic-security; urgency=medium
    
      * SECURITY UPDATE: multiple HSTS issues
        - debian/patches/CVE-2023-23914_5-1.patch: add sharing of HSTS cache
          among handles in docs/libcurl/opts/CURLSHOPT_SHARE.3,
          docs/libcurl/symbols-in-versions, include/curl/curl.h, lib/hsts.c,
          lib/hsts.h, lib/setopt.c, lib/share.c, lib/share.h, lib/transfer.c,
          lib/url.c, lib/urldata.h.
        - debian/patches/CVE-2023-23914_5-2.patch: share HSTS between handles
          in src/tool_operate.c.
        - debian/patches/CVE-2023-23914_5-3.patch: handle adding the same host
          name again in lib/hsts.c.
        - debian/patches/CVE-2023-23914_5-4.patch: support crlf="yes" for
          verify/proxy in tests/FILEFORMAT.md, tests/runtests.pl.
        - debian/patches/CVE-2023-23914_5-5.patch: verify hsts with two URLs in
          tests/data/Makefile.inc, tests/data/test446.
        - CVE-2023-23914
        - CVE-2023-23915
      * SECURITY UPDATE: HTTP multi-header compression denial of service
        - debian/patches/CVE-2023-23916-pre1.patch: do CRLF replacements in
          tests/FILEFORMAT.md, tests/data/test1, tests/runtests.pl.
        - debian/patches/CVE-2023-23916.patch: do not reset stage counter for
          each header in lib/content_encoding.c, lib/urldata.h,
          tests/data/Makefile.inc, tests/data/test387, tests/data/test418.
        - CVE-2023-23916
    
     -- Marc Deslauriers <email address hidden>  Wed, 15 Feb 2023 08:12:14 -0500
  • curl (7.85.0-1ubuntu0.2) kinetic-security; urgency=medium
    
      * SECURITY UPDATE: Another HSTS bypass via IDN
        - debian/patches/CVE-2022-43551.patch: use the IDN decoded name in HSTS
          checks in lib/http.c.
        - CVE-2022-43551
      * SECURITY UPDATE: HTTP Proxy deny use-after-free
        - debian/patches/CVE-2022-43552.patch: do not free the protocol struct
          in *_done() in lib/smb.c, lib/telnet.c.
        - CVE-2022-43552
    
     -- Marc Deslauriers <email address hidden>  Wed, 04 Jan 2023 09:49:54 -0500
  • curl (7.85.0-1ubuntu0.1) kinetic-security; urgency=medium
    
      * SECURITY UPDATE: POST following PUT confusion
        - debian/patches/CVE-2022-32221.patch: when POST is set, reset the
          'upload' field in lib/setopt.c.
        - CVE-2022-32221
      * SECURITY UPDATE: .netrc parser out-of-bounds access
        - debian/patches/CVE-2022-35260.patch: replace fgets with Curl_get_line
          in lib/curl_get_line.c, lib/netrc.c.
        - CVE-2022-35260
      * SECURITY UPDATE: HTTP proxy double-free
        - debian/patches/CVE-2022-42915.patch: restore the protocol pointer on
          error in lib/http_proxy.c, lib/url.c.
        - CVE-2022-42915
      * SECURITY UPDATE: HSTS bypass via IDN
        - debian/patches/CVE-2022-42916.patch: use IDN decoded names for HSTS
          checks in lib/url.c.
        - CVE-2022-42916
    
     -- Marc Deslauriers <email address hidden>  Wed, 26 Oct 2022 06:47:08 -0400
  • curl (7.85.0-1) unstable; urgency=medium
    
      * New upstream version 7.85.0
        - Fix control code in cookie denial of service:
          When curl retrieves and parses cookies from an HTTP(S) server, it
          accepts cookies using control codes (byte values below 32). When cookies
          that contain such control codes are later sent back to an HTTP(S) server,
          it might make the server return a 400 response, effectively allowing a
          "sister site" to deny service to siblings
          (closes: #1018831, CVE-2022-35252)
        - Fix FTBFS on riscv64 with gcc-12 (closes: #1015835)
      * Bump Standards-Version to 4.6.1
      * Add lintian overrides for old-style-config-script-multiarch-path triggered
        for curl-config
      * d/patches:
        - 11_omit-directories-from-config.patch: Update patch
        - 20_ftbfs_import_sched.patch: Drop patch, applied upstream
      * d/rules: Fix configure args, remove bogus '--without-ssl'
      * d/copyright: Update the whole file
      * d/(control|watch): Update upstream's URL
    
     -- Samuel Henrique <email address hidden>  Fri, 02 Sep 2022 13:00:10 +0100
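As an added illustration of the control-byte cookie rejection described in the 7.85.0 entry above (the same fix the 7.84.0-2ubuntu2 entry backports as an invalid_octets check), and not curl's own code: a minimal Set-Cookie name=value parser in C that refuses to store a pair containing any byte below 32. The function names, buffer sizes and the sample header strings are assumptions constructed for this example.

```c
/* Added example, not curl's code: reject cookie pairs carrying control bytes
 * (values below 32), the class of input the CVE-2022-35252 fix stops curl
 * from storing and later echoing back to a server. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed policy, taken from the changelog text: any byte below 32 is bad. */
static bool has_control_bytes(const char *p, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if ((unsigned char)p[i] < 32)
            return true;
    }
    return false;
}

/* Parse the leading name=value pair of a Set-Cookie header value into the
 * caller's buffers. Returns false (storing nothing) when the pair is
 * malformed, does not fit, or contains a control byte in name or value.
 * hdr is NUL-terminated, so an embedded NUL already ends the string. */
bool cookie_pair_acceptable(const char *hdr, char *name, size_t nlen,
                            char *value, size_t vlen)
{
    size_t pair_len = strcspn(hdr, ";");          /* attributes follow ';' */
    const char *eq = memchr(hdr, '=', pair_len);
    if (!eq || eq == hdr)                          /* no '=' or empty name */
        return false;
    size_t name_len = (size_t)(eq - hdr);
    size_t value_len = pair_len - name_len - 1;
    if (name_len >= nlen || value_len >= vlen)
        return false;
    /* the whole pair is dropped, not just the offending byte */
    if (has_control_bytes(hdr, name_len) ||
        has_control_bytes(eq + 1, value_len))
        return false;
    memcpy(name, hdr, name_len);
    name[name_len] = '\0';
    memcpy(value, eq + 1, value_len);
    value[value_len] = '\0';
    return true;
}

/* Convenience wrapper (hypothetical): parsed value in a static buffer, or
 * NULL when the pair was rejected. */
const char *accepted_cookie_value(const char *hdr)
{
    static char name[64], value[256];
    return cookie_pair_acceptable(hdr, name, sizeof name,
                                  value, sizeof value) ? value : NULL;
}
```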
  • curl (7.84.0-2ubuntu2) kinetic; urgency=medium
    
      * SECURITY UPDATE: when curl sends back cookies with control bytes an
        HTTP(S) server may return a 400 response
        - debian/patches/CVE-2022-35252.patch: adds invalid_octets function
          to lib/cookie.c to reject cookies with control bytes
        - CVE-2022-35252
    
     -- Mark Esler <email address hidden>  Wed, 31 Aug 2022 14:06:26 -0500
  • curl (7.84.0-2ubuntu1) kinetic; urgency=medium
    
      * d/patches: Fix atomic use for RISC-V (LP: #1982545)
    
     -- Alexandre Ghiti <email address hidden>  Thu, 21 Jul 2022 18:59:11 +0200
  • curl (7.84.0-2) unstable; urgency=medium
    
      * d/p/20_ftbfs_import_sched.patch: New upstream patch to fix FTBFS
        (closes: #1014596)
    
     -- Samuel Henrique <email address hidden>  Mon, 11 Jul 2022 22:50:01 +0100
  • curl (7.84.0-1ubuntu1) kinetic; urgency=medium
    
      * Include sched.h to resolve FTBFS on affected architectures
    
     -- William 'jawn-smith' Wilson <email address hidden>  Fri, 08 Jul 2022 15:14:51 -0500
  • curl (7.84.0-1) unstable; urgency=medium
    
      * New upstream version 7.84.0
    
     -- Samuel Henrique <email address hidden>  Mon, 27 Jun 2022 22:06:25 +0100
  • curl (7.83.1-2) unstable; urgency=medium
    
      * d/p/fix_multiline_header_regression.patch: New upstream patch to fix
        regression (closes: #1012263, #1011696)
    
     -- Samuel Henrique <email address hidden>  Tue, 14 Jun 2022 18:05:23 +0100
  • curl (7.83.1-1ubuntu1) kinetic; urgency=medium
    
      * Apply upstream patch to fix multi-line header support (LP: #1976619)
    
     -- Olivier Gayot <email address hidden>  Thu, 02 Jun 2022 13:44:50 +0200
  • curl (7.83.1-1) unstable; urgency=medium
    
      * New upstream version 7.83.1
        - Fix the following CVEs:
          ~ HSTS bypass via trailing dot (CVE-2022-30115)
          ~ TLS and SSH connection too eager reuse (CVE-2022-27782)
          ~ CERTINFO never-ending busy-loop (CVE-2022-27781)
          ~ percent-encoded path separator in URL host (CVE-2022-27780)
          ~ cookie for trailing dot TLD (CVE-2022-27779)
          ~ curl removes wrong file on error (CVE-2022-27778)
    
     -- Samuel Henrique <email address hidden>  Wed, 11 May 2022 17:46:48 +0100
  • curl (7.83.0-1) unstable; urgency=medium
    
      * New upstream version 7.83.0
        - Fix auth/cookie leak on redirect (closes: #1010252, CVE-2022-27776)
        - Fix bad local IPv6 connection reuse (closes: #1010253, CVE-2022-27775)
        - Fix credential leak on redirect (closes: #1010254, CVE-2022-27774)
        - Fix OAUTH2 bearer bypass in connection re-use
          (closes: #1010295, CVE-2022-22576)
      * d/libcurl*.symbols: update symbols files to add curl_easy_header and
        curl_easy_nextheader
      * d/patches:
        - Refresh patches
        - 12_fix_openssl_cm_check.patch: remove patch, applied upstream
    
     -- Samuel Henrique <email address hidden>  Thu, 28 Apr 2022 18:53:32 +0100
  • curl (7.81.0-1) unstable; urgency=medium
    
      * New upstream version 7.81.0
      * d/p/13_fix-man-formatting.patch: Refresh patch
    
     -- Samuel Henrique <email address hidden>  Wed, 05 Jan 2022 09:31:32 -0300