Ubuntu
curl package

Change logs for curl source package in Noble

  1. Noble (24.04)
  2. Change log 
  • curl (8.5.0-2ubuntu10.1) noble-security; urgency=medium

  * SECURITY UPDATE: Usage of disabled protocol
    - debian/patches/CVE-2024-2004-pre1.patch: test1474: removed.
    - debian/patches/CVE-2024-2004.patch: fix disabling all protocols in
      lib/setopt.c, tests/data/Makefile.inc, tests/data/test1474.
    - CVE-2024-2004
  * SECURITY UPDATE: HTTP/2 push headers memory-leak
    - debian/patches/CVE-2024-2398.patch: push headers better cleanup in
      lib/http2.c.
    - CVE-2024-2398

 -- Marc Deslauriers <email address hidden>  Mon, 22 Apr 2024 12:00:57 -0400
  • curl (8.5.0-2ubuntu10) noble; urgency=high

  * No change rebuild against libgnutls30t64, libnettle8t64, libpsl5t64,
    libssl3t64.

 -- Julian Andres Klode <email address hidden>  Mon, 08 Apr 2024 16:38:07 +0200
  • curl (8.5.0-2ubuntu9) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- Steve Langasek <email address hidden>  Sun, 31 Mar 2024 00:50:18 +0000
  • curl (8.5.0-2ubuntu8) noble; urgency=medium

  * Drop build-dependency on stunnel4 for i386: we already don't run tests
    on i386.

 -- Steve Langasek <email address hidden>  Sun, 24 Mar 2024 03:10:54 +0000
  • curl (8.5.0-2ubuntu7) noble; urgency=medium

  * Rename libraries for 64-bit time_t transition.  Closes: #1061992,
    #1065315.

 -- Steve Langasek <email address hidden>  Fri, 15 Mar 2024 10:19:32 -0700
  • curl (8.5.0-2ubuntu6) noble; urgency=medium

  * Build without forcing the nocheck profile.

 -- Dan Bungert <email address hidden>  Mon, 11 Mar 2024 14:51:34 -0600
  • curl (8.5.0-2ubuntu5) noble; urgency=medium

  * Build with nocheck profile.

 -- Matthias Klose <email address hidden>  Thu, 07 Mar 2024 10:56:24 +0100
  • curl (8.5.0-2ubuntu4) noble; urgency=medium

  * Build with nocheck profile.

 -- Matthias Klose <email address hidden>  Thu, 07 Mar 2024 10:56:24 +0100
  • curl (8.5.0-2ubuntu3) noble; urgency=medium

  * No-change rebuild against libssl3t64

 -- Steve Langasek <email address hidden>  Mon, 04 Mar 2024 17:36:56 +0000
  • curl (8.5.0-2ubuntu2) noble; urgency=medium

  * SECURITY UPDATE: OCSP verification bypass with TLS session reuse
    - debian/patches/CVE-2024-0853.patch: when verifystatus fails, remove
      session id from cache in lib/vtls/openssl.c.
    - CVE-2024-0853

 -- Marc Deslauriers <email address hidden>  Wed, 31 Jan 2024 11:09:34 -0500
  • curl (8.5.0-2ubuntu1) noble; urgency=medium

  * Merge with Debian unstable (LP: #2045886). Remaining changes:
    - debian/control: Don't build-depend on python3-impacket on i386
      so we can drop it (and its dependencies) from the i386 partial port.
      It's only used for the tests, which do not block the build in any case.

curl (8.5.0-2) unstable; urgency=medium

  * d/p/openldap_fix_an_LDAP_crash.patch: New patch to fix ldap segfault
    (closes: #1057855)

curl (8.5.0-1) unstable; urgency=medium

  [ Samuel Henrique ]
  * New upstream version 8.5.0
    - Fix CVE-2023-46218: cookie mixed case PSL bypass (closes: #1057646)
    - Fix CVE-2023-46219: HSTS long file name clears contents (closes: #1057645)
  * d/rules: Use pkg-info.mk instead of dpkg-parsechangelog for DEB_VERSION
  * d/p/90_gnutls.patch: Update patch
  * d/p/dist_add_tests_errorcodes_pl_to_the_tarball.patch: Upstream patch to
    fix tests
  * d/p/add_errorcodes_upstream_file.patch: Include missing file from upstream
    tarball

  [ Carlos Henrique Lima Melara ]
  * d/control: change Maintainer field to curl packaging team
  * d/README.Debian: add readme to explain curl's team creation
  * d/control: add myself to Uploaders

 -- Danilo Egea Gondolfo <email address hidden>  Tue, 02 Jan 2024 09:32:27 +0000
  • curl (8.4.0-2ubuntu1) noble; urgency=medium

  * Merge from Debian unstable (LP: #2039798). Remaining changes:
    - debian/control: Don't build-depend on python3-impacket on i386
      so we can drop it (and its dependencies) from the i386 partial port.
      It's only used for the tests, which do not block the build in any case.
  * Drop patches for CVEs fixed upstream:
    - debian/patches/CVE-2023-38039.patch
    - debian/patches/CVE-2023-38545.patch
    - debian/patches/CVE-2023-38546.patch
  * Drop delta merged in Debian
    - debian/tests/control
    - debian/tests/curl-ldapi-test

 -- Danilo Egea Gondolfo <email address hidden>  Wed, 01 Nov 2023 12:06:23 +0000
  • curl (8.2.1-1ubuntu3.1) mantic-security; urgency=medium

  * SECURITY UPDATE: SOCKS5 heap buffer overflow
    - debian/patches/CVE-2023-38545.patch: return error if hostname too
      long for remote resolve in lib/socks.c, tests/data/Makefile.inc,
      tests/data/test728.
    - CVE-2023-38545
  * SECURITY UPDATE: cookie injection with none file
    - debian/patches/CVE-2023-38546.patch: remove unnecessary struct fields
      in lib/cookie.c, lib/cookie.h, lib/easy.c.
    - CVE-2023-38546

 -- Marc Deslauriers <email address hidden>  Tue, 03 Oct 2023 20:03:05 -0400
  • curl (8.2.1-1ubuntu3) mantic; urgency=medium

  * SECURITY UPDATE: HTTP headers eat all memory
    - debian/patches/CVE-2023-38039.patch: return error when receiving too
      large header set in lib/c-hyper.c, lib/cf-h1-proxy.c, lib/http.c,
      lib/http.h, lib/pingpong.c, lib/urldata.h.
    - CVE-2023-38039

 -- Marc Deslauriers <email address hidden>  Mon, 11 Sep 2023 09:05:17 -0400