Change logs for curl source package in Quantal

  • curl (7.27.0-1ubuntu1.9) quantal-security; urgency=medium
    
      * SECURITY UPDATE: wrong re-use of connections
        - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
          HTTP logic, and extend new connection logic to other protocols in
          lib/http.c, lib/url.c, lib/urldata.h, add new tests to
          tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
        - CVE-2014-0138
      * SECURITY UPDATE: incorrect wildcard SSL certificate validation with
        literal IP addresses
        - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
          lib/ssluse.c.
        - CVE-2014-0139
      * debian/patches/fix_test172.path: fix expired cookie causing test to
        fail.
      * debian/patches/disable_test519.path: disable test 519 as security
        update causes it to hang. Fixing this would require backporting new
        logic into tests/server/sws.c.
     -- Marc Deslauriers <email address hidden>   Tue, 01 Apr 2014 09:59:44 -0400
  • curl (7.27.0-1ubuntu1.8) quantal-security; urgency=medium
    
      * SECURITY UPDATE: information disclosure via incorrect NTLM credential
        reuse
        - debian/patches/CVE-2014-0015.patch: don't reuse connections if NTLM
          auth is used in lib/url.c.
        - CVE-2014-0015
     -- Marc Deslauriers <email address hidden>   Fri, 31 Jan 2014 08:33:44 -0500
  • curl (7.27.0-1ubuntu1.7) quantal-security; urgency=low
    
      * SECURITY UPDATE: missing CN verification when signature verification is
        disabled in GnuTLS backend.
        - debian/patches/CVE-2013-6422.patch: still verify host when
          CURLOPT_SSL_VERIFYPEER isn't set in lib/gtls.c.
        - CVE-2013-6422
     -- Marc Deslauriers <email address hidden>   Tue, 17 Dec 2013 12:49:18 -0500
  • curl (7.27.0-1ubuntu1.6) quantal-security; urgency=low
    
      * SECURITY REGRESSION: can't disable cert checking in command line tool
        (LP: #1258366)
        - debian/patches/CVE-2013-4545.patch: properly disable host
          verification when insecure mode is used in src/tool_operate.c.
        - CVE-2013-4545
     -- Marc Deslauriers <email address hidden>   Fri, 06 Dec 2013 07:47:06 -0500
  • curl (7.27.0-1ubuntu1.5) quantal-security; urgency=low
    
      * SECURITY UPDATE: missing CN verification when signature verification is
        disabled.
        - debian/patches/CVE-2013-4545.patch: still verify host when
          CURLOPT_SSL_VERIFYPEER isn't set in lib/ssluse.c.
        - CVE-2013-4545
     -- Marc Deslauriers <email address hidden>   Fri, 29 Nov 2013 08:32:41 -0500
  • curl (7.27.0-1ubuntu1.4) quantal; urgency=low
    
      * Reset timecond when clearing session-info variables (LP: #1179781)
        This fixes CURLINFO_CONDITION_UNMET incorrectly reporting "1"
     -- Dave Chiluk <email address hidden>   Fri, 23 Aug 2013 14:58:40 -0700
  • curl (7.27.0-1ubuntu1.3) quantal-security; urgency=low
    
      * SECURITY UPDATE: denial of service and possible code execution via
        heap overflow in URL decoder
        - debian/patches/CVE-2013-2174.patch: fix overflow in lib/escape.c,
          added tests to tests/data/Makefile.am, tests/data/test1396,
          tests/unit/Makefile.inc, tests/unit/unit1396.c.
        - CVE-2013-2174
     -- Marc Deslauriers <email address hidden>   Thu, 27 Jun 2013 14:06:10 -0400
  • curl (7.27.0-1ubuntu1.2) quantal-security; urgency=low
    
      * SECURITY UPDATE: Incorrect cookie domain handling in tailmatch()
        - debian/patches/05_curl-tailmatch.patch: enforce strict subdomain match
          when sending cookies. Patch from YAMADA Yasuharu.
        - http://curl.haxx.se/curl-tailmatch.patch
        - CVE-2013-1944
     -- Seth Arnold <email address hidden>   Wed, 10 Apr 2013 16:08:21 -0700
  • curl (7.27.0-1ubuntu1.1) quantal-security; urgency=low
    
      * SECURITY UPDATE: arbitrary code execution via sasl buffer overflow
        - debian/patches/CVE-2013-0249.patch: properly limit lengths in
          lib/curl_sasl.c.
        - CVE-2013-0249
     -- Marc Deslauriers <email address hidden>   Tue, 12 Feb 2013 08:45:55 -0500
  • curl (7.27.0-1ubuntu1) quantal; urgency=low
    
      * Resynchronise with Debian.  Remaining changes:
        - Drop dependencies not in main:
          + Build-Depends: Drop stunnel4 and libssh2-1-dev.
          + Drop libssh2-1-dev from binary package Depends.
        - Add new libcurl3-udeb package.
        - Add new curl-udeb package.
    
    curl (7.27.0-1) unstable; urgency=low
    
      * New upstream release
      * Update upstream copyright
      * Refresh 01_runtests_gdb.patch, 90_gnutls.patch and 99_nss.patch
     -- Colin Watson <email address hidden>   Mon, 20 Aug 2012 13:54:01 +0100
  • curl (7.26.0-1ubuntu1) quantal; urgency=low
    
      * Resynchronise with Debian.  Remaining changes:
        - Drop dependencies not in main:
          + Build-Depends: Drop stunnel4 and libssh2-1-dev.
          + Drop libssh2-1-dev from binary package Depends.
        - Add new libcurl3-udeb package.
        - Add new curl-udeb package.
      * Adjust udeb configure flags handling to something easier to merge in
        future.
    
    curl (7.26.0-1) unstable; urgency=low
    
      * New upstream release
        - Reject numerical IPv6 addresses outside brackets (Closes: #670126)
      * Email change: Alessandro Ghedini -> <email address hidden>
      * Stricter Depends on libcurl3 (Closes: #666089)
      * Remove Ramakrishnan (as per his request), move myself to Maintainer
        Thank you for all your work so far
      * Disable memory tracking, but keep debug enabled
        - Remove memdebug symbols (used by curl only)
      * Refresh 01_runtests_gdb.patch, 90_gnutls.patch and 99_nss.patch
      * Disable not-quite-working symbols hiding
     -- Colin Watson <email address hidden>   Mon, 28 May 2012 12:21:13 +0100
  • curl (7.25.0-1ubuntu2) quantal; urgency=low
    
      * Drop libssh2-1-dev Depends (not in main) from libcurl4-gnutls-dev and
        libcurl4-nss-dev too.
     -- Colin Watson <email address hidden>   Tue, 22 May 2012 22:58:51 +0100
  • curl (7.25.0-1ubuntu1) quantal; urgency=low
    
      * Merge from Debian testing (LP: #1003049).  Remaining changes:
        - Drop dependencies not in main:
          + Build-Depends: Drop stunnel4 and libssh2-1-dev.
          + Drop libssh2-1-dev from libcurl4-openssl-dev's Depends.
        - Add new libcurl3-udeb package.
        - Add new curl-udeb package.
        - Also closes (LP: #855291)
      * debian/patches/CVE-2012-0036.patch: Dropped. CVE resolved upstream.
    
    curl (7.25.0-1) unstable; urgency=low
    
      * New upstream release
        - Add --ssl-allow-beast and CURLOPT_SSL_OPTIONS (Closes: #658276)
        - Allow negative numbers as option value (Closes: #659591)
      * Add libssh2-1-dev to libcurl4-gnutls-dev and libcurl4-nss-dev Depends
      * Bump debhelper compat level to 9
        - Make *.links files executable to simplify rules file
      * Pass --as-needed ld flag to avoid unneeded dependencies
        - Add workaround_as_needed_bug to workaround a libtool bug
        - Drop dont_link_to_krb5 (not needed because of --as-needed)
      * Do some clean-up in debian/rules
      * Update debian/copyright format as in Debian Policy 3.9.3
      * Bump Standards-Version to 3.9.3
      * Explicit Conflicts in -dev packages (fixes binaries-have-file-conflict)
      * Add openssh-server to build depends to enable some more tests
      * Update upstream copyright years
      * Refresh patches
    
    curl (7.24.0-1) unstable; urgency=high
    
      * New upstream release
        - Improve documentation for the --capath option (Closes: #628697)
        - Fix URL sanitization vulnerability as per CVE-2012-0036
          http://curl.haxx.se/docs/adv_20120124.html
        - Fix SSL CBC IV vulnerability as per CVE-2011-3389
          http://curl.haxx.se/docs/adv_20120124B.html
        - Set urgency=high accordingly
      * Remove curl_links_with_rt patch (curl links to librt anyway)
      * Improve descriptions of -dev and -dbg packages
      * Drop fix_manpage_spelling and versioned patches (merged upstream)
      * Refresh patches
      * Add keep_symbols_compat patch to not break backwards ABI compatibility
      * Enable libssh2 support for GnuTLS and NSS flavours too
        (libssh2 now uses libgcrypt instead of libssl)
    
    curl (7.23.1-3) unstable; urgency=low
    
      * Enable security hardening flags
      * Remove libdb-dev from B-D (not used)
      * Improve short and long descriptions
      * Provide proper *.symbols files (Closes: #651619)
      * Do not version Curl_* symbols (for internal use only)
      * Do not override dh_makeshlibs version anymore
    
    curl (7.23.1-2) unstable; urgency=low
    
      * Bump shlibs version for libcurl3-nss (Closes: #650498)
    
    curl (7.23.1-1) unstable; urgency=low
    
      * New upstream release
        - Do not use gnutls_priority_set_direct and
          gnutls_certificate_type_set_priority anymore (Closes: #624024)
      * Refresh patches
      * Add --enable-debug flag to configure (Closes: #648902)
      * One Provides/Replaces per line
      * libcurl4-openssl-dev Provides libcurl4-dev too (Closes: #644126)
      * Specify only 3 components for Standards-Version
        (the fourth is not really needed)
      * Move ca-certificates to Recommends in lib* packages (Closes: #546607)
      * Add NSS flavour to versioned symbols
     -- Andres Rodriguez <email address hidden>   Tue, 22 May 2012 14:53:29 -0400
  • curl (7.22.0-3ubuntu4) precise; urgency=low
    
      * debian/control: Add missing Depends on libcrypto1.0.0-udeb.
     -- Andres Rodriguez <email address hidden>   Thu, 22 Mar 2012 18:40:30 -0400