Change logs for curl source package in Trusty

  • curl (7.35.0-1ubuntu2.17) trusty-security; urgency=medium
    
      * SECURITY UPDATE: Buffer overrun
        - debian/patches/CVE-2018-14618.patch: fix in
          lib/curl_ntlm_core.c.
        - CVE-2018-14618
    
     -- <email address hidden> (Leonidas S. Barbosa)  Wed, 12 Sep 2018 15:20:26 -0300
  • curl (7.35.0-1ubuntu2.16) trusty-security; urgency=medium
    
      * SECURITY UPDATE: RTSP bad headers buffer over-read
        - debian/patches/CVE-2018-1000301.patch: restore buffer pointer when
          bad response-line is parsed in lib/http.c.
        - CVE-2018-1000301
    
     -- Marc Deslauriers <email address hidden>  Tue, 08 May 2018 14:05:52 -0400
  • curl (7.35.0-1ubuntu2.15) trusty-security; urgency=medium
    
      * SECURITY UPDATE: FTP path trickery leads to NIL byte OOB write
        - debian/patches/CVE-2018-1000120-pre1.patch: avoid using
          curl_easy_unescape() internally in lib/ftp.c.
        - debian/patches/CVE-2018-1000120-pre2.patch: URL decode path for dir
          listing in nocwd mode in lib/ftp.c, add test to tests/*.
        - debian/patches/CVE-2018-1000120-pre3.patch: remove dead code in
          ftp_done in lib/ftp.c.
        - debian/patches/CVE-2018-1000120-pre4.patch: don't clobber the passed
          in error code in lib/ftp.c.
        - debian/patches/CVE-2018-1000120.patch: reject path components with
          control codes in lib/ftp.c, add test to tests/*.
        - CVE-2018-1000120
      * SECURITY UPDATE: LDAP NULL pointer dereference
        - debian/patches/CVE-2018-1000121.patch: check ldap_get_attribute_ber()
          results for NULL before using in lib/openldap.c.
        - CVE-2018-1000121
      * SECURITY UPDATE: RTSP RTP buffer over-read
        - debian/patches/CVE-2018-1000122.patch: make sure excess reads don't
          go beyond buffer end in lib/transfer.c.
        - CVE-2018-1000122
    
     -- Marc Deslauriers <email address hidden>  Wed, 14 Mar 2018 09:18:48 -0400
  • curl (7.35.0-1ubuntu2.14) trusty-security; urgency=medium
    
      * SECURITY UPDATE: leak authentication data
        - debian/patches/CVE-2018-1000007.patch: prevent custom
          authorization headers in redirects in lib/http.c,
          lib/url.c, lib/urldata.h, tests/data/Makefile.in,
          tests/data/test317, tests/data/test318.
        - CVE-2018-1000007
    
     -- <email address hidden> (Leonidas S. Barbosa)  Mon, 29 Jan 2018 17:53:40 -0300
  • curl (7.35.0-1ubuntu2.13) trusty-security; urgency=medium
    
      * SECURITY UPDATE: FTP wildcard out of bounds read
        - debian/patches/CVE-2017-8817.patch: fix heap buffer overflow in
          setcharset in lib/curl_fnmatch.c, added tests to
          tests/data/Makefile.am, tests/data/test1163.
        - CVE-2017-8817
    
     -- Marc Deslauriers <email address hidden>  Tue, 28 Nov 2017 08:05:35 -0500
  • curl (7.35.0-1ubuntu2.12) trusty-security; urgency=medium
    
      * SECURITY UPDATE: IMAP FETCH response out of bounds read
        - debian/patches/CVE-2017-1000257.patch: check size in lib/imap.c.
        - CVE-2017-1000257
    
     -- Marc Deslauriers <email address hidden>  Tue, 17 Oct 2017 13:54:46 -0400
  • curl (7.35.0-1ubuntu2.11) trusty-security; urgency=medium
    
      * SECURITY UPDATE: printf floating point buffer overflow
        - debian/patches/CVE-2016-9586.patch: fix floating point buffer
          overflow issues in lib/mprintf.c, added test to tests/data/test557,
          tests/libtest/lib557.c.
        - CVE-2016-9586
      * SECURITY UPDATE: TFTP sends more than buffer size
        - debian/patches/CVE-2017-1000100.patch: reject file name lengths that
          don't fit in lib/tftp.c.
        - CVE-2017-1000100
      * SECURITY UPDATE: URL globbing out of bounds read
        - debian/patches/CVE-2017-1000101.patch: do not continue parsing after
          a strtoul() overflow range in src/tool_urlglob.c, added test to
          tests/data/Makefile.am, tests/data/test1289.
        - CVE-2017-1000101
      * SECURITY UPDATE: FTP PWD response parser out of bounds read
        - debian/patches/CVE-2017-1000254.patch: zero terminate the entry path
          even on bad input in lib/ftp.c, added test to
          tests/data/Makefile.am, tests/data/test1152.
        - CVE-2017-1000254
      * SECURITY UPDATE: --write-out out of buffer read
        - debian/patches/CVE-2017-7407-1.patch: fix a buffer read overrun in
          src/tool_writeout.c added test to tests/data/Makefile.am,
          tests/data/test1440, tests/data/test1441.
        - debian/patches/CVE-2017-7407-2.patch: check for end of input in
          src/tool_writeout.c added test to tests/data/Makefile.am,
          tests/data/test1442.
        - CVE-2017-7407
    
     -- Marc Deslauriers <email address hidden>  Wed, 04 Oct 2017 09:02:01 -0400
  • curl (7.35.0-1ubuntu2.10) trusty-security; urgency=medium
    
      * SECURITY UPDATE: Incorrect reuse of client certificates with NSS
        - debian/patches/CVE-2016-7141.patch: refuse previously loaded
          certificate from file in lib/vtls/nss.c.
        - CVE-2016-7141
      * SECURITY UPDATE: curl escape and unescape integer overflows
        - debian/patches/CVE-2016-7167.patch: deny negative string length
          inputs in lib/escape.c.
        - CVE-2016-7167
      * SECURITY UPDATE: cookie injection for other servers
        - debian/patches/CVE-2016-8615.patch: ignore lines that are too long in
          lib/cookie.c.
        - CVE-2016-8615
      * SECURITY UPDATE: case insensitive password comparison
        - debian/patches/CVE-2016-8616.patch: use case sensitive user/password
          comparisons in lib/url.c.
        - CVE-2016-8616
      * SECURITY UPDATE: OOB write via unchecked multiplication
        - debian/patches/CVE-2016-8617.patch: check for integer overflow on
          large input in lib/base64.c.
        - CVE-2016-8617
      * SECURITY UPDATE: double-free in curl_maprintf
        - debian/patches/CVE-2016-8618.patch: detect wrap-around when growing
          allocation in lib/mprintf.c.
        - CVE-2016-8618
      * SECURITY UPDATE: double-free in krb5 code
        - debian/patches/CVE-2016-8619.patch: avoid realloc in lib/security.c.
        - CVE-2016-8619
      * SECURITY UPDATE: glob parser write/read out of bounds
        - debian/patches/CVE-2016-8620.patch: stay within bounds in
          src/tool_urlglob.c.
        - CVE-2016-8620
      * SECURITY UPDATE: curl_getdate read out of bounds
        - debian/patches/CVE-2016-8621.patch: handle cut off numbers better in
          lib/parsedate.c, added tests to tests/data/test517,
          tests/libtest/lib517.c.
        - CVE-2016-8621
      * SECURITY UPDATE: URL unescape heap overflow via integer truncation
        - debian/patches/CVE-2016-8622.patch: avoid integer overflow in
          lib/dict.c, lib/escape.c, update docs/libcurl/curl_easy_unescape.3.
        - CVE-2016-8622
      * SECURITY UPDATE: Use-after-free via shared cookies
        - debian/patches/CVE-2016-8623.patch: hold deep copies of all cookies
          in lib/cookie.c, lib/cookie.h, lib/http.c.
        - CVE-2016-8623
      * SECURITY UPDATE: invalid URL parsing with #
        - debian/patches/CVE-2016-8624.patch: accept # as end of host name in
          lib/url.c.
        - CVE-2016-8624
    
     -- Marc Deslauriers <email address hidden>  Wed, 02 Nov 2016 15:17:12 -0400
  • curl (7.35.0-1ubuntu2.9) trusty; urgency=medium
    
      [ Joe Afflerbach ]
      * debian/patches/curl-chunk-fix.patch:
        - fix problem with chunked encoded data (LP: #1613698)
    
     -- Gianfranco Costamagna <email address hidden>  Sun, 28 Aug 2016 21:27:34 +0200
  • curl (7.35.0-1ubuntu2.8) trusty-security; urgency=medium
    
      * SECURITY UPDATE: TLS session resumption client cert bypass
        - debian/patches/CVE-2016-5419.patch: switch off SSL session id when
          client cert is used in lib/url.c, lib/urldata.h, lib/vtls/vtls.c.
        - CVE-2016-5419
      * SECURITY UPDATE: re-using connections with wrong client cert
        - debian/patches/CVE-2016-5420.patch: only reuse connections with the
          same client cert in lib/vtls/vtls.c.
        - CVE-2016-5420
      * SECURITY UPDATE: use of connection struct after free
        - debian/patches/CVE-2016-5421.patch: clear connection pointer for easy
          handles in lib/multi.c.
        - CVE-2016-5421
    
     -- Marc Deslauriers <email address hidden>  Fri, 05 Aug 2016 11:23:04 -0400
  • curl (7.35.0-1ubuntu2.7) trusty; urgency=medium
    
      [ Matthew Hall ]
      * debian/patches/libcurl_broken_pkcs12.patch:
        - fix p12 client certificates (LP: #1556330)
    
     -- Gianfranco Costamagna <email address hidden>  Sat, 12 Mar 2016 17:22:33 +0100
  • curl (7.35.0-1ubuntu2.6) trusty-security; urgency=medium
    
      * SECURITY UPDATE: NTLM credentials not-checked for proxy connection
        re-use
        - debian/patches/CVE-2016-0755.patch: fix ConnectionExists to compare
          Proxy credentials in lib/url.c.
        - CVE-2016-0755
    
     -- Marc Deslauriers <email address hidden>  Tue, 26 Jan 2016 12:10:58 -0500
  • curl (7.35.0-1ubuntu2.5) trusty-security; urgency=medium
    
      * SECURITY UPDATE: NTLM connection reuse when unauthenticated
        - debian/patches/CVE-2015-3143.patch: require credentials to match in
          lib/url.c.
        - CVE-2015-3143
      * SECURITY UPDATE: cookie parser out of boundary memory access
        - debian/patches/CVE-2015-3145.patch: properly handle a single double
          quote in lib/cookie.c.
        - CVE-2015-3145
      * SECURITY UPDATE: negotiate not treated as connection-oriented
        - debian/patches/CVE-2015-3148.patch: don't clear GSSAPI state between
          each exchange and close Negotiate connections when done in
          lib/http.c, lib/http_negotiate.c, lib/http_negotiate_sspi.c.
        - CVE-2015-3148
    
     -- Marc Deslauriers <email address hidden>  Wed, 29 Apr 2015 14:03:00 -0400
  • curl (7.35.0-1ubuntu2.3) trusty-security; urgency=medium
    
      * SECURITY UPDATE: URL request injection
        - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
          lib/url.c, added test to tests/data/Makefile.am, tests/data/test1529,
          tests/libtest/Makefile.inc, tests/libtest/lib1529.c.
        - CVE-2014-8150
     -- Marc Deslauriers <email address hidden>   Wed, 14 Jan 2015 08:49:32 -0500
  • curl (7.35.0-1ubuntu2.2) trusty-security; urgency=medium
    
      * SECURITY UPDATE: sensitive data disclosure via duphandle read out of
        bounds
        - debian/patches/CVE-2014-3707.patch: properly copy memory aread in
          lib/formdata.c, lib/strdup.{c,h}, lib/url.c, lib/urldata.h,
          src/Makefile.inc, src/tool_setup.h, src/tool_strdup.{c,h}.
        - CVE-2014-3707
     -- Marc Deslauriers <email address hidden>   Thu, 06 Nov 2014 10:53:58 -0500
  • curl (7.35.0-1ubuntu2.1) trusty-security; urgency=medium
    
      * SECURITY UPDATE: incorrect cookie handling via partial literal IP
        addresses
        - debian/patches/CVE-2014-3613.patch: only use full host matches for
          hosts used as IP address in lib/cookie.c, added tests to
          tests/data/test1105, tests/data/test31, tests/data/test8.
        - CVE-2014-3613
      * SECURITY UPDATE: incorrect cookie handling for TLDs
        - debian/patches/CVE-2014-3620.patch: reject incoming cookies set for
          TLDs in lib/cookie.c, added test to tests/data/test61.
        - CVE-2014-3620
     -- Marc Deslauriers <email address hidden>   Thu, 11 Sep 2014 08:21:24 -0400
  • curl (7.35.0-1ubuntu2) trusty; urgency=medium
    
      * SECURITY UPDATE: wrong re-use of connections
        - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
          HTTP logic, and extend new connection logic to other protocols in
          lib/http.c, lib/url.c, lib/urldata.h, add new tests to
          tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
        - CVE-2014-0138
      * SECURITY UPDATE: incorrect wildcard SSL certificate validation with
        literal IP addresses
        - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
          lib/hostcheck.c, added tests to tests/data/Makefile.am,
          tests/data/test1397, tests/unit/Makefile.inc, tests/unit/unit1397.c.
        - CVE-2014-0139
      * debian/patches/fix_test172.path: fix expired cookie causing test to
        fail.
     -- Marc Deslauriers <email address hidden>   Tue, 01 Apr 2014 09:25:23 -0400
  • curl (7.35.0-1ubuntu1) trusty; urgency=medium
    
      * Resynchronize on Debian, remaining changes:
        - Drop dependencies not in main:
          + Build-Depends: Drop stunnel4 and libssh2-1-dev.
          + Drop libssh2-1-dev from binary package Depends.
        - Add new libcurl3-udeb package.
        - Add new curl-udeb package.
    
    curl (7.35.0-1) unstable; urgency=high
    
      * New upstream release
        - Fix re-use of wrong HTTP NTLM connection as per CVE-2014-0015
          http://curl.haxx.se/docs/adv_20140129.html
        - Set urgency=high accordingly
      * Refresh patches
     -- Marc Deslauriers <email address hidden>   Fri, 31 Jan 2014 08:42:28 -0500
  • curl (7.34.0-1ubuntu1) trusty; urgency=low
    
      * Resynchronize on Debian, remaining changes
        - Drop dependencies not in main:
          + Build-Depends: Drop stunnel4 and libssh2-1-dev.
          + Drop libssh2-1-dev from binary package Depends.
        - Add new libcurl3-udeb package.
        - Add new curl-udeb package.
      * Dropped undocumented Build-Depends change to automake1.9.
    
    curl (7.34.0-1) unstable; urgency=high
    
      * New upstream release
        - Fix GnuTLS checking of a certificate CN or SAN name field when the
          digital signature verification is turned off as per CVE-2013-6422
          http://curl.haxx.se/docs/adv_20131217.html
        - Set urgency=high accordingly
      * Drop patches merged upstream:
        - 08_fix-typo.patch
        - 09_fix-urlglob.patch
    
    curl (7.33.0-2) unstable; urgency=low
    
      * Make -dev packages Multi-Arch: same too (Closes: #731309)
      * Bump Standards-Version to 3.9.5 (no changes needed)
      * Add 09_fix-urlglob.patch to fix URL globbing (Closes: #731855)
     -- Marc Deslauriers <email address hidden>   Fri, 20 Dec 2013 09:13:22 -0500
  • curl (7.33.0-1ubuntu1) trusty; urgency=low
    
      * Resynchronize on Debian, remaining changes
        - Drop dependencies not in main:
          + Build-Depends: Drop stunnel4 and libssh2-1-dev.
          + Drop libssh2-1-dev from binary package Depends.
        - Add new libcurl3-udeb package.
        - Add new curl-udeb package.
    
    curl (7.33.0-1) unstable; urgency=low
    
      * New upstream release
        - Handle arbitrary-length username and password (Closes: #719856)
      * Remove Luk from Uploaders as per his request (Closes: #723603)
      * Do not Build-Depends on specific automake version (Closes: #724361)
      * Fix lintian vcs-field-not-canonical
      * Add 08_fix-typo.patch
      * Refresh patches
    
    curl (7.32.0-1ubuntu1) saucy; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - Drop dependencies not in main:
          + Build-Depends: Drop stunnel4 and libssh2-1-dev.
          + Drop libssh2-1-dev from binary package Depends.
        - Add new libcurl3-udeb package.
        - Add new curl-udeb package.
      * Fixes freeipa-client join. (LP: #1220928)
     -- Sebastien Bacher <email address hidden>   Wed, 06 Nov 2013 10:45:28 +0100
  • curl (7.32.0-1ubuntu1) saucy; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - Drop dependencies not in main:
          + Build-Depends: Drop stunnel4 and libssh2-1-dev.
          + Drop libssh2-1-dev from binary package Depends.
        - Add new libcurl3-udeb package.
        - Add new curl-udeb package.
      * Fixes freeipa-client join. (LP: #1220928)
    
    curl (7.32.0-1) unstable; urgency=low
    
      * New upstream release
      * Fix typo in changelog entry for 7.31.0-1 (Closes: #714502)
      * Drop 08_typo.patch (merged upstream)
      * Drop 09_openssl-recv.patch (merged upstream)
      * Refresh 90_gnutls.patch and 99_nss.patch
      * Refresh 06_always-disable-valgrind.patch
      * Enable threaded DNS resolver (Closes: #570436)
        See NEWS.Debian for more info
     -- Ubuntu Merge-o-Matic <email address hidden>   Mon, 12 Aug 2013 15:39:32 +0000