Change logs for curl source package in Trusty

  • curl (7.35.0-1ubuntu2.20) trusty-security; urgency=medium
    
      * SECURITY UPDATE: SMTP end-of-response out-of-bounds read
        - debian/patches/CVE-2019-3823.patch: avoid risk of buffer overflow in
          strtol in lib/smtp.c.
        - CVE-2019-3823
    
     -- Marc Deslauriers <email address hidden>  Tue, 29 Jan 2019 09:03:19 -0500
  • curl (7.35.0-1ubuntu2.19) trusty-security; urgency=medium
    
      * SECURITY UPDATE: SASL password overflow via integer overflow
        - debian/patches/CVE-2018-16839-pre1.patch: prevent size overflows in
          lib/curl_sasl.c.
        - debian/patches/CVE-2018-16839-pre2.patch: fix integer overflow check
          in lib/curl_ntlm_core.c, lib/curl_setup.h, lib/curl_sasl.c.
        - debian/patches/CVE-2018-16839.patch: fix check in lib/curl_sasl.c.
        - CVE-2018-16839
      * SECURITY UPDATE: warning message out-of-buffer read
        - debian/patches/oob-read.patch: fix bad arithmetic in src/tool_msgs.c.
        - CVE number pending
    
     -- Marc Deslauriers <email address hidden>  Mon, 29 Oct 2018 08:15:06 -0400
  • curl (7.35.0-1ubuntu2.17) trusty-security; urgency=medium
    
      * SECURITY UPDATE: Buffer overrun
        - debian/patches/CVE-2018-14618.patch: fix in
          lib/curl_ntlm_core.c.
        - CVE-2018-14618
    
     -- <email address hidden> (Leonidas S. Barbosa)  Wed, 12 Sep 2018 15:20:26 -0300
  • curl (7.35.0-1ubuntu2.16) trusty-security; urgency=medium
    
      * SECURITY UPDATE: RTSP bad headers buffer over-read
        - debian/patches/CVE-2018-1000301.patch: restore buffer pointer when
          bad response-line is parsed in lib/http.c.
        - CVE-2018-1000301
    
     -- Marc Deslauriers <email address hidden>  Tue, 08 May 2018 14:05:52 -0400
  • curl (7.35.0-1ubuntu2.15) trusty-security; urgency=medium
    
      * SECURITY UPDATE: FTP path trickery leads to NIL byte OOB write
        - debian/patches/CVE-2018-1000120-pre1.patch: avoid using
          curl_easy_unescape() internally in lib/ftp.c.
        - debian/patches/CVE-2018-1000120-pre2.patch: URL decode path for dir
          listing in nocwd mode in lib/ftp.c, add test to tests/*.
        - debian/patches/CVE-2018-1000120-pre3.patch: remove dead code in
          ftp_done in lib/ftp.c.
        - debian/patches/CVE-2018-1000120-pre4.patch: don't clobber the passed
          in error code in lib/ftp.c.
        - debian/patches/CVE-2018-1000120.patch: reject path components with
          control codes in lib/ftp.c, add test to tests/*.
        - CVE-2018-1000120
      * SECURITY UPDATE: LDAP NULL pointer dereference
        - debian/patches/CVE-2018-1000121.patch: check ldap_get_attribute_ber()
          results for NULL before using in lib/openldap.c.
        - CVE-2018-1000121
      * SECURITY UPDATE: RTSP RTP buffer over-read
        - debian/patches/CVE-2018-1000122.patch: make sure excess reads don't
          go beyond buffer end in lib/transfer.c.
        - CVE-2018-1000122
    
     -- Marc Deslauriers <email address hidden>  Wed, 14 Mar 2018 09:18:48 -0400
  • curl (7.35.0-1ubuntu2.14) trusty-security; urgency=medium
    
      * SECURITY UPDATE: leak authentication data
        - debian/patches/CVE-2018-1000007.patch: prevent custom
          authorization headers in redirects in lib/http.c,
          lib/url.c, lib/urldata.h, tests/data/Makefile.in,
          tests/data/test317, tests/data/test318.
        - CVE-2018-1000007
    
     -- <email address hidden> (Leonidas S. Barbosa)  Mon, 29 Jan 2018 17:53:40 -0300
  • curl (7.35.0-1ubuntu2.13) trusty-security; urgency=medium
    
      * SECURITY UPDATE: FTP wildcard out of bounds read
        - debian/patches/CVE-2017-8817.patch: fix heap buffer overflow in
          setcharset in lib/curl_fnmatch.c, added tests to
          tests/data/Makefile.am, tests/data/test1163.
        - CVE-2017-8817
    
     -- Marc Deslauriers <email address hidden>  Tue, 28 Nov 2017 08:05:35 -0500
  • curl (7.35.0-1ubuntu2.12) trusty-security; urgency=medium
    
      * SECURITY UPDATE: IMAP FETCH response out of bounds read
        - debian/patches/CVE-2017-1000257.patch: check size in lib/imap.c.
        - CVE-2017-1000257
    
     -- Marc Deslauriers <email address hidden>  Tue, 17 Oct 2017 13:54:46 -0400
  • curl (7.35.0-1ubuntu2.11) trusty-security; urgency=medium
    
      * SECURITY UPDATE: printf floating point buffer overflow
        - debian/patches/CVE-2016-9586.patch: fix floating point buffer
          overflow issues in lib/mprintf.c, added test to tests/data/test557,
          tests/libtest/lib557.c.
        - CVE-2016-9586
      * SECURITY UPDATE: TFTP sends more than buffer size
        - debian/patches/CVE-2017-1000100.patch: reject file name lengths that
          don't fit in lib/tftp.c.
        - CVE-2017-1000100
      * SECURITY UPDATE: URL globbing out of bounds read
        - debian/patches/CVE-2017-1000101.patch: do not continue parsing after
          a strtoul() overflow range in src/tool_urlglob.c, added test to
          tests/data/Makefile.am, tests/data/test1289.
        - CVE-2017-1000101
      * SECURITY UPDATE: FTP PWD response parser out of bounds read
        - debian/patches/CVE-2017-1000254.patch: zero terminate the entry path
          even on bad input in lib/ftp.c, added test to
          tests/data/Makefile.am, tests/data/test1152.
        - CVE-2017-1000254
      * SECURITY UPDATE: --write-out out of buffer read
        - debian/patches/CVE-2017-7407-1.patch: fix a buffer read overrun in
          src/tool_writeout.c added test to tests/data/Makefile.am,
          tests/data/test1440, tests/data/test1441.
        - debian/patches/CVE-2017-7407-2.patch: check for end of input in
          src/tool_writeout.c added test to tests/data/Makefile.am,
          tests/data/test1442.
        - CVE-2017-7407
    
     -- Marc Deslauriers <email address hidden>  Wed, 04 Oct 2017 09:02:01 -0400
  • curl (7.35.0-1ubuntu2.10) trusty-security; urgency=medium
    
      * SECURITY UPDATE: Incorrect reuse of client certificates with NSS
        - debian/patches/CVE-2016-7141.patch: refuse previously loaded
          certificate from file in lib/vtls/nss.c.
        - CVE-2016-7141
      * SECURITY UPDATE: curl escape and unescape integer overflows
        - debian/patches/CVE-2016-7167.patch: deny negative string length
          inputs in lib/escape.c.
        - CVE-2016-7167
      * SECURITY UPDATE: cookie injection for other servers
        - debian/patches/CVE-2016-8615.patch: ignore lines that are too long in
          lib/cookie.c.
        - CVE-2016-8615
      * SECURITY UPDATE: case insensitive password comparison
        - debian/patches/CVE-2016-8616.patch: use case sensitive user/password
          comparisons in lib/url.c.
        - CVE-2016-8616
      * SECURITY UPDATE: OOB write via unchecked multiplication
        - debian/patches/CVE-2016-8617.patch: check for integer overflow on
          large input in lib/base64.c.
        - CVE-2016-8617
      * SECURITY UPDATE: double-free in curl_maprintf
        - debian/patches/CVE-2016-8618.patch: detect wrap-around when growing
          allocation in lib/mprintf.c.
        - CVE-2016-8618
      * SECURITY UPDATE: double-free in krb5 code
        - debian/patches/CVE-2016-8619.patch: avoid realloc in lib/security.c.
        - CVE-2016-8619
      * SECURITY UPDATE: glob parser write/read out of bounds
        - debian/patches/CVE-2016-8620.patch: stay within bounds in
          src/tool_urlglob.c.
        - CVE-2016-8620
      * SECURITY UPDATE: curl_getdate read out of bounds
        - debian/patches/CVE-2016-8621.patch: handle cut off numbers better in
          lib/parsedate.c, added tests to tests/data/test517,
          tests/libtest/lib517.c.
        - CVE-2016-8621
      * SECURITY UPDATE: URL unescape heap overflow via integer truncation
        - debian/patches/CVE-2016-8622.patch: avoid integer overflow in
          lib/dict.c, lib/escape.c, update docs/libcurl/curl_easy_unescape.3.
        - CVE-2016-8622
      * SECURITY UPDATE: Use-after-free via shared cookies
        - debian/patches/CVE-2016-8623.patch: hold deep copies of all cookies
          in lib/cookie.c, lib/cookie.h, lib/http.c.
        - CVE-2016-8623
      * SECURITY UPDATE: invalid URL parsing with #
        - debian/patches/CVE-2016-8624.patch: accept # as end of host name in
          lib/url.c.
        - CVE-2016-8624
    
     -- Marc Deslauriers <email address hidden>  Wed, 02 Nov 2016 15:17:12 -0400
  • curl (7.35.0-1ubuntu2.9) trusty; urgency=medium
    
      [ Joe Afflerbach ]
      * debian/patches/curl-chunk-fix.patch:
        - fix problem with chunked encoded data (LP: #1613698)
    
     -- Gianfranco Costamagna <email address hidden>  Sun, 28 Aug 2016 21:27:34 +0200
  • curl (7.35.0-1ubuntu2.8) trusty-security; urgency=medium
    
      * SECURITY UPDATE: TLS session resumption client cert bypass
        - debian/patches/CVE-2016-5419.patch: switch off SSL session id when
          client cert is used in lib/url.c, lib/urldata.h, lib/vtls/vtls.c.
        - CVE-2016-5419
      * SECURITY UPDATE: re-using connections with wrong client cert
        - debian/patches/CVE-2016-5420.patch: only reuse connections with the
          same client cert in lib/vtls/vtls.c.
        - CVE-2016-5420
      * SECURITY UPDATE: use of connection struct after free
        - debian/patches/CVE-2016-5421.patch: clear connection pointer for easy
          handles in lib/multi.c.
        - CVE-2016-5421
    
     -- Marc Deslauriers <email address hidden>  Fri, 05 Aug 2016 11:23:04 -0400
  • curl (7.35.0-1ubuntu2.7) trusty; urgency=medium
    
      [ Matthew Hall ]
      * debian/patches/libcurl_broken_pkcs12.patch:
        - fix p12 client certificates (LP: #1556330)
    
     -- Gianfranco Costamagna <email address hidden>  Sat, 12 Mar 2016 17:22:33 +0100
  • curl (7.35.0-1ubuntu2.6) trusty-security; urgency=medium
    
      * SECURITY UPDATE: NTLM credentials not checked for proxy connection
        re-use
        - debian/patches/CVE-2016-0755.patch: fix ConnectionExists to compare
          Proxy credentials in lib/url.c.
        - CVE-2016-0755
    
     -- Marc Deslauriers <email address hidden>  Tue, 26 Jan 2016 12:10:58 -0500
  • curl (7.35.0-1ubuntu2.5) trusty-security; urgency=medium
    
      * SECURITY UPDATE: NTLM connection reuse when unauthenticated
        - debian/patches/CVE-2015-3143.patch: require credentials to match in
          lib/url.c.
        - CVE-2015-3143
      * SECURITY UPDATE: cookie parser out of boundary memory access
        - debian/patches/CVE-2015-3145.patch: properly handle a single double
          quote in lib/cookie.c.
        - CVE-2015-3145
      * SECURITY UPDATE: negotiate not treated as connection-oriented
        - debian/patches/CVE-2015-3148.patch: don't clear GSSAPI state between
          each exchange and close Negotiate connections when done in
          lib/http.c, lib/http_negotiate.c, lib/http_negotiate_sspi.c.
        - CVE-2015-3148
    
     -- Marc Deslauriers <email address hidden>  Wed, 29 Apr 2015 14:03:00 -0400
  • curl (7.35.0-1ubuntu2.3) trusty-security; urgency=medium
    
      * SECURITY UPDATE: URL request injection
        - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
          lib/url.c, added test to tests/data/Makefile.am, tests/data/test1529,
          tests/libtest/Makefile.inc, tests/libtest/lib1529.c.
        - CVE-2014-8150
    
     -- Marc Deslauriers <email address hidden>  Wed, 14 Jan 2015 08:49:32 -0500
  • curl (7.35.0-1ubuntu2.2) trusty-security; urgency=medium
    
      * SECURITY UPDATE: sensitive data disclosure via duphandle read out of
        bounds
        - debian/patches/CVE-2014-3707.patch: properly copy memory area in
          lib/formdata.c, lib/strdup.{c,h}, lib/url.c, lib/urldata.h,
          src/Makefile.inc, src/tool_setup.h, src/tool_strdup.{c,h}.
        - CVE-2014-3707
    
     -- Marc Deslauriers <email address hidden>  Thu, 06 Nov 2014 10:53:58 -0500
  • curl (7.35.0-1ubuntu2.1) trusty-security; urgency=medium
    
      * SECURITY UPDATE: incorrect cookie handling via partial literal IP
        addresses
        - debian/patches/CVE-2014-3613.patch: only use full host matches for
          hosts used as IP address in lib/cookie.c, added tests to
          tests/data/test1105, tests/data/test31, tests/data/test8.
        - CVE-2014-3613
      * SECURITY UPDATE: incorrect cookie handling for TLDs
        - debian/patches/CVE-2014-3620.patch: reject incoming cookies set for
          TLDs in lib/cookie.c, added test to tests/data/test61.
        - CVE-2014-3620
    
     -- Marc Deslauriers <email address hidden>  Thu, 11 Sep 2014 08:21:24 -0400
  • curl (7.35.0-1ubuntu2) trusty; urgency=medium
    
      * SECURITY UPDATE: wrong re-use of connections
        - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
          HTTP logic, and extend new connection logic to other protocols in
          lib/http.c, lib/url.c, lib/urldata.h, add new tests to
          tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
        - CVE-2014-0138
      * SECURITY UPDATE: incorrect wildcard SSL certificate validation with
        literal IP addresses
        - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
          lib/hostcheck.c, added tests to tests/data/Makefile.am,
          tests/data/test1397, tests/unit/Makefile.inc, tests/unit/unit1397.c.
        - CVE-2014-0139
      * debian/patches/fix_test172.path: fix expired cookie causing test to
        fail.
    
     -- Marc Deslauriers <email address hidden>  Tue, 01 Apr 2014 09:25:23 -0400
  • curl (7.35.0-1ubuntu1) trusty; urgency=medium
    
      * Resynchronize on Debian, remaining changes:
        - Drop dependencies not in main:
          + Build-Depends: Drop stunnel4 and libssh2-1-dev.
          + Drop libssh2-1-dev from binary package Depends.
        - Add new libcurl3-udeb package.
        - Add new curl-udeb package.
    
    curl (7.35.0-1) unstable; urgency=high
    
      * New upstream release
        - Fix re-use of wrong HTTP NTLM connection as per CVE-2014-0015
          http://curl.haxx.se/docs/adv_20140129.html
        - Set urgency=high accordingly
      * Refresh patches
    
     -- Marc Deslauriers <email address hidden>  Fri, 31 Jan 2014 08:42:28 -0500
  • curl (7.34.0-1ubuntu1) trusty; urgency=low
    
      * Resynchronize on Debian, remaining changes
        - Drop dependencies not in main:
          + Build-Depends: Drop stunnel4 and libssh2-1-dev.
          + Drop libssh2-1-dev from binary package Depends.
        - Add new libcurl3-udeb package.
        - Add new curl-udeb package.
      * Dropped undocumented Build-Depends change to automake1.9.
    
    curl (7.34.0-1) unstable; urgency=high
    
      * New upstream release
        - Fix GnuTLS checking of a certificate CN or SAN name field when the
          digital signature verification is turned off as per CVE-2013-6422
          http://curl.haxx.se/docs/adv_20131217.html
        - Set urgency=high accordingly
      * Drop patches merged upstream:
        - 08_fix-typo.patch
        - 09_fix-urlglob.patch
    
    curl (7.33.0-2) unstable; urgency=low
    
      * Make -dev packages Multi-Arch: same too (Closes: #731309)
      * Bump Standards-Version to 3.9.5 (no changes needed)
      * Add 09_fix-urlglob.patch to fix URL globbing (Closes: #731855)
    
     -- Marc Deslauriers <email address hidden>  Fri, 20 Dec 2013 09:13:22 -0500
  • curl (7.33.0-1ubuntu1) trusty; urgency=low
    
      * Resynchronize on Debian, remaining changes
        - Drop dependencies not in main:
          + Build-Depends: Drop stunnel4 and libssh2-1-dev.
          + Drop libssh2-1-dev from binary package Depends.
        - Add new libcurl3-udeb package.
        - Add new curl-udeb package.
    
    curl (7.33.0-1) unstable; urgency=low
    
      * New upstream release
        - Handle arbitrary-length username and password (Closes: #719856)
      * Remove Luk from Uploaders as per his request (Closes: #723603)
      * Do not Build-Depends on specific automake version (Closes: #724361)
      * Fix lintian vcs-field-not-canonical
      * Add 08_fix-typo.patch
      * Refresh patches
    
    curl (7.32.0-1ubuntu1) saucy; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - Drop dependencies not in main:
          + Build-Depends: Drop stunnel4 and libssh2-1-dev.
          + Drop libssh2-1-dev from binary package Depends.
        - Add new libcurl3-udeb package.
        - Add new curl-udeb package.
      * Fixes freeipa-client join. (LP: #1220928)
    
     -- Sebastien Bacher <email address hidden>  Wed, 06 Nov 2013 10:45:28 +0100
  • curl (7.32.0-1ubuntu1) saucy; urgency=low
    
      * Merge from Debian unstable.  Remaining changes:
        - Drop dependencies not in main:
          + Build-Depends: Drop stunnel4 and libssh2-1-dev.
          + Drop libssh2-1-dev from binary package Depends.
        - Add new libcurl3-udeb package.
        - Add new curl-udeb package.
      * Fixes freeipa-client join. (LP: #1220928)
    
    curl (7.32.0-1) unstable; urgency=low
    
      * New upstream release
      * Fix typo in changelog entry for 7.31.0-1 (Closes: #714502)
      * Drop 08_typo.patch (merged upstream)
      * Drop 09_openssl-recv.patch (merged upstream)
      * Refresh 90_gnutls.patch and 99_nss.patch
      * Refresh 06_always-disable-valgrind.patch
      * Enable threaded DNS resolver (Closes: #570436)
        See NEWS.Debian for more info
    
     -- Ubuntu Merge-o-Matic <email address hidden>  Mon, 12 Aug 2013 15:39:32 +0000