Change logs for curl source package in Xenial

  • curl (7.47.0-1ubuntu2.8) xenial-security; urgency=medium
    
      * SECURITY UPDATE: RTSP bad headers buffer over-read
        - debian/patches/CVE-2018-1000301.patch: restore buffer pointer when
          bad response-line is parsed in lib/http.c.
        - CVE-2018-1000301
    
     -- Marc Deslauriers <email address hidden>  Tue, 08 May 2018 13:52:59 -0400
  • curl (7.47.0-1ubuntu2.7) xenial-security; urgency=medium
    
      * SECURITY UPDATE: FTP path trickery leads to NIL byte OOB write
        - debian/patches/CVE-2018-1000120-pre1.patch: avoid using
          curl_easy_unescape() internally in lib/ftp.c.
        - debian/patches/CVE-2018-1000120-pre2.patch: URL decode path for dir
          listing in nocwd mode in lib/ftp.c, add test to tests/*.
        - debian/patches/CVE-2018-1000120-pre3.patch: remove dead code in
          ftp_done in lib/ftp.c.
        - debian/patches/CVE-2018-1000120-pre4.patch: don't clobber the passed
          in error code in lib/ftp.c.
        - debian/patches/CVE-2018-1000120.patch: reject path components with
          control codes in lib/ftp.c, add test to tests/*.
        - CVE-2018-1000120
      * SECURITY UPDATE: LDAP NULL pointer dereference
        - debian/patches/CVE-2018-1000121.patch: check ldap_get_attribute_ber()
          results for NULL before using in lib/openldap.c.
        - CVE-2018-1000121
      * SECURITY UPDATE: RTSP RTP buffer over-read
        - debian/patches/CVE-2018-1000122.patch: make sure excess reads don't
          go beyond buffer end in lib/transfer.c.
        - CVE-2018-1000122
    
     -- Marc Deslauriers <email address hidden>  Wed, 14 Mar 2018 09:04:46 -0400
  • curl (7.47.0-1ubuntu2.6) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Out of bounds read in code handling HTTP/2
        - debian/patches/CVE-2018-1000005.patch: fix incorrect
          trailer buffer size in lib/http2.c.
        - CVE-2018-1000005
      * SECURITY UPDATE: leak authentication data
        - debian/patches/CVE-2018-1000007.patch: prevent custom
          authorization headers in redirects in lib/http.c,
          lib/url.c, lib/urldata.h, tests/data/Makefile.in,
          tests/data/test317, tests/data/test318.
        - CVE-2018-1000007
    
     -- <email address hidden> (Leonidas S. Barbosa)  Mon, 29 Jan 2018 16:06:08 -0300
  • curl (7.47.0-1ubuntu2.5) xenial-security; urgency=medium
    
      * SECURITY UPDATE: NTLM buffer overflow via integer overflow
        - debian/patches/CVE-2017-8816.patch: avoid integer overflow for malloc
          size in lib/curl_ntlm_core.c.
        - CVE-2017-8816
      * SECURITY UPDATE: FTP wildcard out of bounds read
        - debian/patches/CVE-2017-8817.patch: fix heap buffer overflow in
          setcharset in lib/curl_fnmatch.c, added tests to
          tests/data/Makefile.inc, tests/data/test1163.
        - CVE-2017-8817
    
     -- Marc Deslauriers <email address hidden>  Tue, 28 Nov 2017 08:03:58 -0500
  • curl (7.47.0-1ubuntu2.4) xenial-security; urgency=medium
    
      * SECURITY UPDATE: IMAP FETCH response out of bounds read
        - debian/patches/CVE-2017-1000257.patch: check size in lib/imap.c.
        - CVE-2017-1000257
    
     -- Marc Deslauriers <email address hidden>  Tue, 17 Oct 2017 13:53:46 -0400
  • curl (7.47.0-1ubuntu2.3) xenial-security; urgency=medium
    
      * SECURITY UPDATE: printf floating point buffer overflow
        - debian/patches/CVE-2016-9586.patch: fix floating point buffer
          overflow issues in lib/mprintf.c, added test to tests/data/test557,
          tests/libtest/lib557.c.
        - CVE-2016-9586
      * SECURITY UPDATE: TFTP sends more than buffer size
        - debian/patches/CVE-2017-1000100.patch: reject file name lengths that
          don't fit in lib/tftp.c.
        - CVE-2017-1000100
      * SECURITY UPDATE: URL globbing out of bounds read
        - debian/patches/CVE-2017-1000101.patch: do not continue parsing after
          a strtoul() overflow range in src/tool_urlglob.c, added test to
          tests/data/Makefile.inc, tests/data/test1289.
        - CVE-2017-1000101
      * SECURITY UPDATE: FTP PWD response parser out of bounds read
        - debian/patches/CVE-2017-1000254.patch: zero terminate the entry path
          even on bad input in lib/ftp.c, added test to
          tests/data/Makefile.inc, tests/data/test1152.
        - CVE-2017-1000254
      * SECURITY UPDATE: --write-out out of buffer read
        - debian/patches/CVE-2017-7407-1.patch: fix a buffer read overrun in
          src/tool_writeout.c, added test to tests/data/Makefile.inc,
          tests/data/test1440, tests/data/test1441.
        - debian/patches/CVE-2017-7407-2.patch: check for end of input in
          src/tool_writeout.c, added test to tests/data/Makefile.inc,
          tests/data/test1442.
        - CVE-2017-7407
    
     -- Marc Deslauriers <email address hidden>  Wed, 04 Oct 2017 08:52:42 -0400
  • curl (7.47.0-1ubuntu2.2) xenial-security; urgency=medium
    
      * SECURITY UPDATE: Incorrect reuse of client certificates with NSS
        - debian/patches/CVE-2016-7141.patch: refuse previously loaded
          certificate from file in lib/vtls/nss.c.
        - CVE-2016-7141
      * SECURITY UPDATE: curl escape and unescape integer overflows
        - debian/patches/CVE-2016-7167.patch: deny negative string length
          inputs in lib/escape.c.
        - CVE-2016-7167
      * SECURITY UPDATE: cookie injection for other servers
        - debian/patches/CVE-2016-8615.patch: ignore lines that are too long in
          lib/cookie.c.
        - CVE-2016-8615
      * SECURITY UPDATE: case insensitive password comparison
        - debian/patches/CVE-2016-8616.patch: use case sensitive user/password
          comparisons in lib/url.c.
        - CVE-2016-8616
      * SECURITY UPDATE: OOB write via unchecked multiplication
        - debian/patches/CVE-2016-8617.patch: check for integer overflow on
          large input in lib/base64.c.
        - CVE-2016-8617
      * SECURITY UPDATE: double-free in curl_maprintf
        - debian/patches/CVE-2016-8618.patch: detect wrap-around when growing
          allocation in lib/mprintf.c.
        - CVE-2016-8618
      * SECURITY UPDATE: double-free in krb5 code
        - debian/patches/CVE-2016-8619.patch: avoid realloc in lib/security.c.
        - CVE-2016-8619
      * SECURITY UPDATE: glob parser write/read out of bounds
        - debian/patches/CVE-2016-8620.patch: stay within bounds in
          src/tool_urlglob.c.
        - CVE-2016-8620
      * SECURITY UPDATE: curl_getdate read out of bounds
        - debian/patches/CVE-2016-8621.patch: handle cut off numbers better in
          lib/parsedate.c, added tests to tests/data/test517,
          tests/libtest/lib517.c.
        - CVE-2016-8621
      * SECURITY UPDATE: URL unescape heap overflow via integer truncation
        - debian/patches/CVE-2016-8622.patch: avoid integer overflow in
          lib/dict.c, lib/escape.c, update docs/libcurl/curl_easy_unescape.3.
        - CVE-2016-8622
      * SECURITY UPDATE: Use-after-free via shared cookies
        - debian/patches/CVE-2016-8623.patch: hold deep copies of all cookies
          in lib/cookie.c, lib/cookie.h, lib/http.c.
        - CVE-2016-8623
      * SECURITY UPDATE: invalid URL parsing with #
        - debian/patches/CVE-2016-8624.patch: accept # as end of host name in
          lib/url.c.
        - CVE-2016-8624
    
     -- Marc Deslauriers <email address hidden>  Wed, 02 Nov 2016 14:24:49 -0400
  • curl (7.47.0-1ubuntu2.1) xenial-security; urgency=medium
    
      * SECURITY UPDATE: TLS session resumption client cert bypass
        - debian/patches/CVE-2016-5419.patch: switch off SSL session id when
          client cert is used in lib/url.c, lib/urldata.h, lib/vtls/vtls.c.
        - CVE-2016-5419
      * SECURITY UPDATE: re-using connections with wrong client cert
        - debian/patches/CVE-2016-5420.patch: only reuse connections with the
          same client cert in lib/vtls/vtls.c.
        - CVE-2016-5420
      * SECURITY UPDATE: use of connection struct after free
        - debian/patches/CVE-2016-5421.patch: clear connection pointer for easy
          handles in lib/multi.c.
        - CVE-2016-5421
    
     -- Marc Deslauriers <email address hidden>  Fri, 05 Aug 2016 11:17:47 -0400
  • curl (7.47.0-1ubuntu2) xenial; urgency=medium
    
      * No-change rebuild for gnutls transition.
    
     -- Matthias Klose <email address hidden>  Wed, 17 Feb 2016 22:40:53 +0000
  • curl (7.47.0-1ubuntu1) xenial; urgency=medium
    
      * Merge from Debian. Remaining changes:
        - Drop dependencies not in main:
          + Build-Depends: Drop stunnel4, libssh2-1-dev, and libnghttp2-dev.
          + Drop libssh2-1-dev from binary package Depends.
          + debian/control: drop --with-nghttp2
        - Switch build depends from transitional libgnutls28-dev to
          libgnutls-dev
    
    curl (7.47.0-1) unstable; urgency=high
    
      * New upstream release
        - Fix NTLM credentials not-checked for proxy connection re-use
          as per CVE-2016-0755
          http://curl.haxx.se/docs/adv_20160127A.html
        - Set urgency=high accordingly
      * Remove hard-coded dependency on libgnutls (Closes: #812542)
      * Drop 08_fix-zsh-completion.patch (merged upstream)
      * Refresh patches
    
     -- Marc Deslauriers <email address hidden>  Wed, 27 Jan 2016 14:59:25 -0500
  • curl (7.46.0-1ubuntu1) xenial; urgency=medium
    
      * Merge from Debian. Remaining changes:
        - Drop dependencies not in main:
          + Build-Depends: Drop stunnel4, libssh2-1-dev, and libnghttp2-dev.
          + Drop libssh2-1-dev from binary package Depends.
          + debian/control: drop --with-nghttp2
        - Switch build depends from transitional libgnutls28-dev to
          libgnutls-dev
    
    curl (7.46.0-1) unstable; urgency=medium
    
      * New upstream release
        - Initialize OpenSSL algorithms after loading config (Closes: #805408)
      * Install curl zsh completion (Closes: #805509)
        - Add 08_fix-zsh-completion.patch to fix zsh completion generation
    
     -- Marc Deslauriers <email address hidden>  Fri, 22 Jan 2016 09:38:38 -0500
  • curl (7.45.0-1ubuntu1) xenial; urgency=medium
    
      * Merge from Debian. Remaining changes:
        - Drop dependencies not in main:
          + Build-Depends: Drop stunnel4, libssh2-1-dev, and libnghttp2-dev.
          + Drop libssh2-1-dev from binary package Depends.
          + debian/control: drop --with-nghttp2
        - Switch build depends from transitional libgnutls28-dev to
          libgnutls-dev
    
    curl (7.45.0-1) unstable; urgency=medium
    
      * New upstream release
      * Drop 08_spelling.patch (merged upstream)
    
    curl (7.44.0-2) unstable; urgency=medium
    
      * Enable HTTP/2 support (Closes: #796302)
    
    curl (7.44.0-1) unstable; urgency=medium
    
      * New upstream release
      * Refresh patches
      * Update symbols files
      * Add 08_spelling.patch to fix some spelling errors
    
     -- Marc Deslauriers <email address hidden>  Wed, 04 Nov 2015 15:47:36 -0600
  • curl (7.43.0-1ubuntu2) wily; urgency=medium
    
      * debian/control:
        - Switch build depends from transitional libgnutls28-dev to libgnutls-dev
    
     -- Robert Ancell <email address hidden>  Tue, 11 Aug 2015 11:41:50 +1200