Changelog

curl (7.85.0-1~bpo22.04.1~ppa1) jammy; urgency=medium

  * No-change backport to jammy.

curl (7.85.0-1) unstable; urgency=medium

  * New upstream version 7.85.0
    - Fix control code in cookie denial of service:
      When curl retrieves and parses cookies from an HTTP(S) server, it
      accepts cookies using control codes (byte values below 32). When cookies
      that contain such control codes are later sent back to an HTTP(S) server,
      it might make the server return a 400 response, effectively allowing a
      "sister site" to deny service to siblings
      (closes: #1018831, CVE-2022-35252)
    - Fix FTBFS on riscv64 with gcc-12 (closes: #1015835)
  * Bump Standards-Version to 4.6.1
  * Add lintian overrides for old-style-config-script-multiarch-path triggered
    for curl-config
  * d/patches:
    - 11_omit-directories-from-config.patch: Update patch
    - 20_ftbfs_import_sched.patch: Drop patch, applied upstream
  * d/rules: Fix configure args, remove bogus '--without-ssl'
  * d/copyright: Update the whole file
  * d/(control|watch): Update upstream's URL

curl (7.84.0-2) unstable; urgency=medium

  * d/p/20_ftbfs_import_sched.patch: New upstream patch to fix FTBFS
    (closes: #1014596)

curl (7.84.0-1) unstable; urgency=medium

  * New upstream version 7.84.0
    - Fix the following CVEs:
      ~ Improper Enforcement of Message Integrity During Transmission in a
        Communication Channel (CVE-2022-32208)
      ~ Improper Preservation of Permissions (CVE-2022-32207)
      ~ Allocation of Resources Without Limits or Throttling (CVE-2022-32205,
        CVE-2022-32206)

curl (7.83.1-2) unstable; urgency=medium

  * d/p/fix_multiline_header_regression.patch: New upstream patch to fix
    regression (closes: #1012263, #1011696)

curl (7.83.1-1) unstable; urgency=medium

  * New upstream version 7.83.1
    - Fix the following CVEs:
      ~ HSTS bypass via trailing dot (CVE-2022-30115)
      ~ TLS and SSH connection too eager reuse (CVE-2022-27782)
      ~ CERTINFO never-ending busy-loop (CVE-2022-27781)
      ~ percent-encoded path separator in URL host (CVE-2022-27780)
      ~ cookie for trailing dot TLD (CVE-2022-27779)
      ~ curl removes wrong file on error (CVE-2022-27778)

curl (7.83.0-1) unstable; urgency=medium

  * New upstream version 7.83.0
    - Fix auth/cookie leak on redirect (closes: #1010252, CVE-2022-27776)
    - Fix bad local IPv6 connection reuse (closes: #1010253, CVE-2022-27775)
    - Fix credential leak on redirect (closes: #1010254, CVE-2022-27774)
    - Fix OAUTH2 bearer bypass in connection re-use
      (closes: #1010295, CVE-2022-22576)
  * d/libcurl*.symbols: update symbols files to add curl_easy_header and
    curl_easy_nextheader
  * d/patches:
    - Refresh patches
    - 12_fix_openssl_cm_check.patch: remove patch, applied upstream

curl (7.82.0-2) unstable; urgency=medium

  * d/p/12_fix_openssl_cm_check.patch: New upstream patch to fix openssl CN
    check (closes: #1007739, #1007740)
  * d/control:
    - Set libcurl4-doc as Multi-Arch: foreign
    - Remove ancient version requirements for dependencies
  * d/salsa-ci.yml: Disable reprotest until it acknowledges
    SALSA_CI_DPKG_BUILDPACKAGE_ARGS

curl (7.82.0-1) unstable; urgency=medium

  * New upstream version 7.82.0
  * d/salsa-ci.yml: Add CI definition customized to skip tests (nocheck), to
    avoid long build times
  * Update and refresh patches: 13_fix-man-formatting.patch has been merged
    upstream
  * d/rules:
    - Add --with-nss-deprecated, required to build with nss now
      (upstream will drop support in August)
    - Look for nocheck build profile in DEB_BUILD_PROFILES instead of
      DEB_BUILD_OPTIONS (wider coverage)

 -- Nico Onorata <email address hidden>  Sun, 18 Sep 2022 21:49:56 +0200

Package files

No files published for this package.