Format: 1.8
Date: Tue, 03 Mar 2015 00:40:34 -0500
Source: curl
Binary: curl curl-udeb libcurl3 libcurl3-udeb libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg libcurl4-doc
Architecture: source
Version: 7.35.0-1ubuntu2.3~ubuntu12.04.1~ppa1
Distribution: precise
Urgency: high
Maintainer: Ubuntu Developers
Changed-By: Stéphane Graber
Description:
 curl - command line tool for transferring data with URL syntax
 curl-udeb - Get a file from an HTTP, HTTPS or FTP server (udeb)
 libcurl3 - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl3-udeb - Multi-protocol file transfer library (OpenSSL) (udeb)
 libcurl4-doc - documentation for libcurl
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 546607 570436 624024 628697 644126 648902 650498 651619 658276 659591 666089 670126 685402 690551 690764 690968 693110 700002 701713 704093 705274 705783 712585 714050 714502 719856 723603 724361 731309 731855
Launchpad-Bugs-Fixed: 855291 1003049 1124508 1220928
Changes:
 curl (7.35.0-1ubuntu2.3~ubuntu12.04.1~ppa1) precise; urgency=medium
 .
   * No-change backport to precise
 .
 curl (7.35.0-1ubuntu2.3) trusty-security; urgency=medium
 .
   * SECURITY UPDATE: URL request injection
     - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
       lib/url.c, added test to tests/data/Makefile.am, tests/data/test1529,
       tests/libtest/Makefile.inc, tests/libtest/lib1529.c.
     - CVE-2014-8150
 .
 curl (7.35.0-1ubuntu2.2) trusty-security; urgency=medium
 .
   * SECURITY UPDATE: sensitive data disclosure via duphandle read out of
     bounds
     - debian/patches/CVE-2014-3707.patch: properly copy memory area in
       lib/formdata.c, lib/strdup.{c,h}, lib/url.c, lib/urldata.h,
       src/Makefile.inc, src/tool_setup.h, src/tool_strdup.{c,h}.
     - CVE-2014-3707
 .
 curl (7.35.0-1ubuntu2.1) trusty-security; urgency=medium
 .
   * SECURITY UPDATE: incorrect cookie handling via partial literal IP
     addresses
     - debian/patches/CVE-2014-3613.patch: only use full host matches for
       hosts used as IP address in lib/cookie.c, added tests to
       tests/data/test1105, tests/data/test31, tests/data/test8.
     - CVE-2014-3613
   * SECURITY UPDATE: incorrect cookie handling for TLDs
     - debian/patches/CVE-2014-3620.patch: reject incoming cookies set for
       TLDs in lib/cookie.c, added test to tests/data/test61.
     - CVE-2014-3620
 .
 curl (7.35.0-1ubuntu2) trusty; urgency=medium
 .
   * SECURITY UPDATE: wrong re-use of connections
     - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
       HTTP logic, and extend new connection logic to other protocols in
       lib/http.c, lib/url.c, lib/urldata.h, add new tests to
       tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
     - CVE-2014-0138
   * SECURITY UPDATE: incorrect wildcard SSL certificate validation with
     literal IP addresses
     - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
       lib/hostcheck.c, added tests to tests/data/Makefile.am,
       tests/data/test1397, tests/unit/Makefile.inc, tests/unit/unit1397.c.
     - CVE-2014-0139
   * debian/patches/fix_test172.path: fix expired cookie causing test to
     fail.
 .
 curl (7.35.0-1ubuntu1) trusty; urgency=medium
 .
   * Resynchronize on Debian, remaining changes:
     - Drop dependencies not in main:
       + Build-Depends: Drop stunnel4 and libssh2-1-dev.
       + Drop libssh2-1-dev from binary package Depends.
     - Add new libcurl3-udeb package.
     - Add new curl-udeb package.
 .
 curl (7.35.0-1) unstable; urgency=high
 .
   * New upstream release
     - Fix re-use of wrong HTTP NTLM connection as per CVE-2014-0015
       http://curl.haxx.se/docs/adv_20140129.html
     - Set urgency=high accordingly
   * Refresh patches
 .
 curl (7.34.0-1ubuntu1) trusty; urgency=low
 .
   * Resynchronize on Debian, remaining changes
     - Drop dependencies not in main:
       + Build-Depends: Drop stunnel4 and libssh2-1-dev.
       + Drop libssh2-1-dev from binary package Depends.
     - Add new libcurl3-udeb package.
     - Add new curl-udeb package.
   * Dropped undocumented Build-Depends change to automake1.9.
 .
 curl (7.34.0-1) unstable; urgency=high
 .
   * New upstream release
     - Fix GnuTLS checking of a certificate CN or SAN name field when the
       digital signature verification is turned off as per CVE-2013-6422
       http://curl.haxx.se/docs/adv_20131217.html
     - Set urgency=high accordingly
   * Drop patches merged upstream:
     - 08_fix-typo.patch
     - 09_fix-urlglob.patch
 .
 curl (7.33.0-2) unstable; urgency=low
 .
   * Make -dev packages Multi-Arch: same too (Closes: #731309)
   * Bump Standards-Version to 3.9.5 (no changes needed)
   * Add 09_fix-urlglob.patch to fix URL globbing (Closes: #731855)
 .
 curl (7.33.0-1ubuntu1) trusty; urgency=low
 .
   * Resynchronize on Debian, remaining changes
     - Drop dependencies not in main:
       + Build-Depends: Drop stunnel4 and libssh2-1-dev.
       + Drop libssh2-1-dev from binary package Depends.
     - Add new libcurl3-udeb package.
     - Add new curl-udeb package.
 .
 curl (7.33.0-1) unstable; urgency=low
 .
   * New upstream release
     - Handle arbitrary-length username and password (Closes: #719856)
   * Remove Luk from Uploaders as per his request (Closes: #723603)
   * Do not Build-Depends on specific automake version (Closes: #724361)
   * Fix lintian vcs-field-not-canonical
   * Add 08_fix-typo.patch
   * Refresh patches
 .
 curl (7.32.0-1ubuntu1) saucy; urgency=low
 .
   * Merge from Debian unstable. Remaining changes:
     - Drop dependencies not in main:
       + Build-Depends: Drop stunnel4 and libssh2-1-dev.
       + Drop libssh2-1-dev from binary package Depends.
     - Add new libcurl3-udeb package.
     - Add new curl-udeb package.
   * Fixes freeipa-client join. (LP: #1220928)
 .
 curl (7.32.0-1) unstable; urgency=low
 .
   * New upstream release
   * Fix typo in changelog entry for 7.31.0-1 (Closes: #714502)
   * Drop 08_typo.patch (merged upstream)
   * Drop 09_openssl-recv.patch (merged upstream)
   * Refresh 90_gnutls.patch and 99_nss.patch
   * Refresh 06_always-disable-valgrind.patch
   * Enable threaded DNS resolver (Closes: #570436)
     See NEWS.Debian for more info
 .
 curl (7.31.0-2ubuntu1) saucy; urgency=low
 .
   * Merge from Debian, Remaining changes:
     - Drop dependencies not in main:
       + Build-Depends: Drop stunnel4 and libssh2-1-dev.
       + Drop libssh2-1-dev from binary package Depends.
     - Add new libcurl3-udeb package.
     - Add new curl-udeb package.
 .
 curl (7.31.0-2) unstable; urgency=high
 .
   * Add 09_openssl-recv.patch to fix incorrect OpenSSL usage
     (Closes: #714050)
   * Set urgency=high because of the security fix in the previous upload
 .
 curl (7.31.0-1ubuntu1) saucy; urgency=low
 .
   * Resynchronize on Debian. Remaining changes:
     - Drop dependencies not in main:
       + Build-Depends: Drop stunnel4 and libssh2-1-dev.
       + Drop libssh2-1-dev from binary package Depends.
     - Add new libcurl3-udeb package.
     - Add new curl-udeb package.
 .
 curl (7.31.0-1) unstable; urgency=low
 .
   * New upstream release
     - Fix URL decode buffer boundary flaw as per CVE-2013-2174
       http://curl.haxx.se/docs/adv_20130622.html
   * Make curl Multi-Arch: foreign (Closes: #712585)
   * Drop 08_reset-timecond.patch (merged upstream)
   * Refresh patches
   * Add 08_typo.patch to fix a couple of typos in one of the manpages
 .
 curl (7.30.0-2) unstable; urgency=low
 .
   * Move textual docs to the -doc package too
   * Move manpages from -dev packages to -doc as well
     - Add Breaks+Replaces accordingly
   * Remove outdated Replaces/Conflicts
   * Update watch file version to 3
   * Add 08_reset-timecond.patch (Closes: #705783)
 .
 curl (7.30.0-1ubuntu1) saucy; urgency=low
 .
   * Resynchronize on Debian.
     Remaining changes:
     - Drop dependencies not in main:
       + Build-Depends: Drop stunnel4 and libssh2-1-dev.
       + Drop libssh2-1-dev from binary package Depends.
     - Add new libcurl3-udeb package.
     - Add new curl-udeb package.
   * Add warning to debian/patches/series.
 .
 curl (7.30.0-1) unstable; urgency=low
 .
   * New upstream release
   * Update upstream copyright years
   * Drop patches merged upstream:
     - 08_NULL-pointer-dereference-on-close.patch
     - 09_CVE-213-1944.patch
     - 10_test1218-another-cookie-tailmatch-test.patch
   * Update patches:
     - 03_keep_symbols_compat.patch
     - 90_gnutls.patch
     - 99_nss.patch
   * Add libcurl4-doc package:
     - Move *.pdf and *.html files to the libcurl4-doc package
     - Add Suggests for -doc package to -dev packages
     - Move examples to the -doc package
   * Add Build-Depends on python which is used by some tests
 .
 curl (7.29.0-2.1) unstable; urgency=high
 .
   * Non-maintainer upload.
 .
   [ Alessandro Ghedini ]
   * Do not compress *.pdf files (Closes: #704093)
 .
   [ Salvatore Bonaccorso ]
   * Add 09_CVE-213-1944.patch.
     Fix CVE-2013-1944: fix tailmatching to prevent cross-domain leakage.
     Cookies set for 'example.com' could accidentally also be sent by
     libcurl to the 'bexample.com' (ie with a prefix to the first domain
     name). (Closes: #705274)
   * Add testcase for CVE-2013-1944.
 .
 curl (7.29.0-2) unstable; urgency=low
 .
   * Fix a segfault when closing an unused multi handle (Closes: #701713)
   * Mention LDAPS in packages' long descriptions
   * Clean-up d/rules
     - Switch to short-form dh
     - Enable test suite on hurd and kfreebsd too
     - Enable GSSAPI support on hurd too
 .
 curl (7.29.0-1ubuntu3) raring; urgency=low
 .
   * SECURITY UPDATE: Incorrect cookie domain handling in tailmatch()
     - debian/patches/09_curl-tailmatch.patch: enforce strict subdomain
       match when sending cookies. Patch from YAMADA Yasuharu.
     - http://curl.haxx.se/curl-tailmatch.patch
     - CVE-2013-1944
 .
 curl (7.29.0-1ubuntu2) raring; urgency=low
 .
   * debian/patches/08_lp1124508.patch: Backport fix for upstream bug 1194,
     segfault in curl_multi_cleanup() when multi->closure_handle is NULL.
     (LP: #1124508)
 .
 curl (7.29.0-1ubuntu1) raring; urgency=low
 .
   * Resynchronise with Debian. Remaining changes:
     - Drop dependencies not in main:
       + Build-Depends: Drop stunnel4 and libssh2-1-dev.
       + Drop libssh2-1-dev from binary package Depends.
     - Add new libcurl3-udeb package.
     - Add new curl-udeb package.
   * Add warning to debian/patches/series.
 .
 curl (7.29.0-1) unstable; urgency=high
 .
   * New upstream release
     - Fix buffer overflow when negotiating SASL DIGEST-MD5 authentication
       as per CVE-2013-0249 (Closes: #700002)
       http://curl.haxx.se/docs/adv_20130206.html
     - Set urgency=high accordingly
   * Install all the examples
   * Update 90_gnutls.patch and 99_nss.patch
   * Refresh patches
   * Correctly pass CPPFLAGS to ./configure
   * Upload to unstable
 .
 curl (7.28.1-1) experimental; urgency=low
 .
   * New upstream release
   * Drop 05_fix-git-over-https.patch and 08_fix-git-auth.patch
     (merged upstream)
   * Update 07_do-not-disable-debug-symbols.patch
   * Refresh patches
   * Add NEWS entry about change in CURLOPT_SSL_VERIFYHOST semantics
 .
 curl (7.28.0-3ubuntu1) raring; urgency=low
 .
   * Resynchronise with Debian. Remaining changes:
     - Drop dependencies not in main:
       + Build-Depends: Drop stunnel4 and libssh2-1-dev.
       + Drop libssh2-1-dev from binary package Depends.
     - Add new libcurl3-udeb package.
     - Add new curl-udeb package.
 .
 curl (7.28.0-3) unstable; urgency=low
 .
   * Add 07_do-not-disable-debug-symbols.patch, do not pass --enable-debug
     anymore (Closes: #693110)
   * Update 05_fix-git-over-https.patch to reflect new upstream patch
   * Add 08_fix-git-auth.patch to fix HTTPS authentication
     (Closes: #690764)
 .
 curl (7.28.0-2ubuntu2) raring; urgency=low
 .
   * Turn debian/libcurl3-udeb.install and debian/libcurl3-udeb.links back
     into symlinks.
 .
 curl (7.28.0-2ubuntu1) raring; urgency=low
 .
   * Resynchronise with Debian.
     Remaining changes:
     - Drop dependencies not in main:
       + Build-Depends: Drop stunnel4 and libssh2-1-dev.
       + Drop libssh2-1-dev from binary package Depends.
     - Add new libcurl3-udeb package.
     - Add new curl-udeb package.
 .
 curl (7.28.0-2) unstable; urgency=low
 .
   * Add 05_fix-git-over-https.patch (Closes: #690551)
   * Add 06_always-disable-valgrind.patch (Closes: #690968)
 .
 curl (7.28.0-1) unstable; urgency=low
 .
   * New upstream release
     - gnutls: do not fail on non-fatal handshake errors (Closes: #685402)
   * Remove versioned build depends on libssh2 (already in stable)
   * Bump Standards-Version to 3.9.4 (no changes needed)
   * Refresh 01_runtests_gdb.patch
   * Update *.symbols files
   * Build depend on ca-certificates to avoid test failure
 .
 curl (7.27.0-1ubuntu1) quantal; urgency=low
 .
   * Resynchronise with Debian. Remaining changes:
     - Drop dependencies not in main:
       + Build-Depends: Drop stunnel4 and libssh2-1-dev.
       + Drop libssh2-1-dev from binary package Depends.
     - Add new libcurl3-udeb package.
     - Add new curl-udeb package.
 .
 curl (7.27.0-1) unstable; urgency=low
 .
   * New upstream release
   * Update upstream copyright
   * Refresh 01_runtests_gdb.patch, 90_gnutls.patch and 99_nss.patch
 .
 curl (7.26.0-1ubuntu1) quantal; urgency=low
 .
   * Resynchronise with Debian. Remaining changes:
     - Drop dependencies not in main:
       + Build-Depends: Drop stunnel4 and libssh2-1-dev.
       + Drop libssh2-1-dev from binary package Depends.
     - Add new libcurl3-udeb package.
     - Add new curl-udeb package.
   * Adjust udeb configure flags handling to something easier to merge in
     future.
 .
 curl (7.26.0-1) unstable; urgency=low
 .
   * New upstream release
     - Reject numerical IPv6 addresses outside brackets (Closes: #670126)
   * Email change: Alessandro Ghedini -> ghedo@debian.org
   * Stricter Depends on libcurl3 (Closes: #666089)
   * Remove Ramakrishnan (as per his request), move myself to Maintainer
     Thank you for all your work so far
   * Disable memory tracking, but keep debug enabled
     - Remove memdebug symbols (used by curl only)
   * Refresh 01_runtests_gdb.patch, 90_gnutls.patch and 99_nss.patch
   * Disable not-quite-working symbols hiding
 .
 curl (7.25.0-1ubuntu2) quantal; urgency=low
 .
   * Drop libssh2-1-dev Depends (not in main) from libcurl4-gnutls-dev and
     libcurl4-nss-dev too.
 .
 curl (7.25.0-1ubuntu1) quantal; urgency=low
 .
   * Merge from Debian testing (LP: #1003049). Remaining changes:
     - Drop dependencies not in main:
       + Build-Depends: Drop stunnel4 and libssh2-1-dev.
       + Drop libssh2-1-dev from libcurl4-openssl-dev's Depends.
     - Add new libcurl3-udeb package.
     - Add new curl-udeb package.
     - Also closes (LP: #855291)
   * debian/patches/CVE-2012-0036.patch: Dropped. CVE resolved upstream.
 .
 curl (7.25.0-1) unstable; urgency=low
 .
   * New upstream release
     - Add --ssl-allow-beast and CURLOPT_SSL_OPTIONS (Closes: #658276)
     - Allow negative numbers as option value (Closes: #659591)
   * Add libssh2-1-dev to libcurl4-gnutls-dev and libcurl4-nss-dev Depends
   * Bump debhelper compat level to 9
     - Make *.links files executable to simplify rules file
   * Pass --as-needed ld flag to avoid unneeded dependencies
     - Add workaround_as_needed_bug to workaround a libtool bug
     - Drop dont_link_to_krb5 (not needed because of --as-needed)
   * Do some clean-up in debian/rules
   * Update debian/copyright format as in Debian Policy 3.9.3
   * Bump Standards-Version to 3.9.3
   * Explicit Conflicts in -dev packages (fixes binaries-have-file-conflict)
   * Add openssh-server to build depends to enable some more tests
   * Update upstream copyright years
   * Refresh patches
 .
 curl (7.24.0-1) unstable; urgency=high
 .
   * New upstream release
     - Improve documentation for the --capath option (Closes: #628697)
     - Fix URL sanitization vulnerability as per CVE-2012-0036
       http://curl.haxx.se/docs/adv_20120124.html
     - Fix SSL CBC IV vulnerability as per CVE-2011-3389
       http://curl.haxx.se/docs/adv_20120124B.html
     - Set urgency=high accordingly
   * Remove curl_links_with_rt patch (curl links to librt anyway)
   * Improve descriptions of -dev and -dbg packages
   * Drop fix_manpage_spelling and versioned patches (merged upstream)
   * Refresh patches
   * Add keep_symbols_compat patch to not break backwards ABI compatibility
   * Enable libssh2 support for GnuTLS and NSS flavours too (libssh2 now
     uses libgcrypt instead of libssl)
 .
 curl (7.23.1-3) unstable; urgency=low
 .
   * Enable security hardening flags
   * Remove libdb-dev from B-D (not used)
   * Improve short and long descriptions
   * Provide proper *.symbols files (Closes: #651619)
   * Do not version Curl_* symbols (for internal use only)
   * Do not override dh_makeshlibs version anymore
 .
 curl (7.23.1-2) unstable; urgency=low
 .
   * Bump shlibs version for libcurl3-nss (Closes: #650498)
 .
 curl (7.23.1-1) unstable; urgency=low
 .
   * New upstream release
     - Do not use gnutls_priority_set_direct and
       gnutls_certificate_type_set_priority anymore (Closes: #624024)
   * Refresh patches
   * Add --enable-debug flag to configure (Closes: #648902)
   * One Provides/Replaces per line
   * libcurl4-openssl-dev Provides libcurl4-dev too (Closes: #644126)
   * Specify only 3 components for Standards-Version (the fourth is not
     really needed)
   * Move ca-certificates to Recommends in lib* packages (Closes: #546607)
   * Add NSS flavour to versioned symbols
Checksums-Sha1:
 e742d7eb2e17367982ffe1546f4bb36576a3d3bb 2813 curl_7.35.0-1ubuntu2.3~ubuntu12.04.1~ppa1.dsc
 35c2b1f8c56912ab7bebaa61cf4494c94a0ed0d1 3544496 curl_7.35.0.orig.tar.gz
 0ab28ee0e9b0c0020ffbda3407a8e9729447a4c6 44817 curl_7.35.0-1ubuntu2.3~ubuntu12.04.1~ppa1.debian.tar.gz
Checksums-Sha256:
 818d3b65aac1414bad75931df77367708d97b5c62e8094cf1940696ae67cd958 2813 curl_7.35.0-1ubuntu2.3~ubuntu12.04.1~ppa1.dsc
 917d118fc5d61e9dd1538d6519bd93bbebf2e866882419781c2e0fdb2bc42121 3544496 curl_7.35.0.orig.tar.gz
 1648f38c9122f4ccd9f93415352f152047c0e9f142ef78df0fa43ea66ce26627 44817 curl_7.35.0-1ubuntu2.3~ubuntu12.04.1~ppa1.debian.tar.gz
Files:
 63561dc92c33ccbf23208d200a561cac 2813 web optional curl_7.35.0-1ubuntu2.3~ubuntu12.04.1~ppa1.dsc
 f5ae45ed6e86debb721b68392b5ce13c 3544496 web optional curl_7.35.0.orig.tar.gz
 86d4cdd54b4803c027fae4ff6da45753 44817 web optional curl_7.35.0-1ubuntu2.3~ubuntu12.04.1~ppa1.debian.tar.gz
Original-Maintainer: Alessandro Ghedini