Changelog
curl (7.64.0-4+deb10u2) buster-security; urgency=high

  * Fix partial password leak over DNS on HTTP redirect as per CVE-2020-8169
    (Closes: #965280)
    https://curl.haxx.se/docs/CVE-2020-8169.html
  * Fix local file overwrite as per CVE-2020-8177 (Closes: #965281)
    https://curl.se/docs/CVE-2020-8177.html
  * Fix use of wrong connect-only connection as per CVE-2020-8231
    (Closes: #968831)
    https://curl.se/docs/CVE-2020-8231.html
  * Don't trust FTP PASV responses by default as per CVE-2020-8284
    (Closes: #977163)
  * Fix FTP wildcard stack overflow as per CVE-2020-8285 (Closes: #977162)
    https://curl.se/docs/CVE-2020-8285.html
  * Make the OCSP verification verify the certificate id as per CVE-2020-8286
    (Closes: #977161)
    https://curl.se/docs/CVE-2020-8286.html
  * Fix credentials leak with automatic referer as per CVE-2021-22876
    https://curl.se/docs/CVE-2021-22876.html
  * Fix TLS 1.3 session ticket proxy host mixup as per CVE-2021-22890
    https://curl.se/docs/CVE-2021-22890.html

 -- Alessandro Ghedini <email address hidden>  Tue, 30 Mar 2021 21:56:00 +0100