Change log for curl package in Ubuntu

150 of 373 results
Published in mantic-updates
Published in mantic-security
curl (8.2.1-1ubuntu3.1) mantic-security; urgency=medium

  * SECURITY UPDATE: SOCKS5 heap buffer overflow
    - debian/patches/CVE-2023-38545.patch: return error if hostname too
      long for remote resolve in lib/socks.c, tests/data/Makefile.inc,
      tests/data/test728.
    - CVE-2023-38545
  * SECURITY UPDATE: cookie injection with none file
    - debian/patches/CVE-2023-38546.patch: remove unnecessary struct fields
      in lib/cookie.c, lib/cookie.h, lib/easy.c.
    - CVE-2023-38546

 -- Marc Deslauriers <email address hidden>  Tue, 03 Oct 2023 20:03:05 -0400
Published in focal-updates
Published in focal-security
curl (7.68.0-1ubuntu2.20) focal-security; urgency=medium

  * SECURITY UPDATE: cookie injection with none file
    - debian/patches/CVE-2023-38546.patch: remove unnecessary struct fields
      in lib/cookie.c, lib/cookie.h, lib/easy.c.
    - CVE-2023-38546

 -- Marc Deslauriers <email address hidden>  Tue, 03 Oct 2023 13:20:00 -0400
Published in jammy-updates
Published in jammy-security
curl (7.81.0-1ubuntu1.14) jammy-security; urgency=medium

  * SECURITY UPDATE: SOCKS5 heap buffer overflow
    - debian/patches/CVE-2023-38545.patch: return error if hostname too
      long for remote resolve in lib/socks.c, tests/data/Makefile.inc,
      tests/data/test728.
    - CVE-2023-38545
  * SECURITY UPDATE: cookie injection with none file
    - debian/patches/CVE-2023-38546.patch: remove unnecessary struct fields
      in lib/cookie.c, lib/cookie.h, lib/easy.c.
    - CVE-2023-38546

 -- Marc Deslauriers <email address hidden>  Tue, 03 Oct 2023 13:15:41 -0400
Published in lunar-updates
Published in lunar-security
curl (7.88.1-8ubuntu2.3) lunar-security; urgency=medium

  * SECURITY UPDATE: SOCKS5 heap buffer overflow
    - debian/patches/CVE-2023-38545.patch: return error if hostname too
      long for remote resolve in lib/socks.c, tests/data/Makefile.inc,
      tests/data/test728.
    - CVE-2023-38545
  * SECURITY UPDATE: cookie injection with none file
    - debian/patches/CVE-2023-38546.patch: remove unnecessary struct fields
      in lib/cookie.c, lib/cookie.h, lib/easy.c.
    - CVE-2023-38546

 -- Marc Deslauriers <email address hidden>  Tue, 03 Oct 2023 11:22:25 -0400
Published in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
curl (8.2.1-1ubuntu3) mantic; urgency=medium

  * SECURITY UPDATE: HTTP headers eat all memory
    - debian/patches/CVE-2023-38039.patch: return error when receiving too
      large header set in lib/c-hyper.c, lib/cf-h1-proxy.c, lib/http.c,
      lib/http.h, lib/pingpong.c, lib/urldata.h.
    - CVE-2023-38039

 -- Marc Deslauriers <email address hidden>  Mon, 11 Sep 2023 09:05:17 -0400
Superseded in lunar-updates
Superseded in lunar-security
curl (7.88.1-8ubuntu2.2) lunar-security; urgency=medium

  * SECURITY UPDATE: HTTP headers eat all memory
    - debian/patches/CVE-2023-38039.patch: return error when receiving too
      large header set in lib/c-hyper.c, lib/http_proxy.c, lib/http.c,
      lib/http.h, lib/pingpong.c, lib/urldata.h.
    - CVE-2023-38039

 -- Marc Deslauriers <email address hidden>  Mon, 11 Sep 2023 09:09:46 -0400
Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
curl (8.2.1-1ubuntu2) mantic; urgency=medium

  * d/t/control, d/t/curl-ldapi-test: move test-command to an actual
    test script and add a retry logic (LP: #2030911)

 -- Andreas Hasenack <email address hidden>  Wed, 09 Aug 2023 17:10:40 -0300
Superseded in mantic-proposed
curl (8.2.1-1ubuntu1) mantic; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Don't build-depend on python3-impacket on i386 so we can drop it
      (and its dependencies) from the i386 partial port.  It's only used for
      the tests, which do not block the build in any case.

Superseded in mantic-proposed
curl (7.88.1-11ubuntu1) mantic; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Don't build-depend on python3-impacket on i386 so we can drop it
      (and its dependencies) from the i386 partial port.  It's only used for
      the tests, which do not block the build in any case.

Superseded in jammy-updates
Superseded in jammy-security
curl (7.81.0-1ubuntu1.13) jammy-security; urgency=medium

  * SECURITY REGRESSION: broken ssl cert wildcard handling (LP: #2028170)
    - debian/patches/CVE-2023-28321.patch: fix missing line in backport.

 -- Marc Deslauriers <email address hidden>  Wed, 19 Jul 2023 12:23:36 -0400
Superseded in mantic-proposed
curl (7.88.1-10ubuntu2) mantic; urgency=medium

  * SECURITY UPDATE: fopen race condition
    - debian/patches/CVE-2023-32001.patch: fix race in lib/fopen.c.
    - CVE-2023-32001

 -- Marc Deslauriers <email address hidden>  Tue, 18 Jul 2023 08:02:18 -0400
Superseded in focal-updates
Superseded in focal-security
curl (7.68.0-1ubuntu2.19) focal-security; urgency=medium

  * SECURITY UPDATE: improper certificate validation vulnerability
    - debian/patches/CVE-2023-28321.patch: fix host name wildcard checking
      in lib/hostcheck.c, tests/data/test1397, tests/unit/unit1397.c.
    - CVE-2023-28321
  * SECURITY UPDATE: information disclosure vulnerability
    - debian/patches/CVE-2023-28322.patch: unify the upload/method handling
      in lib/curl_rtmp.c, lib/file.c, lib/ftp.c, lib/http.c, lib/imap.c,
      lib/rtsp.c, lib/setopt.c, lib/smb.c, lib/smtp.c, lib/tftp.c,
      lib/transfer.c, lib/urldata.h, lib/vssh/libssh.c, lib/vssh/libssh2.c.
    - CVE-2023-28322

 -- Marc Deslauriers <email address hidden>  Mon, 17 Jul 2023 10:44:42 -0400
Superseded in lunar-updates
Superseded in lunar-security
curl (7.88.1-8ubuntu2.1) lunar-security; urgency=medium

  * SECURITY UPDATE: improper certificate validation vulnerability
    - debian/patches/CVE-2023-28321.patch: fix host name wildcard checking
      in lib/vtls/hostcheck.c, tests/data/test1397, tests/unit/unit1397.c.
    - CVE-2023-28321
  * SECURITY UPDATE: information disclosure vulnerability
    - debian/patches/CVE-2023-28322.patch: unify the upload/method handling
      in lib/curl_rtmp.c, lib/file.c, lib/ftp.c, lib/http.c, lib/imap.c,
      lib/rtsp.c, lib/setopt.c, lib/smb.c, lib/smtp.c, lib/tftp.c,
      lib/transfer.c, lib/urldata.h, lib/vssh/libssh.c, lib/vssh/libssh2.c,
      lib/vssh/wolfssh.c.
    - CVE-2023-28322
  * SECURITY UPDATE: fopen race condition
    - debian/patches/CVE-2023-32001.patch: fix race in lib/fopen.c.
    - CVE-2023-32001

 -- Marc Deslauriers <email address hidden>  Mon, 17 Jul 2023 07:53:10 -0400
Published in kinetic-updates
Published in kinetic-security
curl (7.85.0-1ubuntu0.6) kinetic-security; urgency=medium

  * SECURITY UPDATE: improper certificate validation vulnerability
    - debian/patches/CVE-2023-28321.patch: fix host name wildcard checking
      in lib/vtls/hostcheck.c, tests/data/test1397, tests/unit/unit1397.c.
    - CVE-2023-28321
  * SECURITY UPDATE: information disclosure vulnerability
    - debian/patches/CVE-2023-28322.patch: unify the upload/method handling
      in lib/curl_rtmp.c, lib/file.c, lib/ftp.c, lib/http.c, lib/imap.c,
      lib/rtsp.c, lib/setopt.c, lib/smb.c, lib/smtp.c, lib/tftp.c,
      lib/transfer.c, lib/urldata.h, lib/vssh/libssh.c, lib/vssh/libssh2.c,
      lib/vssh/wolfssh.c.
    - CVE-2023-28322
  * SECURITY UPDATE: fopen race condition
    - debian/patches/CVE-2023-32001.patch: fix race in lib/fopen.c.
    - CVE-2023-32001

 -- Marc Deslauriers <email address hidden>  Mon, 17 Jul 2023 08:03:23 -0400
Superseded in jammy-updates
Superseded in jammy-security
curl (7.81.0-1ubuntu1.11) jammy-security; urgency=medium

  * SECURITY UPDATE: improper certificate validation vulnerability
    - debian/patches/CVE-2023-28321.patch: fix host name wildcard checking
      in lib/hostcheck.c, tests/data/test1397, tests/unit/unit1397.c.
    - CVE-2023-28321
  * SECURITY UPDATE: information disclosure vulnerability
    - debian/patches/CVE-2023-28322.patch: unify the upload/method handling
      in lib/curl_rtmp.c, lib/file.c, lib/ftp.c, lib/http.c, lib/imap.c,
      lib/rtsp.c, lib/setopt.c, lib/smb.c, lib/smtp.c, lib/tftp.c,
      lib/transfer.c, lib/urldata.h, lib/vssh/libssh.c, lib/vssh/libssh2.c,
      lib/vssh/wolfssh.c.
    - CVE-2023-28322

 -- Marc Deslauriers <email address hidden>  Mon, 17 Jul 2023 10:25:41 -0400
Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
curl (7.88.1-10ubuntu1) mantic; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Don't build-depend on python3-impacket on i386 so we can drop it
      (and its dependencies) from the i386 partial port.  It's only used for
      the tests, which do not block the build in any case.

Superseded in mantic-release
Deleted in mantic-proposed (Reason: Moved to mantic)
curl (7.88.1-9ubuntu1) mantic; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Don't build-depend on python3-impacket on i386 so we can drop it
      (and its dependencies) from the i386 partial port.  It's only used for
      the tests, which do not block the build in any case.

Superseded in lunar-updates
Deleted in lunar-proposed (Reason: moved to -updates)
curl (7.88.1-8ubuntu2) lunar; urgency=medium

  * d/p/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch:
    Don't prepend "nss" when opening libnssckbi.so. Rename definition
    to _DEB_TARGET_ARCH. (LP: #2016439)
  * d/rules: Declare DEB_TARGET_MULTIARCH. Rename definition to
    _DEB_TARGET_ARCH.

 -- Sergio Durigan Junior <email address hidden>  Thu, 20 Apr 2023 17:30:44 -0400
Superseded in mantic-release
Published in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
curl (7.88.1-8ubuntu1) lunar; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Don't build-depend on python3-impacket on i386 so we can drop it
      (and its dependencies) from the i386 partial port.  It's only used for
      the tests, which do not block the build in any case.

Superseded in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
curl (7.88.1-7ubuntu1) lunar; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Don't build-depend on python3-impacket on i386 so we can drop it
      (and its dependencies) from the i386 partial port.  It's only used for
      the tests, which do not block the build in any case.

Superseded in lunar-proposed
curl (7.88.1-6ubuntu2) lunar; urgency=medium

  * SECURITY UPDATE: TELNET option IAC injection
    - debian/patches/CVE-2023-27533.patch: only accept option arguments in
      ascii in lib/telnet.c.
    - CVE-2023-27533
  * SECURITY UPDATE: SFTP path ~ resolving discrepancy
    - debian/patches/CVE-2023-27534.patch: create the new path with dynbuf
      in lib/curl_path.c.
    - CVE-2023-27534
  * SECURITY UPDATE: FTP too eager connection reuse
    - debian/patches/CVE-2023-27535.patch: add more conditions for
      connection reuse in lib/ftp.c, lib/ftp.h, lib/url.c, lib/urldata.h.
    - CVE-2023-27535
  * SECURITY UPDATE: GSS delegation too eager connection re-use
    - debian/patches/CVE-2023-27536.patch: only reuse connections with same
      GSS delegation in lib/url.c, lib/urldata.h.
    - CVE-2023-27536
  * SECURITY UPDATE: HSTS double-free
    - debian/patches/CVE-2023-27537.patch: clarify documentation in
      docs/libcurl/opts/CURLSHOPT_SHARE.3.
    - CVE-2023-27537
  * SECURITY UPDATE: SSH connection too eager reuse still
    - debian/patches/CVE-2023-27538.patch: fix the SSH connection reuse
      check in lib/url.c.
    - CVE-2023-27538

 -- Marc Deslauriers <email address hidden>  Mon, 20 Mar 2023 10:27:46 -0400
Superseded in kinetic-updates
Superseded in kinetic-security
curl (7.85.0-1ubuntu0.5) kinetic-security; urgency=medium

  * SECURITY UPDATE: TELNET option IAC injection
    - debian/patches/CVE-2023-27533.patch: only accept option arguments in
      ascii in lib/telnet.c.
    - CVE-2023-27533
  * SECURITY UPDATE: SFTP path ~ resolving discrepancy
    - debian/patches/CVE-2023-27534-pre1.patch: do not add '/' if homedir
      ends with one in lib/curl_path.c.
    - debian/patches/CVE-2023-27534.patch: create the new path with dynbuf
      in lib/curl_path.c.
    - CVE-2023-27534
  * SECURITY UPDATE: FTP too eager connection reuse
    - debian/patches/CVE-2023-27535-pre1.patch: add and use Curl_timestrcmp
      in lib/netrc.c, lib/strcase.c, lib/strcase.h, lib/url.c,
      lib/vauth/digest_sspi.c, lib/vtls/vtls.c.
    - debian/patches/CVE-2023-27535.patch: add more conditions for
      connection reuse in lib/ftp.c, lib/ftp.h, lib/url.c, lib/urldata.h.
    - CVE-2023-27535
  * SECURITY UPDATE: GSS delegation too eager connection re-use
    - debian/patches/CVE-2023-27536.patch: only reuse connections with same
      GSS delegation in lib/url.c, lib/urldata.h.
    - CVE-2023-27536
  * SECURITY UPDATE: SSH connection too eager reuse still
    - debian/patches/CVE-2023-27538.patch: fix the SSH connection reuse
      check in lib/url.c.
    - CVE-2023-27538

 -- Marc Deslauriers <email address hidden>  Tue, 14 Mar 2023 09:55:46 -0400
Superseded in jammy-updates
Superseded in jammy-security
curl (7.81.0-1ubuntu1.10) jammy-security; urgency=medium

  * SECURITY UPDATE: TELNET option IAC injection
    - debian/patches/CVE-2023-27533.patch: only accept option arguments in
      ascii in lib/telnet.c.
    - CVE-2023-27533
  * SECURITY UPDATE: SFTP path ~ resolving discrepancy
    - debian/patches/CVE-2023-27534-pre1.patch: do not add '/' if homedir
      ends with one in lib/curl_path.c.
    - debian/patches/CVE-2023-27534.patch: create the new path with dynbuf
      in lib/curl_path.c.
    - CVE-2023-27534
  * SECURITY UPDATE: FTP too eager connection reuse
    - debian/patches/CVE-2023-27535-pre1.patch: add and use Curl_timestrcmp
      in lib/netrc.c, lib/strcase.c, lib/strcase.h, lib/url.c,
      lib/vauth/digest_sspi.c, lib/vtls/vtls.c.
    - debian/patches/CVE-2023-27535.patch: add more conditions for
      connection reuse in lib/ftp.c, lib/ftp.h, lib/url.c, lib/urldata.h.
    - CVE-2023-27535
  * SECURITY UPDATE: GSS delegation too eager connection re-use
    - debian/patches/CVE-2023-27536.patch: only reuse connections with same
      GSS delegation in lib/url.c, lib/urldata.h.
    - CVE-2023-27536
  * SECURITY UPDATE: SSH connection too eager reuse still
    - debian/patches/CVE-2023-27538.patch: fix the SSH connection reuse
      check in lib/url.c.
    - CVE-2023-27538

 -- Marc Deslauriers <email address hidden>  Tue, 14 Mar 2023 12:37:02 -0400
Superseded in focal-updates
Superseded in focal-security
curl (7.68.0-1ubuntu2.18) focal-security; urgency=medium

  * SECURITY UPDATE: TELNET option IAC injection
    - debian/patches/CVE-2023-27533.patch: only accept option arguments in
      ascii in lib/telnet.c.
    - CVE-2023-27533
  * SECURITY UPDATE: SFTP path ~ resolving discrepancy
    - debian/patches/CVE-2023-27534-pre1.patch: do not add '/' if homedir
      ends with one in lib/curl_path.c.
    - debian/patches/CVE-2023-27534.patch: properly handle tilde character
      in lib/curl_path.c.
    - CVE-2023-27534
  * SECURITY UPDATE: FTP too eager connection reuse
    - debian/patches/CVE-2023-27535-pre1.patch: add and use Curl_timestrcmp
      in lib/netrc.c, lib/strcase.c, lib/strcase.h, lib/url.c,
      lib/vauth/digest_sspi.c, lib/vtls/vtls.c.
    - debian/patches/CVE-2023-27535.patch: add more conditions for
      connection reuse in lib/ftp.c, lib/ftp.h, lib/url.c, lib/urldata.h.
    - CVE-2023-27535
  * SECURITY UPDATE: GSS delegation too eager connection re-use
    - debian/patches/CVE-2023-27536.patch: only reuse connections with same
      GSS delegation in lib/url.c, lib/urldata.h.
    - CVE-2023-27536
  * SECURITY UPDATE: SSH connection too eager reuse still
    - debian/patches/CVE-2023-27538.patch: fix the SSH connection reuse
      check in lib/url.c.
    - CVE-2023-27538

 -- Marc Deslauriers <email address hidden>  Tue, 14 Mar 2023 13:13:49 -0400
Published in bionic-updates
Published in bionic-security
curl (7.58.0-2ubuntu3.24) bionic-security; urgency=medium

  * SECURITY UPDATE: TELNET option IAC injection
    - debian/patches/CVE-2023-27533.patch: only accept option arguments in
      ascii in lib/telnet.c.
    - CVE-2023-27533
  * SECURITY UPDATE: SFTP path ~ resolving discrepancy
    - debian/patches/CVE-2023-27534-pre1.patch: do not add '/' if homedir
      ends with one in lib/curl_path.c.
    - debian/patches/CVE-2023-27534.patch: properly handle tilde character
      in lib/curl_path.c.
    - CVE-2023-27534
  * SECURITY UPDATE: FTP too eager connection reuse
    - debian/patches/CVE-2023-27535.patch: add more conditions for
      connection reuse in lib/ftp.c, lib/ftp.h, lib/url.c, lib/urldata.h.
    - CVE-2023-27535
  * SECURITY UPDATE: GSS delegation too eager connection re-use
    - debian/patches/CVE-2023-27536.patch: only reuse connections with same
      GSS delegation in lib/url.c, lib/urldata.h.
    - CVE-2023-27536
  * SECURITY UPDATE: SSH connection too eager reuse still
    - debian/patches/CVE-2023-27538.patch: fix the SSH connection reuse
      check in lib/url.c.
    - CVE-2023-27538

 -- Marc Deslauriers <email address hidden>  Wed, 15 Mar 2023 08:58:03 -0400
Superseded in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
curl (7.88.1-6ubuntu1) lunar; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Don't build-depend on python3-impacket on i386 so we can drop it
      (and its dependencies) from the i386 partial port.  It's only used for
      the tests, which do not block the build in any case.

Superseded in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
curl (7.88.1-1ubuntu1) lunar; urgency=medium

  * Merge from Debian unstable (LP: #2008123). Remaining changes:
    + Drop patches for CVEs fixed upstream.
      - debian/patches/CVE-2023-23914_5-1.patch
      - debian/patches/CVE-2023-23914_5-2.patch
      - debian/patches/CVE-2023-23914_5-3.patch
      - debian/patches/CVE-2023-23914_5-4.patch
      - debian/patches/CVE-2023-23914_5-5.patch
      - debian/patches/CVE-2023-23916.patch
    + Don't build-depend on python3-impacket on i386 so we can drop it
      (and its dependencies) from the i386 partial port.  It's only used for
      the tests, which do not block the build in any case.

 -- Danilo Egea Gondolfo <email address hidden>  Wed, 22 Feb 2023 17:14:26 +0000
Superseded in lunar-proposed
curl (7.87.0-2ubuntu2) lunar; urgency=medium

  * SECURITY UPDATE: multiple HSTS issues
    - debian/patches/CVE-2023-23914_5-1.patch: add sharing of HSTS cache
      among handles in docs/libcurl/opts/CURLSHOPT_SHARE.3,
      docs/libcurl/symbols-in-versions, include/curl/curl.h, lib/hsts.c,
      lib/hsts.h, lib/setopt.c, lib/share.c, lib/share.h, lib/transfer.c,
      lib/url.c, lib/urldata.h.
    - debian/patches/CVE-2023-23914_5-2.patch: share HSTS between handles
      in src/tool_operate.c.
    - debian/patches/CVE-2023-23914_5-3.patch: handle adding the same host
      name again in lib/hsts.c.
    - debian/patches/CVE-2023-23914_5-4.patch: support crlf="yes" for
      verify/proxy in tests/FILEFORMAT.md, tests/runtests.pl.
    - debian/patches/CVE-2023-23914_5-5.patch: verify hsts with two URLs in
      tests/data/Makefile.inc, tests/data/test446.
    - CVE-2023-23914
    - CVE-2023-23915
  * SECURITY UPDATE: HTTP multi-header compression denial of service
    - debian/patches/CVE-2023-23916.patch: do not reset stage counter for
      each header in lib/content_encoding.c, lib/urldata.h,
      tests/data/Makefile.inc, tests/data/test387, tests/data/test418.
    - CVE-2023-23916

 -- Marc Deslauriers <email address hidden>  Fri, 17 Feb 2023 08:19:10 -0500
Superseded in bionic-updates
Superseded in bionic-security
curl (7.58.0-2ubuntu3.23) bionic-security; urgency=medium

  * SECURITY UPDATE: HTTP multi-header compression denial of service
    - debian/patches/CVE-2023-23916.patch: do not reset stage counter for
      each header in lib/content_encoding.c, lib/urldata.h,
      tests/data/Makefile.inc, tests/data/test418.
    - CVE-2023-23916

 -- Marc Deslauriers <email address hidden>  Wed, 15 Feb 2023 08:34:26 -0500
Superseded in focal-updates
Superseded in focal-security
curl (7.68.0-1ubuntu2.16) focal-security; urgency=medium

  * SECURITY UPDATE: HTTP multi-header compression denial of service
    - debian/patches/CVE-2023-23916.patch: do not reset stage counter for
      each header in lib/content_encoding.c, lib/urldata.h,
      tests/data/Makefile.inc, tests/data/test418.
    - CVE-2023-23916

 -- Marc Deslauriers <email address hidden>  Wed, 15 Feb 2023 08:31:00 -0500
Superseded in jammy-updates
Superseded in jammy-security
curl (7.81.0-1ubuntu1.8) jammy-security; urgency=medium

  * SECURITY UPDATE: multiple HSTS issues
    - debian/patches/CVE-2023-23914_5-1.patch: add sharing of HSTS cache
      among handles in docs/libcurl/opts/CURLSHOPT_SHARE.3,
      docs/libcurl/symbols-in-versions, include/curl/curl.h, lib/hsts.c,
      lib/hsts.h, lib/setopt.c, lib/share.c, lib/share.h, lib/transfer.c,
      lib/url.c, lib/urldata.h.
    - debian/patches/CVE-2023-23914_5-2.patch: share HSTS between handles
      in src/tool_operate.c.
    - debian/patches/CVE-2023-23914_5-3.patch: handle adding the same host
      name again in lib/hsts.c.
    - debian/patches/CVE-2023-23914_5-4.patch: support crlf="yes" for
      verify/proxy in tests/FILEFORMAT.md, tests/runtests.pl.
    - debian/patches/CVE-2023-23914_5-5.patch: verify hsts with two URLs in
      tests/data/Makefile.inc, tests/data/test446.
    - CVE-2023-23914
    - CVE-2023-23915
  * SECURITY UPDATE: HTTP multi-header compression denial of service
    - debian/patches/CVE-2023-23916-pre1.patch: do CRLF replacements in
      tests/FILEFORMAT.md, tests/data/test1, tests/runtests.pl.
    - debian/patches/CVE-2023-23916.patch: do not reset stage counter for
      each header in lib/content_encoding.c, lib/urldata.h,
      tests/data/Makefile.inc, tests/data/test418.
    - CVE-2023-23916

 -- Marc Deslauriers <email address hidden>  Wed, 15 Feb 2023 08:20:05 -0500
Superseded in kinetic-updates
Superseded in kinetic-security
curl (7.85.0-1ubuntu0.3) kinetic-security; urgency=medium

  * SECURITY UPDATE: multiple HSTS issues
    - debian/patches/CVE-2023-23914_5-1.patch: add sharing of HSTS cache
      among handles in docs/libcurl/opts/CURLSHOPT_SHARE.3,
      docs/libcurl/symbols-in-versions, include/curl/curl.h, lib/hsts.c,
      lib/hsts.h, lib/setopt.c, lib/share.c, lib/share.h, lib/transfer.c,
      lib/url.c, lib/urldata.h.
    - debian/patches/CVE-2023-23914_5-2.patch: share HSTS between handles
      in src/tool_operate.c.
    - debian/patches/CVE-2023-23914_5-3.patch: handle adding the same host
      name again in lib/hsts.c.
    - debian/patches/CVE-2023-23914_5-4.patch: support crlf="yes" for
      verify/proxy in tests/FILEFORMAT.md, tests/runtests.pl.
    - debian/patches/CVE-2023-23914_5-5.patch: verify hsts with two URLs in
      tests/data/Makefile.inc, tests/data/test446.
    - CVE-2023-23914
    - CVE-2023-23915
  * SECURITY UPDATE: HTTP multi-header compression denial of service
    - debian/patches/CVE-2023-23916-pre1.patch: do CRLF replacements in
      tests/FILEFORMAT.md, tests/data/test1, tests/runtests.pl.
    - debian/patches/CVE-2023-23916.patch: do not reset stage counter for
      each header in lib/content_encoding.c, lib/urldata.h,
      tests/data/Makefile.inc, tests/data/test387, tests/data/test418.
    - CVE-2023-23916

 -- Marc Deslauriers <email address hidden>  Wed, 15 Feb 2023 08:12:14 -0500
Superseded in lunar-proposed
curl (7.87.0-2ubuntu1) lunar; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Don't build-depend on python3-impacket on i386 so we can drop it
      (and its dependencies) from the i386 partial port.  It's only used for
      the tests, which do not block the build in any case.

Superseded in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
curl (7.87.0-1ubuntu1) lunar; urgency=medium

  * Don't build-depend on python3-impacket on i386 so we can drop it
    (and its dependencies) from the i386 partial port.  It's only used for
    the tests, which do not block the build in any case.

 -- Steve Langasek <email address hidden>  Sun, 08 Jan 2023 00:40:54 +0000
Superseded in bionic-updates
Superseded in bionic-security
curl (7.58.0-2ubuntu3.22) bionic-security; urgency=medium

  * SECURITY UPDATE: HTTP Proxy deny use-after-free
    - debian/patches/CVE-2022-43552.patch: do not free the protocol struct
      in *_done() in lib/smb.c, lib/telnet.c.
    - CVE-2022-43552

 -- Marc Deslauriers <email address hidden>  Wed, 04 Jan 2023 12:08:06 -0500
Superseded in focal-updates
Superseded in focal-security
curl (7.68.0-1ubuntu2.15) focal-security; urgency=medium

  * SECURITY UPDATE: HTTP Proxy deny use-after-free
    - debian/patches/CVE-2022-43552.patch: do not free the protocol struct
      in *_done() in lib/smb.c, lib/telnet.c.
    - CVE-2022-43552

 -- Marc Deslauriers <email address hidden>  Wed, 04 Jan 2023 12:03:45 -0500
Superseded in jammy-updates
Superseded in jammy-security
curl (7.81.0-1ubuntu1.7) jammy-security; urgency=medium

  * SECURITY UPDATE: Another HSTS bypass via IDN
    - debian/patches/CVE-2022-43551.patch: use the IDN decoded name in HSTS
      checks in lib/http.c.
    - CVE-2022-43551
  * SECURITY UPDATE: HTTP Proxy deny use-after-free
    - debian/patches/CVE-2022-43552.patch: do not free the protocol struct
      in *_done() in lib/smb.c, lib/telnet.c.
    - CVE-2022-43552

 -- Marc Deslauriers <email address hidden>  Wed, 04 Jan 2023 09:53:07 -0500
Superseded in kinetic-updates
Superseded in kinetic-security
curl (7.85.0-1ubuntu0.2) kinetic-security; urgency=medium

  * SECURITY UPDATE: Another HSTS bypass via IDN
    - debian/patches/CVE-2022-43551.patch: use the IDN decoded name in HSTS
      checks in lib/http.c.
    - CVE-2022-43551
  * SECURITY UPDATE: HTTP Proxy deny use-after-free
    - debian/patches/CVE-2022-43552.patch: do not free the protocol struct
      in *_done() in lib/smb.c, lib/telnet.c.
    - CVE-2022-43552

 -- Marc Deslauriers <email address hidden>  Wed, 04 Jan 2023 09:49:54 -0500
Superseded in lunar-proposed
curl (7.87.0-1) unstable; urgency=medium

  * New upstream version 7.87.0
  * d/patches:
    - Update patches
    - Drop all backported patches that are applied in the new release
  * d/copyright: Remove missing file
  * d/*.lintian-overrides: Remove unused overrides

  [ Simon McVittie ]
  * Make -dev packages 'Multi-Arch: same' back again (closes: #1024668)

 -- Samuel Henrique <email address hidden>  Fri, 23 Dec 2022 20:36:01 +0000
Superseded in lunar-proposed
curl (7.86.0-3) unstable; urgency=medium

  * Fix two HSTS-related CVEs.
    - d/p/CVE-2022-43551-another-hsts-bypass-via-idn.patch: use the IDN
      decoded name in HSTS checks.
      (Closes: #1026829, CVE-2022-43551)
    - d/p/CVE-2022-43552-http-proxy-deny-use-after-free.patch: do not free
      smb's/telnet's protocol struct in *_done().
      (Closes: #1026830, CVE-2022-43552)

 -- Sergio Durigan Junior <email address hidden>  Wed, 21 Dec 2022 15:55:18 -0500
Superseded in lunar-proposed
curl (7.86.0-2build1) lunar; urgency=medium

  * No-change rebuild against libldap-2

 -- Steve Langasek <email address hidden>  Thu, 15 Dec 2022 19:46:07 +0000
Superseded in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
curl (7.86.0-2) unstable; urgency=medium

  [ Debian Janitor ]
  * Apply multi-arch hints. + libcurl4-gnutls-dev, libcurl4-nss-dev,
    libcurl4-openssl-dev: Drop Multi-Arch: same.

  [ Samuel Henrique ]
  * d/patches: Backport three upstream patches to fix noproxy option.

 -- Samuel Henrique <email address hidden>  Tue, 15 Nov 2022 21:04:55 +0000
Superseded in lunar-proposed
curl (7.86.0-1) unstable; urgency=medium

  * New upstream version 7.86.0
    - Fix HSTS bypass via IDN:
      curl's HSTS check could be bypassed to trick it to keep using HTTP.
      (closes: CVE-2022-42916)
    - Fix HTTP proxy double-free (closes: CVE-2022-42915)
    - Fix .netrc parser out-of-bounds access (closes: CVE-2022-35260)
    - Fix POST following PUT confusion (closes: CVE-2022-32221)

 -- Samuel Henrique <email address hidden>  Thu, 27 Oct 2022 20:38:24 +0100
Superseded in lunar-proposed
Superseded in lunar-proposed
Superseded in kinetic-updates
Superseded in kinetic-security
curl (7.85.0-1ubuntu0.1) kinetic-security; urgency=medium

  * SECURITY UPDATE: POST following PUT confusion
    - debian/patches/CVE-2022-32221.patch: when POST is set, reset the
      'upload' field in lib/setopt.c.
    - CVE-2022-32221
  * SECURITY UPDATE: .netrc parser out-of-bounds access
    - debian/patches/CVE-2022-35260.patch: replace fgets with Curl_get_line
      in lib/curl_get_line.c, lib/netrc.c.
    - CVE-2022-35260
  * SECURITY UPDATE: HTTP proxy double-free
    - debian/patches/CVE-2022-42915.patch: restore the protocol pointer on
      error in lib/http_proxy.c, lib/url.c.
    - CVE-2022-42915
  * SECURITY UPDATE: HSTS bypass via IDN
    - debian/patches/CVE-2022-42916.patch: use IDN decoded names for HSTS
      checks in lib/url.c.
    - CVE-2022-42916

 -- Marc Deslauriers <email address hidden>  Wed, 26 Oct 2022 06:47:08 -0400
Superseded in jammy-updates
Superseded in jammy-security
curl (7.81.0-1ubuntu1.6) jammy-security; urgency=medium

  * SECURITY UPDATE: POST following PUT confusion
    - debian/patches/CVE-2022-32221.patch: when POST is set, reset the
      'upload' field in lib/setopt.c.
    - CVE-2022-32221
  * SECURITY UPDATE: HTTP proxy double-free
    - debian/patches/CVE-2022-42915.patch: restore the protocol pointer on
      error in lib/http_proxy.c, lib/url.c.
    - CVE-2022-42915
  * SECURITY UPDATE: HSTS bypass via IDN
    - debian/patches/CVE-2022-42916.patch: use IDN decoded names for HSTS
      checks in lib/url.c.
    - CVE-2022-42916

 -- Marc Deslauriers <email address hidden>  Tue, 18 Oct 2022 12:35:33 -0400
Superseded in bionic-updates
Superseded in bionic-security
curl (7.58.0-2ubuntu3.21) bionic-security; urgency=medium

  * SECURITY UPDATE: POST following PUT confusion
    - debian/patches/CVE-2022-32221.patch: when POST is set, reset the
      'upload' field in lib/setopt.c.
    - CVE-2022-32221

 -- Marc Deslauriers <email address hidden>  Tue, 18 Oct 2022 12:45:13 -0400
Superseded in focal-updates
Superseded in focal-security
curl (7.68.0-1ubuntu2.14) focal-security; urgency=medium

  * SECURITY UPDATE: POST following PUT confusion
    - debian/patches/CVE-2022-32221.patch: when POST is set, reset the
      'upload' field in lib/setopt.c.
    - CVE-2022-32221

 -- Marc Deslauriers <email address hidden>  Tue, 18 Oct 2022 12:44:11 -0400
Superseded in lunar-release
Published in kinetic-release
Deleted in kinetic-proposed (Reason: Moved to kinetic)
curl (7.85.0-1) unstable; urgency=medium

  * New upstream version 7.85.0
    - Fix control code in cookie denial of service:
      When curl retrieves and parses cookies from an HTTP(S) server, it
      accepts cookies using control codes (byte values below 32). When cookies
      that contain such control codes are later sent back to an HTTP(S) server,
      it might make the server return a 400 response. Effectively allowing a
      "sister site" to deny service to siblings
      (closes: #1018831, CVE-2022-35252)
    - Fix FTBFS on riscv64 with gcc-12 (closes: #1015835)
  * Bump Standards-Version to 4.6.1
  * Add lintian overrides for old-style-config-script-multiarch-path triggered
    for curl-config
  * d/patches:
    - 11_omit-directories-from-config.patch: Update patch
    - 20_ftbfs_import_sched.patch: Drop patch, applied upstream
  * d/rules: Fix configure args, remove bogus '--without-ssl'
  * d/copyright: Update the whole file
  * d/(control|watch): Update upstream's URL

 -- Samuel Henrique <email address hidden>  Fri, 02 Sep 2022 13:00:10 +0100
Superseded in kinetic-release
Deleted in kinetic-proposed (Reason: Moved to kinetic)
curl (7.84.0-2ubuntu2) kinetic; urgency=medium

  * SECURITY UPDATE: when curl sends back cookies with control bytes an
    HTTP(S) server may return a 400 response
    - debian/patches/CVE-2022-35252.patch: adds invalid_octets function
      to lib/cookie.c to reject cookies with control bytes
    - CVE-2022-35252

 -- Mark Esler <email address hidden>  Wed, 31 Aug 2022 14:06:26 -0500
Superseded in bionic-updates
Superseded in bionic-security
curl (7.58.0-2ubuntu3.20) bionic-security; urgency=medium

  * SECURITY UPDATE: when curl sends back cookies with control bytes an
    HTTP(S) server may return a 400 response
    - debian/patches/CVE-2022-35252.patch: adds invalid_octets function
      to lib/cookie.c to reject cookies with control bytes
    - CVE-2022-35252

 -- Mark Esler <email address hidden>  Wed, 31 Aug 2022 14:18:59 -0500