-
curl (7.68.0-1ubuntu4.3) groovy-security; urgency=medium
* SECURITY UPDATE: data leak via referer header field
- debian/patches/CVE-2021-22876.patch: strip credentials from the
auto-referer header field in lib/transfer.c.
- CVE-2021-22876
* SECURITY UPDATE: TLS 1.3 session ticket proxy host mixup
- debian/patches/CVE-2021-22890.patch: make sure we set and extract the
correct session in lib/vtls/*.
- CVE-2021-22890
-- Marc Deslauriers <email address hidden> Mon, 22 Mar 2021 10:34:32 -0400
-
curl (7.68.0-1ubuntu4.2) groovy-security; urgency=medium
* SECURITY UPDATE: wrong connect-only connection
- debian/patches/CVE-2020-8231.patch: remember last connection by id,
not by pointer in lib/connect.c, lib/easy.c, lib/multi.c, lib/url.c,
lib/urldata.h.
- CVE-2020-8231
* SECURITY UPDATE: FTP redirect to malicious host via PASV response
- debian/patches/CVE-2020-8284.patch: use CURLOPT_FTP_SKIP_PASV_IP by
default in lib/url.c, src/tool_cfgable.c, docs/*, tests/data/*.
- CVE-2020-8284
* SECURITY UPDATE: FTP wildcard stack buffer overflow in libcurl
- debian/patches/CVE-2020-8285.patch: make wc_statemach loop instead of
recurse in lib/ftp.c.
- CVE-2020-8285
* SECURITY UPDATE: Inferior OCSP verification
- debian/patches/CVE-2020-8286.patch: make the OCSP verification verify
the certificate id in lib/vtls/openssl.c.
- CVE-2020-8286
-- Marc Deslauriers <email address hidden> Mon, 30 Nov 2020 10:49:53 -0500
-
curl (7.68.0-1ubuntu4) groovy; urgency=medium
* No change rebuild against new libnettle8 and libhogweed6 ABI.
-- Dimitri John Ledkov <email address hidden> Mon, 29 Jun 2020 22:23:05 +0100
-
curl (7.68.0-1ubuntu3) groovy; urgency=medium
* SECURITY UPDATE: Partial password leak over DNS on HTTP redirect
- debian/patches/CVE-2020-8169.patch: make the updated credentials
URL-encoded in the URL in lib/url.c, tests/data/test1168,
tests/data/Makefile.inc.
- CVE-2020-8169
* SECURITY UPDATE: curl overwrite local file with -J
- debian/patches/CVE-2020-8177.patch: -i is not OK if -J is used in
src/tool_cb_hdr.c, src/tool_getparam.c.
- CVE-2020-8177
-- Marc Deslauriers <email address hidden> Mon, 29 Jun 2020 10:47:54 -0400
-
curl (7.68.0-1ubuntu2) focal; urgency=medium
* debian/patches/git_tls13_gnutls.patch:
- Ensure TLS 1.3 works with GnuTLS, thanks Dirkjan Bussink for writing
the patch and pointing it out on launchpad! (lp: #1872698)
-- Sebastien Bacher <email address hidden> Wed, 15 Apr 2020 08:27:03 +0200