curl (7.38.0-3ubuntu2.3) vivid-security; urgency=medium

  * SECURITY UPDATE: NTLM credentials not checked for proxy connection
    re-use
    - debian/patches/CVE-2016-0755.patch: fix ConnectionExists to compare
      Proxy credentials in lib/url.c.
    - CVE-2016-0755

 -- Marc Deslauriers <email address hidden>  Tue, 26 Jan 2016 10:02:06 -0500

curl (7.38.0-3ubuntu2.2) vivid-security; urgency=medium

  * SECURITY UPDATE: NTLM connection reuse when unauthenticated
    - debian/patches/CVE-2015-3143.patch: require credentials to match in
      lib/url.c.
    - CVE-2015-3143
  * SECURITY UPDATE: host name out of boundary memory access
    - debian/patches/CVE-2015-3144.patch: check for valid length in
      lib/url.c.
    - CVE-2015-3144
  * SECURITY UPDATE: cookie parser out of boundary memory access
    - debian/patches/CVE-2015-3145.patch: properly handle a single double
      quote in lib/cookie.c.
    - CVE-2015-3145
  * SECURITY UPDATE: negotiate not treated as connection-oriented
    - debian/patches/CVE-2015-3148.patch: close Negotiate connections when
      done in lib/http.c.
    - CVE-2015-3148
  * SECURITY UPDATE: sensitive HTTP server headers disclosure to proxies
    - debian/patches/CVE-2015-3153.patch: make HTTP headers separated in
      docs/libcurl/opts/CURLOPT_HEADEROPT.3, lib/url.c,
      tests/data/test1527, tests/data/test287, tests/libtest/lib1527.c.
    - CVE-2015-3153

 -- Marc Deslauriers <email address hidden>  Wed, 29 Apr 2015 09:09:44 -0400

curl (7.38.0-3ubuntu2) vivid; urgency=medium

  * SECURITY UPDATE: URL request injection
    - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
      lib/url.c, added test to tests/data/Makefile.am, tests/data/test1529,
      tests/libtest/Makefile.inc, tests/libtest/lib1529.c.
    - CVE-2014-8150

 -- Marc Deslauriers <email address hidden>  Wed, 14 Jan 2015 07:57:00 -0500

curl (7.38.0-3ubuntu1) vivid; urgency=medium

  * Merge from Debian. Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop stunnel4 and libssh2-1-dev.
      + Drop libssh2-1-dev from binary package Depends.
    - Add new libcurl3-udeb package.
    - Add new curl-udeb package.
  * Dropped patches:
    - debian/patches/09_fix-timeout-in-poll-and-wait.patch: upstream
    - debian/patches/CVE-2014-3613.patch: upstream
    - debian/patches/CVE-2014-3620.patch: upstream

curl (7.38.0-3) unstable; urgency=high

  * Enable all hardening options (Closes: #763372)
  * Fix duphandle read out of bounds as per CVE-2014-3707
    http://curl.haxx.se/docs/adv_20141105.html
  * Set urgency=high accordingly

curl (7.38.0-2) unstable; urgency=medium

  * Check for libtoolize instead of libtool during build.
    Thanks to Helmut Grohne for the patch (Closes: #761740)
  * Add README.source note regarding ordering of patches (Closes: #762193)
  * Add 10_fix-resolver.patch from upstream (Closes: #762014)

curl (7.38.0-1) unstable; urgency=medium

  * New upstream release
    - Only use full host matches for hosts used as IP address
      as per CVE-2014-3613
      http://curl.haxx.se/docs/adv_20140910A.html
    - Reject incoming cookies set for TLDs as per CVE-2014-3620
      http://curl.haxx.se/docs/adv_20140910B.html
  * Drop 08_link-curl-to-nss.patch (merged upstream)
  * Refresh patches
  * Fix wildcard-matches-nothing-in-dep5-copyright
  * Add 08_fix-spelling.patch

 -- Marc Deslauriers <email address hidden>  Mon, 10 Nov 2014 08:48:21 -0500

curl (7.37.1-1ubuntu3) utopic; urgency=medium

  * debian/patches/09_fix-timeout-in-poll-and-wait.patch: apply upstream
    commit fixing timeout return value for curl_poll and curl_wait_ms.
    Thanks to Grzegorz Gutowski for finding the patch. (LP: #1375663)

 -- Brian Murray <email address hidden>  Thu, 02 Oct 2014 13:26:57 -0700