curl (8.5.0-2ubuntu10.6) noble-security; urgency=medium

  * SECURITY UPDATE: netrc and redirect credential leak
    - debian/patches/CVE-2024-11053-pre1.patch: use same credentials on
      redirect in lib/transfer.c, lib/url.c, lib/urldata.h,
      tests/data/Makefile.inc, tests/data/test998, tests/data/test999.
    - debian/patches/CVE-2024-11053.patch: address several netrc parser
      flaws in lib/netrc.c, lib/url.c, tests/data/Makefile.inc,
      tests/data/test478, tests/data/test479, tests/data/test480,
      tests/unit/unit1304.c.
    - CVE-2024-11053

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 11 Dec 2024 11:44:19 -0500

curl (8.5.0-2ubuntu10.5) noble-security; urgency=medium

  * SECURITY UPDATE: HSTS expiry overwrites parent cache entry.
    - debian/patches/CVE-2024-9681.patch: Add bestsub, blen, and hostname
      comparison in lib/hsts.c.
    - CVE-2024-9681

 -- Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>  Wed, 06 Nov 2024 10:48:09 -0330

curl (8.5.0-2ubuntu10.4) noble-security; urgency=medium

  * SECURITY UPDATE: OCSP stapling bypass with GnuTLS
    - debian/patches/CVE-2024-8096.patch: fix OCSP stapling management in
      lib/vtls/gtls.c.
    - CVE-2024-8096

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 06 Sep 2024 07:27:11 -0400

curl (8.5.0-2ubuntu10.3) noble-proposed; urgency=medium

  * SRU: LP: #2076340: No-change rebuild to pick up changed build flags
    on ppc64 and s390x.

 -- Matthias Klose <doko@ubuntu.com>  Fri, 09 Aug 2024 04:33:21 +0200

curl (8.5.0-2ubuntu10.2) noble-security; urgency=medium

  * SECURITY UPDATE: ASN.1 date parser overread
    - debian/patches/CVE-2024-7264-pre1.patch: clean up GTime2str in
      lib/vtls/x509asn1.c.
    - debian/patches/CVE-2024-7264.patch: unittests and fixes for gtime2str
      in lib/vtls/x509asn1.c, lib/vtls/x509asn1.h, tests/data/Makefile.inc,
      tests/data/test1656, tests/unit/Makefile.inc, tests/unit/unit1656.c.
    - CVE-2024-7264

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 01 Aug 2024 09:43:08 -0400

curl (8.5.0-2ubuntu10.1) noble-security; urgency=medium

  * SECURITY UPDATE: Usage of disabled protocol
    - debian/patches/CVE-2024-2004-pre1.patch: test1474: removed.
    - debian/patches/CVE-2024-2004.patch: fix disabling all protocols in
      lib/setopt.c, tests/data/Makefile.inc, tests/data/test1474.
    - CVE-2024-2004
  * SECURITY UPDATE: HTTP/2 push headers memory-leak
    - debian/patches/CVE-2024-2398.patch: push headers better cleanup in
      lib/http2.c.
    - CVE-2024-2398

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 22 Apr 2024 12:00:57 -0400

curl (8.5.0-2ubuntu10) noble; urgency=high

  * No change rebuild against libgnutls30t64, libnettle8t64, libpsl5t64,
    libssl3t64.

 -- Julian Andres Klode <juliank@ubuntu.com>  Mon, 08 Apr 2024 16:38:07 +0200

curl (8.5.0-2ubuntu9) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 31 Mar 2024 00:50:18 +0000

curl (8.5.0-2ubuntu8) noble; urgency=medium

  * Drop build-dependency on stunnel4 for i386: we already don't run tests
    on i386.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 24 Mar 2024 03:10:54 +0000

curl (8.5.0-2ubuntu7) noble; urgency=medium

  * Rename libraries for 64-bit time_t transition.  Closes: #1061992,
    #1065315.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 15 Mar 2024 10:19:32 -0700

curl (8.5.0-2ubuntu6) noble; urgency=medium

  * Build without forcing the nocheck profile.

 -- Dan Bungert <daniel.bungert@canonical.com>  Mon, 11 Mar 2024 14:51:34 -0600

curl (8.5.0-2ubuntu5) noble; urgency=medium

  * Build with nocheck profile.

 -- Matthias Klose <doko@ubuntu.com>  Thu, 07 Mar 2024 10:56:24 +0100

curl (8.5.0-2ubuntu3) noble; urgency=medium

  * No-change rebuild against libssl3t64

 -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 04 Mar 2024 17:36:56 +0000

curl (8.5.0-2ubuntu2) noble; urgency=medium

  * SECURITY UPDATE: OCSP verification bypass with TLS session reuse
    - debian/patches/CVE-2024-0853.patch: when verifystatus fails, remove
      session id from cache in lib/vtls/openssl.c.
    - CVE-2024-0853

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 31 Jan 2024 11:09:34 -0500

curl (8.5.0-2ubuntu1) noble; urgency=medium

  * Merge with Debian unstable (LP: #2045886). Remaining changes:
    - debian/control: Don't build-depend on python3-impacket on i386
      so we can drop it (and its dependencies) from the i386 partial port.
      It's only used for the tests, which do not block the build in any case.

 -- Danilo Egea Gondolfo <danilo.egea.gondolfo@canonical.com>  Tue, 02 Jan 2024 09:32:27 +0000

curl (8.5.0-2) unstable; urgency=medium

  * d/p/openldap_fix_an_LDAP_crash.patch: New patch to fix ldap segfault
    (closes: #1057855)

 -- Samuel Henrique <samueloph@debian.org>  Fri, 29 Dec 2023 15:34:11 -0300

curl (8.5.0-1) unstable; urgency=medium

  [ Samuel Henrique ]
  * New upstream version 8.5.0
    - Fix CVE-2023-46218: cookie mixed case PSL bypass (closes: #1057646)
    - Fix CVE-2023-46219: HSTS long file name clears contents (closes: #1057645)
  * d/rules: Use pkg-info.mk instead of dpkg-parsechangelog for DEB_VERSION
  * d/p/90_gnutls.patch: Update patch
  * d/p/dist_add_tests_errorcodes_pl_to_the_tarball.patch: Upstream patch to
    fix tests
  * d/p/add_errorcodes_upstream_file.patch: Include missing file from upstream
    tarball

  [ Carlos Henrique Lima Melara ]
  * d/control: change Maintainer field to curl packaging team
  * d/README.Debian: add readme to explain curl's team creation
  * d/control: add myself to Uploaders

 -- Samuel Henrique <samueloph@debian.org>  Wed, 06 Dec 2023 20:15:49 +0000

curl (8.4.0-2ubuntu1) noble; urgency=medium

  * Merge from Debian unstable (LP: #2039798). Remaining changes:
    - debian/control: Don't build-depend on python3-impacket on i386
      so we can drop it (and its dependencies) from the i386 partial port.
      It's only used for the tests, which do not block the build in any case.
  * Drop patches for CVEs fixed upstream:
    - debian/patches/CVE-2023-38039.patch
    - debian/patches/CVE-2023-38545.patch
    - debian/patches/CVE-2023-38546.patch
  * Drop delta merged in Debian:
    - debian/tests/control
    - debian/tests/curl-ldapi-test

 -- Danilo Egea Gondolfo <danilo.egea.gondolfo@canonical.com>  Wed, 01 Nov 2023 12:06:23 +0000

curl (8.4.0-2) unstable; urgency=medium

  * d/rules: set CURL_PATCHSTAMP to package's version, so it shows up in
    "--version" output

 -- Samuel Henrique <samueloph@debian.org>  Sat, 14 Oct 2023 12:19:21 +0100

curl (8.4.0-1) unstable; urgency=medium

  * New upstream version 8.4.0
  * d/libcurl*.symbols: New symbol curl_multi_get_handles
  * d/patches:
    - Remove patches from 8.4.0 release
    - 90_gnutls.patch: Update patch

 -- Samuel Henrique <samueloph@debian.org>  Fri, 13 Oct 2023 00:53:16 +0100

curl (8.3.0-3) unstable; urgency=high

  * Add patches to fix CVE-2023-38545 and CVE-2023-38546

 -- Samuel Henrique <samueloph@debian.org>  Thu, 05 Oct 2023 22:26:40 +0100

curl (8.3.0-2) unstable; urgency=medium

  * d/rules: Add test 3102 to TESTS_FAILS_ON_IPV6_ONLY_MACHINES
  * d/patches: Import two upstream patches to try to fix FTBFS on armel/armhf
    - test650_fix_an_end_tag_typo.patch
    - tests_increase_the_default_server_logs_lock_timeout.patch
  * d/p/lib_use_wrapper_for_curl_mime_data_fseek_callback.patch: New patch to
    fix armel/armhf FTBFS

 -- Samuel Henrique <samueloph@debian.org>  Sun, 01 Oct 2023 15:01:42 +0100

curl (8.3.0-1) unstable; urgency=medium

  * New upstream version 8.3.0
    - Fix CVE-2023-38039: HTTP headers eat all memory
  * debian/: Remove files used for the nss packaging
  * d/patches:
    - Refresh patches
    - gen_pl_escape_all_dashes.patch: Drop merged patch
    - 90_gnutls.patch: Update patch
  * d/libcurl*.symbols: New symbol curl_global_trace

 -- Samuel Henrique <samueloph@debian.org>  Thu, 14 Sep 2023 16:13:10 +0530

curl (8.2.1-2) unstable; urgency=medium

  [ Andreas Hasenack ]
  * Move ldap-test to a script and add retry logic

  [ Samuel Henrique ]
  * Build without nss, dropped by upstream in the next release
  * d/p/gen_pl_escape_all_dashes.patch: New patch to fix manpage generation
    (closes: #1043309, #1043339)

 -- Samuel Henrique <samueloph@debian.org>  Fri, 25 Aug 2023 20:05:02 +0100

curl (8.2.1-1ubuntu3.1) mantic-security; urgency=medium

  * SECURITY UPDATE: SOCKS5 heap buffer overflow
    - debian/patches/CVE-2023-38545.patch: return error if hostname too
      long for remote resolve in lib/socks.c, tests/data/Makefile.inc,
      tests/data/test728.
    - CVE-2023-38545
  * SECURITY UPDATE: cookie injection with none file
    - debian/patches/CVE-2023-38546.patch: remove unnecessary struct fields
      in lib/cookie.c, lib/cookie.h, lib/easy.c.
    - CVE-2023-38546

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 03 Oct 2023 20:03:05 -0400

curl (8.2.1-1ubuntu3) mantic; urgency=medium

  * SECURITY UPDATE: HTTP headers eat all memory
    - debian/patches/CVE-2023-38039.patch: return error when receiving too
      large header set in lib/c-hyper.c, lib/cf-h1-proxy.c, lib/http.c,
      lib/http.h, lib/pingpong.c, lib/urldata.h.
    - CVE-2023-38039

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 11 Sep 2023 09:05:17 -0400

curl (8.2.1-1ubuntu2) mantic; urgency=medium

  * d/t/control, d/t/curl-ldapi-test: move test-command to an actual
    test script and add a retry logic (LP: #2030911)

 -- Andreas Hasenack <andreas@canonical.com>  Wed, 09 Aug 2023 17:10:40 -0300

curl (8.2.1-1ubuntu1) mantic; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Don't build-depend on python3-impacket on i386 so we can drop it
      (and its dependencies) from the i386 partial port.  It's only used for
      the tests, which do not block the build in any case.

 -- Gianfranco Costamagna <locutusofborg@debian.org>  Sat, 05 Aug 2023 16:06:26 +0200

curl (8.2.1-1) unstable; urgency=medium

  [ Samuel Henrique ]
  * New upstream version 8.2.1

  [ Sergio Durigan Junior ]
  * d/p/{90_gnutls,99_nss}.patch:
    Update GNUTls/NSS patches to unbreak tests/http/clients
  * Drop unnecessary patches.
    d/p/CVE-2023-27533.patch
    d/p/CVE-2023-27534.patch
    d/p/CVE-2023-27535.patch
    d/p/CVE-2023-27536.patch
    d/p/CVE-2023-27537.patch
    d/p/CVE-2023-27538.patch
    d/p/CVE-2023-28319.patch
    d/p/CVE-2023-28320-1.patch
    d/p/CVE-2023-28320.patch
    d/p/CVE-2023-28321.patch
    d/p/CVE-2023-28322.patch
    d/p/CVE-2023-32001.patch
    d/p/Use-OpenLDAP-specific-functionality.patch
    d/p/fix-unix-domain-socket.patch

 -- Sergio Durigan Junior <sergiodj@debian.org>  Thu, 03 Aug 2023 20:00:01 -0400

curl (7.88.1-11) unstable; urgency=medium

  [ Carlos Henrique Lima Melara ]
  * Fix CVE-2023-32001: TOCTOU race condition in Curl_fopen():
    - Done by d/p/CVE-2023-32001.patch (Closes: #1041812).

  [ John Scott ]
  * LDAP backend: correct the usage of OpenLDAP-specific functionality being
    disabled with an upstream patch (Closes: #1041964)
    This corrects the improper fetching of binary attributes.
  * debian/tests: add a DEP-8 test that getting binary LDAP attributes works now

 -- Samuel Henrique <samueloph@debian.org>  Fri, 28 Jul 2023 21:11:25 +0100

curl (7.88.1-10ubuntu1) mantic; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Don't build-depend on python3-impacket on i386 so we can drop it
      (and its dependencies) from the i386 partial port.  It's only used for
      the tests, which do not block the build in any case.

 -- Gianfranco Costamagna <locutusofborg@debian.org>  Fri, 19 May 2023 08:46:54 +0200

curl (7.88.1-10) unstable; urgency=medium

  * Add new patches to fix CVEs (closes: #1036239):
    - CVE-2023-28319: UAF in SSH sha256 fingerprint check
    - CVE-2023-28320: siglongjmp race condition
    - CVE-2023-28321: IDN wildcard match
    - CVE-2023-28322: more POST-after-PUT confusion
  * d/libcurl*.symbols: Drop curl_jmpenv, not built anymore due to
    CVE-2023-28320

 -- Samuel Henrique <samueloph@debian.org>  Thu, 18 May 2023 23:43:40 +0100

curl (7.88.1-9ubuntu1) mantic; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Don't build-depend on python3-impacket on i386 so we can drop it
      (and its dependencies) from the i386 partial port.  It's only used for
      the tests, which do not block the build in any case.

 -- Gianfranco Costamagna <locutusofborg@debian.org>  Tue, 02 May 2023 08:47:52 +0200

curl (7.88.1-9) unstable; urgency=medium

  [ Sergio Durigan Junior ]
  * d/p/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch:
    Don't prepend "nss" when opening libnssckbi.so. (Closes: #1034359)

  [ Samuel Henrique ]
  * Update list of tests that fail on IPv6-only envs and don't skip them on
    autopkgtest
  * d/p/fix-unix-domain-socket.patch: Import upstream patch to fix --unix
    (closes: #1033963)

 -- Samuel Henrique <samueloph@debian.org>  Sat, 15 Apr 2023 20:03:44 +0100

curl (7.88.1-8ubuntu1) lunar; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Don't build-depend on python3-impacket on i386 so we can drop it
      (and its dependencies) from the i386 partial port.  It's only used for
      the tests, which do not block the build in any case.

 -- Gianfranco Costamagna <locutusofborg@debian.org>  Mon, 27 Mar 2023 07:50:29 +0200

curl (7.88.1-8) unstable; urgency=medium

  [ Samuel Henrique ]
  * d/gbp.conf: Push gbp conf with sane defaults
  * d/salsa-ci.yml: Disable dh_auto_test with DEB_BUILD_OPTIONS
  * d/rules: Add new build profiles to limit builds to a single TLS backend
  * d/tests: Add new autopkgtests that run curl's test suite

  [ Sergio Durigan Junior ]
  * d/rules: Remove -D_DEB_HOST_ARCH from curl-config's CFLAGS.

 -- Samuel Henrique <samueloph@debian.org>  Sun, 26 Mar 2023 11:36:24 +0100

curl (7.88.1-7ubuntu1) lunar; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Don't build-depend on python3-impacket on i386 so we can drop it
      (and its dependencies) from the i386 partial port.  It's only used for
      the tests, which do not block the build in any case.

 -- Gianfranco Costamagna <locutusofborg@debian.org>  Wed, 22 Mar 2023 11:51:25 +0100

curl (7.88.1-7) unstable; urgency=medium

  * Bump Standards-Version to 4.6.2
  * d/p/06_always-disable-valgrind.patch: Remove unused patch
  * d/patches: Refresh all patches
  * Import 5 new upstream patches fixing CVEs:
    - CVE-2023-27533: TELNET option IAC injection
    - CVE-2023-27534: SFTP path ~ resolving discrepancy
    - CVE-2023-27535: FTP too eager connection reuse
    - CVE-2023-27536: GSS delegation too eager connection re-use
    - CVE-2023-27537: HSTS double-free
    - CVE-2023-27538: SSH connection too eager reuse still

 -- Samuel Henrique <samueloph@debian.org>  Tue, 21 Mar 2023 22:39:05 +0000

curl (7.88.1-6ubuntu1) lunar; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Don't build-depend on python3-impacket on i386 so we can drop it
      (and its dependencies) from the i386 partial port.  It's only used for
      the tests, which do not block the build in any case.

 -- Gianfranco Costamagna <locutusofborg@debian.org>  Mon, 13 Mar 2023 10:10:19 +0100

curl (7.88.1-6) unstable; urgency=medium

  * d/rules: Ignore test results from tests that fail on IPv6-only builders
    (closes: #1032343)
  * d/control: Don't install gnutls-bin for tests on ppc64el (tests hang
    forever)

 -- Samuel Henrique <samueloph@debian.org>  Wed, 08 Mar 2023 20:57:09 +0000

curl (7.88.1-5) unstable; urgency=medium

  * Fix stringification of _DEB_HOST_ARCH macro.
    - d/p/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch:
      Use _DEB_HOST_ARCH directly.
    - d/rules: Quote _DEB_HOST_ARCH when passing it with -D.

 -- Sergio Durigan Junior <sergiodj@debian.org>  Mon, 06 Mar 2023 10:22:32 -0500

curl (7.88.1-4) unstable; urgency=medium

  * d/p/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch:
    Prepend "/nss/" before the library name.

 -- Sergio Durigan Junior <sergiodj@debian.org>  Sun, 05 Mar 2023 18:38:13 -0500

curl (7.88.1-3) unstable; urgency=medium

  * d/p/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch:
    Use correct paths when loading libnss{pem,ckbi}.so. (Closes: #726073)
  * d/rules: Pass _DEB_HOST_ARCH via C{,XX}FLAGS; reenable NSS PEM tests.
  * d/control: B-D on nss-plugin-pem (test only).
    Also, make libcurl3-nss depend on nss-plugin-pem as well.

 -- Sergio Durigan Junior <sergiodj@debian.org>  Sun, 05 Mar 2023 12:59:58 -0500

curl (7.88.1-2) unstable; urgency=medium

  * Multiple test improvements, which will increase the reliability of the
    package, especially when backporting fixes on stable and oldstable:
    - Test results are now critical to the build process, if a test fails,
      the build will fail.
    - Add two new test build-dependencies to increase coverage: locales-all
      and gnutls-bin.
    - Only run non-flaky tests.
    - Print logs of failed tests.
    - Run all tests even if there was a failure.
    - Ignore results of known failing tests (for Debian).
    - Disable valgrind through a test parameter instead of patching
      upstream source code.

 -- Samuel Henrique <samueloph@debian.org>  Fri, 03 Mar 2023 08:28:19 +0000

curl (7.88.1-1ubuntu1) lunar; urgency=medium

  * Merge from Debian unstable (LP: #2008123). Remaining changes:
    + Drop patches for CVEs fixed upstream.
      - debian/patches/CVE-2023-23914_5-1.patch
      - debian/patches/CVE-2023-23914_5-2.patch
      - debian/patches/CVE-2023-23914_5-3.patch
      - debian/patches/CVE-2023-23914_5-4.patch
      - debian/patches/CVE-2023-23914_5-5.patch
      - debian/patches/CVE-2023-23916.patch
    + Don't build-depend on python3-impacket on i386 so we can drop it
      (and its dependencies) from the i386 partial port.  It's only used for
      the tests, which do not block the build in any case.

 -- Danilo Egea Gondolfo <danilo.egea.gondolfo@canonical.com>  Wed, 22 Feb 2023 17:14:26 +0000

curl (7.88.1-1) unstable; urgency=medium

  * New upstream version 7.88.1
    - Fix the following CVEs (closes: #1031371)
      ~ CVE-2023-23916: HTTP multi-header compression denial of service
      ~ CVE-2023-23915: HSTS amnesia with --parallel
      ~ CVE-2023-23914: HSTS ignored on multiple requests
    - Fix curl_multi_socket_action regression (closes: #1029231)
  * d/patches: Drop backported patch added to fix regression in setopt/getinfo
  * d/copyright: Drop removed file from copyright
  * d/control: Update BD to drop transitional package libidn11-dev

 -- Samuel Henrique <samueloph@debian.org>  Mon, 20 Feb 2023 22:35:53 +0000

curl (7.87.0-2ubuntu2) lunar; urgency=medium

  * SECURITY UPDATE: multiple HSTS issues
    - debian/patches/CVE-2023-23914_5-1.patch: add sharing of HSTS cache
      among handles in docs/libcurl/opts/CURLSHOPT_SHARE.3,
      docs/libcurl/symbols-in-versions, include/curl/curl.h, lib/hsts.c,
      lib/hsts.h, lib/setopt.c, lib/share.c, lib/share.h, lib/transfer.c,
      lib/url.c, lib/urldata.h.
    - debian/patches/CVE-2023-23914_5-2.patch: share HSTS between handles
      in src/tool_operate.c.
    - debian/patches/CVE-2023-23914_5-3.patch: handle adding the same host
      name again in lib/hsts.c.
    - debian/patches/CVE-2023-23914_5-4.patch: support crlf="yes" for
      verify/proxy in tests/FILEFORMAT.md, tests/runtests.pl.
    - debian/patches/CVE-2023-23914_5-5.patch: verify hsts with two URLs in
      tests/data/Makefile.inc, tests/data/test446.
    - CVE-2023-23914
    - CVE-2023-23915
  * SECURITY UPDATE: HTTP multi-header compression denial of service
    - debian/patches/CVE-2023-23916.patch: do not reset stage counter for
      each header in lib/content_encoding.c, lib/urldata.h,
      tests/data/Makefile.inc, tests/data/test387, tests/data/test418.
    - CVE-2023-23916

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 17 Feb 2023 08:19:10 -0500

curl (7.87.0-2ubuntu1) lunar; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Don't build-depend on python3-impacket on i386 so we can drop it
      (and its dependencies) from the i386 partial port.  It's only used for
      the tests, which do not block the build in any case.

 -- Gianfranco Costamagna <locutusofborg@debian.org>  Wed, 01 Feb 2023 11:24:47 +0100

curl (7.87.0-2) unstable; urgency=medium

  * d/patches: Add new upstream patch to fix regression in setopt/getinfo
    (closes: #1027564)
  * d/p/build-Divide-mit-krb5...patch: Refresh patch

 -- Samuel Henrique <samueloph@debian.org>  Sun, 15 Jan 2023 21:12:09 +0000

curl (7.87.0-1ubuntu1) lunar; urgency=medium

  * Don't build-depend on python3-impacket on i386 so we can drop it 
    (and its dependencies) from the i386 partial port.  It's only used for
    the tests, which do not block the build in any case.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 08 Jan 2023 00:40:54 +0000

curl (7.87.0-1) unstable; urgency=medium

  * New upstream version 7.87.0
  * d/patches:
    - Update patches
    - Drop all backported patches that are applied in the new release
  * d/copyright: Remove missing file
  * d/*.lintian-overrides: Remove unused overrides

  [ Simon McVittie ]
  * Make -dev packages 'Multi-Arch: same' back again (closes: #1024668)

 -- Samuel Henrique <samueloph@debian.org>  Fri, 23 Dec 2022 20:36:01 +0000

curl (7.86.0-3) unstable; urgency=medium

  * Fix two HSTS-related CVEs.
    - d/p/CVE-2022-43551-another-hsts-bypass-via-idn.patch: use the IDN
      decoded name in HSTS checks.
      (Closes: #1026829, CVE-2022-43551)
    - d/p/CVE-2022-43552-http-proxy-deny-use-after-free.patch: do not free
      smb's/telnet's protocol struct in *_done().
      (Closes: #1026830, CVE-2022-43552)

 -- Sergio Durigan Junior <sergiodj@debian.org>  Wed, 21 Dec 2022 15:55:18 -0500

curl (7.86.0-2) unstable; urgency=medium

  [ Debian Janitor ]
  * Apply multi-arch hints. + libcurl4-gnutls-dev, libcurl4-nss-dev,
    libcurl4-openssl-dev: Drop Multi-Arch: same.

  [ Samuel Henrique ]
  * d/patches: Backport three upstream patches to fix noproxy option.

 -- Samuel Henrique <samueloph@debian.org>  Tue, 15 Nov 2022 21:04:55 +0000

curl (7.86.0-1) unstable; urgency=medium

  * New upstream version 7.86.0
    - Fix HSTS bypass via IDN:
      curl's HSTS check could be bypassed to trick it to keep using HTTP.
      (closes: CVE-2022-42916)
    - Fix HTTP proxy double-free (closes: CVE-2022-42915)
    - Fix .netrc parser out-of-bounds access (closes: CVE-2022-35260)
    - Fix POST following PUT confusion (closes: CVE-2022-32221)

 -- Samuel Henrique <samueloph@debian.org>  Thu, 27 Oct 2022 20:38:24 +0100

curl (7.85.0-1) unstable; urgency=medium

  * New upstream version 7.85.0
    - Fix control code in cookie denial of service:
      When curl retrieves and parses cookies from an HTTP(S) server, it
      accepts cookies using control codes (byte values below 32). When cookies
      that contain such control codes are later sent back to an HTTP(S) server,
      it might make the server return a 400 response. Effectively allowing a
      "sister site" to deny service to siblings
      (closes: #1018831, CVE-2022-35252)
    - Fix FTBFS on riscv64 with gcc-12 (closes: #1015835)
  * Bump Standards-Version to 4.6.1
  * Add lintian overrides for old-style-config-script-multiarch-path triggered
    for curl-config
  * d/patches:
    - 11_omit-directories-from-config.patch: Update patch
    - 20_ftbfs_import_sched.patch: Drop patch, applied upstream
  * d/rules: Fix configure args, remove bogus '--without-ssl'
  * d/copyright: Update the whole file
  * d/(control|watch): Update upstream's URL

 -- Samuel Henrique <samueloph@debian.org>  Fri, 02 Sep 2022 13:00:10 +0100

curl (7.84.0-2) unstable; urgency=medium

  * d/p/20_ftbfs_import_sched.patch: New upstream patch to fix FTBFS
    (closes: #1014596)

 -- Samuel Henrique <samueloph@debian.org>  Mon, 11 Jul 2022 22:50:01 +0100

curl (7.84.0-1) unstable; urgency=medium

  * New upstream version 7.84.0
    - Fix the following CVEs:
      ~ Improper Enforcement of Message Integrity During Transmission in a
        Communication Channel (CVE-2022-32208)
      ~ Improper Preservation of Permissions (CVE-2022-32207)
      ~ Allocation of Resources Without Limits or Throttling (CVE-2022-32205,
        CVE-2022-32206)

 -- Samuel Henrique <samueloph@debian.org>  Mon, 27 Jun 2022 22:06:25 +0100

curl (7.83.1-2) unstable; urgency=medium

  * d/p/fix_multiline_header_regression.patch: New upstream patch to fix
    regression (closes: #1012263, #1011696)

 -- Samuel Henrique <samueloph@debian.org>  Tue, 14 Jun 2022 18:05:23 +0100

curl (7.83.1-1) unstable; urgency=medium

  * New upstream version 7.83.1
    - Fix the following CVEs:
      ~ HSTS bypass via trailing dot (CVE-2022-30115)
      ~ TLS and SSH connection too eager reuse (CVE-2022-27782)
      ~ CERTINFO never-ending busy-loop (CVE-2022-27781)
      ~ percent-encoded path separator in URL host (CVE-2022-27780)
      ~ cookie for trailing dot TLD (CVE-2022-27779)
      ~ curl removes wrong file on error (CVE-2022-27778)

 -- Samuel Henrique <samueloph@debian.org>  Wed, 11 May 2022 17:46:48 +0100

curl (7.83.0-1) unstable; urgency=medium

  * New upstream version 7.83.0
    - Fix auth/cookie leak on redirect (closes: #1010252, CVE-2022-27776)
    - Fix bad local IPv6 connection reuse (closes: #1010253, CVE-2022-27775)
    - Fix credential leak on redirect (closes: #1010254, CVE-2022-27774)
    - Fix OAUTH2 bearer bypass in connection re-use
      (closes: #1010295, CVE-2022-22576)
  * d/libcurl*.symbols: update symbols files to add curl_easy_header and
    curl_easy_nextheader
  * d/patches:
    - Refresh patches
    - 12_fix_openssl_cm_check.patch: remove patch, applied upstream

 -- Samuel Henrique <samueloph@debian.org>  Thu, 28 Apr 2022 18:53:32 +0100

curl (7.82.0-2) unstable; urgency=medium

  * d/p/12_fix_openssl_cm_check.patch: New upstream patch to fix openssl CN
    check (closes: #1007739, #1007740)
  * d/control:
    - Set libcurl4-doc as Multi-Arch: foreign
    - Remove ancient version requirements for dependencies
  * d/salsa-ci.yml: Disable reprotest until it acknowledges
    SALSA_CI_DPKG_BUILDPACKAGE_ARGS

 -- Samuel Henrique <samueloph@debian.org>  Sat, 19 Mar 2022 13:55:00 +0000

curl (7.82.0-1) unstable; urgency=medium

  * New upstream version 7.82.0
  * d/salsa-ci.yml: Add CI definition customized to skip tests (nocheck), to
    avoid long build times
  * Update and refresh patches: 13_fix-man-formatting.patch has been merged
    upstream
  * d/rules:
    - Add --with-nss-deprecated, required to build with nss now
      (upstream will drop support in August)
    - Look for nocheck build profile in DEB_BUILD_PROFILES instead of
      DEB_BUILD_OPTIONS (wider coverage)

 -- Samuel Henrique <samueloph@debian.org>  Sat, 05 Mar 2022 13:40:14 +0000

curl (7.81.0-1) unstable; urgency=medium

  * New upstream version 7.81.0
  * d/p/13_fix-man-formatting.patch: Refresh patch

 -- Samuel Henrique <samueloph@debian.org>  Wed, 05 Jan 2022 09:31:32 -0300

curl (7.80.0-3) unstable; urgency=medium

  * Revert "Revert "debian/control: Add Build-Depends on libssh-dev for
    Ubuntu".

    As per #1002598, the blocker has been solved.

    Note that this does not change Debian's curl to libssh, it still
    uses libssh2.

    Discussions about changing to libssh are ongoing at #897950

 -- Samuel Henrique <samueloph@debian.org>  Sun, 26 Dec 2021 13:22:18 -0300

curl (7.80.0-2) unstable; urgency=medium

  * Revert "debian/control: Add Build-Depends on libssh-dev for Ubuntu"
    (closes: #1002597)
    The change had side effects on Debian due to the inclusion of the new
    Build-dep, even though it doesn't change the resulting binary. It causes
    issues for architecture bootstrapping.

    We are gonna reintroduce this change once the issues are fixed, to allow
    Ubuntu to remove its delta.

    See discussions at #1002598 and #1002597 for details

 -- Samuel Henrique <samueloph@debian.org>  Sat, 25 Dec 2021 10:47:13 -0300

curl (7.80.0-1) unstable; urgency=medium

  [ Samuel Henrique ]
  * New upstream version 7.80.0
  * Bump Standards-Version to 4.6.0
  * Add new symbol curl_url_strerror to symbols files
  * Compile with zstd support (closes: #983660)
  * d/p/12_use-python3-in-tests.patch: Drop patch, merged upstream
  * d/p/13_fix-man-formatting.patch: Update patch
  * d/p/14_fix-compatibility-impacket-0-9-23.patch: Drop patch, merged upstream

  [ Jeremy Bicha ]
  * debian/control: Add Build-Depends on libssh-dev for Ubuntu

 -- Samuel Henrique <samueloph@debian.org>  Fri, 24 Dec 2021 11:42:57 -0300

curl (7.79.1-2) unstable; urgency=medium

  * d/rules: Make test failures non-fatal again.
    Unfortunately there are some test failures happening on a few
    architectures, so we have to make the build pass even if not all tests
    are succeeding, at least until we have time to properly investigate
    the reason for these failures.

 -- Sergio Durigan Junior <sergiodj@debian.org>  Mon, 08 Nov 2021 23:54:35 -0500

curl (7.79.1-1) unstable; urgency=medium

  [ Samuel Henrique ]
  * Add myself as an Uploader
  * Add sergiodj as an uploader
  * New upstream version 7.79.1 (closes: #989046)
    - Changes since 7.74.0:
      ~ vtls: fix connection reuse checks for issuer cert and case sensitivity
      (closes: #991492, CVE-2021-22924)
      ~ Fix User-Agent header missing in some cases (closes: #994940)
      ~ Fix TELNET stack contents disclosure (closes: #989228, CVE-2021-22898)
  * d/rules: Add --with-{openssl|gnutls|nss} to configure args
  * Update all patches.
     Remove patches:
     - 07_do-not-disable-debug-symbols: Obsolete as per
       https://github.com/curl/curl/issues/7216.
     - 14_transfer-strip-credentials-from-the-auto-referer-hea:
       Originally from upstream, part of the release now.
     - 15_vtls-add-isproxy-argument-to-Curl_ssl_get-addsession:
       Originally from upstream, part of the release now.
     - fix-regression-microseconds-instead-of-seconds:
       Originally from upstream, part of the release now.
     Update patches:
     - 12_use-python3-in-tests: Update and forward upstream.
     - 90_gnutls: Update
     - 99_nss: Update
     - 13_fix-man-formatting: Update

  [ Debian Janitor ]
  * Use secure URI in Homepage field.
  * Set debhelper-compat version in Build-Depends.
  * Set upstream metadata fields: Bug-Database,
    Bug-Submit (from ./configure), Repository, Repository-Browse.
  * Avoid explicitly specifying -Wl,--as-needed linker flag.

  [ Helmut Grohne ]
  * Also remove -ffile-prefix-map from curl-config (closes: #990128)
  * Explicitly disable zstd support (closes: #992505)

  [ Sergio Durigan Junior ]
  * d/control: Add Rules-Requires-Root: no.
  * d/copyright: Add public-domain license text.
  * Enable GPG-checking of orig tarball.
    - d/upstream/signing-key.asc: Upstream public key.
    - d/watch: Add "pgpmode=auto" as an option.
  * Bump debhelper-compat to 13.
    - d/control: B-D on debhelper-compat = 13.
    - d/rules: After the override_dh_auto_install target has been run,
      we know that we can safely get rid of the contents inside the
      debian/tmp/ directory.  This is needed because otherwise dh_missing
      will complain about uninstalled files, which will make the build
      fail when using debhelper-compat 13.
  * d/rules: Some minor cleanup and removal of unneeded comments.
  * d/rules: Honour "nocheck" build option.
  * Make OpenSSL and GNUTLS builds fail if tests fail
    - d/rules: Adjust rule to make OpenSSL and GNUTLS builds fail if their
      tests fail.  Unfortunately, it's still not possible to make the NSS
      build fail if its tests fail; we're still investigating the failures
      there with it.
    - d/p/14_fix-compatibility-impacket-0-9-23.patch: Needed patch
      to make tests pass with impacket 0.9.23+.

 -- Samuel Henrique <samueloph@debian.org>  Mon, 08 Nov 2021 21:14:47 +0000

curl (7.74.0-1.3) unstable; urgency=medium

  * Non-maintainer upload.
  * Add upstream patch bc7ecc7 so curl -w times shown as seconds with
    fractions (Closes: #989064)

 -- Paul Gevers <elbrus@debian.org>  Fri, 25 Jun 2021 20:59:54 +0200

curl (7.74.0-1.2) unstable; urgency=medium

  * Non-maintainer upload.
  * transfer: strip credentials from the auto-referer header field
    (CVE-2021-22876) (Closes: #986269)
  * vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
    (CVE-2021-22890) (Closes: #986270)

 -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 03 Apr 2021 14:43:39 +0200

curl (7.74.0-1.1) unstable; urgency=medium

  * Non-maintainer upload.

  [ Bruno Kleinert ]
  * Fixed "Please build-depend on libidn2-dev instead of obsolete transition
    package libidn2-0-dev" (Closes: #974996)

 -- Samuel Henrique <samueloph@debian.org>  Wed, 10 Feb 2021 00:42:40 +0000

curl (7.74.0-1) unstable; urgency=medium

  * New upstream release
    + Fix inferior OCSP verification as per CVE-2020-8286 (Closes: #977161)
      https://curl.se/docs/CVE-2020-8286.html
    + Fix FTP wildcard stack overflow as per CVE-2020-8285 (Closes: #977162)
      https://curl.se/docs/CVE-2020-8285.html
    + Fix trusting FTP PASV responses as per CVE-2020-8284 (Closes: #977163)
      https://curl.se/docs/CVE-2020-8284.html
  * Update debian/watch to new upstream download page layout
  * Update 12_use-python3-in-tests.patch due to renamed file
  * Refresh patches
  * Fix cross-build due to python build dependencies.
    Thanks to Helmut Grohne for the patch (Closes: #969004)
  * Fix formatting in some man pages.
    Thanks to Bjarni Ingi Gislason for the patch (Closes: #963559)
  * Update list of documentation files to install
  * Update symbols
  * Bump Standards-Version to 4.5.1 (no changes needed)
  * Drop removed file from d/copyright

 -- Alessandro Ghedini <ghedo@debian.org>  Thu, 31 Dec 2020 15:22:05 +0100

curl (7.72.0-1) unstable; urgency=medium

  * New upstream release
    + Fix partial password leak over DNS on HTTP redirect as per CVE-2020-8169
      (Closes: #965280)
      https://curl.haxx.se/docs/CVE-2020-8169.html
    + Fix local file overwrite with -J option as per CVE-2020-8177
      (Closes: #965281)
      https://curl.haxx.se/docs/CVE-2020-8177.html
    + Fix wrong connect-only connection as per CVE-2020-8231 (Closes: #968831)
      https://curl.haxx.se/docs/CVE-2020-8231.html
  * Refresh patches
  * Do not install *.la files.
    Thanks to Pino Toscano for the patch. (Closes: #955785)
  * Update list of doc files
  * Update copyright for polarssl -> mbedtls rename
  * Use python3 executable in tests

 -- Alessandro Ghedini <ghedo@debian.org>  Mon, 24 Aug 2020 10:26:12 +0200

curl (7.68.0-1) unstable; urgency=medium

  * New upstream release
  * Bump Standards-Version to 4.5.0 (no changes needed)
  * Update symbols files
  * Configure default CA file with OpenSSL again (Closes: #948441)

 -- Alessandro Ghedini <ghedo@debian.org>  Sat, 22 Feb 2020 14:37:19 +0000

curl (7.67.0-2) unstable; urgency=medium

  * Restore :native annotation for python3 Build-Depends.
    Thanks to Helmut Grohne for the patch (Closes: #945928)

 -- Alessandro Ghedini <ghedo@debian.org>  Sun, 01 Dec 2019 13:29:28 +0000

curl (7.67.0-1) unstable; urgency=medium

  * New upstream release
  * Replace python with python3 in Build-Depends (Closes: #942984)
  * Bump Standards-Version to 4.4.1 (no changes needed)

 -- Alessandro Ghedini <ghedo@debian.org>  Sat, 30 Nov 2019 12:45:07 +0000

curl (7.66.0-1) unstable; urgency=medium

  * New upstream release (Closes: #940024)
    + Fix FTP-KRB double-free as per CVE-2019-5481 (Closes: #940009)
      https://curl.haxx.se/docs/CVE-2019-5481.html
    + Fix TFTP small blocksize heap buffer overflow as per CVE-2019-5482
      (Closes: #940010)
      https://curl.haxx.se/docs/CVE-2019-5482.html
  * Refresh patches
  * Enable brotli support (Closes: #940129)
  * Update *.symbols files

 -- Alessandro Ghedini <ghedo@debian.org>  Sun, 15 Sep 2019 15:47:05 +0100

curl (7.65.3-1) unstable; urgency=medium

  * New upstream release
  * Drop 12_fix-man-errors.patch (merged upstream)
  * Remove Ian Jackson from Uploaders as he has never done an upload

 -- Alessandro Ghedini <ghedo@debian.org>  Fri, 09 Aug 2019 19:45:02 +0100

curl (7.65.1-1) unstable; urgency=medium

  * New upstream release
    + Reduce verbose output (Closes: #926148)
    + Fix parsing URLs with link local addresses (Closes: #926812)
  * Drop patches merged upstream
  * Refresh patches
  * Bump Standards-Version to 4.4.0 (no changes needed)
  * Update entry in copyright for renamed files
  * Fix some man errors.
    Thanks to Bjarni Ingi Gislason for the patch (Closes: #926352)
  * Add Build-Depends-Package field to symbols files

 -- Alessandro Ghedini <ghedo@debian.org>  Sat, 13 Jul 2019 12:37:09 +0100

# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog libcurl3t64-gnutls`.

Generated by dwww version 1.16 on Sat Dec 13 16:16:02 CET 2025.