lp://staging/ubuntu/lucid-security/curl

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

51. By Marc Deslauriers on 2015-01-14

* SECURITY UPDATE: URL request injection
  - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
    lib/url.c.
  - CVE-2014-8150

50. By Marc Deslauriers on 2014-11-06

* SECURITY UPDATE: sensitive data disclosure via duphandle read out of
  bounds
  - debian/patches/CVE-2014-3707.patch: properly copy memory aread in
    lib/formdata.c, lib/strdup.{c,h}, lib/url.c, lib/urldata.h,
    src/Makefile.inc.
  - CVE-2014-3707

49. By Marc Deslauriers on 2014-09-12

* SECURITY UPDATE: incorrect cookie handling via partial literal IP
  addresses
  - debian/patches/CVE-2014-3613.patch: only use full host matches for
    hosts used as IP address in lib/cookie.c, added tests to
    tests/data/test1105, tests/data/test31, tests/data/test8.
  - CVE-2014-3613
* debian/patches/disable_test519.path: disable test 519 as previous
  security update causes it to hang.
* debian/patches/versioned: added Curl_* so test suite works during
  build.

48. By Marc Deslauriers on 2014-04-14

* SECURITY UPDATE: wrong re-use of connections
  - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
    HTTP logic, and extend new connection logic to other protocols in
    lib/http.c, lib/url.c, lib/urldata.h, add new tests to
    tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
  - CVE-2014-0138
* SECURITY UPDATE: incorrect wildcard SSL certificate validation with
  literal IP addresses
  - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
    lib/ssluse.c.
  - CVE-2014-0139
* debian/patches/fix_test172.path: fix expired cookie causing test to
  fail.
* debian/patches/disable_test519.path: disable test 519 as security
  update causes it to hang. Fixing this would require backporting new
  logic into tests/server/sws.c.

47. By Marc Deslauriers on 2014-01-31

* SECURITY UPDATE: information disclosure via incorrect NTLM credential
  reuse
  - debian/patches/CVE-2014-0015.patch: don't reuse connections if NTLM
    auth is used in lib/url.c.
  - CVE-2014-0015

46. By Marc Deslauriers on 2013-12-06

* SECURITY REGRESSION: can't disable cert checking in command line tool
  (LP: #1258366)
  - debian/patches/CVE-2013-4545.patch: properly disable host
    verification when insecure mode is used in src/main.c.
  - CVE-2013-4545

45. By Marc Deslauriers on 2013-11-29

* SECURITY UPDATE: missing CN verification when signature verification is
  disabled.
  - debian/patches/CVE-2013-4545.patch: still verify host when
    CURLOPT_SSL_VERIFYPEER isn't set in lib/ssluse.c.
  - CVE-2013-4545

44. By Marc Deslauriers on 2013-06-27

* SECURITY UPDATE: denial of service and possible code execution via
  heap overflow in URL decoder
  - debian/patches/CVE-2013-2174.patch: fix overflow in lib/escape.c.
  - CVE-2013-2174

43. By Seth Arnold on 2013-04-11

* SECURITY UPDATE: Incorrect cookie domain handling in tailmatch()
  - debian/patches/curl-tailmatch.patch: enforce strict subdomain match
    when sending cookies. Patch from YAMADA Yasuharu.
  - http://curl.haxx.se/curl-tailmatch.patch
  - CVE-2013-1944

42. By Steve Beattie on 2011-06-08

* SECURITY UPDATE: libcurl unconditional credential delegation during
  GSSAPI authentication vulnerability.
  - debian/patches/0001-Curl_input_negotiate-do-not-delegate-credentials.patch:
    do not delegate credentials when doing GSSAPI authentication
  - CVE-2011-2192
* SECURITY UPDATE: libcurl zlib automatic decompression callback
  data buffer overflow
  - debian/patches/libcurl-contentencoding.patch: restrict amount of
    callback data sent to an application
  - CVE-2010-0734