lp://staging/ubuntu/quantal-updates/curl

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

70. By Marc Deslauriers on 2014-04-01

* SECURITY UPDATE: wrong re-use of connections
  - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
    HTTP logic, and extend new connection logic to other protocols in
    lib/http.c, lib/url.c, lib/urldata.h, add new tests to
    tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
  - CVE-2014-0138
* SECURITY UPDATE: incorrect wildcard SSL certificate validation with
  literal IP addresses
  - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
    lib/ssluse.c.
  - CVE-2014-0139
* debian/patches/fix_test172.path: fix expired cookie causing test to
  fail.
* debian/patches/disable_test519.path: disable test 519 as security
  update causes it to hang. Fixing this would require backporting new
  logic into tests/server/sws.c.

69. By Marc Deslauriers on 2014-01-31

* SECURITY UPDATE: information disclosure via incorrect NTLM credential
  reuse
  - debian/patches/CVE-2014-0015.patch: don't reuse connections if NTLM
    auth is used in lib/url.c.
  - CVE-2014-0015

68. By Marc Deslauriers on 2013-12-17

* SECURITY UPDATE: missing CN verification when signature verification is
  disabled in GnuTLS backend.
  - debian/patches/CVE-2013-6422.patch: still verify host when
    CURLOPT_SSL_VERIFYPEER isn't set in lib/gtls.c.
  - CVE-2013-6422

67. By Marc Deslauriers on 2013-12-06

* SECURITY REGRESSION: can't disable cert checking in command line tool
  (LP: #1258366)
  - debian/patches/CVE-2013-4545.patch: properly disable host
    verification when insecure mode is used in src/tool_operate.c.
  - CVE-2013-4545

66. By Marc Deslauriers on 2013-11-29

* SECURITY UPDATE: missing CN verification when signature verification is
  disabled.
  - debian/patches/CVE-2013-4545.patch: still verify host when
    CURLOPT_SSL_VERIFYPEER isn't set in lib/ssluse.c.
  - CVE-2013-4545

65. By Marc Deslauriers on 2013-06-27

* SECURITY UPDATE: denial of service and possible code execution via
  heap overflow in URL decoder
  - debian/patches/CVE-2013-2174.patch: fix overflow in lib/escape.c,
    added tests to tests/data/Makefile.am, tests/data/test1396,
    tests/unit/Makefile.inc, tests/unit/unit1396.c.
  - CVE-2013-2174

64. By Seth Arnold on 2013-04-10

* SECURITY UPDATE: Incorrect cookie domain handling in tailmatch()
  - debian/patches/05_curl-tailmatch.patch: enforce strict subdomain match
    when sending cookies. Patch from YAMADA Yasuharu.
  - http://curl.haxx.se/curl-tailmatch.patch
  - CVE-2013-1944

63. By Marc Deslauriers on 2013-02-12

* SECURITY UPDATE: arbitrary code execution via sasl buffer overflow
  - debian/patches/CVE-2013-0249.patch: properly limit lengths in
    lib/curl_sasl.c.
  - CVE-2013-0249

62. By Colin Watson on 2012-08-20

* Resynchronise with Debian. Remaining changes:
  - Drop dependencies not in main:
    + Build-Depends: Drop stunnel4 and libssh2-1-dev.
    + Drop libssh2-1-dev from binary package Depends.
  - Add new libcurl3-udeb package.
  - Add new curl-udeb package.

61. By Colin Watson on 2012-05-28

* Resynchronise with Debian. Remaining changes:
  - Drop dependencies not in main:
    + Build-Depends: Drop stunnel4 and libssh2-1-dev.
    + Drop libssh2-1-dev from binary package Depends.
  - Add new libcurl3-udeb package.
  - Add new curl-udeb package.
* Adjust udeb configure flags handling to something easier to merge in
  future.