UbuntuUpdates.org

Package "libcurl3-nss"

Name: libcurl3-nss

Description:

easy-to-use client-side URL transfer library (NSS flavour)

Latest version: 7.58.0-2ubuntu3.24
Release: bionic (18.04)
Level: security
Repository: main
Head package: curl
Homepage: http://curl.haxx.se

Links


Download "libcurl3-nss"


Other versions of "libcurl3-nss" in Bionic

Repository Area Version
base main 7.58.0-2ubuntu3
updates main 7.58.0-2ubuntu3.24

Changelog

Version: 7.58.0-2ubuntu3.19 2022-06-27 16:06:22 UTC

  curl (7.58.0-2ubuntu3.19) bionic-security; urgency=medium

  * SECURITY UPDATE: HTTP compression denial of service
    - debian/patches/CVE-2022-32206.patch: return error on too many
      compression steps in lib/content_encoding.c.
    - CVE-2022-32206
  * SECURITY UPDATE: FTP-KRB bad msg verification
    - debian/patches/CVE-2022-32208.patch: return error properly
      on decode errors in lib/krb5.c.
    - CVE-2022-32208

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 22 Jun 2022 13:00:50 -0300

Source diff to previous version

Version: 7.58.0-2ubuntu3.18 2022-05-11 14:06:19 UTC

  curl (7.58.0-2ubuntu3.18) bionic-security; urgency=medium

  * SECURITY UPDATE: CERTINFO never-ending busy-loop
    - debian/patches/CVE-2022-27781.patch: return error if seemingly stuck
      in a cert loop in lib/vtls/nss.c.
    - CVE-2022-27781
  * SECURITY UPDATE: TLS and SSH connection too eager reuse
    - debian/patches/CVE-2022-27782.patch: check more TLS details for
      connection reuse in lib/setopt.c, lib/url.c, lib/urldata.h,
      lib/vtls/gtls.c, lib/vtls/openssl.c, lib/vtls/nss.c, lib/vtls/vtls.c.
    - CVE-2022-27782

 -- Marc Deslauriers <email address hidden> Mon, 09 May 2022 14:12:53 -0400

Source diff to previous version
CVE-2022-27781 curl: CERTINFO never-ending busy-loop
CVE-2022-27782 curl: TLS and SSH connection too eager reuse

Version: 7.58.0-2ubuntu3.17 2022-04-28 20:06:22 UTC

  curl (7.58.0-2ubuntu3.17) bionic-security; urgency=medium

  * SECURITY UPDATE: OAUTH2 bypass
    - debian/patches/CVE-2022-22576.patch: check sasl additional
      parameters for conn resuse in lib/strcase.c, lib/strcase.h,
      lib/url.c, lib/urldata.h, lib/vtls/vtls.c.
    - CVE-2022-22576
  * SECURITY UPDATE: Credential leak on redirect
    - debian/patches/CVE-2022-27774-1.patch: store conn_remote_port
      in the info struct to make it available after the connection ended
      in lib/connect.c, lib/urldata.h.
    - debian/patches/CVE-2022-27774-2.patch: redirects to other protocols
      or ports clear auth in lib/transfer.c.
    - debian/patches/CVE-2022-27774-3*.patch: adds tests to verify
      these fix in tests/data/Makefile.inc, tests/data/test973,
      tests/data/test974, tests/data/test975, tests/data/test976.
    - CVE-2022-27774
  * SECURITY UPDATE: Bad local IPV6 connection reuse
    - debian/patches/CVE-2022-27775.patch: include the zone id in the
      'bundle' haskey in lib/conncache.c.
    - CVE-2022-27775
  * SECURITY UPDATE: Auth/cookie leak on redirect
    - debian/patches/CVE-2022-27776.patch: avoid auth/cookie on redirects
      same host diff port in lib/http.c, lib/urldata.h.
    - CVE-2022-27776

 -- Leonidas Da Silva Barbosa <email address hidden> Mon, 25 Apr 2022 14:19:19 -0300

Source diff to previous version
CVE-2022-22576 OAUTH2 bearer bypass in connection re-use
CVE-2022-27774 Credential leak on redirect
CVE-2022-27775 Bad local IPv6 connection reuse
CVE-2022-27776 Auth/cookie leak on redirect

Version: 7.58.0-2ubuntu3.16 2021-09-21 13:06:17 UTC

  curl (7.58.0-2ubuntu3.16) bionic-security; urgency=medium

  * SECURITY REGRESSION: regression in smtp starttls (LP: #1944120)
    - debian/patches/CVE-2021-22947.patch: fix bad patch backport.

 -- Marc Deslauriers <email address hidden> Mon, 20 Sep 2021 08:02:14 -0400

Source diff to previous version
1944120 Regression in USN-5079-1
CVE-2021-22947 STARTTLS protocol injection via MITM

Version: 7.58.0-2ubuntu3.15 2021-09-15 12:06:19 UTC

  curl (7.58.0-2ubuntu3.15) bionic-security; urgency=medium

  * SECURITY UPDATE: Protocol downgrade required TLS bypassed
    - debian/patches/CVE-2021-22946-pre1.patch: separate FTPS from FTP over
      HTTPS proxy in lib/ftp.c, lib/urldata.h.
    - debian/patches/CVE-2021-22946.patch: do not ignore --ssl-reqd in
      lib/ftp.c, lib/imap.c, lib/pop3.c, tests/data/Makefile.inc,
      tests/data/test984, tests/data/test985, tests/data/test986.
    - CVE-2021-22946
  * SECURITY UPDATE: STARTTLS protocol injection via MITM
    - debian/patches/CVE-2021-22947.patch: reject STARTTLS server response
      pipelining in lib/ftp.c, lib/imap.c, lib/pop3.c, lib/smtp.c,
      tests/data/Makefile.inc, tests/data/test980, tests/data/test981,
      tests/data/test982, tests/data/test983.
    - CVE-2021-22947

 -- Marc Deslauriers <email address hidden> Fri, 10 Sep 2021 10:29:24 -0400

CVE-2021-22946 Protocol downgrade required TLS bypassed
CVE-2021-22947 STARTTLS protocol injection via MITM



About   -   Send Feedback to @ubuntu_updates