UbuntuUpdates.org

Package "libcurl4"

Name: libcurl4

Description:

easy-to-use client-side URL transfer library (OpenSSL flavour)

Latest version: 7.58.0-2ubuntu3.16
Release: bionic (18.04)
Level: updates
Repository: main
Head package: curl
Homepage: http://curl.haxx.se

Other versions of "libcurl4" in Bionic

Repository Area Version
security main 7.58.0-2ubuntu3.16
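The practical question on a bionic host is whether the installed libcurl4 is at or past the version that fixed each CVE below. Debian package versions are not plain dotted numbers (they carry an optional epoch, a Debian revision after the last "-", and a "~" that sorts before the empty string), so a string or float comparison gets them wrong. The following script, an added example that is not part of this page or of the curl/Ubuntu packaging, reimplements dpkg's version ordering and checks an installed version against a fixed-in table built from the changelog entries on this page. The helper names are this example's own; `dpkg-query --showformat` is a real dpkg command.

```python
import re
import subprocess

# Fixed-in versions for the CVEs in this page's changelog. CVE-2021-22947 is mapped to
# 3.16 rather than 3.15 because 3.16 corrects the bad backport of that patch (LP: #1944120).
FIXED_IN = {
    "CVE-2020-8284": "7.58.0-2ubuntu3.12",
    "CVE-2020-8285": "7.58.0-2ubuntu3.12",
    "CVE-2020-8286": "7.58.0-2ubuntu3.12",
    "CVE-2021-22876": "7.58.0-2ubuntu3.13",
    "CVE-2021-22898": "7.58.0-2ubuntu3.14",
    "CVE-2021-22924": "7.58.0-2ubuntu3.14",
    "CVE-2021-22925": "7.58.0-2ubuntu3.14",
    "CVE-2021-22946": "7.58.0-2ubuntu3.15",
    "CVE-2021-22947": "7.58.0-2ubuntu3.16",
}


def _weight(c):
    """dpkg's character order for the non-digit runs of a version string:
    '~' sorts before everything (even the empty string), then end-of-string,
    then letters, then every other character."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(x, y):
    for i in range(max(len(x), len(y))):
        d = _weight(x[i] if i < len(x) else "") - _weight(y[i] if i < len(y) else "")
        if d:
            return -1 if d < 0 else 1
    return 0


def _cmp_part(a, b):
    """dpkg's verrevcmp: alternate a non-digit run (lexical, via _weight) and a
    digit run (numeric) until both strings are consumed."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def split_version(v):
    """[epoch:]upstream_version[-debian_revision] -> (epoch, upstream, revision)."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """-1, 0 or 1, ordered the same way as `dpkg --compare-versions`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def unfixed_cves(installed, fixed_in=FIXED_IN):
    """CVEs from the table whose fixing version is newer than what is installed."""
    return sorted(cve for cve, fixed in fixed_in.items()
                  if compare_versions(installed, fixed) < 0)


def installed_version(package="libcurl4"):
    """Ask dpkg for the installed version; None if the package is not installed."""
    out = subprocess.run(["dpkg-query", "-W", "--showformat=${Version}", package],
                         capture_output=True, text=True)
    return out.stdout.strip() or None


if __name__ == "__main__":
    v = installed_version()
    print(v, unfixed_cves(v) if v else "not installed")
```

Note that "-2ubuntu3.9" correctly sorts below "-2ubuntu3.16" (the digit runs compare numerically), and an epoch such as "1:" outranks any non-epoch version, which is why a naive string comparison would misreport both.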

Changelog

Version: 7.58.0-2ubuntu3.16 2021-09-21 14:06:15 UTC

  curl (7.58.0-2ubuntu3.16) bionic-security; urgency=medium

  * SECURITY REGRESSION: regression in smtp starttls (LP: #1944120)
    - debian/patches/CVE-2021-22947.patch: fix bad patch backport.

 -- Marc Deslauriers <email address hidden> Mon, 20 Sep 2021 08:02:14 -0400

1944120 Regression in USN-5079-1
CVE-2021-22947 STARTTLS protocol injection via MITM

Version: 7.58.0-2ubuntu3.15 2021-09-15 12:06:20 UTC

  curl (7.58.0-2ubuntu3.15) bionic-security; urgency=medium

  * SECURITY UPDATE: Protocol downgrade required TLS bypassed
    - debian/patches/CVE-2021-22946-pre1.patch: separate FTPS from FTP over
      HTTPS proxy in lib/ftp.c, lib/urldata.h.
    - debian/patches/CVE-2021-22946.patch: do not ignore --ssl-reqd in
      lib/ftp.c, lib/imap.c, lib/pop3.c, tests/data/Makefile.inc,
      tests/data/test984, tests/data/test985, tests/data/test986.
    - CVE-2021-22946
  * SECURITY UPDATE: STARTTLS protocol injection via MITM
    - debian/patches/CVE-2021-22947.patch: reject STARTTLS server response
      pipelining in lib/ftp.c, lib/imap.c, lib/pop3.c, lib/smtp.c,
      tests/data/Makefile.inc, tests/data/test980, tests/data/test981,
      tests/data/test982, tests/data/test983.
    - CVE-2021-22947

 -- Marc Deslauriers <email address hidden> Fri, 10 Sep 2021 10:29:24 -0400

CVE-2021-22946 Protocol downgrade required TLS bypassed
CVE-2021-22947 STARTTLS protocol injection via MITM
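The two fixes in 3.15 are both about what a STARTTLS client does with the plaintext phase of the session. CVE-2021-22946: with TLS required (--ssl-reqd / CURLUSESSL_ALL), the client must abort when the server does not offer or refuses STARTTLS, instead of carrying on in cleartext, which is exactly what an on-path attacker stripping the capability wants. CVE-2021-22947: bytes that arrive in the same read as the positive STARTTLS reply were sent before the TLS handshake, so they came from whoever controls the plaintext path; a client that leaves them in its receive buffer later parses them as the first "TLS-protected" reply. The fix is to reject any such pipelined data. The simulation below, an added example and not code from curl or the Ubuntu package, runs both checks over constructed SMTP exchanges; `ScriptedServer`, `read_reply` and `negotiate_starttls` are this example's own names, and the pre-fix CVE-2021-22946 behaviour corresponds to running it with `require_tls=False`.

```python
class ScriptedServer:
    """Constructed stand-in for an SMTP server, or for a MITM in front of one:
    every send() from the client pops the next canned response."""
    def __init__(self, responses):
        self.responses = list(responses)
        self.sent = []

    def send(self, data):
        self.sent.append(data)

    def recv(self):
        return self.responses.pop(0) if self.responses else b""


def read_reply(buf, server):
    """Read one complete SMTP reply (single or multi-line, RFC 5321 4.2.1).
    Returns (code, lines, leftover); leftover is whatever arrived in the same
    read but belongs to no reply the client has asked for yet."""
    while True:
        lines, pos = [], 0
        while True:
            end = buf.find(b"\r\n", pos)
            if end < 0:
                break
            line = buf[pos:end].decode("ascii", "replace")
            pos = end + 2
            if not line[:3].isdigit():
                raise ValueError("malformed reply line: %r" % line)
            lines.append(line)
            if len(line) < 4 or line[3] == " ":          # final line of this reply
                return int(lines[0][:3]), lines, buf[pos:]
        more = server.recv()
        if not more:
            raise ConnectionError("connection closed mid-reply")
        buf += more


def negotiate_starttls(server, require_tls, reject_pipelining):
    """greeting -> EHLO -> STARTTLS. require_tls is the --ssl-reqd policy,
    reject_pipelining the CVE-2021-22947 fix. Returns the client's next step."""
    buf = b""
    code, _, buf = read_reply(buf, server)                  # 220 greeting
    server.send(b"EHLO client.example\r\n")
    code, lines, buf = read_reply(buf, server)
    caps = set()
    for line in lines[1:]:
        words = line[4:].split()
        if words:
            caps.add(words[0].upper())
    if "STARTTLS" not in caps:
        if require_tls:
            return "abort: server offers no STARTTLS but TLS is required"
        return "plaintext"
    server.send(b"STARTTLS\r\n")
    code, _, buf = read_reply(buf, server)
    if code != 220:
        if require_tls:
            return "abort: STARTTLS refused but TLS is required"
        return "plaintext"
    if buf:
        # Data after the 220 was sent before the handshake, i.e. in the clear.
        if reject_pipelining:
            return "abort: data after STARTTLS reply (CVE-2021-22947)"
        return "tls (injected reply kept in buffer: %r)" % buf
    return "tls"   # handshake would start here with an empty receive buffer


# Constructed exchanges.
GREETING = b"220 mail.example ESMTP\r\n"
CAPS_WITH_TLS = b"250-mail.example\r\n250-STARTTLS\r\n250 OK\r\n"
HONEST = [GREETING, CAPS_WITH_TLS, b"220 Go ahead\r\n"]
STRIPPED = [GREETING, b"250-mail.example\r\n250 OK\r\n"]             # MITM removed STARTTLS
INJECTED = [GREETING, CAPS_WITH_TLS,
            b"220 Go ahead\r\n250 2.1.0 injected by attacker\r\n"]   # MITM pipelined a reply


def run(script, require_tls=True, reject_pipelining=True):
    return negotiate_starttls(ScriptedServer(script), require_tls, reject_pipelining)


if __name__ == "__main__":
    for name, script in ("honest", HONEST), ("stripped", STRIPPED), ("injected", INJECTED):
        print(name, "fixed:", run(script), "| pre-fix:", run(script, False, False))
```

The same shape applies to POP3 (STLS), IMAP (STARTTLS) and FTP (AUTH TLS), which is why the patch touches all four protocol files: the check is "nothing may follow the go-ahead reply in the buffer", independent of the command syntax.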

Version: 7.58.0-2ubuntu3.14 2021-07-22 21:06:19 UTC

  curl (7.58.0-2ubuntu3.14) bionic-security; urgency=medium

  * SECURITY UPDATE: TELNET stack contents disclosure
    - debian/patches/CVE-2021-22898.patch: check sscanf() for correct
      number of matches in lib/telnet.c.
    - CVE-2021-22898
  * SECURITY UPDATE: Bad connection reuse due to flawed path name checks
    - debian/patches/CVE-2021-22924.patch: fix connection reuse checks for
      issuer cert and case sensitivity in lib/url.c, lib/urldata.h,
      lib/vtls/gtls.c, lib/vtls/nss.c, lib/vtls/openssl.c, lib/vtls/vtls.c.
    - CVE-2021-22924
  * SECURITY UPDATE: TELNET stack contents disclosure again
    - debian/patches/CVE-2021-22925.patch: fix option parser to not send
      uninitialized contents in lib/telnet.c.
    - CVE-2021-22925

 -- Marc Deslauriers <email address hidden> Wed, 21 Jul 2021 08:37:41 -0400

CVE-2021-22898 curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is use
CVE-2021-22924 Bad connection reuse due to flawed path name checks
CVE-2021-22925 TELNET stack contents disclosure again
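CVE-2021-22924 is a connection-cache design problem rather than a parsing bug: a cached TLS connection may only be handed to a new request if it was validated under the same trust configuration, and the pre-fix check both ignored the issuer certificate setting and compared CA file and path names case-insensitively, so a request pinned to a different file (or to a differently-cased path on a case-sensitive filesystem) could silently ride an existing connection. The example below, added here and not the curl project's code, contrasts the two matching rules inside a minimal connection cache; `SslConfig`, `ConnectionCache` and the two `ssl_match_*` functions are names of this example's own.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SslConfig:
    """TLS parameters a cached connection was opened with (a subset of what
    libcurl keeps per connection; field names are this example's own)."""
    verify_peer: bool = True
    verify_host: bool = True
    ca_file: Optional[str] = None
    ca_path: Optional[str] = None
    issuer_cert: Optional[str] = None   # CURLOPT_ISSUERCERT: not compared pre-fix
    client_cert: Optional[str] = None


def ssl_match_prefix(a, b):
    """Pre-fix style: issuer_cert is not compared, and file paths are compared
    case-insensitively, so /etc/ssl/Corp-CA.pem matches /etc/ssl/corp-ca.pem."""
    def ci(x, y):
        return (x or "").lower() == (y or "").lower()
    return (a.verify_peer == b.verify_peer and a.verify_host == b.verify_host
            and ci(a.ca_file, b.ca_file) and ci(a.ca_path, b.ca_path)
            and ci(a.client_cert, b.client_cert))


def ssl_match_fixed(a, b):
    """Every field that changes what the TLS layer trusts or presents is
    compared, byte-for-byte (paths name files on a case-sensitive filesystem)."""
    return a == b


@dataclass
class CachedConn:
    host: str
    port: int
    ssl: SslConfig
    in_use: bool = False


class ConnectionCache:
    def __init__(self, ssl_match):
        self.conns = []
        self.ssl_match = ssl_match

    def add(self, host, port, ssl):
        conn = CachedConn(host.lower(), port, ssl)   # hostnames themselves are case-insensitive
        self.conns.append(conn)
        return conn

    def find(self, host, port, ssl):
        """A reusable connection, or None. Reuse is only safe when the existing
        connection was validated under the same TLS configuration."""
        for conn in self.conns:
            if (not conn.in_use and conn.host == host.lower() and conn.port == port
                    and self.ssl_match(conn.ssl, ssl)):
                return conn
        return None


def demo(ssl_match):
    """Which lookups get the cached connection under a given matching rule."""
    cache = ConnectionCache(ssl_match)
    cache.add("api.example.com", 443, SslConfig(ca_file="/etc/ssl/Corp-CA.pem"))
    lookups = {
        "same config": SslConfig(ca_file="/etc/ssl/Corp-CA.pem"),
        "ca path differs only in case": SslConfig(ca_file="/etc/ssl/corp-ca.pem"),
        "issuer cert pinned": SslConfig(ca_file="/etc/ssl/Corp-CA.pem",
                                        issuer_cert="/etc/ssl/issuer.pem"),
    }
    return {name: cache.find("api.example.com", 443, cfg) is not None
            for name, cfg in lookups.items()}


if __name__ == "__main__":
    print("pre-fix:", demo(ssl_match_prefix))
    print("fixed:  ", demo(ssl_match_fixed))
```

The general rule this illustrates: a connection pool's reuse key must include every parameter that influenced the security decision made when the connection was established, compared exactly, or the pool becomes a way to bypass that decision.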

Version: 7.58.0-2ubuntu3.13 2021-03-31 13:07:06 UTC

  curl (7.58.0-2ubuntu3.13) bionic-security; urgency=medium

  * SECURITY UPDATE: data leak via referer header field
    - debian/patches/urlapi.patch: backport url api support in
      include/curl/Makefile.am, include/curl/curl.h, include/curl/urlapi.h,
      lib/Makefile.inc, lib/urlapi-int.h, lib/urlapi.c,
      lib/curl_setup_once.h, lib/url.c, lib/url.h, lib/escape.c,
      lib/escape.h, docs/libcurl/symbols-in-versions.
    - debian/libcurl*.symbols: added new symbols.
    - debian/patches/CVE-2021-22876.patch: strip credentials from the
      auto-referer header field in lib/transfer.c.
    - CVE-2021-22876

 -- Marc Deslauriers <email address hidden> Tue, 23 Mar 2021 09:13:58 -0400

CVE-2021-22876 Automatic referer leaks credentials
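CVE-2021-22876 is the automatic Referer: when a request to a URL that embeds credentials (https://user:secret@host/...) is redirected, the pre-fix client copied the whole original URL into the Referer header sent to the redirect target, leaking the password to a third-party host and into its logs. RFC 7231 section 5.5.2 requires the userinfo component to be stripped from Referer. The function below, an added example and not the patch's code (the patch works on lib/transfer.c), shows the stripping with the standard library; `referer_for` and `has_credentials` are this example's own names. It also drops the fragment, as browsers do, and reassembles IPv6 literals and explicit ports correctly, which `urlsplit` alone does not give you.

```python
from urllib.parse import urlsplit, urlunsplit


def has_credentials(url):
    """True if the URL carries a userinfo component (user and/or password)."""
    p = urlsplit(url)
    return p.username is not None or p.password is not None


def referer_for(url, keep_fragment=False):
    """Value to send as Referer after a request to `url` is redirected.
    Userinfo is always removed; the fragment is dropped unless asked for.
    Note that urlsplit() lowercases the hostname, which is harmless here."""
    p = urlsplit(url)
    host = p.hostname or ""
    if ":" in host:                     # IPv6 literal: urlsplit strips the brackets
        host = "[%s]" % host
    netloc = host if p.port is None else "%s:%d" % (host, p.port)
    return urlunsplit((p.scheme, netloc, p.path, p.query,
                       p.fragment if keep_fragment else ""))


def referer_header(previous_url):
    """The header line as it would go on the wire."""
    return "Referer: %s" % referer_for(previous_url)


if __name__ == "__main__":
    # Constructed URL with embedded credentials, as in the vulnerable scenario.
    original = "https://deploy:s3cret@api.example.com:8443/v1/items?page=2#top"
    print(has_credentials(original), referer_header(original))
```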

Version: 7.58.0-2ubuntu3.12 2020-12-09 14:07:09 UTC

  curl (7.58.0-2ubuntu3.12) bionic-security; urgency=medium

  * SECURITY UPDATE: FTP redirect to malicious host via PASV response
    - debian/patches/CVE-2020-8284.patch: use CURLOPT_FTP_SKIP_PASV_IP by
      default in lib/url.c, src/tool_cfgable.c, docs/*, tests/data/*.
    - CVE-2020-8284
  * SECURITY UPDATE: FTP wildcard stack buffer overflow in libcurl
    - debian/patches/CVE-2020-8285.patch: make wc_statemach loop instead of
      recurse in lib/ftp.c.
    - CVE-2020-8285
  * SECURITY UPDATE: Inferior OCSP verification
    - debian/patches/CVE-2020-8286.patch: make the OCSP verification verify
      the certificate id in lib/vtls/openssl.c.
    - CVE-2020-8286

 -- Marc Deslauriers <email address hidden> Tue, 01 Dec 2020 13:01:10 -0500

CVE-2020-8284 trusting FTP PASV responses
CVE-2020-8285 FTP wildcard stack overflow
CVE-2020-8286 Inferior OCSP verification
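CVE-2020-8284 concerns the FTP passive-mode handshake: the server's 227 reply names an IP address and port for the data connection, and a client that trusts the address can be steered into opening a TCP connection to any host the server (or an attacker answering as the server) chooses, with the client's transfer then going there. The fix makes CURLOPT_FTP_SKIP_PASV_IP the default, so only the port is taken from the reply and the data connection goes to the control connection's own peer address. The code below, an added example rather than curl's lib/ftp.c, parses a 227 reply and applies both policies to a constructed redirect attempt; `parse_pasv`, `data_endpoint` and `pasv_redirect_attempt` are this example's own names. (curl normally tries EPSV first, whose 229 reply carries only a port, so the PASV address matters on servers without EPSV.)

```python
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; some servers add text or a trailing dot.
PASV_RE = re.compile(r"^227\b.*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv(reply):
    """Parse a 227 reply into (ip, port); ValueError for anything else."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range: %r" % reply)
    return "%d.%d.%d.%d" % tuple(nums[:4]), (nums[4] << 8) | nums[5]


def data_endpoint(reply, control_ip, skip_pasv_ip=True):
    """(address, port) for the data connection. With skip_pasv_ip (curl's
    default since the CVE-2020-8284 fix) the address in the reply is ignored
    and the control connection's peer is used; the server only picks the port."""
    ip, port = parse_pasv(reply)
    if port == 0:
        raise ValueError("server returned data port 0")
    return (control_ip if skip_pasv_ip else ip), port


def pasv_redirect_attempt(reply, control_ip):
    """True when the reply points somewhere other than the server we are
    talking to: worth logging even when skip_pasv_ip makes it harmless."""
    return parse_pasv(reply)[0] != control_ip


if __name__ == "__main__":
    # Constructed: control connection to 192.0.2.10, reply tries to send the
    # data connection to 203.0.113.7:50000.
    control = "192.0.2.10"
    reply = "227 Entering Passive Mode (203,0,113,7,195,80)"
    print("redirect attempt:", pasv_redirect_attempt(reply, control))
    print("skip_pasv_ip:    ", data_endpoint(reply, control))
    print("trust reply:     ", data_endpoint(reply, control, skip_pasv_ip=False))
```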


