UbuntuUpdates.org

Package "curl"

Name: curl

Description:

command line tool for transferring data with URL syntax

Latest version: 7.74.0-1ubuntu2.3
Release: hirsute (21.04)
Level: security
Repository: main
Homepage: http://curl.haxx.se

Other versions of "curl" in Hirsute

Repository  Area  Version
base        main  7.74.0-1ubuntu2
updates     main  7.74.0-1ubuntu2.3

Changelog

Version: 7.74.0-1ubuntu2.3 2021-09-15 12:06:23 UTC

  curl (7.74.0-1ubuntu2.3) hirsute-security; urgency=medium

  * SECURITY UPDATE: UAF and double-free in MQTT sending
    - debian/patches/CVE-2021-22945.patch: clear the leftovers pointer when
      sending succeeds in lib/mqtt.c.
    - CVE-2021-22945
  * SECURITY UPDATE: Protocol downgrade required TLS bypassed
    - debian/patches/CVE-2021-22946.patch: do not ignore --ssl-reqd in
      lib/ftp.c, lib/imap.c, lib/pop3.c, tests/data/Makefile.inc,
      tests/data/test984, tests/data/test985, tests/data/test986.
    - CVE-2021-22946
  * SECURITY UPDATE: STARTTLS protocol injection via MITM
    - debian/patches/CVE-2021-22947.patch: reject STARTTLS server response
      pipelining in lib/ftp.c, lib/imap.c, lib/pop3.c, lib/smtp.c,
      tests/data/Makefile.inc, tests/data/test980, tests/data/test981,
      tests/data/test982, tests/data/test983.
    - CVE-2021-22947

 -- Marc Deslauriers <email address hidden> Tue, 07 Sep 2021 12:02:51 -0400

CVE-2021-22945 UAF and double-free in MQTT sending
CVE-2021-22946 Protocol downgrade required TLS bypassed
CVE-2021-22947 STARTTLS protocol injection via MITM

Version: 7.74.0-1ubuntu2.1 2021-07-22 20:06:34 UTC

  curl (7.74.0-1ubuntu2.1) hirsute-security; urgency=medium

  * SECURITY UPDATE: TELNET stack contents disclosure
    - debian/patches/CVE-2021-22898.patch: check sscanf() for correct
      number of matches in lib/telnet.c.
    - CVE-2021-22898
  * SECURITY UPDATE: Bad connection reuse due to flawed path name checks
    - debian/patches/CVE-2021-22924.patch: fix connection reuse checks for
      issuer cert and case sensitivity in lib/url.c, lib/urldata.h,
      lib/vtls/gtls.c, lib/vtls/nss.c, lib/vtls/openssl.c, lib/vtls/vtls.c.
    - CVE-2021-22924
  * SECURITY UPDATE: TELNET stack contents disclosure again
    - debian/patches/CVE-2021-22925.patch: fix option parser to not send
      uninitialized contents in lib/telnet.c.
    - CVE-2021-22925

 -- Marc Deslauriers <email address hidden> Wed, 21 Jul 2021 08:03:25 -0400

CVE-2021-22898 curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is use
CVE-2021-22924 Bad connection reuse due to flawed path name checks
CVE-2021-22925 TELNET stack contents disclosure again
