UbuntuUpdates.org

Package "curl"

Name: curl

Description:

command line tool for transferring data with URL syntax
Latest version: 7.81.0-1ubuntu1.23
Release: jammy (22.04)
Level: security
Repository: main
Homepage: https://curl.haxx.se

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "curl"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "curl" in Jammy

Repository Area Version
base main 7.81.0-1
updates main 7.81.0-1ubuntu1.22

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 7.81.0-1ubuntu1.23 2026-03-11 15:11:28 UTC

  curl (7.81.0-1ubuntu1.23) jammy-security; urgency=medium

  * SECURITY UPDATE: bad reuse of HTTP Negotiate connection
    - debian/patches/CVE-2026-1965-1.patch: fix reuse of connections using
      HTTP Negotiate in lib/url.c.
    - debian/patches/CVE-2026-1965-2.patch: fix copy and paste
      url_match_auth_nego mistake in lib/url.c.
    - CVE-2026-1965
  * SECURITY UPDATE: token leak with redirect and netrc
    - debian/patches/CVE-2026-3783.patch: only send bearer if auth is
      allowed in lib/http.c, tests/data/Makefile.inc, tests/data/test2006.
    - CVE-2026-3783
  * SECURITY UPDATE: wrong proxy connection reuse with credentials
    - debian/patches/CVE-2026-3784.patch: add additional tests in
      lib/url.c.
    - CVE-2026-3784
  * SECURITY UPDATE: netrc and default credential leak
    - debian/patches/CVE-2025-0167.patch: 'default' with no credentials is
      not a match in lib/netrc.c, tests/data/Makefile.inc,
      tests/data/test486.
    - CVE-2025-0167

 -- Marc Deslauriers <email address hidden> Tue, 10 Mar 2026 14:25:36 -0400
Source diff to previous version
CVE-2025-0167 When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the follo

Version: 7.81.0-1ubuntu1.22 2026-02-25 03:08:28 UTC

  curl (7.81.0-1ubuntu1.22) jammy-security; urgency=medium

  * SECURITY UPDATE: multi-threaded TSL options leak
    - debian/patches/CVE-2025-14017.patch: call ldap_init() before
    setting the options in lib/ldap.c
    - CVE-2025-14017
  * SECURITY UPDATE: bearer token leak on cross-protocol redirect
    - debian/patches/CVE-2025-14524.patch: if redirected,
    require permission to use bearer in lib/curl_sasl.c
    - CVE-2025-14524
  * SECURITY UPDATE: ssh known_hosts validation bypass
    - debian/patches/CVE-2025-15079.patch: set both knownhosts
    options to the same file in lib/vssh/libssh.c
    - CVE-2025-15079
  * SECURITY UPDATE: improper local ssh agent authentication
    - debian/patches/CVE-2025-15224.patch: require private key
    or user-agent for public key auth in lib/vssh/libssh.c
    - CVE-2025-15224

 -- Elise Hlady <email address hidden> Wed, 18 Feb 2026 13:33:48 -0800
Source diff to previous version
CVE-2025-14017 When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally a
CVE-2025-14524 When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP,
CVE-2025-15079 When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts
CVE-2025-15224 When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate usi

Version: 7.81.0-1ubuntu1.21 2025-09-29 15:07:02 UTC

  curl (7.81.0-1ubuntu1.21) jammy-security; urgency=medium

  * SECURITY REGRESSION: incorrect Cookie header field size check
    (LP: #2118865)
    - debian/patches/CVE-2022-32205-2.patch: rectify the field size check
      in lib/http.c.

 -- Marc Deslauriers <email address hidden> Tue, 23 Sep 2025 07:24:37 -0400
Source diff to previous version
2118865 libcurl outgoing Cookie header field size check is broken
CVE-2022-32205 A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficient

Version: 7.81.0-1ubuntu1.20 2024-12-16 16:07:05 UTC

  curl (7.81.0-1ubuntu1.20) jammy-security; urgency=medium

  * SECURITY UPDATE: netrc and redirect credential leak
    - debian/patches/CVE-2024-11053-pre1.patch: use same credentials on
      redirect in lib/transfer.c, lib/url.c, lib/urldata.h,
      tests/data/Makefile.inc, tests/data/test998, tests/data/test999.
    - debian/patches/CVE-2024-11053.patch: address several netrc parser
      flaws in lib/netrc.c, lib/url.c, tests/data/Makefile.inc,
      tests/data/test478, tests/data/test479, tests/data/test480,
      tests/unit/unit1304.c, tests/data/DISABLED.
    - CVE-2024-11053

 -- Marc Deslauriers <email address hidden> Wed, 11 Dec 2024 12:26:37 -0500
Source diff to previous version
CVE-2024-11053 When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the foll

Version: 7.81.0-1ubuntu1.19 2024-11-18 18:06:50 UTC

  curl (7.81.0-1ubuntu1.19) jammy-security; urgency=medium

  * SECURITY UPDATE: HSTS expiry overwrites parent cache entry.
    - debian/patches/CVE-2024-9681.patch: Add bestsub, blen, and hostname
      comparison in lib/hsts.c.
    - CVE-2024-9681

 -- Hlib Korzhynskyy <email address hidden> Wed, 06 Nov 2024 10:54:59 -0330
CVE-2024-9681 When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than oth


About   -   Send Feedback to @ubuntu_updates