UbuntuUpdates.org

Package "curl"

Name: curl

Description:

command line tool for transferring data with URL syntax

Latest version: 7.81.0-1ubuntu1.19
Release: jammy (22.04)
Level: security
Repository: main
Homepage: https://curl.haxx.se

Links


Download "curl"


Other versions of "curl" in Jammy

Repository Area Version
base main 7.81.0-1
updates main 7.81.0-1ubuntu1.19

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 7.81.0-1ubuntu1.14 2023-10-11 13:06:52 UTC

  curl (7.81.0-1ubuntu1.14) jammy-security; urgency=medium

  * SECURITY UPDATE: SOCKS5 heap buffer overflow
    - debian/patches/CVE-2023-38545.patch: return error if hostname too
      long for remote resolve in lib/socks.c, tests/data/Makefile.inc,
      tests/data/test728.
    - CVE-2023-38545
  * SECURITY UPDATE: cookie injection with none file
    - debian/patches/CVE-2023-38546.patch: remove unnecessary struct fields
      in lib/cookie.c, lib/cookie.h, lib/easy.c.
    - CVE-2023-38546

 -- Marc Deslauriers <email address hidden> Tue, 03 Oct 2023 13:15:41 -0400

Source diff to previous version

Version: 7.81.0-1ubuntu1.13 2023-07-19 20:07:01 UTC

  curl (7.81.0-1ubuntu1.13) jammy-security; urgency=medium

  * SECURITY REGRESSION: broken ssl cert wildcard handling (LP: #2028170)
    - debian/patches/CVE-2023-28321.patch: fix missing line in backport.

 -- Marc Deslauriers <email address hidden> Wed, 19 Jul 2023 12:23:36 -0400

Source diff to previous version
2028170 curl 7.81.0-1ubuntu1.11 fails verifying proper ssl cert w/ subj-alt-name
CVE-2023-28321 An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject

Version: 7.81.0-1ubuntu1.11 2023-07-19 13:07:17 UTC

  curl (7.81.0-1ubuntu1.11) jammy-security; urgency=medium

  * SECURITY UPDATE: improper certificate validation vulnerability
    - debian/patches/CVE-2023-28321.patch: fix host name wildcard checking
      in lib/hostcheck.c, tests/data/test1397, tests/unit/unit1397.c.
    - CVE-2023-28321
  * SECURITY UPDATE: information disclosure vulnerability
    - debian/patches/CVE-2023-28322.patch: unify the upload/method handling
      in lib/curl_rtmp.c, lib/file.c, lib/ftp.c, lib/http.c, lib/imap.c,
      lib/rtsp.c, lib/setopt.c, lib/smb.c, lib/smtp.c, lib/tftp.c,
      lib/transfer.c, lib/urldata.h, lib/vssh/libssh.c, lib/vssh/libssh2.c,
      lib/vssh/wolfssh.c.
    - CVE-2023-28322

 -- Marc Deslauriers <email address hidden> Mon, 17 Jul 2023 10:25:41 -0400

Source diff to previous version
CVE-2023-28321 An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject
CVE-2023-28322 An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOP

Version: 7.81.0-1ubuntu1.10 2023-03-20 14:07:10 UTC

  curl (7.81.0-1ubuntu1.10) jammy-security; urgency=medium

  * SECURITY UPDATE: TELNET option IAC injection
    - debian/patches/CVE-2023-27533.patch: only accept option arguments in
      ascii in lib/telnet.c.
    - CVE-2023-27533
  * SECURITY UPDATE: SFTP path ~ resolving discrepancy
    - debian/patches/CVE-2023-27534-pre1.patch: do not add '/' if homedir
      ends with one in lib/curl_path.c.
    - debian/patches/CVE-2023-27534.patch: create the new path with dynbuf
      in lib/curl_path.c.
    - CVE-2023-27534
  * SECURITY UPDATE: FTP too eager connection reuse
    - debian/patches/CVE-2023-27535-pre1.patch: add and use Curl_timestrcmp
      in lib/netrc.c, lib/strcase.c, lib/strcase.h, lib/url.c,
      lib/vauth/digest_sspi.c, lib/vtls/vtls.c.
    - debian/patches/CVE-2023-27535.patch: add more conditions for
      connection reuse in lib/ftp.c, lib/ftp.h, lib/url.c, lib/urldata.h.
    - CVE-2023-27535
  * SECURITY UPDATE: GSS delegation too eager connection re-use
    - debian/patches/CVE-2023-27536.patch: only reuse connections with same
      GSS delegation in lib/url.c, lib/urldata.h.
    - CVE-2023-27536
  * SECURITY UPDATE: SSH connection too eager reuse still
    - debian/patches/CVE-2023-27538.patch: fix the SSH connection reuse
      check in lib/url.c.
    - CVE-2023-27538

 -- Marc Deslauriers <email address hidden> Tue, 14 Mar 2023 12:37:02 -0400

Source diff to previous version
CVE-2023-27533 RESERVED
CVE-2023-27534 RESERVED
CVE-2023-27535 RESERVED
CVE-2023-27536 RESERVED
CVE-2023-27538 RESERVED

Version: 7.81.0-1ubuntu1.8 2023-02-27 14:07:03 UTC

  curl (7.81.0-1ubuntu1.8) jammy-security; urgency=medium

  * SECURITY UPDATE: multiple HSTS issues
    - debian/patches/CVE-2023-23914_5-1.patch: add sharing of HSTS cache
      among handles in docs/libcurl/opts/CURLSHOPT_SHARE.3,
      docs/libcurl/symbols-in-versions, include/curl/curl.h, lib/hsts.c,
      lib/hsts.h, lib/setopt.c, lib/share.c, lib/share.h, lib/transfer.c,
      lib/url.c, lib/urldata.h.
    - debian/patches/CVE-2023-23914_5-2.patch: share HSTS between handles
      in src/tool_operate.c.
    - debian/patches/CVE-2023-23914_5-3.patch: handle adding the same host
      name again in lib/hsts.c.
    - debian/patches/CVE-2023-23914_5-4.patch: support crlf="yes" for
      verify/proxy in tests/FILEFORMAT.md, tests/runtests.pl.
    - debian/patches/CVE-2023-23914_5-5.patch: verify hsts with two URLs in
      tests/data/Makefile.inc, tests/data/test446.
    - CVE-2023-23914
    - CVE-2023-23915
  * SECURITY UPDATE: HTTP multi-header compression denial of service
    - debian/patches/CVE-2023-23916-pre1.patch: do CRLF replacements in
      tests/FILEFORMAT.md, tests/data/test1, tests/runtests.pl.
    - debian/patches/CVE-2023-23916.patch: do not reset stage counter for
      each header in lib/content_encoding.c, lib/urldata.h,
      tests/data/Makefile.inc, tests/data/test418.
    - CVE-2023-23916

 -- Marc Deslauriers <email address hidden> Wed, 15 Feb 2023 08:20:05 -0500

CVE-2023-23914 A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs a
CVE-2023-23915 A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly whe
CVE-2023-23916 An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, mea



About   -   Send Feedback to @ubuntu_updates