UbuntuUpdates.org

Package "libcurl3-nss"

Name: libcurl3-nss

Description: easy-to-use client-side URL transfer library (NSS flavour)

Latest version: 7.81.0-1ubuntu1.24
Release: jammy (22.04)
Level: security
Repository: main
Head package: curl
Homepage: https://curl.haxx.se

Other versions of "libcurl3-nss" in Jammy

Repository  Area  Version
base        main  7.81.0-1
updates     main  7.81.0-1ubuntu1.24

Changelog

Version: 7.81.0-1ubuntu1.24 2026-05-04 15:34:37 UTC

  curl (7.81.0-1ubuntu1.24) jammy-security; urgency=medium

  * SECURITY UPDATE: connection reuse ignores TLS requirement
    - debian/patches/CVE-2026-4873.patch: do not reuse a non-tls starttls
      connection if new requires TLS in lib/url.c.
    - CVE-2026-4873
  * SECURITY UPDATE: wrong reuse of HTTP Negotiate connection
    - debian/patches/CVE-2026-5545.patch: improve connection reuse on
      negotiate in lib/url.c.
    - CVE-2026-5545
  * SECURITY UPDATE: wrong reuse of SMB connection
    - debian/patches/CVE-2026-5773.patch: disable connection reuse for
      SMB(S) in lib/smb.c.
    - CVE-2026-5773
  * SECURITY UPDATE: proxy credentials leak over redirect-to proxy
    - debian/patches/CVE-2026-6253.patch: clear the proxy credentials as
      well on port or scheme change in lib/transfer.*, tests/*.
    - CVE-2026-6253
  * SECURITY UPDATE: stale custom cookie host causes cookie leak
    - debian/patches/CVE-2026-6276.patch: move cookiehost to struct
      SingleRequest in lib/http.c, lib/url.c, lib/urldata.h, tests/*.
    - CVE-2026-6276
  * SECURITY UPDATE: netrc credential leak with reused proxy connection
    - debian/patches/CVE-2026-6429-pre1.patch: prevent secure schemes
      pushed over insecure connections in lib/http2.c.
    - debian/patches/CVE-2026-6429-pre2.patch: same origin tests in
      lib/http2.c, lib/urlapi-int.h, lib/urlapi.c.
    - debian/patches/CVE-2026-6429.patch: clear credentials better on
      redirect in lib/transfer.c, tests/*.
    - CVE-2026-6429
  * SECURITY UPDATE: cross-proxy Digest auth state leak
    - debian/patches/CVE-2026-7168.patch: clear proxy auth properties when
      switching in lib/setopt.c, lib/vauth/vauth.h, tests/*.
    - CVE-2026-7168
  * debian/rules: run test suite with extra debugging information.

 -- Marc Deslauriers <email address hidden> Wed, 29 Apr 2026 07:35:43 -0400

Version: 7.81.0-1ubuntu1.23 2026-03-11 15:11:28 UTC

  curl (7.81.0-1ubuntu1.23) jammy-security; urgency=medium

  * SECURITY UPDATE: bad reuse of HTTP Negotiate connection
    - debian/patches/CVE-2026-1965-1.patch: fix reuse of connections using
      HTTP Negotiate in lib/url.c.
    - debian/patches/CVE-2026-1965-2.patch: fix copy and paste
      url_match_auth_nego mistake in lib/url.c.
    - CVE-2026-1965
  * SECURITY UPDATE: token leak with redirect and netrc
    - debian/patches/CVE-2026-3783.patch: only send bearer if auth is
      allowed in lib/http.c, tests/data/Makefile.inc, tests/data/test2006.
    - CVE-2026-3783
  * SECURITY UPDATE: wrong proxy connection reuse with credentials
    - debian/patches/CVE-2026-3784.patch: add additional tests in
      lib/url.c.
    - CVE-2026-3784
  * SECURITY UPDATE: netrc and default credential leak
    - debian/patches/CVE-2025-0167.patch: 'default' with no credentials is
      not a match in lib/netrc.c, tests/data/Makefile.inc,
      tests/data/test486.
    - CVE-2025-0167

 -- Marc Deslauriers <email address hidden> Tue, 10 Mar 2026 14:25:36 -0400

CVE-2025-0167 When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the follo

Version: 7.81.0-1ubuntu1.22 2026-02-25 03:08:28 UTC

  curl (7.81.0-1ubuntu1.22) jammy-security; urgency=medium

  * SECURITY UPDATE: multi-threaded TLS options leak
    - debian/patches/CVE-2025-14017.patch: call ldap_init() before
      setting the options in lib/ldap.c
    - CVE-2025-14017
  * SECURITY UPDATE: bearer token leak on cross-protocol redirect
    - debian/patches/CVE-2025-14524.patch: if redirected,
      require permission to use bearer in lib/curl_sasl.c
    - CVE-2025-14524
  * SECURITY UPDATE: ssh known_hosts validation bypass
    - debian/patches/CVE-2025-15079.patch: set both knownhosts
      options to the same file in lib/vssh/libssh.c
    - CVE-2025-15079
  * SECURITY UPDATE: improper local ssh agent authentication
    - debian/patches/CVE-2025-15224.patch: require private key
      or user-agent for public key auth in lib/vssh/libssh.c
    - CVE-2025-15224

 -- Elise Hlady <email address hidden> Wed, 18 Feb 2026 13:33:48 -0800

CVE-2025-14017 When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally a
CVE-2025-14524 When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP,
CVE-2025-15079 When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts
CVE-2025-15224 When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate usi

Version: 7.81.0-1ubuntu1.21 2025-09-29 15:07:02 UTC

  curl (7.81.0-1ubuntu1.21) jammy-security; urgency=medium

  * SECURITY REGRESSION: incorrect Cookie header field size check
    (LP: #2118865)
    - debian/patches/CVE-2022-32205-2.patch: rectify the field size check
      in lib/http.c.

 -- Marc Deslauriers <email address hidden> Tue, 23 Sep 2025 07:24:37 -0400

LP: #2118865 libcurl outgoing Cookie header field size check is broken
CVE-2022-32205 A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficient

Version: 7.81.0-1ubuntu1.20 2024-12-16 16:07:05 UTC

  curl (7.81.0-1ubuntu1.20) jammy-security; urgency=medium

  * SECURITY UPDATE: netrc and redirect credential leak
    - debian/patches/CVE-2024-11053-pre1.patch: use same credentials on
      redirect in lib/transfer.c, lib/url.c, lib/urldata.h,
      tests/data/Makefile.inc, tests/data/test998, tests/data/test999.
    - debian/patches/CVE-2024-11053.patch: address several netrc parser
      flaws in lib/netrc.c, lib/url.c, tests/data/Makefile.inc,
      tests/data/test478, tests/data/test479, tests/data/test480,
      tests/unit/unit1304.c, tests/data/DISABLED.
    - CVE-2024-11053

 -- Marc Deslauriers <email address hidden> Wed, 11 Dec 2024 12:26:37 -0500

CVE-2024-11053 When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the foll