UbuntuUpdates.org

Package "libcurl4-gnutls-dev"

Name: libcurl4-gnutls-dev

Description:

development files and documentation for libcurl (GnuTLS flavour)
Latest version: 7.81.0-1ubuntu1.22
Release: jammy (22.04)
Level: security
Repository: main
Head package: curl
Homepage: https://curl.haxx.se

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "libcurl4-gnutls-dev"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "libcurl4-gnutls-dev" in Jammy

Repository Area Version
base main 7.81.0-1
updates main 7.81.0-1ubuntu1.22

Changelog

Version: 7.81.0-1ubuntu1.22 2026-02-25 03:08:28 UTC

  curl (7.81.0-1ubuntu1.22) jammy-security; urgency=medium

  * SECURITY UPDATE: multi-threaded TSL options leak
    - debian/patches/CVE-2025-14017.patch: call ldap_init() before
    setting the options in lib/ldap.c
    - CVE-2025-14017
  * SECURITY UPDATE: bearer token leak on cross-protocol redirect
    - debian/patches/CVE-2025-14524.patch: if redirected,
    require permission to use bearer in lib/curl_sasl.c
    - CVE-2025-14524
  * SECURITY UPDATE: ssh known_hosts validation bypass
    - debian/patches/CVE-2025-15079.patch: set both knownhosts
    options to the same file in lib/vssh/libssh.c
    - CVE-2025-15079
  * SECURITY UPDATE: improper local ssh agent authentication
    - debian/patches/CVE-2025-15224.patch: require private key
    or user-agent for public key auth in lib/vssh/libssh.c
    - CVE-2025-15224

 -- Elise Hlady <email address hidden> Wed, 18 Feb 2026 13:33:48 -0800
Source diff to previous version
CVE-2025-14017 When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally a
CVE-2025-14524 When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP,
CVE-2025-15079 When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts
CVE-2025-15224 When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate usi

Version: 7.81.0-1ubuntu1.21 2025-09-29 15:07:02 UTC

  curl (7.81.0-1ubuntu1.21) jammy-security; urgency=medium

  * SECURITY REGRESSION: incorrect Cookie header field size check
    (LP: #2118865)
    - debian/patches/CVE-2022-32205-2.patch: rectify the field size check
      in lib/http.c.

 -- Marc Deslauriers <email address hidden> Tue, 23 Sep 2025 07:24:37 -0400
Source diff to previous version
2118865 libcurl outgoing Cookie header field size check is broken
CVE-2022-32205 A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficient

Version: 7.81.0-1ubuntu1.20 2024-12-16 16:07:05 UTC

  curl (7.81.0-1ubuntu1.20) jammy-security; urgency=medium

  * SECURITY UPDATE: netrc and redirect credential leak
    - debian/patches/CVE-2024-11053-pre1.patch: use same credentials on
      redirect in lib/transfer.c, lib/url.c, lib/urldata.h,
      tests/data/Makefile.inc, tests/data/test998, tests/data/test999.
    - debian/patches/CVE-2024-11053.patch: address several netrc parser
      flaws in lib/netrc.c, lib/url.c, tests/data/Makefile.inc,
      tests/data/test478, tests/data/test479, tests/data/test480,
      tests/unit/unit1304.c, tests/data/DISABLED.
    - CVE-2024-11053

 -- Marc Deslauriers <email address hidden> Wed, 11 Dec 2024 12:26:37 -0500
Source diff to previous version
CVE-2024-11053 When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the foll

Version: 7.81.0-1ubuntu1.19 2024-11-18 18:06:50 UTC

  curl (7.81.0-1ubuntu1.19) jammy-security; urgency=medium

  * SECURITY UPDATE: HSTS expiry overwrites parent cache entry.
    - debian/patches/CVE-2024-9681.patch: Add bestsub, blen, and hostname
      comparison in lib/hsts.c.
    - CVE-2024-9681

 -- Hlib Korzhynskyy <email address hidden> Wed, 06 Nov 2024 10:54:59 -0330
Source diff to previous version
CVE-2024-9681 When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than oth

Version: 7.81.0-1ubuntu1.18 2024-09-16 15:07:07 UTC

  curl (7.81.0-1ubuntu1.18) jammy-security; urgency=medium

  * SECURITY UPDATE: OCSP stapling bypass with GnuTLS
    - debian/patches/CVE-2024-8096.patch: fix OCSP stapling management in
      lib/vtls/gtls.c.
    - CVE-2024-8096

 -- Marc Deslauriers <email address hidden> Fri, 06 Sep 2024 07:38:40 -0400
CVE-2024-8096 When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is v


About   -   Send Feedback to @ubuntu_updates