Package "libcurl4"

Name:	libcurl4
Description:	easy-to-use client-side URL transfer library (OpenSSL flavour)
Latest version:	7.81.0-1ubuntu1.20
Release:	jammy (22.04)
Level:	security
Repository:	main
Head package:	curl
Homepage:	https://curl.haxx.se

Links

Raw Package Information

All versions of this package

Bug fixes

List of files in package

Repository home page

Download "libcurl4"

32-bit deb package

64-bit deb package

APT INSTALL

Other versions of "libcurl4" in Jammy

Repository	Area	Version
base	main	7.81.0-1
updates	main	7.81.0-1ubuntu1.20

Changelog

Version: 7.81.0-1ubuntu1.15 2023-12-06 14:06:56 UTC

curl (7.81.0-1ubuntu1.15) jammy-security; urgency=medium * SECURITY UPDATE: cookie mixed case PSL bypass - debian/patches/CVE-2023-46218.patch: lowercase the domain names before PSL checks in lib/cookie.c. - CVE-2023-46218 -- Marc Deslauriers <email address hidden> Wed, 29 Nov 2023 14:23:00 -0500

Source diff to previous version

CVE-2023-46218

curl: cookie mixed case PSL bypass

Version: 7.81.0-1ubuntu1.14 2023-10-11 13:06:52 UTC

Version: 7.81.0-1ubuntu1.14	2023-10-11 13:06:52 UTC
curl (7.81.0-1ubuntu1.14) jammy-security; urgency=medium * SECURITY UPDATE: SOCKS5 heap buffer overflow - debian/patches/CVE-2023-38545.patch: return error if hostname too long for remote resolve in lib/socks.c, tests/data/Makefile.inc, tests/data/test728. - CVE-2023-38545 * SECURITY UPDATE: cookie injection with none file - debian/patches/CVE-2023-38546.patch: remove unnecessary struct fields in lib/cookie.c, lib/cookie.h, lib/easy.c. - CVE-2023-38546 -- Marc Deslauriers <email address hidden> Tue, 03 Oct 2023 13:15:41 -0400
Source diff to previous version

curl (7.81.0-1ubuntu1.14) jammy-security; urgency=medium * SECURITY UPDATE: SOCKS5 heap buffer overflow - debian/patches/CVE-2023-38545.patch: return error if hostname too long for remote resolve in lib/socks.c, tests/data/Makefile.inc, tests/data/test728. - CVE-2023-38545 * SECURITY UPDATE: cookie injection with none file - debian/patches/CVE-2023-38546.patch: remove unnecessary struct fields in lib/cookie.c, lib/cookie.h, lib/easy.c. - CVE-2023-38546 -- Marc Deslauriers <email address hidden> Tue, 03 Oct 2023 13:15:41 -0400

Source diff to previous version

Version: 7.81.0-1ubuntu1.13 2023-07-19 20:07:01 UTC

curl (7.81.0-1ubuntu1.13) jammy-security; urgency=medium * SECURITY REGRESSION: broken ssl cert wildcard handling (LP: #2028170) - debian/patches/CVE-2023-28321.patch: fix missing line in backport. -- Marc Deslauriers <email address hidden> Wed, 19 Jul 2023 12:23:36 -0400

Source diff to previous version

2028170	curl 7.81.0-1ubuntu1.11 fails verifying proper ssl cert w/ subj-alt-name
CVE-2023-28321	An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject

Version: 7.81.0-1ubuntu1.11 2023-07-19 13:07:17 UTC

curl (7.81.0-1ubuntu1.11) jammy-security; urgency=medium * SECURITY UPDATE: improper certificate validation vulnerability - debian/patches/CVE-2023-28321.patch: fix host name wildcard checking in lib/hostcheck.c, tests/data/test1397, tests/unit/unit1397.c. - CVE-2023-28321 * SECURITY UPDATE: information disclosure vulnerability - debian/patches/CVE-2023-28322.patch: unify the upload/method handling in lib/curl_rtmp.c, lib/file.c, lib/ftp.c, lib/http.c, lib/imap.c, lib/rtsp.c, lib/setopt.c, lib/smb.c, lib/smtp.c, lib/tftp.c, lib/transfer.c, lib/urldata.h, lib/vssh/libssh.c, lib/vssh/libssh2.c, lib/vssh/wolfssh.c. - CVE-2023-28322 -- Marc Deslauriers <email address hidden> Mon, 17 Jul 2023 10:25:41 -0400

Source diff to previous version

CVE-2023-28321	An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject
CVE-2023-28322	An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOP

Version: 7.81.0-1ubuntu1.10 2023-03-20 14:07:10 UTC

curl (7.81.0-1ubuntu1.10) jammy-security; urgency=medium * SECURITY UPDATE: TELNET option IAC injection - debian/patches/CVE-2023-27533.patch: only accept option arguments in ascii in lib/telnet.c. - CVE-2023-27533 * SECURITY UPDATE: SFTP path ~ resolving discrepancy - debian/patches/CVE-2023-27534-pre1.patch: do not add '/' if homedir ends with one in lib/curl_path.c. - debian/patches/CVE-2023-27534.patch: create the new path with dynbuf in lib/curl_path.c. - CVE-2023-27534 * SECURITY UPDATE: FTP too eager connection reuse - debian/patches/CVE-2023-27535-pre1.patch: add and use Curl_timestrcmp in lib/netrc.c, lib/strcase.c, lib/strcase.h, lib/url.c, lib/vauth/digest_sspi.c, lib/vtls/vtls.c. - debian/patches/CVE-2023-27535.patch: add more conditions for connection reuse in lib/ftp.c, lib/ftp.h, lib/url.c, lib/urldata.h. - CVE-2023-27535 * SECURITY UPDATE: GSS delegation too eager connection re-use - debian/patches/CVE-2023-27536.patch: only reuse connections with same GSS delegation in lib/url.c, lib/urldata.h. - CVE-2023-27536 * SECURITY UPDATE: SSH connection too eager reuse still - debian/patches/CVE-2023-27538.patch: fix the SSH connection reuse check in lib/url.c. - CVE-2023-27538 -- Marc Deslauriers <email address hidden> Tue, 14 Mar 2023 12:37:02 -0400

CVE-2023-27533	RESERVED
CVE-2023-27534	RESERVED
CVE-2023-27535	RESERVED
CVE-2023-27536	RESERVED
CVE-2023-27538	RESERVED

About - Send Feedback to @ubuntu_updates

Package "libcurl4"

Links

Download "libcurl4"

Other versions of "libcurl4" in Jammy

Changelog

Share this page

Bookmarks

Latest updates

proposed

updates

security

PPA updates