UbuntuUpdates.org

Package "curl"

Name: curl

Description:

command line tool for transferring data with URL syntax
Latest version: 8.5.0-2ubuntu10.6
Release: noble (24.04)
Level: updates
Repository: main
Homepage: https://curl.se/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "curl"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "curl" in Noble

Repository Area Version
base main 8.5.0-2ubuntu10
security main 8.5.0-2ubuntu10.6

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 8.5.0-2ubuntu10.6 2024-12-16 18:07:09 UTC

  curl (8.5.0-2ubuntu10.6) noble-security; urgency=medium

  * SECURITY UPDATE: netrc and redirect credential leak
    - debian/patches/CVE-2024-11053-pre1.patch: use same credentials on
      redirect in lib/transfer.c, lib/url.c, lib/urldata.h,
      tests/data/Makefile.inc, tests/data/test998, tests/data/test999.
    - debian/patches/CVE-2024-11053.patch: address several netrc parser
      flaws in lib/netrc.c, lib/url.c, tests/data/Makefile.inc,
      tests/data/test478, tests/data/test479, tests/data/test480,
      tests/unit/unit1304.c.
    - CVE-2024-11053

 -- Marc Deslauriers <email address hidden> Wed, 11 Dec 2024 11:44:19 -0500
Source diff to previous version
CVE-2024-11053 When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the foll

Version: 8.5.0-2ubuntu10.5 2024-11-18 19:07:18 UTC

  curl (8.5.0-2ubuntu10.5) noble-security; urgency=medium

  * SECURITY UPDATE: HSTS expiry overwrites parent cache entry.
    - debian/patches/CVE-2024-9681.patch: Add bestsub, blen, and hostname
      comparison in lib/hsts.c.
    - CVE-2024-9681

 -- Hlib Korzhynskyy <email address hidden> Wed, 06 Nov 2024 10:48:09 -0330
Source diff to previous version
CVE-2024-9681 When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than oth

Version: 8.5.0-2ubuntu10.4 2024-09-16 16:07:01 UTC

  curl (8.5.0-2ubuntu10.4) noble-security; urgency=medium

  * SECURITY UPDATE: OCSP stapling bypass with GnuTLS
    - debian/patches/CVE-2024-8096.patch: fix OCSP stapling management in
      lib/vtls/gtls.c.
    - CVE-2024-8096

 -- Marc Deslauriers <email address hidden> Fri, 06 Sep 2024 07:27:11 -0400
Source diff to previous version
CVE-2024-8096 When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is v

Version: 8.5.0-2ubuntu10.3 2024-08-22 17:07:20 UTC

  curl (8.5.0-2ubuntu10.3) noble-proposed; urgency=medium

  * SRU: LP: #2076340: No-change rebuild to pick up changed build flags
    on ppc64 and s390x.

 -- Matthias Klose <email address hidden> Fri, 09 Aug 2024 04:33:21 +0200
Source diff to previous version

Version: 8.5.0-2ubuntu10.2 2024-08-05 15:07:12 UTC

  curl (8.5.0-2ubuntu10.2) noble-security; urgency=medium

  * SECURITY UPDATE: ASN.1 date parser overread
    - debian/patches/CVE-2024-7264-pre1.patch: clean up GTime2str in
      lib/vtls/x509asn1.c.
    - debian/patches/CVE-2024-7264.patch: unittests and fixes for gtime2str
      in lib/vtls/x509asn1.c, lib/vtls/x509asn1.h, tests/data/Makefile.inc,
      tests/data/test1656, tests/unit/Makefile.inc, tests/unit/unit1656.c.
    - CVE-2024-7264

 -- Marc Deslauriers <email address hidden> Thu, 01 Aug 2024 09:43:08 -0400
CVE-2024-7264 libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect fiel


About   -   Send Feedback to @ubuntu_updates