UbuntuUpdates.org

Package "curl"

Name: curl

Description:

command line tool for transferring data with URL syntax

Latest version: 8.5.0-2ubuntu10.8
Release: noble (24.04)
Level: updates
Repository: main
Homepage: https://curl.se/

Other versions of "curl" in Noble

Repository Area Version
base main 8.5.0-2ubuntu10
security main 8.5.0-2ubuntu10.8

Changelog

Version: 8.5.0-2ubuntu10.8 2026-03-11 23:08:01 UTC

  curl (8.5.0-2ubuntu10.8) noble-security; urgency=medium

  * SECURITY UPDATE: bad reuse of HTTP Negotiate connection
    - debian/patches/CVE-2026-1965-1.patch: fix reuse of connections using
      HTTP Negotiate in lib/url.c.
    - debian/patches/CVE-2026-1965-2.patch: fix copy and paste
      url_match_auth_nego mistake in lib/url.c.
    - CVE-2026-1965
  * SECURITY UPDATE: token leak with redirect and netrc
    - debian/patches/CVE-2026-3783.patch: only send bearer if auth is
      allowed in lib/http.c, tests/data/Makefile.inc, tests/data/test2006.
    - CVE-2026-3783
  * SECURITY UPDATE: wrong proxy connection reuse with credentials
    - debian/patches/CVE-2026-3784.patch: add additional tests in
      lib/url.c.
    - CVE-2026-3784
  * SECURITY UPDATE: netrc and default credential leak
    - debian/patches/CVE-2025-0167.patch: 'default' with no credentials is
      not a match in lib/netrc.c, tests/data/Makefile.inc,
      tests/data/test486.
    - CVE-2025-0167

 -- Marc Deslauriers <email address hidden> Tue, 10 Mar 2026 10:42:35 -0400

CVE-2026-1965 libcurl can in some circumstances reuse the wrong connection when aske ...
CVE-2026-3783 When an OAuth2 bearer token is used for an HTTP(S) transfer, and that ...
CVE-2026-3784 curl would wrongly reuse an existing HTTP proxy connection doing CONNE ...
CVE-2025-0167 When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the follo

Version: 8.5.0-2ubuntu10.7 2026-02-25 07:08:11 UTC

  curl (8.5.0-2ubuntu10.7) noble-security; urgency=medium

  * SECURITY UPDATE: predictable websocket frame mask
    - debian/patches/CVE-2025-10148.patch: get a new mask for each
      new outgoing frame in lib/ws.c
    - CVE-2025-10148
  * SECURITY UPDATE: multi-threaded TLS options leak
    - debian/patches/CVE-2025-14017.patch: call ldap_init() before
      setting the options in lib/ldap.c
    - CVE-2025-14017
  * SECURITY UPDATE: bearer token leak on cross-protocol redirect
    - debian/patches/CVE-2025-14524.patch: if redirected,
      require permission to use bearer in lib/curl_sasl.c
    - CVE-2025-14524
  * SECURITY UPDATE: OpenSSL partial chain store policy bypass
    - debian/patches/CVE-2025-14819.patch: toggling
      CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache in
      lib/vtls/openssl.c.
    - CVE-2025-14819
  * SECURITY UPDATE: ssh known_hosts validation bypass
    - debian/patches/CVE-2025-15079.patch: set both knownhosts
      options to the same file in lib/vssh/libssh.c
    - CVE-2025-15079
  * SECURITY UPDATE: improper local ssh agent authentication
    - debian/patches/CVE-2025-15224.patch: require private key
      or user-agent for public key auth in lib/vssh/libssh.c
    - CVE-2025-15224

 -- Elise Hlady <email address hidden> Wed, 18 Feb 2026 10:57:28 -0800

CVE-2025-10148 curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask tha
CVE-2025-14017 When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally a
CVE-2025-14524 When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP,
CVE-2025-14819 When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally
CVE-2025-15079 When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts
CVE-2025-15224 When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate usi

Version: 8.5.0-2ubuntu10.6 2024-12-16 18:07:09 UTC

  curl (8.5.0-2ubuntu10.6) noble-security; urgency=medium

  * SECURITY UPDATE: netrc and redirect credential leak
    - debian/patches/CVE-2024-11053-pre1.patch: use same credentials on
      redirect in lib/transfer.c, lib/url.c, lib/urldata.h,
      tests/data/Makefile.inc, tests/data/test998, tests/data/test999.
    - debian/patches/CVE-2024-11053.patch: address several netrc parser
      flaws in lib/netrc.c, lib/url.c, tests/data/Makefile.inc,
      tests/data/test478, tests/data/test479, tests/data/test480,
      tests/unit/unit1304.c.
    - CVE-2024-11053

 -- Marc Deslauriers <email address hidden> Wed, 11 Dec 2024 11:44:19 -0500

CVE-2024-11053 When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the foll

Version: 8.5.0-2ubuntu10.5 2024-11-18 19:07:18 UTC

  curl (8.5.0-2ubuntu10.5) noble-security; urgency=medium

  * SECURITY UPDATE: HSTS expiry overwrites parent cache entry.
    - debian/patches/CVE-2024-9681.patch: Add bestsub, blen, and hostname
      comparison in lib/hsts.c.
    - CVE-2024-9681

 -- Hlib Korzhynskyy <email address hidden> Wed, 06 Nov 2024 10:48:09 -0330

CVE-2024-9681 When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than oth

Version: 8.5.0-2ubuntu10.4 2024-09-16 16:07:01 UTC

  curl (8.5.0-2ubuntu10.4) noble-security; urgency=medium

  * SECURITY UPDATE: OCSP stapling bypass with GnuTLS
    - debian/patches/CVE-2024-8096.patch: fix OCSP stapling management in
      lib/vtls/gtls.c.
    - CVE-2024-8096

 -- Marc Deslauriers <email address hidden> Fri, 06 Sep 2024 07:27:11 -0400

CVE-2024-8096 When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is v