UbuntuUpdates.org

Package "libcurl4-doc"

Name: libcurl4-doc

Description:

documentation for libcurl
Latest version: 8.5.0-2ubuntu10.7
Release: noble (24.04)
Level: updates
Repository: main
Head package: curl
Homepage: https://curl.se/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "libcurl4-doc"

All arch deb package
APT INSTALL

Other versions of "libcurl4-doc" in Noble

Repository Area Version
base main 8.5.0-2ubuntu10
security main 8.5.0-2ubuntu10.7

Changelog

Version: 8.5.0-2ubuntu10.7 2026-02-25 07:08:11 UTC

  curl (8.5.0-2ubuntu10.7) noble-security; urgency=medium

  * SECURITY UPDATE: predictable websocket frame mask
    - debian/patches/CVE-2025-10148.patch: get a new mask for each
    new outgoing frame in lib/ws.c
    - CVE-2025-10148
  * SECURITY UPDATE: multi-threaded TSL options leak
    - debian/patches/CVE-2025-14017.patch: call ldap_init() before
    setting the options in lib/ldap.c
    - CVE-2025-14017
  * SECURITY UPDATE: bearer token leak on cross-protocol redirect
    - debian/patches/CVE-2025-14524.patch: if redirected,
    require permission to use bearer in lib/curl_sasl.c
    - CVE-2025-14524
  * SECURITY UPDATE: OpenSSL partial chain store policy bypass
    - debian/patches/CVE-2025-14819.patch: toggling
      CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache in
      lib/vtls/openssl.c.
    - CVE-2025-14819
  * SECURITY UPDATE: ssh known_hosts validation bypass
    - debian/patches/CVE-2025-15079.patch: set both knownhosts
    options to the same file in lib/vssh/libssh.c
    - CVE-2025-15079
  * SECURITY UPDATE: improper local ssh agent authentication
    - debian/patches/CVE-2025-15224.patch: require private key
    or user-agent for public key auth in lib/vssh/libssh.c
    - CVE-2025-15224

 -- Elise Hlady <email address hidden> Wed, 18 Feb 2026 10:57:28 -0800
Source diff to previous version
CVE-2025-10148 curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask tha
CVE-2025-14017 When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally a
CVE-2025-14524 When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP,
CVE-2025-14819 When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally
CVE-2025-15079 When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts
CVE-2025-15224 When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate usi

Version: 8.5.0-2ubuntu10.6 2024-12-16 18:07:09 UTC

  curl (8.5.0-2ubuntu10.6) noble-security; urgency=medium

  * SECURITY UPDATE: netrc and redirect credential leak
    - debian/patches/CVE-2024-11053-pre1.patch: use same credentials on
      redirect in lib/transfer.c, lib/url.c, lib/urldata.h,
      tests/data/Makefile.inc, tests/data/test998, tests/data/test999.
    - debian/patches/CVE-2024-11053.patch: address several netrc parser
      flaws in lib/netrc.c, lib/url.c, tests/data/Makefile.inc,
      tests/data/test478, tests/data/test479, tests/data/test480,
      tests/unit/unit1304.c.
    - CVE-2024-11053

 -- Marc Deslauriers <email address hidden> Wed, 11 Dec 2024 11:44:19 -0500
Source diff to previous version
CVE-2024-11053 When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the foll

Version: 8.5.0-2ubuntu10.5 2024-11-18 19:07:18 UTC

  curl (8.5.0-2ubuntu10.5) noble-security; urgency=medium

  * SECURITY UPDATE: HSTS expiry overwrites parent cache entry.
    - debian/patches/CVE-2024-9681.patch: Add bestsub, blen, and hostname
      comparison in lib/hsts.c.
    - CVE-2024-9681

 -- Hlib Korzhynskyy <email address hidden> Wed, 06 Nov 2024 10:48:09 -0330
Source diff to previous version
CVE-2024-9681 When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than oth

Version: 8.5.0-2ubuntu10.4 2024-09-16 16:07:01 UTC

  curl (8.5.0-2ubuntu10.4) noble-security; urgency=medium

  * SECURITY UPDATE: OCSP stapling bypass with GnuTLS
    - debian/patches/CVE-2024-8096.patch: fix OCSP stapling management in
      lib/vtls/gtls.c.
    - CVE-2024-8096

 -- Marc Deslauriers <email address hidden> Fri, 06 Sep 2024 07:27:11 -0400
Source diff to previous version
CVE-2024-8096 When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is v

Version: 8.5.0-2ubuntu10.3 2024-08-22 17:07:20 UTC

  curl (8.5.0-2ubuntu10.3) noble-proposed; urgency=medium

  * SRU: LP: #2076340: No-change rebuild to pick up changed build flags
    on ppc64 and s390x.

 -- Matthias Klose <email address hidden> Fri, 09 Aug 2024 04:33:21 +0200


About   -   Send Feedback to @ubuntu_updates