Package "libcurl4-openssl-dev"

Name: libcurl4-openssl-dev
Description: development files and documentation for libcurl (OpenSSL flavour)
Latest version: 8.5.0-2ubuntu10.9
Release: noble (24.04)
Level: updates
Repository: main
Head package: curl
Homepage: https://curl.se/

Changelog

curl (8.5.0-2ubuntu10.9) noble-security; urgency=medium

  * SECURITY UPDATE: connection reuse ignores TLS requirement
    - debian/patches/CVE-2026-4873.patch: do not reuse a non-tls starttls
      connection if new requires TLS in lib/url.c.
    - CVE-2026-4873
  * SECURITY UPDATE: wrong reuse of HTTP Negotiate connection
    - debian/patches/CVE-2026-5545.patch: improve connection reuse on
      negotiate in lib/url.c.
    - CVE-2026-5545
  * SECURITY UPDATE: wrong reuse of SMB connection
    - debian/patches/CVE-2026-5773.patch: disable connection reuse for
      SMB(S) in lib/smb.c.
    - CVE-2026-5773
  * SECURITY UPDATE: proxy credentials leak over redirect-to proxy
    - debian/patches/CVE-2026-6253.patch: clear the proxy credentials as
      well on port or scheme change in lib/transfer.*, tests/*.
    - CVE-2026-6253
  * SECURITY UPDATE: stale custom cookie host causes cookie leak
    - debian/patches/CVE-2026-6276.patch: move cookiehost to struct
      SingleRequest in lib/http.c, lib/url.c, lib/urldata.h, tests/*.
    - CVE-2026-6276
  * SECURITY UPDATE: netrc credential leak with reused proxy connection
    - debian/patches/CVE-2026-6429-pre1.patch: prevent secure schemes
      pushed over insecure connections in lib/http2.c.
    - debian/patches/CVE-2026-6429-pre2.patch: same origin tests in
      lib/http2.c, lib/urlapi-int.h, lib/urlapi.c.
    - debian/patches/CVE-2026-6429.patch: clear credentials better on
      redirect in lib/transfer.c, tests/*.
    - CVE-2026-6429
  * SECURITY UPDATE: cross-proxy Digest auth state leak
    - debian/patches/CVE-2026-7168.patch: clear proxy auth properties when
      switching in lib/setopt.c, lib/vauth/vauth.h, tests/*.
    - CVE-2026-7168

 -- Marc Deslauriers <email address hidden>  Wed, 29 Apr 2026 07:35:43 -0400
curl (8.5.0-2ubuntu10.8) noble-security; urgency=medium

  * SECURITY UPDATE: bad reuse of HTTP Negotiate connection
    - debian/patches/CVE-2026-1965-1.patch: fix reuse of connections using
      HTTP Negotiate in lib/url.c.
    - debian/patches/CVE-2026-1965-2.patch: fix copy and paste
      url_match_auth_nego mistake in lib/url.c.
    - CVE-2026-1965
  * SECURITY UPDATE: token leak with redirect and netrc
    - debian/patches/CVE-2026-3783.patch: only send bearer if auth is
      allowed in lib/http.c, tests/data/Makefile.inc, tests/data/test2006.
    - CVE-2026-3783
  * SECURITY UPDATE: wrong proxy connection reuse with credentials
    - debian/patches/CVE-2026-3784.patch: add additional tests in
      lib/url.c.
    - CVE-2026-3784
  * SECURITY UPDATE: netrc and default credential leak
    - debian/patches/CVE-2025-0167.patch: 'default' with no credentials is
      not a match in lib/netrc.c, tests/data/Makefile.inc,
      tests/data/test486.
    - CVE-2025-0167

 -- Marc Deslauriers <email address hidden>  Tue, 10 Mar 2026 10:42:35 -0400

CVE-2026-1965: libcurl can in some circumstances reuse the wrong connection when aske ...
CVE-2026-3783: When an OAuth2 bearer token is used for an HTTP(S) transfer, and that ...
CVE-2026-3784: curl would wrongly reuse an existing HTTP proxy connection doing CONNE ...
CVE-2025-0167: When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the follo

curl (8.5.0-2ubuntu10.7) noble-security; urgency=medium

  * SECURITY UPDATE: predictable websocket frame mask
    - debian/patches/CVE-2025-10148.patch: get a new mask for each
      new outgoing frame in lib/ws.c
    - CVE-2025-10148
  * SECURITY UPDATE: multi-threaded TLS options leak
    - debian/patches/CVE-2025-14017.patch: call ldap_init() before
      setting the options in lib/ldap.c
    - CVE-2025-14017
  * SECURITY UPDATE: bearer token leak on cross-protocol redirect
    - debian/patches/CVE-2025-14524.patch: if redirected,
      require permission to use bearer in lib/curl_sasl.c
    - CVE-2025-14524
  * SECURITY UPDATE: OpenSSL partial chain store policy bypass
    - debian/patches/CVE-2025-14819.patch: toggling
      CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache in
      lib/vtls/openssl.c.
    - CVE-2025-14819
  * SECURITY UPDATE: ssh known_hosts validation bypass
    - debian/patches/CVE-2025-15079.patch: set both knownhosts
      options to the same file in lib/vssh/libssh.c
    - CVE-2025-15079
  * SECURITY UPDATE: improper local ssh agent authentication
    - debian/patches/CVE-2025-15224.patch: require private key
      or user-agent for public key auth in lib/vssh/libssh.c
    - CVE-2025-15224

 -- Elise Hlady <email address hidden>  Wed, 18 Feb 2026 10:57:28 -0800

CVE-2025-10148: curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask tha
CVE-2025-14017: When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally a
CVE-2025-14524: When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP,
CVE-2025-14819: When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally
CVE-2025-15079: When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts
CVE-2025-15224: When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate usi

curl (8.5.0-2ubuntu10.6) noble-security; urgency=medium

  * SECURITY UPDATE: netrc and redirect credential leak
    - debian/patches/CVE-2024-11053-pre1.patch: use same credentials on
      redirect in lib/transfer.c, lib/url.c, lib/urldata.h,
      tests/data/Makefile.inc, tests/data/test998, tests/data/test999.
    - debian/patches/CVE-2024-11053.patch: address several netrc parser
      flaws in lib/netrc.c, lib/url.c, tests/data/Makefile.inc,
      tests/data/test478, tests/data/test479, tests/data/test480,
      tests/unit/unit1304.c.
    - CVE-2024-11053

 -- Marc Deslauriers <email address hidden>  Wed, 11 Dec 2024 11:44:19 -0500

CVE-2024-11053: When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the foll

curl (8.5.0-2ubuntu10.5) noble-security; urgency=medium

  * SECURITY UPDATE: HSTS expiry overwrites parent cache entry.
    - debian/patches/CVE-2024-9681.patch: Add bestsub, blen, and hostname
      comparison in lib/hsts.c.
    - CVE-2024-9681

 -- Hlib Korzhynskyy <email address hidden>  Wed, 06 Nov 2024 10:48:09 -0330

CVE-2024-9681: When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than oth