UbuntuUpdates.org

Package "libcurl4-openssl-dev"

Name: libcurl4-openssl-dev

Description:

development files and documentation for libcurl (OpenSSL flavour)

Latest version: 8.14.1-2ubuntu1.3
Release: questing (25.10)
Level: updates
Repository: main
Head package: curl
Homepage: https://curl.se/

Other versions of "libcurl4-openssl-dev" in Questing

Repository Area Version
base main 8.14.1-2ubuntu1
security main 8.14.1-2ubuntu1.3

Changelog

Version: 8.14.1-2ubuntu1.3 2026-05-04 15:36:14 UTC

  curl (8.14.1-2ubuntu1.3) questing-security; urgency=medium

  * SECURITY UPDATE: connection reuse ignores TLS requirement
    - debian/patches/CVE-2026-4873.patch: do not reuse a non-tls starttls
      connection if new requires TLS in lib/url.c.
    - CVE-2026-4873
  * SECURITY UPDATE: wrong reuse of HTTP Negotiate connection
    - debian/patches/CVE-2026-5545.patch: improve connection reuse on
      negotiate in lib/url.c.
    - CVE-2026-5545
  * SECURITY UPDATE: wrong reuse of SMB connection
    - debian/patches/CVE-2026-5773.patch: disable connection reuse for
      SMB(S) in lib/smb.c.
    - CVE-2026-5773
  * SECURITY UPDATE: proxy credentials leak over redirect-to proxy
    - debian/patches/CVE-2026-6253-pre1.patch: chunked response, error code
      in lib/cf-h1-proxy.c, lib/cf-h2-proxy.c, tests/*.
    - debian/patches/CVE-2026-6253-pre2.patch: fix error code, remove SMB
      use in tests/data/test445.
    - debian/patches/CVE-2026-6253.patch: clear the proxy credentials as
      well on port or scheme change in lib/http.c, lib/transfer.*, tests/*.
    - CVE-2026-6253
  * SECURITY UPDATE: stale custom cookie host causes cookie leak
    - debian/patches/CVE-2026-6276.patch: move cookiehost to struct
      SingleRequest in lib/http.c, lib/request.c, lib/request.h, lib/url.c,
      lib/urldata.h, tests/*.
    - CVE-2026-6276
  * SECURITY UPDATE: netrc credential leak with reused proxy connection
    - debian/patches/CVE-2026-6429-pre1.patch: prevent secure schemes
      pushed over insecure connections in lib/http2.c.
    - debian/patches/CVE-2026-6429-pre2.patch: same origin tests in
      lib/http2.c, lib/urlapi-int.h, lib/urlapi.c.
    - debian/patches/CVE-2026-6429.patch: clear credentials better on
      redirect in lib/http.c, tests/*.
    - CVE-2026-6429
  * SECURITY UPDATE: cross-proxy Digest auth state leak
    - debian/patches/CVE-2026-7168.patch: clear proxy auth properties when
      switching in lib/setopt.c, lib/vauth/vauth.h, tests/*.
    - CVE-2026-7168

 -- Marc Deslauriers <email address hidden> Wed, 29 Apr 2026 07:35:43 -0400

Version: 8.14.1-2ubuntu1.2 2026-03-11 23:08:09 UTC

  curl (8.14.1-2ubuntu1.2) questing-security; urgency=medium

  * SECURITY UPDATE: bad reuse of HTTP Negotiate connection
    - debian/patches/CVE-2026-1965-1.patch: fix reuse of connections using
      HTTP Negotiate in lib/url.c.
    - debian/patches/CVE-2026-1965-2.patch: fix copy and paste
      url_match_auth_nego mistake in lib/url.c.
    - CVE-2026-1965
  * SECURITY UPDATE: token leak with redirect and netrc
    - debian/patches/CVE-2026-3783.patch: only send bearer if auth is
      allowed in lib/http.c, tests/data/Makefile.am, tests/data/test2006.
    - CVE-2026-3783
  * SECURITY UPDATE: wrong proxy connection reuse with credentials
    - debian/patches/CVE-2026-3784.patch: add additional tests in
      lib/url.c, tests/http/test_13_proxy_auth.py,
      tests/http/testenv/curl.py.
    - CVE-2026-3784
  * SECURITY UPDATE: use after free in SMB connection reuse
    - debian/patches/CVE-2026-3805.patch: free the path in the request
      struct properly in lib/smb.c.
    - CVE-2026-3805

 -- Marc Deslauriers <email address hidden> Mon, 09 Mar 2026 09:15:00 -0400

CVE-2026-1965 libcurl can in some circumstances reuse the wrong connection when aske ...
CVE-2026-3783 When an OAuth2 bearer token is used for an HTTP(S) transfer, and that ...
CVE-2026-3784 curl would wrongly reuse an existing HTTP proxy connection doing CONNE ...
CVE-2026-3805 When doing a second SMB request to the same host again, curl would wro ...

Version: 8.14.1-2ubuntu1.1 2026-02-25 07:08:23 UTC

  curl (8.14.1-2ubuntu1.1) questing-security; urgency=medium

  * SECURITY UPDATE: cookie path out-of-bounds read
    - debian/patches/CVE-2025-9086.patch: don't treat the
      leading slash as trailing in lib/cookie.c
    - CVE-2025-9086
  * SECURITY UPDATE: predictable websocket frame mask
    - debian/patches/CVE-2025-10148.patch: get a new mask for each
      new outgoing frame in lib/ws.c
    - CVE-2025-10148
  * SECURITY UPDATE: wcurl output file directory escape
    - debian/patches/CVE-2025-11563.patch: don't percent-decode
      '/' or '\' in output file name in scripts/wcurl.c
    - CVE-2025-11563
  * SECURITY UPDATE: No QUIC certificate pinning with GnuTLS
    - debian/patches/CVE-2025-13034.patch: call Curl_gtls_verifyserver
      unconditionally in lib/vquic/vquic-tls.c.
    - CVE-2025-13034
  * SECURITY UPDATE: multi-threaded TLS options leak
    - debian/patches/CVE-2025-14017.patch: call ldap_init() before
      setting the options in lib/ldap.c
    - CVE-2025-14017
  * SECURITY UPDATE: bearer token leak on cross-protocol redirect
    - debian/patches/CVE-2025-14524.patch: if redirected,
      require permission to use bearer in lib/curl_sasl.c
    - CVE-2025-14524
  * SECURITY UPDATE: OpenSSL partial chain store policy bypass
    - debian/patches/CVE-2025-14819.patch: toggling
      CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache in
      lib/vtls/openssl.c.
    - CVE-2025-14819

 -- Elise Hlady <email address hidden> Tue, 17 Feb 2026 15:07:06 -0800

CVE-2025-9086 1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same
CVE-2025-10148 curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask tha
CVE-2025-13034 When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool, curl should check the public key of the server certif
CVE-2025-14017 When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally a
CVE-2025-14524 When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP,
CVE-2025-14819 When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally
