UbuntuUpdates.org

Package "libcurl3t64-gnutls"

Name: libcurl3t64-gnutls

Description:

easy-to-use client-side URL transfer library (GnuTLS flavour)

Latest version: 8.18.0-1ubuntu2.3
Release: resolute (26.04)
Level: updates
Repository: main
Head package: curl
Homepage: https://curl.se/

Links


Download "libcurl3t64-gnutls"


Other versions of "libcurl3t64-gnutls" in Resolute

Repository Area Version
base main 8.18.0-1ubuntu2
security main 8.18.0-1ubuntu2.3

Changelog

Version: 8.18.0-1ubuntu2.3 2026-07-10 01:09:26 UTC

  curl (8.18.0-1ubuntu2.3) resolute-security; urgency=medium

  * SECURITY UPDATE: Use after free in curl_easy_reset.
    - debian/patches/CVE-2026-10536.patch: Deprecate CURLOPT_* in
      include/curl/curl.h, lib/http2.c,
      lib/setopt.c, lib/url.c, and lib/urldata.h
    - CVE-2026-10536
  * SECURITY UPDATE: Denial of service in QUIC UDP.
    - debian/patches/CVE-2026-11352.patch: Count zero-length UDP packets
      and enforce an upper bound in
      lib/vquic/vquic.c
    - CVE-2026-11352
  * SECURITY UPDATE: Improper certificate validation in native_ca_store.
    - debian/patches/CVE-2026-11564.patch: Add bit native_ca_store_opt to
      keep the setting of CURLOPT_(PROXY_)SSL_OPTIONS and use that to
      calculate every easy transfer if a native CA store shall be used or
      not in lib/doh.c, lib/setopt.c, and lib/vtls/vtls.c
    - CVE-2026-11564
  * SECURITY UPDATE: Memory exhaustion in ws.c
    - debian/patches/CVE-2026-11586.patch: Do not send PONG frames unless
      there is sufficient space left in the websocket send buffer in
      lib/ws.c.
    - CVE-2026-11586
  * SECURITY UPDATE: Improper validation in config2setopts.
    - debian/patches/CVE-2026-12064.patch: Use default protocol properly in
      src/config2setopts.c.
    - CVE-2026-12064

 -- Kyle Kernick <email address hidden> Mon, 06 Jul 2026 10:45:44 -0600

Source diff to previous version
CVE-2026-10536 A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CUR
CVE-2026-11352 An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client.
CVE-2026-11564 libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. An easy handle th
CVE-2026-11586 By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a
CVE-2026-12064 When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl

Version: 8.18.0-1ubuntu2.2 2026-07-01 05:07:44 UTC

  curl (8.18.0-1ubuntu2.2) resolute-security; urgency=medium

  * SECURITY UPDATE: Connection reuse for starttls protocols.
    - debian/patches/CVE-2026-8286.patch: When a connection is tested for
      reuse in a transfer that may upgrade to TLS (commonly via STARTTLS),
      the SSL configuration must match the existing connection in lib/url.c
    - CVE-2026-8286
  * SECURITY UPDATE: Connection reuse in SASL.
    - debian/patches/CVE-2026-8458.patch: Fix erroneous connection reuse in
      in lib/curl_sasl.c, lib/http_negotiate.c, lib/http_ntlm.c, lib/imap.c,
      lib/openldap.c, and lib/pop3.c
    - CVE-2026-8458
  * SECURITY UPDATE: Cookie injection in is_public_suffix.
    - debian/patches/CVE-2026-8924.patch: Trim trailing dots when checking
      PSL in lib/cookie.c.
    - CVE-2026-8924
  * SECURITY UPDATE: Double-free in gsasl.
    - debian/patches/CVE-2026-8925.patch: Require libgasl 1.6.0 to handle
      NULL argument in lib/vauth/gsasl.c.
    - CVE-2026-8925
  * SECURITY UPDATE: Information disclosure in netrc.
    - debian/patches/CVE-2026-8926.patch: Do not return a password from
      parsenetrc() when the requested login did not match the credentials
      found for the matched machine in lib/netrc.c.
    - CVE-2026-8926
  * SECURITY UPDATE: Information disclosure in libcurl
    - debian/patches/CVE-2026-8927.patch: Detect if proxy is not the same as
      previous and flush state in lib/url.c and lib/urldata.h.
    - debian/patches/CVE-2026-9079.patch: Verify NULLed proxy credentials
      in lib/setopt.c.
    - debian/patches/CVE-2026-9545.patch: Hard fail when certificate
      verification fails in lib/vquic/curl_ngtcp2.c.
    - CVE-2026-8927
    - CVE-2026-9079
    - CVE-2026-9545
  * SECURITY UPDATE: Use-after-free in curl_easy_parse
    - debian/patches/CVE-2026-9080.patch: Introduce magic struct field to
      assert against NULL pointers in lib/multi_ev.c
    - CVE-2026-9080
  * SECURITY UPDATE: Man-in-the-middle in libcurl.
    - debian/patches/CVE-2026-9547.patch: Reject host key mismatches in
      in lib/vssh/libssh.c
    - CVE-2026-9547

 -- Kyle Kernick <email address hidden> Thu, 25 Jun 2026 15:11:42 -0600

Source diff to previous version

Version: 8.18.0-1ubuntu2.1 2026-05-04 15:36:28 UTC

  curl (8.18.0-1ubuntu2.1) resolute-security; urgency=medium

  * SECURITY UPDATE: connection reuse ignores TLS requirement
    - debian/patches/CVE-2026-4873.patch: do not reuse a non-tls starttls
      connection if new requires TLS in lib/url.c.
    - CVE-2026-4873
  * SECURITY UPDATE: wrong reuse of HTTP Negotiate connection
    - debian/patches/CVE-2026-5545.patch: improve connection reuse on
      negotiate in lib/url.c.
    - CVE-2026-5545
  * SECURITY UPDATE: wrong reuse of SMB connection
    - debian/patches/CVE-2026-5773.patch: disable connection reuse for
      SMB(S) in lib/smb.c.
    - CVE-2026-5773
  * SECURITY UPDATE: proxy credentials leak over redirect-to proxy
    - debian/patches/CVE-2026-6253-pre1.patch: chunked response, error code
      in lib/cf-h1-proxy.c, lib/cf-h2-proxy.c, tests/*.
    - debian/patches/CVE-2026-6253-pre2.patch: fix error code, remove SMB
      use in tests/data/test445.
    - debian/patches/CVE-2026-6253.patch: clear the proxy credentials as
      well on port or scheme change in lib/http.c, lib/transfer.*, tests/*.
    - CVE-2026-6253
  * SECURITY UPDATE: stale custom cookie host causes cookie leak
    - debian/patches/CVE-2026-6276.patch: move cookiehost to struct
      SingleRequest in lib/http.c, lib/request.c, lib/request.h, lib/url.c,
      lib/urldata.h, tests/*.
    - CVE-2026-6276
  * SECURITY UPDATE: netrc credential leak with reused proxy connection
    - debian/patches/CVE-2026-6429-pre1.patch: prevent secure schemes
      pushed over insecure connections in lib/http2.c.
    - debian/patches/CVE-2026-6429-pre2.patch: same origin tests in
      lib/http2.c, lib/urlapi-int.h, lib/urlapi.c.
    - debian/patches/CVE-2026-6429.patch: clear credentials better on
      redirect in lib/http.c, tests/*.
    - CVE-2026-6429
  * SECURITY UPDATE: cross-proxy Digest auth state leak
    - debian/patches/CVE-2026-7168.patch: clear proxy auth properties when
      switching in lib/setopt.c, lib/vauth/vauth.h, tests/*.
    - CVE-2026-7168

 -- Marc Deslauriers <email address hidden> Wed, 29 Apr 2026 07:35:43 -0400




About   -   Send Feedback to @ubuntu_updates