UbuntuUpdates.org

Package "curl"

Name: curl

Description:

command line tool for transferring data with URL syntax
Latest version: 7.47.0-1ubuntu2.19
Release: xenial (16.04)
Level: security
Repository: main
Homepage: http://curl.haxx.se

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "curl"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "curl" in Xenial

Repository Area Version
base main 7.47.0-1ubuntu2
updates main 7.47.0-1ubuntu2.19

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 7.47.0-1ubuntu2.19 2021-03-31 12:06:18 UTC

  curl (7.47.0-1ubuntu2.19) xenial-security; urgency=medium

  * SECURITY UPDATE: data leak via referer header field
    - debian/patches/urlapi.patch: backport url api support in
      include/curl/Makefile.am, include/curl/curl.h, include/curl/urlapi.h,
      lib/Makefile.inc, lib/urlapi-int.h, lib/urlapi.c,
      lib/curl_setup_once.h, lib/url.c, lib/url.h, lib/escape.c,
      lib/escape.h, docs/libcurl/symbols-in-versions.
    - debian/libcurl*.symbols: added new symbols.
    - debian/patches/CVE-2021-22876.patch: strip credentials from the
      auto-referer header field in lib/transfer.c.
    - CVE-2021-22876

 -- Marc Deslauriers <email address hidden> Tue, 23 Mar 2021 09:16:53 -0400
Source diff to previous version
CVE-2021-22876 Automatic referer leaks credentials

Version: 7.47.0-1ubuntu2.18 2020-12-09 13:06:18 UTC

  curl (7.47.0-1ubuntu2.18) xenial-security; urgency=medium

  * SECURITY UPDATE: FTP redirect to malicious host via PASV response
    - debian/patches/CVE-2020-8284.patch: use CURLOPT_FTP_SKIP_PASV_IP by
      default in lib/url.c, src/tool_cfgable.c, docs/*, tests/data/*.
    - CVE-2020-8284
  * SECURITY UPDATE: FTP wildcard stack buffer overflow in libcurl
    - debian/patches/CVE-2020-8285.patch: make wc_statemach loop instead of
      recurse in lib/ftp.c.
    - CVE-2020-8285
  * SECURITY UPDATE: Inferior OCSP verification
    - debian/patches/CVE-2020-8286.patch: make the OCSP verification verify
      the certificate id in lib/vtls/openssl.c.
    - CVE-2020-8286

 -- Marc Deslauriers <email address hidden> Tue, 01 Dec 2020 13:16:27 -0500
Source diff to previous version
CVE-2020-8284 trusting FTP PASV responses
CVE-2020-8285 FTP wildcard stack overflow
CVE-2020-8286 Inferior OCSP verification

Version: 7.47.0-1ubuntu2.16 2020-08-19 13:06:16 UTC

  curl (7.47.0-1ubuntu2.16) xenial-security; urgency=medium

  * SECURITY UPDATE: wrong connect-only connection
    - debian/patches/CVE-2020-8231.patch: remember last connection by id,
      not by pointer in lib/connect.c, lib/easy.c, lib/multi.c, lib/url.c,
      lib/urldata.h.
    - CVE-2020-8231

 -- Marc Deslauriers <email address hidden> Thu, 13 Aug 2020 13:42:55 -0400
Source diff to previous version
CVE-2020-8231 RESERVED

Version: 7.47.0-1ubuntu2.15 2020-06-24 13:06:36 UTC

  curl (7.47.0-1ubuntu2.15) xenial-security; urgency=medium

  * SECURITY UPDATE: curl overwrite local file with -J
    - debian/patches/CVE-2020-8177.patch: -i is not OK if -J is used in
      src/tool_cb_hdr.c, src/tool_getparam.c.
    - CVE-2020-8177

 -- Marc Deslauriers <email address hidden> Wed, 17 Jun 2020 09:21:55 -0400
Source diff to previous version

Version: 7.47.0-1ubuntu2.14 2019-09-11 08:06:49 UTC
No changelog available yet.


About   -   Send Feedback to @ubuntu_updates