UbuntuUpdates.org

Package "curl"

Name: curl

Description:

command line tool for transferring data with URL syntax

Latest version: 7.68.0-1ubuntu2.6
Release: focal (20.04)
Level: security
Repository: main
Homepage: http://curl.haxx.se

Other versions of "curl" in Focal

Repository   Area   Version
base         main   7.68.0-1ubuntu2
updates      main   7.68.0-1ubuntu2.6



Changelog

Version: 7.68.0-1ubuntu2.6 2021-07-22 20:06:28 UTC

  curl (7.68.0-1ubuntu2.6) focal-security; urgency=medium

  * SECURITY UPDATE: TELNET stack contents disclosure
    - debian/patches/CVE-2021-22898.patch: check sscanf() for correct
      number of matches in lib/telnet.c.
    - CVE-2021-22898
  * SECURITY UPDATE: Bad connection reuse due to flawed path name checks
    - debian/patches/CVE-2021-22924.patch: fix connection reuse checks for
      issuer cert and case sensitivity in lib/url.c, lib/urldata.h,
      lib/vtls/gtls.c, lib/vtls/nss.c, lib/vtls/openssl.c, lib/vtls/vtls.c.
    - CVE-2021-22924
  * SECURITY UPDATE: TELNET stack contents disclosure again
    - debian/patches/CVE-2021-22925.patch: fix option parser to not send
      uninitialized contents in lib/telnet.c.
    - CVE-2021-22925

 -- Marc Deslauriers <email address hidden> Wed, 21 Jul 2021 08:35:58 -0400

CVE-2021-22898 curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is use
CVE-2021-22924 Bad connection reuse due to flawed path name checks
CVE-2021-22925 TELNET stack contents disclosure again

Version: 7.68.0-1ubuntu2.5 2021-03-31 12:06:21 UTC

  curl (7.68.0-1ubuntu2.5) focal-security; urgency=medium

  * SECURITY UPDATE: data leak via referer header field
    - debian/patches/CVE-2021-22876.patch: strip credentials from the
      auto-referer header field in lib/transfer.c.
    - CVE-2021-22876
  * SECURITY UPDATE: TLS 1.3 session ticket proxy host mixup
    - debian/patches/CVE-2021-22890.patch: make sure we set and extract the
      correct session in lib/vtls/*.
    - CVE-2021-22890

 -- Marc Deslauriers <email address hidden> Tue, 23 Mar 2021 09:13:04 -0400

CVE-2021-22876 Automatic referer leaks credentials
CVE-2021-22890 TLS 1.3 session ticket proxy host mixup

Version: 7.68.0-1ubuntu2.4 2020-12-09 13:06:23 UTC

  curl (7.68.0-1ubuntu2.4) focal-security; urgency=medium

  * SECURITY UPDATE: FTP redirect to malicious host via PASV response
    - debian/patches/CVE-2020-8284.patch: use CURLOPT_FTP_SKIP_PASV_IP by
      default in lib/url.c, src/tool_cfgable.c, docs/*, tests/data/*.
    - CVE-2020-8284
  * SECURITY UPDATE: FTP wildcard stack buffer overflow in libcurl
    - debian/patches/CVE-2020-8285.patch: make wc_statemach loop instead of
      recurse in lib/ftp.c.
    - CVE-2020-8285
  * SECURITY UPDATE: Inferior OCSP verification
    - debian/patches/CVE-2020-8286.patch: make the OCSP verification verify
      the certificate id in lib/vtls/openssl.c.
    - CVE-2020-8286

 -- Marc Deslauriers <email address hidden> Mon, 30 Nov 2020 10:59:13 -0500

CVE-2020-8284 trusting FTP PASV responses
CVE-2020-8285 FTP wildcard stack overflow
CVE-2020-8286 Inferior OCSP verification

Version: 7.68.0-1ubuntu2.2 2020-08-19 13:06:20 UTC

  curl (7.68.0-1ubuntu2.2) focal-security; urgency=medium

  * SECURITY UPDATE: wrong connect-only connection
    - debian/patches/CVE-2020-8231.patch: remember last connection by id,
      not by pointer in lib/connect.c, lib/easy.c, lib/multi.c, lib/url.c,
      lib/urldata.h.
    - CVE-2020-8231

 -- Marc Deslauriers <email address hidden> Thu, 13 Aug 2020 13:34:56 -0400

CVE-2020-8231 RESERVED

Version: 7.68.0-1ubuntu2.1 2020-06-24 13:06:47 UTC

  curl (7.68.0-1ubuntu2.1) focal-security; urgency=medium

  * SECURITY UPDATE: Partial password leak over DNS on HTTP redirect
    - debian/patches/CVE-2020-8169.patch: make the updated credentials
      URL-encoded in the URL in lib/url.c, tests/data/test1168,
      tests/data/Makefile.inc.
    - CVE-2020-8169
  * SECURITY UPDATE: curl overwrite local file with -J
    - debian/patches/CVE-2020-8177.patch: -i is not OK if -J is used in
      src/tool_cb_hdr.c, src/tool_getparam.c.
    - CVE-2020-8177

 -- Marc Deslauriers <email address hidden> Wed, 17 Jun 2020 09:03:28 -0400
