Package "libcurl4"

Name: libcurl4


easy-to-use client-side URL transfer library (OpenSSL flavour)

Latest version: 7.68.0-1ubuntu2.22
Release: focal (20.04)
Level: security
Repository: main
Head package: curl
Homepage: http://curl.haxx.se



Other versions of "libcurl4" in Focal

Repository  Area  Version
base        main  7.68.0-1ubuntu2
updates     main  7.68.0-1ubuntu2.22


Version: 7.68.0-1ubuntu2.22 2024-03-27 14:06:51 UTC

  curl (7.68.0-1ubuntu2.22) focal-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 push headers memory-leak
    - debian/patches/CVE-2024-2398.patch: push headers better cleanup in
    - CVE-2024-2398

 -- Marc Deslauriers <email address hidden> Tue, 19 Mar 2024 09:53:11 -0400

CVE-2024-2398 HTTP/2 push headers memory-leak

Version: 7.68.0-1ubuntu2.21 2023-12-06 14:06:55 UTC

  curl (7.68.0-1ubuntu2.21) focal-security; urgency=medium

  * SECURITY UPDATE: cookie mixed case PSL bypass
    - debian/patches/CVE-2023-46218.patch: lowercase the domain names
      before PSL checks in lib/cookie.c.
    - CVE-2023-46218

 -- Marc Deslauriers <email address hidden> Wed, 29 Nov 2023 14:26:14 -0500

CVE-2023-46218 curl: cookie mixed case PSL bypass

Version: 7.68.0-1ubuntu2.20 2023-10-11 13:06:49 UTC

  curl (7.68.0-1ubuntu2.20) focal-security; urgency=medium

  * SECURITY UPDATE: cookie injection with none file
    - debian/patches/CVE-2023-38546.patch: remove unnecessary struct fields
      in lib/cookie.c, lib/cookie.h, lib/easy.c.
    - CVE-2023-38546

 -- Marc Deslauriers <email address hidden> Tue, 03 Oct 2023 13:20:00 -0400


Version: 7.68.0-1ubuntu2.19 2023-07-19 13:07:12 UTC

  curl (7.68.0-1ubuntu2.19) focal-security; urgency=medium

  * SECURITY UPDATE: improper certificate validation vulnerability
    - debian/patches/CVE-2023-28321.patch: fix host name wildcard checking
      in lib/hostcheck.c, tests/data/test1397, tests/unit/unit1397.c.
    - CVE-2023-28321
  * SECURITY UPDATE: information disclosure vulnerability
    - debian/patches/CVE-2023-28322.patch: unify the upload/method handling
      in lib/curl_rtmp.c, lib/file.c, lib/ftp.c, lib/http.c, lib/imap.c,
      lib/rtsp.c, lib/setopt.c, lib/smb.c, lib/smtp.c, lib/tftp.c,
      lib/transfer.c, lib/urldata.h, lib/vssh/libssh.c, lib/vssh/libssh2.c.
    - CVE-2023-28322

 -- Marc Deslauriers <email address hidden> Mon, 17 Jul 2023 10:44:42 -0400

CVE-2023-28321 An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject
CVE-2023-28322 An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOP

Version: 7.68.0-1ubuntu2.18 2023-03-20 14:07:07 UTC

  curl (7.68.0-1ubuntu2.18) focal-security; urgency=medium

  * SECURITY UPDATE: TELNET option IAC injection
    - debian/patches/CVE-2023-27533.patch: only accept option arguments in
      ascii in lib/telnet.c.
    - CVE-2023-27533
  * SECURITY UPDATE: SFTP path ~ resolving discrepancy
    - debian/patches/CVE-2023-27534-pre1.patch: do not add '/' if homedir
      ends with one in lib/curl_path.c.
    - debian/patches/CVE-2023-27534.patch: properly handle tilde character
      in lib/curl_path.c.
    - CVE-2023-27534
  * SECURITY UPDATE: FTP too eager connection reuse
    - debian/patches/CVE-2023-27535-pre1.patch: add and use Curl_timestrcmp
      in lib/netrc.c, lib/strcase.c, lib/strcase.h, lib/url.c,
      lib/vauth/digest_sspi.c, lib/vtls/vtls.c.
    - debian/patches/CVE-2023-27535.patch: add more conditions for
      connection reuse in lib/ftp.c, lib/ftp.h, lib/url.c, lib/urldata.h.
    - CVE-2023-27535
  * SECURITY UPDATE: GSS delegation too eager connection re-use
    - debian/patches/CVE-2023-27536.patch: only reuse connections with same
      GSS delegation in lib/url.c, lib/urldata.h.
    - CVE-2023-27536
  * SECURITY UPDATE: SSH connection too eager reuse still
    - debian/patches/CVE-2023-27538.patch: fix the SSH connection reuse
      check in lib/url.c.
    - CVE-2023-27538

 -- Marc Deslauriers <email address hidden> Tue, 14 Mar 2023 13:13:49 -0400

CVE-2023-27533 RESERVED
CVE-2023-27534 RESERVED
CVE-2023-27535 RESERVED
CVE-2023-27536 RESERVED
CVE-2023-27538 RESERVED
