UbuntuUpdates.org

Package "libcurl4-gnutls-dev"

Name: libcurl4-gnutls-dev

Description: development files and documentation for libcurl (GnuTLS flavour)

Latest version: 7.81.0-1ubuntu1.16
Release: jammy (22.04)
Level: security
Repository: main
Head package: curl
Homepage: https://curl.haxx.se

Other versions of "libcurl4-gnutls-dev" in Jammy

Repository Area Version
base main 7.81.0-1
updates main 7.81.0-1ubuntu1.16

Changelog

Version: 7.81.0-1ubuntu1.10 2023-03-20 14:07:10 UTC

  curl (7.81.0-1ubuntu1.10) jammy-security; urgency=medium

  * SECURITY UPDATE: TELNET option IAC injection
    - debian/patches/CVE-2023-27533.patch: only accept option arguments in
      ascii in lib/telnet.c.
    - CVE-2023-27533
  * SECURITY UPDATE: SFTP path ~ resolving discrepancy
    - debian/patches/CVE-2023-27534-pre1.patch: do not add '/' if homedir
      ends with one in lib/curl_path.c.
    - debian/patches/CVE-2023-27534.patch: create the new path with dynbuf
      in lib/curl_path.c.
    - CVE-2023-27534
  * SECURITY UPDATE: FTP too eager connection reuse
    - debian/patches/CVE-2023-27535-pre1.patch: add and use Curl_timestrcmp
      in lib/netrc.c, lib/strcase.c, lib/strcase.h, lib/url.c,
      lib/vauth/digest_sspi.c, lib/vtls/vtls.c.
    - debian/patches/CVE-2023-27535.patch: add more conditions for
      connection reuse in lib/ftp.c, lib/ftp.h, lib/url.c, lib/urldata.h.
    - CVE-2023-27535
  * SECURITY UPDATE: GSS delegation too eager connection re-use
    - debian/patches/CVE-2023-27536.patch: only reuse connections with same
      GSS delegation in lib/url.c, lib/urldata.h.
    - CVE-2023-27536
  * SECURITY UPDATE: SSH connection too eager reuse still
    - debian/patches/CVE-2023-27538.patch: fix the SSH connection reuse
      check in lib/url.c.
    - CVE-2023-27538

 -- Marc Deslauriers <email address hidden> Tue, 14 Mar 2023 12:37:02 -0400

CVE-2023-27533 RESERVED
CVE-2023-27534 RESERVED
CVE-2023-27535 RESERVED
CVE-2023-27536 RESERVED
CVE-2023-27538 RESERVED

Version: 7.81.0-1ubuntu1.8 2023-02-27 14:07:03 UTC

  curl (7.81.0-1ubuntu1.8) jammy-security; urgency=medium

  * SECURITY UPDATE: multiple HSTS issues
    - debian/patches/CVE-2023-23914_5-1.patch: add sharing of HSTS cache
      among handles in docs/libcurl/opts/CURLSHOPT_SHARE.3,
      docs/libcurl/symbols-in-versions, include/curl/curl.h, lib/hsts.c,
      lib/hsts.h, lib/setopt.c, lib/share.c, lib/share.h, lib/transfer.c,
      lib/url.c, lib/urldata.h.
    - debian/patches/CVE-2023-23914_5-2.patch: share HSTS between handles
      in src/tool_operate.c.
    - debian/patches/CVE-2023-23914_5-3.patch: handle adding the same host
      name again in lib/hsts.c.
    - debian/patches/CVE-2023-23914_5-4.patch: support crlf="yes" for
      verify/proxy in tests/FILEFORMAT.md, tests/runtests.pl.
    - debian/patches/CVE-2023-23914_5-5.patch: verify hsts with two URLs in
      tests/data/Makefile.inc, tests/data/test446.
    - CVE-2023-23914
    - CVE-2023-23915
  * SECURITY UPDATE: HTTP multi-header compression denial of service
    - debian/patches/CVE-2023-23916-pre1.patch: do CRLF replacements in
      tests/FILEFORMAT.md, tests/data/test1, tests/runtests.pl.
    - debian/patches/CVE-2023-23916.patch: do not reset stage counter for
      each header in lib/content_encoding.c, lib/urldata.h,
      tests/data/Makefile.inc, tests/data/test418.
    - CVE-2023-23916

 -- Marc Deslauriers <email address hidden> Wed, 15 Feb 2023 08:20:05 -0500

CVE-2023-23914 A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs a
CVE-2023-23915 A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly whe
CVE-2023-23916 An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, mea

Version: 7.81.0-1ubuntu1.7 2023-01-05 19:07:32 UTC

  curl (7.81.0-1ubuntu1.7) jammy-security; urgency=medium

  * SECURITY UPDATE: Another HSTS bypass via IDN
    - debian/patches/CVE-2022-43551.patch: use the IDN decoded name in HSTS
      checks in lib/http.c.
    - CVE-2022-43551
  * SECURITY UPDATE: HTTP Proxy deny use-after-free
    - debian/patches/CVE-2022-43552.patch: do not free the protocol struct
      in *_done() in lib/smb.c, lib/telnet.c.
    - CVE-2022-43552

 -- Marc Deslauriers <email address hidden> Wed, 04 Jan 2023 09:53:07 -0500

CVE-2022-43551 A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instruct
CVE-2022-43552 HTTP Proxy deny use-after-free

Version: 7.81.0-1ubuntu1.6 2022-10-26 19:07:25 UTC

  curl (7.81.0-1ubuntu1.6) jammy-security; urgency=medium

  * SECURITY UPDATE: POST following PUT confusion
    - debian/patches/CVE-2022-32221.patch: when POST is set, reset the
      'upload' field in lib/setopt.c.
    - CVE-2022-32221
  * SECURITY UPDATE: HTTP proxy double-free
    - debian/patches/CVE-2022-42915.patch: restore the protocol pointer on
      error in lib/http_proxy.c, lib/url.c.
    - CVE-2022-42915
  * SECURITY UPDATE: HSTS bypass via IDN
    - debian/patches/CVE-2022-42916.patch: use IDN decoded names for HSTS
      checks in lib/url.c.
    - CVE-2022-42916

 -- Marc Deslauriers <email address hidden> Tue, 18 Oct 2022 12:35:33 -0400

CVE-2022-32221 POST following PUT confusion
CVE-2022-42915 HTTP proxy double-free
CVE-2022-42916 HSTS bypass via IDN

Version: 7.81.0-1ubuntu1.4 2022-09-01 22:06:24 UTC

  curl (7.81.0-1ubuntu1.4) jammy-security; urgency=medium

  * SECURITY UPDATE: when curl sends back cookies with control bytes a
    HTTP(S) server may return a 400 response
    - debian/patches/CVE-2022-35252.patch: adds invalid_octets function
      to lib/cookie.c to reject cookies with control bytes
    - CVE-2022-35252

 -- Mark Esler <email address hidden> Wed, 31 Aug 2022 14:18:07 -0500



