UbuntuUpdates.org

Package "curl"

Name: curl

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • easy-to-use client-side URL transfer library (NSS flavour)
  • development files and documentation for libcurl (NSS flavour)
Latest version: 7.88.1-8ubuntu2.4
Release: lunar (23.04)
Level: security
Repository: universe

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Other versions of "curl" in Lunar

Repository Area Version
base main 7.88.1-8ubuntu1
base universe 7.88.1-8ubuntu1
security main 7.88.1-8ubuntu2.4
updates main 7.88.1-8ubuntu2.4
updates universe 7.88.1-8ubuntu2.4

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 7.88.1-8ubuntu2.4 2023-12-06 14:06:58 UTC

  curl (7.88.1-8ubuntu2.4) lunar-security; urgency=medium

  * SECURITY UPDATE: cookie mixed case PSL bypass
    - debian/patches/CVE-2023-46218.patch: lowercase the domain names
      before PSL checks in lib/cookie.c.
    - CVE-2023-46218
  * SECURITY UPDATE: HSTS long file name clears contents
    - debian/patches/CVE-2023-46219.patch: create short(er) temporary file
      name in lib/fopen.c.
    - CVE-2023-46219

 -- Marc Deslauriers <email address hidden> Wed, 29 Nov 2023 14:21:53 -0500
Source diff to previous version
CVE-2023-46218 curl: cookie mixed case PSL bypass
CVE-2023-46219 curl: HSTS long file name clears contents

Version: 7.88.1-8ubuntu2.3 2023-10-11 13:06:54 UTC

  curl (7.88.1-8ubuntu2.3) lunar-security; urgency=medium

  * SECURITY UPDATE: SOCKS5 heap buffer overflow
    - debian/patches/CVE-2023-38545.patch: return error if hostname too
      long for remote resolve in lib/socks.c, tests/data/Makefile.inc,
      tests/data/test728.
    - CVE-2023-38545
  * SECURITY UPDATE: cookie injection with none file
    - debian/patches/CVE-2023-38546.patch: remove unnecessary struct fields
      in lib/cookie.c, lib/cookie.h, lib/easy.c.
    - CVE-2023-38546

 -- Marc Deslauriers <email address hidden> Tue, 03 Oct 2023 11:22:25 -0400
Source diff to previous version

Version: 7.88.1-8ubuntu2.2 2023-09-13 14:08:51 UTC

  curl (7.88.1-8ubuntu2.2) lunar-security; urgency=medium

  * SECURITY UPDATE: HTTP headers eat all memory
    - debian/patches/CVE-2023-38039.patch: return error when receiving too
      large header set in lib/c-hyper.c, lib/http_proxy.c, lib/http.c,
      lib/http.h, lib/pingpong.c, lib/urldata.h.
    - CVE-2023-38039

 -- Marc Deslauriers <email address hidden> Mon, 11 Sep 2023 09:09:46 -0400
Source diff to previous version

Version: 7.88.1-8ubuntu2.1 2023-07-19 13:07:24 UTC

  curl (7.88.1-8ubuntu2.1) lunar-security; urgency=medium

  * SECURITY UPDATE: improper certificate validation vulnerability
    - debian/patches/CVE-2023-28321.patch: fix host name wildcard checking
      in lib/vtls/hostcheck.c, tests/data/test1397, tests/unit/unit1397.c.
    - CVE-2023-28321
  * SECURITY UPDATE: information disclosure vulnerability
    - debian/patches/CVE-2023-28322.patch: unify the upload/method handling
      in lib/curl_rtmp.c, lib/file.c, lib/ftp.c, lib/http.c, lib/imap.c,
      lib/rtsp.c, lib/setopt.c, lib/smb.c, lib/smtp.c, lib/tftp.c,
      lib/transfer.c, lib/urldata.h, lib/vssh/libssh.c, lib/vssh/libssh2.c,
      lib/vssh/wolfssh.c.
    - CVE-2023-28322
  * SECURITY UPDATE: fopen race condition
    - debian/patches/CVE-2023-32001.patch: fix race in lib/fopen.c.
    - CVE-2023-32001

 -- Marc Deslauriers <email address hidden> Mon, 17 Jul 2023 07:53:10 -0400
CVE-2023-28321 An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject
CVE-2023-28322 An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOP


About   -   Send Feedback to @ubuntu_updates