Package "curl"
Name: curl
Description: Get a file from an HTTP, HTTPS or FTP server
Latest version: 7.22.0-3ubuntu4.29
Release: precise (12.04)
Level: security
Repository: main
Homepage: http://curl.haxx.se
Changelog
curl (7.22.0-3ubuntu4.29) precise-security; urgency=medium

  [ Marc Deslauriers ]
  * SECURITY UPDATE: FTP redirect to malicious host via PASV response
    - debian/patches/CVE-2020-8284.patch: use CURLOPT_FTP_SKIP_PASV_IP by
      default in lib/url.c, src/main.c.
    - CVE-2020-8284
  * SECURITY UPDATE: FTP wildcard stack buffer overflow in libcurl
    - debian/patches/CVE-2020-8285.patch: make wc_statemach loop instead of
      recurse in lib/ftp.c.
    - CVE-2020-8285

 -- Leonidas Da Silva Barbosa <email address hidden>  Thu, 03 Dec 2020 11:42:29 -0300
curl (7.22.0-3ubuntu4.17) precise-security; urgency=medium

  * SECURITY UPDATE: Incorrect reuse of client certificates with NSS
    - debian/patches/CVE-2016-7141.patch: refuse previously loaded
      certificate from file in lib/nss.c.
    - CVE-2016-7141
  * SECURITY UPDATE: curl escape and unescape integer overflows
    - debian/patches/CVE-2016-7167.patch: deny negative string length
      inputs in lib/escape.c.
    - CVE-2016-7167
  * SECURITY UPDATE: cookie injection for other servers
    - debian/patches/CVE-2016-8615.patch: ignore lines that are too long in
      lib/cookie.c.
    - CVE-2016-8615
  * SECURITY UPDATE: case insensitive password comparison
    - debian/patches/CVE-2016-8616.patch: use case sensitive user/password
      comparisons in lib/url.c.
    - CVE-2016-8616
  * SECURITY UPDATE: OOB write via unchecked multiplication
    - debian/patches/CVE-2016-8617.patch: check for integer overflow on
      large input in lib/base64.c.
    - CVE-2016-8617
  * SECURITY UPDATE: double-free in curl_maprintf
    - debian/patches/CVE-2016-8618.patch: detect wrap-around when growing
      allocation in lib/mprintf.c.
    - CVE-2016-8618
  * SECURITY UPDATE: double-free in krb5 code
    - debian/patches/CVE-2016-8619.patch: avoid realloc in lib/security.c.
    - CVE-2016-8619
  * SECURITY UPDATE: curl_getdate read out of bounds
    - debian/patches/CVE-2016-8621.patch: handle cut off numbers better in
      lib/parsedate.c, added tests to tests/data/test517,
      tests/libtest/lib517.c.
    - CVE-2016-8621
  * SECURITY UPDATE: URL unescape heap overflow via integer truncation
    - debian/patches/CVE-2016-8622.patch: avoid integer overflow in
      lib/dict.c, lib/escape.c, update docs/libcurl/curl_easy_unescape.3.
    - CVE-2016-8622
  * SECURITY UPDATE: Use-after-free via shared cookies
    - debian/patches/CVE-2016-8623.patch: hold deep copies of all cookies
      in lib/cookie.c, lib/cookie.h, lib/http.c.
    - CVE-2016-8623
  * SECURITY UPDATE: invalid URL parsing with #
    - debian/patches/CVE-2016-8624.patch: accept # as end of host name in
      lib/url.c.
    - CVE-2016-8624

 -- Marc Deslauriers <email address hidden>  Thu, 03 Nov 2016 08:03:52 -0400
CVE-2016-7141: curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authen
CVE-2016-7167: Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.

curl (7.22.0-3ubuntu4.16) precise-security; urgency=medium

  * SECURITY UPDATE: TLS session resumption client cert bypass
    - debian/patches/CVE-2016-5419.patch: switch off SSL session id when
      client cert is used in lib/url.c, lib/urldata.h, lib/sslgen.c.
    - CVE-2016-5419
  * SECURITY UPDATE: re-using connections with wrong client cert
    - debian/patches/CVE-2016-5420.patch: only reuse connections with the
      same client cert in lib/sslgen.c.
    - CVE-2016-5420

 -- Marc Deslauriers <email address hidden>  Fri, 05 Aug 2016 11:27:56 -0400
curl (7.22.0-3ubuntu4.15) precise-security; urgency=medium

  * SECURITY UPDATE: NTLM credentials not-checked for proxy connection
    re-use
    - debian/patches/ntlm-backports.patch: backport misc NTLM fixes.
    - debian/patches/CVE-2014-0015.patch: refreshed.
    - debian/patches/CVE-2014-0138.patch: refreshed.
    - debian/patches/CVE-2014-3143.patch: refreshed.
    - debian/patches/CVE-2016-0755.patch: fix ConnectionExists to compare
      Proxy credentials in lib/url.c.
    - CVE-2016-0755

 -- Marc Deslauriers  Wed, 27 Jan 2016 08:02:54 -0500
CVE-2014-0015: cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-depe
CVE-2014-0138: libcurl wrong re-use of connections
CVE-2014-3143: RESERVED
CVE-2016-0755: NTLM credentials not-checked for proxy connection re-use

curl (7.22.0-3ubuntu4.14) precise-security; urgency=medium

  * SECURITY UPDATE: NTLM connection reuse when unauthenticated
    - debian/patches/CVE-2015-3143.patch: require credentials to match in
      lib/url.c.
    - CVE-2015-3143
  * SECURITY UPDATE: negotiate not treated as connection-oriented
    - debian/patches/CVE-2015-3148.patch: don't clear GSSAPI state between
      each exchange and close Negotiate connections when done in
      lib/http.c, lib/http_negotiate.c, lib/http_negotiate_sspi.c.
    - CVE-2015-3148

 -- Marc Deslauriers <email address hidden>  Wed, 29 Apr 2015 14:03:35 -0400

CVE-2015-3143: cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unau
CVE-2015-3148: cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as othe