UbuntuUpdates.org

Package "libcurl4-gnutls-dev"

Name: libcurl4-gnutls-dev

Description:

Development files and documentation for libcurl (GnuTLS)

Latest version: 7.22.0-3ubuntu4.17
Release: precise (12.04)
Level: security
Repository: main
Head package: curl
Homepage: http://curl.haxx.se

Other versions of "libcurl4-gnutls-dev" in Precise

Repository  Area  Version
base        main  7.22.0-3ubuntu4
updates     main  7.22.0-3ubuntu4.17

Changelog

Version: 7.22.0-3ubuntu4.17 2016-11-03 18:06:33 UTC

  curl (7.22.0-3ubuntu4.17) precise-security; urgency=medium

  * SECURITY UPDATE: Incorrect reuse of client certificates with NSS
    - debian/patches/CVE-2016-7141.patch: refuse previously loaded
      certificate from file in lib/nss.c.
    - CVE-2016-7141
  * SECURITY UPDATE: curl escape and unescape integer overflows
    - debian/patches/CVE-2016-7167.patch: deny negative string length
      inputs in lib/escape.c.
    - CVE-2016-7167
  * SECURITY UPDATE: cookie injection for other servers
    - debian/patches/CVE-2016-8615.patch: ignore lines that are too long in
      lib/cookie.c.
    - CVE-2016-8615
  * SECURITY UPDATE: case insensitive password comparison
    - debian/patches/CVE-2016-8616.patch: use case sensitive user/password
      comparisons in lib/url.c.
    - CVE-2016-8616
  * SECURITY UPDATE: OOB write via unchecked multiplication
    - debian/patches/CVE-2016-8617.patch: check for integer overflow on
      large input in lib/base64.c.
    - CVE-2016-8617
  * SECURITY UPDATE: double-free in curl_maprintf
    - debian/patches/CVE-2016-8618.patch: detect wrap-around when growing
      allocation in lib/mprintf.c.
    - CVE-2016-8618
  * SECURITY UPDATE: double-free in krb5 code
    - debian/patches/CVE-2016-8619.patch: avoid realloc in lib/security.c.
    - CVE-2016-8619
  * SECURITY UPDATE: curl_getdate read out of bounds
    - debian/patches/CVE-2016-8621.patch: handle cut off numbers better in
      lib/parsedate.c, added tests to tests/data/test517,
      tests/libtest/lib517.c.
    - CVE-2016-8621
  * SECURITY UPDATE: URL unescape heap overflow via integer truncation
    - debian/patches/CVE-2016-8622.patch: avoid integer overflow in
      lib/dict.c, lib/escape.c, update docs/libcurl/curl_easy_unescape.3.
    - CVE-2016-8622
  * SECURITY UPDATE: Use-after-free via shared cookies
    - debian/patches/CVE-2016-8623.patch: hold deep copies of all cookies
      in lib/cookie.c, lib/cookie.h, lib/http.c.
    - CVE-2016-8623
  * SECURITY UPDATE: invalid URL parsing with #
    - debian/patches/CVE-2016-8624.patch: accept # as end of host name in
      lib/url.c.
    - CVE-2016-8624

 -- Marc Deslauriers <email address hidden> Thu, 03 Nov 2016 08:03:52 -0400

CVE-2016-7141 curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authen
CVE-2016-7167 Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.

Version: 7.22.0-3ubuntu4.16 2016-08-08 19:06:45 UTC

  curl (7.22.0-3ubuntu4.16) precise-security; urgency=medium

  * SECURITY UPDATE: TLS session resumption client cert bypass
    - debian/patches/CVE-2016-5419.patch: switch off SSL session id when
      client cert is used in lib/url.c, lib/urldata.h, lib/sslgen.c.
    - CVE-2016-5419
  * SECURITY UPDATE: re-using connections with wrong client cert
    - debian/patches/CVE-2016-5420.patch: only reuse connections with the
      same client cert in lib/sslgen.c.
    - CVE-2016-5420

 -- Marc Deslauriers <email address hidden> Fri, 05 Aug 2016 11:27:56 -0400

CVE-2016-5419 TLS session resumption client cert bypass
CVE-2016-5420 Re-using connection with wrong client cert

Version: 7.22.0-3ubuntu4.15 2016-01-27 20:06:34 UTC

  curl (7.22.0-3ubuntu4.15) precise-security; urgency=medium

  * SECURITY UPDATE: NTLM credentials not-checked for proxy connection
    re-use
    - debian/patches/ntlm-backports.patch: backport misc NTLM fixes.
    - debian/patches/CVE-2014-0015.patch: refreshed.
    - debian/patches/CVE-2014-0138.patch: refreshed.
    - debian/patches/CVE-2014-3143.patch: refreshed.
    - debian/patches/CVE-2016-0755.patch: fix ConnectionExists to compare
      Proxy credentials in lib/url.c.
    - CVE-2016-0755

 -- Marc Deslauriers Wed, 27 Jan 2016 08:02:54 -0500

CVE-2014-0015 cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-depe
CVE-2014-0138 libcurl wrong re-use of connections
CVE-2014-3143 RESERVED
CVE-2016-0755 NTLM credentials not-checked for proxy connection re-use

Version: 7.22.0-3ubuntu4.14 2015-04-30 14:06:35 UTC

  curl (7.22.0-3ubuntu4.14) precise-security; urgency=medium

  * SECURITY UPDATE: NTLM connection reuse when unauthenticated
    - debian/patches/CVE-2015-3143.patch: require credentials to match in
      lib/url.c.
    - CVE-2015-3143
  * SECURITY UPDATE: negotiate not treated as connection-oriented
    - debian/patches/CVE-2015-3148.patch: don't clear GSSAPI state between
      each exchange and close Negotiate connections when done in
      lib/http.c, lib/http_negotiate.c, lib/http_negotiate_sspi.c.
    - CVE-2015-3148

 -- Marc Deslauriers <email address hidden> Wed, 29 Apr 2015 14:03:35 -0400

CVE-2015-3143 cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unau
CVE-2015-3148 cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as othe

Version: 7.22.0-3ubuntu4.12 2015-01-15 15:07:05 UTC

  curl (7.22.0-3ubuntu4.12) precise-security; urgency=medium

  * SECURITY UPDATE: URL request injection
    - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
      lib/url.c.
    - CVE-2014-8150

 -- Marc Deslauriers <email address hidden> Wed, 14 Jan 2015 08:51:55 -0500

CVE-2014-8150 URL request injection


