UbuntuUpdates.org

Package "libcurl4-openssl-dev"

Name: libcurl4-openssl-dev

Description:

development files and documentation for libcurl (OpenSSL flavour)

Latest version: 8.18.0-1ubuntu2.2
Release: resolute (26.04)
Level: security
Repository: main
Head package: curl
Homepage: https://curl.se/

Other versions of "libcurl4-openssl-dev" in Resolute

Repository Area Version
base main 8.18.0-1ubuntu2
updates main 8.18.0-1ubuntu2.2

Changelog

Version: 8.18.0-1ubuntu2.2 2026-07-01 02:08:29 UTC

  curl (8.18.0-1ubuntu2.2) resolute-security; urgency=medium

  * SECURITY UPDATE: Connection reuse for starttls protocols.
    - debian/patches/CVE-2026-8286.patch: When a connection is tested for
      reuse in a transfer that may upgrade to TLS (commonly via STARTTLS),
      the SSL configuration must match the existing connection in lib/url.c
    - CVE-2026-8286
  * SECURITY UPDATE: Connection reuse in SASL.
    - debian/patches/CVE-2026-8458.patch: Fix erroneous connection reuse in
      lib/curl_sasl.c, lib/http_negotiate.c, lib/http_ntlm.c, lib/imap.c,
      lib/openldap.c, and lib/pop3.c
    - CVE-2026-8458
  * SECURITY UPDATE: Cookie injection in is_public_suffix.
    - debian/patches/CVE-2026-8924.patch: Trim trailing dots when checking
      PSL in lib/cookie.c.
    - CVE-2026-8924
  * SECURITY UPDATE: Double-free in gsasl.
    - debian/patches/CVE-2026-8925.patch: Require libgsasl 1.6.0 to handle
      NULL argument in lib/vauth/gsasl.c.
    - CVE-2026-8925
  * SECURITY UPDATE: Information disclosure in netrc.
    - debian/patches/CVE-2026-8926.patch: Do not return a password from
      parsenetrc() when the requested login did not match the credentials
      found for the matched machine in lib/netrc.c.
    - CVE-2026-8926
  * SECURITY UPDATE: Information disclosure in libcurl
    - debian/patches/CVE-2026-8927.patch: Detect if proxy is not the same as
      previous and flush state in lib/url.c and lib/urldata.h.
    - debian/patches/CVE-2026-9079.patch: Verify NULLed proxy credentials
      in lib/setopt.c.
    - debian/patches/CVE-2026-9545.patch: Hard fail when certificate
      verification fails in lib/vquic/curl_ngtcp2.c.
    - CVE-2026-8927
    - CVE-2026-9079
    - CVE-2026-9545
  * SECURITY UPDATE: Use-after-free in curl_easy_parse
    - debian/patches/CVE-2026-9080.patch: Introduce magic struct field to
      assert against NULL pointers in lib/multi_ev.c
    - CVE-2026-9080
  * SECURITY UPDATE: Man-in-the-middle in libcurl.
    - debian/patches/CVE-2026-9547.patch: Reject host key mismatches in
      lib/vssh/libssh.c
    - CVE-2026-9547

 -- Kyle Kernick <email address hidden> Thu, 25 Jun 2026 15:11:42 -0600

Version: 8.18.0-1ubuntu2.1 2026-05-04 15:36:28 UTC

  curl (8.18.0-1ubuntu2.1) resolute-security; urgency=medium

  * SECURITY UPDATE: connection reuse ignores TLS requirement
    - debian/patches/CVE-2026-4873.patch: do not reuse a non-tls starttls
      connection if new requires TLS in lib/url.c.
    - CVE-2026-4873
  * SECURITY UPDATE: wrong reuse of HTTP Negotiate connection
    - debian/patches/CVE-2026-5545.patch: improve connection reuse on
      negotiate in lib/url.c.
    - CVE-2026-5545
  * SECURITY UPDATE: wrong reuse of SMB connection
    - debian/patches/CVE-2026-5773.patch: disable connection reuse for
      SMB(S) in lib/smb.c.
    - CVE-2026-5773
  * SECURITY UPDATE: proxy credentials leak over redirect-to proxy
    - debian/patches/CVE-2026-6253-pre1.patch: chunked response, error code
      in lib/cf-h1-proxy.c, lib/cf-h2-proxy.c, tests/*.
    - debian/patches/CVE-2026-6253-pre2.patch: fix error code, remove SMB
      use in tests/data/test445.
    - debian/patches/CVE-2026-6253.patch: clear the proxy credentials as
      well on port or scheme change in lib/http.c, lib/transfer.*, tests/*.
    - CVE-2026-6253
  * SECURITY UPDATE: stale custom cookie host causes cookie leak
    - debian/patches/CVE-2026-6276.patch: move cookiehost to struct
      SingleRequest in lib/http.c, lib/request.c, lib/request.h, lib/url.c,
      lib/urldata.h, tests/*.
    - CVE-2026-6276
  * SECURITY UPDATE: netrc credential leak with reused proxy connection
    - debian/patches/CVE-2026-6429-pre1.patch: prevent secure schemes
      pushed over insecure connections in lib/http2.c.
    - debian/patches/CVE-2026-6429-pre2.patch: same origin tests in
      lib/http2.c, lib/urlapi-int.h, lib/urlapi.c.
    - debian/patches/CVE-2026-6429.patch: clear credentials better on
      redirect in lib/http.c, tests/*.
    - CVE-2026-6429
  * SECURITY UPDATE: cross-proxy Digest auth state leak
    - debian/patches/CVE-2026-7168.patch: clear proxy auth properties when
      switching in lib/setopt.c, lib/vauth/vauth.h, tests/*.
    - CVE-2026-7168

 -- Marc Deslauriers <email address hidden> Wed, 29 Apr 2026 07:35:43 -0400



