Author: Robert Ancell
Revision Date: 2015-08-11 11:41:50 UTC

* debian/control:
  - Switch build depends from transitional libgnutsl28-dev to libgnutls-dev

Author: Robert Ancell
Revision Date: 2015-08-11 11:41:50 UTC

* debian/control:
  - Switch build depends from transitional libgnutsl28-dev to libgnutls-dev

Author: Marc Deslauriers
Revision Date: 2015-04-29 09:09:44 UTC

* SECURITY UPDATE: NTLM connection reuse when unauthenticated
  - debian/patches/CVE-2015-3143.patch: require credentials to match in
    lib/url.c.
  - CVE-2015-3143
* SECURITY UPDATE: host name out of boundary memory access
  - debian/patches/CVE-2015-3144.patch: check for valid length in
    lib/url.c.
  - CVE-2015-3144
* SECURITY UPDATE: cookie parser out of boundary memory access
  - debian/patches/CVE-2015-3145.patch: properly handle a single double
    quote in lib/cookie.c.
  - CVE-2015-3145
* SECURITY UPDATE: negotiate not treated as connection-oriented
  - debian/patches/CVE-2015-3148.patch: close Negotiate connections when
    done in lib/http.c.
  - CVE-2015-3148
* SECURITY UPDATE: sensitive HTTP server headers disclosure to proxies
  - debian/patches/CVE-2015-3153.patch: make HTTP headers separated in
    docs/libcurl/opts/CURLOPT_HEADEROPT.3, lib/url.c,
    tests/data/test1527, tests/data/test287, tests/libtest/lib1527.c.
  - CVE-2015-3153

Author: Marc Deslauriers
Revision Date: 2015-04-29 09:09:44 UTC

* SECURITY UPDATE: NTLM connection reuse when unauthenticated
  - debian/patches/CVE-2015-3143.patch: require credentials to match in
    lib/url.c.
  - CVE-2015-3143
* SECURITY UPDATE: host name out of boundary memory access
  - debian/patches/CVE-2015-3144.patch: check for valid length in
    lib/url.c.
  - CVE-2015-3144
* SECURITY UPDATE: cookie parser out of boundary memory access
  - debian/patches/CVE-2015-3145.patch: properly handle a single double
    quote in lib/cookie.c.
  - CVE-2015-3145
* SECURITY UPDATE: negotiate not treated as connection-oriented
  - debian/patches/CVE-2015-3148.patch: close Negotiate connections when
    done in lib/http.c.
  - CVE-2015-3148
* SECURITY UPDATE: sensitive HTTP server headers disclosure to proxies
  - debian/patches/CVE-2015-3153.patch: make HTTP headers separated in
    docs/libcurl/opts/CURLOPT_HEADEROPT.3, lib/url.c,
    tests/data/test1527, tests/data/test287, tests/libtest/lib1527.c.
  - CVE-2015-3153

Author: Marc Deslauriers
Revision Date: 2015-04-29 14:03:35 UTC

* SECURITY UPDATE: NTLM connection reuse when unauthenticated
  - debian/patches/CVE-2015-3143.patch: require credentials to match in
    lib/url.c.
  - CVE-2015-3143
* SECURITY UPDATE: negotiate not treated as connection-oriented
  - debian/patches/CVE-2015-3148.patch: don't clear GSSAPI state between
    each exchange and close Negotiate connections when done in
    lib/http.c, lib/http_negotiate.c, lib/http_negotiate_sspi.c.
  - CVE-2015-3148

Author: Marc Deslauriers
Revision Date: 2015-04-29 14:03:35 UTC

* SECURITY UPDATE: NTLM connection reuse when unauthenticated
  - debian/patches/CVE-2015-3143.patch: require credentials to match in
    lib/url.c.
  - CVE-2015-3143
* SECURITY UPDATE: negotiate not treated as connection-oriented
  - debian/patches/CVE-2015-3148.patch: don't clear GSSAPI state between
    each exchange and close Negotiate connections when done in
    lib/http.c, lib/http_negotiate.c, lib/http_negotiate_sspi.c.
  - CVE-2015-3148

Author: Marc Deslauriers
Revision Date: 2015-04-29 14:03:00 UTC

* SECURITY UPDATE: NTLM connection reuse when unauthenticated
  - debian/patches/CVE-2015-3143.patch: require credentials to match in
    lib/url.c.
  - CVE-2015-3143
* SECURITY UPDATE: cookie parser out of boundary memory access
  - debian/patches/CVE-2015-3145.patch: properly handle a single double
    quote in lib/cookie.c.
  - CVE-2015-3145
* SECURITY UPDATE: negotiate not treated as connection-oriented
  - debian/patches/CVE-2015-3148.patch: don't clear GSSAPI state between
    each exchange and close Negotiate connections when done in
    lib/http.c, lib/http_negotiate.c, lib/http_negotiate_sspi.c.
  - CVE-2015-3148

Author: Marc Deslauriers
Revision Date: 2015-04-29 14:03:00 UTC

* SECURITY UPDATE: NTLM connection reuse when unauthenticated
  - debian/patches/CVE-2015-3143.patch: require credentials to match in
    lib/url.c.
  - CVE-2015-3143
* SECURITY UPDATE: cookie parser out of boundary memory access
  - debian/patches/CVE-2015-3145.patch: properly handle a single double
    quote in lib/cookie.c.
  - CVE-2015-3145
* SECURITY UPDATE: negotiate not treated as connection-oriented
  - debian/patches/CVE-2015-3148.patch: don't clear GSSAPI state between
    each exchange and close Negotiate connections when done in
    lib/http.c, lib/http_negotiate.c, lib/http_negotiate_sspi.c.
  - CVE-2015-3148

Author: Marc Deslauriers
Revision Date: 2015-04-29 10:23:26 UTC

* SECURITY UPDATE: NTLM connection reuse when unauthenticated
  - debian/patches/CVE-2015-3143.patch: require credentials to match in
    lib/url.c.
  - CVE-2015-3143
* SECURITY UPDATE: host name out of boundary memory access
  - debian/patches/CVE-2015-3144.patch: check for valid length in
    lib/url.c.
  - CVE-2015-3144
* SECURITY UPDATE: cookie parser out of boundary memory access
  - debian/patches/CVE-2015-3145.patch: properly handle a single double
    quote in lib/cookie.c.
  - CVE-2015-3145
* SECURITY UPDATE: negotiate not treated as connection-oriented
  - debian/patches/CVE-2015-3148.patch: don't clear GSSAPI state between
    each exchange and close Negotiate connections when done in
    lib/http.c, lib/http_negotiate.c, lib/http_negotiate_sspi.c.
  - CVE-2015-3148
* SECURITY UPDATE: sensitive HTTP server headers disclosure to proxies
  - debian/patches/CVE-2015-3153.patch: make HTTP headers separated in
    docs/libcurl/opts/CURLOPT_HEADEROPT.3, lib/url.c,
    tests/data/test1527, tests/data/test287, tests/libtest/lib1527.c.
  - CVE-2015-3153

Author: Marc Deslauriers
Revision Date: 2015-04-29 10:23:26 UTC

* SECURITY UPDATE: NTLM connection reuse when unauthenticated
  - debian/patches/CVE-2015-3143.patch: require credentials to match in
    lib/url.c.
  - CVE-2015-3143
* SECURITY UPDATE: host name out of boundary memory access
  - debian/patches/CVE-2015-3144.patch: check for valid length in
    lib/url.c.
  - CVE-2015-3144
* SECURITY UPDATE: cookie parser out of boundary memory access
  - debian/patches/CVE-2015-3145.patch: properly handle a single double
    quote in lib/cookie.c.
  - CVE-2015-3145
* SECURITY UPDATE: negotiate not treated as connection-oriented
  - debian/patches/CVE-2015-3148.patch: don't clear GSSAPI state between
    each exchange and close Negotiate connections when done in
    lib/http.c, lib/http_negotiate.c, lib/http_negotiate_sspi.c.
  - CVE-2015-3148
* SECURITY UPDATE: sensitive HTTP server headers disclosure to proxies
  - debian/patches/CVE-2015-3153.patch: make HTTP headers separated in
    docs/libcurl/opts/CURLOPT_HEADEROPT.3, lib/url.c,
    tests/data/test1527, tests/data/test287, tests/libtest/lib1527.c.
  - CVE-2015-3153

Author: Marc Deslauriers
Revision Date: 2015-01-14 16:46:45 UTC

* SECURITY UPDATE: URL request injection
  - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
    lib/url.c.
  - CVE-2014-8150

Author: Marc Deslauriers
Revision Date: 2015-01-14 16:46:45 UTC

* SECURITY UPDATE: URL request injection
  - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
    lib/url.c.
  - CVE-2014-8150

Author: Marc Deslauriers
Revision Date: 2015-01-14 07:57:00 UTC

* SECURITY UPDATE: URL request injection
  - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
    lib/url.c, added test to tests/data/Makefile.am, tests/data/test1529,
    tests/libtest/Makefile.inc, tests/libtest/lib1529.c.
  - CVE-2014-8150

Author: Marc Deslauriers
Revision Date: 2015-01-14 07:57:00 UTC

* SECURITY UPDATE: URL request injection
  - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
    lib/url.c, added test to tests/data/Makefile.am, tests/data/test1529,
    tests/libtest/Makefile.inc, tests/libtest/lib1529.c.
  - CVE-2014-8150

Author: Brian Murray
Revision Date: 2014-10-02 13:26:57 UTC

debian/patches/09_fix-timeout-in-poll-and-wait.patch: apply upstream
commit fixing timeout return value for curl_poll and curl_wait_ms.
Thanks to Grzegorz Gutowski for finding the patch. (LP: #1375663)

Author: Brian Murray
Revision Date: 2014-10-02 13:26:57 UTC

debian/patches/09_fix-timeout-in-poll-and-wait.patch: apply upstream
commit fixing timeout return value for curl_poll and curl_wait_ms.
Thanks to Grzegorz Gutowski for finding the patch. (LP: #1375663)

Author: Marc Deslauriers
Revision Date: 2014-04-01 10:16:55 UTC

* SECURITY UPDATE: wrong re-use of connections
  - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
    HTTP logic, and extend new connection logic to other protocols in
    lib/http.c, lib/url.c, lib/urldata.h, add new tests to
    tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
  - CVE-2014-0138
* SECURITY UPDATE: incorrect wildcard SSL certificate validation with
  literal IP addresses
  - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
    lib/hostcheck.c, added tests to tests/data/Makefile.am,
    tests/data/test1397, tests/unit/Makefile.inc, tests/unit/unit1397.c.
  - CVE-2014-0139
* debian/patches/fix_test172.path: fix expired cookie causing test to
  fail.

Author: Marc Deslauriers
Revision Date: 2014-04-01 10:16:55 UTC

* SECURITY UPDATE: wrong re-use of connections
  - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
    HTTP logic, and extend new connection logic to other protocols in
    lib/http.c, lib/url.c, lib/urldata.h, add new tests to
    tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
  - CVE-2014-0138
* SECURITY UPDATE: incorrect wildcard SSL certificate validation with
  literal IP addresses
  - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
    lib/hostcheck.c, added tests to tests/data/Makefile.am,
    tests/data/test1397, tests/unit/Makefile.inc, tests/unit/unit1397.c.
  - CVE-2014-0139
* debian/patches/fix_test172.path: fix expired cookie causing test to
  fail.

Author: Marc Deslauriers
Revision Date: 2014-04-01 09:59:44 UTC

* SECURITY UPDATE: wrong re-use of connections
  - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
    HTTP logic, and extend new connection logic to other protocols in
    lib/http.c, lib/url.c, lib/urldata.h, add new tests to
    tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
  - CVE-2014-0138
* SECURITY UPDATE: incorrect wildcard SSL certificate validation with
  literal IP addresses
  - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
    lib/ssluse.c.
  - CVE-2014-0139
* debian/patches/fix_test172.path: fix expired cookie causing test to
  fail.
* debian/patches/disable_test519.path: disable test 519 as security
  update causes it to hang. Fixing this would require backporting new
  logic into tests/server/sws.c.

Author: Marc Deslauriers
Revision Date: 2014-04-01 09:59:44 UTC

* SECURITY UPDATE: wrong re-use of connections
  - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
    HTTP logic, and extend new connection logic to other protocols in
    lib/http.c, lib/url.c, lib/urldata.h, add new tests to
    tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
  - CVE-2014-0138
* SECURITY UPDATE: incorrect wildcard SSL certificate validation with
  literal IP addresses
  - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
    lib/ssluse.c.
  - CVE-2014-0139
* debian/patches/fix_test172.path: fix expired cookie causing test to
  fail.
* debian/patches/disable_test519.path: disable test 519 as security
  update causes it to hang. Fixing this would require backporting new
  logic into tests/server/sws.c.

Author: Marc Deslauriers
Revision Date: 2014-04-01 09:25:23 UTC

* SECURITY UPDATE: wrong re-use of connections
  - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
    HTTP logic, and extend new connection logic to other protocols in
    lib/http.c, lib/url.c, lib/urldata.h, add new tests to
    tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
  - CVE-2014-0138
* SECURITY UPDATE: incorrect wildcard SSL certificate validation with
  literal IP addresses
  - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
    lib/hostcheck.c, added tests to tests/data/Makefile.am,
    tests/data/test1397, tests/unit/Makefile.inc, tests/unit/unit1397.c.
  - CVE-2014-0139
* debian/patches/fix_test172.path: fix expired cookie causing test to
  fail.

Author: Marc Deslauriers
Revision Date: 2014-04-01 09:25:23 UTC

* SECURITY UPDATE: wrong re-use of connections
  - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
    HTTP logic, and extend new connection logic to other protocols in
    lib/http.c, lib/url.c, lib/urldata.h, add new tests to
    tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
  - CVE-2014-0138
* SECURITY UPDATE: incorrect wildcard SSL certificate validation with
  literal IP addresses
  - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
    lib/hostcheck.c, added tests to tests/data/Makefile.am,
    tests/data/test1397, tests/unit/Makefile.inc, tests/unit/unit1397.c.
  - CVE-2014-0139
* debian/patches/fix_test172.path: fix expired cookie causing test to
  fail.

Author: Marc Deslauriers
Revision Date: 2013-12-17 12:47:31 UTC

* SECURITY UPDATE: missing CN verification when signature verification is
  disabled in GnuTLS backend.
  - debian/patches/CVE-2013-6422.patch: still verify host when
    CURLOPT_SSL_VERIFYPEER isn't set in lib/gtls.c.
  - CVE-2013-6422

Author: Marc Deslauriers
Revision Date: 2013-12-17 12:47:31 UTC

* SECURITY UPDATE: missing CN verification when signature verification is
  disabled in GnuTLS backend.
  - debian/patches/CVE-2013-6422.patch: still verify host when
    CURLOPT_SSL_VERIFYPEER isn't set in lib/gtls.c.
  - CVE-2013-6422

Author: Merge-o-Matic
Revision Date: 2013-08-12 15:39:32 UTC

* Merge from Debian unstable. Remaining changes:
  - Drop dependencies not in main:
    + Build-Depends: Drop stunnel4 and libssh2-1-dev.
    + Drop libssh2-1-dev from binary package Depends.
  - Add new libcurl3-udeb package.
  - Add new curl-udeb package.
* Fixes freeipa-client join. (LP: #1220928)

Author: Dave Chiluk
Revision Date: 2013-08-21 13:09:13 UTC

Reset timecond when clearing session-info variables (LP: #1179781)
This fixes CURLINFO_CONDITION_UNMET incorrectly reporting "1"

Author: Dave Chiluk
Revision Date: 2013-08-23 14:58:40 UTC

Reset timecond when clearing session-info variables (LP: #1179781)
This fixes CURLINFO_CONDITION_UNMET incorrectly reporting "1"

Author: Dave Chiluk
Revision Date: 2013-08-23 16:05:09 UTC

Reset timecond when clearing session-info variables (LP: #1179781)
This fixes CURLINFO_CONDITION_UNMET incorrectly reporting "1"

Author: Merge-o-Matic
Revision Date: 2013-08-12 15:39:32 UTC

* Merge from Debian unstable. Remaining changes:
  - Drop dependencies not in main:
    + Build-Depends: Drop stunnel4 and libssh2-1-dev.
    + Drop libssh2-1-dev from binary package Depends.
  - Add new libcurl3-udeb package.
  - Add new curl-udeb package.
* Fixes freeipa-client join. (LP: #1220928)

Author: Luke Yelavich
Revision Date: 2013-07-24 02:10:13 UTC

Merge branch lp:~obounaim/ubuntu/saucy/curl/merge-from-debian

Author: Seth Arnold
Revision Date: 2013-04-11 14:11:37 UTC

* SECURITY UPDATE: Incorrect cookie domain handling in tailmatch()
  - debian/patches/curl-tailmatch.patch: enforce strict subdomain match
    when sending cookies. Patch from YAMADA Yasuharu.
  - http://curl.haxx.se/curl-tailmatch.patch
  - CVE-2013-1944

Author: Seth Arnold
Revision Date: 2013-04-11 14:11:37 UTC

* SECURITY UPDATE: Incorrect cookie domain handling in tailmatch()
  - debian/patches/curl-tailmatch.patch: enforce strict subdomain match
    when sending cookies. Patch from YAMADA Yasuharu.
  - http://curl.haxx.se/curl-tailmatch.patch
  - CVE-2013-1944

Author: Seth Arnold
Revision Date: 2013-04-11 13:55:41 UTC

* SECURITY UPDATE: Incorrect cookie domain handling in tailmatch()
  - debian/patches/curl-tailmatch.patch: enforce strict subdomain match
    when sending cookies. Patch from YAMADA Yasuharu.
  - http://curl.haxx.se/curl-tailmatch.patch
  - CVE-2013-1944

Author: Seth Arnold
Revision Date: 2013-04-11 13:55:41 UTC

* SECURITY UPDATE: Incorrect cookie domain handling in tailmatch()
  - debian/patches/curl-tailmatch.patch: enforce strict subdomain match
    when sending cookies. Patch from YAMADA Yasuharu.
  - http://curl.haxx.se/curl-tailmatch.patch
  - CVE-2013-1944

Author: Seth Arnold
Revision Date: 2013-04-10 15:16:17 UTC

* SECURITY UPDATE: Incorrect cookie domain handling in tailmatch()
  - debian/patches/09_curl-tailmatch.patch: enforce strict subdomain match
    when sending cookies. Patch from YAMADA Yasuharu.
  - http://curl.haxx.se/curl-tailmatch.patch
  - CVE-2013-1944

Author: Matt Fischer
Revision Date: 2012-12-10 03:25:44 UTC

initial merge

Author: Colin Watson
Revision Date: 2012-08-20 13:54:01 UTC

* Resynchronise with Debian. Remaining changes:
  - Drop dependencies not in main:
    + Build-Depends: Drop stunnel4 and libssh2-1-dev.
    + Drop libssh2-1-dev from binary package Depends.
  - Add new libcurl3-udeb package.
  - Add new curl-udeb package.

Author: Andres Rodriguez
Revision Date: 2012-03-22 18:40:30 UTC

debian/control: Add missing Depends on libcrypto1.0.0-udeb.

Author: Marc Deslauriers
Revision Date: 2012-01-24 08:29:10 UTC

* SECURITY UPDATE: URL sanitization vulnerability
  - debian/patches/CVE-2012-0036.patch: reject URLs with embedded control
    codes in lib/{escape.h,escape.c,imap.c,pop3.c,smtp.c}.
  - CVE-2012-0036

Author: Marc Deslauriers
Revision Date: 2012-01-24 08:29:10 UTC

* SECURITY UPDATE: URL sanitization vulnerability
  - debian/patches/CVE-2012-0036.patch: reject URLs with embedded control
    codes in lib/{escape.h,escape.c,imap.c,pop3.c,smtp.c}.
  - CVE-2012-0036

Author: Marc Deslauriers
Revision Date: 2012-01-24 08:28:19 UTC

* SECURITY UPDATE: URL sanitization vulnerability
  - debian/patches/CVE-2012-0036.patch: reject URLs with embedded control
    codes in lib/{escape.h,escape.c,imap.c,pop3.c,smtp.c}.
  - CVE-2012-0036

Author: Marc Deslauriers
Revision Date: 2012-01-24 08:28:19 UTC

* SECURITY UPDATE: URL sanitization vulnerability
  - debian/patches/CVE-2012-0036.patch: reject URLs with embedded control
    codes in lib/{escape.h,escape.c,imap.c,pop3.c,smtp.c}.
  - CVE-2012-0036

Author: James Page
Revision Date: 2011-09-14 17:31:37 UTC

[ James Page, Colin Watson ]
Add new libcurl3-udeb package, stripped down for use during installation
(LP: #831496).

Author: Colin Watson
Revision Date: 2011-09-15 18:12:40 UTC

We don't need a *-minimal-* package stack at build time; a udeb is enough.

Author: James Page
Revision Date: 2011-09-15 09:20:02 UTC

Fixed typo

Author: Steve Beattie
Revision Date: 2011-06-24 11:36:02 UTC

debian/patches/timeout_bug_736216: cherry pick upstream
git revision d4e000906ac4ef243258a5c9a819a7cde247d16a to fix
handshake timeout bug (LP: #736216). Thanks to Sidnei da Silva
and Michael Vogt

Author: Steve Langasek
Revision Date: 2011-04-11 22:54:53 UTC

Build for multiarch.

Author: Artur Rona
Revision Date: 2011-01-26 02:50:18 UTC

* Merge from debian unstable. Remaining changes: (LP: #707756)
  - debian/control:
    + Build-Depends: Replace libssh2-1-dev with openssh-server.
      Drop stunnel since it's in universe, as well.
    + Drop libssh2-1-dev from libcurl4-openssl-dev's Depends.
    Above changes are necessary to be independent from the universe.

Author: Marc Deslauriers
Revision Date: 2009-03-03 19:58:20 UTC

* SECURITY UPDATE: add fix for CVE-2009-0037 back in
  - debian/patches/security_CVE-2009-0037.patch: updated patch to add missing
    section to lib/easy.c
  - CVE-2009-0037

Author: Nick Ellery
Revision Date: 2008-10-10 23:32:54 UTC

Added Recommends: on ca-certificate for curl package (LP: #152781).

Author: Matthias Klose
Revision Date: 2008-02-08 13:24:07 UTC

Use automake-1.9, as used by upstream.

Author: Matthias Klose
Revision Date: 2007-08-09 09:16:47 UTC

* Merge with Debian; remaining changes:
  - Drop the stunnel build dependency.

Author: Matthias Klose
Revision Date: 2007-03-05 01:14:05 UTC

* Rebuild for changes in the amd64 toolchain.
* Set Ubuntu maintainer address.

Author: Martin Pitt
Revision Date: 2006-07-04 15:23:50 UTC

Bump libgnutls-dev dependency to >= 1.4 to build against gnutls13.

Author: Martin Pitt
Revision Date: 2006-03-16 11:30:25 UTC

* SECURITY UPDATE: Arbitrary remote code execution with long tftp:// URLs.
* lib/tftp.c: Fix unbounded sprintf() to avoid buffer overflow. Thanks to
  Ulf Harnhammar for discovering this.
* CVE-2006-1061

Author: Matthias Klose
Revision Date: 2005-07-26 19:03:01 UTC

Synchronize with Debian.

Author: LaMont Jones
Revision Date: 2005-03-23 18:41:29 UTC

Fix the version numbers internal to debian/rules. Closes; #8088

Author: Domenico Andreoli
Revision Date: 2004-06-04 19:09:25 UTC

* Reverted to version 7.11.2 (closes: #252348).
* Disabled support for libidn (closes: #252367). This is to leave
  curl in unstable as much similar as possible to the one in testing.

Author: Kees Cook
Revision Date: 2009-12-12 04:16:18 UTC

releasing version 7.19.7-1ubuntu1

Author: Kees Cook
Revision Date: 2009-12-12 04:16:18 UTC

releasing version 7.19.7-1ubuntu1

Author: Bhavani Shankar
Revision Date: 2010-06-20 13:56:28 UTC

* Merge from debian unstable. Remaining changes: LP: #596334
  - Keep build deps in main:
    - Drop build dependencies: stunnel, libssh2-1-dev
    - Add build-dependency on openssh-server
    - Drop libssh2-1-dev from libcurl4-openssl-dev's Depends.

Author: Kees Cook
Revision Date: 2009-12-11 19:33:21 UTC

* Merge with Debian testing. Remaining changes:
  - Keep build deps in main:
    - Drop build dependencies: stunnel, libdb4.6-dev, libssh2-1-dev
    - Add build-dependency on openssh-server
    - Drop libssh2-1-dev from libcurl4-openssl-dev's Depends.

Author: Kees Cook
Revision Date: 2009-08-13 09:08:28 UTC

* SECURITY UPDATE: SSL cert hostname checking bypass with NULL byte.
  - add debian/patches/cert-null-cn.patch: backported upstream changes.
  - CVE-2009-2417

Author: Kees Cook
Revision Date: 2009-08-13 09:08:28 UTC

* SECURITY UPDATE: SSL cert hostname checking bypass with NULL byte.
  - add debian/patches/cert-null-cn.patch: backported upstream changes.
  - CVE-2009-2417

Author: Kees Cook
Revision Date: 2009-08-13 14:32:50 UTC

* SECURITY UPDATE: SSL cert hostname checking bypass with NULL byte.
  - add debian/patches/cert-null-cn: backported upstream changes.
  - CVE-2009-2417

Author: Kees Cook
Revision Date: 2009-08-13 09:14:00 UTC

* SECURITY UPDATE: SSL cert hostname checking bypass with NULL byte.
  - lib/ssluse.c: backported upstream changes, applied inline.
  - CVE-2009-2417

Author: Kees Cook
Revision Date: 2009-08-13 09:14:00 UTC

* SECURITY UPDATE: SSL cert hostname checking bypass with NULL byte.
  - lib/ssluse.c: backported upstream changes, applied inline.
  - CVE-2009-2417

Author: Kees Cook
Revision Date: 2009-08-13 09:12:09 UTC

* SECURITY UPDATE: SSL cert hostname checking bypass with NULL byte.
  - add debian/patches/cert-null-cn: backported upstream changes.
  - CVE-2009-2417

Author: Kees Cook
Revision Date: 2009-08-13 09:12:09 UTC

* SECURITY UPDATE: SSL cert hostname checking bypass with NULL byte.
  - add debian/patches/cert-null-cn: backported upstream changes.
  - CVE-2009-2417

Author: Marc Deslauriers
Revision Date: 2009-02-26 15:38:56 UTC

* SECURITY UPDATE: Local file exposure via redirect
  - debian/patches/security-CVE-2009-0037.patch: add logic to
    include/curl/curl.h, lib/{easy,url}.c and lib/urldata.h to limit what
    protocols curl will automatically follow via a redirect. By default, it
    now follows all protocols except FILE and SCP.
  - CVE-2009-0037

Author: Marc Deslauriers
Revision Date: 2009-02-26 15:38:56 UTC

* SECURITY UPDATE: Local file exposure via redirect
  - debian/patches/security-CVE-2009-0037.patch: add logic to
    include/curl/curl.h, lib/{easy,url}.c and lib/urldata.h to limit what
    protocols curl will automatically follow via a redirect. By default, it
    now follows all protocols except FILE and SCP.
  - CVE-2009-0037

Author: Kees Cook
Revision Date: 2007-06-27 12:16:00 UTC

lib/gtls.c: actually perform expiration and activation verifications
(CVE-2007-3564).

Author: Kees Cook
Revision Date: 2007-06-27 12:16:00 UTC

lib/gtls.c: actually perform expiration and activation verifications
(CVE-2007-3564).

Author: Kees Cook
Revision Date: 2007-06-27 12:16:00 UTC

lib/gtls.c: actually perform expiration and activation verifications
(CVE-2007-3564).

Author: Cody A.W. Somerville
Revision Date: 2006-11-27 07:12:42 UTC

* lib/multi.c: Upstream patch to fix segmentation fault.
 (Closes Ubuntu: #68074, SRU bug #73447).
* Reference: http://sourceforge.net/support/tracker.php?aid=1523466.

Author: Kees Cook
Revision Date: 2007-06-27 12:16:00 UTC

lib/gtls.c: actually perform expiration and activation verifications
(CVE-2007-3564).

Author: Gustavo Niemeyer
Revision Date: 2007-09-11 12:21:00 UTC

Fix POST corruption when using gnutls (LP: #137849).

Author: Martin Pitt
Revision Date: 2005-12-12 14:01:23 UTC

* SECURITY UPDATE:
* lib/url.c: Allocate two extra bytes for short URL string to allow room for
  extra slash and 0 terminator.
* CVE-2005-4077

Author: Martin Pitt
Revision Date: 2005-12-12 17:48:09 UTC

debian/rules: Bump libcurl2 version.

Author: Martin Pitt
Revision Date: 2005-12-12 14:22:32 UTC

* SECURITY UPDATE: Local arbitrary code execution.
* lib/url.c: Allocate two extra bytes for short URL string to allow room for
  extra slash and 0 terminator.
* CVE-2005-4077