Created by James Westby on 2011-06-24 and last modified on 2015-01-14
Get this branch:
bzr branch lp:ubuntu/lucid-updates/curl
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Ubuntu branches
Review team:
Ubuntu Development Team

Recent revisions

51. By Marc Deslauriers on 2015-01-14

* SECURITY UPDATE: URL request injection
  - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
  - CVE-2014-8150

50. By Marc Deslauriers on 2014-11-06

* SECURITY UPDATE: sensitive data disclosure via duphandle read out of
  - debian/patches/CVE-2014-3707.patch: properly copy memory aread in
    lib/formdata.c, lib/strdup.{c,h}, lib/url.c, lib/urldata.h,
  - CVE-2014-3707

49. By Marc Deslauriers on 2014-09-12

* SECURITY UPDATE: incorrect cookie handling via partial literal IP
  - debian/patches/CVE-2014-3613.patch: only use full host matches for
    hosts used as IP address in lib/cookie.c, added tests to
    tests/data/test1105, tests/data/test31, tests/data/test8.
  - CVE-2014-3613
* debian/patches/disable_test519.path: disable test 519 as previous
  security update causes it to hang.
* debian/patches/versioned: added Curl_* so test suite works during

48. By Marc Deslauriers on 2014-04-14

* SECURITY UPDATE: wrong re-use of connections
  - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
    HTTP logic, and extend new connection logic to other protocols in
    lib/http.c, lib/url.c, lib/urldata.h, add new tests to
    tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
  - CVE-2014-0138
* SECURITY UPDATE: incorrect wildcard SSL certificate validation with
  literal IP addresses
  - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
  - CVE-2014-0139
* debian/patches/fix_test172.path: fix expired cookie causing test to
* debian/patches/disable_test519.path: disable test 519 as security
  update causes it to hang. Fixing this would require backporting new
  logic into tests/server/sws.c.

47. By Marc Deslauriers on 2014-01-31

* SECURITY UPDATE: information disclosure via incorrect NTLM credential
  - debian/patches/CVE-2014-0015.patch: don't reuse connections if NTLM
    auth is used in lib/url.c.
  - CVE-2014-0015

46. By Marc Deslauriers on 2013-12-06

* SECURITY REGRESSION: can't disable cert checking in command line tool
  (LP: #1258366)
  - debian/patches/CVE-2013-4545.patch: properly disable host
    verification when insecure mode is used in src/main.c.
  - CVE-2013-4545

45. By Marc Deslauriers on 2013-11-29

* SECURITY UPDATE: missing CN verification when signature verification is
  - debian/patches/CVE-2013-4545.patch: still verify host when
    CURLOPT_SSL_VERIFYPEER isn't set in lib/ssluse.c.
  - CVE-2013-4545

44. By Marc Deslauriers on 2013-06-27

* SECURITY UPDATE: denial of service and possible code execution via
  heap overflow in URL decoder
  - debian/patches/CVE-2013-2174.patch: fix overflow in lib/escape.c.
  - CVE-2013-2174

43. By Seth Arnold on 2013-04-11

* SECURITY UPDATE: Incorrect cookie domain handling in tailmatch()
  - debian/patches/curl-tailmatch.patch: enforce strict subdomain match
    when sending cookies. Patch from YAMADA Yasuharu.
  - http://curl.haxx.se/curl-tailmatch.patch
  - CVE-2013-1944

42. By Steve Beattie on 2011-06-08

* SECURITY UPDATE: libcurl unconditional credential delegation during
  GSSAPI authentication vulnerability.
  - debian/patches/0001-Curl_input_negotiate-do-not-delegate-credentials.patch:
    do not delegate credentials when doing GSSAPI authentication
  - CVE-2011-2192
* SECURITY UPDATE: libcurl zlib automatic decompression callback
  data buffer overflow
  - debian/patches/libcurl-contentencoding.patch: restrict amount of
    callback data sent to an application
  - CVE-2010-0734

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
This branch contains Public information 
Everyone can see this information.