lp:ubuntu/precise-updates/curl
- Get this branch:
- bzr branch lp:ubuntu/precise-updates/curl
Branch merges
Branch information
Recent revisions
- 69. By Marc Deslauriers
-
* SECURITY UPDATE: NTLM connection reuse when unauthenticated
- debian/patches/ CVE-2015- 3143.patch: require credentials to match in
lib/url.c.
- CVE-2015-3143
* SECURITY UPDATE: negotiate not treated as connection-oriented
- debian/patches/ CVE-2015- 3148.patch: don't clear GSSAPI state between
each exchange and close Negotiate connections when done in
lib/http.c, lib/http_negotiate. c, lib/http_ negotiate_ sspi.c.
- CVE-2015-3148 - 68. By Marc Deslauriers
-
* SECURITY UPDATE: URL request injection
- debian/patches/ CVE-2014- 8150.patch: drop bad chars from URL in
lib/url.c.
- CVE-2014-8150 - 67. By Marc Deslauriers
-
* SECURITY UPDATE: sensitive data disclosure via duphandle read out of
bounds
- debian/patches/ CVE-2014- 3707.patch: properly copy memory aread in
lib/formdata.c, lib/strdup.{c,h}, lib/url.c, lib/urldata.h,
src/Makefile. inc.
- CVE-2014-3707 - 66. By Marc Deslauriers
-
* SECURITY UPDATE: incorrect cookie handling via partial literal IP
addresses
- debian/patches/ CVE-2014- 3613.patch: only use full host matches for
hosts used as IP address in lib/cookie.c, added tests to
tests/data/test1105, tests/data/test31, tests/data/test8.
- CVE-2014-3613 - 65. By Marc Deslauriers
-
* SECURITY UPDATE: wrong re-use of connections
- debian/patches/ CVE-2014- 0138.patch: fix possible issues with NTLM
HTTP logic, and extend new connection logic to other protocols in
lib/http.c, lib/url.c, lib/urldata.h, add new tests to
tests/data/Makefile. am, tests/data/ test1418, tests/data/ test1419.
- CVE-2014-0138
* SECURITY UPDATE: incorrect wildcard SSL certificate validation with
literal IP addresses
- debian/patches/ CVE-2014- 0139.patch: fix wildcard logic in
lib/ssluse.c.
- CVE-2014-0139
* debian/patches/ fix_test172. path: fix expired cookie causing test to
fail.
* debian/patches/ disable_ test519. path: disable test 519 as security
update causes it to hang. Fixing this would require backporting new
logic into tests/server/sws.c. - 64. By Marc Deslauriers
-
* SECURITY UPDATE: information disclosure via incorrect NTLM credential
reuse
- debian/patches/ CVE-2014- 0015.patch: don't reuse connections if NTLM
auth is used in lib/url.c.
- CVE-2014-0015 - 63. By Marc Deslauriers
-
* SECURITY UPDATE: missing CN verification when signature verification is
disabled in GnuTLS backend.
- debian/patches/ CVE-2013- 6422.patch: still verify host when
CURLOPT_SSL_VERIFYPEER isn't set in lib/gtls.c.
- CVE-2013-6422 - 62. By Marc Deslauriers
-
* SECURITY REGRESSION: can't disable cert checking in command line tool
(LP: #1258366)
- debian/patches/ CVE-2013- 4545.patch: properly disable host
verification when insecure mode is used in src/main.c.
- CVE-2013-4545 - 61. By Marc Deslauriers
-
* SECURITY UPDATE: missing CN verification when signature verification is
disabled.
- debian/patches/ CVE-2013- 4545.patch: still verify host when
CURLOPT_SSL_VERIFYPEER isn't set in lib/ssluse.c.
- CVE-2013-4545 - 60. By Marc Deslauriers
-
* SECURITY UPDATE: denial of service and possible code execution via
heap overflow in URL decoder
- debian/patches/ CVE-2013- 2174.patch: fix overflow in lib/escape.c,
added tests to tests/data/Makefile. am, tests/data/ test1396,
tests/unit/Makefile. inc, tests/unit/ unit1396. c.
- CVE-2013-2174
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/raring/curl