lp:ubuntu/precise-updates/curl

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

69. By Marc Deslauriers on 2015-04-29

* SECURITY UPDATE: NTLM connection reuse when unauthenticated
  - debian/patches/CVE-2015-3143.patch: require credentials to match in
    lib/url.c.
  - CVE-2015-3143
* SECURITY UPDATE: negotiate not treated as connection-oriented
  - debian/patches/CVE-2015-3148.patch: don't clear GSSAPI state between
    each exchange and close Negotiate connections when done in
    lib/http.c, lib/http_negotiate.c, lib/http_negotiate_sspi.c.
  - CVE-2015-3148

68. By Marc Deslauriers on 2015-01-14

* SECURITY UPDATE: URL request injection
  - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
    lib/url.c.
  - CVE-2014-8150

67. By Marc Deslauriers on 2014-11-06

* SECURITY UPDATE: sensitive data disclosure via duphandle read out of
  bounds
  - debian/patches/CVE-2014-3707.patch: properly copy memory aread in
    lib/formdata.c, lib/strdup.{c,h}, lib/url.c, lib/urldata.h,
    src/Makefile.inc.
  - CVE-2014-3707

66. By Marc Deslauriers on 2014-09-12

* SECURITY UPDATE: incorrect cookie handling via partial literal IP
  addresses
  - debian/patches/CVE-2014-3613.patch: only use full host matches for
    hosts used as IP address in lib/cookie.c, added tests to
    tests/data/test1105, tests/data/test31, tests/data/test8.
  - CVE-2014-3613

65. By Marc Deslauriers on 2014-04-01

* SECURITY UPDATE: wrong re-use of connections
  - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
    HTTP logic, and extend new connection logic to other protocols in
    lib/http.c, lib/url.c, lib/urldata.h, add new tests to
    tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
  - CVE-2014-0138
* SECURITY UPDATE: incorrect wildcard SSL certificate validation with
  literal IP addresses
  - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
    lib/ssluse.c.
  - CVE-2014-0139
* debian/patches/fix_test172.path: fix expired cookie causing test to
  fail.
* debian/patches/disable_test519.path: disable test 519 as security
  update causes it to hang. Fixing this would require backporting new
  logic into tests/server/sws.c.

64. By Marc Deslauriers on 2014-01-31

* SECURITY UPDATE: information disclosure via incorrect NTLM credential
  reuse
  - debian/patches/CVE-2014-0015.patch: don't reuse connections if NTLM
    auth is used in lib/url.c.
  - CVE-2014-0015

63. By Marc Deslauriers on 2013-12-17

* SECURITY UPDATE: missing CN verification when signature verification is
  disabled in GnuTLS backend.
  - debian/patches/CVE-2013-6422.patch: still verify host when
    CURLOPT_SSL_VERIFYPEER isn't set in lib/gtls.c.
  - CVE-2013-6422

62. By Marc Deslauriers on 2013-12-06

* SECURITY REGRESSION: can't disable cert checking in command line tool
  (LP: #1258366)
  - debian/patches/CVE-2013-4545.patch: properly disable host
    verification when insecure mode is used in src/main.c.
  - CVE-2013-4545

61. By Marc Deslauriers on 2013-11-29

* SECURITY UPDATE: missing CN verification when signature verification is
  disabled.
  - debian/patches/CVE-2013-4545.patch: still verify host when
    CURLOPT_SSL_VERIFYPEER isn't set in lib/ssluse.c.
  - CVE-2013-4545

60. By Marc Deslauriers on 2013-06-27

* SECURITY UPDATE: denial of service and possible code execution via
  heap overflow in URL decoder
  - debian/patches/CVE-2013-2174.patch: fix overflow in lib/escape.c,
    added tests to tests/data/Makefile.am, tests/data/test1396,
    tests/unit/Makefile.inc, tests/unit/unit1396.c.
  - CVE-2013-2174