lp:ubuntu/quantal-security/curl

Created by Ubuntu Package Importer on 2013-02-21 and last modified on 2014-04-01
Get this branch:
bzr branch lp:ubuntu/quantal-security/curl
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

70. By Marc Deslauriers on 2014-04-01

* SECURITY UPDATE: wrong re-use of connections
  - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
    HTTP logic, and extend new connection logic to other protocols in
    lib/http.c, lib/url.c, lib/urldata.h, add new tests to
    tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
  - CVE-2014-0138
* SECURITY UPDATE: incorrect wildcard SSL certificate validation with
  literal IP addresses
  - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
    lib/ssluse.c.
  - CVE-2014-0139
* debian/patches/fix_test172.path: fix expired cookie causing test to
  fail.
* debian/patches/disable_test519.path: disable test 519 as security
  update causes it to hang. Fixing this would require backporting new
  logic into tests/server/sws.c.

69. By Marc Deslauriers on 2014-01-31

* SECURITY UPDATE: information disclosure via incorrect NTLM credential
  reuse
  - debian/patches/CVE-2014-0015.patch: don't reuse connections if NTLM
    auth is used in lib/url.c.
  - CVE-2014-0015

68. By Marc Deslauriers on 2013-12-17

* SECURITY UPDATE: missing CN verification when signature verification is
  disabled in GnuTLS backend.
  - debian/patches/CVE-2013-6422.patch: still verify host when
    CURLOPT_SSL_VERIFYPEER isn't set in lib/gtls.c.
  - CVE-2013-6422

67. By Marc Deslauriers on 2013-12-06

* SECURITY REGRESSION: can't disable cert checking in command line tool
  (LP: #1258366)
  - debian/patches/CVE-2013-4545.patch: properly disable host
    verification when insecure mode is used in src/tool_operate.c.
  - CVE-2013-4545

66. By Marc Deslauriers on 2013-11-29

* SECURITY UPDATE: missing CN verification when signature verification is
  disabled.
  - debian/patches/CVE-2013-4545.patch: still verify host when
    CURLOPT_SSL_VERIFYPEER isn't set in lib/ssluse.c.
  - CVE-2013-4545

65. By Marc Deslauriers on 2013-06-27

* SECURITY UPDATE: denial of service and possible code execution via
  heap overflow in URL decoder
  - debian/patches/CVE-2013-2174.patch: fix overflow in lib/escape.c,
    added tests to tests/data/Makefile.am, tests/data/test1396,
    tests/unit/Makefile.inc, tests/unit/unit1396.c.
  - CVE-2013-2174

64. By Seth Arnold on 2013-04-10

* SECURITY UPDATE: Incorrect cookie domain handling in tailmatch()
  - debian/patches/05_curl-tailmatch.patch: enforce strict subdomain match
    when sending cookies. Patch from YAMADA Yasuharu.
  - http://curl.haxx.se/curl-tailmatch.patch
  - CVE-2013-1944

63. By Marc Deslauriers on 2013-02-12

* SECURITY UPDATE: arbitrary code execution via sasl buffer overflow
  - debian/patches/CVE-2013-0249.patch: properly limit lengths in
    lib/curl_sasl.c.
  - CVE-2013-0249

62. By Colin Watson on 2012-08-20

* Resynchronise with Debian. Remaining changes:
  - Drop dependencies not in main:
    + Build-Depends: Drop stunnel4 and libssh2-1-dev.
    + Drop libssh2-1-dev from binary package Depends.
  - Add new libcurl3-udeb package.
  - Add new curl-udeb package.

61. By Colin Watson on 2012-05-28

* Resynchronise with Debian. Remaining changes:
  - Drop dependencies not in main:
    + Build-Depends: Drop stunnel4 and libssh2-1-dev.
    + Drop libssh2-1-dev from binary package Depends.
  - Add new libcurl3-udeb package.
  - Add new curl-udeb package.
* Adjust udeb configure flags handling to something easier to merge in
  future.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/raring/curl
This branch contains Public information 
Everyone can see this information.

Subscribers