lp:ubuntu/saucy-security/curl

Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp:ubuntu/saucy-security/curl

Branch information

Owner: Ubuntu branches
Review team: Ubuntu Development Team
Status: Mature

Recent revisions

76. By Marc Deslauriers

* SECURITY UPDATE: wrong re-use of connections
  - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
    HTTP logic, and extend new connection logic to other protocols in
    lib/http.c, lib/url.c, lib/urldata.h, add new tests to
    tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
  - CVE-2014-0138
* SECURITY UPDATE: incorrect wildcard SSL certificate validation with
  literal IP addresses
  - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
    lib/hostcheck.c, added tests to tests/data/Makefile.am,
    tests/data/test1397, tests/unit/Makefile.inc, tests/unit/unit1397.c.
  - CVE-2014-0139
* debian/patches/fix_test172.path: fix expired cookie causing test to
  fail.

75. By Marc Deslauriers

* SECURITY UPDATE: information disclosure via incorrect NTLM credential
  reuse
  - debian/patches/CVE-2014-0015.patch: don't reuse connections if NTLM
    auth is used in lib/url.c.
  - CVE-2014-0015

74. By Marc Deslauriers

* SECURITY UPDATE: missing CN verification when signature verification is
  disabled in GnuTLS backend.
  - debian/patches/CVE-2013-6422.patch: still verify host when
    CURLOPT_SSL_VERIFYPEER isn't set in lib/gtls.c.
  - CVE-2013-6422

73. By Marc Deslauriers

* SECURITY UPDATE: missing CN verification when signature verification is
  disabled.
  - debian/patches/CVE-2013-4545.patch: still verify host when
    CURLOPT_SSL_VERIFYPEER isn't set in lib/ssluse.c.
  - CVE-2013-4545

72. By Merge-o-Matic

* Merge from Debian unstable. Remaining changes:
  - Drop dependencies not in main:
    + Build-Depends: Drop stunnel4 and libssh2-1-dev.
    + Drop libssh2-1-dev from binary package Depends.
  - Add new libcurl3-udeb package.
  - Add new curl-udeb package.
* Fixes freeipa-client join. (LP: #1220928)

71. By oussama

* Merge from Debian, Remaining changes:
  - Drop dependencies not in main:
    + Build-Depends: Drop stunnel4 and libssh2-1-dev.
    + Drop libssh2-1-dev from binary package Depends.
  - Add new libcurl3-udeb package.
  - Add new curl-udeb package.

70. By Sebastien Bacher

* Resynchronize on Debian. Remaining changes:
  - Drop dependencies not in main:
    + Build-Depends: Drop stunnel4 and libssh2-1-dev.
    + Drop libssh2-1-dev from binary package Depends.
  - Add new libcurl3-udeb package.
  - Add new curl-udeb package.

69. By Sebastien Bacher

* Resynchronize on Debian. Remaining changes:
  - Drop dependencies not in main:
    + Build-Depends: Drop stunnel4 and libssh2-1-dev.
    + Drop libssh2-1-dev from binary package Depends.
  - Add new libcurl3-udeb package.
  - Add new curl-udeb package.
* Add warning to debian/patches/series.

68. By Seth Arnold

* SECURITY UPDATE: Incorrect cookie domain handling in tailmatch()
  - debian/patches/09_curl-tailmatch.patch: enforce strict subdomain match
    when sending cookies. Patch from YAMADA Yasuharu.
  - http://curl.haxx.se/curl-tailmatch.patch
  - CVE-2013-1944

67. By Barry Warsaw

debian/patches/08_lp1124508.patch: Backport fix for upstream bug 1194,
segfault in curl_multi_cleanup() when multi->closure_handle is NULL.
(LP: #1124508)

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:ubuntu/trusty/curl