ubuntu/+source/curl:applied/ubuntu/precise-updates

Last commit made on 2016-11-03
Get this branch:
git clone -b applied/ubuntu/precise-updates https://git.launchpad.net/ubuntu/+source/curl
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name: applied/ubuntu/precise-updates
Repository: lp:ubuntu/+source/curl

Recent commits

6feb9bb... by Marc Deslauriers on 2016-11-03

Import patches-applied version 7.22.0-3ubuntu4.17 to applied/ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: fd7a144ec90e701df6183187bc2511666ea3ef6d
Unapplied parent: 8d478b69d673f2d5b70941708aed7effd946ab45

New changelog entries:
  * SECURITY UPDATE: Incorrect reuse of client certificates with NSS
    - debian/patches/CVE-2016-7141.patch: refuse previously loaded
      certificate from file in lib/nss.c.
    - CVE-2016-7141
  * SECURITY UPDATE: curl escape and unescape integer overflows
    - debian/patches/CVE-2016-7167.patch: deny negative string length
      inputs in lib/escape.c.
    - CVE-2016-7167
  * SECURITY UPDATE: cookie injection for other servers
    - debian/patches/CVE-2016-8615.patch: ignore lines that are too long in
      lib/cookie.c.
    - CVE-2016-8615
  * SECURITY UPDATE: case insensitive password comparison
    - debian/patches/CVE-2016-8616.patch: use case sensitive user/password
      comparisons in lib/url.c.
    - CVE-2016-8616
  * SECURITY UPDATE: OOB write via unchecked multiplication
    - debian/patches/CVE-2016-8617.patch: check for integer overflow on
      large input in lib/base64.c.
    - CVE-2016-8617
  * SECURITY UPDATE: double-free in curl_maprintf
    - debian/patches/CVE-2016-8618.patch: detect wrap-around when growing
      allocation in lib/mprintf.c.
    - CVE-2016-8618
  * SECURITY UPDATE: double-free in krb5 code
    - debian/patches/CVE-2016-8619.patch: avoid realloc in lib/security.c.
    - CVE-2016-8619
  * SECURITY UPDATE: curl_getdate read out of bounds
    - debian/patches/CVE-2016-8621.patch: handle cut off numbers better in
      lib/parsedate.c, added tests to tests/data/test517,
      tests/libtest/lib517.c.
    - CVE-2016-8621
  * SECURITY UPDATE: URL unescape heap overflow via integer truncation
    - debian/patches/CVE-2016-8622.patch: avoid integer overflow in
      lib/dict.c, lib/escape.c, update docs/libcurl/curl_easy_unescape.3.
    - CVE-2016-8622
  * SECURITY UPDATE: Use-after-free via shared cookies
    - debian/patches/CVE-2016-8623.patch: hold deep copies of all cookies
      in lib/cookie.c, lib/cookie.h, lib/http.c.
    - CVE-2016-8623
  * SECURITY UPDATE: invalid URL parsing with #
    - debian/patches/CVE-2016-8624.patch: accept # as end of host name in
      lib/url.c.
    - CVE-2016-8624

8d478b6... by Marc Deslauriers on 2016-11-03

Build with NSS.

Gbp-Pq: nss.

fe8057a... by Marc Deslauriers on 2016-11-03

Build with GnuTLS.

Gbp-Pq: gnutls.

095de23... by Marc Deslauriers on 2016-11-03

[PATCH] urlparse: accept '#' as end of host name

Gbp-Pq: CVE-2016-8624.patch.

a661333... by Marc Deslauriers on 2016-11-03

[PATCH] cookies: getlist() now holds deep copies of all cookies

Gbp-Pq: CVE-2016-8623.patch.

b2b5a80... by Marc Deslauriers on 2016-11-03

[PATCH] unescape: avoid integer overflow

Gbp-Pq: CVE-2016-8622.patch.

9783ee6... by Marc Deslauriers on 2016-11-03

[PATCH] parsedate: handle cut off numbers better

Gbp-Pq: CVE-2016-8621.patch.

7871342... by Marc Deslauriers on 2016-11-03

[PATCH] krb5: avoid realloc(0)

Gbp-Pq: CVE-2016-8619.patch.

7b367bc... by Marc Deslauriers on 2016-11-03

[PATCH] aprintf: detect wrap-around when growing allocation

Gbp-Pq: CVE-2016-8618.patch.

0c72c4e... by Marc Deslauriers on 2016-11-03

[PATCH] base64: check for integer overflow on large input

Gbp-Pq: CVE-2016-8617.patch.