ubuntu/+source/curl:ubuntu/artful-security

Last commit made on 2018-07-11
Get this branch:
git clone -b ubuntu/artful-security https://git.launchpad.net/ubuntu/+source/curl
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name: ubuntu/artful-security
Repository: lp:ubuntu/+source/curl

Recent commits

ef476be... by Marc Deslauriers on 2018-07-04

Import patches-unapplied version 7.55.1-1ubuntu2.6 to ubuntu/artful-security

Imported using git-ubuntu import.

Changelog parent: 12b3ad5049beecc88556ca1100eb1250ddec29b6

New changelog entries:
  * SECURITY UPDATE: SMTP send heap buffer overflow
    - debian/patches/CVE-2018-0500.patch: use the upload buffer size for
      scratch buffer malloc in lib/smtp.c.
    - CVE-2018-0500

12b3ad5... by Marc Deslauriers on 2018-05-08

Import patches-unapplied version 7.55.1-1ubuntu2.5 to ubuntu/artful-security

Imported using git-ubuntu import.

Changelog parent: ef71c54962ade6f736fa193aade60db914d7a59f

New changelog entries:
  * SECURITY UPDATE: FTP shutdown response buffer overflow
    - debian/patches/CVE-2018-1000300.patch: check data size in
      lib/pingpong.c.
    - CVE-2018-1000303
  * SECURITY UPDATE: RTSP bad headers buffer over-read
    - debian/patches/CVE-2018-1000301.patch: restore buffer pointer when
      bad response-line is parsed in lib/http.c.
    - CVE-2018-1000301

ef71c54... by Marc Deslauriers on 2018-03-14

Import patches-unapplied version 7.55.1-1ubuntu2.4 to ubuntu/artful-security

Imported using git-ubuntu import.

Changelog parent: 942c303e1dfb0015dacfc38aa393853620a8711b

New changelog entries:
  * SECURITY UPDATE: FTP path trickery leads to NIL byte OOB write
    - debian/patches/CVE-2018-1000120-pre.patch: URL decode path for dir
      listing in nocwd mode in lib/ftp.c, add test to tests/*.
    - debian/patches/CVE-2018-1000120.patch: reject path components with
      control codes in lib/ftp.c, add test to tests/*.
    - CVE-2018-1000120
  * SECURITY UPDATE: LDAP NULL pointer dereference
    - debian/patches/CVE-2018-1000121.patch: check ldap_get_attribute_ber()
      results for NULL before using in lib/openldap.c.
    - CVE-2018-1000121
  * SECURITY UPDATE: RTSP RTP buffer over-read
    - debian/patches/CVE-2018-1000122.patch: make sure excess reads don't
      go beyond buffer end in lib/transfer.c.
    - CVE-2018-1000122

942c303... by Leonidas S. Barbosa on 2018-01-29

Import patches-unapplied version 7.55.1-1ubuntu2.3 to ubuntu/artful-security

Imported using git-ubuntu import.

Changelog parent: 5def085e6fd4a3e977ff0a926ce5e505a1afe7d5

New changelog entries:
  * SECURITY UPDATE: Out of bounds read in code handling HTTP/2
    - debian/patches/CVE-2018-1000005.patch: fix incorrect
      trailer buffer size in lib/http2.c.
    - CVE-2018-1000005
  * SECURITY UPDATE: leak authentication data
    - debian/patches/CVE-2018-1000007.patch: prevent custom
      authorization headers in redirects in lib/http.c,
      lib/url.c, lib/urldata.h, tests/data/Makefile.in,
      tests/data/test317, tests/data/test318.
    - CVE-2018-1000007
  * Removing test that fails to check manpage after CVE-2018-1000007.

5def085... by Marc Deslauriers on 2017-11-28

Import patches-unapplied version 7.55.1-1ubuntu2.2 to ubuntu/artful-security

Imported using git-ubuntu import.

Changelog parent: 1b4bc566edd939ad28dba65af9d1a59084a0e21e

New changelog entries:
  * SECURITY UPDATE: NTLM buffer overflow via integer overflow
    - debian/patches/CVE-2017-8816.patch: avoid integer overflow for malloc
      size in lib/curl_ntlm_core.c
    - CVE-2017-8816
  * SECURITY UPDATE: FTP wildcard out of bounds read
    - debian/patches/CVE-2017-8817.patch: fix heap buffer overflow in
      setcharset in lib/curl_fnmatch.c, added tests to
      tests/data/Makefile.inc, tests/data/test1163.
    - CVE-2017-8817

1b4bc56... by Marc Deslauriers on 2017-10-20

Import patches-unapplied version 7.55.1-1ubuntu2.1 to ubuntu/artful-security

Imported using git-ubuntu import.

Changelog parent: f2c6fdbd42dce219a21f512269db073cc6f3563c

New changelog entries:
  * SECURITY UPDATE: IMAP FETCH response out of bounds read
    - debian/patches/CVE-2017-1000257.patch: check size in lib/imap.c.
    - CVE-2017-1000257

f2c6fdb... by Marc Deslauriers on 2017-10-04

Import patches-unapplied version 7.55.1-1ubuntu2 to ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: 77981d8206026856a3f250d24883c5fb930d115e

New changelog entries:
  * SECURITY UPDATE: FTP PWD response parser out of bounds read
    - debian/patches/CVE-2017-1000254.patch: zero terminate the entry path
      even on bad input in lib/ftp.c, added test to
      tests/data/Makefile.inc, tests/data/test1152.
    - CVE-2017-1000254

77981d8... by Gianfranco Costamagna on 2017-09-03

Import patches-unapplied version 7.55.1-1ubuntu1 to ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: 6651943a39abf91dc2329186d792d355b90ff0fd

New changelog entries:
  * Merge from Debian unstable. Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop libssh2-1-dev, and libnghttp2-dev.
      + Drop libssh2-1-dev from binary package Depends.
      + debian/control: drop --with-nghttp2

6651943... by Alessandro Ghedini on 2017-09-02

Import patches-unapplied version 7.55.1-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 6d29eddfc82b336741d6c3fbfa46928f6bb372ac

New changelog entries:
  * New upstream release
    - Fix FTBFS on powerpc (Closes: #872502)
  * Apply upstream patch to fix connection timeouts with NetworkManager
    (Closes: #873181)
  * Refresh patches
  * Bump Standards-Version to 4.1.0 (no changes needed)

6d29edd... by Alessandro Ghedini on 2017-08-12

Import patches-unapplied version 7.55.0-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 4351b6803570cab64e28b6dc27b17a3ae74bfceb

New changelog entries:
  * New upstream release
    - Fix TFTP sends more than buffer size as per CVE-2017-1000100
      (Closes: #871555)
    - Fix URL globbing out of bounds read as per CVE-2017-1000101
      (Closes: #871554)
  * Refresh patches and drop patches merged upstream
  * Update Standards-Version to 4.0.1 (no changes needed)
  * Drop -dbg package