ubuntu/+source/curl:ubuntu/precise-devel

Last commit made on 2016-11-03
Get this branch:
git clone -b ubuntu/precise-devel https://git.launchpad.net/ubuntu/+source/curl

Branch information

Name:
ubuntu/precise-devel
Repository:
lp:ubuntu/+source/curl

Recent commits

3ff818e... by Marc Deslauriers on 2016-11-03

Import patches-unapplied version 7.22.0-3ubuntu4.17 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: b51c5cd554802e4a24197a78cfb6cdb987e57c5c

New changelog entries:
  * SECURITY UPDATE: Incorrect reuse of client certificates with NSS
    - debian/patches/CVE-2016-7141.patch: refuse previously loaded
      certificate from file in lib/nss.c.
    - CVE-2016-7141
  * SECURITY UPDATE: curl escape and unescape integer overflows
    - debian/patches/CVE-2016-7167.patch: deny negative string length
      inputs in lib/escape.c.
    - CVE-2016-7167
  * SECURITY UPDATE: cookie injection for other servers
    - debian/patches/CVE-2016-8615.patch: ignore lines that are too long in
      lib/cookie.c.
    - CVE-2016-8615
  * SECURITY UPDATE: case insensitive password comparison
    - debian/patches/CVE-2016-8616.patch: use case sensitive user/password
      comparisons in lib/url.c.
    - CVE-2016-8616
  * SECURITY UPDATE: OOB write via unchecked multiplication
    - debian/patches/CVE-2016-8617.patch: check for integer overflow on
      large input in lib/base64.c.
    - CVE-2016-8617
  * SECURITY UPDATE: double-free in curl_maprintf
    - debian/patches/CVE-2016-8618.patch: detect wrap-around when growing
      allocation in lib/mprintf.c.
    - CVE-2016-8618
  * SECURITY UPDATE: double-free in krb5 code
    - debian/patches/CVE-2016-8619.patch: avoid realloc in lib/security.c.
    - CVE-2016-8619
  * SECURITY UPDATE: curl_getdate read out of bounds
    - debian/patches/CVE-2016-8621.patch: handle cut off numbers better in
      lib/parsedate.c, added tests to tests/data/test517,
      tests/libtest/lib517.c.
    - CVE-2016-8621
  * SECURITY UPDATE: URL unescape heap overflow via integer truncation
    - debian/patches/CVE-2016-8622.patch: avoid integer overflow in
      lib/dict.c, lib/escape.c, update docs/libcurl/curl_easy_unescape.3.
    - CVE-2016-8622
  * SECURITY UPDATE: Use-after-free via shared cookies
    - debian/patches/CVE-2016-8623.patch: hold deep copies of all cookies
      in lib/cookie.c, lib/cookie.h, lib/http.c.
    - CVE-2016-8623
  * SECURITY UPDATE: invalid URL parsing with #
    - debian/patches/CVE-2016-8624.patch: accept # as end of host name in
      lib/url.c.
    - CVE-2016-8624

b51c5cd... by Marc Deslauriers on 2016-08-05

Import patches-unapplied version 7.22.0-3ubuntu4.16 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 1ae503ebdb7dddab87ee770eaaf0f5d3e3ae2246

New changelog entries:
  * SECURITY UPDATE: TLS session resumption client cert bypass
    - debian/patches/CVE-2016-5419.patch: switch off SSL session id when
      client cert is used in lib/url.c, lib/urldata.h, lib/sslgen.c.
    - CVE-2016-5419
  * SECURITY UPDATE: re-using connections with wrong client cert
    - debian/patches/CVE-2016-5420.patch: only reuse connections with the
      same client cert in lib/sslgen.c.
    - CVE-2016-5420

1ae503e... by Marc Deslauriers on 2016-01-27

Import patches-unapplied version 7.22.0-3ubuntu4.15 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 3cb75c4b4b6be65234728c96c3c4364eff70ba0a

New changelog entries:
  * SECURITY UPDATE: NTLM credentials not checked for proxy connection
    re-use
    - debian/patches/ntlm-backports.patch: backport misc NTLM fixes.
    - debian/patches/CVE-2014-0015.patch: refreshed.
    - debian/patches/CVE-2014-0138.patch: refreshed.
    - debian/patches/CVE-2014-3143.patch: refreshed.
    - debian/patches/CVE-2016-0755.patch: fix ConnectionExists to compare
      Proxy credentials in lib/url.c.
    - CVE-2016-0755

3cb75c4... by Marc Deslauriers on 2015-04-29

Import patches-unapplied version 7.22.0-3ubuntu4.14 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: ddc3957fb5a1d8251d9771c6ae7d7e0dcbcd31b8

New changelog entries:
  * SECURITY UPDATE: NTLM connection reuse when unauthenticated
    - debian/patches/CVE-2015-3143.patch: require credentials to match in
      lib/url.c.
    - CVE-2015-3143
  * SECURITY UPDATE: negotiate not treated as connection-oriented
    - debian/patches/CVE-2015-3148.patch: don't clear GSSAPI state between
      each exchange and close Negotiate connections when done in
      lib/http.c, lib/http_negotiate.c, lib/http_negotiate_sspi.c.
    - CVE-2015-3148

ddc3957... by Marc Deslauriers on 2015-01-14

Import patches-unapplied version 7.22.0-3ubuntu4.12 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 9629b14134fc94a866d61f5f99eb404be199dfbd

New changelog entries:
  * SECURITY UPDATE: URL request injection
    - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in
      lib/url.c.
    - CVE-2014-8150

9629b14... by Marc Deslauriers on 2014-11-06

Import patches-unapplied version 7.22.0-3ubuntu4.11 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 82185e31feccde2bba7d3d207caaa24cde96c469

New changelog entries:
  * SECURITY UPDATE: sensitive data disclosure via duphandle read out of
    bounds
    - debian/patches/CVE-2014-3707.patch: properly copy memory area in
      lib/formdata.c, lib/strdup.{c,h}, lib/url.c, lib/urldata.h,
      src/Makefile.inc.
    - CVE-2014-3707

82185e3... by Marc Deslauriers on 2014-09-12

Import patches-unapplied version 7.22.0-3ubuntu4.10 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: a88c4f82461e640d8a7245f0cf175ec1f77cb910

New changelog entries:
  * SECURITY UPDATE: incorrect cookie handling via partial literal IP
    addresses
    - debian/patches/CVE-2014-3613.patch: only use full host matches for
      hosts used as IP address in lib/cookie.c, added tests to
      tests/data/test1105, tests/data/test31, tests/data/test8.
    - CVE-2014-3613

a88c4f8... by Marc Deslauriers on 2014-04-01

Import patches-unapplied version 7.22.0-3ubuntu4.8 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 7d4a97834ac71a2dc8a533a562abceeb54245367

New changelog entries:
  * SECURITY UPDATE: wrong re-use of connections
    - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM
      HTTP logic, and extend new connection logic to other protocols in
      lib/http.c, lib/url.c, lib/urldata.h, add new tests to
      tests/data/Makefile.am, tests/data/test1418, tests/data/test1419.
    - CVE-2014-0138
  * SECURITY UPDATE: incorrect wildcard SSL certificate validation with
    literal IP addresses
    - debian/patches/CVE-2014-0139.patch: fix wildcard logic in
      lib/ssluse.c.
    - CVE-2014-0139
  * debian/patches/fix_test172.path: fix expired cookie causing test to
    fail.
  * debian/patches/disable_test519.path: disable test 519 as security
    update causes it to hang. Fixing this would require backporting new
    logic into tests/server/sws.c.

7d4a978... by Marc Deslauriers on 2014-01-31

Import patches-unapplied version 7.22.0-3ubuntu4.7 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 0b886d23a8f735c514585536d2a0840b1778223b

New changelog entries:
  * SECURITY UPDATE: information disclosure via incorrect NTLM credential
    reuse
    - debian/patches/CVE-2014-0015.patch: don't reuse connections if NTLM
      auth is used in lib/url.c.
    - CVE-2014-0015

0b886d2... by Marc Deslauriers on 2013-12-17

Import patches-unapplied version 7.22.0-3ubuntu4.6 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 4dfc6efdef68f2d7e9889c320cd887be51bd082b

New changelog entries:
  * SECURITY UPDATE: missing CN verification when signature verification is
    disabled in GnuTLS backend.
    - debian/patches/CVE-2013-6422.patch: still verify host when
      CURLOPT_SSL_VERIFYPEER isn't set in lib/gtls.c.
    - CVE-2013-6422