ubuntu/+source/curl:ubuntu/xenial-updates

Last commit made on 2019-09-11
Get this branch:
git clone -b ubuntu/xenial-updates https://git.launchpad.net/ubuntu/+source/curl
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name: ubuntu/xenial-updates
Repository: lp:ubuntu/+source/curl

Recent commits

31b2321... by Alex Murray on 2019-09-06

Import patches-unapplied version 7.47.0-1ubuntu2.14 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: f447e332723f0a54454918ac3ac7449e1d08727e

New changelog entries:
  * SECURITY UPDATE: double-free when using kerberos over FTP may cause
    denial-of-service
    - debian/patches/CVE-2019-5481.patch: update lib/security.c to avoid
      double-free on large memory allocation failures
    - CVE-2019-5481
  * SECURITY UPDATE: heap buffer overflow when receiving TFTP data may
    cause denial-of-service or remote code-execution
    - debian/patches/CVE-2019-5482.patch: ensure to use the correct block
      size when calling recvfrom() if the server returns an OACK without
      specifying a block size in lib/tftp.c
    - CVE-2019-5482

f447e33... by Marc Deslauriers on 2019-05-16

Import patches-unapplied version 7.47.0-1ubuntu2.13 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 4e0d487f6e0c8e957301fd0bb7ade904f8ac7238

New changelog entries:
  * SECURITY UPDATE: TFTP receive buffer overflow
    - debian/patches/CVE-2019-5346.patch: use the current blksize in
      lib/tftp.c.
    - CVE-2019-5346

4e0d487... by Marc Deslauriers on 2019-01-29

Import patches-unapplied version 7.47.0-1ubuntu2.12 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: a5ecd0bc001a5374d9199666d7661dc4bddeb58b

New changelog entries:
  * SECURITY UPDATE: NTLM type-2 out-of-bounds buffer read
    - debian/patches/CVE-2018-16890.patch: fix size check condition for
      type2 received data in lib/curl_ntlm_msgs.c.
    - CVE-2018-16890
  * SECURITY UPDATE: NTLMv2 type-3 header stack buffer overflow
    - debian/patches/CVE-2019-3822.patch: fix *_type3_message size check to
      avoid buffer overflow in lib/curl_ntlm_msgs.c.
    - CVE-2019-3822
  * SECURITY UPDATE: SMTP end-of-response out-of-bounds read
    - debian/patches/CVE-2019-3823.patch: avoid risk of buffer overflow in
      strtol in lib/smtp.c.
    - CVE-2019-3823

a5ecd0b... by Marc Deslauriers on 2018-10-29

Import patches-unapplied version 7.47.0-1ubuntu2.11 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: b041e62f9cd4c530db1d120f639dc317edbb2eee

New changelog entries:
  * SECURITY UPDATE: SASL password overflow via integer overflow
    - debian/patches/CVE-2018-16839-pre1.patch: prevent size overflows in
      lib/curl_sasl.c.
    - debian/patches/CVE-2018-16839-pre2.patch: fix integer overflow check
      in lib/curl_ntlm_core.c, lib/curl_setup.h, lib/curl_sasl.c.
    - debian/patches/CVE-2018-16839.patch: fix check in lib/curl_sasl.c.
    - CVE-2018-16839
  * SECURITY UPDATE: warning message out-of-buffer read
    - debian/patches/oob-read.patch: fix bad arithmetic in src/tool_msgs.c.
    - CVE number pending

b041e62... by Leonidas S. Barbosa on 2018-09-13

Import patches-unapplied version 7.47.0-1ubuntu2.9 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 05af0fb36885b31598f27f2187c35cc877f92404

New changelog entries:
  * SECURITY UPDATE: Buffer overrun
    - debian/patches/CVE-2018-14618.patch: fix in
      lib/curl_ntlm_core.c.
    - CVE-2018-14618

05af0fb... by Marc Deslauriers on 2018-05-08

Import patches-unapplied version 7.47.0-1ubuntu2.8 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 859f4d61f7ce685e4b7de0fa6e6e1a31bd568aba

New changelog entries:
  * SECURITY UPDATE: RTSP bad headers buffer over-read
    - debian/patches/CVE-2018-1000301.patch: restore buffer pointer when
      bad response-line is parsed in lib/http.c.
    - CVE-2018-1000301

859f4d6... by Marc Deslauriers on 2018-03-14

Import patches-unapplied version 7.47.0-1ubuntu2.7 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 02cf93b55e00a3d61b74e3bbd49b6a1e5788a4b8

New changelog entries:
  * SECURITY UPDATE: FTP path trickery leads to NIL byte OOB write
    - debian/patches/CVE-2018-1000120-pre1.patch: avoid using
      curl_easy_unescape() internally in lib/ftp.c.
    - debian/patches/CVE-2018-1000120-pre2.patch: URL decode path for dir
      listing in nocwd mode in lib/ftp.c, add test to tests/*.
    - debian/patches/CVE-2018-1000120-pre3.patch: remove dead code in
      ftp_done in lib/ftp.c.
    - debian/patches/CVE-2018-1000120-pre4.patch: don't clobber the passed
      in error code in lib/ftp.c.
    - debian/patches/CVE-2018-1000120.patch: reject path components with
      control codes in lib/ftp.c, add test to tests/*.
    - CVE-2018-1000120
  * SECURITY UPDATE: LDAP NULL pointer dereference
    - debian/patches/CVE-2018-1000121.patch: check ldap_get_attribute_ber()
      results for NULL before using in lib/openldap.c.
    - CVE-2018-1000121
  * SECURITY UPDATE: RTSP RTP buffer over-read
    - debian/patches/CVE-2018-1000122.patch: make sure excess reads don't
      go beyond buffer end in lib/transfer.c.
    - CVE-2018-1000122

02cf93b... by Leonidas S. Barbosa on 2018-01-29

Import patches-unapplied version 7.47.0-1ubuntu2.6 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: d3e493354dc5cfda7754c556a7a1d58e1c92654d

New changelog entries:
  * SECURITY UPDATE: Out of bounds read in code handling HTTP/2
    - debian/patches/CVE-2018-1000005.patch: fix incorrect
      trailer buffer size in lib/http2.c.
    - CVE-2018-1000005
  * SECURITY UPDATE: leak authentication data
    - debian/patches/CVE-2018-1000007.patch: prevent custom
      authorization headers in redirects in lib/http.c,
      lib/url.c, lib/urldata.h, tests/data/Makefile.in,
      tests/data/test317, tests/data/test318.
    - CVE-2018-1000007

d3e4933... by Marc Deslauriers on 2017-11-28

Import patches-unapplied version 7.47.0-1ubuntu2.5 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: d9f534b43f2d328f1c80740bcd8d01d048b1e919

New changelog entries:
  * SECURITY UPDATE: NTLM buffer overflow via integer overflow
    - debian/patches/CVE-2017-8816.patch: avoid integer overflow for malloc
      size in lib/curl_ntlm_core.c
    - CVE-2017-8816
  * SECURITY UPDATE: FTP wildcard out of bounds read
    - debian/patches/CVE-2017-8817.patch: fix heap buffer overflow in
      setcharset in lib/curl_fnmatch.c, added tests to
      tests/data/Makefile.inc, tests/data/test1163.
    - CVE-2017-8817

d9f534b... by Marc Deslauriers on 2017-10-17

Import patches-unapplied version 7.47.0-1ubuntu2.4 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 5f7fde388006221af3669962a44cfc310b6e05c9

New changelog entries:
  * SECURITY UPDATE: IMAP FETCH response out of bounds read
    - debian/patches/CVE-2017-1000257.patch: check size in lib/imap.c.
    - CVE-2017-1000257