ubuntu/+source/curl:ubuntu/yakkety-updates

Last commit made on 2016-11-03
Get this branch:
git clone -b ubuntu/yakkety-updates https://git.launchpad.net/ubuntu/+source/curl
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name: ubuntu/yakkety-updates
Repository: lp:ubuntu/+source/curl

Recent commits

d4c7e76... by Marc Deslauriers on 2016-11-02

Import patches-unapplied version 7.50.1-1ubuntu1.1 to ubuntu/yakkety-security

Imported using git-ubuntu import.

Changelog parent: 753b89cc7839375e8ce5ba344e0e8ae9d3bfd2da

New changelog entries:
  * SECURITY UPDATE: Incorrect reuse of client certificates with NSS
    - debian/patches/CVE-2016-7141.patch: refuse previously loaded
      certificate from file in lib/vtls/nss.c.
    - CVE-2016-7141
  * SECURITY UPDATE: curl escape and unescape integer overflows
    - debian/patches/CVE-2016-7167.patch: deny negative string length
      inputs in lib/escape.c.
    - CVE-2016-7167
  * SECURITY UPDATE: cookie injection for other servers
    - debian/patches/CVE-2016-8615.patch: ignore lines that are too long in
      lib/cookie.c.
    - CVE-2016-8615
  * SECURITY UPDATE: case insensitive password comparison
    - debian/patches/CVE-2016-8616.patch: use case sensitive user/password
      comparisons in lib/url.c.
    - CVE-2016-8616
  * SECURITY UPDATE: OOB write via unchecked multiplication
    - debian/patches/CVE-2016-8617.patch: check for integer overflow on
      large input in lib/base64.c.
    - CVE-2016-8617
  * SECURITY UPDATE: double-free in curl_maprintf
    - debian/patches/CVE-2016-8618.patch: detect wrap-around when growing
      allocation in lib/mprintf.c.
    - CVE-2016-8618
  * SECURITY UPDATE: double-free in krb5 code
    - debian/patches/CVE-2016-8619.patch: avoid realloc in lib/security.c.
    - CVE-2016-8619
  * SECURITY UPDATE: glob parser write/read out of bounds
    - debian/patches/CVE-2016-8620.patch: stay within bounds in
      src/tool_urlglob.c.
    - CVE-2016-8620
  * SECURITY UPDATE: curl_getdate read out of bounds
    - debian/patches/CVE-2016-8621.patch: handle cut off numbers better in
      lib/parsedate.c, added tests to tests/data/test517,
      tests/libtest/lib517.c.
    - CVE-2016-8621
  * SECURITY UPDATE: URL unescape heap overflow via integer truncation
    - debian/patches/CVE-2016-8622.patch: avoid integer overflow in
      lib/dict.c, lib/escape.c, update docs/libcurl/curl_easy_unescape.3.
    - CVE-2016-8622
  * SECURITY UPDATE: Use-after-free via shared cookies
    - debian/patches/CVE-2016-8623.patch: hold deep copies of all cookies
      in lib/cookie.c, lib/cookie.h, lib/http.c.
    - CVE-2016-8623
  * SECURITY UPDATE: invalid URL parsing with #
    - debian/patches/CVE-2016-8624.patch: accept # as end of host name in
      lib/url.c.
    - CVE-2016-8624

753b89c... by Gianfranco Costamagna on 2016-08-03

Import patches-unapplied version 7.50.1-1ubuntu1 to ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: 66b33c5f29c1408e27467e38ecd7c7b31dd66572

New changelog entries:
  * Merge from Debian. Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop libssh2-1-dev, and libnghttp2-dev.
      + Drop libssh2-1-dev from binary package Depends.
      + debian/control: drop --with-nghttp2
  * Drop libgnutls28-dev change, the rename didn't happen in Debian
  * Readd stunnel build dependency, we can build-depend from
    universe now.

66b33c5... by Alessandro Ghedini on 2016-08-03

Import patches-unapplied version 7.50.1-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 8b4c7744d4da5add144aa6bd29761210313409cc

New changelog entries:
  * New upstream release (Closes: #827900)
    - Fix TLS session resumption client cert bypass as per CVE-2016-5419
      https://curl.haxx.se/docs/adv_20160803A.html
    - Fix re-using connection with wrong client cert as per CVE-2016-5420
      https://curl.haxx.se/docs/adv_20160803B.html
    - Fix use of connection struct after free as per CVE-2016-5421
      https://curl.haxx.se/docs/adv_20160803C.html
    - Support OpenSSL 1.1 (Closes: #828127)
  * Fix 04_workaround_as_needed_bug.patch.
    Thanks to Yuriy M. Kaminskiy for the patch (Closes: #818131)
  * Bump Standards-Version to 3.9.8 (no changes needed)
  * Update Vcs-* URLs
  * Refresh patches
  * Add 08_enable-zsh.patch to re-enable zsh completion generation
  * Remove 08_fix-zsh-completion.patch (was already disabled)
  * Add 09_fix-typo.patch to fix spelling-error-in-manpage
  * Add 10_disable-network-tests.patch to disable networked tests
    (Closes: #830273)
  * Improve cross Build-Depends satisfiability.
    Thanks to Helmut Grohne for the patch (Closes: #818092)

8b4c774... by Alessandro Ghedini on 2016-01-27

Import patches-unapplied version 7.47.0-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 216e12551539b1c0c178d5c291b177949e413aeb

New changelog entries:
  * New upstream release
    - Fix NTLM credentials not-checked for proxy connection re-use
      as per CVE-2016-0755
      http://curl.haxx.se/docs/adv_20160127A.html
    - Set urgency=high accordingly
  * Remove hard-coded dependency on libgnutls (Closes: #812542)
  * Drop 08_fix-zsh-completion.patch (merged upstream)
  * Refresh patches

216e125... by Alessandro Ghedini on 2015-12-27

Import patches-unapplied version 7.46.0-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: c3f832d3b634c2828a2f06d266c842ce8957933b

New changelog entries:
  * New upstream release
    - Initialize OpenSSL algorithms after loading config (Closes: #805408)
  * Install curl zsh completion (Closes: #805509)
    - Add 08_fix-zsh-completion.patch to fix zsh completion generation

c3f832d... by Alessandro Ghedini on 2015-10-07

Import patches-unapplied version 7.45.0-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: fb7c49c5c6567aeab539f32c911132196c4ddd91

New changelog entries:
  * New upstream release
  * Drop 08_spelling.patch (merged upstream)

fb7c49c... by Alessandro Ghedini on 2015-09-10

Import patches-unapplied version 7.44.0-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 1548a565de44e7cd16b536a920af2c03366db7eb

New changelog entries:
  * Enable HTTP/2 support (Closes: #796302)

1548a56... by Alessandro Ghedini on 2015-08-12

Import patches-unapplied version 7.44.0-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 285e6edfe5eee7d389bd3ce4f47a48c2af910e1c

New changelog entries:
  * New upstream release
  * Refresh patches
  * Update symbols files
  * Add 08_spelling.patch to fix some spelling errors

285e6ed... by Alessandro Ghedini on 2015-06-17

Import patches-unapplied version 7.43.0-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 737b10960db678dea9f10062c392653f1401dddb

New changelog entries:
  * New upstream release
    - Fix lingering HTTP credentials in connection re-use as per CVE-2015-3236
      http://curl.haxx.se/docs/adv_20150617A.html
    - Fix SMB send off unrelated memory contents as per CVE-2015-3237
      http://curl.haxx.se/docs/adv_20150617B.html
  * Refresh patches
  * Fix spelling-error-in-description

737b109... by Alessandro Ghedini on 2015-06-07

Import patches-unapplied version 7.42.1-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: a58a94f426e34015adc99630fc60b06e55a5f8b5

New changelog entries:
  * Update copyright
  * Set both CA bundle and CA path default values for OpenSSL and GnuTLS
    backends
  * Bump versioned depends on libgnutls to workaround lack of nettle versioned
    symbols (Closes: #787960)