ubuntu/+source/curl:ubuntu/zesty-devel

Last commit made on 2017-11-29
Get this branch:
git clone -b ubuntu/zesty-devel https://git.launchpad.net/ubuntu/+source/curl
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name: ubuntu/zesty-devel
Repository: lp:ubuntu/+source/curl

Recent commits

841f5f9... by Marc Deslauriers on 2017-11-28

Import patches-unapplied version 7.52.1-4ubuntu1.4 to ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: 3946fe11e85c6c2f99764e9df54f1eda8610491a

New changelog entries:
  * SECURITY UPDATE: NTLM buffer overflow via integer overflow
    - debian/patches/CVE-2017-8816.patch: avoid integer overflow for malloc
      size in lib/curl_ntlm_core.c
    - CVE-2017-8816
  * SECURITY UPDATE: FTP wildcard out of bounds read
    - debian/patches/CVE-2017-8817.patch: fix heap buffer overflow in
      setcharset in lib/curl_fnmatch.c, added tests to
      tests/data/Makefile.inc, tests/data/test1163.
    - CVE-2017-8817

3946fe1... by Marc Deslauriers on 2017-10-17

Import patches-unapplied version 7.52.1-4ubuntu1.3 to ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: 46baed7bc91a53f66a9e6f055729bbbbe9070c14

New changelog entries:
  * SECURITY UPDATE: IMAP FETCH response out of bounds read
    - debian/patches/CVE-2017-1000257.patch: check size in lib/imap.c.
    - CVE-2017-1000257

46baed7... by Marc Deslauriers on 2017-10-04

Import patches-unapplied version 7.52.1-4ubuntu1.2 to ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: f774b7cf8e3fab97a6098de8ae1fe725ea7edcc7

New changelog entries:
  * SECURITY UPDATE: TFTP sends more than buffer size
    - debian/patches/CVE-2017-1000100.patch: reject file name lengths that
      don't fit in lib/tftp.c.
    - CVE-2017-1000100
  * SECURITY UPDATE: URL globbing out of bounds read
    - debian/patches/CVE-2017-1000101.patch: do not continue parsing after
      a strtoul() overflow range in src/tool_urlglob.c, added test to
      tests/data/Makefile.inc, tests/data/test1289.
    - CVE-2017-1000101
  * SECURITY UPDATE: FTP PWD response parser out of bounds read
    - debian/patches/CVE-2017-1000254.patch: zero terminate the entry path
      even on bad input in lib/ftp.c, added test to
      tests/data/Makefile.inc, tests/data/test1152.
    - CVE-2017-1000254
  * SECURITY UPDATE: --write-out out of buffer read
    - debian/patches/CVE-2017-7407-2.patch: check for end of input in
      src/tool_writeout.c, added test to tests/data/Makefile.inc,
      tests/data/test1442.
    - CVE-2017-7407

f774b7c... by Steve Beattie on 2017-04-17

Import patches-unapplied version 7.52.1-4ubuntu1.1 to ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: 673cd3e2d6819c27a0a42bcc399612af8820a969

New changelog entries:
  * SECURITY UPDATE: TLS session resumption client cert bypass
    - debian/patches/CVE-2017-7468: Move the sessionid flag to
      ssl_primary_config so that ssl and proxy_ssl will each have
      their own sessionid flag.
    - CVE-2017-7468

673cd3e... by Gianfranco Costamagna on 2017-04-09

Import patches-unapplied version 7.52.1-4ubuntu1 to ubuntu/zesty-proposed

Imported using git-ubuntu import.

Changelog parent: dd837796fb533d4d814394d9f0851edbf065386b

New changelog entries:
  * Merge from Debian unstable. Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop libssh2-1-dev, and libnghttp2-dev.
      + Drop libssh2-1-dev from binary package Depends.
      + debian/control: drop --with-nghttp2

dd83779... by Alessandro Ghedini on 2017-04-08

Import patches-unapplied version 7.52.1-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 2919bea5483dd62172975384d3da1ce4ff50d86b

New changelog entries:
  * Fix regression in CONNECT response handling (Closes: #857613)
  * Fix buffer read overrun on --write-out as per CVE-2017-7407
    https://curl.haxx.se/docs/adv_20170403.html (Closes: #859500)

2919bea... by Alessandro Ghedini on 2017-02-21

Import patches-unapplied version 7.52.1-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 4eeb0572ddc390c50cde0b831b99f8c367d5ab29

New changelog entries:
  * Make SSL_VERIFYSTATUS work again as per CVE-2017-2629
    https://curl.haxx.se/docs/adv_20170222.html

4eeb057... by Alessandro Ghedini on 2017-01-29

Import patches-unapplied version 7.52.1-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 1c9418b78e159b6f66fb9553f7e1b3e56f3c0943

New changelog entries:
  * Fix HTTPS connection timeout with OpenSSL (Closes: #852317)

1c9418b... by Alessandro Ghedini on 2017-01-12

Import patches-unapplied version 7.52.1-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 761b2a090edddb86ec3104e30714bf721dbd30be

New changelog entries:
  * New upstream release
    - Fix printf floating point buffer overflow as per CVE-2016-9586
      (Closes: #848958)
  * B-D on "libssl1.0-dev | libssl-dev (<< 1.1)" (Closes: #850880, #844018)
  * Another attempt at making -dev packages multi-arch.
    Thanks to Benjamin Moody for the patches. (Closes: #731998, #846360)
  * Enable support for PSL (Closes: #847958)
  * Re-enable support for IDN (Closes: #849539)
  * Drop 10_disable-network-tests.patch.
    It didn't really work, and the issue is not urgent.
  * Switch curl binary back to libcurl3/OpenSSL.
    While the GnuTLS flavour mostly worked fine, there are a bunch of features
    that are not implemented.

761b2a0... by Alessandro Ghedini on 2016-11-03

Import patches-unapplied version 7.51.0-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 66b33c5f29c1408e27467e38ecd7c7b31dd66572

New changelog entries:
  * New upstream release
    - Fix cookie injection for other servers as per CVE-2016-8615
      https://curl.haxx.se/docs/adv_20161102A.html
    - Fix case insensitive password comparison as per CVE-2016-8616
      https://curl.haxx.se/docs/adv_20161102B.html
    - Fix OOB write via unchecked multiplication as per CVE-2016-8617
      https://curl.haxx.se/docs/adv_20161102C.html
    - Fix double-free in curl_maprintf as per CVE-2016-8618
      https://curl.haxx.se/docs/adv_20161102D.html
    - Fix double-free in krb5 code as per CVE-2016-8619
      https://curl.haxx.se/docs/adv_20161102E.html
    - Fix glob parser write/read out of bounds as per CVE-2016-8620
      https://curl.haxx.se/docs/adv_20161102F.html
    - Fix curl_getdate read out of bounds as per CVE-2016-8621
      https://curl.haxx.se/docs/adv_20161102G.html
    - Fix URL unescape heap overflow via integer truncation as per CVE-2016-8622
      https://curl.haxx.se/docs/adv_20161102H.html
    - Fix use-after-free via shared cookies as per CVE-2016-8623
      https://curl.haxx.se/docs/adv_20161102I.html
    - Fix invalid URL parsing with '#' as per CVE-2016-8624
      https://curl.haxx.se/docs/adv_20161102J.html
    - Fix IDNA 2003 makes curl use wrong host
      https://curl.haxx.se/docs/adv_20161102K.html
    - Fix escape and unescape integer overflows as
      per CVE-2016-7167 (Closes: #837945)
      https://curl.haxx.se/docs/adv_20160914.html
    - Fix incorrect reuse of client certificates (NSS backend)
      as per CVE-2016-7141 (Closes: #836918)
      https://curl.haxx.se/docs/adv_20160907.html
  * Drop 02_art_http_scripting.patch (file not shipped anymore)
  * Refresh patches
  * Temporarily disable IDN support
  * Don't install pdf and html docs (they are not shipped in the tarball anymore)
  * Install markdown docs
  * Disable more network tests (Closes: #830273)