[ubuntu/cosmic-proposed] curl 7.60.0-2ubuntu1 (Accepted)
Steve Langasek
steve.langasek at ubuntu.com
Tue Jun 5 00:20:12 UTC 2018
curl (7.60.0-2ubuntu1) cosmic; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Use an if statement to conditionally disable libssh2 in Ubuntu-only
  * Dropped changes, included in Debian:
    - Build-depend on libssl-dev instead of libssl1.0-dev.
    - Rename libcurl3 to libcurl4, because libcurl exposes an SSL_CTX via
      CURLOPT_SSL_CTX_FUNCTION, and this object changes incompatibly between
      openssl 1.0 and openssl 1.1.
    - debian/patches/03_keep_symbols_compat.patch: drop, since we are no longer
      claiming compatibility.
    - debian/patches/90_gnutls.patch: Retain symbol versioning compatibility
      for non-OpenSSL builds.
  * Dropped changes, included upstream:
    - SECURITY UPDATE: FTP path trickery leads to NIL byte OOB write
      - debian/patches/CVE-2018-1000120.patch: reject path components with
        control codes in lib/ftp.c, add test to tests/*.
      - CVE-2018-1000120
    - SECURITY UPDATE: LDAP NULL pointer dereference
      - debian/patches/CVE-2018-1000121.patch: check ldap_get_attribute_ber()
        results for NULL before using in lib/openldap.c.
      - CVE-2018-1000121
    - SECURITY UPDATE: RTSP RTP buffer over-read
      - debian/patches/CVE-2018-1000122.patch: make sure excess reads don't
        go beyond buffer end in lib/transfer.c.
      - CVE-2018-1000122
    - SECURITY UPDATE: FTP shutdown response buffer overflow
      - debian/patches/CVE-2018-1000300.patch: check data size in
        lib/pingpong.c.
      - CVE-2018-1000303
    - SECURITY UPDATE: RTSP bad headers buffer over-read
      - debian/patches/CVE-2018-1000301.patch: restore buffer pointer when
        bad response-line is parsed in lib/http.c.
      - CVE-2018-1000301

curl (7.60.0-2) unstable; urgency=medium

  [ Steve Langasek ]
  * Build-depend on libssl-dev instead of libssl1.0-dev.
  * Rename libcurl3 to libcurl4, because libcurl exposes an SSL_CTX via
    CURLOPT_SSL_CTX_FUNCTION, and this object changes incompatibly between
    openssl 1.0 and openssl 1.1.
  * debian/patches/03_keep_symbols_compat.patch: drop, since we are no longer
    claiming compatibility.
  * debian/patches/90_gnutls.patch: Retain symbol versioning compatibility for
    non-OpenSSL builds. Closes: #858398.
  * Adjust libssl1.1 vs libssl1.0 Suggests/Conflicts; thanks, Adrian Bunk

curl (7.60.0-1) unstable; urgency=medium

  * New upstream release (Closes: #891997, #893546, #898856)
    + Fix use of IPv6 literals with NO_PROXY
    + Fix NIL byte out of bounds write due to FTP path trickery
      as per CVE-2018-1000120
      https://curl.haxx.se/docs/adv_2018-9cd6.html
    + Fix LDAP NULL pointer dereference as per CVE-2018-1000121
      https://curl.haxx.se/docs/adv_2018-97a2.html
    + Fix RTSP RTP buffer over-read as per CVE-2018-1000122
      https://curl.haxx.se/docs/adv_2018-b047.html
    + Fix heap buffer overflow when closing down an FTP connection
      with very long server command replies as per CVE-2018-1000300
      https://curl.haxx.se/docs/adv_2018-82c2.html
    + Fix heap buffer over-read when parsing bad RTSP headers
      as per CVE-2018-1000301
      https://curl.haxx.se/docs/adv_2018-b138.html
  * Refresh patches
  * Bump Standards-Version to 4.1.4 (no changes needed)
Date: Mon, 04 Jun 2018 16:27:47 -0700
Changed-By: Steve Langasek <steve.langasek at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/curl/7.60.0-2ubuntu1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 04 Jun 2018 16:27:47 -0700
Source: curl
Binary: curl libcurl4 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl4-doc
Architecture: source
Version: 7.60.0-2ubuntu1
Distribution: cosmic
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Steve Langasek <steve.langasek at ubuntu.com>
Description:
curl - command line tool for transferring data with URL syntax
libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
libcurl4 - easy-to-use client-side URL transfer library (OpenSSL flavour)
libcurl4-doc - documentation for libcurl
libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 858398 891997 893546 898856
Changes:
 curl (7.60.0-2ubuntu1) cosmic; urgency=low
 .
   * Merge from Debian unstable. Remaining changes:
     - Use an if statement to conditionally disable libssh2 in Ubuntu-only
   * Dropped changes, included in Debian:
     - Build-depend on libssl-dev instead of libssl1.0-dev.
     - Rename libcurl3 to libcurl4, because libcurl exposes an SSL_CTX via
       CURLOPT_SSL_CTX_FUNCTION, and this object changes incompatibly between
       openssl 1.0 and openssl 1.1.
     - debian/patches/03_keep_symbols_compat.patch: drop, since we are no longer
       claiming compatibility.
     - debian/patches/90_gnutls.patch: Retain symbol versioning compatibility
       for non-OpenSSL builds.
   * Dropped changes, included upstream:
     - SECURITY UPDATE: FTP path trickery leads to NIL byte OOB write
       - debian/patches/CVE-2018-1000120.patch: reject path components with
         control codes in lib/ftp.c, add test to tests/*.
       - CVE-2018-1000120
     - SECURITY UPDATE: LDAP NULL pointer dereference
       - debian/patches/CVE-2018-1000121.patch: check ldap_get_attribute_ber()
         results for NULL before using in lib/openldap.c.
       - CVE-2018-1000121
     - SECURITY UPDATE: RTSP RTP buffer over-read
       - debian/patches/CVE-2018-1000122.patch: make sure excess reads don't
         go beyond buffer end in lib/transfer.c.
       - CVE-2018-1000122
     - SECURITY UPDATE: FTP shutdown response buffer overflow
       - debian/patches/CVE-2018-1000300.patch: check data size in
         lib/pingpong.c.
       - CVE-2018-1000303
     - SECURITY UPDATE: RTSP bad headers buffer over-read
       - debian/patches/CVE-2018-1000301.patch: restore buffer pointer when
         bad response-line is parsed in lib/http.c.
       - CVE-2018-1000301
 .
 curl (7.60.0-2) unstable; urgency=medium
 .
   [ Steve Langasek ]
   * Build-depend on libssl-dev instead of libssl1.0-dev.
   * Rename libcurl3 to libcurl4, because libcurl exposes an SSL_CTX via
     CURLOPT_SSL_CTX_FUNCTION, and this object changes incompatibly between
     openssl 1.0 and openssl 1.1.
   * debian/patches/03_keep_symbols_compat.patch: drop, since we are no longer
     claiming compatibility.
   * debian/patches/90_gnutls.patch: Retain symbol versioning compatibility for
     non-OpenSSL builds. Closes: #858398.
   * Adjust libssl1.1 vs libssl1.0 Suggests/Conflicts; thanks, Adrian Bunk
 .
 curl (7.60.0-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #891997, #893546, #898856)
     + Fix use of IPv6 literals with NO_PROXY
     + Fix NIL byte out of bounds write due to FTP path trickery
       as per CVE-2018-1000120
       https://curl.haxx.se/docs/adv_2018-9cd6.html
     + Fix LDAP NULL pointer dereference as per CVE-2018-1000121
       https://curl.haxx.se/docs/adv_2018-97a2.html
     + Fix RTSP RTP buffer over-read as per CVE-2018-1000122
       https://curl.haxx.se/docs/adv_2018-b047.html
     + Fix heap buffer overflow when closing down an FTP connection
       with very long server command replies as per CVE-2018-1000300
       https://curl.haxx.se/docs/adv_2018-82c2.html
     + Fix heap buffer over-read when parsing bad RTSP headers
       as per CVE-2018-1000301
       https://curl.haxx.se/docs/adv_2018-b138.html
   * Refresh patches
   * Bump Standards-Version to 4.1.4 (no changes needed)
Checksums-Sha1:
a1a08b81c63c5864fe83aa149b9b8b7752779178 2806 curl_7.60.0-2ubuntu1.dsc
31c68f25832ee3af7480a48d1d5dffbe6771df17 3949173 curl_7.60.0.orig.tar.gz
5f5acfaf0058cf7c6c8b5fdc4a0e471b94a3b34c 32508 curl_7.60.0-2ubuntu1.debian.tar.xz
54c46e461116b59ef00ea465d05291659c61015e 7580 curl_7.60.0-2ubuntu1_source.buildinfo
Checksums-Sha256:
4c512e2baf021b9d35d35c6c447f8cb27b6b6c9f466f2cdf14a6672fd4fc7bb4 2806 curl_7.60.0-2ubuntu1.dsc
e9c37986337743f37fd14fe8737f246e97aec94b39d1b71e8a5973f72a9fc4f5 3949173 curl_7.60.0.orig.tar.gz
11d769b646018c3b2140211d25a066facbc0df910fdbfef37af8be5fc73d7c2f 32508 curl_7.60.0-2ubuntu1.debian.tar.xz
84f88b7f8eff83aa022f0ac2c5c72220fd12fc22ac91c1b1d41a9866fe1a1be8 7580 curl_7.60.0-2ubuntu1_source.buildinfo
Files:
adc90e38bab32d415235ee88eabd8deb 2806 web optional curl_7.60.0-2ubuntu1.dsc
48eb126345d3b0f0a71a486b7f5d0307 3949173 web optional curl_7.60.0.orig.tar.gz
22a9e0f4c5fb4347eb51895731c95ba0 32508 web optional curl_7.60.0-2ubuntu1.debian.tar.xz
580fc3036021347e27e4ab3fd17c56af 7580 web optional curl_7.60.0-2ubuntu1_source.buildinfo
Original-Maintainer: Alessandro Ghedini <ghedo at debian.org>
-----BEGIN PGP SIGNATURE-----
=Q9DA
-----END PGP SIGNATURE-----