[ubuntu/lunar-proposed] curl 7.87.0-2ubuntu2 (Accepted)
Marc Deslauriers
marc.deslauriers at ubuntu.com
Fri Feb 17 15:26:16 UTC 2023
curl (7.87.0-2ubuntu2) lunar; urgency=medium

  * SECURITY UPDATE: multiple HSTS issues
    - debian/patches/CVE-2023-23914_5-1.patch: add sharing of HSTS cache
      among handles in docs/libcurl/opts/CURLSHOPT_SHARE.3,
      docs/libcurl/symbols-in-versions, include/curl/curl.h, lib/hsts.c,
      lib/hsts.h, lib/setopt.c, lib/share.c, lib/share.h, lib/transfer.c,
      lib/url.c, lib/urldata.h.
    - debian/patches/CVE-2023-23914_5-2.patch: share HSTS between handles
      in src/tool_operate.c.
    - debian/patches/CVE-2023-23914_5-3.patch: handle adding the same host
      name again in lib/hsts.c.
    - debian/patches/CVE-2023-23914_5-4.patch: support crlf="yes" for
      verify/proxy in tests/FILEFORMAT.md, tests/runtests.pl.
    - debian/patches/CVE-2023-23914_5-5.patch: verify hsts with two URLs in
      tests/data/Makefile.inc, tests/data/test446.
    - CVE-2023-23914
    - CVE-2023-23915
  * SECURITY UPDATE: HTTP multi-header compression denial of service
    - debian/patches/CVE-2023-23916.patch: do not reset stage counter for
      each header in lib/content_encoding.c, lib/urldata.h,
      tests/data/Makefile.inc, tests/data/test387, tests/data/test418.
    - CVE-2023-23916
Date: Fri, 17 Feb 2023 08:19:10 -0500
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/curl/7.87.0-2ubuntu2
-------------- next part --------------
Format: 1.8
Date: Fri, 17 Feb 2023 08:19:10 -0500
Source: curl
Built-For-Profiles: noudeb
Architecture: source
Version: 7.87.0-2ubuntu2
Distribution: lunar
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Original-Maintainer: Alessandro Ghedini <ghedo at debian.org>