[ubuntu/resolute-proposed] curl 8.18.0-1ubuntu2 (Accepted)
Marc Deslauriers
marc.deslauriers at ubuntu.com
Wed Mar 11 12:26:17 UTC 2026
curl (8.18.0-1ubuntu2) resolute; urgency=medium
* SECURITY UPDATE: bad reuse of HTTP Negotiate connection
- debian/patches/CVE-2026-1965-1.patch: fix reuse of connections using
HTTP Negotiate in lib/url.c.
- debian/patches/CVE-2026-1965-2.patch: fix copy and paste
url_match_auth_nego mistake in lib/url.c.
- CVE-2026-1965
* SECURITY UPDATE: token leak with redirect and netrc
- debian/patches/CVE-2026-3783.patch: only send bearer if auth is
allowed in lib/http.c, tests/data/Makefile.am, tests/data/test2006.
- CVE-2026-3783
* SECURITY UPDATE: wrong proxy connection reuse with credentials
- debian/patches/CVE-2026-3784.patch: add additional tests in
lib/url.c, tests/http/test_13_proxy_auth.py,
tests/http/testenv/curl.py.
- CVE-2026-3784
* SECURITY UPDATE: use after free in SMB connection reuse
- debian/patches/CVE-2026-3805.patch: free the path in the request
struct properly in lib/smb.c.
- CVE-2026-3805
Date: Mon, 09 Mar 2026 08:30:05 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/curl/8.18.0-1ubuntu2
-------------- next part --------------
Format: 1.8
Date: Mon, 09 Mar 2026 08:30:05 -0400
Source: curl
Built-For-Profiles: noudeb
Architecture: source
Version: 8.18.0-1ubuntu2
Distribution: resolute
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Changes:
curl (8.18.0-1ubuntu2) resolute; urgency=medium
.
* SECURITY UPDATE: bad reuse of HTTP Negotiate connection
- debian/patches/CVE-2026-1965-1.patch: fix reuse of connections using
HTTP Negotiate in lib/url.c.
- debian/patches/CVE-2026-1965-2.patch: fix copy and paste
url_match_auth_nego mistake in lib/url.c.
- CVE-2026-1965
* SECURITY UPDATE: token leak with redirect and netrc
- debian/patches/CVE-2026-3783.patch: only send bearer if auth is
allowed in lib/http.c, tests/data/Makefile.am, tests/data/test2006.
- CVE-2026-3783
* SECURITY UPDATE: wrong proxy connection reuse with credentials
- debian/patches/CVE-2026-3784.patch: add additional tests in
lib/url.c, tests/http/test_13_proxy_auth.py,
tests/http/testenv/curl.py.
- CVE-2026-3784
* SECURITY UPDATE: use after free in SMB connection reuse
- debian/patches/CVE-2026-3805.patch: free the path in the request
struct properly in lib/smb.c.
- CVE-2026-3805
Checksums-Sha1:
cc151cd911db16079464652601aedc58d6621cfe 3259 curl_8.18.0-1ubuntu2.dsc
e19f8c90a646e625327843c5357fa57eae2c1622 60024 curl_8.18.0-1ubuntu2.debian.tar.xz
df5593d43c8a0ecdc8719f2e88c254ee16e88c45 10152 curl_8.18.0-1ubuntu2_source.buildinfo
Checksums-Sha256:
07e0fa94a501c5b3d276cf7bdfed98124dd507d7add95c700d932642cda6269f 3259 curl_8.18.0-1ubuntu2.dsc
078ea50868e1846bde4abbbce9e3eb0138bb6912b69fb51dac5cfd9495f99a58 60024 curl_8.18.0-1ubuntu2.debian.tar.xz
301251a33375caca8d789b6c77ffeb0ce434e62fb63699716b22d82cbb35a685 10152 curl_8.18.0-1ubuntu2_source.buildinfo
Files:
262e459a9e674eebbb766a5db943eb93 3259 web optional curl_8.18.0-1ubuntu2.dsc
0639e530715ac69e8235b5d465866e34 60024 web optional curl_8.18.0-1ubuntu2.debian.tar.xz
faff06590ddbb26e5e28a116a1b2a86b 10152 web optional curl_8.18.0-1ubuntu2_source.buildinfo
Original-Maintainer: Debian Curl Maintainers <team+curl at tracker.debian.org>
More information about the Resolute-changes
mailing list