[ubuntu/resolute-updates] curl 8.18.0-1ubuntu2.1 (Accepted)

Ubuntu Archive Robot ubuntu-archive-robot at lists.canonical.com
Mon May 4 12:28:38 UTC 2026 

curl (8.18.0-1ubuntu2.1) resolute-security; urgency=medium

  * SECURITY UPDATE: connection reuse ignores TLS requirement
    - debian/patches/CVE-2026-4873.patch: do not reuse a non-tls starttls
      connection if new requires TLS in lib/url.c.
    - CVE-2026-4873
  * SECURITY UPDATE: wrong reuse of HTTP Negotiate connection
    - debian/patches/CVE-2026-5545.patch: improve connection reuse on
      negotiate in lib/url.c.
    - CVE-2026-5545
  * SECURITY UPDATE: wrong reuse of SMB connection
    - debian/patches/CVE-2026-5773.patch: disable connection reuse for
      SMB(S) in lib/smb.c.
    - CVE-2026-5773
  * SECURITY UPDATE: proxy credentials leak over redirect-to proxy
    - debian/patches/CVE-2026-6253-pre1.patch: chunked response, error code
      in lib/cf-h1-proxy.c, lib/cf-h2-proxy.c, tests/*.
    - debian/patches/CVE-2026-6253-pre2.patch: fix error code, remove SMB
      use in tests/data/test445.
    - debian/patches/CVE-2026-6253.patch: clear the proxy credentials as
      well on port or scheme change in lib/http.c, lib/transfer.*, tests/*.
    - CVE-2026-6253
  * SECURITY UPDATE: stale custom cookie host causes cookie leak
    - debian/patches/CVE-2026-6276.patch: move cookiehost to struct
      SingleRequest in lib/http.c, lib/request.c, lib/request.h, lib/url.c,
      lib/urldata.h, tests/*.
    - CVE-2026-6276
  * SECURITY UPDATE: netrc credential leak with reused proxy connection
    - debian/patches/CVE-2026-6429-pre1.patch: prevent secure schemes
      pushed over insecure connections in lib/http2.c.
    - debian/patches/CVE-2026-6429-pre2.patch: same origin tests in
      lib/http2.c, lib/urlapi-int.h, lib/urlapi.c.
    - debian/patches/CVE-2026-6429.patch: clear credentials better on
      redirect in lib/http.c, tests/*.
    - CVE-2026-6429
  * SECURITY UPDATE: cross-proxy Digest auth state leak
    - debian/patches/CVE-2026-7168.patch: clear proxy auth properties when
      switching in lib/setopt.c, lib/vauth/vauth.h, tests/*.
    - CVE-2026-7168

Date: 2026-04-29 15:08:10.499817+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
Signed-By: Ubuntu Archive Robot <ubuntu-archive-robot at lists.canonical.com>
https://launchpad.net/ubuntu/+source/curl/8.18.0-1ubuntu2.1
-------------- next part --------------
Sorry, changesfile not available.

More information about the Resolute-changes mailing list