[ubuntu/wily-proposed] curl 7.38.0-3ubuntu3 (Accepted)

Marc Deslauriers marc.deslauriers at ubuntu.com
Tue May 5 18:22:11 UTC 2015


curl (7.38.0-3ubuntu3) wily; urgency=medium

  * SECURITY UPDATE: NTLM connection reuse when unauthenticated
    - debian/patches/CVE-2015-3143.patch: require credentials to match in
      lib/url.c.
    - CVE-2015-3143
  * SECURITY UPDATE: host name out of boundary memory access
    - debian/patches/CVE-2015-3144.patch: check for valid length in
      lib/url.c.
    - CVE-2015-3144
  * SECURITY UPDATE: cookie parser out of boundary memory access
    - debian/patches/CVE-2015-3145.patch: properly handle a single double
      quote in lib/cookie.c.
    - CVE-2015-3145
  * SECURITY UPDATE: negotiate not treated as connection-oriented
    - debian/patches/CVE-2015-3148.patch: close Negotiate connections when
      done in lib/http.c.
    - CVE-2015-3148
  * SECURITY UPDATE: sensitive HTTP server headers disclosure to proxies
    - debian/patches/CVE-2015-3153.patch: make HTTP headers separated in
      docs/libcurl/opts/CURLOPT_HEADEROPT.3, lib/url.c,
      tests/data/test1527, tests/data/test287, tests/libtest/lib1527.c.
    - CVE-2015-3153

Date: Tue, 05 May 2015 14:17:51 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/curl/7.38.0-3ubuntu3
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 May 2015 14:17:51 -0400
Source: curl
Binary: curl curl-udeb libcurl3 libcurl3-udeb libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg libcurl4-doc
Architecture: source
Version: 7.38.0-3ubuntu3
Distribution: wily
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Description:
 curl       - command line tool for transferring data with URL syntax
 curl-udeb  - Get a file from an HTTP, HTTPS or FTP server (udeb)
 libcurl3   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl3-udeb - Multi-protocol file transfer library (OpenSSL) (udeb)
 libcurl4-doc - documentation for libcurl
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Changes:
 curl (7.38.0-3ubuntu3) wily; urgency=medium
 .
   * SECURITY UPDATE: NTLM connection reuse when unauthenticated
     - debian/patches/CVE-2015-3143.patch: require credentials to match in
       lib/url.c.
     - CVE-2015-3143
   * SECURITY UPDATE: host name out of boundary memory access
     - debian/patches/CVE-2015-3144.patch: check for valid length in
       lib/url.c.
     - CVE-2015-3144
   * SECURITY UPDATE: cookie parser out of boundary memory access
     - debian/patches/CVE-2015-3145.patch: properly handle a single double
       quote in lib/cookie.c.
     - CVE-2015-3145
   * SECURITY UPDATE: negotiate not treated as connection-oriented
     - debian/patches/CVE-2015-3148.patch: close Negotiate connections when
       done in lib/http.c.
     - CVE-2015-3148
   * SECURITY UPDATE: sensitive HTTP server headers disclosure to proxies
     - debian/patches/CVE-2015-3153.patch: make HTTP headers separated in
       docs/libcurl/opts/CURLOPT_HEADEROPT.3, lib/url.c,
       tests/data/test1527, tests/data/test287, tests/libtest/lib1527.c.
     - CVE-2015-3153
Checksums-Sha1:
 72f27bc884e061bc23b1e6e9a1958606d3bbd510 2841 curl_7.38.0-3ubuntu3.dsc
 08b71bb8460aab213110c77a4031aa1ae8187d7a 36108 curl_7.38.0-3ubuntu3.debian.tar.xz
Checksums-Sha256:
 83cbb35e1b525bb0803d5b06d0bd75a9da5c09bf250a06bcfd9dfea564f02815 2841 curl_7.38.0-3ubuntu3.dsc
 129a7324e8365a78777a41df7e7ca395937dd1701568e4a35c48e6d4efd304ca 36108 curl_7.38.0-3ubuntu3.debian.tar.xz
Files:
 47e33f4417b973f35c307fcc63384015 2841 web optional curl_7.38.0-3ubuntu3.dsc
 c7d0b9c7a7f766795b6c9c36f92795af 36108 web optional curl_7.38.0-3ubuntu3.debian.tar.xz
Original-Maintainer: Alessandro Ghedini <ghedo at debian.org>
