diff -Nru curl-7.42.1/debian/changelog curl-7.42.1/debian/changelog --- curl-7.42.1/debian/changelog 2015-06-07 18:15:42.000000000 +0200 +++ curl-7.42.1/debian/changelog 2015-06-08 10:36:03.000000000 +0200 @@ -1,3 +1,23 @@ +curl (7.42.1-3ubuntu1) wily; urgency=low + + * Merge from Debian (LP: #1459685). Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + * Dropped patches: + - debian/patches/CVE-2015-3143.patch: upstream + - debian/patches/CVE-2015-3148.patch: upstream + - debian/patches/CVE-2015-3144.patch: upstream + - debian/patches/CVE-2015-3153.patch: upstream + - debian/patches/CVE-2014-8150.patch: upstream + - debian/patches/CVE-2015-3145.patch: upstream + * Dropped changes: + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + they seems to be broken since pre-trusty + + -- Gianfranco Costamagna Mon, 08 Jun 2015 10:35:57 +0200 + curl (7.42.1-3) unstable; urgency=medium * Update copyright 
@@ -55,6 +75,57 @@ -- Alessandro Ghedini Thu, 08 Jan 2015 10:47:24 +0100 +curl (7.38.0-3ubuntu3) wily; urgency=medium + + * SECURITY UPDATE: NTLM connection reuse when unauthenticated + - debian/patches/CVE-2015-3143.patch: require credentials to match in + lib/url.c. + - CVE-2015-3143 + * SECURITY UPDATE: host name out of boundary memory access + - debian/patches/CVE-2015-3144.patch: check for valid length in + lib/url.c. + - CVE-2015-3144 + * SECURITY UPDATE: cookie parser out of boundary memory access + - debian/patches/CVE-2015-3145.patch: properly handle a single double + quote in lib/cookie.c. + - CVE-2015-3145 + * SECURITY UPDATE: negotiate not treated as connection-oriented + - debian/patches/CVE-2015-3148.patch: close Negotiate connections when + done in lib/http.c. + - CVE-2015-3148 + * SECURITY UPDATE: sensitive HTTP server headers disclosure to proxies + - debian/patches/CVE-2015-3153.patch: make HTTP headers separated in + docs/libcurl/opts/CURLOPT_HEADEROPT.3, lib/url.c, + tests/data/test1527, tests/data/test287, tests/libtest/lib1527.c. + - CVE-2015-3153 + + -- Marc Deslauriers Tue, 05 May 2015 14:17:51 -0400 + +curl (7.38.0-3ubuntu2) vivid; urgency=medium + + * SECURITY UPDATE: URL request injection + - debian/patches/CVE-2014-8150.patch: drop bad chars from URL in + lib/url.c, added test to tests/data/Makefile.am, tests/data/test1529, + tests/libtest/Makefile.inc, tests/libtest/lib1529.c. + - CVE-2014-8150 + + -- Marc Deslauriers Wed, 14 Jan 2015 07:57:00 -0500 + +curl (7.38.0-3ubuntu1) vivid; urgency=medium + + * Merge from Debian. Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. 
+ * Dropped patches: + - debian/patches/09_fix-timeout-in-poll-and-wait.patch: upstream + - debian/patches/CVE-2014-3613.patch: upstream + - debian/patches/CVE-2014-3620.patch: upstream + + -- Marc Deslauriers Mon, 10 Nov 2014 08:48:21 -0500 + curl (7.38.0-3) unstable; urgency=high * Enable all hardening options (Closes: #763372) @@ -88,6 +159,40 @@ -- Alessandro Ghedini Wed, 10 Sep 2014 20:11:02 +0200 +curl (7.37.1-1ubuntu3) utopic; urgency=medium + + * debian/patches/09_fix-timeout-in-poll-and-wait.patch: apply upstream + commit fixing timeout return value for curl_poll and curl_wait_ms. + Thanks to Grzegorz Gutowski for finding the patch. (LP: #1375663) + + -- Brian Murray Thu, 02 Oct 2014 13:26:57 -0700 + +curl (7.37.1-1ubuntu2) utopic; urgency=medium + + * SECURITY UPDATE: incorrect cookie handling via partial literal IP + addresses + - debian/patches/CVE-2014-3613.patch: only use full host matches for + hosts used as IP address in lib/cookie.c, added tests to + tests/data/test1105, tests/data/test31, tests/data/test8. + - CVE-2014-3613 + * SECURITY UPDATE: incorrect cookie handling for TLDs + - debian/patches/CVE-2014-3620.patch: reject incoming cookies set for + TLDs in lib/cookie.c, added test to tests/data/test61. + - CVE-2014-3620 + + -- Marc Deslauriers Thu, 11 Sep 2014 08:15:47 -0400 + +curl (7.37.1-1ubuntu1) utopic; urgency=low + + * Merge from Debian unstable (LP: #1348564). Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + + -- Gianfranco Costamagna Fri, 25 Jul 2014 12:03:28 +0200 + curl (7.37.1-1) unstable; urgency=medium * New upstream release 
@@ -108,6 +213,17 @@ -- Alessandro Ghedini Wed, 21 May 2014 15:22:38 +0200 +curl (7.36.0-2ubuntu1) utopic; urgency=low + + * Merge from Debian unstable. Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + + -- Michael Vogt Wed, 30 Apr 2014 13:34:14 +0200 + curl (7.36.0-2) unstable; urgency=medium * Move Depends on -dev packages needed to use static libraries to Suggests @@ -130,6 +246,36 @@ -- Alessandro Ghedini Sun, 30 Mar 2014 15:36:35 +0200 +curl (7.35.0-1ubuntu2) trusty; urgency=medium + + * SECURITY UPDATE: wrong re-use of connections + - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM + HTTP logic, and extend new connection logic to other protocols in + lib/http.c, lib/url.c, lib/urldata.h, add new tests to + tests/data/Makefile.am, tests/data/test1418, tests/data/test1419. + - CVE-2014-0138 + * SECURITY UPDATE: incorrect wildcard SSL certificate validation with + literal IP addresses + - debian/patches/CVE-2014-0139.patch: fix wildcard logic in + lib/hostcheck.c, added tests to tests/data/Makefile.am, + tests/data/test1397, tests/unit/Makefile.inc, tests/unit/unit1397.c. + - CVE-2014-0139 + * debian/patches/fix_test172.path: fix expired cookie causing test to + fail. + + -- Marc Deslauriers Tue, 01 Apr 2014 09:25:23 -0400 + +curl (7.35.0-1ubuntu1) trusty; urgency=medium + + * Resynchronize on Debian, remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + + -- Marc Deslauriers Fri, 31 Jan 2014 08:42:28 -0500 + curl (7.35.0-1) unstable; urgency=high * New upstream release 
@@ -140,6 +286,18 @@ -- Alessandro Ghedini Wed, 29 Jan 2014 11:16:57 +0100 +curl (7.34.0-1ubuntu1) trusty; urgency=low + + * Resynchronize on Debian, remaining changes + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + * Dropped undocumented Build-Depends change to automake1.9. + + -- Marc Deslauriers Fri, 20 Dec 2013 09:13:22 -0500 + curl (7.34.0-1) unstable; urgency=high * New upstream release @@ -161,6 +319,17 @@ -- Alessandro Ghedini Wed, 11 Dec 2013 18:44:37 +0100 +curl (7.33.0-1ubuntu1) trusty; urgency=low + + * Resynchronize on Debian, remaining changes + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + + -- Sebastien Bacher Wed, 06 Nov 2013 10:45:28 +0100 + curl (7.33.0-1) unstable; urgency=low * New upstream release @@ -173,6 +342,18 @@ -- Alessandro Ghedini Mon, 14 Oct 2013 22:11:14 +0200 +curl (7.32.0-1ubuntu1) saucy; urgency=low + + * Merge from Debian unstable. Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + * Fixes freeipa-client join. (LP: #1220928) + + -- Ubuntu Merge-o-Matic Mon, 12 Aug 2013 15:39:32 +0000 + curl (7.32.0-1) unstable; urgency=low * New upstream release 
@@ -186,6 +367,17 @@ -- Alessandro Ghedini Mon, 12 Aug 2013 12:19:05 +0200 +curl (7.31.0-2ubuntu1) saucy; urgency=low + + * Merge from Debian, Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + + -- Oussama Bounaim Tue, 23 Jul 2013 18:42:00 +0100 + curl (7.31.0-2) unstable; urgency=high * Add 09_openssl-recv.patch to fix incorrect OpenSSL usage (Closes: #714050) @@ -193,6 +385,17 @@ -- Alessandro Ghedini Wed, 26 Jun 2013 11:47:00 +0200 +curl (7.31.0-1ubuntu1) saucy; urgency=low + + * Resynchronize on Debian. Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + + -- Sebastien Bacher Mon, 24 Jun 2013 13:36:52 +0200 + curl (7.31.0-1) unstable; urgency=low * New upstream release @@ -216,6 +419,18 @@ -- Alessandro Ghedini Fri, 10 May 2013 17:46:46 +0200 +curl (7.30.0-1ubuntu1) saucy; urgency=low + + * Resynchronize on Debian. Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + * Add warning to debian/patches/series. + + -- Sebastien Bacher Tue, 07 May 2013 12:16:37 +0200 + curl (7.30.0-1) unstable; urgency=low * New upstream release 
@@ -264,6 +479,36 @@ -- Alessandro Ghedini Mon, 11 Mar 2013 19:02:56 +0100 +curl (7.29.0-1ubuntu3) raring; urgency=low + + * SECURITY UPDATE: Incorrect cookie domain handling in tailmatch() + - debian/patches/09_curl-tailmatch.patch: enforce strict subdomain match + when sending cookies. Patch from YAMADA Yasuharu. + - http://curl.haxx.se/curl-tailmatch.patch + - CVE-2013-1944 + + -- Seth Arnold Wed, 10 Apr 2013 15:16:17 -0700 + +curl (7.29.0-1ubuntu2) raring; urgency=low + + * debian/patches/08_lp1124508.patch: Backport fix for upstream bug 1194, + segfault in curl_multi_cleanup() when multi->closure_handle is NULL. + (LP: #1124508) + + -- Barry Warsaw Wed, 03 Apr 2013 17:26:06 -0400 + +curl (7.29.0-1ubuntu1) raring; urgency=low + + * Resynchronise with Debian. Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + * Add warning to debian/patches/series. + + -- Marc Deslauriers Tue, 12 Feb 2013 08:54:32 -0500 + curl (7.29.0-1) unstable; urgency=high * New upstream release @@ -290,6 +535,17 @@ -- Alessandro Ghedini Mon, 26 Nov 2012 17:51:27 +0100 +curl (7.28.0-3ubuntu1) raring; urgency=low + + * Resynchronise with Debian. Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + + -- Colin Watson Wed, 28 Nov 2012 17:56:05 +0000 + curl (7.28.0-3) unstable; urgency=low * Add 07_do-not-disable-debug-symbols.patch, do not pass --enable-debug 
@@ -299,6 +555,24 @@ -- Alessandro Ghedini Sat, 17 Nov 2012 14:07:21 +0100 +curl (7.28.0-2ubuntu2) raring; urgency=low + + * Turn debian/libcurl3-udeb.install and debian/libcurl3-udeb.links back + into symlinks. + + -- Colin Watson Wed, 31 Oct 2012 10:55:24 +0000 + +curl (7.28.0-2ubuntu1) raring; urgency=low + + * Resynchronise with Debian. Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + + -- Colin Watson Wed, 31 Oct 2012 06:51:15 +0000 + curl (7.28.0-2) unstable; urgency=low * Add 05_fix-git-over-https.patch (Closes: #690551) @@ -318,6 +592,17 @@ -- Alessandro Ghedini Thu, 11 Oct 2012 19:11:09 +0200 +curl (7.27.0-1ubuntu1) quantal; urgency=low + + * Resynchronise with Debian. Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + + -- Colin Watson Mon, 20 Aug 2012 13:54:01 +0100 + curl (7.27.0-1) unstable; urgency=low * New upstream release @@ -326,6 +611,19 @@ -- Alessandro Ghedini Wed, 08 Aug 2012 17:22:00 +0200 +curl (7.26.0-1ubuntu1) quantal; urgency=low + + * Resynchronise with Debian. Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + * Adjust udeb configure flags handling to something easier to merge in + future. + + -- Colin Watson Mon, 28 May 2012 12:21:13 +0100 + curl (7.26.0-1) unstable; urgency=low * New upstream release 
@@ -341,6 +639,26 @@ -- Alessandro Ghedini Fri, 25 May 2012 15:19:51 +0200 +curl (7.25.0-1ubuntu2) quantal; urgency=low + + * Drop libssh2-1-dev Depends (not in main) from libcurl4-gnutls-dev and + libcurl4-nss-dev too. + + -- Colin Watson Tue, 22 May 2012 22:58:51 +0100 + +curl (7.25.0-1ubuntu1) quantal; urgency=low + + * Merge from Debian testing (LP: #1003049). Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from libcurl4-openssl-dev's Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + - Also closes (LP: #855291) + * debian/patches/CVE-2012-0036.patch: Dropped. CVE resolved upstream. + + -- Andres Rodriguez Tue, 22 May 2012 14:53:29 -0400 + curl (7.25.0-1) unstable; urgency=low * New upstream release 
@@ -414,6 +732,43 @@ -- Alessandro Ghedini Sun, 27 Nov 2011 18:45:01 +0100 +curl (7.22.0-3ubuntu4) precise; urgency=low + + * debian/control: Add missing Depends on libcrypto1.0.0-udeb. + + -- Andres Rodriguez Thu, 22 Mar 2012 18:40:30 -0400 + +curl (7.22.0-3ubuntu3) precise; urgency=low + + [ Andres Rodriguez ] + * Add curl-udeb package (LP: #940425) + + [ Dave Walker (Daviey) ] + * debian/rules: Remove --add-udeb= for libcurl3, and appended to + debian/shlibs.local at build time, which this package seems to + be using for undocumented reasoning. + + -- Dave Walker (Daviey) Fri, 09 Mar 2012 23:45:09 +0000 + +curl (7.22.0-3ubuntu2) precise; urgency=low + + * SECURITY UPDATE: URL sanitization vulnerability + - debian/patches/CVE-2012-0036.patch: reject URLs with embedded control + codes in lib/{escape.h,escape.c,imap.c,pop3.c,smtp.c}. + - CVE-2012-0036 + + -- Marc Deslauriers Tue, 24 Jan 2012 08:26:50 -0500 + +curl (7.22.0-3ubuntu1) precise; urgency=low + + * Merge from Debian unstable, remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from libcurl4-openssl-dev's Depends. + - Add new libcurl3-udeb package. + + -- Timo Aaltonen Fri, 25 Nov 2011 17:30:45 +0200 + curl (7.22.0-3) unstable; urgency=low [ Ramakrishnan Muthukrishnan ] @@ -452,6 +807,19 @@ -- Alessandro Ghedini Sun, 13 Nov 2011 21:07:32 +0100 +curl (7.21.7-3ubuntu1) precise; urgency=low + + * Merge from Debian testing, remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel and libssh2-1-dev. + + Drop libssh2-1-dev from libcurl4-openssl-dev's Depends. + - Add new libcurl3-udeb package, stripped down for use during + installation (LP: #831496). + * Dropped changes: + - debian/patches/timeout_bug_736216: applied upstream. + + -- James Page Thu, 20 Oct 2011 09:28:24 +0100 + curl (7.21.7-3) unstable; urgency=low * debian/rules: Build only curl and libcurl3 with rtmp support. Rest of the 
@@ -479,6 +847,33 @@ -- Ramakrishnan Muthukrishnan Sat, 30 Jul 2011 17:57:08 +0530 +curl (7.21.6-3ubuntu3) oneiric; urgency=low + + [ James Page, Colin Watson ] + * Add new libcurl3-udeb package, stripped down for use during installation + (LP: #831496). + + -- James Page Wed, 14 Sep 2011 17:31:37 +0100 + +curl (7.21.6-3ubuntu2) oneiric; urgency=low + + * debian/patches/timeout_bug_736216: cherry pick upstream + git revision d4e000906ac4ef243258a5c9a819a7cde247d16a to fix + handshake timeout bug (LP: #736216). Thanks to Sidnei da Silva + and Michael Vogt + + -- Jamie Strandboge Wed, 13 Jul 2011 12:08:54 -0500 + +curl (7.21.6-3ubuntu1) oneiric; urgency=low + + * Restore Ubuntu changes accidentally dropped in previous sync: + - Drop dependencies not in main: + + Build-Depends: Replace libssh2-1-dev with openssh-server. + Drop stunnel since it's in universe, as well. + + Drop libssh2-1-dev from libcurl4-openssl-dev's Depends. + + -- Steve Langasek Thu, 30 Jun 2011 23:40:23 +0000 + curl (7.21.6-3) unstable; urgency=low * Apply the Multiarch patch from Steve Langasek. diff -Nru curl-7.42.1/debian/control curl-7.42.1/debian/control --- curl-7.42.1/debian/control 2015-06-07 18:15:42.000000000 +0200 +++ curl-7.42.1/debian/control 2015-06-08 10:34:54.000000000 +0200 @@ -1,7 +1,8 @@ Source: curl Section: web Priority: optional -Maintainer: Alessandro Ghedini +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Alessandro Ghedini Uploaders: Ian Jackson Build-Depends: debhelper (>= 9), autoconf, @@ -14,13 +15,11 @@ libldap2-dev, libnss3-dev, librtmp-dev (>= 2.4+20131018.git79459a2-3~), - libssh2-1-dev, libssl-dev, libtool, openssh-server, python, quilt, - stunnel4, zlib1g-dev Build-Conflicts: autoconf2.13, automake1.4 Standards-Version: 3.9.6 @@ -128,7 +127,6 @@ libkrb5-dev, libldap2-dev, librtmp-dev, - libssh2-1-dev, libssl-dev, pkg-config, zlib1g-dev @@ -167,7 +165,6 @@ libkrb5-dev, libldap2-dev, librtmp-dev, - libssh2-1-dev, pkg-config, zlib1g-dev Multi-Arch: same 
@@ -205,7 +202,6 @@ libldap2-dev, libnss3-dev, librtmp-dev, - libssh2-1-dev, pkg-config, zlib1g-dev Multi-Arch: same
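Review bot: in the debian/changelog hunk @@ -1,3 +1,23 @@, the "Dropped changes" item removes the libcurl3-udeb and curl-udeb packages with only "they seems to be broken since pre-trusty" as justification and no bug reference. Please say what is broken, or cite the LP bug, so that a later merge can tell whether the udebs should come back, and fix the wording (for example "they seem to have been broken since before trusty"). The six "Dropped patches" entries marked only "upstream" do match the CVE patches introduced in the 7.38.0-3ubuntu2 and 7.38.0-3ubuntu3 entries further down, but they would be easier to audit if each named the upstream release that carries the fix.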
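Review bot: in the debian/control hunk @@ -14,13 +15,11 @@, Build-Depends loses libssh2-1-dev and stunnel4 while openssh-server stays, and the changelog documents this only as "Drop dependencies not in main". Without libssh2 the resulting curl has no SCP/SFTP support, and without stunnel the test suite cannot run its TLS-wrapped server tests at build time, so the changelog should record that this package has less feature and test coverage than the Debian one. Please also confirm whether openssh-server is still needed as a build dependency once libssh2-1-dev is gone.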