Accepted curl 7.74.0-1.3+deb11u7~bpo11+1 (source) into buster-backports
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 25 Mar 2023 22:13:33 +0000
Source: curl
Built-For-Profiles: nocheck
Architecture: source
Version: 7.74.0-1.3+deb11u7~bpo11+1
Distribution: buster-backports
Urgency: high
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Samuel Henrique <samueloph@debian.org>
Closes: 989064 990128 1018831 1030863
Changes:
curl (7.74.0-1.3+deb11u7~bpo11+1) buster-backports; urgency=medium
.
* Rebuild for buster-backports.
.
curl (7.74.0-1.3+deb11u7) bullseye-security; urgency=medium
.
* Fix CVE-2023-23916: HTTP multi-header compression denial of service:
- Done by d/p/CVE-2023-23916.patch.
.
curl (7.74.0-1.3+deb11u6) bullseye-security; urgency=high
.
* Follow up to CVE-2022-27774:
The revised patch for this CVE in 7.74.0-1.3+deb11u5 contained a defect
such that it incorrectly manages redirects with authentication. As a
result, authetication credentials are cleared in some instances where they
should be retained, breaking certain requests. The patch is corrected in
this version (closes: #1030863).
.
curl (7.74.0-1.3+deb11u5) bullseye-security; urgency=high
.
* Follow up to CVE-2022-27774:
The patch included to address this CVE in 7.74.0-1.3+deb11u2 was not
effective and the vulnerability was still present. The patch is corrected
and the vulberability addressed in this version. Thanks to Kamil Dudka
for providing the patches used in CentOS 8 and 9 and upon which the
corrected patch is based.
.
curl (7.74.0-1.3+deb11u4) bullseye-security; urgency=high
.
* Fix backport of patch for CVE-2021-22946, which was passing a wrong first
argument to ftp_state_user_resp, this was likely causing a regression when
using ftp.
* Backport two patches from upstream to solve 2 CVEs:
CVE-2022-32221.patch, CVE-2022-43552.patch.
- CVE-2022-32221
POST following PUT confusion When doing HTTP(S) transfers, libcurl might
erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data
to send, even when the CURLOPT_POSTFIELDS option has been set, if the
same handle previously was used to issue a PUT request which used that
callback.
.
This flaw may surprise the application and cause it to misbehave and
either send off the wrong data or use memory after free or similar in the
subsequent POST request.
- CVE-2022-43552
HTTP Proxy deny use-after-free curl can be asked to tunnel virtually all
protocols it supports through an HTTP proxy. HTTP proxies can (and often
do) deny such tunnel operations using an appropriate HTTP error response
code.
.
When getting denied to tunnel the specific protocols SMB or TELNET, curl
would use a heap-allocated struct after it had been freed, in its
transfer shutdown code path.
.
curl (7.74.0-1.3+deb11u3) bullseye; urgency=medium
.
* cookie: reject cookies with "control bytes" (CVE-2022-35252)
(Closes: #1018831)
* test8: verify that "ctrl-byte cookies" are ignored
.
curl (7.74.0-1.3+deb11u2) bullseye-security; urgency=high
.
* Non-maintainer upload.
* CVE-2021-22898:
curl suffers from an information disclosure when the `-t` command line
option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send
variable=content pairs to TELNET servers. Due to a flaw in the option
parser for sending NEW_ENV variables, libcurl could be made to pass on
uninitialized data from a stack based buffer to the server, resulting in
potentially revealing sensitive internal information to the server using a
clear-text network protocol.
* CVE-2021-22924:
libcurl keeps previously used connections in a connection pool for
subsequenttransfers to reuse, if one of them matches the setup.Due to
errors in the logic, the config matching function did not take 'issuercert'
into account and it compared the involved paths *case insensitively*,which
could lead to libcurl reusing wrong connections.File paths are, or can be,
case sensitive on many systems but not all, and caneven vary depending on
used file systems.The comparison also didn't include the 'issuer cert'
which a transfer can setto qualify how to verify the server certificate.
* CVE-2021-22945:
When sending data to an MQTT server, libcurl could in some circumstances
erroneously keep a pointer to an already freed memory area and both use
that again in a subsequent call to send data and also free it *again*.
* CVE-2021-22946:
A user can tell curl to require a successful upgrade to TLS when speaking
to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line
or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL`
withlibcurl). This requirement could be bypassed if the server would return
a properly crafted but perfectly legitimate response. This flaw would then
make curl silently continue its operations **withoutTLS** contrary to the
instructions and expectations, exposing possibly sensitive data in clear
text over the network.
* CVE-2021-22947:
When curl connects to an IMAP or POP3 server to retrieve data using
STARTTLS to upgrade to TLS security, the server can respond and send back
multiple responses at once that curl caches. curl would then upgrade to TLS
but not flush the in-queue of cached responses but instead continue using
and trustingthe responses it got *before* the TLS handshake as if they were
authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to
first inject the fake responses, then pass-through the TLS traffic from the
legitimate server and trick curl into sending data back to the user
thinking the attacker's injected data comes from the TLS-protected server.
* CVE-2022-22576:
An improper authentication vulnerability exists in curl which might allow
reuse OAUTH2-authenticated connections without properly making sure that
the connection was authenticated with the same credentials as set for this
transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S)
and LDAP(S) (openldap only).
* CVE-2022-27774:
An insufficiently protected credentials vulnerability exists in curl that
could allow an attacker to extract credentials when follows HTTP(S)
redirects is used with authentication could leak credentials to other
services that exist on different protocols or port numbers.
* CVE-2022-27775:
An information disclosure vulnerability exists in curl. By using an
IPv6 address that was in the connection pool but with a different zone id
it could reuse a connection instead.
* CVE-2022-27776:
A insufficiently protected credentials vulnerability in curl might leak
authentication or cookie header data on HTTP redirects to the same host but
another port number.
* CVE-2022-27781:
libcurl provides the `CURLOPT_CERTINFO` option to allow applications
torequest details to be returned about a server's certificate chain.Due to
an erroneous function, a malicious server could make libcurl built withNSS
get stuck in a never-ending busy-loop when trying to retrieve
thatinformation.
* CVE-2022-27782:
libcurl would reuse a previously created connection even when a TLS or
SSHrelated option had been changed that should have prohibited
reuse.libcurl keeps previously used connections in a connection pool for
subsequenttransfers to reuse if one of them matches the setup. However,
several TLS andSSH settings were left out from the configuration match
checks, making themmatch too easily.
* CVE-2022-32205:
A malicious server can serve excessive amounts of `Set-Cookie:` headers in
a HTTP response to curl and curl stores all of them. A sufficiently large
amount of (big) cookies make subsequent HTTP requests to this, or other
servers to which the cookies match, create requests that become larger than
the threshold that curl uses internally to avoid sending crazy large
requests (1048576 bytes) and instead returns an error. This denial state
might remain for as long as the same cookies are kept, match and haven't
expired. Due to cookie matching rules, a server on `foo.example.com` can
set cookies that also would match for `bar.example.com`, making it it
possible for a "sister server" to effectively cause a denial of service for
a sibling site on the same second level domain using this method.
* CVE-2022-32206:
curl supports "chained" HTTP compression algorithms, meaning that a
serverresponse can be compressed multiple times and potentially with
different algorithms. The number of acceptable "links" in this
"decompression chain" was unbounded, allowing a malicious server to insert
a virtually unlimited number of compression steps.The use of such a
decompression chain could result in a "malloc bomb", makingcurl end up
spending enormous amounts of allocated heap memory, or trying toand
returning out of memory errors.
* CVE-2022-32207:
When curl saves cookies, alt-svc and hsts data to local files, it makes the
operation atomic by finalizing the operation with a rename from a temporary
name to the final target file name.In that rename operation, it might
accidentally *widen* the permissions for the target file, leaving the
updated file accessible to more users than intended.
* CVE-2022-32208:
When curl does FTP transfers secured by krb5, it handles message
verification failures wrongly. This flaw makes it possible for a
Man-In-The-Middle attack to go unnoticed and even allows it to inject data
to the client.
.
curl (7.74.0-1.3+deb11u1) bullseye; urgency=medium
.
* Non-maintainer upload.
* Also remove -ffile-prefix-map from curl-config. (Closes: #990128)
.
curl (7.74.0-1.3) unstable; urgency=medium
.
* Non-maintainer upload.
* Add upstream patch bc7ecc7 so curl -w times shown as seconds with
fractions (Closes: #989064)
Checksums-Sha1:
a3d91376796896e28ac227397ae577380456d71a 2729 curl_7.74.0-1.3+deb11u7~bpo11+1.dsc
cd7239cf9223b39ade86a14eb37fe68f5656eae9 4043409 curl_7.74.0.orig.tar.gz
19d59fcd8c9a06f412eb94faabbf501389714bf5 61120 curl_7.74.0-1.3+deb11u7~bpo11+1.debian.tar.xz
631d28b22d4ddbac76f91f486137b5b95e70880b 11472 curl_7.74.0-1.3+deb11u7~bpo11+1_amd64.buildinfo
Checksums-Sha256:
14cbd416e0edb41d8d2d189d736ab86eb1caea8567336403b4047900bbf1c824 2729 curl_7.74.0-1.3+deb11u7~bpo11+1.dsc
e56b3921eeb7a2951959c02db0912b5fcd5fdba5aca071da819e1accf338bbd7 4043409 curl_7.74.0.orig.tar.gz
19a74f24ede345e3b0989c26cee7dc126745674255694c31e0686e163f23f1b9 61120 curl_7.74.0-1.3+deb11u7~bpo11+1.debian.tar.xz
d0c6eee2ce0cf4c0e1fcc7d64adb4a41425375814a653db0ca09155253769cf7 11472 curl_7.74.0-1.3+deb11u7~bpo11+1_amd64.buildinfo
Files:
4d86faaa174bc309d6b7ce4c765da636 2729 web optional curl_7.74.0-1.3+deb11u7~bpo11+1.dsc
45f468aa42c4af027c4c6ddba58267f0 4043409 web optional curl_7.74.0.orig.tar.gz
de96bbebcb0d2cf76d08de7579435457 61120 web optional curl_7.74.0-1.3+deb11u7~bpo11+1.debian.tar.xz
e1c1c69bfbf1fc6988dfe2d240f8a97a 11472 web optional curl_7.74.0-1.3+deb11u7~bpo11+1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEBdtqg34QX0sdAsVfu6n6rcz7RwcFAmQfc4YACgkQu6n6rcz7
RwcuCA/+Nc6UFdg1iDwwHERQQOvgm6rwPYR5QfY9cvJKHWjy6I3ddBLvzaBi6Mc7
pPcdEQtdxl06Tiae0vjp4BgKlcnoUypXIPJl4loibZixfu05w21z6plKBjRtaEA7
78p4Q9BzZCOFbj+0wBfRlYIfK0/n0j6FNQRMS1G9IzfBK85IJKKQulXSyj/uGENL
21fbA1tFGyCORd9gjr+B6t0I4nr7BWhT6lWeUc/caZtfkXpNZFE0ahHh+rxNZAMg
McN+CKOEE6PqYQyp7DWw9HIBAevOiohgRya6dslalWqz6LdbXXTSiaY1P01IrQc+
1VUsmPitwD6pmmQRP7b5ep5O6Ovn2xpjM94Kley5XqnsqBJQlVkPpwTKQWvoD8+A
IuZgINXVaoQZQRG0Icl715GmQPO8WEH/8u2JGq9Bk7MrYu6QeJ5SRgxkax3/xL4b
/Rb8nQ1qs9v3TQZbd6i9fSqyB8GCke92EuateiFDeem/Ix6yQHeYtzI8rEpGNEtJ
/pVeG1gWkCi0YbT3PdkLpuC6h8mYU6tzLlOsL/FwhGk7ThDXElO+gNk2VJ822Qwt
PzGtQ/R/saBT+kbzr1nWZGXq4T/CJUltFYkUrLEft5TjJdNLzfojXf3M0nER9PMa
PCP1ObrdeAzmitXKs82/WuAPSGit5Y8Ge9J5h5UvBJnxBqhyfU8=
=V3wM
-----END PGP SIGNATURE-----
Reply to: