[ubuntu/bionic-security] curl 7.58.0-2ubuntu3.15 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Wed Sep 15 10:58:25 UTC 2021


curl (7.58.0-2ubuntu3.15) bionic-security; urgency=medium

  * SECURITY UPDATE: Protocol downgrade required TLS bypassed
    - debian/patches/CVE-2021-22946-pre1.patch: separate FTPS from FTP over
      HTTPS proxy in lib/ftp.c, lib/urldata.h.
    - debian/patches/CVE-2021-22946.patch: do not ignore --ssl-reqd in
      lib/ftp.c, lib/imap.c, lib/pop3.c, tests/data/Makefile.inc,
      tests/data/test984, tests/data/test985, tests/data/test986.
    - CVE-2021-22946
  * SECURITY UPDATE: STARTTLS protocol injection via MITM
    - debian/patches/CVE-2021-22947.patch: reject STARTTLS server response
      pipelining in lib/ftp.c, lib/imap.c, lib/pop3.c, lib/smtp.c,
      tests/data/Makefile.inc, tests/data/test980, tests/data/test981,
      tests/data/test982, tests/data/test983.
    - CVE-2021-22947

Date: 2021-09-10 18:39:08.836674+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.15
-------------- next part --------------
Sorry, changesfile not available.


More information about the Bionic-changes mailing list