[ubuntu/focal-security] curl 7.68.0-1ubuntu2.10 (Accepted)

Leonidas S. Barbosa leo.barbosa at canonical.com
Thu Apr 28 18:30:41 UTC 2022

curl (7.68.0-1ubuntu2.10) focal-security; urgency=medium

    - debian/patches/CVE-2022-22576.patch: check sasl additional
      parameters for conn reuse in lib/strcase.c, lib/strcase.h,
      lib/url.c, lib/urldata.h, lib/vtls/vtls.c.
    - CVE-2022-22576
  * SECURITY UPDATE: Credential leak on redirect
    - debian/patches/CVE-2022-27774-1.patch: store conn_remote_port
      in the info struct to make it available after the connection ended
      in lib/connect.c, lib/urldata.h.
    - debian/patches/CVE-2022-27774-2.patch: redirects to other protocols
      or ports clear auth in lib/transfer.c.
    - debian/patches/CVE-2022-27774-3*.patch: adds tests to verify
      these fixes in tests/data/Makefile.inc, tests/data/test973,
      tests/data/test974, tests/data/test975, tests/data/test976.
    - CVE-2022-27774
  * SECURITY UPDATE: Bad local IPV6 connection reuse
    - debian/patches/CVE-2022-27775.patch: include the zone id in the
      'bundle' hashkey in lib/conncache.c.
    - CVE-2022-27775
  * SECURITY UPDATE: Auth/cookie leak on redirect
    - debian/patches/CVE-2022-27776.patch: avoid auth/cookie on redirects
      same host diff port in lib/http.c, lib/urldata.h.
    - CVE-2022-27776
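The three redirect-related entries above (CVE-2022-27774 and CVE-2022-27776) all come down to one policy: credentials attached to the original request must not follow a redirect to a different scheme, host or port. The following is an added example written for this page, not curl's own code or its patches. It models that policy with a small URL-origin parser and a decision function; the `struct origin`, `parse_origin` and `may_forward_credentials` names, the default-port table and the sample URLs are all constructed for the example. Hosts are compared case-insensitively and an omitted port resolves to the scheme default, so `http://example.com/` and `http://example.com:80/` count as the same origin, while a same-host redirect to another port does not.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>

/* Minimal parsed origin (scheme, host, port). Constructed for this
   example; it is not curl's internal connection/URL representation. */
struct origin {
    char scheme[16];
    char host[256];
    int port;
};

/* Default port for the schemes this example understands. */
static int default_port(const char *scheme) {
    if (strcmp(scheme, "http") == 0) return 80;
    if (strcmp(scheme, "https") == 0) return 443;
    if (strcmp(scheme, "ftp") == 0) return 21;
    return -1;
}

/* Parse "scheme://host[:port]/..." into an origin. Bracketed IPv6
   literals (including a %zone suffix) are kept whole as the host.
   Returns 0 on success, -1 on malformed input. */
int parse_origin(const char *url, struct origin *out) {
    const char *p = strstr(url, "://");
    if (!p) return -1;
    size_t slen = (size_t)(p - url);
    if (slen == 0 || slen >= sizeof(out->scheme)) return -1;
    for (size_t i = 0; i < slen; i++)
        out->scheme[i] = (char)tolower((unsigned char)url[i]);
    out->scheme[slen] = '\0';

    p += 3;                         /* skip "://" */
    const char *end = p;
    if (*p == '[') {                /* bracketed IPv6 literal */
        end = strchr(p, ']');
        if (!end) return -1;
        end++;                      /* include the closing bracket */
    } else {
        while (*end && *end != ':' && *end != '/' && *end != '?' && *end != '#')
            end++;
    }
    size_t hlen = (size_t)(end - p);
    if (hlen == 0 || hlen >= sizeof(out->host)) return -1;
    for (size_t i = 0; i < hlen; i++)
        out->host[i] = (char)tolower((unsigned char)p[i]);
    out->host[hlen] = '\0';

    if (*end == ':') {              /* explicit port */
        char *q;
        long port = strtol(end + 1, &q, 10);
        if (q == end + 1 || port < 1 || port > 65535) return -1;
        out->port = (int)port;
    } else {                        /* implied port from the scheme */
        out->port = default_port(out->scheme);
        if (out->port < 0) return -1;
    }
    return 0;
}

/* Policy modelled on the fixes: Authorization/cookie state set for the
   original URL may be forwarded to the redirect target only when scheme,
   host and port all match. Any parse failure is treated as "do not forward". */
int may_forward_credentials(const char *original, const char *redirect) {
    struct origin a, b;
    if (parse_origin(original, &a) != 0 || parse_origin(redirect, &b) != 0)
        return 0;
    return strcmp(a.scheme, b.scheme) == 0 &&
           strcmp(a.host, b.host) == 0 &&
           a.port == b.port;
}

int main(void) {
    /* Constructed sample redirects, each paired with the policy's verdict. */
    const char *cases[][2] = {
        {"https://example.com/login",  "https://example.com/home"},        /* same origin */
        {"https://example.com/login",  "https://example.com:8443/home"},   /* same host, other port */
        {"https://example.com/login",  "http://example.com/home"},         /* other scheme */
        {"https://example.com/login",  "https://other.example.net/home"},  /* other host */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-30s -> %-32s forward credentials: %s\n", cases[i][0], cases[i][1],
               may_forward_credentials(cases[i][0], cases[i][1]) ? "yes" : "no");
    return 0;
}
```

The check is deliberately strict: a scheme change to plain `http` also changes the implied port, so it is refused on both counts, and the bracketed IPv6 form keeps any zone suffix inside the host string, so two link-local addresses that differ only in zone are treated as distinct origins.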

curl (7.68.0-1ubuntu2.8) focal; urgency=medium

  * Correctly initialize OpenSSL API to ensure that engines are only
    loaded and unloaded once. This prevents use-after-free and
    double-free errors when using OpenSSL engines. LP: #1940528

Date: 2022-04-26 22:32:10.380676+00:00
Changed-By: leo.barbosa at canonical.com (Leonidas S. Barbosa)