[ubuntu/focal-updates] curl 7.68.0-1ubuntu2.10 (Accepted)
Ubuntu Archive Robot
ubuntu-archive-robot at lists.canonical.com
Thu Apr 28 19:28:18 UTC 2022
curl (7.68.0-1ubuntu2.10) focal-security; urgency=medium

  * SECURITY UPDATE: OAUTH2 bypass
    - debian/patches/CVE-2022-22576.patch: check sasl additional
      parameters for conn reuse in lib/strcase.c, lib/strcase.h,
      lib/url.c, lib/urldata.h, lib/vtls/vtls.c.
    - CVE-2022-22576
  * SECURITY UPDATE: Credential leak on redirect
    - debian/patches/CVE-2022-27774-1.patch: store conn_remote_port
      in the info struct to make it available after the connection ended
      in lib/connect.c, lib/urldata.h.
    - debian/patches/CVE-2022-27774-2.patch: redirects to other protocols
      or ports clear auth in lib/transfer.c.
    - debian/patches/CVE-2022-27774-3*.patch: adds tests to verify
      these fixes in tests/data/Makefile.inc, tests/data/test973,
      tests/data/test974, tests/data/test975, tests/data/test976.
    - CVE-2022-27774
  * SECURITY UPDATE: Bad local IPv6 connection reuse
    - debian/patches/CVE-2022-27775.patch: include the zone id in the
      'bundle' hashkey in lib/conncache.c.
    - CVE-2022-27775
  * SECURITY UPDATE: Auth/cookie leak on redirect
    - debian/patches/CVE-2022-27776.patch: avoid auth/cookie on redirects
      same host diff port in lib/http.c, lib/urldata.h.
    - CVE-2022-27776

curl (7.68.0-1ubuntu2.8) focal; urgency=medium

  * Correctly initialize OpenSSL API to ensure that engines are only
    loaded and unloaded once. This prevents use-after-free and
    double-free errors when using OpenSSL engines. LP: #1940528
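As an added illustration (not curl's code and not part of this changelog), the redirect rule behind the CVE-2022-27774 and CVE-2022-27776 entries expressed as a small Python check: stored credentials and cookie headers are forwarded only when scheme, host and port of the redirect target all match the original request. The header names and the default-port table are assumptions.

```python
from urllib.parse import urlsplit

# Default ports for the schemes this check knows (assumption; curl supports
# many more). A scheme missing here with no explicit port counts as unknown.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

# Request headers that must not follow a cross-origin redirect (assumed set).
SENSITIVE_HEADERS = {"authorization", "cookie"}


def origin_of(url):
    """Return (scheme, host, port) for url, or None if any part is unusable."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname          # lowercased, IPv6 brackets already stripped
    try:
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    if not scheme or not host or port is None:
        return None
    return (scheme, host, port)


def may_forward_credentials(original_url, redirect_url):
    """True only when the redirect stays on exactly the same origin.

    A change of scheme or port (the cases behind CVE-2022-27774 and
    CVE-2022-27776) or of host means stored credentials stay behind.
    """
    src, dst = origin_of(original_url), origin_of(redirect_url)
    return src is not None and src == dst


def headers_for_redirect(headers, original_url, redirect_url):
    """Copy of headers with the sensitive ones dropped on a cross-origin hop."""
    if may_forward_credentials(original_url, redirect_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


if __name__ == "__main__":
    # Constructed sample: same host, different port, as in CVE-2022-27776.
    sample = {"Authorization": "Basic dXNlcjpwdw==", "Cookie": "sid=1", "Accept": "*/*"}
    print(headers_for_redirect(sample, "https://example.com/a", "https://example.com:8443/b"))
```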
Date: 2022-04-26 22:32:10.380676+00:00
Changed-By: leo.barbosa at canonical.com (Leonidas S. Barbosa)
Signed-By: Ubuntu Archive Robot <ubuntu-archive-robot at lists.canonical.com>
https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.10