[ubuntu/groovy-security] curl 7.68.0-1ubuntu4.2 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Wed Dec 9 11:59:10 UTC 2020

curl (7.68.0-1ubuntu4.2) groovy-security; urgency=medium

  * SECURITY UPDATE: wrong connect-only connection
    - debian/patches/CVE-2020-8231.patch: remember last connection by id,
      not by pointer in lib/connect.c, lib/easy.c, lib/multi.c, lib/url.c,
    - CVE-2020-8231
  * SECURITY UPDATE: FTP redirect to malicious host via PASV response
    - debian/patches/CVE-2020-8284.patch: use CURLOPT_FTP_SKIP_PASV_IP by
      default in lib/url.c, src/tool_cfgable.c, docs/*, tests/data/*.
    - CVE-2020-8284
  * SECURITY UPDATE: FTP wildcard stack buffer overflow in libcurl
    - debian/patches/CVE-2020-8285.patch: make wc_statemach loop instead of
      recurse in lib/ftp.c.
    - CVE-2020-8285
  * SECURITY UPDATE: Inferior OCSP verification
    - debian/patches/CVE-2020-8286.patch: make the OCSP verification verify
      the certificate id in lib/vtls/openssl.c.
    - CVE-2020-8286

Date: 2020-12-07 14:32:14.719812+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
-------------- next part --------------
Sorry, changesfile not available.

More information about the Groovy-changes mailing list