[ubuntu/hardy-security] curl 7.18.0-1ubuntu2.3 (Accepted)

Steve Beattie sbeattie at ubuntu.com
Thu Jun 23 23:04:36 UTC 2011


curl (7.18.0-1ubuntu2.3) hardy-security; urgency=low

  * SECURITY UPDATE: libcurl unconditional credential delegation during
    GSSAPI authentication vulnerability.
    - debian/patches/0001-Curl_input_negotiate-do-not-delegate-credentials.patch:
      do not delegate credentials when doing GSSAPI authentication
    - CVE-2011-2192
  * SECURITY UPDATE: libcurl zlib automatic decompression callback
    data buffer overflow
    - debian/patches/libcurl-contentencoding.patch: restrict amount of
      callback data sent to an application
    - CVE-2010-0734
  * SECURITY UPDATE: SSL cert hostname checking bypass with NULL byte.
    - debian/patches/series: adjust patch ordering so that
      debian/patches/cert-null-cn gets applied at build time
    - CVE-2009-2417

Date: Wed, 08 Jun 2011 16:51:02 -0700
Changed-By: Steve Beattie <sbeattie at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/hardy/+source/curl/7.18.0-1ubuntu2.3
-------------- next part --------------
Format: 1.7
Date: Wed, 08 Jun 2011 16:51:02 -0700
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl4-openssl-dev libcurl4-gnutls-dev libcurl3-dbg
Architecture: source
Version: 7.18.0-1ubuntu2.3
Distribution: hardy-security
Urgency: low
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Steve Beattie <sbeattie at ubuntu.com>
Description: 
 curl       - Get a file from an HTTP, HTTPS or FTP server
 libcurl3   - Multi-protocol file transfer library (OpenSSL)
 libcurl3-dbg - libcurl compiled with debug symbols
 libcurl3-gnutls - Multi-protocol file transfer library (GnuTLS)
 libcurl4-gnutls-dev - Development files and documentation for libcurl (GnuTLS)
 libcurl4-openssl-dev - Development files and documentation for libcurl (OpenSSL)
Changes: 
 curl (7.18.0-1ubuntu2.3) hardy-security; urgency=low
 .
   * SECURITY UPDATE: libcurl unconditional credential delegation during
     GSSAPI authentication vulnerability.
     - debian/patches/0001-Curl_input_negotiate-do-not-delegate-credentials.patch:
       do not delegate credentials when doing GSSAPI authentication
     - CVE-2011-2192
   * SECURITY UPDATE: libcurl zlib automatic decompression callback
     data buffer overflow
     - debian/patches/libcurl-contentencoding.patch: restrict amount of
       callback data sent to an application
     - CVE-2010-0734
   * SECURITY UPDATE: SSL cert hostname checking bypass with NULL byte.
     - debian/patches/series: adjust patch ordering so that
       debian/patches/cert-null-cn gets applied at build time
     - CVE-2009-2417
Files: 
 f4c2e0ce1bdc60a06f142254fd0c6714 1737 web optional curl_7.18.0-1ubuntu2.3.dsc
 63e0f92fddd63372c131f67dd35b151f 25218 web optional curl_7.18.0-1ubuntu2.3.diff.gz
Original-Maintainer: Domenico Andreoli <cavok at debian.org>

