[ubuntu/impish-proposed] curl 7.74.0-1.3ubuntu2 (Accepted)

Marc Deslauriers marc.deslauriers at ubuntu.com
Wed Sep 15 14:08:12 UTC 2021


curl (7.74.0-1.3ubuntu2) impish; urgency=medium

  * SECURITY UPDATE: UAF and double-free in MQTT sending
    - debian/patches/CVE-2021-22945.patch: clear the leftovers pointer when
      sending succeeds in lib/mqtt.c.
    - CVE-2021-22945
  * SECURITY UPDATE: Protocol downgrade required TLS bypassed
    - debian/patches/CVE-2021-22946.patch: do not ignore --ssl-reqd in
      lib/ftp.c, lib/imap.c, lib/pop3.c, tests/data/Makefile.inc,
      tests/data/test984, tests/data/test985, tests/data/test986.
    - CVE-2021-22946
  * SECURITY UPDATE: STARTTLS protocol injection via MITM
    - debian/patches/CVE-2021-22947.patch: reject STARTTLS server response
      pipelining in lib/ftp.c, lib/imap.c, lib/pop3.c, lib/smtp.c,
      tests/data/Makefile.inc, tests/data/test980, tests/data/test981,
      tests/data/test982, tests/data/test983.
    - CVE-2021-22947

Date: Wed, 15 Sep 2021 08:05:33 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/curl/7.74.0-1.3ubuntu2
-------------- next part --------------
Format: 1.8
Date: Wed, 15 Sep 2021 08:05:33 -0400
Source: curl
Built-For-Profiles: noudeb
Architecture: source
Version: 7.74.0-1.3ubuntu2
Distribution: impish
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Changes:
 curl (7.74.0-1.3ubuntu2) impish; urgency=medium
 .
   * SECURITY UPDATE: UAF and double-free in MQTT sending
     - debian/patches/CVE-2021-22945.patch: clear the leftovers pointer when
       sending succeeds in lib/mqtt.c.
     - CVE-2021-22945
   * SECURITY UPDATE: Protocol downgrade required TLS bypassed
     - debian/patches/CVE-2021-22946.patch: do not ignore --ssl-reqd in
       lib/ftp.c, lib/imap.c, lib/pop3.c, tests/data/Makefile.inc,
       tests/data/test984, tests/data/test985, tests/data/test986.
     - CVE-2021-22946
   * SECURITY UPDATE: STARTTLS protocol injection via MITM
     - debian/patches/CVE-2021-22947.patch: reject STARTTLS server response
       pipelining in lib/ftp.c, lib/imap.c, lib/pop3.c, lib/smtp.c,
       tests/data/Makefile.inc, tests/data/test980, tests/data/test981,
       tests/data/test982, tests/data/test983.
     - CVE-2021-22947
Checksums-Sha1:
 8d7b277e7fc49fe87c092ee76a8047f5ec922439 2771 curl_7.74.0-1.3ubuntu2.dsc
 698b90976e3cd5d71e3422db786ccf4d53a3b730 45780 curl_7.74.0-1.3ubuntu2.debian.tar.xz
 cd316b33be93ccb6e6696bdbc4ff631cbbd0864b 9826 curl_7.74.0-1.3ubuntu2_source.buildinfo
Checksums-Sha256:
 d71740ba7009b091c44154c2c536190f3019cf2e20c53b299252b9c6360061d9 2771 curl_7.74.0-1.3ubuntu2.dsc
 7ddcfca3ccf3a34ad20bde4dd29d0d247d868034d3bff5e96f227e5f2422db47 45780 curl_7.74.0-1.3ubuntu2.debian.tar.xz
 8fb6d55aedf3fd1c7a6e30a5ae513d4368c3140a7d89063efb181af6d2f2959c 9826 curl_7.74.0-1.3ubuntu2_source.buildinfo
Files:
 adcb89215f98005c4b909c26e54dad9f 2771 web optional curl_7.74.0-1.3ubuntu2.dsc
 b7a2969bafa39ad21779473ccf700107 45780 web optional curl_7.74.0-1.3ubuntu2.debian.tar.xz
 bfcdce94a1fa797a05f9dce64bec64e5 9826 web optional curl_7.74.0-1.3ubuntu2_source.buildinfo
Original-Maintainer: Alessandro Ghedini <ghedo at debian.org>

