[ubuntu/kinetic-security] curl 7.85.0-1ubuntu0.3 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Mon Feb 27 12:26:38 UTC 2023


curl (7.85.0-1ubuntu0.3) kinetic-security; urgency=medium

  * SECURITY UPDATE: multiple HSTS issues
    - debian/patches/CVE-2023-23914_5-1.patch: add sharing of HSTS cache
      among handles in docs/libcurl/opts/CURLSHOPT_SHARE.3,
      docs/libcurl/symbols-in-versions, include/curl/curl.h, lib/hsts.c,
      lib/hsts.h, lib/setopt.c, lib/share.c, lib/share.h, lib/transfer.c,
      lib/url.c, lib/urldata.h.
    - debian/patches/CVE-2023-23914_5-2.patch: share HSTS between handles
      in src/tool_operate.c.
    - debian/patches/CVE-2023-23914_5-3.patch: handle adding the same host
      name again in lib/hsts.c.
    - debian/patches/CVE-2023-23914_5-4.patch: support crlf="yes" for
      verify/proxy in tests/FILEFORMAT.md, tests/runtests.pl.
    - debian/patches/CVE-2023-23914_5-5.patch: verify hsts with two URLs in
      tests/data/Makefile.inc, tests/data/test446.
    - CVE-2023-23914
    - CVE-2023-23915
  * SECURITY UPDATE: HTTP multi-header compression denial of service
    - debian/patches/CVE-2023-23916-pre1.patch: do CRLF replacements in
      tests/FILEFORMAT.md, tests/data/test1, tests/runtests.pl.
    - debian/patches/CVE-2023-23916.patch: do not reset stage counter for
      each header in lib/content_encoding.c, lib/urldata.h,
      tests/data/Makefile.inc, tests/data/test387, tests/data/test418.
    - CVE-2023-23916

Date: 2023-02-16 15:19:09.816864+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/curl/7.85.0-1ubuntu0.3