[ubuntu/vivid-proposed] curl 7.38.0-3ubuntu1 (Accepted)

Marc Deslauriers marc.deslauriers at ubuntu.com
Mon Nov 10 14:41:14 UTC 2014 

curl (7.38.0-3ubuntu1) vivid; urgency=medium

  * Merge from Debian. Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop stunnel4 and libssh2-1-dev.
      + Drop libssh2-1-dev from binary package Depends.
    - Add new libcurl3-udeb package.
    - Add new curl-udeb package.
  * Dropped patches:
    - debian/patches/09_fix-timeout-in-poll-and-wait.patch: upstream
    - debian/patches/CVE-2014-3613.patch: upstream
    - debian/patches/CVE-2014-3620.patch: upstream

curl (7.38.0-3) unstable; urgency=high

  * Enable all hardening options (Closes: #763372)
  * Fix duphandle read out of bounds as per CVE-2014-3707
    http://curl.haxx.se/docs/adv_20141105.html
  * Set urgency=high accordingly

curl (7.38.0-2) unstable; urgency=medium

  * Check for libtoolize instead of libtool during build.
    Thanks to Helmut Grohne for the patch (Closes: #761740)
  * Add README.source note regarding ordering of patches (Closes: #762193)
  * Add 10_fix-resolver.patch from upstream (Closes: #762014)

curl (7.38.0-1) unstable; urgency=medium

  * New upstream release
    - Only use full host matches for hosts used as IP address
      as per CVE-2014-3613
      http://curl.haxx.se/docs/adv_20140910A.html
    - Reject incoming cookies set for TLDs as per CVE-2014-3620
      http://curl.haxx.se/docs/adv_20140910B.html
  * Drop 08_link-curl-to-nss.patch (merged upstream)
  * Refresh patches
  * Fix wildcard-matches-nothing-in-dep5-copyright
  * Add 08_fix-spelling.patch

Date: Mon, 10 Nov 2014 08:48:21 -0500
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/curl/7.38.0-3ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 10 Nov 2014 08:48:21 -0500
Source: curl
Binary: curl curl-udeb libcurl3 libcurl3-udeb libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg libcurl4-doc
Architecture: source
Version: 7.38.0-3ubuntu1
Distribution: vivid
Urgency: high
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Description:
 curl       - command line tool for transferring data with URL syntax
 curl-udeb  - Get a file from an HTTP, HTTPS or FTP server (udeb)
 libcurl3   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl3-udeb - Multi-protocol file transfer library (OpenSSL) (udeb)
 libcurl4-doc - documentation for libcurl
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 761740 762014 762193 763372
Changes:
 curl (7.38.0-3ubuntu1) vivid; urgency=medium
 .
   * Merge from Debian. Remaining changes:
     - Drop dependencies not in main:
       + Build-Depends: Drop stunnel4 and libssh2-1-dev.
       + Drop libssh2-1-dev from binary package Depends.
     - Add new libcurl3-udeb package.
     - Add new curl-udeb package.
   * Dropped patches:
     - debian/patches/09_fix-timeout-in-poll-and-wait.patch: upstream
     - debian/patches/CVE-2014-3613.patch: upstream
     - debian/patches/CVE-2014-3620.patch: upstream
 .
 curl (7.38.0-3) unstable; urgency=high
 .
   * Enable all hardening options (Closes: #763372)
   * Fix duphandle read out of bounds as per CVE-2014-3707
     http://curl.haxx.se/docs/adv_20141105.html
   * Set urgency=high accordingly
 .
 curl (7.38.0-2) unstable; urgency=medium
 .
   * Check for libtoolize instead of libtool during build.
     Thanks to Helmut Grohne for the patch (Closes: #761740)
   * Add README.source note regarding ordering of patches (Closes: #762193)
   * Add 10_fix-resolver.patch from upstream (Closes: #762014)
 .
 curl (7.38.0-1) unstable; urgency=medium
 .
   * New upstream release
     - Only use full host matches for hosts used as IP address
       as per CVE-2014-3613
       http://curl.haxx.se/docs/adv_20140910A.html
     - Reject incoming cookies set for TLDs as per CVE-2014-3620
       http://curl.haxx.se/docs/adv_20140910B.html
   * Drop 08_link-curl-to-nss.patch (merged upstream)
   * Refresh patches
   * Fix wildcard-matches-nothing-in-dep5-copyright
   * Add 08_fix-spelling.patch
Checksums-Sha1:
 8d7a94f8d64bcd21e9bec8b1549e80f0f21099a5 2841 curl_7.38.0-3ubuntu1.dsc
 40d8ec9063f076005535139c9229ac77c57f0300 4094034 curl_7.38.0.orig.tar.gz
 a071c8ed220499b7ee181b76364c3934e7439395 31992 curl_7.38.0-3ubuntu1.debian.tar.xz
Checksums-Sha256:
 eba5b8513f7d77439d1d687f8e130989a8abfd0841a7692d1092fbaba0391767 2841 curl_7.38.0-3ubuntu1.dsc
 5661028aa6532882fa228cd23c99ddbb8b87643dbb1a7ea55c068d34a943dff1 4094034 curl_7.38.0.orig.tar.gz
 4b1311f22a4a3dc46422db369cc68de05052a566cdfa55efe7c934ef9c1f1227 31992 curl_7.38.0-3ubuntu1.debian.tar.xz
Files:
 e6ea92e827be281c0ad6e83682117cb1 2841 web optional curl_7.38.0-3ubuntu1.dsc
 b6e3ea55bb718f2270489581efa50a8a 4094034 web optional curl_7.38.0.orig.tar.gz
 2a211600018e3f65d9c162ae68c87473 31992 web optional curl_7.38.0-3ubuntu1.debian.tar.xz
Original-Maintainer: Alessandro Ghedini <ghedo at debian.org>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJUYMv/AAoJEGVp2FWnRL6TjZEP/3M3zwz2plQDwfzZ6QRsIvd7
cT0eNqn+MmQ4z4/31v7ATCc6P7aWtDo3VU8oHU9K+tR1lyvIDyM0LD5D/DVtmDaO
e1GM+KbHiuIZcAsamQIEcT813NQPuNH/+Ltbs1mPRe5O2fS1JWArxe2TZ5+SjDQb
2PY3Q3Hvfhv+0Ytr8q36QNQVAFOMl3gf2cqtOgq/QVUT2n7h6imR+Fz0lJzJw3o4
Pd8OWseDQ43WxDhG+fblhyK4GGaEQ7ont7cXZc3CHX9sUeDoRgOd4k8g+KBFypGa
yZBMI/34Psc5hOqSR3hS06N/+aYaxCWS+ooIcLV+JtTV1+eVCSKtuBmwFGTgQtWr
jLeEBoJSwS/1W7AoEVIJvIxCPnlwz3nqdXq3273i//gQ9sbBFORgQxeMBLIj7eL0
01CvqpyjYcAGLjQO1y4aUO3pp7WcjZenk97j68xwXbYRQRtXdITQRnl4gGe80uR/
dTi8DciUltJPgPqqEIje+lMPx474Jgxs8VXviFfKPtv4Hzm2VDpwLYL8OWPtZURh
DEh//Te9EdKcgsjpjhh+fPtL1QGmVUZk1hj8Sf5agQ1iZQMSjpWUcCVXAL6Sm4Yx
W3IIxUUYiVF304KWGD23UnzNDeBRI9qHqY8g1Ac4tR2WSZjPJ5EjbP+iNy4MFUJS
UIyZL5ZHfRBPd18QmTcM
=WtNA
-----END PGP SIGNATURE-----

More information about the Vivid-changes mailing list