-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sat, 25 Mar 2023 22:13:33 +0000 Source: curl Built-For-Profiles: nocheck Architecture: source Version: 7.74.0-1.3+deb11u7~bpo11+1 Distribution: buster-backports Urgency: high Maintainer: Alessandro Ghedini <ghedo@debian.org> Changed-By: Samuel Henrique <samueloph@debian.org> Closes: 989064 990128 1018831 1030863 Changes: curl (7.74.0-1.3+deb11u7~bpo11+1) buster-backports; urgency=medium . * Rebuild for buster-backports. . curl (7.74.0-1.3+deb11u7) bullseye-security; urgency=medium . * Fix CVE-2023-23916: HTTP multi-header compression denial of service: - Done by d/p/CVE-2023-23916.patch. . curl (7.74.0-1.3+deb11u6) bullseye-security; urgency=high . * Follow up to CVE-2022-27774: The revised patch for this CVE in 7.74.0-1.3+deb11u5 contained a defect such that it incorrectly manages redirects with authentication. As a result, authetication credentials are cleared in some instances where they should be retained, breaking certain requests. The patch is corrected in this version (closes: #1030863). . curl (7.74.0-1.3+deb11u5) bullseye-security; urgency=high . * Follow up to CVE-2022-27774: The patch included to address this CVE in 7.74.0-1.3+deb11u2 was not effective and the vulnerability was still present. The patch is corrected and the vulberability addressed in this version. Thanks to Kamil Dudka for providing the patches used in CentOS 8 and 9 and upon which the corrected patch is based. . curl (7.74.0-1.3+deb11u4) bullseye-security; urgency=high . * Fix backport of patch for CVE-2021-22946, which was passing a wrong first argument to ftp_state_user_resp, this was likely causing a regression when using ftp. * Backport two patches from upstream to solve 2 CVEs: CVE-2022-32221.patch, CVE-2022-43552.patch. - CVE-2022-32221 POST following PUT confusion When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. . This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. - CVE-2022-43552 HTTP Proxy deny use-after-free curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations using an appropriate HTTP error response code. . When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path. . curl (7.74.0-1.3+deb11u3) bullseye; urgency=medium . * cookie: reject cookies with "control bytes" (CVE-2022-35252) (Closes: #1018831) * test8: verify that "ctrl-byte cookies" are ignored . curl (7.74.0-1.3+deb11u2) bullseye-security; urgency=high . * Non-maintainer upload. * CVE-2021-22898: curl suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol. * CVE-2021-22924: libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate. * CVE-2021-22945: When sending data to an MQTT server, libcurl could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*. * CVE-2021-22946: A user can tell curl to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response. This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network. * CVE-2021-22947: When curl connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server. * CVE-2022-22576: An improper authentication vulnerability exists in curl which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only). * CVE-2022-27774: An insufficiently protected credentials vulnerability exists in curl that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers. * CVE-2022-27775: An information disclosure vulnerability exists in curl. By using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead. * CVE-2022-27776: A insufficiently protected credentials vulnerability in curl might leak authentication or cookie header data on HTTP redirects to the same host but another port number. * CVE-2022-27781: libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation. * CVE-2022-27782: libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily. * CVE-2022-32205: A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error. This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method. * CVE-2022-32206: curl supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors. * CVE-2022-32207: When curl saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended. * CVE-2022-32208: When curl does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client. . curl (7.74.0-1.3+deb11u1) bullseye; urgency=medium . * Non-maintainer upload. * Also remove -ffile-prefix-map from curl-config. (Closes: #990128) . curl (7.74.0-1.3) unstable; urgency=medium . * Non-maintainer upload. * Add upstream patch bc7ecc7 so curl -w times shown as seconds with fractions (Closes: #989064) Checksums-Sha1: a3d91376796896e28ac227397ae577380456d71a 2729 curl_7.74.0-1.3+deb11u7~bpo11+1.dsc cd7239cf9223b39ade86a14eb37fe68f5656eae9 4043409 curl_7.74.0.orig.tar.gz 19d59fcd8c9a06f412eb94faabbf501389714bf5 61120 curl_7.74.0-1.3+deb11u7~bpo11+1.debian.tar.xz 631d28b22d4ddbac76f91f486137b5b95e70880b 11472 curl_7.74.0-1.3+deb11u7~bpo11+1_amd64.buildinfo Checksums-Sha256: 14cbd416e0edb41d8d2d189d736ab86eb1caea8567336403b4047900bbf1c824 2729 curl_7.74.0-1.3+deb11u7~bpo11+1.dsc e56b3921eeb7a2951959c02db0912b5fcd5fdba5aca071da819e1accf338bbd7 4043409 curl_7.74.0.orig.tar.gz 19a74f24ede345e3b0989c26cee7dc126745674255694c31e0686e163f23f1b9 61120 curl_7.74.0-1.3+deb11u7~bpo11+1.debian.tar.xz d0c6eee2ce0cf4c0e1fcc7d64adb4a41425375814a653db0ca09155253769cf7 11472 curl_7.74.0-1.3+deb11u7~bpo11+1_amd64.buildinfo Files: 4d86faaa174bc309d6b7ce4c765da636 2729 web optional curl_7.74.0-1.3+deb11u7~bpo11+1.dsc 45f468aa42c4af027c4c6ddba58267f0 4043409 web optional curl_7.74.0.orig.tar.gz de96bbebcb0d2cf76d08de7579435457 61120 web optional curl_7.74.0-1.3+deb11u7~bpo11+1.debian.tar.xz e1c1c69bfbf1fc6988dfe2d240f8a97a 11472 web optional curl_7.74.0-1.3+deb11u7~bpo11+1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEBdtqg34QX0sdAsVfu6n6rcz7RwcFAmQfc4YACgkQu6n6rcz7 RwcuCA/+Nc6UFdg1iDwwHERQQOvgm6rwPYR5QfY9cvJKHWjy6I3ddBLvzaBi6Mc7 pPcdEQtdxl06Tiae0vjp4BgKlcnoUypXIPJl4loibZixfu05w21z6plKBjRtaEA7 78p4Q9BzZCOFbj+0wBfRlYIfK0/n0j6FNQRMS1G9IzfBK85IJKKQulXSyj/uGENL 21fbA1tFGyCORd9gjr+B6t0I4nr7BWhT6lWeUc/caZtfkXpNZFE0ahHh+rxNZAMg McN+CKOEE6PqYQyp7DWw9HIBAevOiohgRya6dslalWqz6LdbXXTSiaY1P01IrQc+ 1VUsmPitwD6pmmQRP7b5ep5O6Ovn2xpjM94Kley5XqnsqBJQlVkPpwTKQWvoD8+A IuZgINXVaoQZQRG0Icl715GmQPO8WEH/8u2JGq9Bk7MrYu6QeJ5SRgxkax3/xL4b /Rb8nQ1qs9v3TQZbd6i9fSqyB8GCke92EuateiFDeem/Ix6yQHeYtzI8rEpGNEtJ /pVeG1gWkCi0YbT3PdkLpuC6h8mYU6tzLlOsL/FwhGk7ThDXElO+gNk2VJ822Qwt PzGtQ/R/saBT+kbzr1nWZGXq4T/CJUltFYkUrLEft5TjJdNLzfojXf3M0nER9PMa PCP1ObrdeAzmitXKs82/WuAPSGit5Y8Ge9J5h5UvBJnxBqhyfU8= =V3wM -----END PGP SIGNATURE-----