Format: 1.8
Date: Thu, 17 Dec 2020 14:12:07 -0500
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg libcurl4-doc
Architecture: source
Version: 7.52.1-5+deb9u13
Distribution: stretch-security
Urgency: high
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Roberto C. Sánchez <roberto@debian.org>
Description:
 curl - command line tool for transferring data with URL syntax
 libcurl3 - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4-doc - documentation for libcurl
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 977161 977162 977163
Changes:
 curl (7.52.1-5+deb9u13) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2020-8284
     malicious server can use the FTP PASV response to trick curl into
     connecting back to a given IP address and port, and this way potentially
     make curl extract information about services that are otherwise private
     and not disclosed, for example doing port scanning and service banner
     extractions (Closes: #977163)
   * CVE-2020-8285
     curl is vulnerable to uncontrolled recursion due to a stack overflow
     issue in FTP wildcard match parsing (Closes: #977162)
   * CVE-2020-8286
     curl is vulnerable to an improper check for certificate revocation due
     to insufficient verification of the OCSP response (Closes: #977161)
Checksums-Sha1:
 ee6ecb3332355434e969e2e51ba22a2a512ec7ea 2797 curl_7.52.1-5+deb9u13.dsc
 e10855b3941a2acf7c35eed8fd2584a0ff6b458b 48744 curl_7.52.1-5+deb9u13.debian.tar.xz
 81c5252ee34d823d0dca062c8705ae4bffc95330 11276 curl_7.52.1-5+deb9u13_amd64.buildinfo
Checksums-Sha256:
 394b35eceaaf3c3545b3fcc673ef43c4d81f0f26f27392333e7c593e63c2d24e 2797 curl_7.52.1-5+deb9u13.dsc
 685ebde74e62c02bb6c0c55b0430be76ee85fe038f468b47330c23c18f74647f 48744 curl_7.52.1-5+deb9u13.debian.tar.xz
 8847473ae5741e3a1399355a938c16b4760b978bd45d4090072cbf90e22be160 11276 curl_7.52.1-5+deb9u13_amd64.buildinfo
Files:
 f722928468c7ba8986962e26a657fff3 2797 web optional curl_7.52.1-5+deb9u13.dsc
 4ca6e2ed5820446869e9d54297fdd31e 48744 web optional curl_7.52.1-5+deb9u13.debian.tar.xz
 63ab0be5d30f172a1cb1edc63214c186 11276 web optional curl_7.52.1-5+deb9u13_amd64.buildinfo