-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 29 Sep 2021 21:03:02 +0200
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg libcurl4-doc
Architecture: source amd64 all
Version: 7.52.1-5+deb9u16
Distribution: stretch-security
Urgency: medium
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description:
 curl - command line tool for transferring data with URL syntax
 libcurl3 - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4-doc - documentation for libcurl
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Changes:
 curl (7.52.1-5+deb9u16) stretch-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2021-22946
     Crafted answers from a server might force clients to not use TLS on
     connections though TLS was required and expected.
   * CVE-2021-22947
     When using STARTTLS to initiate a TLS connection, the server might
     send multiple answers before the TLS upgrade and such the client
     would handle them as being trusted. This could be used by a
     MITM-attacker to inject fake response data.