Register | Log in

curl

command line tool for transferring data with URL syntax

Choose email to subscribe with

general

source: curl (main)
version: 7.86.0-2
maintainer: Alessandro Ghedini (DMD)
uploaders: Sergio Durigan Junior [DMD] – Samuel Henrique [DMD]
arch: all any
std-ver: 4.6.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 7.52.1-5+deb9u10
o-o-sec: 7.52.1-5+deb9u16
oldstable: 7.64.0-4+deb10u2
old-sec: 7.64.0-4+deb10u3
old-bpo: 7.74.0-1.2~bpo10+1
stable: 7.74.0-1.3+deb11u3
stable-sec: 7.74.0-1.3+deb11u2
stable-bpo: 7.85.0-1~bpo11+1
testing: 7.86.0-2
unstable: 7.86.0-2

versioned links

7.52.1-5+deb9u10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.52.1-5+deb9u16: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.64.0-4+deb10u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.64.0-4+deb10u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.74.0-1.2~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.74.0-1.3+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.74.0-1.3+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.85.0-1~bpo11+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.86.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

curl (34 bugs: 0, 25, 9, 0)
libcurl3-gnutls (10 bugs: 0, 10, 0, 0)
libcurl3-nss (1 bugs: 0, 1, 0, 0)
libcurl4 (1 bugs: 0, 1, 0, 0)
libcurl4-doc
libcurl4-gnutls-dev
libcurl4-nss-dev
libcurl4-openssl-dev (4 bugs: 0, 4, 0, 0)

action needed

3 security issues in buster high

There are 3 open security issues in buster.

2 important issues:

CVE-2022-32221: When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.
CVE-2022-35252: When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a"sister site" to deny service to all siblings.

1 issue postponed or untriaged:

CVE-2022-27774: (postponed; to be fixed through a stable update) An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.

Created: 2022-08-31 Last update: 2022-12-07 04:08

2 security issues in bullseye high

There are 2 open security issues in bullseye.

2 important issues:

CVE-2022-32221: When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.
CVE-2022-42916: In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.

Created: 2022-10-26 Last update: 2022-12-07 04:08

lintian reports 1 error and 6 warnings high

Lintian reports 1 error and 6 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2022-11-16 Last update: 2022-11-16 18:36

9 bugs tagged patch in the BTS normal

The BTS contains patches fixing 9 bugs (10 if counting merged bugs), consider including or untagging them.

Created: 2022-07-27 Last update: 2022-12-08 06:30

testing migrations

This package will soon be part of the auto-openldap transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[2022-11-22] curl 7.86.0-2 MIGRATED to testing (Debian testing watch)
[2022-11-22] curl 7.86.0-2 MIGRATED to testing (Debian testing watch)
[2022-11-15] Accepted curl 7.86.0-2 (source) into unstable (Samuel Henrique)
[2022-11-09] curl 7.86.0-1 MIGRATED to testing (Debian testing watch)
[2022-10-27] Accepted curl 7.86.0-1 (source) into unstable (Samuel Henrique)
[2022-09-10] Accepted curl 7.85.0-1~bpo11+1 (source) into bullseye-backports (Samuel Henrique)
[2022-09-07] curl 7.85.0-1 MIGRATED to testing (Debian testing watch)
[2022-09-04] Accepted curl 7.64.0-4+deb10u3 (source) into oldstable (Markus Koschany)
[2022-09-04] Accepted curl 7.74.0-1.3+deb11u3 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2022-09-04] Accepted curl 7.85.0-1 (source) into unstable (Samuel Henrique)
[2022-08-13] Accepted curl 7.74.0-1.3+deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2022-08-01] Accepted curl 7.74.0-1.3+deb11u2 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2022-07-17] Accepted curl 7.84.0-2~bpo11+1 (source) into bullseye-backports (Samuel Henrique)
[2022-07-17] curl 7.84.0-2 MIGRATED to testing (Debian testing watch)
[2022-07-17] curl 7.84.0-2 MIGRATED to testing (Debian testing watch)
[2022-07-11] Accepted curl 7.84.0-2 (source) into unstable (Samuel Henrique)
[2022-06-27] Accepted curl 7.84.0-1 (source) into unstable (Samuel Henrique)
[2022-06-20] curl 7.83.1-2 MIGRATED to testing (Debian testing watch)
[2022-06-14] Accepted curl 7.83.1-2 (source) into unstable (Samuel Henrique)
[2022-06-11] curl 7.83.1-1 MIGRATED to testing (Debian testing watch)
[2022-06-11] curl 7.83.1-1 MIGRATED to testing (Debian testing watch)
[2022-05-11] Accepted curl 7.83.1-1 (source) into unstable (Samuel Henrique)
[2022-05-04] curl 7.83.0-1 MIGRATED to testing (Debian testing watch)
[2022-05-04] curl 7.83.0-1 MIGRATED to testing (Debian testing watch)
[2022-04-28] Accepted curl 7.83.0-1 (source) into unstable (Samuel Henrique)
[2022-03-25] Accepted curl 7.82.0-2~bpo11+1 (source) into bullseye-backports (Samuel Henrique)
[2022-03-25] curl 7.82.0-2 MIGRATED to testing (Debian testing watch)
[2022-03-19] Accepted curl 7.82.0-2 (source) into unstable (Samuel Henrique)
[2022-03-05] Accepted curl 7.82.0-1 (source) into unstable (Samuel Henrique)
[2022-01-11] Accepted curl 7.81.0-1~bpo11+1 (source amd64 all) into bullseye-backports, bullseye-backports (Debian FTP Masters) (signed by: Samuel Henrique)

1
2

bugs [bug history graph]

all: 51 56
RC: 0
I&N: 42 45
M&W: 9 11
F&P: 0
patch: 9 10

links

homepage
lintian (1, 6)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 7.86.0-2
64 bugs (3 patches)

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing