Debian Package Tracker

general

source: curl (main)
version: 7.61.0-1
maintainer: Alessandro Ghedini [DMD]
uploaders: Ian Jackson [DMD]
arch: all any
std-ver: 4.2.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 7.26.0-1+wheezy13
o-o-sec: 7.26.0-1+wheezy25+deb7u1
oldstable: 7.38.0-4+deb8u11
old-sec: 7.38.0-4+deb8u12
stable: 7.52.1-5+deb9u6
stable-sec: 7.52.1-5+deb9u7
testing: 7.61.0-1
unstable: 7.61.0-1

versioned links

7.26.0-1+wheezy13: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.26.0-1+wheezy25+deb7u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.38.0-4+deb8u11: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.38.0-4+deb8u12: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.52.1-5+deb9u6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.52.1-5+deb9u7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.56.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.58.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.60.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.61.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

curl
libcurl3-gnutls
libcurl3-nss
libcurl4
libcurl4-doc
libcurl4-gnutls-dev
libcurl4-nss-dev
libcurl4-openssl-dev

action needed

A new upstream version is available: 7.61.1 high

A new upstream version 7.61.1 is available, you should consider packaging it.

Created: 2018-09-08 Last update: 2018-09-18 17:26

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2018-14618: curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)

Please fix it.

Created: 2018-09-04 Last update: 2018-09-13 07:20

1 security issue in buster high

There is 1 open security issue in buster.

1 important issue:

CVE-2018-14618: curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)

Please fix it.

Created: 2018-09-04 Last update: 2018-09-13 07:20

lintian reports 2 errors and 16 warnings high

Lintian reports 2 errors and 16 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2015-03-04 Last update: 2018-07-31 07:46

3 bugs tagged patch in the BTS normal

The BTS contains patches fixing 3 bugs (4 if counting merged bugs), consider including or untagging them.

Created: 2017-11-21 Last update: 2018-09-18 19:42

Depends on packages which need a new maintainer normal

The packages that curl depends on which need a new maintainer are:

dh-exec (#851746)
- Build-Depends: dh-exec

Created: 2017-12-02 Last update: 2018-09-18 18:00

Multiarch hinter reports 1 issue(s) low

There are issues with the multiarch metadata for this package.

libcurl4-doc could be marked Multi-Arch: foreign

Created: 2016-09-14 Last update: 2018-09-18 19:36

4 ignored security issues in jessie low

There are 4 open security issues in jessie.

4 issues skipped by the security teams:

CVE-2016-8625: curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.
CVE-2016-9586: curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks.
CVE-2016-7141: curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.
CVE-2016-7167: Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.

Please fix them.

Created: 2016-09-06 Last update: 2018-09-13 07:20

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.2.1 instead of 4.2.0).

Created: 2018-08-26 Last update: 2018-08-26 08:16

news

[rss feed]

[2018-09-08] Accepted curl 7.38.0-4+deb8u12 (source amd64 all) into oldstable (Chris Lamb)
[2018-09-05] Accepted curl 7.52.1-5+deb9u7 (source) into stable->embargoed, stable (Alessandro Ghedini)
[2018-08-16] curl 7.61.0-1 MIGRATED to testing (Debian testing watch)
[2018-08-11] Accepted curl 7.61.0-1 (source) into unstable (Alessandro Ghedini)
[2018-05-31] curl 7.60.0-2 MIGRATED to testing (Debian testing watch)
[2018-05-28] Accepted curl 7.60.0-2 (source amd64 all) into unstable, unstable (Alessandro Ghedini)
[2018-05-25] curl 7.60.0-1 MIGRATED to testing (Debian testing watch)
[2018-05-18] Accepted curl 7.60.0-1 (source) into unstable (Alessandro Ghedini)
[2018-05-17] Accepted curl 7.52.1-5+deb9u6 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Alessandro Ghedini)
[2018-05-17] Accepted curl 7.38.0-4+deb8u11 (source amd64 all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Alessandro Ghedini)
[2018-05-16] Accepted curl 7.38.0-4+deb8u11 (source amd64 all) into oldstable->embargoed, oldstable (Alessandro Ghedini)
[2018-05-16] Accepted curl 7.52.1-5+deb9u6 (source amd64 all) into stable->embargoed, stable (Alessandro Ghedini)
[2018-05-16] Accepted curl 7.26.0-1+wheezy25+deb7u1 (source amd64) into oldoldstable (Chris Lamb)
[2018-03-18] Accepted curl 7.26.0-1+wheezy25 (source armhf) into oldoldstable (Santiago R.R.) (signed by: Santiago Ruano Rincón)
[2018-03-18] Accepted curl 7.26.0-1+wheezy25 (source armhf) into oldoldstable (Santiago R.R.) (signed by: Santiago Ruano Rincón)
[2018-03-17] Accepted curl 7.38.0-4+deb8u10 (source amd64 all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Alessandro Ghedini)
[2018-03-17] Accepted curl 7.52.1-5+deb9u5 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Alessandro Ghedini)
[2018-03-14] Accepted curl 7.52.1-5+deb9u5 (source amd64 all) into stable->embargoed, stable (Alessandro Ghedini)
[2018-03-14] Accepted curl 7.38.0-4+deb8u10 (source amd64 all) into oldstable->embargoed, oldstable (Alessandro Ghedini)
[2018-03-01] Accepted curl 7.58.0-3 (source amd64 all) into experimental, experimental (Alessandro Ghedini)
[2018-02-10] Accepted curl 7.38.0-4+deb8u9 (source amd64 all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Alessandro Ghedini)
[2018-02-08] Accepted curl 7.52.1-5+deb9u4 (source) into proposed-updates->stable-new, proposed-updates (Alessandro Ghedini)
[2018-01-30] curl 7.58.0-2 MIGRATED to testing (Debian testing watch)
[2018-01-29] Accepted curl 7.26.0-1+wheezy24 (source amd64) into oldoldstable (Thorsten Alteholz)
[2018-01-24] Accepted curl 7.58.0-2 (source amd64 all) into unstable (Alessandro Ghedini)
[2018-01-24] Accepted curl 7.58.0-1 (source) into unstable (Alessandro Ghedini)
[2017-12-06] curl 7.57.0-1 MIGRATED to testing (Debian testing watch)
[2017-12-02] Accepted curl 7.38.0-4+deb8u8 (source amd64 all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Yves-Alexis Perez)
[2017-12-02] Accepted curl 7.52.1-5+deb9u3 (source) into proposed-updates->stable-new, proposed-updates (Yves-Alexis Perez)
[2017-11-30] Accepted curl 7.57.0-1 (source) into unstable (Alessandro Ghedini)

bugs [bug history graph]

all: 36 41
RC: 1
I&N: 25 27
M&W: 7 9
F&P: 0
patch: 3 4

links

homepage
lintian (2, 16)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 7.61.0-1ubuntu1
52 bugs (5 patches)
patches for 7.61.0-1ubuntu1