curl - Debian Package Tracker

general

source: curl (main)
version: 7.74.0-1.2
maintainer: Alessandro Ghedini (DMD)
arch: all any
std-ver: 4.5.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 7.52.1-5+deb9u10
old-sec: 7.52.1-5+deb9u13
stable: 7.64.0-4+deb10u1
stable-sec: 7.64.0-4+deb10u2
stable-p-u: 7.64.0-4+deb10u2
testing: 7.74.0-1.1
unstable: 7.74.0-1.2

versioned links

7.52.1-5+deb9u10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.52.1-5+deb9u13: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.64.0-4+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.64.0-4+deb10u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.74.0-1.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.74.0-1.2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

curl (34 bugs: 0, 24, 10, 0)
libcurl3-gnutls (7 bugs: 0, 7, 0, 0)
libcurl3-nss (1 bugs: 0, 1, 0, 0)
libcurl4 (2 bugs: 1, 1, 0, 0)
libcurl4-doc
libcurl4-gnutls-dev
libcurl4-nss-dev
libcurl4-openssl-dev (3 bugs: 0, 3, 0, 0)

action needed

A new upstream version is available: 7.76.0 high

A new upstream version 7.76.0 is available, you should consider packaging it.

Created: 2021-02-05 Last update: 2021-04-11 02:30

Multiarch hinter reports 4 issue(s) high

There are issues with the multiarch metadata for this package.

libcurl4-gnutls-dev conflicts on /usr/bin/curl-config on any two of amd64, arm64, armel, armhf, and 5 more
libcurl4-nss-dev conflicts on /usr/bin/curl-config on any two of amd64, arm64, armel, armhf, and 5 more
libcurl4-openssl-dev conflicts on /usr/bin/curl-config on any two of amd64, arm64, armel, armhf, and 5 more
libcurl4-doc could be marked Multi-Arch: foreign

Created: 2016-09-14 Last update: 2021-04-11 01:35

1 security issue in stretch high

There is 1 open security issue in stretch.

1 important issue:

CVE-2021-22876: curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

Created: 2021-03-31 Last update: 2021-04-08 17:30

2 security issues in bullseye high

There are 2 open security issues in bullseye.

2 important issues:

CVE-2021-22876: curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.
CVE-2021-22890: curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.

Created: 2021-03-31 Last update: 2021-04-08 17:30

The VCS repository is not up to date, push the missing commits. high

vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS are out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (remote HEAD branch), which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate what branch is used for the Debian packaging.

Created: 2021-04-08 Last update: 2021-04-08 15:05

6 bugs tagged patch in the BTS normal

The BTS contains patches fixing 6 bugs (7 if counting merged bugs), consider including or untagging them.

Created: 2020-10-19 Last update: 2021-04-11 07:30

Depends on packages which need a new maintainer normal

The packages that curl depends on which need a new maintainer are:

dh-exec (#851746)
- Build-Depends: dh-exec

Created: 2019-11-22 Last update: 2021-04-11 06:32

testing migrations

This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
excuses:
- Migration status for curl (7.74.0-1.1 to 7.74.0-1.2): Waiting for test results, another package or too young (no action required now - check later)
- Issues preventing migration:
- Too young, only 3 of 5 days old
- Additional info:
- Updating curl fixes old bugs: #986269, #986270
- Piuparts tested OK - https://piuparts.debian.org/sid/source/c/curl.html
- autopkgtest for libreoffice/blacklisted: arm64: Ignored failure, ppc64el: Ignored failure
- Overriding age needed from 5 days to 5 by ivodd
- Ignoring block request by freeze, due to unblock request by ivodd
- Not considered

news

[rss feed]

[2021-04-08] Accepted curl 7.74.0-1.2 (source) into unstable (Salvatore Bonaccorso)
[2021-04-05] Accepted curl 7.64.0-4+deb10u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Alessandro Ghedini)
[2021-03-31] Accepted curl 7.64.0-4+deb10u2 (source) into stable->embargoed, stable (Debian FTP Masters) (signed by: Alessandro Ghedini)
[2021-02-23] curl 7.74.0-1.1 MIGRATED to testing (Debian testing watch)
[2021-02-13] Accepted curl 7.74.0-1.1 (source) into unstable (Samuel Henrique)
[2021-01-07] curl 7.74.0-1 MIGRATED to testing (Debian testing watch)
[2020-12-31] Accepted curl 7.74.0-1 (source) into unstable (Alessandro Ghedini)
[2020-12-18] Accepted curl 7.52.1-5+deb9u13 (source) into oldstable (Roberto C. Sánchez) (signed by: Roberto C. Sanchez)
[2020-09-26] Accepted curl 7.52.1-5+deb9u12 (source amd64 all) into oldstable (Thorsten Alteholz)
[2020-08-29] curl 7.72.0-1 MIGRATED to testing (Debian testing watch)
[2020-08-29] curl 7.72.0-1 MIGRATED to testing (Debian testing watch)
[2020-08-24] Accepted curl 7.72.0-1 (source) into unstable (Alessandro Ghedini)
[2020-07-28] Accepted curl 7.52.1-5+deb9u11 (source amd64 all) into oldstable (Thorsten Alteholz)
[2020-02-29] curl 7.68.0-1 MIGRATED to testing (Debian testing watch)
[2020-02-25] Accepted curl 7.52.1-5+deb9u10 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Alessandro Ghedini)
[2020-02-25] Accepted curl 7.64.0-4+deb10u1 (source) into proposed-updates->stable-new, proposed-updates (Alessandro Ghedini)
[2020-02-24] Accepted curl 7.52.1-5+deb9u10 (source) into oldstable->embargoed, oldstable (Alessandro Ghedini)
[2020-02-24] Accepted curl 7.64.0-4+deb10u1 (source) into stable->embargoed, stable (Alessandro Ghedini)
[2020-02-22] Accepted curl 7.68.0-1 (source) into unstable (Alessandro Ghedini)
[2019-12-07] curl 7.67.0-2 MIGRATED to testing (Debian testing watch)
[2019-12-01] Accepted curl 7.67.0-2 (source) into unstable (Alessandro Ghedini)
[2019-11-30] Accepted curl 7.67.0-1 (source) into unstable (Alessandro Ghedini)
[2019-09-21] curl 7.66.0-1 MIGRATED to testing (Debian testing watch)
[2019-09-15] Accepted curl 7.66.0-1 (source) into unstable (Alessandro Ghedini)
[2019-09-13] Accepted curl 7.38.0-4+deb8u16 (source amd64 all) into oldoldstable (Chris Lamb)
[2019-08-15] curl 7.65.3-1 MIGRATED to testing (Debian testing watch)
[2019-08-09] Accepted curl 7.65.3-1 (source) into unstable (Alessandro Ghedini)
[2019-07-18] curl 7.65.1-1 MIGRATED to testing (Debian testing watch)
[2019-07-13] Accepted curl 7.65.1-1 (source) into unstable (Alessandro Ghedini)
[2019-06-17] curl 7.64.0-4 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 49 53
RC: 1
I&N: 38 40
M&W: 10 12
F&P: 0
patch: 6 7

links

homepage
buildd: logs, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 7.74.0-1ubuntu2
59 bugs (3 patches)
patches for 7.74.0-1ubuntu2