Debian Package Tracker

general

source: curl (main)
version: 7.61.0-1
maintainer: Alessandro Ghedini [DMD]
uploaders: Ian Jackson [DMD]
arch: all any
std-ver: 4.2.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 7.26.0-1+wheezy13
o-o-sec: 7.26.0-1+wheezy25+deb7u1
oldstable: 7.38.0-4+deb8u11
old-sec: 7.38.0-4+deb8u12
stable: 7.52.1-5+deb9u6
stable-sec: 7.52.1-5+deb9u7
stable-p-u: 7.52.1-5+deb9u7
testing: 7.61.0-1
unstable: 7.61.0-1

versioned links

7.26.0-1+wheezy13: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.26.0-1+wheezy25+deb7u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.38.0-4+deb8u11: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.38.0-4+deb8u12: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.52.1-5+deb9u6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.52.1-5+deb9u7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.56.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.58.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.60.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.61.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

curl
libcurl3-gnutls
libcurl3-nss
libcurl4
libcurl4-doc
libcurl4-gnutls-dev
libcurl4-nss-dev
libcurl4-openssl-dev

action needed

A new upstream version is available: 7.61.1 high

A new upstream version 7.61.1 is available, you should consider packaging it.

Created: 2018-09-08 Last update: 2018-10-21 04:04

1 security issue in buster high

There is 1 open security issue in buster.

1 important issue:

CVE-2018-14618: curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)

Please fix it.

Created: 2018-09-04 Last update: 2018-10-18 07:25

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2018-14618: curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)

Please fix it.

Created: 2018-09-04 Last update: 2018-10-18 07:25

lintian reports 2 errors and 16 warnings high

Lintian reports 2 errors and 16 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2015-03-04 Last update: 2018-07-31 07:46

3 bugs tagged patch in the BTS normal

The BTS contains patches fixing 3 bugs (4 if counting merged bugs), consider including or untagging them.

Created: 2018-10-01 Last update: 2018-10-21 08:01

Depends on packages which need a new maintainer normal

The packages that curl depends on which need a new maintainer are:

dh-exec (#851746)
- Build-Depends: dh-exec

Created: 2017-12-02 Last update: 2018-10-21 06:44

5 new commits since last upload, time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 7.61.1-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit f48035dea7426b7eadeb56af56fbbc7da44f089e
Author: Alessandro Ghedini <ghedo@debian.org>
Date:   Wed Sep 5 21:10:09 2018 +0100

    Refresh patches

commit 7f7779f2a6e463ec89a2be030908ca292f5e0196
Author: Alessandro Ghedini <ghedo@debian.org>
Date:   Wed Sep 5 21:02:33 2018 +0100

    bump Standards-Version to 4.2.1 (no changes needed)

commit 98423ef51186779dfb76836226b604c05aa5e151
Author: Alessandro Ghedini <ghedo@debian.org>
Date:   Wed Sep 5 21:02:09 2018 +0100

    New upstream release

commit 32925b8d961240d6589df879f306b5b2f415c53e
Merge: d3666e86 067556c9
Author: Alessandro Ghedini <ghedo@debian.org>
Date:   Wed Sep 5 21:00:42 2018 +0100

    Update upstream source from tag 'upstream/7.61.1'
    
    Update to upstream version '7.61.1'
    with Debian dir 7e696582daacdff2aa8c0c83a8aff2fab362df4f

commit 067556c9dfc45ad764ac5da8e9a6dc0b1c12bae7
Author: Alessandro Ghedini <ghedo@debian.org>
Date:   Wed Sep 5 21:00:25 2018 +0100

    New upstream version 7.61.1

Created: 2018-09-23 Last update: 2018-10-21 02:12

Multiarch hinter reports 1 issue(s) low

There are issues with the multiarch metadata for this package.

libcurl4-doc could be marked Multi-Arch: foreign

Created: 2016-09-14 Last update: 2018-10-21 04:02

4 ignored security issues in jessie low

There are 4 open security issues in jessie.

4 issues skipped by the security teams:

CVE-2016-7141: curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.
CVE-2016-9586: curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks.
CVE-2016-7167: Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.
CVE-2016-8625: curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.

Please fix them.

Created: 2016-09-06 Last update: 2018-10-18 07:25

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.2.1 instead of 4.2.0).

Created: 2018-08-26 Last update: 2018-08-26 08:16

news

[rss feed]

[2018-10-02] Accepted curl 7.52.1-5+deb9u7 (source) into proposed-updates->stable-new, proposed-updates (Alessandro Ghedini)
[2018-09-08] Accepted curl 7.38.0-4+deb8u12 (source amd64 all) into oldstable (Chris Lamb)
[2018-09-05] Accepted curl 7.52.1-5+deb9u7 (source) into stable->embargoed, stable (Alessandro Ghedini)
[2018-08-16] curl 7.61.0-1 MIGRATED to testing (Debian testing watch)
[2018-08-11] Accepted curl 7.61.0-1 (source) into unstable (Alessandro Ghedini)
[2018-05-31] curl 7.60.0-2 MIGRATED to testing (Debian testing watch)
[2018-05-28] Accepted curl 7.60.0-2 (source amd64 all) into unstable, unstable (Alessandro Ghedini)
[2018-05-25] curl 7.60.0-1 MIGRATED to testing (Debian testing watch)
[2018-05-18] Accepted curl 7.60.0-1 (source) into unstable (Alessandro Ghedini)
[2018-05-17] Accepted curl 7.52.1-5+deb9u6 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Alessandro Ghedini)
[2018-05-17] Accepted curl 7.38.0-4+deb8u11 (source amd64 all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Alessandro Ghedini)
[2018-05-16] Accepted curl 7.38.0-4+deb8u11 (source amd64 all) into oldstable->embargoed, oldstable (Alessandro Ghedini)
[2018-05-16] Accepted curl 7.52.1-5+deb9u6 (source amd64 all) into stable->embargoed, stable (Alessandro Ghedini)
[2018-05-16] Accepted curl 7.26.0-1+wheezy25+deb7u1 (source amd64) into oldoldstable (Chris Lamb)
[2018-03-18] Accepted curl 7.26.0-1+wheezy25 (source armhf) into oldoldstable (Santiago R.R.) (signed by: Santiago Ruano Rincón)
[2018-03-18] Accepted curl 7.26.0-1+wheezy25 (source armhf) into oldoldstable (Santiago R.R.) (signed by: Santiago Ruano Rincón)
[2018-03-17] Accepted curl 7.38.0-4+deb8u10 (source amd64 all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Alessandro Ghedini)
[2018-03-17] Accepted curl 7.52.1-5+deb9u5 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Alessandro Ghedini)
[2018-03-14] Accepted curl 7.52.1-5+deb9u5 (source amd64 all) into stable->embargoed, stable (Alessandro Ghedini)
[2018-03-14] Accepted curl 7.38.0-4+deb8u10 (source amd64 all) into oldstable->embargoed, oldstable (Alessandro Ghedini)
[2018-03-01] Accepted curl 7.58.0-3 (source amd64 all) into experimental, experimental (Alessandro Ghedini)
[2018-02-10] Accepted curl 7.38.0-4+deb8u9 (source amd64 all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Alessandro Ghedini)
[2018-02-08] Accepted curl 7.52.1-5+deb9u4 (source) into proposed-updates->stable-new, proposed-updates (Alessandro Ghedini)
[2018-01-30] curl 7.58.0-2 MIGRATED to testing (Debian testing watch)
[2018-01-29] Accepted curl 7.26.0-1+wheezy24 (source amd64) into oldoldstable (Thorsten Alteholz)
[2018-01-24] Accepted curl 7.58.0-2 (source amd64 all) into unstable (Alessandro Ghedini)
[2018-01-24] Accepted curl 7.58.0-1 (source) into unstable (Alessandro Ghedini)
[2017-12-06] curl 7.57.0-1 MIGRATED to testing (Debian testing watch)
[2017-12-02] Accepted curl 7.38.0-4+deb8u8 (source amd64 all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Yves-Alexis Perez)
[2017-12-02] Accepted curl 7.52.1-5+deb9u3 (source) into proposed-updates->stable-new, proposed-updates (Yves-Alexis Perez)

bugs [bug history graph]

all: 34 38
RC: 1
I&N: 26 28
M&W: 7 9
F&P: 0
patch: 3 4

links

homepage
lintian (2, 16)
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 7.61.0-1ubuntu2
54 bugs (5 patches)
patches for 7.61.0-1ubuntu2