curl - Debian Package Tracker

general

source: curl (main)
version: 8.19.0~rc3-1
maintainer: Debian Curl Maintainers (DMD)
uploaders: Sergio Durigan Junior [DMD] – Samuel Henrique [DMD] – Carlos Henrique Lima Melara [DMD]
arch: all any
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 7.74.0-1.3+deb11u13
o-o-sec: 7.74.0-1.3+deb11u16
o-o-p-u: 7.74.0-1.3+deb11u13
oldstable: 7.88.1-10+deb12u14
old-sec: 7.88.1-10+deb12u5
old-bpo: 8.14.1-2+deb13u2~bpo13+1
stable: 8.14.1-2+deb13u2
stable-bpo: 8.18.0-1~bpo13+1
testing: 8.18.0-2
unstable: 8.19.0~rc3-1

versioned links

7.74.0-1.3+deb11u13: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.74.0-1.3+deb11u16: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.88.1-10+deb12u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.88.1-10+deb12u14: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.14.1-2+deb13u2~bpo13+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.14.1-2+deb13u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.18.0-1~bpo13+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.18.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.19.0~rc3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

curl (43 bugs: 1, 30, 12, 0)
libcurl3t64-gnutls
libcurl4-doc
libcurl4-gnutls-dev
libcurl4-openssl-dev (4 bugs: 0, 4, 0, 0)
libcurl4t64

action needed

10 bugs tagged patch in the BTS normal

The BTS contains patches fixing 10 bugs (11 if counting merged bugs), consider including or untagging them.

Created: 2025-01-06 Last update: 2026-03-03 10:30

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2026-03-01 Last update: 2026-03-01 00:00

1 new commit since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 6a682e963e2d12fc318269cca3fecde6ede408fd
Author: Carlos Henrique Lima Melara <charlesmelara@riseup.net>
Date:   Sat Feb 28 17:14:42 2026 -0300

    d/control: drop leftover quilt build-dep
    
    It was previously used to apply and remove patches during build so we
    could have multiple libcurl ssl backend, but it's not needed anymore.
    
    Closes: #1129269

Created: 2026-02-28 Last update: 2026-02-28 21:31

debian/patches: 1 patch to forward upstream low

Among the 3 debian patches available in version 8.19.0~rc3-1 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-02-28 08:31

3 low-priority security issues in trixie low

There are 3 open security issues in trixie.

3 issues left for the package maintainer to handle:

CVE-2025-13034: (needs triaging) When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.
CVE-2025-14524: (needs triaging) When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
CVE-2025-14819: (needs triaging) When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-01-07 Last update: 2026-02-28 04:32

3 low-priority security issues in bookworm low

There are 3 open security issues in bookworm.

2 issues left for the package maintainer to handle:

CVE-2025-14524: (needs triaging) When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
CVE-2025-14819: (needs triaging) When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.

You can find information about how to handle these issues in the security team's documentation.

1 ignored issue:

CVE-2025-10148: curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.

Created: 2025-09-10 Last update: 2026-02-28 04:32

testing migrations

excuses:
- Migration status for curl (8.18.0-2 to 8.19.0~rc3-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Autopkgtest for cmake/4.2.3-2: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Autopkgtest for curl/8.19.0~rc3-1: amd64: Regression ♻ (reference ♻), arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for debusine/0.14.5: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Ignored failure ♻ (reference ♻), riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Autopkgtest for libreoffice/4:26.2.1-1: amd64: Pass, arm64: Test triggered (failure will be ignored), i386: Test triggered (failure will be ignored), ppc64el: Pass, riscv64: Failed (not a regression) ♻ (reference ♻), s390x: Pass
- ∙ ∙ Autopkgtest for nodejs/22.22.0+dfsg+~cs22.19.6-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Autopkgtest for pycurl/7.45.7-3: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), i386: Regression ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), riscv64: Regression ♻ (reference ♻), s390x: Regression ♻ (reference ♻)
- ∙ ∙ Too young, only 3 of 5 days old
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/c/curl.html
- ∙ ∙ Reproduced on amd64
- ∙ ∙ Reproduced on arm64
- ∙ ∙ Reproduced on armhf
- ∙ ∙ Reproduced on i386
- ∙ ∙ Reproduced on ppc64el
- Not considered

news

[rss feed]

[2026-02-28] Accepted curl 8.19.0~rc3-1 (source) into unstable (Carlos Henrique Lima Melara)
[2026-02-24] Accepted curl 8.19.0~rc2-2 (source) into unstable (Carlos Henrique Lima Melara)
[2026-02-21] Accepted curl 8.19.0~rc2-1 (source) into unstable (Samuel Henrique)
[2026-02-15] Accepted curl 8.19.0~rc1-1~exp1 (source) into experimental (Samuel Henrique)
[2026-01-19] curl 8.18.0-2 MIGRATED to testing (Debian testing watch)
[2026-01-15] Accepted curl 8.18.0-2 (source) into unstable (Carlos Henrique Lima Melara)
[2026-01-14] Accepted curl 8.14.1-2+deb13u2~bpo13+1 (source) into oldstable-backports (Samuel Henrique)
[2026-01-14] Accepted curl 8.18.0-1~bpo13+1 (source) into stable-backports (Samuel Henrique)
[2026-01-12] curl 8.18.0-1 MIGRATED to testing (Debian testing watch)
[2026-01-08] Accepted curl 8.18.0-1 (source) into unstable (Carlos Henrique Lima Melara)
[2026-01-05] Accepted curl 7.74.0-1.3+deb11u16 (source) into oldoldstable-security (Alex) (signed by: Carlos Henrique Lima Melara)
[2026-01-02] curl 8.18.0~rc3-1 MIGRATED to testing (Debian testing watch)
[2025-12-29] Accepted curl 8.18.0~rc3-1 (source) into unstable (Samuel Henrique)
[2025-12-20] curl 8.18.0~rc2-1 MIGRATED to testing (Debian testing watch)
[2025-12-16] Accepted curl 8.18.0~rc2-1 (source) into unstable (Samuel Henrique)
[2025-12-06] Accepted curl 8.18.0~rc1-1+exp1 (source) into experimental (Samuel Henrique)
[2025-11-26] curl 8.17.0-3 MIGRATED to testing (Debian testing watch)
[2025-11-24] Accepted curl 8.17.0-3 (source) into unstable (Carlos Henrique Lima Melara)
[2025-11-16] curl 8.17.0-2 MIGRATED to testing (Debian testing watch)
[2025-11-13] Accepted curl 8.17.0-2 (source) into unstable (Samuel Henrique)
[2025-11-09] Accepted curl 8.14.1-2+deb13u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Samuel Henrique)
[2025-11-08] curl 8.17.0-1 MIGRATED to testing (Debian testing watch)
[2025-11-07] Accepted curl 8.14.1-2+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Samuel Henrique)
[2025-11-05] Accepted curl 8.17.0-1 (source) into unstable (Samuel Henrique)
[2025-11-01] curl 8.17.0~rc3-1 MIGRATED to testing (Debian testing watch)
[2025-10-29] Accepted curl 8.17.0~rc3-1 (source) into unstable (Samuel Henrique)
[2025-10-28] curl 8.17.0~rc2-1 MIGRATED to testing (Debian testing watch)
[2025-10-20] Accepted curl 8.17.0~rc2-1 (source) into unstable (Samuel Henrique)
[2025-10-11] Accepted curl 8.16.0-4~bpo13+1 (source) into stable-backports (Samuel Henrique)
[2025-10-11] Accepted curl 8.17.0~rc1-1~exp1 (source) into experimental (Samuel Henrique)

bugs [bug history graph]

all: 62 67
RC: 1
I&N: 48 51
M&W: 12 14
F&P: 1
patch: 10 11

links

homepage
lintian (0, 1)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 8.18.0-1ubuntu1
80 bugs (4 patches)
patches for 8.18.0-1ubuntu1