Register | Log in

curl

command line tool for transferring data with URL syntax

Choose email to subscribe with

general

source: curl (main)
version: 7.87.0-2
maintainer: Alessandro Ghedini (DMD)
uploaders: Sergio Durigan Junior [DMD] – Samuel Henrique [DMD]
arch: all any
std-ver: 4.6.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 7.52.1-5+deb9u10
o-o-sec: 7.52.1-5+deb9u16
oldstable: 7.64.0-4+deb10u2
old-sec: 7.64.0-4+deb10u4
old-bpo: 7.74.0-1.2~bpo10+1
stable: 7.74.0-1.3+deb11u3
stable-sec: 7.74.0-1.3+deb11u5
stable-bpo: 7.87.0-2~bpo11+1
stable-p-u: 7.74.0-1.3+deb11u5
testing: 7.87.0-2
unstable: 7.87.0-2

versioned links

7.52.1-5+deb9u10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.52.1-5+deb9u16: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.64.0-4+deb10u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.64.0-4+deb10u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.74.0-1.2~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.74.0-1.3+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.74.0-1.3+deb11u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.87.0-2~bpo11+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.87.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

curl (35 bugs: 0, 26, 9, 0)
libcurl3-gnutls (10 bugs: 0, 10, 0, 0)
libcurl3-nss (1 bugs: 0, 1, 0, 0)
libcurl4 (2 bugs: 0, 2, 0, 0)
libcurl4-doc
libcurl4-gnutls-dev
libcurl4-nss-dev
libcurl4-openssl-dev (4 bugs: 0, 4, 0, 0)

action needed

lintian reports 1 error and 6 warnings high

Lintian reports 1 error and 6 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2023-01-16 Last update: 2023-01-17 00:36

8 bugs tagged patch in the BTS normal

The BTS contains patches fixing 8 bugs (9 if counting merged bugs), consider including or untagging them.

Created: 2022-07-27 Last update: 2023-02-06 22:30

No known security issue in bullseye wishlist

There are 2 open security issues in bullseye.

2 ignored issues:

CVE-2022-42916: In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.
CVE-2022-43551: A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.

Created: 2022-10-26 Last update: 2023-02-04 03:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.2 instead of 4.6.1).

Created: 2022-12-17 Last update: 2023-01-16 05:25

testing migrations

This package will soon be part of the auto-openldap transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[2023-01-31] Accepted curl 7.74.0-1.3+deb11u5 (source) into proposed-updates (Debian FTP Masters) (signed by: Samuel Henrique)
[2023-01-31] Accepted curl 7.74.0-1.3+deb11u4 (source) into proposed-updates (Debian FTP Masters) (signed by: Samuel Henrique)
[2023-01-28] Accepted curl 7.64.0-4+deb10u4 (source) into oldstable (Roberto C. Sánchez) (signed by: Roberto C. Sanchez)
[2023-01-27] Accepted curl 7.74.0-1.3+deb11u5 (source) into stable-security (Debian FTP Masters) (signed by: Samuel Henrique)
[2023-01-27] Accepted curl 7.74.0-1.3+deb11u4 (source) into stable-security (Debian FTP Masters) (signed by: Samuel Henrique)
[2023-01-21] Accepted curl 7.87.0-2~bpo11+1 (source) into bullseye-backports (Samuel Henrique)
[2023-01-21] curl 7.87.0-2 MIGRATED to testing (Debian testing watch)
[2023-01-15] Accepted curl 7.87.0-2 (source) into unstable (Samuel Henrique)
[2022-12-29] Accepted curl 7.87.0-1~bpo11+1 (source) into bullseye-backports (Samuel Henrique)
[2022-12-29] curl 7.87.0-1 MIGRATED to testing (Debian testing watch)
[2022-12-23] Accepted curl 7.87.0-1 (source) into unstable (Samuel Henrique)
[2022-12-21] Accepted curl 7.86.0-3 (source) into unstable (Sergio Durigan Junior)
[2022-11-22] curl 7.86.0-2 MIGRATED to testing (Debian testing watch)
[2022-11-22] curl 7.86.0-2 MIGRATED to testing (Debian testing watch)
[2022-11-15] Accepted curl 7.86.0-2 (source) into unstable (Samuel Henrique)
[2022-11-09] curl 7.86.0-1 MIGRATED to testing (Debian testing watch)
[2022-10-27] Accepted curl 7.86.0-1 (source) into unstable (Samuel Henrique)
[2022-09-10] Accepted curl 7.85.0-1~bpo11+1 (source) into bullseye-backports (Samuel Henrique)
[2022-09-07] curl 7.85.0-1 MIGRATED to testing (Debian testing watch)
[2022-09-04] Accepted curl 7.64.0-4+deb10u3 (source) into oldstable (Markus Koschany)
[2022-09-04] Accepted curl 7.74.0-1.3+deb11u3 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2022-09-04] Accepted curl 7.85.0-1 (source) into unstable (Samuel Henrique)
[2022-08-13] Accepted curl 7.74.0-1.3+deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2022-08-01] Accepted curl 7.74.0-1.3+deb11u2 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2022-07-17] Accepted curl 7.84.0-2~bpo11+1 (source) into bullseye-backports (Samuel Henrique)
[2022-07-17] curl 7.84.0-2 MIGRATED to testing (Debian testing watch)
[2022-07-17] curl 7.84.0-2 MIGRATED to testing (Debian testing watch)
[2022-07-11] Accepted curl 7.84.0-2 (source) into unstable (Samuel Henrique)
[2022-06-27] Accepted curl 7.84.0-1 (source) into unstable (Samuel Henrique)
[2022-06-20] curl 7.83.1-2 MIGRATED to testing (Debian testing watch)

1
2

bugs [bug history graph]

all: 52 57
RC: 0
I&N: 43 46
M&W: 9 11
F&P: 0
patch: 8 9

links

homepage
lintian (1, 6)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 7.87.0-1ubuntu1
64 bugs (3 patches)
patches for 7.87.0-1ubuntu1

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing