curl - Debian Package Tracker

general

source: curl (main)
version: 8.18.0-2
maintainer: Debian Curl Maintainers (DMD)
uploaders: Sergio Durigan Junior [DMD] – Samuel Henrique [DMD] – Carlos Henrique Lima Melara [DMD]
arch: all any
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 7.74.0-1.3+deb11u13
o-o-sec: 7.74.0-1.3+deb11u16
o-o-p-u: 7.74.0-1.3+deb11u13
oldstable: 7.88.1-10+deb12u14
old-sec: 7.88.1-10+deb12u5
old-bpo: 8.14.1-2+deb13u2~bpo13+1
stable: 8.14.1-2+deb13u2
stable-bpo: 8.18.0-1~bpo13+1
testing: 8.18.0-2
unstable: 8.18.0-2
exp: 8.19.0~rc1-1~exp1

versioned links

7.74.0-1.3+deb11u13: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.74.0-1.3+deb11u16: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.88.1-10+deb12u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.88.1-10+deb12u14: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.14.1-2+deb13u2~bpo13+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.14.1-2+deb13u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.18.0-1~bpo13+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.18.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.19.0~rc1-1~exp1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

curl (43 bugs: 1, 30, 12, 0)
libcurl3t64-gnutls
libcurl4-doc
libcurl4-gnutls-dev
libcurl4-openssl-dev (4 bugs: 0, 4, 0, 0)
libcurl4t64

action needed

The VCS repository is not up to date, push the missing commits. high

vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS are out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (remote HEAD branch), which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate what branch is used for the Debian packaging.

Created: 2026-02-16 Last update: 2026-02-16 10:55

10 bugs tagged patch in the BTS normal

The BTS contains patches fixing 10 bugs (11 if counting merged bugs), consider including or untagging them.

Created: 2025-01-06 Last update: 2026-02-20 08:00

Depends on packages which need a new maintainer normal

The packages that curl depends on which need a new maintainer are:

stunnel4 (#1122515)
- Build-Depends: stunnel4

Created: 2025-12-11 Last update: 2026-02-20 06:32

2 open merge requests in Salsa normal

There are 2 open merge requests for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2026-01-23 Last update: 2026-02-01 03:30

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2026-01-15 Last update: 2026-01-20 22:32

3 low-priority security issues in trixie low

There are 3 open security issues in trixie.

3 issues left for the package maintainer to handle:

CVE-2025-13034: (needs triaging) When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.
CVE-2025-14524: (needs triaging) When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
CVE-2025-14819: (needs triaging) When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-01-07 Last update: 2026-01-21 09:31

3 low-priority security issues in bookworm low

There are 3 open security issues in bookworm.

2 issues left for the package maintainer to handle:

CVE-2025-14524: (needs triaging) When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
CVE-2025-14819: (needs triaging) When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.

You can find information about how to handle these issues in the security team's documentation.

1 ignored issue:

CVE-2025-10148: curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.

Created: 2025-09-10 Last update: 2026-01-21 09:31

debian/patches: 1 patch to forward upstream low

Among the 3 debian patches available in version 8.18.0-2 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-01-15 14:00

news

[rss feed]

[2026-02-15] Accepted curl 8.19.0~rc1-1~exp1 (source) into experimental (Samuel Henrique)
[2026-01-19] curl 8.18.0-2 MIGRATED to testing (Debian testing watch)
[2026-01-15] Accepted curl 8.18.0-2 (source) into unstable (Carlos Henrique Lima Melara)
[2026-01-14] Accepted curl 8.14.1-2+deb13u2~bpo13+1 (source) into oldstable-backports (Samuel Henrique)
[2026-01-14] Accepted curl 8.18.0-1~bpo13+1 (source) into stable-backports (Samuel Henrique)
[2026-01-12] curl 8.18.0-1 MIGRATED to testing (Debian testing watch)
[2026-01-08] Accepted curl 8.18.0-1 (source) into unstable (Carlos Henrique Lima Melara)
[2026-01-05] Accepted curl 7.74.0-1.3+deb11u16 (source) into oldoldstable-security (Alex) (signed by: Carlos Henrique Lima Melara)
[2026-01-02] curl 8.18.0~rc3-1 MIGRATED to testing (Debian testing watch)
[2025-12-29] Accepted curl 8.18.0~rc3-1 (source) into unstable (Samuel Henrique)
[2025-12-20] curl 8.18.0~rc2-1 MIGRATED to testing (Debian testing watch)
[2025-12-16] Accepted curl 8.18.0~rc2-1 (source) into unstable (Samuel Henrique)
[2025-12-06] Accepted curl 8.18.0~rc1-1+exp1 (source) into experimental (Samuel Henrique)
[2025-11-26] curl 8.17.0-3 MIGRATED to testing (Debian testing watch)
[2025-11-24] Accepted curl 8.17.0-3 (source) into unstable (Carlos Henrique Lima Melara)
[2025-11-16] curl 8.17.0-2 MIGRATED to testing (Debian testing watch)
[2025-11-13] Accepted curl 8.17.0-2 (source) into unstable (Samuel Henrique)
[2025-11-09] Accepted curl 8.14.1-2+deb13u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Samuel Henrique)
[2025-11-08] curl 8.17.0-1 MIGRATED to testing (Debian testing watch)
[2025-11-07] Accepted curl 8.14.1-2+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Samuel Henrique)
[2025-11-05] Accepted curl 8.17.0-1 (source) into unstable (Samuel Henrique)
[2025-11-01] curl 8.17.0~rc3-1 MIGRATED to testing (Debian testing watch)
[2025-10-29] Accepted curl 8.17.0~rc3-1 (source) into unstable (Samuel Henrique)
[2025-10-28] curl 8.17.0~rc2-1 MIGRATED to testing (Debian testing watch)
[2025-10-20] Accepted curl 8.17.0~rc2-1 (source) into unstable (Samuel Henrique)
[2025-10-11] Accepted curl 8.16.0-4~bpo13+1 (source) into stable-backports (Samuel Henrique)
[2025-10-11] Accepted curl 8.17.0~rc1-1~exp1 (source) into experimental (Samuel Henrique)
[2025-10-11] curl 8.16.0-4 MIGRATED to testing (Debian testing watch)
[2025-10-08] Accepted curl 8.16.0-4 (source) into unstable (Carlos Henrique Lima Melara)
[2025-10-08] curl 8.16.0-2 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 61 66
RC: 1
I&N: 48 51
M&W: 12 14
F&P: 0
patch: 10 11

links

homepage
lintian (0, 1)
buildd: logs, exp, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 8.18.0-1ubuntu1
80 bugs (4 patches)
patches for 8.18.0-1ubuntu1