Debian Package Tracker
Register | Log in
Subscribe

curl

command line tool for transferring data with URL syntax

Choose email to subscribe with

general
  • source: curl (main)
  • version: 8.21.0-2
  • maintainer: Debian Curl Maintainers (DMD)
  • uploaders: Sergio Durigan Junior [DMD] – Samuel Henrique [DMD] – Carlos Henrique Lima Melara [DMD]
  • arch: all any
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 7.74.0-1.3+deb11u13
  • o-o-sec: 7.74.0-1.3+deb11u16
  • o-o-p-u: 7.74.0-1.3+deb11u13
  • oldstable: 7.88.1-10+deb12u14
  • old-sec: 7.88.1-10+deb12u5
  • old-bpo: 8.14.1-2+deb13u2~bpo13+1
  • old-p-u: 7.88.1-10+deb12u15
  • stable: 8.14.1-2+deb13u3
  • stable-bpo: 8.20.0-5~bpo13+1
  • stable-p-u: 8.14.1-2+deb13u4
  • testing: 8.20.0-5
  • unstable: 8.21.0-2
  • exp: 8.21.0-2+exp1
versioned links
  • 7.74.0-1.3+deb11u13: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 7.74.0-1.3+deb11u16: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 7.88.1-10+deb12u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 7.88.1-10+deb12u14: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 7.88.1-10+deb12u15: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 8.14.1-2+deb13u2~bpo13+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 8.14.1-2+deb13u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 8.14.1-2+deb13u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 8.20.0-5~bpo13+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 8.20.0-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 8.21.0-1+exp1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 8.21.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 8.21.0-2+exp1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • curl (33 bugs: 0, 22, 11, 0)
  • libcurl3t64-gnutls
  • libcurl4-doc
  • libcurl4-gnutls
  • libcurl4-gnutls-dev
  • libcurl4-openssl-dev (4 bugs: 0, 4, 0, 0)
  • libcurl4t64
action needed
The VCS repository is not up to date, push the missing commits. high
vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS are out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (remote HEAD branch), which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate what branch is used for the Debian packaging.
Created: 2026-06-04 Last update: 2026-07-05 16:02
18 security issues in forky high

There are 18 open security issues in forky.

18 important issues:
  • CVE-2026-8286: A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.
  • CVE-2026-8458: libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different 'services'. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.
  • CVE-2026-8924: A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.
  • CVE-2026-8925: The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.
  • CVE-2026-8926: When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like `https://user@example.com/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and there is no match for the specified user.
  • CVE-2026-8927: When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.
  • CVE-2026-8932: libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS settings related to client certificates were left out from the configuration match checks, making them match too easily. In particular options related to the private key.
  • CVE-2026-9079: libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.
  • CVE-2026-9080: Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed.
  • CVE-2026-9545: In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate. When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure. Potentially leaking sensitive information.
  • CVE-2026-9546: A vulnerability in libcurl caused the HTTP `Referer:` header to persist even when explicitly cleared. While the documentation states that passing NULL to `CURLOPT_REFERER` suppresses the header, the option failed to clear the internal state. As a result the previous referrer string was erroneously reused and sent in subsequent requests, potentially leaking sensitive information to unintended servers.
  • CVE-2026-9547: When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.
  • CVE-2026-10536: A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.
  • CVE-2026-11352: An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.
  • CVE-2026-11564: libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.
  • CVE-2026-11586: By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.
  • CVE-2026-11856: Successfully using libcurl to do a transfer to a specific HTTP origin (`hostA`) with **Digest** authentication and then changing the origin to a different one (`hostB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Authorization:` header field meant for `hostA`, to `hostB`.
  • CVE-2026-12064: When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.
Created: 2026-06-24 Last update: 2026-07-04 07:32
26 security issues in bullseye high

There are 26 open security issues in bullseye.

9 important issues:
  • CVE-2026-8286: A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.
  • CVE-2026-8458: libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different 'services'. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.
  • CVE-2026-8924: A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.
  • CVE-2026-8927: When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.
  • CVE-2026-8932: libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS settings related to client certificates were left out from the configuration match checks, making them match too easily. In particular options related to the private key.
  • CVE-2026-9547: When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.
  • CVE-2026-10536: A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.
  • CVE-2026-11856: Successfully using libcurl to do a transfer to a specific HTTP origin (`hostA`) with **Digest** authentication and then changing the origin to a different one (`hostB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Authorization:` header field meant for `hostA`, to `hostB`.
  • CVE-2026-12064: When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.
11 issues postponed or untriaged:
  • CVE-2026-1965: (postponed; to be fixed through a stable update) libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work. An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1... The set of authentication methods to use is set with `CURLOPT_HTTPAUTH`. Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API).
  • CVE-2026-3783: (postponed; to be fixed through a stable update) When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.
  • CVE-2026-3784: (postponed; to be fixed through a stable update) curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.
  • CVE-2026-4873: (postponed; to be fixed through a stable update) A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS requirement and instead transmit data unencrypted.
  • CVE-2026-5545: (postponed; to be fixed through a stable update) libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. An application that first uses Negotiate authentication to a server with `user1:password1` and then does another operation to the same server asking for any authentication method but for `user2:password2` (while the previous connection is still alive) - the second request gets confused and wrongly reuses the same connection and sends the new request over that connection thinking it uses a mix of user1's and user2's credentials when it is in fact still using the connection authenticated for user1...
  • CVE-2026-5773: (postponed; to be fixed through a stable update) libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a network transfer operation that was requested by an application could wrongfully reuse an existing SMB connection to the same server that was using a different 'share' than the new subsequent transfer should. This could in unlucky situations lead to the download of the wrong file or the upload of a file to the wrong place. When this happens, the same credentials are used and the server name is the same.
  • CVE-2026-6253: (postponed; to be fixed through a stable update) curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. while using the first proxy (using say `http://`), curl is asked to follow a redirect to a URL using another scheme (say `https://`), accessed using a second, different, proxy
  • CVE-2026-6276: (postponed; to be fixed through a stable update) Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them.
  • CVE-2026-6429: (postponed; to be fixed through a stable update) When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.
  • CVE-2026-7168: (postponed; to be fixed through a stable update) Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Proxy-Authorization:` header field meant for `proxyA`, to `proxyB`.
  • CVE-2025-14524: (postponed; to be fixed through a stable update) When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
6 ignored issues:
  • CVE-2024-9681: When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.
  • CVE-2022-42916: In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.
  • CVE-2022-43551: A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.
  • CVE-2023-23914: A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of usingan insecure clear-text HTTP step even when HTTP is provided in the URL. ThisHSTS mechanism would however surprisingly be ignored by subsequent transferswhen done on the same command line because the state would not be properlycarried on.
  • CVE-2023-23915: A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS.
  • CVE-2023-46219: When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.
Created: 2026-06-24 Last update: 2026-07-04 07:32
15 security issues in bookworm high

There are 15 open security issues in bookworm.

9 important issues:
  • CVE-2026-8286: A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.
  • CVE-2026-8458: libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different 'services'. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.
  • CVE-2026-8924: A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.
  • CVE-2026-8927: When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.
  • CVE-2026-8932: libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS settings related to client certificates were left out from the configuration match checks, making them match too easily. In particular options related to the private key.
  • CVE-2026-9547: When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.
  • CVE-2026-10536: A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.
  • CVE-2026-11856: Successfully using libcurl to do a transfer to a specific HTTP origin (`hostA`) with **Digest** authentication and then changing the origin to a different one (`hostB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Authorization:` header field meant for `hostA`, to `hostB`.
  • CVE-2026-12064: When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.
6 issues left for the package maintainer to handle:
  • CVE-2026-1965: (needs triaging) libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work. An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1... The set of authentication methods to use is set with `CURLOPT_HTTPAUTH`. Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API).
  • CVE-2026-4873: (needs triaging) A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS requirement and instead transmit data unencrypted.
  • CVE-2026-5545: (needs triaging) libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. An application that first uses Negotiate authentication to a server with `user1:password1` and then does another operation to the same server asking for any authentication method but for `user2:password2` (while the previous connection is still alive) - the second request gets confused and wrongly reuses the same connection and sends the new request over that connection thinking it uses a mix of user1's and user2's credentials when it is in fact still using the connection authenticated for user1...
  • CVE-2026-6253: (needs triaging) curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. while using the first proxy (using say `http://`), curl is asked to follow a redirect to a URL using another scheme (say `https://`), accessed using a second, different, proxy
  • CVE-2026-6276: (needs triaging) Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them.
  • CVE-2026-6429: (needs triaging) When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.

You can find information about how to handle these issues in the security team's documentation.

7 issues that should be fixed with the next stable update:
  • CVE-2026-3783: When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.
  • CVE-2026-3784: curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.
  • CVE-2026-5773: libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a network transfer operation that was requested by an application could wrongfully reuse an existing SMB connection to the same server that was using a different 'share' than the new subsequent transfer should. This could in unlucky situations lead to the download of the wrong file or the upload of a file to the wrong place. When this happens, the same credentials are used and the server name is the same.
  • CVE-2026-7168: Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Proxy-Authorization:` header field meant for `proxyA`, to `proxyB`.
  • CVE-2025-10148: curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.
  • CVE-2025-14524: When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
  • CVE-2025-14819: When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.
Created: 2025-09-10 Last update: 2026-07-04 07:32
debian/patches: 1 patch with invalid metadata, 2 patches to forward upstream high

Among the 6 debian patches available in version 8.21.0-2 of the package, we noticed the following issues:

  • 1 patch with invalid metadata that ought to be fixed.
  • 2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2026-06-29 10:49
The package has not entered testing even though the delay is over normal
The package has not entered testing even though the 5-day delay is over. Check why.
Created: 2026-07-04 Last update: 2026-07-09 03:02
9 bugs tagged patch in the BTS normal
The BTS contains patches fixing 9 bugs (10 if counting merged bugs), consider including or untagging them.
Created: 2026-06-02 Last update: 2026-07-09 03:00
lintian reports 1 warning normal
Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.
Created: 2026-06-30 Last update: 2026-06-30 04:48
19 low-priority security issues in trixie low

There are 19 open security issues in trixie.

19 issues left for the package maintainer to handle:
  • CVE-2026-3783: (needs triaging) When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.
  • CVE-2026-3784: (needs triaging) curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.
  • CVE-2026-5773: (needs triaging) libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a network transfer operation that was requested by an application could wrongfully reuse an existing SMB connection to the same server that was using a different 'share' than the new subsequent transfer should. This could in unlucky situations lead to the download of the wrong file or the upload of a file to the wrong place. When this happens, the same credentials are used and the server name is the same.
  • CVE-2026-7168: (needs triaging) Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Proxy-Authorization:` header field meant for `proxyA`, to `proxyB`.
  • CVE-2026-8286: (needs triaging) A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.
  • CVE-2026-8458: (needs triaging) libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different 'services'. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.
  • CVE-2026-8924: (needs triaging) A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.
  • CVE-2026-8926: (needs triaging) When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like `https://user@example.com/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and there is no match for the specified user.
  • CVE-2026-8927: (needs triaging) When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.
  • CVE-2026-8932: (needs triaging) libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS settings related to client certificates were left out from the configuration match checks, making them match too easily. In particular options related to the private key.
  • CVE-2026-9079: (needs triaging) libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.
  • CVE-2026-9080: (needs triaging) Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed.
  • CVE-2026-9545: (needs triaging) In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate. When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure. Potentially leaking sensitive information.
  • CVE-2026-9547: (needs triaging) When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.
  • CVE-2025-14524: (needs triaging) When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
  • CVE-2025-14819: (needs triaging) When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.
  • CVE-2026-10536: (needs triaging) A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.
  • CVE-2026-11856: (needs triaging) Successfully using libcurl to do a transfer to a specific HTTP origin (`hostA`) with **Digest** authentication and then changing the origin to a different one (`hostB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Authorization:` header field meant for `hostA`, to `hostB`.
  • CVE-2026-12064: (needs triaging) When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.

You can find information about how to handle these issues in the security team's documentation.

7 issues that should be fixed with the next stable update:
  • CVE-2026-1965: libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work. An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1... The set of authentication methods to use is set with `CURLOPT_HTTPAUTH`. Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API).
  • CVE-2026-3805: When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.
  • CVE-2026-4873: A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS requirement and instead transmit data unencrypted.
  • CVE-2026-5545: libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. An application that first uses Negotiate authentication to a server with `user1:password1` and then does another operation to the same server asking for any authentication method but for `user2:password2` (while the previous connection is still alive) - the second request gets confused and wrongly reuses the same connection and sends the new request over that connection thinking it uses a mix of user1's and user2's credentials when it is in fact still using the connection authenticated for user1...
  • CVE-2026-6253: curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. while using the first proxy (using say `http://`), curl is asked to follow a redirect to a URL using another scheme (say `https://`), accessed using a second, different, proxy
  • CVE-2026-6276: Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them.
  • CVE-2026-6429: When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.
Created: 2026-01-07 Last update: 2026-07-04 07:32
testing migrations
  • This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
  • excuses:
    • Migration status for curl (8.20.0-5 to 8.21.0-2): BLOCKED: Rejected/violates migration policy/introduces a regression
    • Issues preventing migration:
    • ∙ ∙ Updating curl would introduce bugs in testing: #1141371
    • ∙ ∙ Autopkgtest for cimg/3.5.2+dfsg-2: amd64: Pass, arm64: Pass, armhf: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
    • ∙ ∙ Autopkgtest for cmake/4.3.4-1: amd64: Pass, arm64: Pass, armhf: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
    • ∙ ∙ Autopkgtest for curl/8.21.0-2: amd64: Pass, arm64: Pass, armhf: Regression ♻ (reference ♻), i386: Pass, loong64: Pass, ppc64el: Regression ♻ (reference ♻), riscv64: Pass, s390x: Pass
    • ∙ ∙ Autopkgtest for debusine/0.14.10: amd64: Pass, arm64: Pass, armhf: Failed (not a regression) ♻ (reference ♻), i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
    • ∙ ∙ Autopkgtest for dracut/111-4: amd64: Pass, arm64: Pass, armhf: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻ (reference ♻), loong64: Failed (not a regression) ♻ (reference ♻), ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
    • ∙ ∙ Autopkgtest for libreoffice/4:26.2.4.2-1: arm64: Test triggered (failure will be ignored), armhf: Test triggered (failure will be ignored), i386: Test triggered (failure will be ignored), loong64: Failed (not a regression) ♻ (reference ♻)
    • ∙ ∙ Autopkgtest for nodejs/24.18.0+dfsg+~cs24.13.2-1: amd64: Pass, arm64: Pass, armhf: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
    • ∙ ∙ Autopkgtest for ocaml-dune/3.23.1-5: amd64: Pass, arm64: Pass, armhf: Pass, i386: Pass, loong64: Test triggered (failure will be ignored), ppc64el: Pass, riscv64: Pass, s390x: Pass
    • ∙ ∙ Autopkgtest for trurl/0.16.1-4: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), armhf: Regression ♻ (reference ♻), i386: Regression ♻ (reference ♻), loong64: Regression ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), riscv64: Regression ♻ (reference ♻), s390x: Regression ♻ (reference ♻)
    • Additional info (not blocking):
    • ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/c/curl.html
    • ∙ ∙ Reproduced on amd64 - info
    • ∙ ∙ Reproduced on arm64 - info
    • ∙ ∙ Reproduced on armhf - info
    • ∙ ∙ Reproduced on i386 - info
    • ∙ ∙ 10 days old (needed 5 days)
    • Not considered
news
[rss feed]
  • [2026-06-30] Accepted curl 8.14.1-2+deb13u4 (source) into proposed-updates (Debian FTP Masters) (signed by: Samuel Henrique)
  • [2026-06-30] Accepted curl 7.88.1-10+deb12u15 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Samuel Henrique)
  • [2026-06-28] Accepted curl 8.21.0-2+exp1 (source) into experimental (Carlos Henrique Lima Melara)
  • [2026-06-28] Accepted curl 8.21.0-2 (source) into unstable (Carlos Henrique Lima Melara)
  • [2026-06-26] Accepted curl 8.21.0-1+exp1 (source) into experimental (Carlos Henrique Lima Melara)
  • [2026-06-25] Accepted curl 8.21.0-1 (source) into unstable (Carlos Henrique Lima Melara)
  • [2026-06-19] Accepted curl 8.21.0~rc3-1+exp1 (source) into experimental (Carlos Henrique Lima Melara)
  • [2026-06-19] Accepted curl 8.21.0~rc3-1 (source) into unstable (Carlos Henrique Lima Melara)
  • [2026-06-14] Accepted curl 8.21.0~rc2-1+exp1 (source) into experimental (Samuel Henrique)
  • [2026-06-13] Accepted curl 8.21.0~rc2-1 (source) into unstable (Samuel Henrique)
  • [2026-06-08] Accepted curl 8.20.0-5~bpo13+1 (source amd64 all) into stable-backports (Debian FTP Masters) (signed by: Samuel Henrique)
  • [2026-06-06] curl 8.20.0-5 MIGRATED to testing (Debian testing watch)
  • [2026-06-04] Accepted curl 8.21.0~rc1-1+exp1 (source) into experimental (Samuel Henrique)
  • [2026-06-01] Accepted curl 8.20.0-5 (source) into unstable (Sergio Durigan Junior)
  • [2026-06-01] Accepted curl 8.20.0-4 (source) into unstable (Sergio Durigan Junior)
  • [2026-05-31] Accepted curl 8.20.0-3 (source amd64 all) into unstable (Debian FTP Masters) (signed by: Sergio Durigan Junior)
  • [2026-05-24] Accepted curl 8.20.0-2~bpo13+1 (source) into stable-backports (Samuel Henrique)
  • [2026-05-23] Accepted curl 8.20.0-2+exp1 (source) into experimental (Carlos Henrique Lima Melara)
  • [2026-05-22] curl 8.20.0-2 MIGRATED to testing (Debian testing watch)
  • [2026-05-13] Accepted curl 8.20.0-2 (source) into unstable (Carlos Henrique Lima Melara)
  • [2026-05-11] curl 8.20.0-1 MIGRATED to testing (Debian testing watch)
  • [2026-05-02] Accepted curl 8.14.1-2+deb13u3 (source) into proposed-updates (Debian FTP Masters) (signed by: Samuel Henrique)
  • [2026-04-30] Accepted curl 8.20.0-1+exp (source) into experimental (Samuel Henrique)
  • [2026-04-29] Accepted curl 8.20.0-1 (source) into unstable (Samuel Henrique)
  • [2026-04-23] Accepted curl 8.20.0~rc3-1 (source) into unstable (Samuel Henrique)
  • [2026-04-23] Accepted curl 8.20.0~rc3-1+exp1 (source) into experimental (Samuel Henrique)
  • [2026-04-15] Accepted curl 8.20.0~rc2-1+exp1 (source) into experimental (Carlos Henrique Lima Melara)
  • [2026-04-15] Accepted curl 8.20.0~rc2-1 (source) into unstable (Carlos Henrique Lima Melara)
  • [2026-04-08] Accepted curl 8.20.0~rc1-1+exp3 (source) into experimental (Carlos Henrique Lima Melara)
  • [2026-04-07] Accepted curl 8.20.0~rc1-1+exp2 (source) into experimental (Samuel Henrique)
  • 1
  • 2
bugs [bug history graph]
  • all: 50 54
  • RC: 1
  • I&N: 38 40
  • M&W: 11 13
  • F&P: 0
  • patch: 9 10
links
  • homepage
  • lintian (0, 1)
  • buildd: logs, exp, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • screenshots
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 8.18.0-1ubuntu2

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing