curl - Debian Package Tracker

general

source: curl (main)
version: 8.18.0-1
maintainer: Debian Curl Maintainers (DMD)
uploaders: Sergio Durigan Junior [DMD] – Samuel Henrique [DMD] – Carlos Henrique Lima Melara [DMD]
arch: all any
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 7.74.0-1.3+deb11u13
o-o-sec: 7.74.0-1.3+deb11u16
o-o-p-u: 7.74.0-1.3+deb11u13
oldstable: 7.88.1-10+deb12u14
old-sec: 7.88.1-10+deb12u5
old-bpo: 8.14.1-2~bpo12+1
stable: 8.14.1-2+deb13u2
stable-bpo: 8.16.0-4~bpo13+1
testing: 8.18.0-1
unstable: 8.18.0-1

versioned links

7.74.0-1.3+deb11u13: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.74.0-1.3+deb11u16: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.88.1-10+deb12u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.88.1-10+deb12u14: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.14.1-2~bpo12+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.14.1-2+deb13u2~bpo13+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.14.1-2+deb13u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.16.0-4~bpo13+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.18.0-1~bpo13+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.18.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

curl (44 bugs: 1, 31, 12, 0)
libcurl3t64-gnutls
libcurl4-doc
libcurl4-gnutls-dev
libcurl4-openssl-dev (4 bugs: 0, 4, 0, 0)
libcurl4t64

action needed

Multiarch hinter reports 2 issue(s) high

There are issues with the multiarch metadata for this package.

libcurl4-gnutls-dev conflicts on /usr/bin/curl-config on amd64, arm64, and 5 more with 22 combinations
libcurl4-openssl-dev conflicts on /usr/bin/curl-config on amd64, arm64, and 5 more with 22 combinations

Created: 2025-12-29 Last update: 2026-01-14 10:00

10 bugs tagged patch in the BTS normal

The BTS contains patches fixing 10 bugs (11 if counting merged bugs), consider including or untagging them.

Created: 2025-01-06 Last update: 2026-01-14 12:16

Depends on packages which need a new maintainer normal

The packages that curl depends on which need a new maintainer are:

stunnel4 (#1122515)
- Build-Depends: stunnel4

Created: 2025-12-11 Last update: 2026-01-14 11:00

lintian reports 3 warnings normal

Lintian reports 3 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-12-16 Last update: 2026-01-08 09:30

3 low-priority security issues in trixie low

There are 3 open security issues in trixie.

3 issues left for the package maintainer to handle:

CVE-2025-13034: (needs triaging) When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.
CVE-2025-14524: (needs triaging) When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
CVE-2025-14819: (needs triaging) When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-01-07 Last update: 2026-01-14 04:00

3 low-priority security issues in bookworm low

There are 3 open security issues in bookworm.

2 issues left for the package maintainer to handle:

CVE-2025-14524: (needs triaging) When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
CVE-2025-14819: (needs triaging) When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.

You can find information about how to handle these issues in the security team's documentation.

1 ignored issue:

CVE-2025-10148: curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.

Created: 2025-09-10 Last update: 2026-01-14 04:00

debian/patches: 1 patch to forward upstream low

Among the 3 debian patches available in version 8.18.0-1 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-01-08 06:30

news

[rss feed]

[2026-01-14] Accepted curl 8.14.1-2+deb13u2~bpo13+1 (source) into oldstable-backports (Samuel Henrique)
[2026-01-14] Accepted curl 8.18.0-1~bpo13+1 (source) into stable-backports (Samuel Henrique)
[2026-01-12] curl 8.18.0-1 MIGRATED to testing (Debian testing watch)
[2026-01-08] Accepted curl 8.18.0-1 (source) into unstable (Carlos Henrique Lima Melara)
[2026-01-05] Accepted curl 7.74.0-1.3+deb11u16 (source) into oldoldstable-security (Alex) (signed by: Carlos Henrique Lima Melara)
[2026-01-02] curl 8.18.0~rc3-1 MIGRATED to testing (Debian testing watch)
[2025-12-29] Accepted curl 8.18.0~rc3-1 (source) into unstable (Samuel Henrique)
[2025-12-20] curl 8.18.0~rc2-1 MIGRATED to testing (Debian testing watch)
[2025-12-16] Accepted curl 8.18.0~rc2-1 (source) into unstable (Samuel Henrique)
[2025-12-06] Accepted curl 8.18.0~rc1-1+exp1 (source) into experimental (Samuel Henrique)
[2025-11-26] curl 8.17.0-3 MIGRATED to testing (Debian testing watch)
[2025-11-24] Accepted curl 8.17.0-3 (source) into unstable (Carlos Henrique Lima Melara)
[2025-11-16] curl 8.17.0-2 MIGRATED to testing (Debian testing watch)
[2025-11-13] Accepted curl 8.17.0-2 (source) into unstable (Samuel Henrique)
[2025-11-09] Accepted curl 8.14.1-2+deb13u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Samuel Henrique)
[2025-11-08] curl 8.17.0-1 MIGRATED to testing (Debian testing watch)
[2025-11-07] Accepted curl 8.14.1-2+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Samuel Henrique)
[2025-11-05] Accepted curl 8.17.0-1 (source) into unstable (Samuel Henrique)
[2025-11-01] curl 8.17.0~rc3-1 MIGRATED to testing (Debian testing watch)
[2025-10-29] Accepted curl 8.17.0~rc3-1 (source) into unstable (Samuel Henrique)
[2025-10-28] curl 8.17.0~rc2-1 MIGRATED to testing (Debian testing watch)
[2025-10-20] Accepted curl 8.17.0~rc2-1 (source) into unstable (Samuel Henrique)
[2025-10-11] Accepted curl 8.16.0-4~bpo13+1 (source) into stable-backports (Samuel Henrique)
[2025-10-11] Accepted curl 8.17.0~rc1-1~exp1 (source) into experimental (Samuel Henrique)
[2025-10-11] curl 8.16.0-4 MIGRATED to testing (Debian testing watch)
[2025-10-08] Accepted curl 8.16.0-4 (source) into unstable (Carlos Henrique Lima Melara)
[2025-10-08] curl 8.16.0-2 MIGRATED to testing (Debian testing watch)
[2025-10-07] Accepted curl 8.16.0-3 (source) into unstable (Samuel Henrique)
[2025-10-02] Accepted curl 8.16.0-2 (source) into unstable (Samuel Henrique)
[2025-09-28] Accepted curl 8.16.0-1+exp1 (source) into experimental (Samuel Henrique)

bugs [bug history graph]

all: 62 67
RC: 1
I&N: 49 52
M&W: 12 14
F&P: 0
patch: 10 11

links

homepage
lintian (0, 3)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 8.17.0-1ubuntu1
80 bugs (4 patches)
patches for 8.17.0-1ubuntu1