Accepted curl 7.64.0-4+deb10u4 (source) into oldstable
- To: debian-lts-changes@lists.debian.org, dispatch@tracker.debian.org
- Subject: Accepted curl 7.64.0-4+deb10u4 (source) into oldstable
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sat, 28 Jan 2023 20:40:20 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: curl_7.64.0-4+deb10u4_source.changes
- Debian-source: curl
- Debian-suite: oldstable
- Debian-version: 7.64.0-4+deb10u4
- Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ftp-master.debian.org; s=smtpauto.seger; h=Date:Message-Id: Content-Transfer-Encoding:Content-Type:Subject:MIME-Version:To:Reply-To:From: Cc:Content-ID:Content-Description:In-Reply-To:References; bh=jCoFxRlbS6lZqwLQc63tU0QP3ykdsZtobYlBT+fmkwM=; b=nEV3AYftNkX/GFESNvaxTk7SKL LfzCQiMBYoEpP2dtCUQoawSDofAKwyj6ndZeVUUoPehKLTrPh5lK6pnOQ5Mx7EyjQ5hXCnYZ4ZDO7 RCEmGy59isiG1IxJo5LDYszp/kaqRsg8cyRbS8s7WicJLPflX/J1Ck5AoiM0AGCvwNfj+/G5fVp8S zwNZbU7K1/2VyJBvU4A7STBGsTOLFOBxzjzAly4/j/nv4QNGQ6S2K/0BGVi06wsuSkAMRAo5wT2A4 udTeGx6GkoC0zmh/KnQQLFjqyWwky/4IheN7pKEMsatWCrcFMckNcqB/wmy0rT7bxjBiAlVLMUWpS isw8BXAw==;
- Mail-followup-to: debian-lts@lists.debian.org
- Message-id: <E1pLrzo-004QwU-Bu@seger.debian.org>
- Reply-to: debian-lts@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 26 Jan 2023 08:47:05 -0500
Source: curl
Architecture: source
Version: 7.64.0-4+deb10u4
Distribution: buster-security
Urgency: high
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Roberto C. Sánchez <roberto@debian.org>
Changes:
curl (7.64.0-4+deb10u4) buster-security; urgency=high
.
* Non-maintainer upload by the LTS Team.
* CVE-2022-27774:
An insufficiently protected credentials vulnerability exists in curl that
could allow an attacker to extract credentials when follows HTTP(S)
redirects is used with authentication could leak credentials to other
services that exist on different protocols or port numbers.
* Follow up to CVE-2022-27782:
The patch included to address this CVE in 7.64.0-4+deb10u3 contained a
defect which resulted in the vulnerability being completely addressed. The
patch is corrected and the vulberability is fully addressed in this version.
* CVE-2022-32221:
When doing HTTP(S) transfers, libcurl might erroneously use the read
callback (CURLOPT_READFUNCTION) to ask for data to send, even when the
CURLOPT_POSTFIELDS option has been set, if the same handle previously was
used to issue a PUT request which used that callback.
* CVE-2022-35252:
When curl is used to retrieve and parse cookies from a HTTP(S) server,
it accepts cookies using control codes that when later are sent back to a
HTTP server might make the server return 400 responses. Effectively
allowing a "sister site" to deny service to all siblings.
* CVE-2022-43552:
HTTP Proxy deny use-after-free
Checksums-Sha1:
8d2bdc1b1be2e0902b6892b15789b7201345013f 2694 curl_7.64.0-4+deb10u4.dsc
91cbf9870fe086bbb8057ae3e2342fc6462913bf 59080 curl_7.64.0-4+deb10u4.debian.tar.xz
66ba73edc78da52619c83ba099e855475bb78125 11810 curl_7.64.0-4+deb10u4_amd64.buildinfo
Checksums-Sha256:
ba385d7f1468f4bf309642218433f4975b9d5606410941bce7382b8cddebc273 2694 curl_7.64.0-4+deb10u4.dsc
a6a0f1c45359fa262ae1612e9d3d3e185c88b4d87473e44557bcc0441a72f10c 59080 curl_7.64.0-4+deb10u4.debian.tar.xz
e0013362ab8237ce14273d268f74c6a7125647830e3a95009580cb82ee611117 11810 curl_7.64.0-4+deb10u4_amd64.buildinfo
Files:
a1a433d9fbd4cebf9ca87f42a07d0dba 2694 web optional curl_7.64.0-4+deb10u4.dsc
f339698607d0ba7a918fdf2c00375338 59080 web optional curl_7.64.0-4+deb10u4.debian.tar.xz
52783a1817d2b9c49126d11811b16d2b 11810 web optional curl_7.64.0-4+deb10u4_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEIYZ1DR4ae5UL01q7ldFmTdL1kUIFAmPVhGgACgkQldFmTdL1
kUI4fg/6ApuNKC6jw9UxuE0JNezK/Zk1Kb3gWkN6lOwuizlflBS6InVZeLEFtRDB
/L2mMw/XUMMtUweBq38ZD3Xv9ROavKZB9n7CHbBOx6SFUBrhKfc9tGFdluvGlNlk
pwdG/KRqcqnKJ5yxXx9dEFgC3aKDjCDVs92jMI4zSmTUoXbFNXr+URATybrl+X2d
ao1avKPyh1Qvn4OAKkSEX2MoXyegzoWIm7/Kf6+TrkbCzmBjx6nniYd7nwnRARP2
ECYTSBHgA/PScGab0Sth30BGh3wnC+Bzr2mWj9SsO+fOP5i0FHG+ZSD9DpwbdFD1
JErexcCHaWh0/GfrP4KVOxvzJXHc2hAMEzgDxojoOzxJDG3CMRb+FhknklBM/CJb
nNnGKZjcLT/hUKKzwWBYaP3+l7RW1ArG0/izOVPs/Iw3q9MxfJMZjJCLL9RlOQYu
MbuC+K6ML9UHaH5QuIxgn9ySyMjwNK2BbAwawweQAza9G6v/wD2cc3gRXBPGj2Cy
RJQc4YUfz2hfHjxXwcXIOfLbm2OOf6UJewQRekWWjVo0QC2973rvlgw/3wvccuGL
FmNfS52tC5qGKU4b7sCG+9UYB8DZtHFetU5RUse+0iY7TxBK2UvwuRrIQDr8hTK7
XrSJZG0FhmpZ6cJh06LUS5X/+uFO6u6cdw+zzaiRGQMl6o5AZkA=
=QVbv
-----END PGP SIGNATURE-----