Debian Patches

Status for curl/7.74.0-1.3+deb11u13

Fields per entry: Patch, Description, Author, Forwarded, Bugs, Origin, Last update.
04_workaround_as_needed_bug.patch
  Description: Work around libtool --as-needed reordering bug
  Author: Alessandro Ghedini <ghedo@debian.org>
  Forwarded: not-needed | Bugs: debian | Origin: vendor | Last update: 2016-08-03

06_always-disable-valgrind.patch
  Description: Always disable valgrind tests
  Forwarded: not-needed | Bugs: debian | Origin: vendor | Last update: 2012-10-22

07_do-not-disable-debug-symbols.patch
  Description: Do not disable debug symbols without --enable-debug
  Author: Alessandro Ghedini <ghedo@debian.org>
  Forwarded: not-needed | Bugs: debian | Origin: vendor | Last update: 2012-11-16

08_enable-zsh.patch
  Description: Enable zsh completion generation
  Author: Alessandro Ghedini <ghedo@debian.org>
  Forwarded: not-needed | Origin: vendor | Last update: 2016-08-03

11_omit-directories-from-config.patch
  Description: In order to (partially) multi-arch-ify curl-config, remove all mention of
    @includedir@ and @libdir@ from the script. On Debian, the actual header and
    library directories are architecture-dependent, but will always be in the C
    compiler's default search path, so -I and -L options are not necessary (and
    may be harmful in multi-arch environments.)
  Author: Benjamin Moody <benjamin.moody@gmail.com>
  Forwarded: not-needed | Bugs: debian | Origin: vendor | Last update: 2017-01-10

12_use-python3-in-tests.patch
  Description: Use python3 executable in tests
  Author: Alessandro Ghedini <ghedo@debian.org>
  Forwarded: not-needed | Origin: vendor | Last update: 2020-08-24

13_fix-man-formatting.patch
  Description: [PATCH] curl/docs/libcurl/*: fix some formatting of man pages
    Fix some formatting issues in man pages.
    Details:
    From "mandoc -Tlint":
    From "test-groff -b -mandoc -T utf8 -rF0 -t -w w -z":
    [ "test-groff" is a developmental version of "groff" ]
  Author: Bjarni Ingi Gislason <bjarniig@rhi.hi.is>
  Forwarded: no

14_transfer-strip-credentials-from-the-auto-referer-hea.patch
  Description: transfer: strip credentials from the auto-referer header field
    Added test 2081 to verify.
    CVE-2021-22876
  Author: Viktor Szakats <commit@vsz.me>
  Forwarded: yes | Origin: upstream, https://github.com/curl/curl/commit/7214288898f5625a6cc196e22a74232eada7861c | Last update: 2021-02-23

15_vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch
  Description: vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
    To make sure we set and extract the correct session.
    CVE-2021-22890
    [Salvatore Bonaccorso: Backport to 7.74.0 for context changes]
  Author: Daniel Stenberg <daniel@haxx.se>
  Forwarded: yes | Origin: upstream, https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844 | Last update: 2021-03-19

fix-regression-microseconds-instead-of-seconds.patch
  Description: [PATCH] tool_writeout: fix the -w time output units
    Fix regression from commit fc813f80e1bcac (#6248) that changed the unit
    to microseconds instead of seconds with fractions
    Fixes #6321
    Closes #6322
  Author: Daniel Stenberg <daniel@haxx.se>
  Forwarded: no | Last update: 2020-12-15

The following fifteen patches are CVE backports by Markus Koschany <apo@debian.org>; for each, the Description is just the CVE id and Forwarded is "no":

CVE-2021-22898.patch | Bugs: debian | Origin: https://github.com/curl/curl/commit/894f6ec730597eb243618d33cc84d71add8d6a8a | Last update: 2022-07-23
CVE-2021-22945.patch | Origin: https://github.com/curl/curl/commit/43157490a5054bd24256fe12876931e8abc9df49 | Last update: 2022-07-23
CVE-2021-22946.patch | Origin: https://github.com/curl/curl/commit/364f174724ef115c63d5e5dc1d3342c8a43b1cca | Last update: 2022-07-23
CVE-2021-22947.patch | Origin: https://github.com/curl/curl/commit/8ef147c43646e91fdaad5d0e7b60351f842e5c68 | Last update: 2022-07-24
CVE-2021-22924.patch | Bugs: debian | Origin: https://github.com/curl/curl/commit/5ea3145850ebff1dc2b13d17440300a01ca38161 | Last update: 2022-07-24
CVE-2022-22576.patch | Bugs: debian | Origin: https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425 | Last update: 2022-07-24
CVE-2022-27775.patch | Bugs: debian | Origin: https://github.com/curl/curl/commit/058f98dc3fe595f21dc26a5b9b1699e519ba5705 | Last update: 2022-07-25
CVE-2022-27776.patch | Bugs: debian | Origin: https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258 | Last update: 2022-07-25
CVE-2022-27781.patch | Origin: https://github.com/curl/curl/commit/5c7da89d404bf59 | Last update: 2022-07-25
CVE-2022-27782_part1.patch | Origin: https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c | Last update: 2022-07-25
CVE-2022-27782_part2.patch | Origin: https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5 | Last update: 2022-07-26
CVE-2022-32205.patch | Origin: https://github.com/curl/curl/commit/48d7064a49148f03942380967da739dcde1cdc24 | Last update: 2022-07-26
CVE-2022-32206.patch | Origin: https://github.com/curl/curl/commit/3a09fbb7f264c67c438d01a30669ce325aa508e2 | Last update: 2022-07-26
CVE-2022-32207.patch | Origin: https://github.com/curl/curl/commit/20f9dd6bae50b7223171b17ba7798946e74f877f | Last update: 2022-07-26
CVE-2022-32208.patch | Origin: https://github.com/curl/curl/commit/6ecdf5136b52af747e7bda08db9a748256b1cd09 | Last update: 2022-07-26

CVE-2022-27774_1_of_4.patch
  Description: [PATCH] connect: store "conn_remote_port" in the info struct
    To make it available after the connection ended.
  Author: Daniel Stenberg <daniel@haxx.se>
  Forwarded: no | Last update: 2022-04-25

CVE-2022-27774_2_of_4.patch
  Description: [PATCH] transfer: redirects to other protocols or ports clear auth
    ... unless explicitly permitted.
    Closes #8748
  Author: Daniel Stenberg <daniel@haxx.se>
  Forwarded: yes | Origin: upstream | Last update: 2022-04-25

CVE-2022-27774_3_of_4.patch
  Description: [PATCH] tests: verify the fix for CVE-2022-27774
    - Test 973 redirects from HTTP to FTP, clear auth
    - Test 974 redirects from HTTP to HTTP different port, clear auth
    - Test 975 redirects from HTTP to FTP, permitted to keep auth
    - Test 976 redirects from HTTP to HTTP different port, permitted to keep auth
  Author: Daniel Stenberg <daniel@haxx.se>
  Forwarded: no | Last update: 2022-04-25

CVE-2022-27774_4_of_4.patch
  Description: [PATCH] openssl: don't leak the SRP credentials in redirects either
    Follow-up to 620ea21410030
    Closes #8751
  Author: Daniel Stenberg <daniel@haxx.se>
  Forwarded: no | Last update: 2022-04-25

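The two credential rules on this page, stripping "user:pass@" from the automatic Referer (14_transfer-strip-credentials, CVE-2021-22876) and clearing auth when a redirect changes protocol or port unless explicitly permitted (CVE-2022-27774_2_of_4), as an added C example. This is not curl's own code: the URL splitter is a deliberately minimal one (assumed: no bracketed IPv6 literals, no percent-decoding), the default-port table and the function names are my own, and the `unrestricted` flag stands in for what curl exposes as CURLOPT_UNRESTRICTED_AUTH. Comparing the host is curl's pre-existing rule; the patch adds scheme and port to that comparison.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Just the pieces the two rules need; not a full RFC 3986 parser (assumption). */
struct url_parts {
    char scheme[16];
    char host[256];
    unsigned port;      /* explicit port, else the scheme default */
};

/* Assumed defaults for the schemes tests 973-976 exercise, plus https. */
static unsigned default_port(const char *scheme)
{
    if(strcasecmp(scheme, "http") == 0)  return 80;
    if(strcasecmp(scheme, "https") == 0) return 443;
    if(strcasecmp(scheme, "ftp") == 0)   return 21;
    return 0;
}

/* Returns 0 on success, -1 if there is no "scheme://" or a field is too long. */
static int parse_url(const char *url, struct url_parts *p)
{
    const char *sep = strstr(url, "://");
    if(!sep || (size_t)(sep - url) >= sizeof(p->scheme))
        return -1;
    memset(p, 0, sizeof(*p));
    memcpy(p->scheme, url, (size_t)(sep - url));

    const char *auth = sep + 3;
    size_t authlen = strcspn(auth, "/?#");        /* authority ends at path/query/fragment */
    const char *at = memchr(auth, '@', authlen);  /* userinfo, if any, precedes '@' */
    const char *hostp = at ? at + 1 : auth;
    size_t hostlen = authlen - (size_t)(hostp - auth);
    const char *colon = memchr(hostp, ':', hostlen);
    if(colon) {
        p->port = (unsigned)strtoul(colon + 1, NULL, 10);
        hostlen = (size_t)(colon - hostp);
    }
    else
        p->port = default_port(p->scheme);
    if(hostlen >= sizeof(p->host))
        return -1;
    memcpy(p->host, hostp, hostlen);
    return 0;
}

/* CVE-2021-22876 rule: the auto-referer must not carry the previous URL's
 * userinfo. Copies url minus "user:pass@" into out; 0 on success, -1 if out
 * is too small. */
int referer_without_credentials(const char *url, char *out, size_t outlen)
{
    const char *sep = strstr(url, "://");
    const char *auth = sep ? sep + 3 : url;
    size_t authlen = strcspn(auth, "/?#");
    const char *at = memchr(auth, '@', authlen);
    size_t prefix = (size_t)(auth - url);          /* "scheme://", or 0 */
    const char *rest = at ? at + 1 : auth;
    if(prefix + strlen(rest) >= outlen)
        return -1;
    memcpy(out, url, prefix);
    strcpy(out + prefix, rest);
    return 0;
}

/* CVE-2022-27774 rule: credentials follow a redirect only when scheme, host
 * and port all match the original request, unless the caller explicitly
 * permitted it. Returns 1 to keep auth, 0 to clear it, -1 if a URL does not
 * parse (treat as "clear"). */
int keep_auth_on_redirect(const char *from, const char *to, int unrestricted)
{
    struct url_parts a, b;
    if(parse_url(from, &a) || parse_url(to, &b))
        return -1;
    if(unrestricted)
        return 1;
    return strcasecmp(a.scheme, b.scheme) == 0 &&
           strcasecmp(a.host, b.host) == 0 &&
           a.port == b.port;
}

int main(void)
{
    /* constructed URLs mirroring the shape of tests 973-976 */
    char referer[256];
    referer_without_credentials("http://alice:s3cret@example.com/start", referer, sizeof referer);
    printf("Referer: %s\n", referer);
    printf("http -> ftp, same host:   keep=%d\n",
           keep_auth_on_redirect("http://example.com/start", "ftp://example.com/file", 0));
    printf("http -> http:8080:        keep=%d\n",
           keep_auth_on_redirect("http://example.com/start", "http://example.com:8080/next", 0));
    printf("http -> ftp, unrestricted: keep=%d\n",
           keep_auth_on_redirect("http://example.com/start", "ftp://example.com/file", 1));
    return 0;
}
```

A redirect to the same host on its default port spelled explicitly (`http://example.com:80/`) still keeps auth, which is why the comparison is on the resolved port rather than on the URL text.
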
cookie-reject-cookies-with-control-bytes.patch
  Description: cookie: reject cookies with "control bytes"
    Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
    CVE-2022-35252
    Closes #9381
  Author: Daniel Stenberg <daniel@haxx.se>
  Forwarded: yes | Bugs: debian | Origin: upstream, https://github.com/curl/curl/commit/8dfc93e573ca740544a2d79ebb0ed786592c65c3 | Last update: 2022-08-29

test8-verify-that-ctrl-byte-cookies-are-ignored.patch
  Description: test8: verify that "ctrl-byte cookies" are ignored
  Author: Daniel Stenberg <daniel@haxx.se>
  Forwarded: no | Origin: https://github.com/curl/curl/commit/2fc031d834d488854ffc58bf7dbcef7fa7c1fc28 | Last update: 2022-08-29

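The byte rule stated in the cookie patch above (reject 0x01-0x1f except 0x09, plus 0x7f), applied to a batch of Set-Cookie values, as an added C example. It is not curl's lib/cookie.c; the function names and the sample cookie lines are constructed for the example, and the whole-line check is my reading of "reject cookies with control bytes", i.e. one bad byte anywhere discards the cookie rather than truncating it.

```c
#include <stdio.h>
#include <string.h>

/* The rule from the patch: 0x01-0x1f are rejected except 0x09 (TAB), and
 * 0x7f (DEL) is rejected. 0x00 cannot occur inside a C string. */
int is_cookie_control_byte(unsigned char c)
{
    return (c >= 0x01 && c <= 0x1f && c != 0x09) || c == 0x7f;
}

/* Offset of the first rejected byte in a Set-Cookie value, or -1 if none. */
long first_control_byte(const char *line)
{
    const unsigned char *start = (const unsigned char *)line;
    for(const unsigned char *p = start; *p; p++)
        if(is_cookie_control_byte(*p))
            return (long)(p - start);
    return -1;
}

/* Accept/reject a batch the way a jar would after the fix: any control byte
 * anywhere in the line drops that cookie. Fills verdict[i] with 1 (accepted)
 * or 0 (rejected) and returns the number accepted. */
size_t filter_set_cookie(const char *const *lines, size_t n, int *verdict)
{
    size_t kept = 0;
    for(size_t i = 0; i < n; i++) {
        verdict[i] = first_control_byte(lines[i]) < 0;
        kept += (size_t)verdict[i];
    }
    return kept;
}

/* Constructed sample Set-Cookie values, not captured traffic. */
const char *const sample_cookies[] = {
    "session=abc123; Path=/; HttpOnly",      /* clean */
    "pref=a\tb; Path=/",                     /* 0x09 TAB is allowed */
    "evil=x\x01y; Path=/",                   /* 0x01: rejected */
    "bell=ring\x07; Domain=example.com",     /* 0x07: rejected */
    "del=trailing\x7f",                      /* 0x7f DEL: rejected */
    "split=a\r\nSet-Cookie: injected=1",     /* 0x0d 0x0a: rejected */
};
const size_t sample_count = sizeof(sample_cookies) / sizeof(sample_cookies[0]);

int main(void)
{
    int verdict[sizeof(sample_cookies) / sizeof(sample_cookies[0])];
    size_t kept = filter_set_cookie(sample_cookies, sample_count, verdict);
    for(size_t i = 0; i < sample_count; i++)
        printf("%-7s first bad byte at %ld\n",
               verdict[i] ? "accept" : "reject", first_control_byte(sample_cookies[i]));
    printf("%zu of %zu accepted\n", kept, sample_count);
    return 0;
}
```

The last sample is the case that makes the rule security-relevant: a CR/LF inside a stored cookie can later be written out as a second header line, so the jar refuses it up front instead of relying on every writer to escape it.
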
CVE-2022-32221.patch
  Description: setopt: when POST is set, reset the 'upload' field (CVE-2022-32221)
  Author: Samuel Henrique <samueloph@debian.org>
  Forwarded: no | Origin: https://github.com/curl/curl/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9 | Last update: 2022-12-27

CVE-2022-43552.patch
  Description: smb/telnet: do not free the protocol struct in *_done() (CVE-2022-43552)
  Author: Samuel Henrique <samueloph@debian.org>
  Forwarded: no | Origin: https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2 | Last update: 2022-12-27

CVE-2023-23916.patch
  Description: [PATCH] content_encoding: do not reset stage counter for each header
    This patch was backported and may contain changes done by
    Samuel Henrique <samueloph@debian.org>
  Author: Patrick Monnerat <patrick@monnerat.net>
  Forwarded: no | Origin: https://github.com/curl/curl/commit/119fb187192a9ea13dc90d9d20c215fc82799ab9 | Last update: 2023-02-13

CVE-2023-27533.patch
  Description: [PATCH] telnet: only accept option arguments in ascii
    To avoid embedded telnet negotiation commands etc.
    Closes #10728
    Backported to Debian by Samuel Henrique <samueloph@debian.org>
  Author: Daniel Stenberg <daniel@haxx.se>
  Forwarded: no | Last update: 2023-03-06

CVE-2023-27534.patch
  Description: [PATCH] curl_path: create the new path with dynbuf
    Closes #10729
    Backported to Debian by Samuel Henrique <samueloph@debian.org>
  Author: Daniel Stenberg <daniel@haxx.se>
  Forwarded: no | Last update: 2023-03-09

CVE-2023-27538.patch
  Description: [PATCH] url: fix the SSH connection reuse check
    Closes #10735
    Backported to Debian by Samuel Henrique <samueloph@debian.org>
  Author: Daniel Stenberg <daniel@haxx.se>
  Forwarded: no | Last update: 2023-03-10

add_Curl_timestrcmp.patch
  Description: Backport Curl_timestrcmp in lib/strcase.(c|h)
    This patch was backported by Samuel Henrique <samueloph@debian.org> and it
    only has the changes required to backport other patches, so we are not
    converting the whole codebase to make use of the new function (yet).
    Original patch details
  Author: Daniel Stenberg <daniel@haxx.se>
  Forwarded: no | Origin: https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878

CVE-2023-27535.patch
  Description: [PATCH] ftp: add more conditions for connection reuse
    Closes #10730
    Backported to Debian by Samuel Henrique <samueloph@debian.org>
  Author: Daniel Stenberg <daniel@haxx.se>
  Forwarded: no | Last update: 2023-03-09

CVE-2023-27536.patch
  Description: [PATCH] url: only reuse connections with same GSS delegation
    Closes #10731
    Backported to Debian by Samuel Henrique <samueloph@debian.org>
  Author: Daniel Stenberg <daniel@haxx.se>
  Forwarded: no | Last update: 2023-03-10

CVE-2023-28321.patch
  Description: [PATCH] Resolves: CVE-2023-28321 - fix host name wildcard checking
  Author: Jacek Migacz <jmigacz@redhat.com>
  Forwarded: no | Last update: 2023-06-27

CVE-2023-28322.patch
  Description: [PATCH] lib: unify the upload/method handling
    By making sure we set state.upload based on the set.method value and not
    independently as set.upload, we reduce confusion and mixup risks, both
    internally and externally.
    Closes #11017
  Author: Daniel Stenberg <daniel@haxx.se>
  Forwarded: no | Last update: 2023-04-25

CVE-2023-38545.patch
  Description: [PATCH] socks: return error if hostname too long for remote resolve
    Prior to this change the state machine attempted to change the remote
    resolve to a local resolve if the hostname was longer than 255
    characters. Unfortunately that did not work as intended and caused a
    security issue.
    Name resolvers cannot resolve hostnames longer than 255 characters.
    Backported by: Samuel Henrique <samueloph@debian.org>
  Author: Jay Satiro <raysatiro@yahoo.com>
  Forwarded: yes | Origin: upstream | Last update: 2023-09-30

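Where the 255 in the CVE-2023-38545 entry comes from, as an added C example that is not curl's lib/socks.c: in a SOCKS5 CONNECT request with a domain-name address (RFC 1928, ATYP 0x03) the host name is preceded by a single length byte, so a name longer than 255 bytes cannot be handed to the proxy for remote resolving at all. The example builds that request and does what the patch title says, return an error for an over-long name, instead of the silent fallback the patch removed. Function names and the 'a'-filled boundary names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SOCKS5 CONNECT with ATYP=3 (RFC 1928): VER CMD RSV ATYP LEN name PORT(2).
 * The name length travels in one byte, which is the 255 limit the patch
 * enforces. Returns the number of bytes written, or -1 when the name is
 * empty, longer than 255, or the buffer is too small. The caller fails the
 * transfer here rather than quietly switching to local resolving. */
int socks5_connect_request(const char *host, uint16_t port,
                           unsigned char *buf, size_t buflen)
{
    size_t hlen = strlen(host);
    if(hlen == 0 || hlen > 255)
        return -1;
    size_t need = 4 + 1 + hlen + 2;
    if(need > buflen)
        return -1;
    buf[0] = 0x05;               /* VER */
    buf[1] = 0x01;               /* CMD: CONNECT */
    buf[2] = 0x00;               /* RSV */
    buf[3] = 0x03;               /* ATYP: domain name, the proxy resolves it */
    buf[4] = (unsigned char)hlen;
    memcpy(buf + 5, host, hlen);
    buf[5 + hlen] = (unsigned char)(port >> 8);   /* port, network byte order */
    buf[6 + hlen] = (unsigned char)(port & 0xff);
    return (int)need;
}

/* Boundary helper: builds a name of len 'a's (constructed input) and reports
 * what socks5_connect_request does with it. */
int request_len_for_name_length(size_t len)
{
    char name[300];
    unsigned char buf[300];
    if(len >= sizeof(name))
        return -1;
    memset(name, 'a', len);
    name[len] = '\0';
    return socks5_connect_request(name, 80, buf, sizeof buf);
}

int main(void)
{
    unsigned char buf[300];
    int n = socks5_connect_request("example.com", 443, buf, sizeof buf);
    printf("example.com:443 -> %d bytes:", n);
    for(int i = 0; i < n; i++)
        printf(" %02x", buf[i]);
    printf("\n255-char name -> %d\n256-char name -> %d\n",
           request_len_for_name_length(255), request_len_for_name_length(256));
    return 0;
}
```

Without the length check, `(unsigned char)hlen` would wrap and the request would claim a shorter name than the bytes that follow, so the check belongs before the encoding, not in the proxy reply handling.
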
CVE-2023-38546.patch
  Description: [PATCH] cookie: remove unnecessary struct fields
    make much of a speed difference for most use cases but saves 1.5KB of
    data per instance.
    Closes #11862
    Backported by: Samuel Henrique <samueloph@debian.org>
  Author: Daniel Stenberg <daniel@haxx.se>
  Forwarded: no | Last update: 2023-09-14

CVE-2023-46218.patch
  Description: [PATCH] cookie: lowercase the domain names before PSL checks
    Closes #12387
    Backported by: Samuel Henrique <samueloph@debian.org>:
    * Update signature of function "bad_domain"
    * Refresh patch context
  Author: Daniel Stenberg <daniel@haxx.se>
  Forwarded: no | Last update: 2023-11-23

CVE-2024-2398.patch
  Description: [PATCH] http2: push headers better cleanup
    - provide common cleanup method for push headers
    Closes #13054
    Backported by: Guilherme Puida Moreira <guilherme@puida.xyz>:
    * Changed h2_stream_ctx to HTTP in free_push_headers.
    * Dropped inapplicable hunk in push_promise, since it changed some code
      that does not yet exist.
  Author: Stefan Eissing <stefan@eissing.org>
  Forwarded: no | Last update: 2024-03-06

CVE-2024-7264-0.patch
  Description: x509asn1: clean up GTime2str
    Closes #14307
    Backported to Debian by Carlos Henrique Lima Melara <charles@debian.org>.
    Changes:
    - In this version, GTime2str doesn't return CURLcode, so change that to NULL.
  Author: Daniel Stenberg <daniel@haxx.se>
  Forwarded: no | Last update: 2024-07-30

CVE-2024-7264-1.patch
  Description: x509asn1: unittests and fixes for gtime2str
    Fix issues in GTime2str() and add unit test cases to verify correct
    behaviour.
    Follow-up to 3c914bc6801
    Closes #14316
    Backported to Debian by Carlos Henrique Lima Melara <charles@debian.org>.
    Changes:
    - In this version, GTime2str doesn't return CURLcode, so change that to NULL.
    - Also change the test helper function to match the correct type and pass the
      correct arguments. In this version, GTime2str doesn't take struct dynbuf *.
      It's aimed to not FTBFS if someone builds the package with --enable-debug.
  Author: Stefan Eissing <stefan@eissing.org>
  Forwarded: no | Last update: 2024-07-30

90_gnutls.patch
  Description: Build with GnuTLS.
  Author: Ramakrishnan Muthukrishnan <vu3rdd@gmail.com>
  Forwarded: not-needed | Origin: vendor | Last update: 2018-05-23

99_nss.patch
  Description: Build with NSS.
  Author: Ramakrishnan Muthukrishnan <vu3rdd@gmail.com>
  Forwarded: not-needed | Origin: vendor | Last update: 2015-08-12
