| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 04_workaround_as_needed_bug.patch | Work around libtool --as-needed reordering bug | Alessandro Ghedini <ghedo@debian.org> | not-needed | debian | vendor | 2016-08-03 |
| 06_always-disable-valgrind.patch | Always disable valgrind tests | not-needed | debian | vendor | 2012-10-22 | |
| 07_do-not-disable-debug-symbols.patch | Do not disable debug symbols without --enable-debug | Alessandro Ghedini <ghedo@debian.org> | not-needed | debian | vendor | 2012-11-16 |
| 08_enable-zsh.patch | Enable zsh completion generation | Alessandro Ghedini <ghedo@debian.org> | not-needed | vendor | 2016-08-03 | |
| 11_omit-directories-from-config.patch | In order to (partially) multi-arch-ify curl-config, remove all mention of @includedir@ and @libdir@ from the script. On Debian, the actual header and library directories are architecture-dependent, but will always be in the C compiler's default search path, so -I and -L options are not necessary (and may be harmful in multi-arch environments.) |
Benjamin Moody <benjamin.moody@gmail.com> | not-needed | debian | vendor | 2017-01-10 |
| 12_use-python3-in-tests.patch | Use python3 executable in tests | Alessandro Ghedini <ghedo@debian.org> | not-needed | vendor | 2020-08-24 | |
| 13_fix-man-formatting.patch | [PATCH] curl/docs/libcurl/*: fix some formatting of man pages Fix some fomatting issues in man pages. Details: From "mandoc -Tlint": From "test-groff -b -mandoc -T utf8 -rF0 -t -w w -z": [ "test-groff" is a developmental version of "groff" ] |
Bjarni Ingi Gislason <bjarniig@rhi.hi.is> | no | |||
| 14_transfer-strip-credentials-from-the-auto-referer-hea.patch | transfer: strip credentials from the auto-referer header field Added test 2081 to verify. CVE-2021-22876 |
Viktor Szakats <commit@vsz.me> | yes | upstream | https://github.com/curl/curl/commit/7214288898f5625a6cc196e22a74232eada7861c | 2021-02-23 |
| 15_vtls-add-isproxy-argument-to-Curl_ssl_get-addsession.patch | vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid() To make sure we set and extract the correct session. CVE-2021-22890 [Salvatore Bonaccorso: Backport to 7.74.0 for context changes] |
Daniel Stenberg <daniel@haxx.se> | yes | upstream | https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844 | 2021-03-19 |
| fix-regression-microseconds-instead-of-seconds.patch | [PATCH] =?UTF-8?q?too=C4=BA=5Fwriteout:=20fix=20the=20-w=20time?= =?UTF-8?q?=20output=20units?= Fix regression from commit fc813f80e1bcac (#6248) that changed the unit to microseconds instead of seconds with fractions Fixes #6321 Closes #6322 |
Daniel Stenberg <daniel@haxx.se> | no | 2020-12-15 | ||
| CVE-2021-22898.patch | CVE-2021-22898 | Markus Koschany <apo@debian.org> | no | debian | https://github.com/curl/curl/commit/894f6ec730597eb243618d33cc84d71add8d6a8a | 2022-07-23 |
| CVE-2021-22945.patch | CVE-2021-22945 | Markus Koschany <apo@debian.org> | no | https://github.com/curl/curl/commit/43157490a5054bd24256fe12876931e8abc9df49 | 2022-07-23 | |
| CVE-2021-22946.patch | CVE-2021-22946 | Markus Koschany <apo@debian.org> | no | https://github.com/curl/curl/commit/364f174724ef115c63d5e5dc1d3342c8a43b1cca | 2022-07-23 | |
| CVE-2021-22947.patch | CVE-2021-22947 | Markus Koschany <apo@debian.org> | no | https://github.com/curl/curl/commit/8ef147c43646e91fdaad5d0e7b60351f842e5c68 | 2022-07-24 | |
| CVE-2021-22924.patch | CVE-2021-22924 | Markus Koschany <apo@debian.org> | no | debian | https://github.com/curl/curl/commit/5ea3145850ebff1dc2b13d17440300a01ca38161 | 2022-07-24 |
| CVE-2022-22576.patch | CVE-2022-22576 | Markus Koschany <apo@debian.org> | no | debian | https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425 | 2022-07-24 |
| CVE-2022-27775.patch | CVE-2022-27775 | Markus Koschany <apo@debian.org> | no | debian | https://github.com/curl/curl/commit/058f98dc3fe595f21dc26a5b9b1699e519ba5705 | 2022-07-25 |
| CVE-2022-27776.patch | CVE-2022-27776 | Markus Koschany <apo@debian.org> | no | debian | https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258 | 2022-07-25 |
| CVE-2022-27781.patch | CVE-2022-27781 | Markus Koschany <apo@debian.org> | no | https://github.com/curl/curl/commit/5c7da89d404bf59 | 2022-07-25 | |
| CVE-2022-27782_part1.patch | CVE-2022-27782_part1 | Markus Koschany <apo@debian.org> | no | https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c | 2022-07-25 | |
| CVE-2022-27782_part2.patch | CVE-2022-27782_part2 | Markus Koschany <apo@debian.org> | no | https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5 | 2022-07-26 | |
| CVE-2022-32205.patch | CVE-2022-32205 | Markus Koschany <apo@debian.org> | no | https://github.com/curl/curl/commit/48d7064a49148f03942380967da739dcde1cdc24 | 2022-07-26 | |
| CVE-2022-32206.patch | CVE-2022-32206 | Markus Koschany <apo@debian.org> | no | https://github.com/curl/curl/commit/3a09fbb7f264c67c438d01a30669ce325aa508e2 | 2022-07-26 | |
| CVE-2022-32207.patch | CVE-2022-32207 | Markus Koschany <apo@debian.org> | no | https://github.com/curl/curl/commit/20f9dd6bae50b7223171b17ba7798946e74f877f | 2022-07-26 | |
| CVE-2022-32208.patch | CVE-2022-32208 | Markus Koschany <apo@debian.org> | no | https://github.com/curl/curl/commit/6ecdf5136b52af747e7bda08db9a748256b1cd09 | 2022-07-26 | |
| CVE-2022-27774_1_of_4.patch | [PATCH] connect: store "conn_remote_port" in the info struct To make it available after the connection ended. |
Daniel Stenberg <daniel@haxx.se> | no | 2022-04-25 | ||
| CVE-2022-27774_2_of_4.patch | [PATCH] transfer: redirects to other protocols or ports clear auth ... unless explicitly permitted. Closes #8748 |
Daniel Stenberg <daniel@haxx.se> | yes | upstream | 2022-04-25 | |
| CVE-2022-27774_3_of_4.patch | [PATCH] tests: verify the fix for CVE-2022-27774 - Test 973 redirects from HTTP to FTP, clear auth - Test 974 redirects from HTTP to HTTP different port, clear auth - Test 975 redirects from HTTP to FTP, permitted to keep auth - Test 976 redirects from HTTP to HTTP different port, permitted to keep auth |
Daniel Stenberg <daniel@haxx.se> | no | 2022-04-25 | ||
| CVE-2022-27774_4_of_4.patch | [PATCH] openssl: don't leak the SRP credentials in redirects either Follow-up to 620ea21410030 Closes #8751 |
Daniel Stenberg <daniel@haxx.se> | no | 2022-04-25 | ||
| cookie-reject-cookies-with-control-bytes.patch | cookie: reject cookies with "control bytes" Rejects 0x01 - 0x1f (except 0x09) plus 0x7f CVE-2022-35252 Closes #9381 |
Daniel Stenberg <daniel@haxx.se> | yes | debian upstream | https://github.com/curl/curl/commit/8dfc93e573ca740544a2d79ebb0ed786592c65c3 | 2022-08-29 |
| test8-verify-that-ctrl-byte-cookies-are-ignored.patch | test8: verify that "ctrl-byte cookies" are ignored | Daniel Stenberg <daniel@haxx.se> | no | https://github.com/curl/curl/commit/2fc031d834d488854ffc58bf7dbcef7fa7c1fc28 | 2022-08-29 | |
| CVE-2022-32221.patch | setopt: when POST is set, reset the 'upload' field (CVE-2022-32221) | Samuel Henrique <samueloph@debian.org> | no | https://github.com/curl/curl/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9 | 2022-12-27 | |
| CVE-2022-43552.patch | smb/telnet: do not free the protocol struct in *_done() (CVE-2022-43552) | Samuel Henrique <samueloph@debian.org> | no | https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2 | 2022-12-27 | |
| CVE-2023-23916.patch | [PATCH] content_encoding: do not reset stage counter for each header This patch was backported and may contain changes done by Samuel Henrique <samueloph@debian.org> =================================================================== |
Patrick Monnerat <patrick@monnerat.net> | no | https://github.com/curl/curl/commit/119fb187192a9ea13dc90d9d20c215fc82799ab9 | 2023-02-13 | |
| CVE-2023-27533.patch | [PATCH] telnet: only accept option arguments in ascii To avoid embedded telnet negotiation commands etc. Closes #10728 Backported to Debian by Samuel Henrique <samueloph@debian.org> |
Daniel Stenberg <daniel@haxx.se> | no | 2023-03-06 | ||
| CVE-2023-27534.patch | [PATCH] curl_path: create the new path with dynbuf Closes #10729 Backported to Debian by Samuel Henrique <samueloph@debian.org> |
Daniel Stenberg <daniel@haxx.se> | no | 2023-03-09 | ||
| CVE-2023-27538.patch | [PATCH] url: fix the SSH connection reuse check Closes #10735 Backported to Debian by Samuel Henrique <samueloph@debian.org> |
Daniel Stenberg <daniel@haxx.se> | no | 2023-03-10 | ||
| add_Curl_timestrcmp.patch | Backport Curl_timestrcmp in lib/strcase.(c|h) This patch was backported by Samuel Henrique <samueloph@debian.org> and it only has the changes required to backport other patches, so we are not converting the whole codebase to make use of the new function (yet). Original patch details =================================================================== |
Daniel Stenberg <daniel@haxx.se> | no | https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878 | ||
| CVE-2023-27535.patch | [PATCH] ftp: add more conditions for connection reuse Closes #10730 Backported to Debian by Samuel Henrique <samueloph@debian.org> |
Daniel Stenberg <daniel@haxx.se> | no | 2023-03-09 | ||
| CVE-2023-27536.patch | [PATCH] url: only reuse connections with same GSS delegation Closes #10731 Backported to Debian by Samuel Henrique <samueloph@debian.org> |
Daniel Stenberg <daniel@haxx.se> | no | 2023-03-10 | ||
| CVE-2023-28321.patch | [PATCH] Resolves: CVE-2023-28321 - fix host name wildcard checking | Jacek Migacz <jmigacz@redhat.com> | no | 2023-06-27 | ||
| CVE-2023-28322.patch | [PATCH] lib: unify the upload/method handling By making sure we set state.upload based on the set.method value and not independently as set.upload, we reduce confusion and mixup risks, both internally and externally. Closes #11017 |
Daniel Stenberg <daniel@haxx.se> | no | 2023-04-25 | ||
| CVE-2023-38545.patch | [PATCH] socks: return error if hostname too long for remote resolve Prior to this change the state machine attempted to change the remote resolve to a local resolve if the hostname was longer than 255 characters. Unfortunately that did not work as intended and caused a security issue. Name resolvers cannot resolve hostnames longer than 255 characters. Backported by: Samuel Henrique <samueloph@debian.org> |
Jay Satiro <raysatiro@yahoo.com> | yes | upstream | 2023-09-30 | |
| CVE-2023-38546.patch | [PATCH] cookie: remove unnecessary struct fields make much of a speed difference for most use cases but saves 1.5KB of data per instance. Closes #11862 Backported by: Samuel Henrique <samueloph@debian.org> |
Daniel Stenberg <daniel@haxx.se> | no | 2023-09-14 | ||
| CVE-2023-46218.patch | [PATCH] cookie: lowercase the domain names before PSL checks Closes #12387 Backported by: Samuel Henrique <samueloph@debian.org>: * Update signature of function "bad_domain" * Refresh patch context |
Daniel Stenberg <daniel@haxx.se> | no | 2023-11-23 | ||
| CVE-2024-2398.patch | [PATCH] http2: push headers better cleanup - provide common cleanup method for push headers Closes #13054 Backported by: Guilherme Puida Moreira <guilherme@puida.xyz>: * Changed h2_stream_ctx to HTTP in free_push_headers. * Dropped unnaplicable hunk in push_promise, since it changed some code that does not yet exist. |
Stefan Eissing <stefan@eissing.org> | no | 2024-03-06 | ||
| CVE-2024-7264-0.patch | x509asn1: clean up GTime2str Closes #14307 Backported to Debian by Carlos Henrique Lima Melara <charles@debian.org>. Changes: - In this version, GTime2str doesn't return CURLcode, so change that to NULL. |
Daniel Stenberg <daniel@haxx.se> | no | 2024-07-30 | ||
| CVE-2024-7264-1.patch | x509asn1: unittests and fixes for gtime2str Fix issues in GTime2str() and add unit test cases to verify correct behaviour. Follow-up to 3c914bc6801 Closes #14316 Backported to Debian by Carlos Henrique Lima Melara <charles@debian.org>. Changes: - In this version, GTime2str doesn't return CURLcode, so change that to NULL. - Also change test helper function to match the correct type and pass the correct arguments. In this version, GTime2str doesn't take struct dynbuf *. It's aimed to not FTBFS if someone build the package with --enable-debug. |
Stefan Eissing <stefan@eissing.org> | no | 2024-07-30 | ||
| 90_gnutls.patch | Build with GnuTLS. | Ramakrishnan Muthukrishnan <vu3rdd@gmail.com> | not-needed | vendor | 2018-05-23 | |
| 99_nss.patch | Build with NSS. | Ramakrishnan Muthukrishnan <vu3rdd@gmail.com> | not-needed | vendor | 2015-08-12 |