Debian Patches
Status for curl/7.88.1-10+deb12u14
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 04_workaround_as_needed_bug.patch | Work around libtool --as-needed reordering bug =================================================================== |
Alessandro Ghedini <ghedo@debian.org> | not-needed | debian | vendor | 2016-08-03 |
| 08_enable-zsh.patch | Enable zsh completion generation =================================================================== |
Alessandro Ghedini <ghedo@debian.org> | not-needed | vendor | 2016-08-03 | |
| build-Divide-mit-krb5-gssapi-link-flags-between-LDFLAGS-a.patch | build: Divide mit-krb5-gssapi link flags between LDFLAGS and LIBS From the comments nearby about not having --libs-only-L, it looks as though the intention was to apply a split like this to all dependency libraries where possible, and the only reason it was not done for Kerberos is that krb5-config doesn't have that feature and pkg-config was originally not supported here. For example, zlib, libssh and librtmp all have their flags from pkg-config split in this way. Now that pkg-config is supported here, we can do the intended split. |
Simon McVittie <smcv@collabora.com> | no | 2022-11-22 | ||
| 11_omit-directories-from-config.patch | In order to (partially) multi-arch-ify curl-config, remove all mention of @includedir@ and @libdir@ from the script. On Debian, the actual header and library directories are architecture-dependent, but will always be in the C compiler's default search path, so -I and -L options are not necessary (and may be harmful in multi-arch environments.) =================================================================== |
Benjamin Moody <benjamin.moody@gmail.com> | not-needed | debian | vendor | 2017-01-10 |
| Remove-curl-s-LDFLAGS-from-curl-config-static-libs.patch | Remove curl's LDFLAGS from curl-config --static-libs On current Debian bookworm, the LDFLAGS consist of -L/usr/lib/${triplet}/mit-krb5 originating from `pkg-config --libs-only-L mit-krb5-gssapi` from krb5-multidev, plus some linker options that are intended for curl itself rather than for dependent packages. None of these are really desirable, and they create divergence between architectures that would prevent libcurl-*-dev from being Multi-Arch: same. The -L flag is not really needed, for the same reason that -L@libdir@ isn't. curl Build-Depends on libkrb5-dev, which doesn't need a special -L flag to find libgssapi_krb5, and the various libcurl-*-dev packages have Suggests on libkrb5-dev rather than on krb5-multidev for static linking. The other options (currently `-Wl,-z-relro -Wl,-z,now`) are intended for libcurl itself, and if dependent packages want those options then they should set them from their own packaging. |
Simon McVittie <smcv@collabora.com> | not-needed | debian | 2022-11-22 | |
| Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch | Use correct path when loading libnss{pem,ckbi}.so | Sergio Durigan Junior <sergiodj@debian.org> | no | debian | 2023-03-05 | |
| fix-unix-domain-socket.patch | [PATCH] Fixing unix domain socket use in https connects. - refs #10633, when h2/h3 eyeballing was involved, unix domain socket configurations were not honoured - configuring --unix-socket will disable HTTP/3 as candidate for eyeballing - combinatino of --unix-socket and --http3-only will fail during initialisation - adding pytest test_11 to reproduce |
Stefan Eissing <stefan@eissing.org> | no | 2023-02-28 | ||
| openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch | openldap: create ldap URLs correctly for IPv6 addresses Fixes #13228 Closes #13235 More context: When the user specified an IPv6 address to be used as an LDAP server, curl will fail to properly enclose it in square brackets, which causes the connection to fail because the host address cannot be distinguished from the port: $ curl -v ldap://[fd42:be5:e632:a6b3:216:3eff:feb1:5bc4]:389 ... * LDAP local: Cannot connect to ldap://fd42:be5:e632:a6b3:216:3eff:feb1:5bc4:389, Bad parameter to an ldap routine ... Fix this by always enclosing the IPv6 address in square brackets. |
Daniel Stenberg <daniel@haxx.se> | no | debian | upstream, https://github.com/curl/curl/commit/56935a7dada6975d5a46aa494de0af195e4e8659 | 2024-03-30 |
| large-time-testable-feature.patch | [PATCH] tests: add 'large-time' as a testable feature This allows test cases to require this feature to run and to be used in %if conditions. Large here means larger than 32 bits. Ie does not suffer from y2038. Closes #11696 Backported by: Aquila Macedo Costa <aquilamacedo@riseup.net>. Changes: - Refresh patch context |
Daniel Stenberg <daniel@haxx.se> | no | 2023-08-19 | ||
| dont-stop-stunnel-before-retry.patch | [PATCH] runtests: don't try to stop stunnel before trying again Calling stopserver() before retrying stunnel due to an error would stop the dependent server (such as HTTP) meaning stunnel would have nothing to talk to when it came up. Don't try to force a stop when it didn't actually start. Also, don't mark the server as bad for future use when it starts up on a retry. Fixes #10976 Backported by: Aquila Macedo Costa <aquilamacedo@riseup.net>. Changes: - Apply the changes to `runtests.pl` instead of `servers.pm`, as `servers.pm` does not exist in this version of bookworm. |
Dan Fandrich <dan@coneharvesters.com> | no | 2023-04-17 | ||
| CVE-2023-27533.patch | [PATCH] telnet: only accept option arguments in ascii To avoid embedded telnet negotiation commands etc. Closes #10728 Backported to Debian by Samuel Henrique <samueloph@debian.org> |
Daniel Stenberg <daniel@haxx.se> | no | 2023-03-06 | ||
| CVE-2023-27534.patch | [PATCH] curl_path: create the new path with dynbuf Closes #10729 |
Daniel Stenberg <daniel@haxx.se> | no | 2023-03-09 | ||
| CVE-2023-27538.patch | [PATCH] url: fix the SSH connection reuse check Closes #10735 |
Daniel Stenberg <daniel@haxx.se> | no | 2023-03-10 | ||
| CVE-2023-27535.patch | [PATCH] ftp: add more conditions for connection reuse Closes #10730 |
Daniel Stenberg <daniel@haxx.se> | no | 2023-03-09 | ||
| CVE-2023-27536.patch | [PATCH] url: only reuse connections with same GSS delegation Closes #10731 |
Daniel Stenberg <daniel@haxx.se> | no | 2023-03-10 | ||
| CVE-2023-27537.patch | [PATCH] CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe Closes #10732 |
Daniel Stenberg <daniel@haxx.se> | no | 2023-03-09 | ||
| CVE-2023-28319.patch | [PATCH] libssh2: free fingerprint better Closes #11088 |
Daniel Stenberg <daniel@haxx.se> | no | 2023-05-08 | ||
| CVE-2023-28320.patch | [PATCH] hostip: add locks around use of global buffer for alarm() When building with the sync name resolver and timeout ability we now require thread-safety to be present to enable it. Closes #11030 |
Harry Sintonen <sintonen@iki.fi> | no | 2023-04-25 | ||
| CVE-2023-28320-1.patch | [PATCH] hostip: include easy_lock.h before using GLOBAL_INIT_IS_THREADSAFE Since that header file is the only place that define can be defined. Follow-up to 13718030ad4b3209 Closes #11121 |
Daniel Stenberg <daniel@haxx.se> | no | 2023-05-16 | ||
| CVE-2023-28321.patch | [PATCH] hostcheck: fix host name wildcard checking The leftmost "label" of the host name can now only match against single '*'. Like the browsers have worked for a long time. - extended unit test 1397 for this - move some SOURCE variables from unit/Makefile.am to unit/Makefile.inc Closes #11018 Backported to Debian by Samuel Henrique <samueloph@debian.org> |
Daniel Stenberg <daniel@haxx.se> | no | 2023-04-24 | ||
| CVE-2023-28322.patch | [PATCH] lib: unify the upload/method handling By making sure we set state.upload based on the set.method value and not independently as set.upload, we reduce confusion and mixup risks, both internally and externally. Closes #11017 |
Daniel Stenberg <daniel@haxx.se> | no | 2023-04-25 | ||
| CVE-2023-32001.patch | [PATCH] fopen: optimize Closes #11419 |
SaltyMilk <soufiane.elmelcaoui@gmail.com> | no | 2023-07-10 | ||
| Use-OpenLDAP-specific-functionality.patch | Fix Autotools not enabling OpenLDAP-specific functionality The non-OpenLDAP code paths are less tested, less featureful, less secure, and omitted in the build system by accident. It has been discovered that this also mitigates curl not being able to make LDIF output when attributes have binary values. |
yes | upstream | upstream, https://github.com/curl/curl/commit/0ac6108856b9d500bc376d1d7e0b648d15499837.patch | 2023-07-25 | |
| CVE-2023-38039.patch | [PATCH] http: return error when receiving too large header set To avoid abuse. The limit is set to 300 KB for the accumulated size of all received HTTP headers for a single response. Incomplete research suggests that Chrome uses a 256-300 KB limit, while Firefox allows up to 1MB. Closes #11582 Backport to Debian by Carlos Henrique Lima Melara <charlesmelara@riseup.net> |
Daniel Stenberg <daniel@haxx.se> | no | 2023-08-02 | ||
| CVE-2023-38545.patch | [PATCH] socks: return error if hostname too long for remote resolve Prior to this change the state machine attempted to change the remote resolve to a local resolve if the hostname was longer than 255 characters. Unfortunately that did not work as intended and caused a security issue. Name resolvers cannot resolve hostnames longer than 255 characters. Backported by: Samuel Henrique <samueloph@debian.org> |
Jay Satiro <raysatiro@yahoo.com> | yes | upstream | 2023-09-30 | |
| CVE-2023-38546.patch | [PATCH] cookie: remove unnecessary struct fields make much of a speed difference for most use cases but saves 1.5KB of data per instance. Closes #11862 Backported by: Samuel Henrique <samueloph@debian.org> |
Daniel Stenberg <daniel@haxx.se> | no | 2023-09-14 | ||
| CVE-2023-46218.patch | [PATCH] cookie: lowercase the domain names before PSL checks Closes #12387 Backported by: Samuel Henrique <samueloph@debian.org>: * Update signature of function "bad_domain" |
Daniel Stenberg <daniel@haxx.se> | no | 2023-11-23 | ||
| CVE-2023-46219.patch | [PATCH] fopen: create short(er) temporary file name Only using random letters in the name plus a ".tmp" extension. Not by appending characters to the final file name. Closes #12388 Backported by: Samuel Henrique <samueloph@debian.org>: * The function Curl_rand_alnum was renamed to Curl_rand_hex |
Daniel Stenberg <daniel@haxx.se> | no | 2023-11-23 | ||
| CVE-2024-2004.patch | [PATCH] setopt: Fix disabling all protocols When disabling all protocols without enabling any, the resulting set of allowed protocols remained the default set. Clearing the allowed set before inspecting the passed value from --proto make the set empty even in the errorpath of no protocols enabled. Backported by: Guilherme Puida Moreira <guilherme@puida.xyz> * Small change in the Makefile to add a new test. |
Daniel Gustafsson <daniel@yesql.se> | no | 2024-02-27 | ||
| CVE-2024-2398.patch | [PATCH] http2: push headers better cleanup - provide common cleanup method for push headers Closes #13054 Backported by: Guilherme Puida Moreira <guilherme@puida.xyz>: * Changed h2_stream_ctx to HTTP in free_push_headers. |
Stefan Eissing <stefan@eissing.org> | no | 2024-03-06 | ||
| CVE-2024-7264-0.patch | x509asn1: clean up GTime2str Closes #14307 Backported to Debian by Carlos Henrique Lima Melara <charles@debian.org>. Changes: - In this version, GTime2str doesn't return CURLcode, so change that to NULL. |
Daniel Stenberg <daniel@haxx.se> | no | 2024-07-30 | ||
| CVE-2024-7264-1.patch | x509asn1: unittests and fixes for gtime2str Fix issues in GTime2str() and add unit test cases to verify correct behaviour. Follow-up to 3c914bc6801 Closes #14316 Backported to Debian by Carlos Henrique Lima Melara <charles@debian.org>. Changes: - In this version, GTime2str doesn't return CURLcode, so change that to NULL. - Also change test helper function to match the correct type and pass the correct arguments. In this version, GTime2str doesn't take struct dynbuf *. It's aimed to not FTBFS if someone build the package with --enable-debug. |
Stefan Eissing <stefan@eissing.org> | no | 2024-07-30 | ||
| CVE-2024-8096.patch | [PATCH] gtls: fix OCSP stapling management Closes #14642 |
Daniel Stenberg <daniel@haxx.se> | no | 2024-08-20 | ||
| CVE-2024-9681-0.patch | [PATCH] hsts: improve subdomain handling - on load, only replace existing HSTS entries if there is a full host match - on matching, prefer a full host match and secondary the longest tail subdomain match Closes #15210 Backported by: Aquila Macedo Costa <aquilamacedo@riseup.net>. Changes: - Refresh patch context. |
Daniel Stenberg <daniel@haxx.se> | no | 2024-10-09 | ||
| CVE-2024-9681-1.patch | [PATCH] tests: 780 - 783, new HSTS tests test780: verify updated HSTS data in response header test781: HSTS update expiry, with parent includeSubDomains domain present test782: HSTS update expiry, with two includeSubDomains domains present test783: HSTS update expiry, removing includesubdomains in update Backported by: Aquila Macedo Costa <aquilamacedo@riseup.net>. Changes: - Adjust `tests/data/Makefile.inc` to include new HSTS tests (780 - 783). - Updates 'Debug' to 'debug' in test data files (`test780`, `test781`, `test782`, `test783`) to align with curl conventions in bookworm and ensure consistency in feature definitions. - Additionally, `%LOGDIR` is replaced with log in the test files due to its absence in curl bookworm. |
Daniel Stenberg <daniel@haxx.se> | no | 2024-10-09 | ||
| url-use-same-credentials-on-redirect.patch | [PATCH] url: use same credentials on redirect Previously it could lose the username and only use the password. Added test 998 and 999 to verify. Fixes #15262 Closes #15282 Backported by: Matheus Polkorny <mpolkorny@gmail.com>. Changes: - Refresh patch context - Small change in the Makefile to add a new test |
Daniel Stenberg <daniel@haxx.se> | no | 2024-10-12 | ||
| CVE-2024-11053.patch | [PATCH] netrc: address several netrc parser flaws - make sure that a match that returns a username also returns a password, that should be blank if no password is found - fix handling of multiple logins for same host where the password/login order might be reversed. - reject credentials provided in the .netrc if they contain ASCII control codes - if the used protocol does not support such (like HTTP and WS do) Add test 478, 479 and 480 to verify. Updated unit 1304. Closes #15586 Backported by: Matheus Polkorny <mpolkorny@gmail.com> Based on the work of Marc Deslauriers <marc.deslauriers@ubuntu.com> for curl 7.81.0-1ubuntu1.20. Changes: - Refresh patch context. - Adjust `%LOGDIR/` to 'log/' due to its absence in bookworm. - Replaces the previous usage of the state_login, state_password, and state_our_login variables with the found_state enum, which includes the values NONE, LOGIN, and PASSWORD. As a result, all conditionals and memory management logic associated with these variables were updated. - Updates to use password and login instead of s_password and s_login, which do not exist in the Bookworm version. This change preserves the same logic while adapting the code to the current structure. - test478 is disabled as this version of curl does not support searching for a specific login in the netrc file. (see https://github.com/curl/curl/issues/8241) - test480 is disabled as this version of curl does not support quoted or escaped strings in the netrc file. (see https://github.com/curl/curl/issues/8908) - Small change in the Makefile to add a new test. |
Daniel Stenberg <daniel@haxx.se> | no | 2024-11-15 | ||
| CVE-2025-0167.patch | [PATCH] netrc: 'default' with no credentials is not a match Test 486 verifies. Closes #15908 Backported by: Dr. Tobias Quathamer <toddy@debian.org> Changes: * Refresh patch context for lib/netrc.c * Use tests/data/Makefile.inc to add new test instead of tests/data/Makefile.am, because that has only been introduced in later versions of curl. * Replace "%LOGDIR" with "log" due to its absence in bookworm. |
Daniel Stenberg <daniel@haxx.se> | no | 2025-01-03 | ||
| runtests.pl-Increase-variance-of-random-seed-used-for-tes.patch | runtests.pl: Increase variance of random seed used for tests's port designation Patched on Debian to add day, hour and min to the seed, e.g.: 201912091530 The version of curl we ship on bookworm is too prone to port conflicts on tests, this is the least intrusive workaround as it makes each retry use a different seed. Gbp-Pq: Name runtests_port_random_seed_variance.patch |
Samuel Henrique <samueloph@debian.org> | no | 2025-03-09 | ||
| fix-CVE-2023-27534-regression-1.patch | curl_path: bring back support for SFTP path ending in /~ libcurl used to do a directory listing for this case (even though the documentation says a URL needs to end in a slash for this), but 4e2b52b5f7a3 modified the behavior. This change brings back a directory listing for SFTP paths that are specified exactly as /~ in the URL. Fixes #11001 Closes #11023 |
Daniel Stenberg <daniel@haxx.se> | yes | upstream | upstream, https://github.com/curl/curl/commit/91b53efa4b6854dc3688f55bfb329b0cafcf5325 | 2025-06-09 |
| fix-CVE-2023-27534-regression-2.patch | curl_path: make SFTP handle a path like /~ properly. ... without a trailing slash. Fixes #17534 Closes #17542 |
Carlos Henrique Lima Melara <charlesmelara@riseup.net> | yes | upstream | upstream, https://github.com/curl/curl/commit/0ede81dcc61844cecce8904fb4de24319afeb024 | 2025-06-09 |
| 0001-http_chunks-reset-the-trailer-to-avoid-memory-leak.patch | [PATCH] http_chunks: reset the trailer to avoid memory leak | Daniel Stenberg <daniel@haxx.se> | no | 2025-07-15 | ||
| 90_gnutls.patch | Build with GnuTLS. =================================================================== |
Ramakrishnan Muthukrishnan <vu3rdd@gmail.com> | not-needed | vendor | 2018-05-23 | |
| 99_nss.patch | Build with NSS. =================================================================== |
Ramakrishnan Muthukrishnan <vu3rdd@gmail.com> | not-needed | vendor | 2015-08-12 |
All known versions for source package 'curl'
- 8.17.0~rc2-1 (sid)
- 8.16.0-4 (forky)
- 8.16.0-4~bpo13+1 (trixie-backports)
- 8.14.1-2 (trixie)
- 8.14.1-2~bpo12+1 (bookworm-backports)
- 7.88.1-10+deb12u14 (bookworm)
- 7.88.1-10+deb12u5 (bookworm-security)