Debian Patches

Status for curl/8.14.1-2+deb13u3

Columns: Patch, Description, Author, Forwarded, Bugs, Origin, Last update
ZZZgnutls-build.patch Build with GnuTLS. Steve McIntyre <93sam@debian.org> not-needed vendor 2024-11-06
build-Divide-mit-krb5-gssapi-link-flags-between-LDFLAGS-a.patch build: Divide mit-krb5-gssapi link flags between LDFLAGS and LIBS
From the comments nearby about not having --libs-only-L, it looks as
though the intention was to apply a split like this to all dependency
libraries where possible, and the only reason it was not done for
Kerberos is that krb5-config doesn't have that feature and pkg-config
was originally not supported here. For example, zlib, libssh and librtmp
all have their flags from pkg-config split in this way.

Now that pkg-config is supported here, we can do the intended split.
Simon McVittie <smcv@collabora.com> no 2022-11-22
11_omit-directories-from-config.patch Omit directories embedding arch info from curl-config
In order to (partially) multi-arch-ify curl-config, remove all
mention of @includedir@ and @libdir@ from the script. On Debian, the actual
header and library directories are architecture-dependent, but will always be
in the C compiler's default search path, so -I and -L options are not
necessary (and may be harmful in multi-arch environments.)
Benjamin Moody <benjamin.moody@gmail.com> not-needed debian vendor 2025-02-05
tool_getparam_fix_ftp_pasv.patch tool_getparam: fix --ftp-pasv
This boolean option was moved to the wrong handling function. Make it
an ARG_NONE and move it to the correct handler and add a test to
verify that the option works.

Follow-up to 698491f44

Fixes #17545
Closes #17547
Dan Fandrich <dan@coneharvesters.com> no 2025-06-06
curl_path_make_SFTP_handle_a_path.patch curl_path: make SFTP handle a path like /~ properly.
... without a trailing slash.

Fixes #17534
Closes #17542
Carlos Henrique Lima Melara <charlesmelara@riseup.net> no 2025-06-05
tool_operate_fix_return_code_when_retry_is_used_but_not_triggered.patch tool_operate: fix return code when --retry is used but not triggered

Verify with test 752

Fixes #17554
Closes #17559
Daniel Stenberg <daniel@haxx.se> no 2025-06-09
cookie-don-t-treat-the-leading-slash-as-trailing.patch cookie: don't treat the leading slash as trailing
If there is only a leading slash in the path, keep that. Also add an
assert to make sure the path is never blank.

Closes #18266
Daniel Stenberg <daniel@haxx.se> no 2025-08-11
CVE-2025-10148.patch ws: get a new mask for each new outgoing frame
Closes #18496

Changes:
* Refresh patch context for lib/ws.c
* Adapt return value to current function return type
Daniel Stenberg <daniel@haxx.se> no 2025-09-08
wcurl-Set-CURL_OPTIONS-right-before-the-url.patch Set CURL_OPTIONS right before the url
I'm reordering the parameters used in the curl invocation to have
"CURL-OPTIONS" be set for last, allowing "--output" to also be
overwritten and making the curl invocation more clear, as having
"--continue-at -" not right before the URL looks weird.

As far as my tests went, this has no functionality side effect other
than allowing "output" to be set by the user.

* Modify wcurl patch to apply on curl sources by changing the location of the
wcurl script from wcurl to scripts/wcurl.
Samuel Henrique <samueloph@debian.org> no 2025-09-21
wcurl-Fix-example-for-continue-at.patch Fix example for "continue-at"
It stopped working after we introduced the "--no-clobber" option; to
make the example work again we just need to explicitly override it with
"--clobber".

Thanks to Thomas Braun for reporting it.

Closes: https://github.com/curl/wcurl/issues/61


* Modify wcurl patch to apply on curl sources by changing the location of the
wcurl script from wcurl to scripts/wcurl.
* Drop changes to wcurl's README file as they are not in the curl sources.
Samuel Henrique <samueloph@debian.org> no 2025-09-21
wcurl-CVE-2025-11563.patch Don't percent-decode '/' and '\' in output file name

* Modify wcurl patch to apply on curl sources by changing the location of the
wcurl script from wcurl to scripts/wcurl.
* Drop changes to wcurl's tests as they are not in the curl sources.
* Swap placement of logical AND (&&) operator in conditions of the if
statement to match the new approach, i.e., they are written at the beginning
of the line instead of the end now.
* Pull fix from https://github.com/curl/wcurl/pull/75, prefixing values
in UNSAFE_PERCENT_ENCODE with "%".
Samuel Henrique <samueloph@debian.org> no 2025-10-12
CVE-2025-13034.patch vquic-tls/gnutls: call Curl_gtls_verifyserver unconditionally
Closes #19531

[PATCH] When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey`
with the curl tool, curl should check the public key of the server certificate to
verify the peer. This check was skipped in a certain condition that would then make
curl allow the connection without performing the proper check, thus not noticing a
possible impostor. To skip this check, the connection had to be done with QUIC with
ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard
certificate verification.

* removes host verification so that it always verifies.
Daniel Stenberg <daniel@haxx.se> no backport, https://github.com/curl/curl/commit/3d91ca8cdb3b434226e743946d428b4dd3acf2c9 2026-01-29
