-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 27 Dec 2022 00:05:50 +0000
Source: curl
Binary: libcurl4-doc
Architecture: all
Version: 7.74.0-1.3+deb11u4
Distribution: bullseye-security
Urgency: high
Maintainer: all Build Daemon (x86-csail-02)
Changed-By: Samuel Henrique
Description:
 libcurl4-doc - documentation for libcurl
Changes:
 curl (7.74.0-1.3+deb11u4) bullseye-security; urgency=high
 .
   * Fix backport of patch for CVE-2021-22946, which was passing a wrong
     first argument to ftp_state_user_resp, this was likely causing a
     regression when using ftp.
   * Backport two patches from upstream to solve 2 CVEs:
     CVE-2022-32221.patch, CVE-2022-43552.patch.
     - CVE-2022-32221 POST following PUT confusion
       When doing HTTP(S) transfers, libcurl might erroneously use the
       read callback (CURLOPT_READFUNCTION) to ask for data to send, even
       when the CURLOPT_POSTFIELDS option has been set, if the same handle
       previously was used to issue a PUT request which used that callback.
       .
       This flaw may surprise the application and cause it to misbehave and
       either send off the wrong data or use memory after free or similar
       in the subsequent POST request.
     - CVE-2022-43552 HTTP Proxy deny use-after-free
       curl can be asked to tunnel virtually all protocols it supports
       through an HTTP proxy. HTTP proxies can (and often do) deny such
       tunnel operations using an appropriate HTTP error response code.
       .
       When getting denied to tunnel the specific protocols SMB or TELNET,
       curl would use a heap-allocated struct after it had been freed, in
       its transfer shutdown code path.
Checksums-Sha1:
 748c858ad262284964a3654eb8644c3f4357dc60 9245 curl_7.74.0-1.3+deb11u4_all-buildd.buildinfo
 0ccbf2f0527d3ea00bb485cab4bb4902357d3011 1011088 libcurl4-doc_7.74.0-1.3+deb11u4_all.deb
Checksums-Sha256:
 0a15ea90c732203ecb919b4809288ca86eca8cdec052b516d754745e76a0c983 9245 curl_7.74.0-1.3+deb11u4_all-buildd.buildinfo
 1829709f99e6b2b43c56fc28c0c536ea252e2b09c0808f66470eba9b0e31020c 1011088 libcurl4-doc_7.74.0-1.3+deb11u4_all.deb
Files:
 ebc6d5896bfe5419f35c60a534b33b78 9245 web optional curl_7.74.0-1.3+deb11u4_all-buildd.buildinfo
 49917bea96c6835a698321cbd24aafdc 1011088 doc optional libcurl4-doc_7.74.0-1.3+deb11u4_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----