diff -Nru curl-7.37.1/debian/changelog curl-7.37.1/debian/changelog --- curl-7.37.1/debian/changelog 2014-07-18 10:18:07.000000000 +0200 +++ curl-7.37.1/debian/changelog 2014-07-25 12:03:34.000000000 +0200 @@ -1,3 +1,14 @@ +curl (7.37.1-1ubuntu1) utopic; urgency=low + + * Merge from Debian unstable. Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + + -- Gianfranco Costamagna Fri, 25 Jul 2014 12:03:28 +0200 + curl (7.37.1-1) unstable; urgency=medium * New upstream release @@ -18,6 +29,17 @@ -- Alessandro Ghedini Wed, 21 May 2014 15:22:38 +0200 +curl (7.36.0-2ubuntu1) utopic; urgency=low + + * Merge from Debian unstable. Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + + -- Michael Vogt Wed, 30 Apr 2014 13:34:14 +0200 + curl (7.36.0-2) unstable; urgency=medium * Move Depends on -dev packages needed to use static libraries to Suggests @@ -40,6 +62,36 @@ -- Alessandro Ghedini Sun, 30 Mar 2014 15:36:35 +0200 +curl (7.35.0-1ubuntu2) trusty; urgency=medium + + * SECURITY UPDATE: wrong re-use of connections + - debian/patches/CVE-2014-0138.patch: fix possible issues with NTLM + HTTP logic, and extend new connection logic to other protocols in + lib/http.c, lib/url.c, lib/urldata.h, add new tests to + tests/data/Makefile.am, tests/data/test1418, tests/data/test1419. + - CVE-2014-0138 + * SECURITY UPDATE: incorrect wildcard SSL certificate validation with + literal IP addresses + - debian/patches/CVE-2014-0139.patch: fix wildcard logic in + lib/hostcheck.c, added tests to tests/data/Makefile.am, + tests/data/test1397, tests/unit/Makefile.inc, tests/unit/unit1397.c. + - CVE-2014-0139 + * debian/patches/fix_test172.path: fix expired cookie causing test to + fail. + + -- Marc Deslauriers Tue, 01 Apr 2014 09:25:23 -0400 + +curl (7.35.0-1ubuntu1) trusty; urgency=medium + + * Resynchronize on Debian, remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + + -- Marc Deslauriers Fri, 31 Jan 2014 08:42:28 -0500 + curl (7.35.0-1) unstable; urgency=high * New upstream release @@ -50,6 +102,18 @@ -- Alessandro Ghedini Wed, 29 Jan 2014 11:16:57 +0100 +curl (7.34.0-1ubuntu1) trusty; urgency=low + + * Resynchronize on Debian, remaining changes + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + * Dropped undocumented Build-Depends change to automake1.9. + + -- Marc Deslauriers Fri, 20 Dec 2013 09:13:22 -0500 + curl (7.34.0-1) unstable; urgency=high * New upstream release @@ -71,6 +135,17 @@ -- Alessandro Ghedini Wed, 11 Dec 2013 18:44:37 +0100 +curl (7.33.0-1ubuntu1) trusty; urgency=low + + * Resynchronize on Debian, remaining changes + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + + -- Sebastien Bacher Wed, 06 Nov 2013 10:45:28 +0100 + curl (7.33.0-1) unstable; urgency=low * New upstream release @@ -83,6 +158,18 @@ -- Alessandro Ghedini Mon, 14 Oct 2013 22:11:14 +0200 +curl (7.32.0-1ubuntu1) saucy; urgency=low + + * Merge from Debian unstable. Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + * Fixes freeipa-client join. (LP: #1220928) + + -- Ubuntu Merge-o-Matic Mon, 12 Aug 2013 15:39:32 +0000 + curl (7.32.0-1) unstable; urgency=low * New upstream release @@ -96,6 +183,17 @@ -- Alessandro Ghedini Mon, 12 Aug 2013 12:19:05 +0200 +curl (7.31.0-2ubuntu1) saucy; urgency=low + + * Merge from Debian, Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + + -- Oussama Bounaim Tue, 23 Jul 2013 18:42:00 +0100 + curl (7.31.0-2) unstable; urgency=high * Add 09_openssl-recv.patch to fix incorrect OpenSSL usage (Closes: #714050) @@ -103,6 +201,17 @@ -- Alessandro Ghedini Wed, 26 Jun 2013 11:47:00 +0200 +curl (7.31.0-1ubuntu1) saucy; urgency=low + + * Resynchronize on Debian. Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + + -- Sebastien Bacher Mon, 24 Jun 2013 13:36:52 +0200 + curl (7.31.0-1) unstable; urgency=low * New upstream release @@ -126,6 +235,18 @@ -- Alessandro Ghedini Fri, 10 May 2013 17:46:46 +0200 +curl (7.30.0-1ubuntu1) saucy; urgency=low + + * Resynchronize on Debian. Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + * Add warning to debian/patches/series. + + -- Sebastien Bacher Tue, 07 May 2013 12:16:37 +0200 + curl (7.30.0-1) unstable; urgency=low * New upstream release @@ -174,6 +295,36 @@ -- Alessandro Ghedini Mon, 11 Mar 2013 19:02:56 +0100 +curl (7.29.0-1ubuntu3) raring; urgency=low + + * SECURITY UPDATE: Incorrect cookie domain handling in tailmatch() + - debian/patches/09_curl-tailmatch.patch: enforce strict subdomain match + when sending cookies. Patch from YAMADA Yasuharu. + - http://curl.haxx.se/curl-tailmatch.patch + - CVE-2013-1944 + + -- Seth Arnold Wed, 10 Apr 2013 15:16:17 -0700 + +curl (7.29.0-1ubuntu2) raring; urgency=low + + * debian/patches/08_lp1124508.patch: Backport fix for upstream bug 1194, + segfault in curl_multi_cleanup() when multi->closure_handle is NULL. + (LP: #1124508) + + -- Barry Warsaw Wed, 03 Apr 2013 17:26:06 -0400 + +curl (7.29.0-1ubuntu1) raring; urgency=low + + * Resynchronise with Debian. Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + * Add warning to debian/patches/series. + + -- Marc Deslauriers Tue, 12 Feb 2013 08:54:32 -0500 + curl (7.29.0-1) unstable; urgency=high * New upstream release @@ -200,6 +351,17 @@ -- Alessandro Ghedini Mon, 26 Nov 2012 17:51:27 +0100 +curl (7.28.0-3ubuntu1) raring; urgency=low + + * Resynchronise with Debian. Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + + -- Colin Watson Wed, 28 Nov 2012 17:56:05 +0000 + curl (7.28.0-3) unstable; urgency=low * Add 07_do-not-disable-debug-symbols.patch, do not pass --enable-debug @@ -209,6 +371,24 @@ -- Alessandro Ghedini Sat, 17 Nov 2012 14:07:21 +0100 +curl (7.28.0-2ubuntu2) raring; urgency=low + + * Turn debian/libcurl3-udeb.install and debian/libcurl3-udeb.links back + into symlinks. + + -- Colin Watson Wed, 31 Oct 2012 10:55:24 +0000 + +curl (7.28.0-2ubuntu1) raring; urgency=low + + * Resynchronise with Debian. Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + + -- Colin Watson Wed, 31 Oct 2012 06:51:15 +0000 + curl (7.28.0-2) unstable; urgency=low * Add 05_fix-git-over-https.patch (Closes: #690551) @@ -228,6 +408,17 @@ -- Alessandro Ghedini Thu, 11 Oct 2012 19:11:09 +0200 +curl (7.27.0-1ubuntu1) quantal; urgency=low + + * Resynchronise with Debian. Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + + -- Colin Watson Mon, 20 Aug 2012 13:54:01 +0100 + curl (7.27.0-1) unstable; urgency=low * New upstream release @@ -236,6 +427,19 @@ -- Alessandro Ghedini Wed, 08 Aug 2012 17:22:00 +0200 +curl (7.26.0-1ubuntu1) quantal; urgency=low + + * Resynchronise with Debian. Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from binary package Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + * Adjust udeb configure flags handling to something easier to merge in + future. + + -- Colin Watson Mon, 28 May 2012 12:21:13 +0100 + curl (7.26.0-1) unstable; urgency=low * New upstream release @@ -251,6 +455,26 @@ -- Alessandro Ghedini Fri, 25 May 2012 15:19:51 +0200 +curl (7.25.0-1ubuntu2) quantal; urgency=low + + * Drop libssh2-1-dev Depends (not in main) from libcurl4-gnutls-dev and + libcurl4-nss-dev too. + + -- Colin Watson Tue, 22 May 2012 22:58:51 +0100 + +curl (7.25.0-1ubuntu1) quantal; urgency=low + + * Merge from Debian testing (LP: #1003049). Remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from libcurl4-openssl-dev's Depends. + - Add new libcurl3-udeb package. + - Add new curl-udeb package. + - Also closes (LP: #855291) + * debian/patches/CVE-2012-0036.patch: Dropped. CVE resolved upstream. + + -- Andres Rodriguez Tue, 22 May 2012 14:53:29 -0400 + curl (7.25.0-1) unstable; urgency=low * New upstream release @@ -324,6 +548,43 @@ -- Alessandro Ghedini Sun, 27 Nov 2011 18:45:01 +0100 +curl (7.22.0-3ubuntu4) precise; urgency=low + + * debian/control: Add missing Depends on libcrypto1.0.0-udeb. + + -- Andres Rodriguez Thu, 22 Mar 2012 18:40:30 -0400 + +curl (7.22.0-3ubuntu3) precise; urgency=low + + [ Andres Rodriguez ] + * Add curl-udeb package (LP: #940425) + + [ Dave Walker (Daviey) ] + * debian/rules: Remove --add-udeb= for libcurl3, and appended to + debian/shlibs.local at build time, which this package seems to + be using for undocumented reasoning. + + -- Dave Walker (Daviey) Fri, 09 Mar 2012 23:45:09 +0000 + +curl (7.22.0-3ubuntu2) precise; urgency=low + + * SECURITY UPDATE: URL sanitization vulnerability + - debian/patches/CVE-2012-0036.patch: reject URLs with embedded control + codes in lib/{escape.h,escape.c,imap.c,pop3.c,smtp.c}. + - CVE-2012-0036 + + -- Marc Deslauriers Tue, 24 Jan 2012 08:26:50 -0500 + +curl (7.22.0-3ubuntu1) precise; urgency=low + + * Merge from Debian unstable, remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel4 and libssh2-1-dev. + + Drop libssh2-1-dev from libcurl4-openssl-dev's Depends. + - Add new libcurl3-udeb package. + + -- Timo Aaltonen Fri, 25 Nov 2011 17:30:45 +0200 + curl (7.22.0-3) unstable; urgency=low [ Ramakrishnan Muthukrishnan ] @@ -362,6 +623,19 @@ -- Alessandro Ghedini Sun, 13 Nov 2011 21:07:32 +0100 +curl (7.21.7-3ubuntu1) precise; urgency=low + + * Merge from Debian testing, remaining changes: + - Drop dependencies not in main: + + Build-Depends: Drop stunnel and libssh2-1-dev. + + Drop libssh2-1-dev from libcurl4-openssl-dev's Depends. + - Add new libcurl3-udeb package, stripped down for use during + installation (LP: #831496). + * Dropped changes: + - debian/patches/timeout_bug_736216: applied upstream. + + -- James Page Thu, 20 Oct 2011 09:28:24 +0100 + curl (7.21.7-3) unstable; urgency=low * debian/rules: Build only curl and libcurl3 with rtmp support. Rest of the @@ -389,6 +663,33 @@ -- Ramakrishnan Muthukrishnan Sat, 30 Jul 2011 17:57:08 +0530 +curl (7.21.6-3ubuntu3) oneiric; urgency=low + + [ James Page, Colin Watson ] + * Add new libcurl3-udeb package, stripped down for use during installation + (LP: #831496). + + -- James Page Wed, 14 Sep 2011 17:31:37 +0100 + +curl (7.21.6-3ubuntu2) oneiric; urgency=low + + * debian/patches/timeout_bug_736216: cherry pick upstream + git revision d4e000906ac4ef243258a5c9a819a7cde247d16a to fix + handshake timeout bug (LP: #736216). Thanks to Sidnei da Silva + and Michael Vogt + + -- Jamie Strandboge Wed, 13 Jul 2011 12:08:54 -0500 + +curl (7.21.6-3ubuntu1) oneiric; urgency=low + + * Restore Ubuntu changes accidentally dropped in previous sync: + - Drop dependencies not in main: + + Build-Depends: Replace libssh2-1-dev with openssh-server. + Drop stunnel since it's in universe, as well. + + Drop libssh2-1-dev from libcurl4-openssl-dev's Depends. + + -- Steve Langasek Thu, 30 Jun 2011 23:40:23 +0000 + curl (7.21.6-3) unstable; urgency=low * Apply the Multiarch patch from Steve Langasek. @@ -1779,3 +2080,4 @@ * Initial Release. -- Leon Breedt Sun, 9 May 1999 18:55:48 +0200 + diff -Nru curl-7.37.1/debian/control curl-7.37.1/debian/control --- curl-7.37.1/debian/control 2014-07-18 10:18:07.000000000 +0200 +++ curl-7.37.1/debian/control 2014-07-25 12:01:57.000000000 +0200 @@ -1,7 +1,8 @@ Source: curl Section: web Priority: optional -Maintainer: Alessandro Ghedini +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Alessandro Ghedini Uploaders: Ian Jackson Build-Depends: debhelper (>= 9), autoconf, @@ -14,13 +15,11 @@ libldap2-dev, libnss3-dev, librtmp-dev (>= 2.4+20131018.git79459a2-3~), - libssh2-1-dev, libssl-dev, libtool, openssh-server, python, quilt, - stunnel4, zlib1g-dev Build-Conflicts: autoconf2.13, automake1.4 Standards-Version: 3.9.5 @@ -42,6 +41,21 @@ NTLM, Negotiate, kerberos...), file transfer resume, proxy tunneling and a busload of other useful tricks. +Package: curl-udeb +XC-Package-Type: udeb +Section: debian-installer +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, libcurl3-udeb, libcrypto1.0.0-udeb +Description: Get a file from an HTTP, HTTPS or FTP server + curl is a client to get files from servers using any of the supported + protocols. The command is designed to work without user interaction + or any kind of interactivity. + . + curl offers a busload of useful tricks like proxy support, user + authentication, FTP upload, HTTP post, file transfer resume and more. + . + This package contains the curl binary for the Debian Installer (udeb) + Package: libcurl3 Architecture: any Section: libs @@ -65,6 +79,20 @@ . SSL support is provided by OpenSSL. +Package: libcurl3-udeb +Section: debian-installer +XC-Package-Type: udeb +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: Multi-protocol file transfer library (OpenSSL) + libcurl is designed to be a solid, usable, reliable and portable + multi-protocol file transfer library. + . + SSL support is provided by OpenSSL. + . + This package contains the minimal runtime libraries for the Debian Installer + (udeb). + Package: libcurl3-gnutls Architecture: any Section: libs @@ -126,7 +154,6 @@ libkrb5-dev, libldap2-dev, librtmp-dev, - libssh2-1-dev, libssl-dev, pkg-config, zlib1g-dev @@ -165,7 +192,6 @@ libkrb5-dev, libldap2-dev, librtmp-dev, - libssh2-1-dev, pkg-config, zlib1g-dev Multi-Arch: same @@ -203,7 +229,6 @@ libldap2-dev, libnss3-dev, librtmp-dev, - libssh2-1-dev, pkg-config, zlib1g-dev Multi-Arch: same diff -Nru curl-7.37.1/debian/patches/series curl-7.37.1/debian/patches/series --- curl-7.37.1/debian/patches/series 2014-07-18 10:18:07.000000000 +0200 +++ curl-7.37.1/debian/patches/series 2014-07-25 11:57:08.000000000 +0200 @@ -4,7 +4,9 @@ 04_workaround_as_needed_bug.patch 06_always-disable-valgrind.patch 07_do-not-disable-debug-symbols.patch - 08_link-curl-to-nss.patch + +# the following two patches are reverted during build +# any new patches must be added before them 90_gnutls.patch 99_nss.patch