• Accepted curl 7.74.0-1.3+deb11u4 (source) into proposed-updates

    From Debian FTP Masters@21:1/5 to All on Tue Jan 31 18:50:02 2023
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    Format: 1.8
    Date: Tue, 27 Dec 2022 00:05:50 +0000
    Source: curl
    Architecture: source
    Version: 7.74.0-1.3+deb11u4
    Distribution: bullseye-security
    Urgency: high
    Maintainer: Alessandro Ghedini <ghedo@debian.org>
    Changed-By: Samuel Henrique <samueloph@debian.org>
    Changes:
    curl (7.74.0-1.3+deb11u4) bullseye-security; urgency=high
    .
    * Fix backport of patch for CVE-2021-22946, which was passing a wrong first
      argument to ftp_state_user_resp, this was likely causing a regression when
      using ftp.
    * Backport two patches from upstream to solve 2 CVEs:
      CVE-2022-32221.patch, CVE-2022-43552.patch.
      - CVE-2022-32221
        POST following PUT confusion
        When doing HTTP(S) transfers, libcurl might erroneously use the read
        callback (CURLOPT_READFUNCTION) to ask for data to send, even when the
        CURLOPT_POSTFIELDS option has been set, if the same handle previously
        was used to issue a PUT request which used that callback.
    .
        This flaw may surprise the application and cause it to misbehave and
        either send off the wrong data or use memory after free or similar in
        the subsequent POST request.
      - CVE-2022-43552
        HTTP Proxy deny use-after-free
        curl can be asked to tunnel virtually all protocols it supports through
        an HTTP proxy. HTTP proxies can (and often do) deny such tunnel
        operations using an appropriate HTTP error response code.
    .
        When getting denied to tunnel the specific protocols SMB or TELNET, curl
        would use a heap-allocated struct after it had been freed, in its
        transfer shutdown code path.

