This repository has been archived by the owner on Oct 10, 2023. It is now read-only.
0.296.0
cf-buildpacks-eng released this 11 May 17:03 · 74 commits to main since this release
Notably, this release addresses:
USN-5412-1: curl vulnerabilities:
- CVE-2022-27780: The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a different URL using the wrong host name when it is later retrieved.
- CVE-2022-27781: libcurl provides the CURLOPT_CERTINFO option to allow applications to request details to be returned about a TLS server's certificate chain. Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information.
- CVE-2022-27782: libcurl would reuse a previously created connection even when a TLS or SSH related option had been changed that should have prohibited reuse.
-ii curl 7.58.0-2ubuntu3.17 amd64 command line tool for transferring data with URL syntax
+ii curl 7.58.0-2ubuntu3.18 amd64 command line tool for transferring data with URL syntax
-ii libcurl3-gnutls:amd64 7.58.0-2ubuntu3.17 amd64 easy-to-use client-side URL transfer library (GnuTLS flavour)
-ii libcurl4:amd64 7.58.0-2ubuntu3.17 amd64 easy-to-use client-side URL transfer library (OpenSSL flavour)
-ii libcurl4-openssl-dev:amd64 7.58.0-2ubuntu3.17 amd64 development files and documentation for libcurl (OpenSSL flavour)
+ii libcurl3-gnutls:amd64 7.58.0-2ubuntu3.18 amd64 easy-to-use client-side URL transfer library (GnuTLS flavour)
+ii libcurl4:amd64 7.58.0-2ubuntu3.18 amd64 easy-to-use client-side URL transfer library (OpenSSL flavour)
+ii libcurl4-openssl-dev:amd64 7.58.0-2ubuntu3.18 amd64 development files and documentation for libcurl (OpenSSL flavour)
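Review bot: the libcurl packages in this diff are the GnuTLS (libcurl3-gnutls) and OpenSSL (libcurl4, libcurl4-openssl-dev) flavours only, while the notes above describe CVE-2022-27781 as affecting libcurl built with NSS. Suggest the release note state which of the three listed CVEs apply to the flavours shipped in this image, so operators can judge how urgently they need the move from 7.58.0-2ubuntu3.17 to 7.58.0-2ubuntu3.18.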