Information on source package curl

Available versions

ReleaseVersion
jessie7.38.0-4+deb8u28
stretch7.52.1-5+deb9u22
stretch (security)7.52.1-5+deb9u16
buster7.64.0-4+deb10u10
buster (security)7.64.0-4+deb10u9
bullseye7.74.0-1.3+deb11u13
bullseye (security)7.74.0-1.3+deb11u14
bookworm7.88.1-10+deb12u8
bookworm (security)7.88.1-10+deb12u5
trixie8.11.1-1
sid8.11.1-1

Open issues

BugjessiestretchbusterbullseyebookwormtrixiesidDescription
CVE-2024-11053vulnerable (no DSA, postponed)vulnerable (no DSA, postponed)vulnerable (no DSA, postponed)vulnerable (no DSA, postponed)vulnerable (no DSA)fixedfixedWhen asked to both use a `.netrc` file for credentials and to follow H ...
CVE-2024-9681fixedfixedfixedvulnerable (no DSA, ignored)vulnerable (no DSA)fixedfixedWhen curl is asked to use HSTS, the expiry time for a subdomain might ...
CVE-2024-8096fixedvulnerable (no DSA, postponed)vulnerable (no DSA, postponed)fixedfixedfixedfixedWhen curl is told to use the Certificate Status Request TLS extension, ...
CVE-2024-2398fixedvulnerable (no DSA, postponed)vulnerable (no DSA, postponed)fixedfixedfixedfixedWhen an application tells libcurl it wants to allow HTTP/2 server push ...
CVE-2023-46219fixedfixedfixedvulnerable (no DSA, ignored)fixedfixedfixedWhen saving HSTS data to an excessively long file name, curl could end ...
CVE-2023-28322vulnerable (no DSA)fixedfixedfixedfixedfixedfixedAn information disclosure vulnerability exists in curl <v8.1.0 when do ...
CVE-2023-28321vulnerable (no DSA)fixedfixedfixedfixedfixedfixedAn improper certificate validation vulnerability exists in curl <v8.1. ...
CVE-2023-27534vulnerable (no DSA)fixedfixedfixedfixedfixedfixedA path traversal vulnerability exists in curl <8.0.0 SFTP implementati ...
CVE-2023-23915fixedfixedfixedvulnerable (no DSA, ignored)fixedfixedfixedA cleartext transmission of sensitive information vulnerability exists ...
CVE-2023-23914fixedfixedfixedvulnerable (no DSA, ignored)fixedfixedfixedA cleartext transmission of sensitive information vulnerability exists ...
CVE-2022-43551fixedfixedfixedvulnerable (no DSA, ignored)fixedfixedfixedA vulnerability exists in curl <7.87.0 HSTS check that could be bypass ...
CVE-2022-42916fixedfixedfixedvulnerable (no DSA, ignored)fixedfixedfixedIn curl before 7.86.0, the HSTS check could be bypassed to trick it in ...
CVE-2016-8625vulnerable (no DSA)fixedfixedfixedfixedfixedfixedcurl before version 7.51.0 uses outdated IDNA 2003 standard to handle ...

Open unimportant issues

BugjessiestretchbusterbullseyebookwormtrixiesidDescription
CVE-2024-2379vulnerablevulnerablevulnerablevulnerablevulnerablefixedfixedlibcurl skips the certificate verification for a QUIC connection under ...
CVE-2023-28320vulnerablevulnerablevulnerablevulnerablefixedfixedfixedA denial of service vulnerability exists in curl <v8.1.0 in the way li ...
CVE-2021-22923vulnerablevulnerablevulnerablevulnerablefixedfixedfixedWhen curl is instructed to get content using the metalink feature, and ...
CVE-2021-22922vulnerablevulnerablevulnerablevulnerablefixedfixedfixedWhen curl is instructed to download content using the metalink feature ...
CVE-2020-19909vulnerablevulnerablevulnerablefixedfixedfixedfixedInteger overflow vulnerability in tool_operate.c in curl 7.65.2 via a ...
CVE-2017-7407vulnerablefixedfixedfixedfixedfixedfixedThe ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow ...
CVE-2016-3739vulnerablefixedfixedfixedfixedfixedfixedThe (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) pola ...

Resolved issues

BugDescription
CVE-2024-7264libcurl's ASN1 parser code has the `GTime2str()` function, used for pa ...
CVE-2024-6874libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/ ...
CVE-2024-6197libcurl's ASN1 parser has this utf8asn1str() function used for parsing ...
CVE-2024-2466libcurl did not check the server certificate of TLS connections done t ...
CVE-2024-2004When a protocol selection parameter option disables all protocols with ...
CVE-2024-0853curl inadvertently kept the SSL session ID for connections in its cach ...
CVE-2023-46218This flaw allows a malicious HTTP server to set "super cookies" in cur ...
CVE-2023-38546This flaw allows an attacker to insert cookies at will into a running ...
CVE-2023-38545This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy ...
CVE-2023-38039When curl retrieves an HTTP response, it stores the incoming headers s ...
CVE-2023-32001
CVE-2023-28319A use after free vulnerability exists in curl <v8.1.0 in the way libcu ...
CVE-2023-27538An authentication bypass vulnerability exists in libcurl prior to v8.0 ...
CVE-2023-27537A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS ...
CVE-2023-27536An authentication bypass vulnerability exists libcurl <8.0.0 in the co ...
CVE-2023-27535An authentication bypass vulnerability exists in libcurl <8.0.0 in the ...
CVE-2023-27533A vulnerability in input validation exists in curl <8.0 during communi ...
CVE-2023-23916An allocation of resources without limits or throttling vulnerability ...
CVE-2022-43552A use after free vulnerability exists in curl <7.87.0. Curl can be ask ...
CVE-2022-42915curl before 7.86.0 has a double free. If curl is told to use an HTTP p ...
CVE-2022-35260curl can be told to parse a `.netrc` file for credentials. If that fil ...
CVE-2022-35252When curl is used to retrieve and parse cookies from a HTTP(S) server, ...
CVE-2022-32221When doing HTTP(S) transfers, libcurl might erroneously use the read c ...
CVE-2022-32208When curl < 7.84.0 does FTP transfers secured by krb5, it handles mess ...
CVE-2022-32207When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files ...
CVE-2022-32206curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning ...
CVE-2022-32205A malicious server can serve excessive amounts of `Set-Cookie:` header ...
CVE-2022-30115Using its HSTS support, curl can be instructed to use HTTPS directly i ...
CVE-2022-27782libcurl would reuse a previously created connection even when a TLS or ...
CVE-2022-27781libcurl provides the `CURLOPT_CERTINFO` option to allow applications t ...
CVE-2022-27780The curl URL parser wrongly accepts percent-encoded URL separators lik ...
CVE-2022-27779libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) ...
CVE-2022-27778A use of incorrectly resolved name vulnerability fixed in 7.83.1 might ...
CVE-2022-27776A insufficiently protected credentials vulnerability in fixed in curl ...
CVE-2022-27775An information disclosure vulnerability exists in curl 7.65.0 to 7.82. ...
CVE-2022-27774An insufficiently protected credentials vulnerability exists in curl 4 ...
CVE-2022-22576An improper authentication vulnerability exists in curl 7.33.0 to and ...
CVE-2021-22947When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server t ...
CVE-2021-22946A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful u ...
CVE-2021-22945When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 coul ...
CVE-2021-22925curl supports the `-t` command line option, known as `CURLOPT_TELNETOP ...
CVE-2021-22924libcurl keeps previously used connections in a connection pool for sub ...
CVE-2021-22901curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability ...
CVE-2021-22898curl 7.7 through 7.76.1 suffers from an information disclosure when th ...
CVE-2021-22897curl 7.61.0 through 7.76.1 suffers from exposure of data element to wr ...
CVE-2021-22890curl 7.63.0 to and including 7.75.0 includes vulnerability that allows ...
CVE-2021-22876curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Pr ...
CVE-2020-8286curl 7.41.0 through 7.73.0 is vulnerable to an improper check for cert ...
CVE-2020-8285curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recu ...
CVE-2020-8284A malicious server can use the FTP PASV response to trick curl 7.73.0 ...
CVE-2020-8231Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can us ...
CVE-2020-8177curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of na ...
CVE-2020-8169curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure ...
CVE-2019-5482Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7. ...
CVE-2019-5481Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7 ...
CVE-2019-5443A non-privileged user or program can put code and a config file in a k ...
CVE-2019-5436A heap buffer overflow in the TFTP receiving code allows for DoS or ar ...
CVE-2019-5435An integer overflow in curl's URL API results in a buffer overflow in ...
CVE-2019-3823libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap ...
CVE-2019-3822libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stac ...
CVE-2018-1000301curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-1 ...
CVE-2018-1000300curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-1 ...
CVE-2018-1000122A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 ...
CVE-2018-1000121A NULL pointer dereference exists in curl 7.21.0 to and including curl ...
CVE-2018-1000120A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 i ...
CVE-2018-1000007libcurl 7.1 through 7.57.0 might accidentally leak authentication data ...
CVE-2018-1000005libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in ...
CVE-2018-16890libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap ...
CVE-2018-16842Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buf ...
CVE-2018-16840A heap use-after-free flaw was found in curl versions from 7.59.0 thro ...
CVE-2018-16839Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun ...
CVE-2018-14618curl before version 7.61.1 is vulnerable to a buffer overrun in the NT ...
CVE-2018-0500Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including cur ...
CVE-2017-1000257An IMAP FETCH response line indicates the size of the returned data, i ...
CVE-2017-1000254libcurl may read outside of a heap allocated buffer when doing FTP. Wh ...
CVE-2017-1000101curl supports "globbing" of URLs, in which a user can pass a numerical ...
CVE-2017-1000100When doing a TFTP transfer and curl/libcurl is given a URL that contai ...
CVE-2017-1000099When asking to get a file from a file:// URL, libcurl provides a featu ...
CVE-2017-9502In curl before 7.54.1 on Windows and DOS, libcurl's default protocol f ...
CVE-2017-8818curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to ...
CVE-2017-8817The FTP wildcard function in curl and libcurl before 7.57.0 allows rem ...
CVE-2017-8816The NTLM authentication feature in curl and libcurl before 7.57.0 on 3 ...
CVE-2017-7468In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would atte ...
CVE-2017-2629curl before 7.53.0 has an incorrect TLS Certificate Status Request ext ...
CVE-2017-2628curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-5 ...
CVE-2016-9953The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30 ...
CVE-2016-9952The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30 ...
CVE-2016-9594curl before version 7.52.1 is vulnerable to an uninitialized random in ...
CVE-2016-9586curl before version 7.52.0 is vulnerable to a buffer overflow when doi ...
CVE-2016-8624curl before version 7.51.0 doesn't parse the authority component of th ...
CVE-2016-8623A flaw was found in curl before version 7.51.0. The way curl handles c ...
CVE-2016-8622The URL percent-encoding decode function in libcurl before 7.51.0 is c ...
CVE-2016-8621The `curl_getdate` function in curl before version 7.51.0 is vulnerabl ...
CVE-2016-8620The 'globbing' feature in curl before version 7.51.0 has a flaw that l ...
CVE-2016-8619The function `read_data()` in security.c in curl before version 7.51.0 ...
CVE-2016-8618The libcurl API function called `curl_maprintf()` before version 7.51. ...
CVE-2016-8617The base64 encode function in curl before version 7.51.0 is prone to a ...
CVE-2016-8616A flaw was found in curl before version 7.51.0 When re-using a connect ...
CVE-2016-8615A flaw was found in curl before version 7.51. If cookie state is writt ...
CVE-2016-7167Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escap ...
CVE-2016-7141curl and libcurl before 7.50.2, when built with NSS and the libnsspem. ...
CVE-2016-5421Use-after-free vulnerability in libcurl before 7.50.1 allows attackers ...
CVE-2016-5420curl and libcurl before 7.50.1 do not check the client certificate whe ...
CVE-2016-5419curl and libcurl before 7.50.1 do not prevent TLS session resumption w ...
CVE-2016-4802Multiple untrusted search path vulnerabilities in cURL and libcurl bef ...
CVE-2016-4606Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 al ...
CVE-2016-0755The ConnectionExists function in lib/url.c in libcurl before 7.47.0 do ...
CVE-2016-0754cURL before 7.47.0 on Windows allows attackers to write to arbitrary f ...
CVE-2015-3237The smb_request_state function in cURL and libcurl 7.40.0 through 7.42 ...
CVE-2015-3236cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authenticat ...
CVE-2015-3153The default configuration for cURL and libcurl before 7.42.1 sends cus ...
CVE-2015-3148cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenti ...
CVE-2015-3145The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7 ...
CVE-2015-3144The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 do ...
CVE-2015-3143cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM c ...
CVE-2014-8151The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in l ...
CVE-2014-8150CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, ...
CVE-2014-3707The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, whe ...
CVE-2014-3620cURL and libcurl before 7.38.0 allow remote attackers to bypass the Sa ...
CVE-2014-3613cURL and libcurl before 7.38.0 does not properly handle IP addresses i ...
CVE-2014-2522curl and libcurl 7.27.0 through 7.35.0, when running on Windows and us ...
CVE-2014-1263curl and libcurl 7.27.0 through 7.35.0, when using the SecureTransport ...
CVE-2014-0139cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qso ...
CVE-2014-0138The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re- ...
CVE-2014-0015cURL and libcurl 7.10.6 through 7.34.0, when more than one authenticat ...
CVE-2013-6422The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling di ...
CVE-2013-4545cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disab ...
CVE-2013-2174Heap-based buffer overflow in the curl_easy_unescape function in lib/e ...
CVE-2013-1944The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 d ...
CVE-2013-0249Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message ...
CVE-2012-0036curl and libcurl 7.2x before 7.24.0 do not properly consider special c ...
CVE-2011-3389The SSL protocol, as used in certain configurations in Microsoft Windo ...
CVE-2011-2192The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10. ...
CVE-2010-3842Absolute path traversal vulnerability in curl 7.20.0 through 7.21.1, w ...
CVE-2010-0734content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enab ...
CVE-2009-2417lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is u ...
CVE-2009-0037The redirect implementation in curl and libcurl 5.11 through 7.19.3, w ...
CVE-2007-3564libcurl 7.14.0 through 7.16.3, when built with GnuTLS support, does no ...
CVE-2006-1061Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 a ...
CVE-2005-4077Multiple off-by-one errors in the cURL library (libcurl) 7.11.2 throug ...
CVE-2005-3185Stack-based buffer overflow in the ntlm_output function in http-ntlm.c ...
CVE-2005-0490Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and ...
CVE-2003-1605curl 7.x before 7.10.7 sends CONNECT proxy credentials to the remote s ...

Security announcements

DSA / DLADescription
DLA-3951-1curl - security update
ELA-1145-1curl - security update
ELA-1068-1curl - security update
DLA-3763-1curl - security update
DSA-5587-1curl - security update
DLA-3692-1curl - security update
DSA-5523-1curl - security update
DLA-3613-1curl - security update
ELA-982-1curl - security update
DSA-5460-1curl - security update
DLA-3398-1curl - security update
ELA-831-1curl - security update
DSA-5365-1curl - security update
DLA-3341-1curl - security update
ELA-780-2curl - regression update
DLA-3288-1curl - security update
ELA-780-1curl - security update
DSA-5330-1curl - security update
DLA-3085-1curl - security update
ELA-664-1curl - security update
DSA-5197-1curl - security update
ELA-494-1curl - security update
DLA-2773-1curl - security update
DLA-2734-1curl - security update
ELA-470-1curl - security update
DLA-2664-1curl - security update
ELA-431-1curl - security update
DSA-4881-1curl - security update
DLA-2500-1curl - security update
ELA-334-1curl - security update
ELA-284-1curl - security update
DLA-2382-1curl - security update
DLA-2295-1curl - security update
ELA-251-1curl - security update
DSA-4633-1curl - security update
ELA-163-1curl - security update
DLA-1917-1curl - security update
ELA-122-1curl - security update
DLA-1804-1curl - security update
DLA-1672-1curl - security update
DSA-4386-1curl - security update
DLA-1568-1curl - security update
ELA-54-1curl - security update
DSA-4331-1curl - security update
ELA-36-1curl - security update
DLA-1498-1curl - security update
DSA-4286-1curl - security update
DSA-4202-1curl - security update
DLA-1379-1curl - security update
DLA-1309-1curl - security update
DSA-4136-1curl - security update
DLA-1263-1curl - security update
DSA-4098-1curl - security update
DLA-1195-1curl - security update
DSA-4051-1curl - security update
DSA-4007-1curl - security update
DLA-1143-1curl - security update
DSA-3992-1curl - security update
DLA-1121-1curl - security update
DLA-1062-1curl - security update
DLA-883-1curl - security update
DLA-767-1curl - security update
DLA-711-1curl - security update
DSA-3705-1curl - security update
DLA-625-1curl - security update
DLA-616-1curl - security update
DLA-586-1curl - security update
DSA-3638-1curl - security update
DSA-3455-1curl - security update
DSA-3240-1curl - security update
DLA-211-1curl - security update
DSA-3232-1curl - security update
DLA-134-1curl - security update
DSA-3122-1curl - security update
DLA-84-1curl - security update
DSA-3069-1curl - security update
DLA-64-1curl - security update
DSA-3022-1curl - security update
DSA-2902-1curl - security update
DSA-2849-1curl - information disclosure
DSA-2824-1curl - unchecked tls/ssl certificate host name
DSA-2798-1curl - unchecked ssl certificate host name
DSA-2713-1curl - heap overflow
DSA-2660-1curl - cookie leak vulnerability
DSA-2398-1curl - several
DSA-2271-1curl - improper delegation of client credentials
DSA-2023-1curl - arbitrary code execution
DSA-1869-1curl - SSL certificate verification weakness
DSA-1738-1curl - arbitrary file access
DSA-1333-1curl
DSA-919-2curl - buffer overflow

Search for package or bug name: Reporting problems