-
Wed Feb 15 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-30
- fix HTTP multi-header compression denial of service (CVE-2023-23916)
-
Tue Feb 07 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-29
- h2: lower initial window size to 32 MiB (#2166254)
-
Wed Dec 21 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-28
- smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552)
-
Fri Nov 18 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-27
- upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1 (#2139337)
-
Fri Sep 02 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-26
- control code in cookie denial of service (CVE-2022-35252)
-
Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-25
- setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION (#2063703)
- fix HTTP compression denial of service (CVE-2022-32206)
- fix FTP-KRB bad message verification (CVE-2022-32208)
-
Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-24
- fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
- fix invalid type in printf() argument detected by Coverity
-
Thu Apr 28 2022 Kamil Dudka <kdudka@redhat.com> - 7.61.1-23
- fix credential leak on redirect (CVE-2022-27774)
- fix auth/cookie leak on redirect (CVE-2022-27776)
- fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
-
Fri Sep 17 2021 Kamil Dudka <kdudka@redhat.com> - 7.61.1-22
- fix STARTTLS protocol injection via MITM (CVE-2021-22947)
- fix protocol downgrade required TLS bypass (CVE-2021-22946)
-
Thu Aug 05 2021 Kamil Dudka <kdudka@redhat.com> - 7.61.1-21
- fix TELNET stack contents disclosure again (CVE-2021-22925)
- fix TELNET stack contents disclosure (CVE-2021-22898)
- fix bad connection reuse due to flawed path name checks (CVE-2021-22924)
- disable metalink support to fix the following vulnerabilities
CVE-2021-22923 - metalink download sends credentials
CVE-2021-22922 - wrong content via metalink not discarded