{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [], "removed": [], "diff": [ "curl", "libcurl4t64" ] } }, "diff": { "deb": [ { "name": "curl", "from_version": { "source_package_name": "curl", "source_package_version": "8.14.1-2ubuntu1.1", "version": "8.14.1-2ubuntu1.1" }, "to_version": { "source_package_name": "curl", "source_package_version": "8.14.1-2ubuntu1.2", "version": "8.14.1-2ubuntu1.2" }, "cves": [ { "cve": "CVE-2026-1965", "url": "https://ubuntu.com/security/CVE-2026-1965", "cve_description": "libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request.", "cve_priority": "medium", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2026-3783", "url": "https://ubuntu.com/security/CVE-2026-3783", "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl cwould leak that token to the second hostname under some circumstances.", "cve_priority": "medium", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2026-3784", "url": "https://ubuntu.com/security/CVE-2026-3784", "cve_description": "", "cve_priority": "low", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2026-3805", "url": "https://ubuntu.com/security/CVE-2026-3805", "cve_description": "When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.", "cve_priority": "medium", "cve_public_date": "2026-03-11 18:00:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-1965", "url": "https://ubuntu.com/security/CVE-2026-1965", "cve_description": "libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request.", "cve_priority": "medium", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2026-3783", "url": "https://ubuntu.com/security/CVE-2026-3783", "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl cwould leak that token to the second hostname under some circumstances.", "cve_priority": "medium", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2026-3784", "url": "https://ubuntu.com/security/CVE-2026-3784", "cve_description": "", "cve_priority": "low", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2026-3805", "url": "https://ubuntu.com/security/CVE-2026-3805", "cve_description": "When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.", "cve_priority": "medium", "cve_public_date": "2026-03-11 18:00:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: bad reuse of HTTP Negotiate connection", " - debian/patches/CVE-2026-1965-1.patch: fix reuse of connections using", " HTTP Negotiate in lib/url.c.", " - debian/patches/CVE-2026-1965-2.patch: fix copy and paste", " url_match_auth_nego mistake in lib/url.c.", " - CVE-2026-1965", " * SECURITY UPDATE: token leak with redirect and netrc", " - debian/patches/CVE-2026-3783.patch: only send bearer if auth is", " allowed in lib/http.c, tests/data/Makefile.am, tests/data/test2006.", " - CVE-2026-3783", " * SECURITY UPDATE: wrong proxy connection reuse with credentials", " - debian/patches/CVE-2026-3784.patch: add additional tests in", " lib/url.c, tests/http/test_13_proxy_auth.py,", " tests/http/testenv/curl.py.", " - CVE-2026-3784", " * SECURITY UPDATE: use after free in SMB connection reuse", " - debian/patches/CVE-2026-3805.patch: free the path in the request", " struct properly in lib/smb.c.", " - CVE-2026-3805", "" ], "package": "curl", "version": "8.14.1-2ubuntu1.2", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Mon, 09 Mar 2026 09:15:00 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libcurl4t64", "from_version": { "source_package_name": "curl", "source_package_version": "8.14.1-2ubuntu1.1", "version": "8.14.1-2ubuntu1.1" }, "to_version": { "source_package_name": "curl", "source_package_version": "8.14.1-2ubuntu1.2", "version": "8.14.1-2ubuntu1.2" }, "cves": [ { "cve": "CVE-2026-1965", "url": "https://ubuntu.com/security/CVE-2026-1965", "cve_description": "libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request.", "cve_priority": "medium", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2026-3783", "url": "https://ubuntu.com/security/CVE-2026-3783", "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl cwould leak that token to the second hostname under some circumstances.", "cve_priority": "medium", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2026-3784", "url": "https://ubuntu.com/security/CVE-2026-3784", "cve_description": "", "cve_priority": "low", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2026-3805", "url": "https://ubuntu.com/security/CVE-2026-3805", "cve_description": "When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.", "cve_priority": "medium", "cve_public_date": "2026-03-11 18:00:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-1965", "url": "https://ubuntu.com/security/CVE-2026-1965", "cve_description": "libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request.", "cve_priority": "medium", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2026-3783", "url": "https://ubuntu.com/security/CVE-2026-3783", "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl cwould leak that token to the second hostname under some circumstances.", "cve_priority": "medium", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2026-3784", "url": "https://ubuntu.com/security/CVE-2026-3784", "cve_description": "", "cve_priority": "low", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2026-3805", "url": "https://ubuntu.com/security/CVE-2026-3805", "cve_description": "When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.", "cve_priority": "medium", "cve_public_date": "2026-03-11 18:00:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: bad reuse of HTTP Negotiate connection", " - debian/patches/CVE-2026-1965-1.patch: fix reuse of connections using", " HTTP Negotiate in lib/url.c.", " - debian/patches/CVE-2026-1965-2.patch: fix copy and paste", " url_match_auth_nego mistake in lib/url.c.", " - CVE-2026-1965", " * SECURITY UPDATE: token leak with redirect and netrc", " - debian/patches/CVE-2026-3783.patch: only send bearer if auth is", " allowed in lib/http.c, tests/data/Makefile.am, tests/data/test2006.", " - CVE-2026-3783", " * SECURITY UPDATE: wrong proxy connection reuse with credentials", " - debian/patches/CVE-2026-3784.patch: add additional tests in", " lib/url.c, tests/http/test_13_proxy_auth.py,", " tests/http/testenv/curl.py.", " - CVE-2026-3784", " * SECURITY UPDATE: use after free in SMB connection reuse", " - debian/patches/CVE-2026-3805.patch: free the path in the request", " struct properly in lib/smb.c.", " - CVE-2026-3805", "" ], "package": "curl", "version": "8.14.1-2ubuntu1.2", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Mon, 09 Mar 2026 09:15:00 -0400" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [], "snap": [] }, "removed": { "deb": [], "snap": [] }, "notes": "Changelog diff for Ubuntu 25.10 questing image from daily image serial 20260311 to 20260312", "from_series": "questing", "to_series": "questing", "from_serial": "20260311", "to_serial": "20260312", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }