{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [], "removed": [], "diff": [ "curl", "libcurl3-gnutls:ppc64el", "libcurl4:ppc64el" ] } }, "diff": { "deb": [ { "name": "curl", "from_version": { "source_package_name": "curl", "source_package_version": "7.68.0-1ubuntu2.22", "version": "7.68.0-1ubuntu2.22" }, "to_version": { "source_package_name": "curl", "source_package_version": "7.68.0-1ubuntu2.23", "version": "7.68.0-1ubuntu2.23" }, "cves": [ { "cve": "CVE-2024-7264", "url": "https://ubuntu.com/security/CVE-2024-7264", "cve_description": "libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when CURLINFO_CERTINFO is used.", "cve_priority": "medium", "cve_public_date": "2024-07-31" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-7264", "url": "https://ubuntu.com/security/CVE-2024-7264", "cve_description": "libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when CURLINFO_CERTINFO is used.", "cve_priority": "medium", "cve_public_date": "2024-07-31" } ], "log": [ "", " * SECURITY UPDATE: ASN.1 date parser overread", " - debian/patches/CVE-2024-7264-pre1.patch: clean up GTime2str in", " lib/x509asn1.c.", " - debian/patches/CVE-2024-7264.patch: unittests and fixes for gtime2str", " in lib/x509asn1.c, lib/x509asn1.h, tests/data/Makefile.inc,", " tests/data/test1656, tests/unit/Makefile.inc, tests/unit/unit1656.c.", " - CVE-2024-7264", "" ], "package": "curl", "version": "7.68.0-1ubuntu2.23", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 01 Aug 2024 10:17:24 -0400" } ], "notes": null }, { "name": "libcurl3-gnutls:ppc64el", "from_version": { "source_package_name": "curl", "source_package_version": "7.68.0-1ubuntu2.22", "version": "7.68.0-1ubuntu2.22" }, "to_version": { "source_package_name": "curl", "source_package_version": "7.68.0-1ubuntu2.23", "version": "7.68.0-1ubuntu2.23" }, "cves": [ { "cve": "CVE-2024-7264", "url": "https://ubuntu.com/security/CVE-2024-7264", "cve_description": "libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when CURLINFO_CERTINFO is used.", "cve_priority": "medium", "cve_public_date": "2024-07-31" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-7264", "url": "https://ubuntu.com/security/CVE-2024-7264", "cve_description": "libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when CURLINFO_CERTINFO is used.", "cve_priority": "medium", "cve_public_date": "2024-07-31" } ], "log": [ "", " * SECURITY UPDATE: ASN.1 date parser overread", " - debian/patches/CVE-2024-7264-pre1.patch: clean up GTime2str in", " lib/x509asn1.c.", " - debian/patches/CVE-2024-7264.patch: unittests and fixes for gtime2str", " in lib/x509asn1.c, lib/x509asn1.h, tests/data/Makefile.inc,", " tests/data/test1656, tests/unit/Makefile.inc, tests/unit/unit1656.c.", " - CVE-2024-7264", "" ], "package": "curl", "version": "7.68.0-1ubuntu2.23", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 01 Aug 2024 10:17:24 -0400" } ], "notes": null }, { "name": "libcurl4:ppc64el", "from_version": { "source_package_name": "curl", "source_package_version": "7.68.0-1ubuntu2.22", "version": "7.68.0-1ubuntu2.22" }, "to_version": { "source_package_name": "curl", "source_package_version": "7.68.0-1ubuntu2.23", "version": "7.68.0-1ubuntu2.23" }, "cves": [ { "cve": "CVE-2024-7264", "url": "https://ubuntu.com/security/CVE-2024-7264", "cve_description": "libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when CURLINFO_CERTINFO is used.", "cve_priority": "medium", "cve_public_date": "2024-07-31" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-7264", "url": "https://ubuntu.com/security/CVE-2024-7264", "cve_description": "libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when CURLINFO_CERTINFO is used.", "cve_priority": "medium", "cve_public_date": "2024-07-31" } ], "log": [ "", " * SECURITY UPDATE: ASN.1 date parser overread", " - debian/patches/CVE-2024-7264-pre1.patch: clean up GTime2str in", " lib/x509asn1.c.", " - debian/patches/CVE-2024-7264.patch: unittests and fixes for gtime2str", " in lib/x509asn1.c, lib/x509asn1.h, tests/data/Makefile.inc,", " tests/data/test1656, tests/unit/Makefile.inc, tests/unit/unit1656.c.", " - CVE-2024-7264", "" ], "package": "curl", "version": "7.68.0-1ubuntu2.23", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 01 Aug 2024 10:17:24 -0400" } ], "notes": null } ], "snap": [] }, "added": { "deb": [], "snap": [] }, "removed": { "deb": [], "snap": [] }, "notes": "Changelog diff for Ubuntu 20.04 focal image from daily image serial 20240801 to 20240805", "from_series": "focal", "to_series": "focal", "from_serial": "20240801", "to_serial": "20240805", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }