Skip to content

Changelog curl (7.68.0-1ubuntu2.7)

2021

curl (7.68.0-1ubuntu2.7) focal-security; urgency=medium

   * SECURITY UPDATE: Protocol downgrade required TLS bypassed
     - debian/patches/CVE-2021-22946-pre1.patch: separate FTPS from FTP over
       HTTPS proxy in lib/ftp.c, lib/urldata.h.
     - debian/patches/CVE-2021-22946.patch: do not ignore --ssl-reqd in
       lib/ftp.c, lib/imap.c, lib/pop3.c, tests/data/Makefile.inc,
       tests/data/test984, tests/data/test985, tests/data/test986.
     - CVE-2021-22946
   * SECURITY UPDATE: STARTTLS protocol injection via MITM
     - debian/patches/CVE-2021-22947.patch: reject STARTTLS server response
       pipelining in lib/ftp.c, lib/imap.c, lib/pop3.c, lib/smtp.c,
       tests/data/Makefile.inc, tests/data/test980, tests/data/test981,
       tests/data/test982, tests/data/test983.
     - CVE-2021-22947

curl (7.68.0-1ubuntu2.6) focal-security; urgency=medium

   * SECURITY UPDATE: TELNET stack contents disclosure
     - debian/patches/CVE-2021-22898.patch: check sscanf() for correct
       number of matches in lib/telnet.c.
     - CVE-2021-22898
   * SECURITY UPDATE: Bad connection reuse due to flawed path name checks
     - debian/patches/CVE-2021-22924.patch: fix connection reuse checks for
       issuer cert and case sensitivity in lib/url.c, lib/urldata.h,
       lib/vtls/gtls.c, lib/vtls/nss.c, lib/vtls/openssl.c, lib/vtls/vtls.c.
     - CVE-2021-22924
   * SECURITY UPDATE: TELNET stack contents disclosure again
     - debian/patches/CVE-2021-22925.patch: fix option parser to not send
       uninitialized contents in lib/telnet.c.
     - CVE-2021-22925

curl (7.68.0-1ubuntu2.5) focal-security; urgency=medium

   * SECURITY UPDATE: data leak via referer header field
     - debian/patches/CVE-2021-22876.patch: strip credentials from the
       auto-referer header field in lib/transfer.c.
     - CVE-2021-22876
   * SECURITY UPDATE: TLS 1.3 session ticket proxy host mixup
     - debian/patches/CVE-2021-22890.patch: make sure we set and extract the
       correct session in lib/vtls/*.
     - CVE-2021-22890

2020

curl (7.68.0-1ubuntu2.4) focal-security; urgency=medium

   * SECURITY UPDATE: FTP redirect to malicious host via PASV response
     - debian/patches/CVE-2020-8284.patch: use CURLOPT_FTP_SKIP_PASV_IP by
       default in lib/url.c, src/tool_cfgable.c, docs/*, tests/data/*.
     - CVE-2020-8284
   * SECURITY UPDATE: FTP wildcard stack buffer overflow in libcurl
     - debian/patches/CVE-2020-8285.patch: make wc_statemach loop instead of
       recurse in lib/ftp.c.
     - CVE-2020-8285
   * SECURITY UPDATE: Inferior OCSP verification
     - debian/patches/CVE-2020-8286.patch: make the OCSP verification verify
       the certificate id in lib/vtls/openssl.c.
     - CVE-2020-8286

curl (7.68.0-1ubuntu2.2) focal-security; urgency=medium

   * SECURITY UPDATE: wrong connect-only connection
     - debian/patches/CVE-2020-8231.patch: remember last connection by id,
       not by pointer in lib/connect.c, lib/easy.c, lib/multi.c, lib/url.c,
       lib/urldata.h.
     - CVE-2020-8231

curl (7.68.0-1ubuntu2.1) focal-security; urgency=medium

   * SECURITY UPDATE: Partial password leak over DNS on HTTP redirect
     - debian/patches/CVE-2020-8169.patch: make the updated credentials
       URL-encoded in the URL in lib/url.c, tests/data/test1168,
       tests/data/Makefile.inc.
     - CVE-2020-8169
   * SECURITY UPDATE: curl overwrite local file with -J
     - debian/patches/CVE-2020-8177.patch: -i is not OK if -J is used in
       src/tool_cb_hdr.c, src/tool_getparam.c.
     - CVE-2020-8177

curl (7.68.0-1ubuntu2) focal; urgency=medium

   * debian/patches/git_tls13_gnutls.patch:
     - Ensure TLS 1.3 works with GnuTLS, thanks Dirkjan Bussink for writting
       the patch and pointing it out on launchpad! (lp: #1872698)

curl (7.68.0-1ubuntu1) focal; urgency=low

   * Merge from Debian unstable.  Remaining changes:
     - debian/control, debian/rules: build with libssh instead of libssh2.

curl (7.68.0-1) unstable; urgency=medium

   * New upstream release
   * Bump Standards-Version to 4.5.0 (no changes needed)
   * Update symbols files
   * Configure default CA file with OpenSSL again (Closes: #948441)

curl (7.67.0-2ubuntu1) focal; urgency=low

   * Merge from Debian unstable.  Remaining changes:
     - debian/control, debian/rules: build with libssh instead of libssh2.

2019

curl (7.67.0-2) unstable; urgency=medium

   * Restore :native annotation for python3 Build-Depends.
     Thanks to Helmut Grohne for the patch (Closes: #945928)

curl (7.67.0-1) unstable; urgency=medium

   * New upstream release
   * Replace python with python3 in Build-Depends (Closes: #942984)
   * Bump Standards-Version to 4.4.1 (no changes needed)

curl (7.66.0-1ubuntu1) focal; urgency=low

   * Merge from Debian unstable.  Remaining changes:
     - debian/control, debian/rules: build with libssh instead of libssh2.
   * Dropped changes, included upstream:
     - debian/patches/CVE-2019-5481.patch: update lib/security.c to avoid
        double-free on large memory allocation failures
     - debian/patches/CVE-2019-5482.patch: ensure to use the correct block
       size when calling recvfrom() if the server returns an OACK without
       specifying a block size in lib/tftp.c

curl (7.66.0-1) unstable; urgency=medium

   * New upstream release (Closes: #940024)
     + Fix FTP-KRB double-free as per CVE-2019-5481 (Closes: #940009)
       CVE-2019-5481.html">https://curl.haxx.se/docs/CVE-2019-5481.html
     + Fix TFTP small blocksize heap buffer overflow as per CVE-2019-5482
       (Closes: #940010)
       CVE-2019-5482.html">https://curl.haxx.se/docs/CVE-2019-5482.html
   * Refresh patches
   * Enable brotli support (Closes: #940129)
   * Update *.symbols files

curl (7.65.3-1ubuntu4) focal; urgency=medium

   * No-change rebuild against libnettle7

curl (7.65.3-1ubuntu3) eoan; urgency=medium

   * SECURITY UPDATE: double-free when using kerberos over FTP may cause
     denial-of-service
     - debian/patches/CVE-2019-5481.patch: update lib/security.c to avoid
       double-free on large memory allocation failures
     - CVE-2019-5481
   * SECURITY UPDATE: heap buffer overflow when receiving TFTP data may
     cause denial-of-service or remote code-execution
     - debian/patches/CVE-2019-5482.patch: ensure to use the correct block
       size when calling recvfrom() if the server returns an OACK without
       specifying a block size in lib/tftp.c
     - CVE-2019-5482

curl (7.65.3-1ubuntu2) eoan; urgency=medium

   * No-change upload with strops.h and sys/strops.h removed in glibc.

curl (7.65.3-1ubuntu1) eoan; urgency=low

   * Merge from Debian unstable.  Remaining changes:
     - debian/control, debian/rules: build with libssh instead of libssh2.

curl (7.65.3-1) unstable; urgency=medium

   * New upstream release
   * Drop 12_fix-man-errors.patch (merged upstream)
   * Remove Ian Jackson from Uploaders as he has never done an upload

curl (7.65.1-1ubuntu1) eoan; urgency=low

   * Merge from Debian unstable.  Remaining changes:
     - debian/control, debian/rules: build with libssh instead of libssh2.

curl (7.65.1-1) unstable; urgency=medium

   * New upstream release
     + Reduce verbose output (Closes: #926148)
     + Fix parsing URLs with link local addresses (Closes: #926812)
   * Drop patches merged upstream
   * Refresh patches
   * Bump STandards-Version to 4.4.0 (no changes needed)
   * Update entry in copyright for renamed files
   * Fix some man errors.
     Thanks to Bjarni Ingi Gislason for the patch (Closes: #926352)
   * Add Build-Depends-Package field to symbols files

curl (7.64.0-4ubuntu1) eoan; urgency=low

   * Merge from Debian unstable.  Remaining changes:
     - debian/control, debian/rules: build with libssh instead of libssh2.
   * Dropped changes, included in Debian:
     - SECURITY UPDATE: Integer overflows in curl_url_set()
     - SECURITY UPDATE: TFTP receive buffer overflow

curl (7.64.0-4) unstable; urgency=medium

   * Fix TFTP receive buffer overflow as per CVE-2019-5436 (Closes: #929351)
     CVE-2019-5436.html">https://curl.haxx.se/docs/CVE-2019-5436.html
   * Fix integer overflow in curl_url_set() as per CVE-2019-5435 (Closes: #929352)
     CVE-2019-5435.html">https://curl.haxx.se/docs/CVE-2019-5435.html

curl (7.64.0-3ubuntu2) eoan; urgency=medium

   * SECURITY UPDATE: Integer overflows in curl_url_set()
     - debian/patches/CVE-2019-5435.patch: limit sizes in lib/setopt.c,
       lib/urlapi.c, lib/urldata.h, tests/data/Makefile.inc,
       tests/data/test1559, tests/libtest/Makefile.inc,
       tests/libtest/lib1559.c.
     - CVE-2019-5435
   * SECURITY UPDATE: TFTP receive buffer overflow
     - debian/patches/CVE-2019-5436.patch: use the current blksize in
       lib/tftp.c.
     - CVE-2019-5436

curl (7.64.0-3ubuntu1) eoan; urgency=low

   * Merge from Debian unstable.  Remaining changes:
   * debian/control, debian/rules:
     - build with libssh instead of libssh2, that's a better maintained
       library and it's in Ubuntu main (lp: #311029)

curl (7.64.0-3) unstable; urgency=medium

   * Fix potential crash in HTTP/2 code and busy loop at the end of connections
     (Closes: #927471)

curl (7.64.0-2ubuntu1) disco; urgency=low

   * Merge from Debian unstable.  Remaining changes:
   * debian/control, debian/rules:
     - build with libssh instead of libssh2, that's a better maintained
       library and it's in Ubuntu main (lp: #311029)

curl (7.64.0-2) unstable; urgency=medium

   * Fix infinite loop when fetching URLs with unreachable IPv6 (Closes: #922554)

curl (7.64.0-1ubuntu1) disco; urgency=medium

   * Resynchronize with Debian, remaining change
   * debian/control, debian/rules:
     - build with libssh instead of libssh2, that's a better maintained
       library and it's in Ubuntu main (lp: #311029)

curl (7.64.0-1) unstable; urgency=medium

   * New upstream release
     + Fix NTLM type-2 out-of-bounds buffer read as per CVE-2018-16890
       https://curl.haxx.se/docs/CVE-2018-16890.html
     + Fix NTLMv2 type-3 header stack buffer overflow as per CVE-2019-3822
       CVE-2019-3822.html">https://curl.haxx.se/docs/CVE-2019-3822.html
     + Fix SMTP end-of-response out-of-bounds read as per CVE-2019-3823
       CVE-2019-3823.html">https://curl.haxx.se/docs/CVE-2019-3823.html
     + Fix HTTP negotiation with POST requests (Closes: #920267)
   * Refresh patches
   * Import fixes for zsh completion script generator (Closes: #92145)

curl (7.63.0-1) unstable; urgency=medium

   * New upstream release
     + Fix IPv6 numeral address parser (Closes: #915520)
     + Fix timeout handling (Closes: #914793)
     + Fix HTTP auth to include query in URI (Closes: #913214)
   * Drop 12_fix-runtests-curl.patch (merged upstream)
   * Update symbols
   * Update copyright for removed files
   * Bump debhlper compat level to 12
   * Bump Standards-Version to 4.3.0 (no changes needed)

2018

curl (7.62.0-1) unstable; urgency=medium

   * New upstream release
     + Fix NTLM password overflow via integer overflow as per CVE-2018-14618
       (Closes: #908327) https://curl.haxx.se/docs/CVE-2018-14618.html
     + Fix SASL password overflow via integer overflow as per CVE-2018-16839
       https://curl.haxx.se/docs/CVE-2018-16839.html
     + Fix use-after-free in handle close as per CVE-2018-16840
       https://curl.haxx.se/docs/CVE-2018-16840.html
     + Fix warning message out-of-buffer read as per CVE-2018-16842
       https://curl.haxx.se/docs/CVE-2018-16842.html
     + Fix broken terminal output (closes: #911333)
   * Refresh patches
   * Add 12_fix-runtests-curl.patch to fix running curl in tests

curl (7.61.0-1) unstable; urgency=medium

   * New upstream release
     + Fix SMTP send heap buffer overflow as per CVE-2018-0500 (Closes: #903546)
       https://curl.haxx.se/docs/adv_2018-70a2.html
     + Fix some crashes related to HTTP/2 (Closes: #902628)
   * Disable libssh2 on Ubuntu.
     Thanks to Gianfranco Costamagna for the patch (Closes: #888449)
   * Bump Standards-Version to 4.2.0 (no changes needed)
   * Don't configure default CA bundle with OpenSSL and GnuTLS (Closes: #883174)

curl (7.60.0-2) unstable; urgency=medium

   [ Steve Langasek ]
   * Build-depend on libssl-dev instead of libssl1.0-dev.
   * Rename libcurl3 to libcurl4, because libcurl exposes an SSL_CTX via
     CURLOPT_SSL_CTX_FUNCTION, and this object changes incompatibly between
     openssl 1.0 and openssl 1.1.
   * debian/patches/03_keep_symbols_compat.patch: drop, since we are no longer
     claiming compatibility.
   * debian/patches/90_gnutls.patch: Retain symbol versioning compatibility for
     non-OpenSSL builds.  Closes: #858398.
   * Adjust libssl1.1 vs libssl1.0 Suggests/Conflicts; thanks, Adrian Bunk

curl (7.60.0-1) unstable; urgency=medium

   * New upstream release (Closes: #891997, #893546, #898856)
     + Fix use of IPv6 literals with NO_PROXY
     + Fix NIL byte out of bounds write due to FTP path trickery
       as per CVE-2018-1000120
       https://curl.haxx.se/docs/adv_2018-9cd6.html
     + Fix LDAP NULL pointer dereference as per CVE-2018-1000121
       https://curl.haxx.se/docs/adv_2018-97a2.html
     + Fix RTSP RTP buffer over-read as per CVE-2018-1000122
       https://curl.haxx.se/docs/adv_2018-b047.html
     + Fix heap buffer overflow when closing down an FTP connection
       with very long server command replies as per CVE-2018-1000300
       https://curl.haxx.se/docs/adv_2018-82c2.html
     + Fix heap buffer over-read when parsing bad RTSP headers
       as per CVE-2018-1000301
       https://curl.haxx.se/docs/adv_2018-b138.html
   * Refresh patches
   * Bump Standards-Version to 4.1.4 (no changes needed)

curl (7.58.0-2) unstable; urgency=medium

   * Explicitly enable libssh2 support which got silently disabled in the
     previous update

curl (7.58.0-1) unstable; urgency=medium

   * New upstream release
     - Fix HTTP/2 trailer out-of-bounds read as per CVE-2018-1000005
       https://curl.haxx.se/docs/adv_2018-824a.html
     - Fix HTTP authentication leak in redirects as per CVE-2018-1000007
       https://curl.haxx.se/docs/adv_2018-b3bf.html
   * Point Vcs-* to salsa.d.o
   * Bump Standards-Version to 4.1.3 (no changes needed)
   * Bump debhlper compat level to 11
   * Refresh patches
   * fix insecure-copyright-format-uri

2017

curl (7.57.0-1) unstable; urgency=medium

   * New upstream release
     - Fix NTLM buffer overflow via integer overflow as per CVE-2017-8816
       https://curl.haxx.se/docs/adv_2017-11e7.html
     - Fix FTP wildcard out of bounds read as per CVE-2017-8817
       https://curl.haxx.se/docs/adv_2017-ae72.html
     - Fix SSL out of buffer access as per CVE-2017-8818
       https://curl.haxx.se/docs/adv_2017-af0a.html
   * Remove -fdebug-prefix-map from curl-config.
     Thanks to Timo Weingärtner for the patch (Closes: #861974, #874223, #874238)
   * Don't install zsh completion when cross compiling.
     Thanks to Wookey for the patch (Closes: #812965)

curl (7.56.1-1) unstable; urgency=medium

   * New upstream release
     - Fix IMAP FETCH response out of bounds read as per CVE-2017-1000257
       https://curl.haxx.se/docs/adv_20171023.html
   * Bump Standards-Version to 4.1.1 (no changes needed)
   * Drop 01_runtests_gdb.patch
   * Drop 12_dont-wait-on-CONNECT.patch
   * Refresh patches
   * Update *.symbols files
   * Use https:// URL in watch file

curl (7.55.1-1) unstable; urgency=medium

   * New upstream release
     - Fix FTBFS on powerpc (Closes: #872502)
   * Apply upstream patch to fix connection timeouts with NetworkManager
     (Closes: #873181)
   * Refresh patches
   * Bump Standards-Version to 4.1.0 (no changes needed)

curl (7.55.0-1) unstable; urgency=medium

   * New upstream release
     - Fix TFTP sends more than buffer size as per CVE-2017-1000100
       (Closes: #871555)
     - Fix URL globbing out of bounds read as per CVE-2017-1000101
       (Closes: #871554)
   * Refresh patches and drop patches merged upstream
   * Update Standards-Version to 4.0.1 (no changes needed)
   * Drop -dbg package

curl (7.52.1-5) unstable; urgency=high

   * Fix TLS session resumption client cert bypass as per CVE-2017-7468
     https://curl.haxx.se/docs/adv_20170419.html

curl (7.52.1-4) unstable; urgency=medium

   * Fix regression in CONNECT response handling (Closes: #857613)
   * Fix buffer read overrun on --write-out as per CVE-2017-7407
     https://curl.haxx.se/docs/adv_20170403.html (Closes: #859500)

curl (7.52.1-3) unstable; urgency=high

   * Make SSL_VERIFYSTATUS work again as per CVE-2017-2629
     https://curl.haxx.se/docs/adv_20170222.html

curl (7.52.1-2) unstable; urgency=medium

   * Fix HTTPS connection timeout with OpenSSL (Closes: #852317)

curl (7.52.1-1) unstable; urgency=medium

   * New upstream release
     - Fix printf floating point buffer overflow as per CVE-2016-9586
       (Closes: #848958)
   * B-D on "libssl1.0-dev | libssl-dev (<< 1.1)" (Closes: #850880, #844018)
   * Another attempt at making -dev packages multi-arch.
     Thanks to Benjamin Moody for the patches. (Closes: #731998, #846360)
   * Enable support for PSL (Closes: #847958)
   * Re-enable support for IDN (Closes: #849539)
   * Drop 10_disable-network-tests.patch.
     It didn't really work, and the issue is not urgent.
   * Switch curl binary back to libcurl3/OpenSSL.
     While the GnuTLS flavour mostly worked fine, there are a bunch of features
     that are not implemented.

2016

curl (7.51.0-1) unstable; urgency=medium

   * New upstream release
     - Fix cookie injection for other servers as per CVE-2016-8615
       https://curl.haxx.se/docs/adv_20161102A.html
     - Fix case insensitive password comparison as per CVE-2016-8616
       https://curl.haxx.se/docs/adv_20161102B.html
     - Fix OOB write via unchecked multiplication as per CVE-2016-8617
       https://curl.haxx.se/docs/adv_20161102C.html
     - Fix double-free in curl_maprintf as per CVE-2016-8618
       https://curl.haxx.se/docs/adv_20161102D.html
     - Fix double-free in krb5 code as per CVE-2016-8619
       https://curl.haxx.se/docs/adv_20161102E.html
     - Fix glob parser write/read out of bounds as per CVE-2016-8620
       https://curl.haxx.se/docs/adv_20161102F.html
     - Fix curl_getdate read out of bounds as per CVE-2016-8621
       https://curl.haxx.se/docs/adv_20161102G.html
     - Fix URL unescape heap overflow via integer truncation as per CVE-2016-8622
       https://curl.haxx.se/docs/adv_20161102H.html
     - Fix use-after-free via shared cookies as per CVE-2016-8623
       https://curl.haxx.se/docs/adv_20161102I.html
     - Fix invalid URL parsing with '#' as per CVE-2016-8624
       https://curl.haxx.se/docs/adv_20161102J.html
     - Fix IDNA 2003 makes curl use wrong host
       https://curl.haxx.se/docs/adv_20161102K.html
     - Fix escape and unescape integer overflows as
       per CVE-2016-7167 (Closes: #837945)
       https://curl.haxx.se/docs/adv_20160914.html
     - Fix incorrect reuse of client certificates (NSS backend)
       as per CVE-2016-7141 (Closes: #836918)
       https://curl.haxx.se/docs/adv_20160907.html
   * Drop 02_art_http_scripting.patch (file not shipped anymore)
   * Refresh patches
   * Temporarily disable IDN support
   * Don't install pdf and html docs (they are not shipped in the tarball anymore)
   * Install markdown docs

curl (7.50.1-2) unstable; urgency=medium

   * Disable more network tests (Closes: #830273)

curl (7.50.1-1) unstable; urgency=medium

   * New upstream release (Closes: #827900)
     - Fix TLS session resumption client cert bypass as per CVE-2016-5419
       https://curl.haxx.se/docs/adv_20160803A.html
     - Fix re-using connection with wrong client cert as per CVE-2016-5420
       https://curl.haxx.se/docs/adv_20160803B.html
     - Fix use of connection struct after free as per CVE-2016-5421
       https://curl.haxx.se/docs/adv_20160803C.html
     - Support OpenSSL 1.1 (Closes: #828127)
   * Fix 04_workaround_as_needed_bug.patch.
     Thanks to Yuriy M. Kaminskiy for the patch (Closes: #818131)
   * Bump Standards-Version to 3.9.8 (no changes needed)
   * Update Vcs-* URLs
   * Refresh patches
   * Add 08_enable-zsh.patch to re-enable zsh completion generation
   * Remove 08_fix-zsh-completion.patch (was already disabled)
   * Add 09_fix-typo.patch to fix spelling-error-in-manpage
   * Add 10_disable-network-tests.patch to disable networked tests
     (Closes: #830273)
   * Improve cross Build-Depends satisfiability.
     Thanks to Helmut Grohne for the patch (Closes: #818092)

curl (7.47.0-1) unstable; urgency=high

   * New upstream release
     - Fix NTLM credentials not-checked for proxy connection re-use
       as per CVE-2016-0755
       http://curl.haxx.se/docs/adv_20160127A.html
     - Set uyrgency=high accordingly
   * Remove hard-coded dependency on libgnutls (Closes: #812542)
   * Drop 08_fix-zsh-completion.patch (merged upstream)
   * Refresh patches

2015

curl (7.46.0-1) unstable; urgency=medium

   * New upstream release
     - Initialize OpenSSL algorithms after loading config (Closes: #805408)
   * Install curl zsh completion (Closes: #805509)
     - Add 08_fix-zsh-completion.patch to fix zsh completion generation

curl (7.45.0-1) unstable; urgency=medium

   * New upstream release
   * Drop 08_spelling.patch (merged upstream)

curl (7.44.0-2) unstable; urgency=medium

   * Enable HTTP/2 support (Closes: #796302)

curl (7.44.0-1) unstable; urgency=medium

   * New upstream release
   * Refresh patches
   * Update symbols files
   * Add 08_spelling.patch to fix some spelling errors

curl (7.43.0-1) unstable; urgency=medium

   * New upstream release
     - Fix lingering HTTP credentials in connection re-use as per CVE-2015-3236
       http://curl.haxx.se/docs/adv_20150617A.html
     - Fix SMB send off unrelated memory contents as per CVE-2015-3237
       http://curl.haxx.se/docs/adv_20150617B.html
   * Refresh patches
   * Fix spelling-error-in-description

curl (7.42.1-3) unstable; urgency=medium

   * Update copyright
   * Set both CA bundle and CA path default values for OpenSSL and GnuTLS
     backends
   * Bump versioned depends on libgnutls to workaround lack of nettle versioned
     symbols (Closes: #787960)

curl (7.42.1-2) unstable; urgency=medium

   * Switch curl binary to libcurl3-gnutls (Closes: #342719)
     This is the first step of a possible migration to a GnuTLS-only
     libcurl for Debian. Let's see how it goes.

curl (7.42.1-1) unstable; urgency=high

   * New upstream release
     - Don't send sensitive HTTP server headers to proxies as per
       CVE-2015-3153
       http://curl.haxx.se/docs/adv_20150429.html
   * Drop 08_fix-spelling.patch (merged upstream)
   * Refresh patches

curl (7.42.0-1) unstable; urgency=medium

   * New upstream release
     - Fix re-using authenticated connection when unauthenticated
       as per CVE-2015-3143
       http://curl.haxx.se/docs/adv_20150422A.html
     - Fix host name out of boundary memory access as per CVE-2015-3144
       http://curl.haxx.se/docs/adv_20150422D.html
     - Fix cookie parser out of boundary memory access as per CVE-2015-3145
       http://curl.haxx.se/docs/adv_20150422C.html
     - Fix Negotiate not treated as connection-oriented as per CVE-2015-3148
       http://curl.haxx.se/docs/adv_20150422B.html
     - Disable SSLv3 in the OpenSSL backend when OPENSSL_NO_SSL3_METHOD is
       defined (Closes: #768562)
   * Drop patches merged upstream
   * Refresh patches
   * Bump Standards-Version to 3.9.6 (no changes needed)

curl (7.38.0-4) unstable; urgency=high

   * Fix URL request injection vulnerability as per CVE-2014-8150
     http://curl.haxx.se/docs/adv_20150108B.html
   * Set urgency=high accordingly

2014

curl (7.38.0-3) unstable; urgency=high

   * Enable all hardening options (Closes: #763372)
   * Fix duphandle read out of bounds as per CVE-2014-3707
     http://curl.haxx.se/docs/adv_20141105.html
   * Set urgency=high accordingly

curl (7.38.0-2) unstable; urgency=medium

   * Check for libtoolize instead of libtool during build.
     Thanks to Helmut Grohne for the patch (Closes: #761740)
   * Add README.source note regarding ordering of patches (Closes: #762193)
   * Add 10_fix-resolver.patch from upstream (Closes: #762014)

curl (7.38.0-1) unstable; urgency=medium

   * New upstream release
     - Only use full host matches for hosts used as IP address
       as per CVE-2014-3613
       http://curl.haxx.se/docs/adv_20140910A.html
     - Reject incoming cookies set for TLDs as per CVE-2014-3620
       http://curl.haxx.se/docs/adv_20140910B.html
   * Drop 08_link-curl-to-nss.patch (merged upstream)
   * Refresh patches
   * Fix wildcard-matches-nothing-in-dep5-copyright
   * Add 08_fix-spelling.patch

curl (7.37.1-1) unstable; urgency=medium

   * New upstream release
   * Re-enable RTMP support (Closes: #754222)
   * Add 08_link-curl-to-nss.patch to fix NSS build
   * Refresh patches
   * Install manpages of single libcurl options too

curl (7.37.0-1) unstable; urgency=medium

   * New upstream release
     - Fix NULL pointer dereference in GnuTLS code (Closes: #746349)
   * Drop 08_fix-imap-tests.patch (merged upstream)
   * Refresh 01_runtests_gdb.patch
   * Remove Build-Depends on libgcrypt

curl (7.36.0-2) unstable; urgency=medium

   * Move Depends on -dev packages needed to use static libraries to Suggests
   * Switch to GnuTLS 3.x (Closes: #741568)
   * Disable RTMP support (librtmp-dev requires libgnutls-dev, which conflicts
     with libgnutls28-dev)

curl (7.36.0-1) unstable; urgency=high

   * New upstream release (Closes: #742728)
     - Fix connection re-use when using different log-in credentials
       as per CVE-2014-0138
       http://curl.haxx.se/docs/adv_20140326A.html
     - Reject IP address wildcard matches as per CVE-2014-0139
       http://curl.haxx.se/docs/adv_20140326B.html
     - Set urgency=high accordingly
   * Add 08_fix-imap-tests.patch to fix tests broken by the fix for CVE-2014-0138

curl (7.35.0-1) unstable; urgency=high

   * New upstream release
     - Fix re-use of wrong HTTP NTLM connection as per CVE-2014-0015
       http://curl.haxx.se/docs/adv_20140129.html
     - Set urgency=high accordingly
   * Refresh patches

2013

curl (7.34.0-1) unstable; urgency=high

   * New upstream release
     - Fix GnuTLS checking of a certificate CN or SAN name field when the
       digital signature verification is turned off as per CVE-2013-6422
       http://curl.haxx.se/docs/adv_20131217.html
     - Set urgency=high accordingly
   * Drop patches merged upstream:
     - 08_fix-typo.patch
     - 09_fix-urlglob.patch

curl (7.33.0-2) unstable; urgency=low

   * Make -dev packages Multi-Arch: same too (Closes: #731309)
   * Bump Standards-Version to 3.9.5 (no changes needed)
   * Add 09_fix-urlglob.patch to fix URL globbing (Closes: #731855)

curl (7.33.0-1) unstable; urgency=low

   * New upstream release
     - Handle arbitrary-length username and password (Closes: #719856)
   * Remove Luk from Uploaders as per his request (Closes: #723603)
   * Do not Build-Depends on specific automake version (Closes: #724361)
   * Fix lintian vcs-field-not-canonical
   * Add 08_fix-typo.patch
   * Refresh patches

curl (7.32.0-1) unstable; urgency=low

   * New upstream release
   * Fix typo in changelog entry for 7.31.0-1 (Closes: #714502)
   * Drop 08_typo.patch (merged upstream)
   * Drop 09_openssl-recv.patch (merged upstream)
   * Refresh 90_gnutls.patch and 99_nss.patch
   * Refresh 06_always-disable-valgrind.patch
   * Enable threaded DNS resolver (Closes: #570436)
     See NEWS.Debian for more info

curl (7.31.0-2) unstable; urgency=high

   * Add 09_openssl-recv.patch to fix incorrect OpenSSL usage (Closes: #714050)
   * Set urgency=high because of the security fix in the previous upload

curl (7.31.0-1) unstable; urgency=low

   * New upstream release
     - Fix URL decode buffer boundary flaw as per CVE-2013-2174
       http://curl.haxx.se/docs/adv_20130622.html
   * Make curl Multi-Arch: foreign (Closes: #712585)
   * Drop 08_reset-timecond.patch (merged upstream)
   * Refresh patches
   * Add 08_typo.patch to fix a couple of typos in one of the manpages

curl (7.30.0-2) unstable; urgency=low

   * Move textual docs to the -doc package too
   * Move manpages from -dev packages to -doc as well
     - Add Breaks+Replaces accordingly
   * Remove outdated Replaces/Conflicts
   * Update watch file version to 3
   * Add 08_reset-timecond.patch (Closes: #705783)

curl (7.30.0-1) unstable; urgency=low

   * New upstream release
   * Update upstream copyright years
   * Drop patches merged upstream:
     - 08_NULL-pointer-dereference-on-close.patch
     - 09_CVE-213-1944.patch
     - 10_test1218-another-cookie-tailmatch-test.patch
   * Update patches:
     - 03_keep_symbols_compat.patch
     - 90_gnutls.patch
     - 99_nss.patch
   * Add libcurl4-doc package:
     - Move *.pdf and *.html files to the libcurl4-doc package
     - Add Suggests for -doc package to -dev packages
     - Move examples to the -doc package
   * Add Build-Depends on python which is used by some tests

curl (7.29.0-2.1) unstable; urgency=high

   * Non-maintainer upload.
 
   [ Alessandro Ghedini ]
   * Do not compress *.pdf files (Closes: #704093)
 
   [ Salvatore Bonaccorso ]
   * Add 09_CVE-213-1944.patch.
     Fix CVE-2013-1944: fix tailmatching to prevent cross-domain leakage.
     Cookies set for 'example.com' could accidentaly also be sent by libcurl
     to the 'bexample.com' (ie with a prefix to the first domain name).
     (Closes: #705274)
   * Add testcase for CVE-2013-1944.

curl (7.29.0-2) unstable; urgency=low

   * Fix a segfault when closing an unused multi handle (Closes: #701713)
   * Mention LDAPS in packages' long descriptions
   * Clean-up d/rules
     - Switch to short-form dh
     - Enable test suite on hurd and kfreebsd too
     - Enable GSSAPI support on hurd too

curl (7.29.0-1) unstable; urgency=high

   * New upstream release
     - Fix buffer overflow when negotiating SASL DIGEST-MD5 authentication
       as per CVE-2013-0249 (Closes: #700002)
       http://curl.haxx.se/docs/adv_20130206.html
     - Set urgency=high accordingly
   * Install all the examples
   * Update 90_gnutls.patch and 99_nss.patch
   * Refresh patches
   * Correctly pass CPPFLAGS to ./configure
   * Upload to unstable

2012

curl (7.28.1-1) experimental; urgency=low

   * New upstream release
   * Drop 05_fix-git-over-https.patch and 08_fix-git-auth.patch
     (merged upstream)
   * Update 07_do-not-disable-debug-symbols.patch
   * Refresh patches
   * Add NEWS entry about change in CURLOPT_SSL_VERIFYHOST semantics

curl (7.28.0-3) unstable; urgency=low

   * Add 07_do-not-disable-debug-symbols.patch, do not pass --enable-debug
     anymore (Closes: #693110)
   * Update 05_fix-git-over-https.patch to reflect new upstream patch
   * Add 08_fix-git-auth.patch to fix HTTPS authentication (Closes: #690764)

curl (7.28.0-2) unstable; urgency=low

   * Add 05_fix-git-over-https.patch (Closes: #690551)
   * Add 06_always-disable-valgrind.patch (Closes: #690968)

curl (7.28.0-1) unstable; urgency=low

   * New upstream release
     - gnutls: do not fail on non-fatal handshake errors (Closes: #685402)
   * Remove versioned build depends on libssh2 (already in stable)
   * Bump Standards-Version to 3.9.4 (no changes needed)
   * Refresh 01_runtests_gdb.patch
   * Update *.symbols files
   * Build depend on ca-certifcates to avoid test failure

curl (7.27.0-1) unstable; urgency=low

   * New upstream release
   * Update upstream copyright
   * Refresh 01_runtests_gdb.patch, 90_gnutls.patch and 99_nss.patch

curl (7.26.0-1) unstable; urgency=low

   * New upstream release
     - Reject numerical IPv6 addresses outside brackets (Closes: #670126)
   * Email change: Alessandro Ghedini -> ghedo@debian.org
   * Stricter Depends on libcurl3 (Closes: #666089)
   * Remove Ramakrishnan (as per his request), move myself to Maintainer
     Thank you for all your work so far
   * Disable memory tracking, but keep debug enabled
     - Remove memdebug symbols (used by curl only)
   * Refresh 01_runtests_gdb.patch, 90_gnutls.patch and 99_nss.patch
   * Disable not-quite-working symbols hiding

curl (7.25.0-1) unstable; urgency=low

   * New upstream release
     - Add --ssl-allow-beast and CURLOPT_SSL_OPTIONS (Closes: #658276)
     - Allow negative numbers as option value (Closes: #659591)
   * Add libssh2-1-dev to libcurl4-gnutls-dev and libcurl4-nss-dev Depends
   * Bump debhelper compat level to 9
     - Make *.links files executable to simplify rules file
   * Pass --as-needed ld flag to avoid unneeded dependencies
     - Add workaround_as_needed_bug to workaround a libtool bug
     - Drop dont_link_to_krb5 (not needed because of --as-needed)
   * Do some clean-up in debian/rules
   * Update debian/copyright format as in Debian Policy 3.9.3
   * Bump Standards-Version to 3.9.3
   * Explicit Conflicts in -dev packages (fixes binaries-have-file-conflict)
   * Add openssh-server to build depends to enable some more tests
   * Update upstream copyright years
   * Refresh patches

curl (7.24.0-1) unstable; urgency=high

   * New upstream release
     - Improve documentation for the --capath option (Closes: #628697)
     - Fix URL sanitization vulnerability as per CVE-2012-0036
       http://curl.haxx.se/docs/adv_20120124.html
     - Fix SSL CBC IV vulnerability as per CVE-2011-3389
       http://curl.haxx.se/docs/adv_20120124B.html
     - Set urgency=high accordingly
   * Remove curl_links_with_rt patch (curl links to librt anyway)
   * Improve descriptions of -dev and -dbg packages
   * Drop fix_manpage_spelling and versioned patches (merged upstream)
   * Refresh patches
   * Add keep_symbols_compat patch to not break backwards ABI compatibility
   * Enable libssh2 support for GnuTLS and NSS flavours too
     (libssh2 now uses libgcrypt instead of libssl)

2011

curl (7.23.1-3) unstable; urgency=low

   * Enable security hardening flags
   * Remove libdb-dev from B-D (not used)
   * Improve short and  long descriptions
   * Provide proper *.symbols files (Closes: #651619)
   * Do not version Curl_* symbols (for internal use only)
   * Do not override dh_makeshlibs version anymore

curl (7.23.1-2) unstable; urgency=low

   * Bump shlibs version for libcurl3-nss (Closes: #650498)

curl (7.23.1-1) unstable; urgency=low

   * New upstream release
     - Do not use gnutls_priority_set_direct and
       gnutls_certificate_type_set_priority anymore (Closes: #624024)
   * Refresh patches
   * Add --enable-debug flag to configure (Closes: #648902)
   * One Provides/Replaces per line
   * libcurl4-openssl-dev Provides libcurl4-dev too (Closes: #644126)
   * Specify only 3 components for Standards-Version
     (the fourth is not really needed)
   * Move ca-certificates to Recommends in lib* packages (Closes: #546607)
   * Add NSS flavour to versioned symbols

curl (7.22.0-3) unstable; urgency=low

   [ Ramakrishnan Muthukrishnan ]
   * Add new Uploaders, Ian and Alessandro. (Closes: #647255)
 
   [ Luk Claes ]
   * Install lintian overrides with dh_lintian.
   * Install all files with dh_install and get rid of dh_installdirs.
 
   [ Alessandro Ghedini ]
   * New upstream release.
   * Bump debhelper compat level to 8.
   * debian/control:
     - One (Build-)Depends per line.
     - Sort (Build-)Depends.
     - Remove Build-Depends on binutils
       (v2.18 is already in oldstable and it is Build-Essential: yes).
     - Build depends on stunnel4 instead of stunnel
       (stunnel is just a dummy package).
     - Remove duplicate Section field in package curl.
     - Add Luk to Uploaders too, sort names.
   * debian/patches:
     - Update runtests_gdb patch, add DEP3 headers.
     - Update gnutls and nss patches, add DEP3 headers.
     - Refresh other patches.
     - Add DEP3 headers to all the patches.
     - Remove libtool patch (not applied anyway)
     - Set Forwarded: not-needed for Debian specific patches
   * Replace dh_clean -k call with dh_prep
     (dh_clean -k is deprecated since debhelper 7).
   * Add fix_manpage_spelling patch
   * debian/copyright:
     - Switch to DEP5 format
     - Update copyright information
   * Add librtmp-dev to libcurl4-nss-dev too

curl (7.21.7-3) unstable; urgency=low

   * debian/rules: Build only curl and libcurl3 with rtmp support. Rest of the
     packages do not need to be built with rtmp support. (closes: #641173)

curl (7.21.7-2) unstable; urgency=low

   * debian/control: libcurl*-dev packages should depend on librtmp-dev.
     (closes: #640260)
   * debian/rules: add build-arch and build-indep targets.

curl (7.21.7-1) unstable; urgency=low

   * New Upstream release which fixes the following bugs.
     - libcurl3-gnutls: HTTPS over HTTP still broken in
       Git (closes: #627335)
     - git-core: gnutls_handshake() fail when using
       https:// over a proxy (closes: #559371)
   * debian/control: capitalize 'ftp'. (closes: #587338)
   * debian/rules: add build-arch and build-indep targets.

curl (7.21.6-3) unstable; urgency=low

   * Apply the Multiarch patch from Steve Langasek.
     (closes: #631946)

curl (7.21.6-2) unstable; urgency=high

   * Fix for the inappropriate GSSAPI delegation vulnerability (CVE-2011-2192).
     (closes: #631615)

curl (7.21.6-1) unstable; urgency=low

   * New upstream release to fix a HTTPS over a HTTP proxy bug on 7.21.5.

curl (7.21.5-1) unstable; urgency=low

   * New Upstream version. (closes: #623459)
   * debian/patches/{sslv2_disable, error_code}: removed as these
     patches were backported earlier from new upstream and this
     release incorporates them.

curl (7.21.4-2) unstable; urgency=low

   * debian/patches/{sslv2-disable, series}: Apply the
     upstream commit c66b0b32fba175d5f096c944d8ec8f9f06299f4a.
     (closes: #622016)
   * debian/{rules, control}: enable rtmp. (closes: #622328)
   * debian/control: removing hurd from dependencies. Hurd is
     an 'essential' package.

curl (7.21.4-1) unstable; urgency=low

   * New upstream release.
   * debian/control: downgraded the version number of libdb-dev required
     to 4.6 from 4.7, based on the inputs from Erik Schanze <schanzi_@gmx.de>.

2010

curl (7.21.3-1) unstable; urgency=low

   * New upstream release.
   * debian/*.manpages: adding all manpages for the curl library.
     (closes: #605651)
   * gnutls->handshake: improved timeout handling. See #594150 for details.

curl (7.21.2-4) unstable; urgency=low

   * support for curl library built against nss.
     (closes: #606244)
   * honour DEB_BUILD_OPTIONS=nocheck option.
     (closes: #606059)

curl (7.21.2-3) unstable; urgency=low

   * debian/rules: reverting changes related to c-ares inclusion.
   * debian/control: removing libc-ares-dev for now.
     (closes: #605558)

curl (7.21.2-2) unstable; urgency=low

   * debian/control: add libc-ares-dev as build dependency.
   * debian/rules: invoke configure with --enable-ares.
     (closes: #570436)
   * debian/copyright: add copyright notice of `lib/security.c'
     to the copyright file. (closes: #603712)

curl (7.21.2-1) unstable; urgency=low

   * New upstream release.

curl (7.21.1-1) unstable; urgency=low

   * New upstream release.

curl (7.21.0-1) unstable; urgency=low

   * New upstream.

curl (7.20.1-2) unstable; urgency=low

   * debian/rules: Removed the custom LDFLAGS variable. This is not
     required as we are no longer using the libtool patch.
     (closes: #578774)

curl (7.20.1-1) unstable; urgency=low

   * New upstream release.
   * debian/patches/missing-double-quote: No longer needed as it has been
     fixed by the upstream.
   * debian/patches/no_com_err: Reworked the patches for the new release.
   * debian/patches/versioned: fix for build failure of 'make test'.
     (closes: #576237)
   * debian/rules: removed --enable-ldaps option from the configure as LDAP
     SSL (Novell extensions to openldap) is not available as Debian packages.
   * lib/http.c: chunked-encoding with Content-Length header problem has
     been fixed in the upstream. (closes: #572276)

curl (7.20.0-3) unstable; urgency=low

   * debian/control: Vcs* tags added.
   * docs/libcurl/libcurl.m4: added the missing double quote (closes: #576518).

curl (7.20.0-2) unstable; urgency=low

   * New Maintainer (closes: #574137).
   * Bug #533669 (curl segmentation fault in addbyter()) is fixed
     from release 7.19.7 onwards (closes: #533669).
   * Bug #510559 (curl sends whitespace unencoded in the url) can't
     be reproduced in the 7.20.0 release (closes: #510559).

curl (7.20.0-1) unstable; urgency=low

   * Package is orphaned.
   * New upstream release.
   * Switch to dpkg-source 3.0 (quilt) format (closes: #538547).
   * Fixed build error with binutils-gold (closes: #554296).

2009

curl (7.19.7-1) unstable; urgency=low

   * New upstream release:
     - curl_getdate(3) now correctly manages single letter military
       timezones as specified in RFC 822 (closes: #551461).
   * build depends on generic libdb-dev (closes: #548476).
   * build depends on libssh2-1-dev (>= 1.2) to enable new curl options.

curl (7.19.5-1) unstable; urgency=low

   * New upstream release
   * Fix "libcurl3-gnutls has memory corruption" by upgrading to new upstream
     release, which fixes this bug (Closes: #530131)
   * update standards version to 3.8.1
   * adjust overrides from libdevel to debug for -dbg package
   * adjust doc-base section

curl (7.19.4-1) unstable; urgency=low

   * New upstream release
   * Fix "newer bdb version" <explain what you changed and why>
     (Closes: #517277)
   * resolve libtool version confusion, thanks to
     Stefanos Harhalakis <v13@v13.gr>
   * add new dependency on libgcrypt11-dev due to newly arising binary symbols

curl (7.18.2-8lenny1) stable-security; urgency=high

   * Applied upstream patch to fix arbitrary file access (CVE-2009-0037).

2008

curl (7.18.2-8) unstable; urgency=low

   * Fix "Please add support for ldap/ldaps protocols"
     by changing the linker option for liblber (Closes: #506096)

curl (7.18.2-7) unstable; urgency=low

   * disable c-ares support again, no fix yet, just get stuff working again.

curl (7.18.2-6) unstable; urgency=low

   * enable c-ares support, with ipv6 support

curl (7.18.2-5) unstable; urgency=low

   * /usr/lib/pkgconfig/libcurl.pc: "pkg-config --libs libcurl" returns
     "-Wl, -z, defs" (Closes: #488701), closing same bug again for
     curl-config --libs  command

curl (7.18.2-4) unstable; urgency=medium

   * /usr/lib/pkgconfig/libcurl.pc: "pkg-config --libs libcurl" returns
     "-Wl, -z, defs" (Closes: #488701)

curl (7.18.2-3) unstable; urgency=low

   * removing c-ares from the dependencies

curl (7.18.2-2) unstable; urgency=medium

   * blanking the "dependency_libs" line in lib*.la file to keep all the listed libs
     from being linked to other libs linking to curl.
   * fixing miss-linking problem by specifying liblber as a configure argument
   * disabling c-ares again for stability reasons
   * correcting libgssapi linking in configure.ac (patch no_com_err)

curl (7.18.2-1e1) experimental; urgency=low

   * testing c-ares-ipv6 integration patch

curl (7.18.2-1) unstable; urgency=low

   * New upstream release:
     - removed patches/ftp-response, it is already in the upstream release
     - fixed issues with kerberos ftp (closes: #478864).
   * Disable c-ares support, it is still not ready for Debian's wide
     user base (closes: #478864, #481189).
   * Standards-Version bumped to 3.8.0:
     - added support for parallel builds to debian/rules
   * Removal of $QUILT_PC's override makes this package ready for new
     source format 3.0 (quilt) (closes: #485023).
   * Configure build with --with-ca-path but only for OpenSSL flavour,
     GnuTLS supports only --with-ca-bundle (closes: #482814, #483999).
     Both libcurl3 and libcurl3-gnutls now depend on ca-certificates.

curl (7.18.1-1) unstable; urgency=low

   * New upstream release.
   * Fixed crossbuilding bug (closes: #465089).
   * Improved error reporting in case of failing FTP (closes: #474224).
   * Enable c-ares support (closes: #352694).
   * libcurl3-dbg now depends on either libcurl3 or libcurl3-gnutls
     (closes: #463173).

curl (7.18.0-1) unstable; urgency=low

   * New upstream release.
   * Use Homepage field in debian/control.

2007

curl (7.17.1-1) unstable; urgency=low

   * New upstream release:
     - fixed bad use of "its" in curl.1 (closes: #443734)
     - fixed curl_easy_escape() with input bytes that are >= 0x80
       (closes: #445214)

curl (7.17.0-1) unstable; urgency=low

   * New upstream release.
   * Updated to use libssh2-1-dev (closes: #441979, #442198).
   * Do not run the test suite on hurd (closes: #433834).
   * Enabled support for LDAPS protocol.

curl (7.16.4-5) unstable; urgency=low

   * libcurl4-openssl-dev now depends on libssh2-0-dev.
     closes: #439317, #439326.

curl (7.16.4-4) unstable; urgency=low

   * Build libcurl/GnuTLS without libssh2 because of the usual OpenSSL
     vs. GPL software lincense conflict (closes: #439176).

curl (7.16.4-3) unstable; urgency=low

   * Added support for scp and SFTP protocols.

curl (7.16.4-2) unstable; urgency=low

   * Fixed regression with FTP sites not requesting PASS (closes: #435771).

curl (7.16.4-1) unstable; urgency=low

   * New upstream release (closes: #432514).
   * Welcome Andreas to the curl packagers!
   * Build-Depends is now more backporting friendly.

curl (7.16.2-6) unstable; urgency=low

   * Added missing libcurl3 symlinks (closes: #429945)
     Patch courtesy of Bryan Donlan.

curl (7.16.2-5) unstable; urgency=low

   [ Steve Langasek ]
   * Re-introduce curl3 symbol versions and rename the packages back to
     libcurl3*, restoring ABI compatibility with the etch version of the
     package.
 
   [ Domenico Andreoli ]
   * Package libcurl4-gnutls-dev now suggests libcurl3-dbg.
   * libcurl3-dbg replaces/conflict/provide libcurl4-dbg.
   * Properly use ${binary:Version} in control file.

curl (7.16.2-4) unstable; urgency=low

   * Fixed configure.ac in case of build with GNUTLS (closes: #425013).
   * Fixed double-free bug (closes: #424894).
     Patch courtesy of Daniel Stenberg.

curl (7.16.2-3) unstable; urgency=low

   * Updated to db4.5 (closes: #421933).
   * Got rid of unused libcomerr2 dependency (closes: #392294).

curl (7.16.2-2) experimental; urgency=low

   * Improved package descriptions (closes: #410472).
   * Updated package Provides to ease the soname transition.

curl (7.16.2-1) experimental; urgency=low

   * New upstream release.
   * libcurl4-openssl-dev now depends on libcurl4-openssl (closes: #419774).
   * Bumped shlibs version to 7.16.2-1.
   * Patches are now managed with quilt.

curl (7.16.1-1) experimental; urgency=low

   * New upstream release.
   * Bumped shlibs version to 7.16.1-1.
   * Added HIDDEN section to version script to handle any __*, _rest or
     _save* local symbol.
   * Gopher protocol is not supported since 7.15.2. Removed any reference
     in package description (closes: #408704).
   * Moved libcurl/openssl to the new package libcurl4-openssl, now
     libcurl4 contains a version with no SSL or GSSAPI support (any
     future cryptographic stuff will be kept out of there).
   * Package libcurl4-dev now contains the matching headers for libcurl4
     (so crypto stuff).

curl (7.16.0-1) experimental; urgency=low

   * New upstream release.
   * Bumped shlibs version to 7.16.0-1.
   * libcurl4 and libcurl4-gnutls now only recommend ca-certificates
     (closes: #404103).
   * pkg-config .pc file now uses Libs.private (closes: #405226).

2006

curl (7.15.5-1) unstable; urgency=low

   * New upstream release:
     - fixed nodes removal from the splay tree (closes: #375076).
   * Make package build also if $TAPE is set (closes: #377470).
   * Bumped shlibs version to 7.15.5-1.

curl (7.15.4-1ubuntu1) edgy; urgency=low

   * Synchronize to Debian. Only change left: Removal of stunnel and
     libdb4.2-dev build dependencies.

curl (7.15.4-1) unstable; urgency=low

   * New upstream release.
   * Bumped shlibs version to 7.15.4-1.

curl (7.15.3-2) unstable; urgency=low

   * Fixed bug in configure.ac that makes FTBFS (closes: #367954).

curl (7.15.3-1) unstable; urgency=high

   * New upstream release:
     - fixed TFTP packet buffer overflow vulnerability
       [lib/tftp.c, CVE-2006-1061].
     - improved curl_getenv.3 manpage grammar (closes: #357388).

curl (7.15.2-3) unstable; urgency=low

   * Applied upstream patch to fix multi interface and multi-part formposts
     (closes: #355715).
   * Build back with -O2, gcc 4.0.2-10 fixed the previously trigged bug.

curl (7.15.2-2) unstable; urgency=low

   * Added missing autotools invocation. Re-added versioned symbols
     (closes: #355241).
   * Bumped shlibs version to 7.15.2-2.
   * Build with -O3 to work around sospicious segfaults on tests 253
     and 255.

curl (7.15.2-1) unstable; urgency=low

   * New upstream release.
   * Bumped shlibs version to 7.15.2-1.
   * Adopted debhelper's compatibility level 5.

curl (7.15.1-1ubuntu2) dapper; urgency=low

   * SECURITY UPDATE: Arbitrary remote code execution with long tftp:// URLs.
   * lib/tftp.c: Fix unbounded sprintf() to avoid buffer overflow. Thanks to
     Ulf Harnhammar for discovering this.
   * CVE-2006-1061

2005

curl (7.15.1-1ubuntu1) dapper; urgency=low

   * Resynchronise with Debian to get URL parser overflow fix from 7.15.1
     (CVE-2005-4077).

curl (7.15.1-1) unstable; urgency=low

   * New upstream release:
     - fixed buffer overflow in URL parser function (closes: #342339).

curl (7.15.0-5.1) unstable; urgency=high

   * Non-maintainer upload.
   * Urgency high for RC bug fix.
   * Let libcurl3-*-dev depend on libkrb5-dev (closes: #340784, #340916).

curl (7.15.0-5) unstable; urgency=low

   * libcurl3-gnutls-dev and libcurl3-openssl-dev now only recommend
     libkrb5-dev (closes: #334888).
   * Applied upstream patch to fix error message in case FTP-path does
     not exist (closes: #338680).
   * Applied upstream patch to fix parsing of --limit-rate command line
     option (closes: #338681).

curl (7.15.0-4ubuntu1) dapper; urgency=low

   * Resynchronise with Debian (only change left: Removal of stunnel build
     dependency).
   * Remove libdb4.2-dev build dependency.

curl (7.15.0-4) unstable; urgency=low

   * Fixed output of curl-config --vernum (closes: #335296).
   * libcurl3-openssl-dev now replaces libcurl3-dev older than 7.14.1-1
     (closes: #335277).

curl (7.15.0-3) unstable; urgency=low

   * libcurl3 and libcurl3-gnutls now suggest libldap2 (closes: #294407).
 
   * Re-introduced libcurl3-dev package for transition reasons.

curl (7.15.0-2) unstable; urgency=low

   * Fixed depends of libcurl3-*-dev packages (closes: #334021, #333609, #334048).
   * Bumped shlibs version to 7.15.0-1 (closes: #334053).

curl (7.15.0-1) unstable; urgency=low

   * New upstream release:
     - fixed user+domain name buffer overflow in the NTLM code
       (CAN-2005-3185, closes: #333734).
     - libcurl3-*-dev packages now depend on libkrb5-dev (closes: #333609).
     - improved docs about curl_easy_setopt() and ERRORBUFFER (closes: #329313).

curl (7.14.1-5) unstable; urgency=low

   * Added build dependency on libtool (closes: #332729, #333174).

curl (7.14.1-4) unstable; urgency=low

   * Fixed SEE ALSO section in curl_excape.3 (closes: #331505).
   * Fixed configure.ac when --host=i586-mingw32msvc is given (closes: #329444).
   * Added missing example files (closes: #331722).
   * Updated build dependency for OpenSSL 0.9.8 transition.

curl (7.14.1-3) experimental; urgency=low

   * Fixed soname of libcurl-gnutls.so* variant.
   * Fixed broken sentence (closes: #329305).
   * Fixed reference to TheArtOfHttpScripting.gz (closes: #329299).
   * Added clarification about WRITEFUNCTION and WRITEDATA (closes: #329311).

curl (7.14.1-2) experimental; urgency=low

   * Started using the system-wide CA certificate file (closes: #308514).
   * Fixed apostrophe typos in the curl man page (closes: #326511).
   * Only curl_* symbols are now globally visible outside of libcurl.

curl (7.14.1-1) experimental; urgency=low

   * New upstream release.
   * libcurl3-gnutls has a modified soname and may be installed together
     with libcurl3 (closes: #318590).
   * Both libcurl3 and libcurl3-gnutls are built with versioned symbols
     and with support of GSSAPI authentication.
   * Renamed libcurl3-dev to libcurl3-openssl-dev.
   * Dropped package libcurl3-gssapi.

curl (7.14.0-5) unstable; urgency=low

   * Added libcurl3-gnutls and libcurl3-gnutls-dev packages (closes: #318590).
   * libcurl3-gssapi now has its own shlibs file. Packages built with this
     package installed will depend on it.

curl (7.14.0-4) unstable; urgency=low

   * OpenSSL is back (closes: #321294, #321391).

curl (7.14.0-3) unstable; urgency=low

   * Updated the use of dpkg-architecture (closes: #320046).
   * Added missing aclocal file libcurl.m4 to libcurl3-dev (closes: #315848).
   * Added (many) missing man pages (closes: #315850).
   * OpenSSL is replaced by GnuTLS in providing SSL support (closes: #318590).
   * Heimdal is replaced by MIT Kerberos in providing GSSAPI support.

curl (7.14.0-2ubuntu1) breezy; urgency=low

   * Synchronize with Debian.

curl (7.14.0-2) unstable; urgency=low

   * Rebuilt and uploaded to unstable.

curl (7.14.0-1) experimental; urgency=low

   * New upstream release.

curl (7.13.2-3) unstable; urgency=high

   * HTTP response headers with null bytes are now correctly managed
     (closes: #310948).

curl (7.13.2-2) unstable; urgency=low

   * Fixed conditional build of package libcurl3-gssapi
     (closes: #303939, #303953).

curl (7.13.2-1) unstable; urgency=low

   * New upstream release:
     - fixed curl man page typos (closes: #302820).

curl (7.13.1-3) unstable; urgency=low

   * Fixed hanging of some SSL connections (closes: #302366).

curl (7.13.1-2) unstable; urgency=low

   * Rebuilt to get the correct libidn11 dependency (closes: #299348).
   * Added some missing documentation files (closes: #298855).

curl (7.13.1-1) unstable; urgency=low

   * New upstream release.
   * Bumped up shlibs version for libcurl3 because of new curl options.

curl (7.13.0-2) unstable; urgency=high

   * Fixed NTLM Authentication buffer overflow (closes: #296678).
     Patch courtesy of Daniel Stenberg. This handles CAN-2005-0490.
   * Removed libcurl2* packages and all the scary stuff used to build them
     (closes: #274631).

curl (7.13.0-1) unstable; urgency=low

   * New upstream release.
   * libcurl3 now suggests package libldap2-dev to enable support for
     LDAP protocol.
   * Bumped up shlibs version for libcurl3 because of new curl options.

curl (7.12.3-2ubuntu3) hoary; urgency=low

   * Fix the version numbers internal to debian/rules.  Closes; #8088

2004

curl (7.12.3-2) unstable; urgency=low

   * Disabled test suite on m68k, it stalls.

curl (7.12.3-1) unstable; urgency=low

   * New upstream release:
     - fixed debug tracing to network socket is stderr is closed
       (closes: #278691).
   * Applied patch to fix getpass license problems (closes: #286794).
     Patch courtesy of Daniel Stenberg.
   * Bumped up shlibs version for libcurl3 because of new curl options.

curl (7.12.2-2) unstable; urgency=low

   * libcurl3-dbg package is now built by dh_strip --dbg-package
     (closes: #274710).
   * Added build dependency on libdb4.2-dev.

curl (7.12.2-1) unstable; urgency=low

   * New upstream release.
   * Update diff to 7.11.2.
   * Add debian/watch file.
   * Add myself as a uploader.

curl (7.12.1-1) unstable; urgency=low

   * New upstream release:
     - workaround for ASN1_STRING_to_UTF8 failing if input is already
       UTF-8 encoded (closes: #264711).
   * Bumped up shlibs version for libcurl3 because of the introduction
     of FTP 3rd party transfer support options.

curl (7.12.0.rel-6) unstable; urgency=low

   * In rebuilding the 7.11.2 tree starting from the 7.12.0 one,
     lib/getdate.y is patched before lib/getdate.c (closes: #262597).

curl (7.12.0.rel-5) unstable; urgency=low

   * Tests are performed only if build target and building host are the
     same and are not kfreebsd-gnu or knetbsd-gnu (closes: #261591).
   * On hurd-i386 libcurl3-gssapi is not built.

curl (7.12.0.rel-4) unstable; urgency=low

   * Added build dependency on groff-base to really build the built-in
     manual.
   * libcurl3 now replaces old libcurl2 versions (closes: #255262).

curl (7.12.0.rel-3) unstable; urgency=low

   * Enabled curl's built-in manual.
   * configure script for 7.11.2 is now managed correctly.

curl (7.12.0.rel-2) unstable; urgency=low

   * libcurl2 uses curl-ca-bundle-7.11.2.crt (closes: #255262).
     Yes, it is a hack to not add libcurl-common package right now.

curl (7.12.0.rel-1) experimental; urgency=low

   * Version 7.12.0 is back with proper libcurl3* packages.
   * libcurl2* 7.11.2 packages are still provided (closes: #252879).
   * Enabled again the support for libidn.

curl (7.12.0.is.7.11.2-1) unstable; urgency=low

   * Reverted to version 7.11.2 (closes: #252348).
   * Disabled support for libidn (closes: #252367). This is to leave
     curl in unstable as much similar as possible to the one in testing.

curl (7.12.0-1) unstable; urgency=low

   * New upstream release:
     - fixed minor man page problem (closes: #232928)
     - improved --create-dirs description in curl man page (closes: #251351)
   * Enabled support for libidn.

curl (7.11.2-2) unstable; urgency=low

   * Fixed curl.1 man page (closes: #232928).
     Patch courtesy of Daniel Stenberg, the upstream developer.

curl (7.11.2-1) unstable; urgency=low

   * New upstream release.
   * Bumped up shlibs version because of the introduction of
     CURLOPT_TCP_NODELAY option.

curl (7.11.1-2) unstable; urgency=low

   * Added GSSAPI support to package libcurl2-gssapi (closes: #241553).

curl (7.11.1-1) unstable; urgency=low

   * New upstream release.
   * Bumped up shlibs version because of the introduction of
     CURLOPT_POSTFIELDSIZE_LARGE option.

curl (7.11.0-4) unstable; urgency=low

   * Applied fix from upstream's CVS which adds another CRLF in
     chunked-transfers.

curl (7.11.0-3) unstable; urgency=low

   * "Fixed" build process, now the right file is searched for CA
     certificates (closes: #228182).

curl (7.11.0-2) unstable; urgency=low

   * Test suite is still performed but is not critical for the build
     being successful any more.

curl (7.11.0-1) unstable; urgency=low

   * New upstream release.

curl (7.10.8+7.11.0-pre1-1) unstable; urgency=low

   * New upstream pre-release:
     - proxy+ssl now passes post variables (closes: #222901)
     - various test case problems exposed in #222140 should now be fixed.
   * Bumped up shlibs version because of the introduction of
     CURLOPT_NETRC_FILE and CURLOPT_FTP_SSL options in libcurl.

2003

curl (7.10.8-1) unstable; urgency=low

   * New upstream release:
     - fixed LDAP support (closes: #149609)
     - cleaner environment for testsuite execution (closes: #210253)
     - fixed lib/Makefile.am's use of LDFLAGS (closes: #212086)
     - fixed name clash in curl.h with respect to unistd.h (closes: #213180)
     - fixed typo in curl manpage (closes: #218046).
   * Bumped up shlibs version because of new libcurl options.
   * Added stunnel to the Build-Depends in order to enable SSL test cases.

curl (7.10.7-2) unstable; urgency=low

   * Fixed bug in cache_resolv_response on alpha and ia64 (closes: #207174).
     Patch courtesy of Jurij Smakov.

curl (7.10.7-1) unstable; urgency=low

   * New upstream release.
   * Bumped up shlibs version because of the introduction of CURLOPT_PROXYAUTH
     and CURLOPT_FTP_CREATE_MISSING_DIRS options in libcurl.

curl (7.10.6-3) unstable; urgency=low

   * Applied patch to fix test 60 on ia64.

curl (7.10.6-2) unstable; urgency=low

   * Applied patch from upstream to fix url globbing (closes: #203827).
   * make test is still performed on building debug stuff but errors
     are ignored.

curl (7.10.6-1) unstable; urgency=low

   * New upstream release:
     - added spport for http_proxy env var with name:passwd
       (closes: #193630).
   * make test is invoked after build

curl (7.10.5-1) unstable; urgency=low

   * New upstream release:
     - fixed typo in curl's man page (closes: #189272).
   * New libcurl option CURLOPT_FTP_USE_EPRT has been added, bumped
     up shlibs.

curl (7.10.4-1) unstable; urgency=low

   * New upstream release:
     - now uses new settings properly when re-using an existing connection
       (closes: #185254)
     - curl man page now refers to MANUAL (closes: #178509).
   * Changed section of libcurl2-dev and libcurl2-dbg to libdevel.

curl (7.10.3-3) unstable; urgency=low

   * Rebuilt to link against libssl0.9.7.
   * Improved package descriptions thanks to suggestions provided by
     Filip Van Raemdonck <mechanix@debian.org> (closes: #177995).

curl (7.10.3-2) unstable; urgency=low

   * Development package is now named libcurl2-dev, it provides
     libcurl-dev.  People can now safely make their build dependencies
     and be sure to use the right stuff.
   * New package libcurl2-dbg is provided to help in debugging sessions.

curl (7.10.3-1) unstable; urgency=low

   * New upstream release.
   * It now suggests ca-certificates package.

2002

curl (7.10.2-2) unstable; urgency=low

   * Added AM_MAINTAINER_MODE to configure.in (closes: #170050).

curl (7.10.2-1) unstable; urgency=low

   * New upstream release:
     - fixed segfault on retrieving relative redirects (closes: #165382)
     - fixed a leak of debug output (closes: #167678).
   * Updated config.guess and config.sub (closes: #166153).
   * Added zlib1g-dev to build and libcurl-dev dependencies
     (closes: #169654).
   * Added HTML and PDF versions of all manpages in libcurl-dev package.

curl (7.10.1-1) unstable; urgency=low

   * New upstream release.

curl (7.10-1) unstable; urgency=low

   * New upstream release:
     - new way to use option -x to prevent curl from using any proxy
       server (closes: #161153).

curl (7.9.8-2) unstable; urgency=low

   * Added again libcurl2-ssl to the libcurl2 conflicts.

curl (7.9.8-1) unstable; urgency=low

   * New upstream release.
   * Double flavor of curl to support both non-SSL and SSL is gone.
     Now curl comes only with SSL. Who needs SSL can require curl
     version >= 7.9.8 .

curl (7.9.7-2) unstable; urgency=low

   * Fixed the bashism in debian/rules (closes: #147352).
   * SSL and non-SSL series of curl packages are now built from the
     same source. thanks crypto-in-main! :)

curl (7.9.7-1) unstable; urgency=low

   * New upstream release.

curl (7.9.6-1) unstable; urgency=low

   * New upstream release.
   * libcurl.3 manpage is now installed by libcurl-dev instead of
     libcurl2. Indeed it provides an overview on how to use libcurl in
     C programs.

curl (7.9.5-2) unstable; urgency=low

   * curl-ssl stuff moved from non-US to main.

curl (7.9.5-1) unstable; urgency=low

   * New upstream release (closes: #134608).
   * Added autotools-dev to the build dependencies. config.{guess,sub}
     can now be updated automatically in the build process.

curl (7.9.3-2) unstable; urgency=low

   * Upstream source code has been correctly imported in my CVS
     repository (closes: #130906).

curl (7.9.3-1) unstable; urgency=low

   * New upstream release:
     - fixed wrong assumption on char signedness (closes: #127011)
     - missing header added accordingly (closes: #130401)
   * Fixed a typo in curl description (closes: #124526).

2001

curl (7.9.2-1) unstable; urgency=low

   * New upstream release:
     - two bad timeout matters in libcurl2 are now solved (closes: #118595).

curl (7.9.1-3) unstable; urgency=low

   * Fixed return type of Curl_ftpsendf(...) to CURLcode (closes: #120485).
   * Versions in debian/libcurl2.shlibs have been incremented to
     ">= 7.9.1-1".

curl (7.9.1-2) unstable; urgency=low

   * Reverted to unpatched released 7.9.1 source tree, patch behavior
     was weird.

curl (7.9.1-1) unstable; urgency=low

   * New upstream release.
   * Applied upstream patch #478780 found on sourceforge, fixes libcurl
     which didn't restore SIGALRM handler (closes: #118595).
   * Applied patch for patch #478780 of above, see bug #118595 in BTS.
     Patch courtesy of Enrik Berkhan <Enrik.Berkhan@planb.de>.
   * Build-Depends reduced to what is strictly required for building.
     autoconf, automake and libtool build dependencies are gone.

curl (7.9-1) unstable; urgency=low

   * New upstream release:
     - output of "curl-config --libs" now includes -lcurl.

curl (7.8-3) unstable; urgency=low

   * Added libc6-dev to libcurl2-dev dependencies.
   * Fixed lack of some FD_ZERO(...)s in lib/transfer.c (closes: #105516).

curl (7.8-2) unstable; urgency=low

   * libcurl2.shlibs now includes version numbers. some new symbols have
     been introduced in libcurl 7.8, so program linked against 7.8 cannot
     work with older ones.
   * IPv6 support is now enabled
   * configure.in has been renamed to autoconf.ac to force the use of
     autoconf 2.50

curl (7.8-1) unstable; urgency=low

   * New upstream release.
   * Applied patch for correct shared library versioning of libcurl, curl
     7.8 comes with broken shared library version out of the box.
     Patch provided by upstream developer.

curl (7.7.3-3) unstable; urgency=low

   * Fixed manpages libcurl-dev with required simlinks (closes: 99610).

curl (7.7.3-2) unstable; urgency=low

   * lib/url.c and lib/version.c are now fixed (closes: #97709).
   * install upstream changelog (closes: #97628).

curl (7.7.3-1) unstable; urgency=low

   * New upstream release.
   * Using dh_installman instead dh_installmanpages.
   * Installing libcurl examples with dh_installexamples.
   * Policy 3.5.3.0 compliant.

curl (7.7.2-1) unstable; urgency=low

   * New upstream release.

curl (7.7.1-2) unstable; urgency=low

   * Fixed debian/rules (closes: #78232, #93837).

curl (7.7.1-1) unstable; urgency=low

   * New upstream release.

curl (7.7-1) unstable; urgency=low

   * New upstream release.
   * Fixed formatting errors in curl.1 (closes: #90281).

curl (7.6.1-5) unstable; urgency=low

   * Fixed debian/libcurl1.shlibs in order to solve any problem for those
     packages which should depend on either libcurl1 or libcurl1-ssl.
     I should have done it long time ago.

curl (7.6.1-4) unstable; urgency=low

   * Added versioned Build-Depend for debhelper.

curl (7.6.1-3) unstable; urgency=low

   * Refining the transition to debhelper compatibility 2. I forgot the
     executable in the curl package (closes: #87886).

curl (7.6.1-2) unstable; urgency=low

   * Switched to debhelper compatibility version 2.

curl (7.6.1-1) unstable; urgency=low

   * New upstream release.

curl (7.6-2) unstable; urgency=low

   * Adjusted dependencies in order to let curl-ssl package manage a
     smooth upgrade from potato.

curl (7.6-1) unstable; urgency=low

   * New upstream release.

curl (7.5.2-2) unstable; urgency=low

   * This is a service upload in order to fix dependencies problems arose
     for a ill-formed upload of 7.5.2-1.

curl (7.5.2-1) unstable; urgency=low

   * New upstream release.
   * It needed to be recompiled against the new libc (closes: #80256).

2000

curl (7.5-1) unstable; urgency=low

   * New upstream release.

curl (7.4.2-2) unstable; urgency=low

   * curl replaces curl-ssl. curl is only a frontend for libcurl and is not
     aware of any protocol, libcurl is. so what is really different whether
     ssl is enable or not is only libcurl.
   * curl now depends on (libcurl0 | libcurl0-ssl).
   * The workaround for libtool -rpath parameter is not required, so
     it has been removed from configure.in.
   * Removed "Suggests: " field in control file for libcurl0. It suggested
     to install curl and libcurl-dev too but it really doesn't make sense
     (this change was really applied in -1).

curl (7.4.2-1) unstable; urgency=low

   * New upstream release.

curl (7.2.1-1) unstable; urgency=low

   * New upstream release.

curl (7.1-3) unstable; urgency=low

   * Added "Suggests: " field in control file for libcurl0. Now curl and
     libcurl-dev are suggested upon installation of libcurl0.

curl (7.1-2) unstable; urgency=low

   * Fixed a line that did not install development manpages.

curl (7.1-1) unstable; urgency=low

   * New upstream release.
   * libcurl is now a separate package, it provides shared libraries and
     includes to allow developing for other applications.

curl (6.5.2-4) unstable; urgency=low

   * Some missing build dependencies (autoconf, automake, libtool) added.

curl (6.5.2-3) unstable; urgency=low

   * Due to some policy and technical restrictions, curl's source package
     has been splitted again in two, one for main archive and one for non-US.

curl (6.5.2-2) unstable; urgency=low

   * Added a Build-Depends in order to compile curl-ssl only if
     libssl09-dev is installed.
   * Documentation reflects the new location of curl debian packages
     home page (http://curl-deb.sourceforge.net).
   * Corrected minor spelling errors in README.Debian.

curl (6.5.2-1) unstable; urgency=low

   * New upstream release.
   * Now curl and curl-ssl binary packages are generated from the same
     debian source package.
   * Uploads and downloads are now performed simultaneously (closes: #56627).

curl (6.4-1) unstable; urgency=low

   * New upstream release.

1999

curl (6.3.1-1) unstable; urgency=low

   * New upstream release.

curl (6.2-1) unstable; urgency=low

   * New upstream release.
   * No hack to compile without SSL is required anymore. Fixed by
     upstream maintainer.

curl (6.0-1) unstable; urgency=low

   * New upstream release.

curl (5.11-1.1) unstable; urgency=low

   * Put sources into the right section.

curl (5.11-1) unstable; urgency=low

   * New upstream release.
   * New debian maintainer.

curl (5.9-2) unstable; urgency=low

   * Moved to non-US, and compiled against ssl (closes: #40099).

curl (5.9-1) unstable; urgency=low

   * New upstream release.

curl (5.8-1) unstable; urgency=low

   * Initial Release.