Curl 7.51.0 Released

181 points by emillon over 8 years ago

6 comments

neic over 8 years ago

I see that Ubuntu 16.04 LTS has version 7.47.0 [1]. It's been 9 months, 9 releases and at least 15 CVEs since then. I can also see that some of the CVEs were reported to distros@openwall [2]. I (naively) assumed that once this was reported, the package maintainers would update the packages and push a release at the same time as the original developer made a public statement. Then I could just update my system and be done with it.

Where is the fault in this chain? How can I, as a maintainer of a few servers, be sure my servers are secure without manually patching every package?

[1] http://packages.ubuntu.com/xenial/libcurl3
[2] http://oss-security.openwall.org/wiki/mailing-lists/distros

EDIT: changed "12 CVEs" to "at least 15 CVEs". The changelog doesn't have CVE numbers in the title for all of them.
mitchtbaum over 8 years ago

Those looking from a "reimplement it in Rust" angle may like:

* https://github.com/hyperium/hyper/
* https://github.com/lukaszwawrzyk/rust-wget
* https://github.com/tokio-rs/tokio-curl
fuhrysteve over 8 years ago

Does anyone have an abbreviated explanation of the security vulnerabilities that were addressed here? I recall there was a very ominous post to look out for this release because of some nasty stuff they found.
jamies888888 over 8 years ago

I love cURL. Keep up the good work.
du_bing over 8 years ago

What is the biggest usage of Curl? I am new to Linux, sorry.
kinow over 8 years ago

Change log for this release

Fixed in 7.51.0 - November 2 2016

Changes:

    nss: additional cipher suites are now accepted by CURLOPT_SSL_CIPHER_LIST
    New option: CURLOPT_KEEP_SENDING_ON_ERROR

Bugfixes:

    CVE-2016-8615: cookie injection for other servers
    CVE-2016-8616: case insensitive password comparison
    CVE-2016-8617: OOB write via unchecked multiplication
    CVE-2016-8618: double-free in curl_maprintf
    CVE-2016-8619: double-free in krb5 code
    CVE-2016-8620: glob parser write/read out of bounds
    CVE-2016-8621: curl_getdate read out of bounds
    CVE-2016-8622: URL unescape heap overflow via integer truncation
    CVE-2016-8623: Use-after-free via shared cookies
    CVE-2016-8624: invalid URL parsing with '#'
    CVE-2016-8625: IDNA 2003 makes curl use wrong host
    openssl: fix per-thread memory leak using 1.0.1 or 1.0.2
    http: accept "Transfer-Encoding: chunked" for HTTP/2 as well
    LICENSE-MIXING.md: update with mbedTLS dual licensing
    examples/imap-append: Set size of data to be uploaded
    test2048: fix url
    darwinssl: disable RC4 cipher-suite support
    CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting
    openssl: don't call CRYTPO_cleanup_all_ex_data
    libressl: fix version output
    easy: Reset all statistical session info in curl_easy_reset
    curl_global_cleanup.3: don't unload the lib with sub threads running
    dist: add CurlSymbolHiding.cmake to the tarball
    docs: Remove that --proto is just used for initial retrieval
    configure: Fixed builds with libssh2 in a custom location
    curl.1: --trace supports % for sending to stderr!
    cookies: same domain handling changed to match browser behavior
    formpost: trying to attach a directory no longer crashes
    CURLOPT_DEBUGFUNCTION.3: fixed unused argument warning
    formpost: avoid silent snprintf() truncation
    ftp: fix Curl_ftpsendf
    mprintf: return error on too many arguments
    smb: properly check incoming packet boundaries
    GIT-INFO: remove the Mac 10.1-specific details
    resolve: add error message when resolving using SIGALRM
    cmake: add nghttp2 support
    dist: remove PDF and HTML converted docs from the releases
    configure: disable poll() in macOS builds
    vtls: only re-use session-ids using the same scheme
    pipelining: skip to-be-closed connections when pipelining
    win: fix Universal Windows Platform build
    curl: do not set CURLOPT_SSLENGINE to DEFAULT automatically
    maketgz: make it support "only" generating version info
    Curl_socket_check: add extra check to avoid integer overflow
    gopher: properly return error for poll failures
    curl: set INTERLEAVEDATA too
    polarssl: clear thread array at init
    polarssl: fix unaligned SSL session-id lock
    polarssl: reduce #ifdef madness with a macro
    curl_multi_add_handle: set timeouts in closure handles
    configure: set min version flags for builds on mac
    INSTALL: converted to markdown => INSTALL.md
    curl_multi_remove_handle: fix a double-free
    multi: fix inifinte loop in curl_multi_cleanup()
    nss: fix tight loop in non-blocking TLS handhsake over proxy
    mk-ca-bundle: Change URL retrieval to HTTPS-only by default
    mbedtls: stop using deprecated include file
    docs: fix req->data in multi-uv example
    configure: Fix test syntax for monotonic clock_gettime
    CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2
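Taking neic's question (does a host still carry these CVEs?) and fuhrysteve's (what was actually fixed?) together with the changelog above, the following is an added Python example, not part of the thread and not curl's own tooling. It parses the "Fixed in" block into CVE entries, triages each entry as a memory-safety or logic bug from keywords in its one-line description, and reports which entries an upstream 7.47.0 (the version neic cites for Ubuntu 16.04) would still carry. The changelog excerpt is embedded as constructed input copied from the post; the keyword list and the two bug-class labels are my own heuristic. The version comparison is only a prompt to check the distribution's security advisory, because distros backport fixes without changing the upstream version number.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the curl 7.51.0 changelog quoted in the thread
# (the "Fixed in" header and the CVE lines of the Bugfixes section).
CHANGELOG = """\
Fixed in 7.51.0 - November 2 2016

Bugfixes:

 CVE-2016-8615: cookie injection for other servers
 CVE-2016-8616: case insensitive password comparison
 CVE-2016-8617: OOB write via unchecked multiplication
 CVE-2016-8618: double-free in curl_maprintf
 CVE-2016-8619: double-free in krb5 code
 CVE-2016-8620: glob parser write/read out of bounds
 CVE-2016-8621: curl_getdate read out of bounds
 CVE-2016-8622: URL unescape heap overflow via integer truncation
 CVE-2016-8623: Use-after-free via shared cookies
 CVE-2016-8624: invalid URL parsing with '#'
 CVE-2016-8625: IDNA 2003 makes curl use wrong host
 openssl: fix per-thread memory leak using 1.0.1 or 1.0.2
"""

# Keywords in the one-line descriptions that indicate a memory-safety bug
# (my own heuristic list; anything else is treated as a logic bug).
MEMORY_SAFETY_KEYWORDS = (
    "use-after-free", "double-free", "heap overflow", "out of bounds", "oob ",
)

FIXED_IN_RE = re.compile(r"^Fixed in (\d+\.\d+\.\d+)", re.M)
CVE_LINE_RE = re.compile(r"^\s*(CVE-\d{4}-\d{4,}):\s*(.+?)\s*$", re.M)


@dataclass(frozen=True)
class CveEntry:
    cve: str
    description: str
    bug_class: str


def classify(description: str) -> str:
    """Coarse triage of a changelog line: 'memory-safety' or 'logic'."""
    text = description.lower()
    if any(kw in text for kw in MEMORY_SAFETY_KEYWORDS):
        return "memory-safety"
    return "logic"


def parse_changelog(text: str) -> tuple[str, list[CveEntry]]:
    """Return (fixed-in version, CVE entries) from a curl-style changelog."""
    m = FIXED_IN_RE.search(text)
    if m is None:
        raise ValueError("no 'Fixed in' header found")
    entries = [
        CveEntry(cve, desc, classify(desc))
        for cve, desc in CVE_LINE_RE.findall(text)
    ]
    return m.group(1), entries


def version_tuple(version: str) -> tuple[int, ...]:
    """'7.47.0' -> (7, 47, 0); upstream curl versions are plain dotted ints."""
    return tuple(int(part) for part in version.split("."))


def upstream_lags(installed: str, fixed: str) -> bool:
    """True when the upstream version number is older than the fixing release."""
    return version_tuple(installed) < version_tuple(fixed)


def affected_cves(installed: str, changelog: str) -> list[str]:
    """CVE ids a host running this *upstream* version would still carry.

    Caveat: distributions backport fixes without bumping the upstream
    version, so a lagging number is a prompt to read the distro's own
    security advisory and package changelog, not proof of exposure.
    """
    fixed, entries = parse_changelog(changelog)
    if not upstream_lags(installed, fixed):
        return []
    return [e.cve for e in entries]


def summarize(entries: list[CveEntry]) -> dict[str, int]:
    """Count entries per bug class, e.g. {'memory-safety': 7, 'logic': 4}."""
    counts: dict[str, int] = {}
    for e in entries:
        counts[e.bug_class] = counts.get(e.bug_class, 0) + 1
    return counts


if __name__ == "__main__":
    fixed, entries = parse_changelog(CHANGELOG)
    print(f"curl {fixed} fixes {len(entries)} CVEs: {summarize(entries)}")
    # 7.47.0 is the upstream version neic reports for Ubuntu 16.04 LTS.
    for cve in affected_cves("7.47.0", CHANGELOG):
        print(" ", cve)
```

Run as a script it prints the class breakdown (7 memory-safety, 4 logic for this release) and the 11 ids that an unpatched upstream 7.47.0 would still be missing; point `parse_changelog` at a later "Fixed in" block and it works for any release whose changelog keeps the same layout.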