Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id <84bb5ff8312f749ebe536897993782bf35aa1977.camel@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1036300,
regarding bullseye-pu: package curl/7.74.0-1.3+deb11u8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1036300: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036300
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: Fwd: bullseye-pu: package curl/7.74.0-1.3+deb11u8
- From: Samuel Henrique <samueloph@debian.org>
- Date: Fri, 19 May 2023 00:11:17 +0100
- Message-id: <CABwkT9rQFMPKwkN9EtX4ObFBv2irKBMHce-+7=K=a2WLMVrCyA@mail.gmail.com>
- In-reply-to: <CABwkT9raUcK-rW0kUjZGm4N45dCodSDv3vLh-9i1z12iT9uWBQ@mail.gmail.com>
- References: <CABwkT9raUcK-rW0kUjZGm4N45dCodSDv3vLh-9i1z12iT9uWBQ@mail.gmail.com>
Package: release.debian.org
Control: affects -1 + src:curl
X-Debbugs-Cc: curl@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: bullseye
X-Debbugs-Cc: samueloph@debian.org
Severity: normal

[ Reason ]
* Backport upstream patches to fix 5 CVEs:
  - CVE-2023-27533: TELNET option IAC injection
  - CVE-2023-27534: SFTP path ~ resolving discrepancy
  - CVE-2023-27535: FTP too eager connection reuse
  - CVE-2023-27536: GSS delegation too eager connection re-use
  - CVE-2023-27538: SSH connection too eager reuse still
* d/p/add_Curl_timestrcmp.patch: New patch to backport Curl_timestrcmp(),
  required for CVE-2023-27535.

[ Impact ]
None of the vulnerabilities are critical, but they have already been fixed in
buster and we should do the same for bullseye.

[ Tests ]
curl's testsuite didn't spot any regressions. The same CVEs have also been
fixed in buster already.

[ Risks ]
Regressions on TELNET, SFTP, FTP, GSS and SSH functionalities of curl.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Nothing besides the CVE fixes.
The patches were changed to apply cleanly on bullseye, all the changes can be
seen here:
https://salsa.debian.org/debian/curl/-/commit/4adf0d7c4d47610336294d39f84a8360522a5936
https://salsa.debian.org/debian/curl/-/commit/b3dedba95658cea02405af32f0652f83d87f6eac
https://salsa.debian.org/debian/curl/-/commit/6909425ffa87e4c35730ecc2801ef40492239048
https://salsa.debian.org/debian/curl/-/commit/54e6a929643fe14160049ed8d1bda72dd34db9f7
https://salsa.debian.org/debian/curl/-/commit/19c382231a004b45b3096f72fb722f6df5d31902

[ Other info ]
I will be working on the latest CVEs that have been published for curl but
I'll push those fixes in a different upload.

--
Samuel Henrique <samueloph>

Attachment: curl_7.74.0-1.3+deb11u8.debdiff
Description: Binary data
--- End Message ---
--- Begin Message ---
- To: 1007787-done@bugs.debian.org, 1007950-done@bugs.debian.org, 1013893-done@bugs.debian.org, 1028992-done@bugs.debian.org, 1032299-done@bugs.debian.org, 1034510-done@bugs.debian.org, 1034713-done@bugs.debian.org, 1034714-done@bugs.debian.org, 1034736-done@bugs.debian.org, 1035046-done@bugs.debian.org, 1035059-done@bugs.debian.org, 1035105-done@bugs.debian.org, 1035304-done@bugs.debian.org, 1035311-done@bugs.debian.org, 1035464-done@bugs.debian.org, 1035475-done@bugs.debian.org, 1035522-done@bugs.debian.org, 1035683-done@bugs.debian.org, 1035924-done@bugs.debian.org, 1036043-done@bugs.debian.org, 1036044-done@bugs.debian.org, 1036046-done@bugs.debian.org, 1036182-done@bugs.debian.org, 1036240-done@bugs.debian.org, 1036300-done@bugs.debian.org, 1036314-done@bugs.debian.org, 1036797-done@bugs.debian.org, 1036811-done@bugs.debian.org, 1036976-done@bugs.debian.org, 1037054-done@bugs.debian.org, 1037175-done@bugs.debian.org, 1037182-done@bugs.debian.org, 1037187-done@bugs.debian.org, 1037196-done@bugs.debian.org, 1037214-done@bugs.debian.org, 1037236-done@bugs.debian.org, 1038153-done@bugs.debian.org, 1038451-done@bugs.debian.org, 1038813-done@bugs.debian.org, 1038943-done@bugs.debian.org, 1039020-done@bugs.debian.org, 1039040-done@bugs.debian.org, 1039470-done@bugs.debian.org, 1039708-done@bugs.debian.org, 1039738-done@bugs.debian.org, 1039854-done@bugs.debian.org, 1039860-done@bugs.debian.org, 1039994-done@bugs.debian.org, 1040137-done@bugs.debian.org, 1040668-done@bugs.debian.org, 1040677-done@bugs.debian.org, 1040758-done@bugs.debian.org, 1040865-done@bugs.debian.org, 1040930-done@bugs.debian.org, 1040950-done@bugs.debian.org, 1041397-done@bugs.debian.org, 1041475-done@bugs.debian.org, 1042057-done@bugs.debian.org, 1043270-done@bugs.debian.org, 1049374-done@bugs.debian.org, 1050044-done@bugs.debian.org, 1050119-done@bugs.debian.org, 1050121-done@bugs.debian.org, 1050332-done@bugs.debian.org, 1050333-done@bugs.debian.org, 1050538-done@bugs.debian.org, 
1050573-done@bugs.debian.org, 1050638-done@bugs.debian.org, 1051051-done@bugs.debian.org, 1051339-done@bugs.debian.org, 1051508-done@bugs.debian.org, 1051884-done@bugs.debian.org, 1051902-done@bugs.debian.org, 1051937-done@bugs.debian.org, 1052027-done@bugs.debian.org, 1052082-done@bugs.debian.org, 1052150-done@bugs.debian.org, 1052222-done@bugs.debian.org, 1052288-done@bugs.debian.org, 1052363-done@bugs.debian.org, 1052402-done@bugs.debian.org, 1052420-done@bugs.debian.org, 1052552-done@bugs.debian.org, 1052611-done@bugs.debian.org, 1053177-done@bugs.debian.org, 1053220-done@bugs.debian.org, 1053240-done@bugs.debian.org, 1053270-done@bugs.debian.org, 1053271-done@bugs.debian.org, 1053290-done@bugs.debian.org, 1053522-done@bugs.debian.org
- Subject: Closing opu requests for updates included in 11.8
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 07 Oct 2023 12:41:28 +0100
- Message-id: <84bb5ff8312f749ebe536897993782bf35aa1977.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---