[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1036300: marked as done (bullseye-pu: package curl/7.74.0-1.3+deb11u8)

Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id <84bb5ff8312f749ebe536897993782bf35aa1977.camel@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1036300,
regarding bullseye-pu: package curl/7.74.0-1.3+deb11u8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1036300: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036300
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Control: affects -1 + src:curl
X-Debbugs-Cc: curl@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: bullseye
X-Debbugs-Cc: samueloph@debian.org
Severity: normal

[ Reason ]
* Backport upstream patches to fix 5 CVEs:
  - CVE-2023-27533: TELNET option IAC injection
  - CVE-2023-27534: SFTP path ~ resolving discrepancy
  - CVE-2023-27535: FTP too eager connection reuse
  - CVE-2023-27536: GSS delegation too eager connection re-use
  - CVE-2023-27538: SSH connection too eager reuse still
* d/p/add_Curl_timestrcmp.patch: New patch to backport Curl_timestrcmp(),
  required for CVE-2023-27535.

[ Impact ]
None of the vulnerabilities are critical, but they have already been
fixed in buster and we should do the same for bullseye.

[ Tests ]
curl's testsuite didn't spot any regressions.
The same CVEs have also been fixed in buster already.

[ Risks ]
Regressions on TELNET, SFTP, FTP, GSS and SSH functionalities of curl.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Nothing besides the CVE fixes.
The patches were changed to apply cleanly on bullseye, all the changes
can be seen here:
https://salsa.debian.org/debian/curl/-/commit/4adf0d7c4d47610336294d39f84a8360522a5936
https://salsa.debian.org/debian/curl/-/commit/b3dedba95658cea02405af32f0652f83d87f6eac
https://salsa.debian.org/debian/curl/-/commit/6909425ffa87e4c35730ecc2801ef40492239048
https://salsa.debian.org/debian/curl/-/commit/54e6a929643fe14160049ed8d1bda72dd34db9f7
https://salsa.debian.org/debian/curl/-/commit/19c382231a004b45b3096f72fb722f6df5d31902

[ Other info ]
I will be working on the latest CVEs that have been published for curl
but I'll push those fixes in a different upload.


-- 
Samuel Henrique <samueloph>

Attachment: curl_7.74.0-1.3+deb11u8.debdiff
Description: Binary data


--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam

--- End Message ---
Reply to: