Your message dated Sat, 08 Apr 2017 21:49:14 +0000
with message-id <[email protected]>
and subject line Bug#857613: fixed in curl 7.52.1-4
has caused the Debian Bug report #857613,
regarding curl: RFC for CONNECT requests not honored
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
857613: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857613
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: curl
Version: 7.52.1-3
Tags: upstream
Severity: important

Using an HTTP proxy with curl that sends Transfer-Encoding or Content-Length
headers will make curl output an error message and close the connection.

According to RFC 7231 section 4.3.6 "A client MUST ignore any Content-Length or
Transfer-Encoding header fields received in a successful response to CONNECT."

This means, even though the server itself is not RFC-compatible, the curl client
must ignore those headers.

The bug was reported to upstream[1] and a patch already exists[2].

 [1]: https://github.com/curl/curl/issues/1317
 [2]: 
https://github.com/curl/curl/commit/ec1d0ed1c14d1b2ed06d8914c19b3df2da575005

-- System Information:
Debian Release: 9.0
 APT prefers testing
 APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages curl depends on:
ii  libc6     2.24-9
ii  libcurl3  7.52.1-3
ii  zlib1g    1:1.2.8.dfsg-5

curl recommends no packages.

curl suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: curl
Source-Version: 7.52.1-4

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <[email protected]> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 08 Apr 2017 21:55:27 +0100
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev 
libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg libcurl4-doc
Architecture: source amd64 all
Version: 7.52.1-4
Distribution: unstable
Urgency: medium
Maintainer: Alessandro Ghedini <[email protected]>
Changed-By: Alessandro Ghedini <[email protected]>
Description:
 curl       - command line tool for transferring data with URL syntax
 libcurl3   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4-doc - documentation for libcurl
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS 
flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS 
flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl 
(OpenSSL flavour)
Closes: 857613 859500
Changes:
 curl (7.52.1-4) unstable; urgency=medium
 .
   * Fix regression in CONNECT response handling (Closes: #857613)
   * Fix buffer read overrun on --write-out as per CVE-2017-7407
     https://curl.haxx.se/docs/adv_20170403.html (Closes: #859500)
Checksums-Sha1:
 306dac59909e53f353f44449818a552aa97cf076 2765 curl_7.52.1-4.dsc
 0f27166a77187a3ecee227aa3566f3a45c3fd705 31092 curl_7.52.1-4.debian.tar.xz
 f5019e6d04f2262f15088f853304832a24a53874 131916 curl-dbgsym_7.52.1-4_amd64.deb
 36359f3e45f541a2c38d76212b188a9cc08d1c9d 10310 curl_7.52.1-4_amd64.buildinfo
 d3394bc1a12e51cb6cde3a01800ae2538eff56e0 227062 curl_7.52.1-4_amd64.deb
 56b75947908ce846798857707982faed602ce85c 5008122 
libcurl3-dbg_7.52.1-4_amd64.deb
 3d14af47272fce9e621cf9baee675817ef92fa2d 288824 
libcurl3-gnutls_7.52.1-4_amd64.deb
 e629d3dd097d6511db806bfce7a71402c06038c5 294210 libcurl3-nss_7.52.1-4_amd64.deb
 e3fd259eab2b987135b94420df91703065be2357 290736 libcurl3_7.52.1-4_amd64.deb
 af10eb75180ffccdb9f953d482944462a1a5c207 827290 libcurl4-doc_7.52.1-4_all.deb
 6cbc1e6d502d917e119248512f5d8db5350df77b 371596 
libcurl4-gnutls-dev_7.52.1-4_amd64.deb
 ef49d75270ab46fc355e47ed8829a8d02176f9f1 377268 
libcurl4-nss-dev_7.52.1-4_amd64.deb
 1eac7789600b79818af1c7b9f0c71d5bf9b10375 373620 
libcurl4-openssl-dev_7.52.1-4_amd64.deb
Checksums-Sha256:
 8093fec132fc9688bc91901c1f8159dd0a70a831f0f29bbd43c17cc25f82c635 2765 
curl_7.52.1-4.dsc
 36ea9f70ac166ec30e5dcfdbc6496faeeec9921be9218fd5f9c2aed16620a612 31092 
curl_7.52.1-4.debian.tar.xz
 956f1e98849058ee2007c2e085700ca75fa3137aa287720606161c13651560ad 131916 
curl-dbgsym_7.52.1-4_amd64.deb
 12350ed87fe530c362dd7d69412d07a7ed915d7bc0446e591de6fdc467107bd2 10310 
curl_7.52.1-4_amd64.buildinfo
 0d4df0016ff5c1e72bedfafd62c4a7f969d3d79ee3a929576b1b0b130f2721fc 227062 
curl_7.52.1-4_amd64.deb
 828db2b4d279252326bcf6f2b9ac74c5322f5d531688b9c175f87e55629ae45e 5008122 
libcurl3-dbg_7.52.1-4_amd64.deb
 301bfb2cc251d1627750493162bb297681eaedbab83e5afbca63ab5372b05466 288824 
libcurl3-gnutls_7.52.1-4_amd64.deb
 91d05f03bb9fee69081f128a94f6382cdcf96035b48cae5847e9b59e7e8f6cd2 294210 
libcurl3-nss_7.52.1-4_amd64.deb
 4ea5bf1d7a611b95e8621bff2f2d546c26e5a97406244349d01410d49b947508 290736 
libcurl3_7.52.1-4_amd64.deb
 f36a9aad15fc9e352797c5741215cce0fbe79f72782f1beee9326ae7c8bcb87e 827290 
libcurl4-doc_7.52.1-4_all.deb
 0d119a038a047ce0ee18f0b41ee91d9c1adac15ead92cdac4bbdc9b9e9b1f5a5 371596 
libcurl4-gnutls-dev_7.52.1-4_amd64.deb
 add720ef38b1069d79ba5ed62daaac3e01660a33f7a9ead37e99938137b73633 377268 
libcurl4-nss-dev_7.52.1-4_amd64.deb
 368ef7a612bd1a228ea9f717ba821964ae566ffd0d793ff632e594f36a3eff46 373620 
libcurl4-openssl-dev_7.52.1-4_amd64.deb
Files:
 8f301e0d04f2f7bb571705d8a1b437fb 2765 web optional curl_7.52.1-4.dsc
 a5ef7944f76f19c62570cd4a390228b3 31092 web optional curl_7.52.1-4.debian.tar.xz
 883b688d937c1ef1d50e4e74dce376e5 131916 debug extra 
curl-dbgsym_7.52.1-4_amd64.deb
 7f5bf44d7e4835fe973979c440498ca4 10310 web optional 
curl_7.52.1-4_amd64.buildinfo
 c5d396f39a877e2467ab9b7b28909d0a 227062 web optional curl_7.52.1-4_amd64.deb
 28c7049c02937908269c59d795ae97ac 5008122 debug extra 
libcurl3-dbg_7.52.1-4_amd64.deb
 c1092d32ff987cb7c1103fb343957e6e 288824 libs optional 
libcurl3-gnutls_7.52.1-4_amd64.deb
 e936a0bfee404974f1171a097d3acec5 294210 libs optional 
libcurl3-nss_7.52.1-4_amd64.deb
 933b62d62b81bb0ed9a268c3b5dc1c49 290736 libs optional 
libcurl3_7.52.1-4_amd64.deb
 62749c932c0ed454417fdb9691624804 827290 doc optional 
libcurl4-doc_7.52.1-4_all.deb
 04171d61d343c469d70ce4c95c7390dd 371596 libdevel optional 
libcurl4-gnutls-dev_7.52.1-4_amd64.deb
 a61c009b5ca4c85c76231a021b9940ca 377268 libdevel optional 
libcurl4-nss-dev_7.52.1-4_amd64.deb
 673c76d2f6d083cfcade6ac30bb7eb93 373620 libdevel optional 
libcurl4-openssl-dev_7.52.1-4_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEBsId305pBx+F583DbwzL4CFiRygFAljpVYkACgkQbwzL4CFi
RyjihQ//a9nUG2LA0pkz1A8Z0YVO6yZ0hIc7YeyKNC3fhFojMo21tAN89TjQpgb5
5ALcaqoMXzndEpkWP1RZIJfNS+OLeS8zaEdwSyRWz16el9sW3wTvXDNjyVAeleYD
45XwRapnN8Br4TzmnH765dWee3PYDgtATjq7EWHdj2xv/7+yBwDibAAZ+GpVY3kG
09XAvo01FhdWQT6y0XQjNKPSGvVDd+VRIDrlWIaDgq31y80IW8jeJ3HJzibp3GPH
4M37rzu0joDpiC1dHHuWxD2/1YF1aNVyinouJra4QgU1zoFS8E2MEsuyWTJxSn8b
Ja5NLyunnXQThkenD3TCF08prix0DdMGNFn3eL2i8A5CgAjlRgS8mX6wZ9JD4aZD
cORvZdmfSD+I8QficnSE1Mv8AFBGfzUKhRDJ6aUChW6x2TLiIvawSHL3ttvbRDiU
s6/NU8iir4za9clutAQ0dcUAEHIv80iLSLokk/Fyyq7m4qbOoD0G0OpmVoZ0wjQE
+6Lnm3VB9KjLpD7CCG1kSS/QDrHLxqd8n2788STBwVd4a2P5ByWgqVEDRj0zuNYl
Re2o/0jeYB4IOwF5TIbnJOc/aMjCAPPdOUQhs7ehlcRCLI0N+80cPUNVDWcfi12t
/rL18j2jY3n/kjA3UpCSPIjq5LpXXzJlrC2UdnpSZ4UAI5Xdzww=
=IVOm
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to