Your message dated Sat, 11 Aug 2018 13:19:36 +0000
with message-id <>
and subject line Bug#902628: fixed in curl 7.61.0-1
has caused the Debian Bug report #902628,
regarding curl: segfaults with http2 on libcurl 7.60.0
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact

Debian Bug Tracking System
Contact with problems
--- Begin Message ---
Source: curl
Version: 7.60.0-1
Severity: normal
Control: affects -1 src:r-cran-curl
Usertags: breaks

Hi Maintainer

The issue below, detected by autopkgtests, appears to be related to a
known bug in curl.


On 20 May 2018 at 20:11, Paul Gevers <> wrote:
> Dear maintainers,
> [This e-mail is automatically sent. V3.2 (20180518)]
> tl;dr: curl/7.60.0-1 appears to break r-cran-curl/3.2-1 autopkgtest in testing
> see:
> and
> As recently announced [1] Debian is now running autopkgtests in testing
> to check if the migration of a new source package causes regressions. It
> does this with the binary packages of the new version of the source
> package from unstable.
> With a recent upload of curl the autopkgtest of r-cran-curl
> started to fail in testing [2]. This is currently delaying the migration
> of curl version 7.60.0-1 [3].
> This e-mail is meant to trigger prompt direct communication between the
> maintainers of the involved packages as one party has insight in what
> changed and the other party insight in what is being tested. Please
> therefore get in touch with each other with your ideas about what the
> causes of the problem might be, proposed patches, etc. A regression in a
> reverse dependency can be due to one of the following reasons (of course
> not complete):
> * new bug in the candidate package (fix the package)
> * bug in the test case that only gets triggered due to the update (fix
>   the reverse dependency, but see below)
> * out-of-date reference date in the test case that captures a former bug
>   in the candidate package (fix the reverse dependency, but see below)
> * deprecation of functionality that is used in the reverse dependency
>   and/or its test case (discussion needed)
> * regression due to other packages from unstable that are installed to
>   fulfill (versioned) Depends (contact maintainers of those).
> Triaging tips are being collected on the Debian Wiki [4].
> Unfortunately sometimes a regression is only intermittent. Ideally this
> should be fixed, but it may be OK to just have the autopkgtest retried
> (a link is available in the excuses [3]).
> There are cases where it is required to have multiple packages migrate
> together to have the test cases pass, e.g. when there was a bug in a
> regressing test case of a reverse dependency and that got fixed. In that
> case the test cases need to be triggered with both packages from
> unstable (reply to this e-mail and/or contact the ci-team [5]) or just
> wait until the aging time is over (if the fixed reverse dependency
> migrates before that time, the failed test can be retriggered [3]).
> Of course no system is perfect. In case a framework issue is suspected,
> don't hesitate to raise the issue via BTS or to the ci-team [5] (reply to
> me is also fine for initial cross-check).
> To avoid stepping on people's toes, this e-mail does not automatically
> generate a bug in the BTS, but it is highly recommended to forward this
> e-mail there (pseudo-header boilerplate below [6,7]) in case it is
> clear which package should solve this regression.
> It can be appropriate to file an RC bug against the depended-on package,
> if the regression amounts to an RC bug in the depending package, and to
> keep it open while the matter is investigated. That will prevent
> migration of an RC regression.
> If the maintainers of the depending package don't have available effort
> to fix a problem, it is appropriate for the maintainers of the
> depended-on package to consider an NMU of the depending package. Any
> such NMU should take place in accordance with the normal NMU rules.
> Neither of the above steps should be seen as hostile; they are part of
> trying to work together to keep Debian in tip-top shape.
> If you find that you are not able to agree between you about the right
> next steps, bug severities, etc., please try to find a neutral third
> party to help you mediate and/or provide a third opinion. Failing that
> your best bet is probably to post to debian-devel.
> [1]
> [2]
> [3]
> [4]
> [5] #debci on oftc or
> [6] curl has an issue
> ============
> Source: curl
> Version: 7.60.0-1
> Severity: normal or higher
> Control: affects -1 src:r-cran-curl
> User:
> Usertags: breaks
> ============
> [7] r-cran-curl has an issue
> ============
> Source: r-cran-curl
> Version: 3.2-1
> Severity: normal or higher
> Control: affects -1 src:curl
> User:
> Usertags: needs-update
> ============

--- End Message ---
--- Begin Message ---
Source: curl
Source-Version: 7.61.0-1

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Alessandro Ghedini <> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing


Format: 1.8
Date: Sat, 11 Aug 2018 13:32:28 +0100
Source: curl
Binary: curl libcurl4 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl4-doc
Architecture: source
Version: 7.61.0-1
Distribution: unstable
Urgency: medium
Maintainer: Alessandro Ghedini <>
Changed-By: Alessandro Ghedini <>
 curl       - command line tool for transferring data with URL syntax
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl4-doc - documentation for libcurl
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS 
 libcurl4-nss-dev - development files and documentation for libcurl (NSS 
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 883174 888449 902628 903546
 curl (7.61.0-1) unstable; urgency=medium
   * New upstream release
     + Fix SMTP send heap buffer overflow as per CVE-2018-0500 (Closes: #903546)
     + Fix some crashes related to HTTP/2 (Closes: #902628)
   * Disable libssh2 on Ubuntu.
     Thanks to Gianfranco Costamagna for the patch (Closes: #888449)
   * Bump Standards-Version to 4.2.0 (no changes needed)
   * Don't configure default CA bundle with OpenSSL and GnuTLS (Closes: #883174)



--- End Message ---
