Package: release.debian.org
Control: affects -1 + src:curl
X-Debbugs-Cc: c...@packages.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock
Severity: normal
Please unblock package curl

[ Reason ]
4 CVE fixes:
  * Add new patches to fix CVEs (closes: #1036239):
    - CVE-2023-28319: UAF in SSH sha256 fingerprint check
    - CVE-2023-28320: siglongjmp race condition
    - CVE-2023-28321: IDN wildcard match
    - CVE-2023-28322: more POST-after-PUT confusion
  * d/libcurl*.symbols: Drop curl_jmpenv, not built anymore due to CVE-2023-28320

[ Impact ]
The highest CVE severity from upstream is "Moderate".

[ Tests ]
Curl has an extensive test suite that's run at build time and on autopkgtest; no regressions were detected.

[ Risks ]
The patches didn't require any changes which would be worrying.
Regarding "curl_jmpenv", there's no package on Debian using that.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Please also shorten the bake time in unstable, if possible (and needed).

unblock curl/7.88.1-10

-- 
Samuel Henrique <samueloph>
curl_7.88.1-10.debdiff