Your message dated Sat, 16 May 2026 10:23:16 +0000
with message-id <[email protected]>
and subject line Released with 13.5
has caused the Debian Bug report #1130040,
regarding trixie-pu: package curl/8.14.1-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1130040: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130040
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:curl
User: [email protected]
Usertags: pu
[ Reason ]
The curl package version in Debian Trixie is affected by the CVE:
https://security-tracker.debian.org/tracker/CVE-2025-13034
The updated version contains the patch, backported from upstream.
[ Impact ]
If not approved, installations on Trixie will stay vulnerable to
the exploit CVE-2025-13034: Under certain conditions, skips
certificate checks. More info on the link below.
https://curl.se/docs/CVE-2025-13034.html
[ Tests ]
All upstream tests are run as part of the autopkgtest suite and
have passed.
[ Risks ]
Errors in backporting the patch such that it introduces regressions
or doesn't close the vulnerability were not caught by upstream
tests.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* The backport patch removes the condition for checking the
certificate, thus always checking its validity.
[ Other info ]
The issue has been fixed in version 8.18, but a patch to the
8.14 version is yet to be applied on Debian (Bookworm and older
versions are not affected).
The link for the merge request that contains the patch is:
https://salsa.debian.org/debian/curl/-/commit/6a85f51f6458a95750816604a0c7887b6cf62b41
diff -Nru curl-8.14.1/debian/changelog curl-8.14.1/debian/changelog
--- curl-8.14.1/debian/changelog 2025-11-09 11:49:56.000000000 -0300
+++ curl-8.14.1/debian/changelog 2026-01-29 23:20:09.000000000 -0300
@@ -1,3 +1,10 @@
+curl (8.14.1-2+deb13u3) UNRELEASED; urgency=medium
+
+ * Team upload.
+ * d/p/CVE-2025-13034.patch: cherry-pick from upstream
+
+ -- Matheus Souza Zanzin <[email protected]> Thu, 29 Jan 2026 23:20:09
-0300
+
curl (8.14.1-2+deb13u2) trixie; urgency=medium
* d/p/wcurl-CVE-2025-11563.patch: Pull upstream changes to actually fix
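Review bot: the new changelog entry's distribution field reads UNRELEASED (`curl (8.14.1-2+deb13u3) UNRELEASED; urgency=medium`), but a trixie-pu upload needs the target suite there; change it to `trixie` before building, as the previous entry (`curl (8.14.1-2+deb13u2) trixie; urgency=medium`) does. The entry also gives no hint of what the patch fixes beyond the CVE id in the file name; appending a short description taken from the patch header, e.g. `* d/p/CVE-2025-13034.patch: cherry-pick from upstream (CVE-2025-13034: pinned public key check skipped with QUIC/ngtcp2 on GnuTLS when verification is disabled)`, makes the entry readable on its own and easier to match against the advisory.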
diff -Nru curl-8.14.1/debian/patches/CVE-2025-13034.patch
curl-8.14.1/debian/patches/CVE-2025-13034.patch
--- curl-8.14.1/debian/patches/CVE-2025-13034.patch 1969-12-31
21:00:00.000000000 -0300
+++ curl-8.14.1/debian/patches/CVE-2025-13034.patch 2026-01-29
23:20:09.000000000 -0300
@@ -0,0 +1,45 @@
+From: Daniel Stenberg <[email protected]>
+Date: Fri, 14 Nov 2025 16:42:23 +0100
+Subject: [PATCH] vquic-tls/gnutls: call Curl_gtls_verifyserver unconditionally
+
+Closes #19531
+
+[PATCH] When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or
`--pinnedpubkey`
+with the curl tool, curl should check the public key of the server certificate
to
+verify the peer. This check was skipped in a certain condition that would then
make
+curl allow the connection without performing the proper check, thus not
noticing a
+possible impostor. To skip this check, the connection had to be done with QUIC
with
+ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard
+certificate verification.
+
+Backported-by: Matheus Souza Zanzin <[email protected]>
+ * removes host verification so that it always verifies.
+Origin: backport,
https://github.com/curl/curl/commit/3d91ca8cdb3b434226e743946d428b4dd3acf2c9
+Last-Update: 2026-01-29
+---
+ lib/vquic/vquic-tls.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/lib/vquic/vquic-tls.c b/lib/vquic/vquic-tls.c
+index 2a5be13..b8b0e6b 100644
+--- a/lib/vquic/vquic-tls.c
++++ b/lib/vquic/vquic-tls.c
+@@ -169,13 +169,11 @@ CURLcode Curl_vquic_tls_verify_peer(struct curl_tls_ctx
*ctx,
+ (void)conn_config;
+ result = Curl_oss_check_peer_cert(cf, data, &ctx->ossl, peer);
+ #elif defined(USE_GNUTLS)
+- if(conn_config->verifyhost) {
+- result = Curl_gtls_verifyserver(data, ctx->gtls.session,
+- conn_config, &data->set.ssl, peer,
+-
data->set.str[STRING_SSL_PINNEDPUBLICKEY]);
+- if(result)
+- return result;
+- }
++ result = Curl_gtls_verifyserver(data, ctx->gtls.session,
++ conn_config, &data->set.ssl, peer,
++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]);
++ if(result)
++ return result;
+ #elif defined(USE_WOLFSSL)
+ (void)data;
+ if(conn_config->verifyhost) {
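Review bot: the Backported-by note line `+ * removes host verification so that it always verifies.` states the opposite of what the hunk does and should be reworded. The change removes the `if(conn_config->verifyhost)` guard around the `Curl_gtls_verifyserver` call, so that call, and with it the `STRING_SSL_PINNEDPUBLICKEY` check it is handed, now runs regardless of the verifyhost setting; host verification itself is not removed. Something like `* drops the verifyhost condition so Curl_gtls_verifyserver (and the pinned public key check) is always called` would be accurate. It would also help a later reader to note in the header that the `#elif defined(USE_WOLFSSL)` branch visible below keeps its `if(conn_config->verifyhost)` guard on purpose, matching the upstream subject's gnutls-only scope, so the asymmetry is not mistaken for an incomplete backport.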
diff -Nru curl-8.14.1/debian/patches/series curl-8.14.1/debian/patches/series
--- curl-8.14.1/debian/patches/series 2025-11-09 11:49:56.000000000 -0300
+++ curl-8.14.1/debian/patches/series 2026-01-29 23:20:09.000000000 -0300
@@ -16,3 +16,4 @@
wcurl-Fix-example-for-continue-at.patch
# CVE-2025-11563
wcurl-CVE-2025-11563.patch
+CVE-2025-13034.patch
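Review bot: for consistency with the entry directly above (`# CVE-2025-11563` followed by `wcurl-CVE-2025-11563.patch`), add a `# CVE-2025-13034` comment line before `+CVE-2025-13034.patch` so the series file keeps one comment per CVE.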
--- End Message ---
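The patch above restores curl's pinned-public-key check on the QUIC/GnuTLS path. What that check compares is a SHA-256 over the DER-encoded SubjectPublicKeyInfo (SPKI) of the server certificate, the value an operator supplies as `--pinnedpubkey sha256//<base64>`. The following Python is an added example, not code from the bug report, from Debian or from curl: it builds a constructed DER blob shaped like an X.509 certificate with placeholder fields (no real certificate or key is embedded), walks the TLV encoding to locate the SPKI, and derives the pin string. The helper names (`tlv`, `read_tlv`, `extract_spki`, `pinnedpubkey_value`, `pin_matches`) and the placeholder OIDs and contents are this example's own assumptions.

```python
"""Derive the value curl's --pinnedpubkey sha256// option pins.

Added example (not from the Debian bug report or from curl). Uses only the
standard library: a minimal DER TLV encoder/decoder, a constructed
certificate-shaped structure with placeholder fields, and the pin
derivation SHA-256(DER SPKI) -> base64.
"""
import base64
import hashlib

SEQUENCE, INTEGER, BIT_STRING, NULL, OID, UTC_TIME = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17
EXPLICIT_0 = 0xA0  # [0] version, present only in v2/v3 certificates


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + body


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV starting at pos; return (tag, body, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


# Constructed placeholder SPKI: ecPublicKey / prime256v1 algorithm ids with a
# dummy 65-byte point. Not a real key; shape only.
SAMPLE_SPKI = tlv(SEQUENCE,
                  tlv(SEQUENCE, tlv(OID, b"\x2a\x86\x48\xce\x3d\x02\x01")
                      + tlv(OID, b"\x2a\x86\x48\xce\x3d\x03\x01\x07"))
                  + tlv(BIT_STRING, b"\x00" + b"\x04" + b"\x11" * 64))


def build_constructed_cert(spki: bytes, with_version: bool) -> bytes:
    """Build a DER blob shaped like Certificate{tbsCertificate, sigAlg, sig}.

    Constructed placeholder for the example: issuer/subject are empty, the
    signature is zeros; it is not a valid signed certificate.
    """
    sig_alg = tlv(SEQUENCE, tlv(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(NULL, b""))
    fields = []
    if with_version:
        fields.append(tlv(EXPLICIT_0, tlv(INTEGER, b"\x02")))          # version v3
    fields += [
        tlv(INTEGER, b"\x01"),                                          # serialNumber
        sig_alg,                                                        # signature algorithm
        tlv(SEQUENCE, b""),                                             # issuer (placeholder)
        tlv(SEQUENCE, tlv(UTC_TIME, b"260101000000Z")
            + tlv(UTC_TIME, b"270101000000Z")),                         # validity
        tlv(SEQUENCE, b""),                                             # subject (placeholder)
        spki,                                                           # subjectPublicKeyInfo
    ]
    tbs = tlv(SEQUENCE, b"".join(fields))                               # > 127 bytes: long-form length
    return tlv(SEQUENCE, tbs + sig_alg + tlv(BIT_STRING, b"\x00" * 17))


def extract_spki(cert_der: bytes) -> bytes:
    """Return the complete DER TLV of subjectPublicKeyInfo from a certificate."""
    tag, cert_body, _ = read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("certificate is not a SEQUENCE")
    tag, tbs, _ = read_tlv(cert_body, 0)
    if tag != SEQUENCE:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == EXPLICIT_0:           # skip the optional [0] version
        pos = nxt
    for _ in range(5):              # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    tag, _, end = read_tlv(tbs, pos)
    if tag != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return tbs[pos:end]


def pinnedpubkey_value(cert_der: bytes) -> str:
    """The string curl expects after --pinnedpubkey: sha256//<base64(SHA-256(SPKI DER))>."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256//" + base64.b64encode(digest).decode("ascii")


def pin_matches(cert_der: bytes, expected_pin: str) -> bool:
    """True when the certificate's SPKI hashes to the operator-supplied pin."""
    return pinnedpubkey_value(cert_der) == expected_pin


if __name__ == "__main__":
    cert = build_constructed_cert(SAMPLE_SPKI, with_version=True)
    print(pinnedpubkey_value(cert))
```

The pin is computed over the whole SPKI TLV (algorithm identifier plus key bits), which is why it survives certificate renewals that keep the key pair and changes when the key changes. The `--pinnedpubkey` check is meaningful precisely when the rest of verification is switched off (`-k`/`--insecure`), which is the configuration the advisory describes as having skipped it on the QUIC/GnuTLS path.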
--- Begin Message ---
Package: release.debian.org
Version: 13.5
This update has been released as part of Debian 13.5.
--- End Message ---