Control: affects -1 + src:curl
Usertags: unblock
Severity: normal

Please unblock package curl

I would like to push the fix for the recent 6 CVEs disclosed:
- CVE-2023-27533: TELNET option IAC injection
- CVE-2023-27534: SFTP path ~ resolving discrepancy
- CVE-2023-27535: FTP too eager connection reuse
- CVE-2023-27536: GSS delegation too eager connection re-use
- CVE-2023-27537: HSTS double-free
- CVE-2023-27538: SSH connection too eager reuse still

I have also prepared the fixes for stable and oldstable and will be
requesting a p-u upload for them shortly (already pushed the commits
to the repo).

I would also appreciate it if the wait time for the migration could be
cut short due to the nature of the changes (low risk and the sooner
they get to testing the better).

[ Reason ]
CVE fixes, the security team said no DSAs will be assigned to them.

[ Impact ]
The highest severity of the CVEs is moderate as per upstream, the
security team considered all of them low (thus no DSA).

[ Tests ]
Curl's test suite passed (the build succeeded on all archs).

[ Risks ]
Only minimal changes were required in order to backport CVE-2023-27533.
There has been no bugfixes related to these CVE fixes in 8.0.1.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

Other small changes in the debdiff are:
Bump Standards-Version to 4.6.2
d/p/06_always-disable-valgrind.patch: Remove unused patch
d/patches: Refresh all patches

None of these three changes modifies the resulting binaries.

I am planning to push 7.88.1-8 after 7.88.1-7 migrates and I will be
requesting an unblock for that revision as well, I figured it's better
to not bundle the changes together to make the review easier and to
let the CVE fixes get to testing sooner.

The changes for -8 will be:
1) Inclusion of autopkgtests.
2) Inclusion of new build profiles to limit the builds to certain TLS
backends (to be used by manual tests or autopkgtests only).
3) And possibly a fix for the multi-arch issue #913995 (the lintian
error that the package has).

I would also like to ask the release team to consider unblocking curl'
s latest release 8.0.1 due to the delta consisting of mostly bugfixes
(biggest change is removal of support for systems that don't have 64
bit data types).
Being able to ship 8.0.1 will make maintenance easier on the long term
(stable, oldstable...). But I want to first get these CVE fixes and
the autopkgtests (coming in rev 8) in testing before asking for
8.0.1's unblock.

PS.: I've made a typo in the changelog entry where I mention "5 CVEs"
rather than 6, but it's fine since all of the 6 CVEs are listed

unblock curl/7.88.1-7

Samuel Henrique <samueloph>

Attachment: curl_7.88.1-7.debdiff
Description: Binary data

Reply via email to