Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package curl

The version in sid fixes #922554, which affects several users of NetworkManager, and is marked as important (the patch is backported from upstream). Debdiff is attached.

At the time I uploaded it I expected it to migrate to testing before the freeze, but apparently I did the math wrong.

Anyway an unrelated change adding a couple of entries to the previous upload's changelog was also included (as you can see from the debdiff), hope that's not too much of a problem.

unblock curl/7.64.0-2

-- System Information:
Debian Release: buster/sid
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru curl-7.64.0/debian/changelog curl-7.64.0/debian/changelog
--- curl-7.64.0/debian/changelog 2019-02-06 22:33:05.000000000 +0000
+++ curl-7.64.0/debian/changelog 2019-03-07 20:02:35.000000000 +0000
@@ -1,3 +1,9 @@
+curl (7.64.0-2) unstable; urgency=medium
+
+ * Fix infinite loop when fetching URLs with unreachable IPv6 (Closes: #922554)
+
+ -- Alessandro Ghedini <ghedo@debian.org> Thu, 07 Mar 2019 20:02:35 +0000
+
curl (7.64.0-1) unstable; urgency=medium
* New upstream release
@@ -8,6 +14,8 @@
+ Fix SMTP end-of-response out-of-bounds read as per CVE-2019-3823
https://curl.haxx.se/docs/CVE-2019-3823.html
+ Fix HTTP negotiation with POST requests (Closes: #920267)
+ * Refresh patches
+ * Import fixes for zsh completion script generator (Closes: #92145)
-- Alessandro Ghedini <ghedo@debian.org> Wed, 06 Feb 2019 22:33:05 +0000
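Review bot: the last added line closes #92145, a five-digit bug number, while the other bugs referenced in this debdiff (#922554, #920267) have six digits; please confirm the number is complete and correct it if a digit was dropped. These three lines are also added to the 7.64.0-1 entry, whose trailer is still dated 06 Feb 2019, so it would help to mention the retroactive changelog additions in the 7.64.0-2 entry as well.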
diff -Nru curl-7.64.0/debian/patches/13_singlesocket-fix-the-sincebefore-placement.patch curl-7.64.0/debian/patches/13_singlesocket-fix-the-sincebefore-placement.patch
--- curl-7.64.0/debian/patches/13_singlesocket-fix-the-sincebefore-placement.patch 1970-01-01 01:00:00.000000000 +0100
+++ curl-7.64.0/debian/patches/13_singlesocket-fix-the-sincebefore-placement.patch 2019-03-07 20:02:35.000000000 +0000
@@ -0,0 +1,38 @@
+From afc00e047c773faeaa60a5f86a246cbbeeba5819 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 19 Feb 2019 15:56:54 +0100
+Subject: [PATCH] singlesocket: fix the 'sincebefore' placement
+
+The variable wasn't properly reset within the loop and thus could remain
+set for sockets that hadn't been set before and miss notifying the app.
+
+This is a follow-up to 4c35574 (shipped in curl 7.64.0)
+
+Reported-by: buzo-ffm on github
+Detected-by: Jan Alexander Steffens
+Fixes #3585
+Closes #3589
+---
+ lib/multi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -2360,8 +2360,6 @@
+ int num;
+ unsigned int curraction;
+ int actions[MAX_SOCKSPEREASYHANDLE];
+- unsigned int comboaction;
+- bool sincebefore = FALSE;
+
+ for(i = 0; i< MAX_SOCKSPEREASYHANDLE; i++)
+ socks[i] = CURL_SOCKET_BAD;
+@@ -2380,6 +2378,8 @@
+ i++) {
+ unsigned int action = CURL_POLL_NONE;
+ unsigned int prevaction = 0;
++ unsigned int comboaction;
++ bool sincebefore = FALSE;
+
+ s = socks[i];
+
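Review bot: the header of the new patch file carries only the upstream references (Fixes #3585, Closes #3589) and nothing that ties it to the Debian bug this upload closes; adding DEP-3 fields such as Bug-Debian for #922554 and an Origin line naming upstream commit afc00e047c773faeaa60a5f86a246cbbeeba5819 would make the backport traceable from the patch alone. In the second lib/multi.c hunk, sincebefore is now reset to FALSE on every iteration as the commit message describes, but comboaction is declared there without an initializer and its assignment is not visible in this context, so it is worth confirming against the full loop body that it is written before every read.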
diff -Nru curl-7.64.0/debian/patches/series curl-7.64.0/debian/patches/series
--- curl-7.64.0/debian/patches/series 2019-02-06 22:33:05.000000000 +0000
+++ curl-7.64.0/debian/patches/series 2019-03-07 20:02:35.000000000 +0000
@@ -4,6 +4,7 @@
08_enable-zsh.patch
11_omit-directories-from-config.patch
12_zsh.patch
+13_singlesocket-fix-the-sincebefore-placement.patch
# do not add patches below
90_gnutls.patch