Bug#1036801: unblock: curl/7.88.1-10
Hi Samuel,
[not a member of the release team, but was going through some potential
unblock requests with CVE fixes]
On Fri, May 26, 2023 at 06:03:13PM +0100, Samuel Henrique wrote:
> Package: release.debian.org
> Control: affects -1 + src:curl
> X-Debbugs-Cc: curl@packages.debian.org
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> Severity: normal
>
> Please unblock package curl
>
> [ Reason ]
> 4 CVE fixes:
>
> * Add new patches to fix CVEs (closes: #1036239):
> - CVE-2023-28319: UAF in SSH sha256 fingerprint check
> - CVE-2023-28320: siglongjmp race condition
> - CVE-2023-28321: IDN wildcard match
> - CVE-2023-28322: more POST-after-PUT confusion
> * d/libcurl*.symbols: Drop curl_jmpenv, not built anymore due to
> CVE-2023-28320
>
> [ Impact ]
> The highest CVE severity from upstream is "Moderate".
>
> [ Tests ]
> Curl has an extensive test suite that's run at build time and on
> autopkgtest, no regressions were detected.
>
> [ Risks ]
> The patches didn't require any changes which would be worrying.
> Regarding the "curl_jmpenv", there's no package on Debian using that.
After a short discussion with Paul, wouldn't that imply though that
there is a soname bump needed? Do you know whether upstream has
considered this and, if not, why not? Is there enough assurance nobody
(even outside the Debian world) is using that symbol?
Curl upstream has the following on it https://curl.se/libcurl/abi.html
These are just a couple of questions trying to understand what
potential questions from release team members may come for your unblock
request.
Regards,
Salvatore
p.s.: note it looks like the autopkgtest view for curl was still blocking it
because cwltool has a flaky test (on armel).
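As an added illustration of the ABI question raised in this thread (this is example code written for this page, not code from the thread, from curl, or from Debian's tooling), here is a small checker that parses two Debian .symbols files, reports which exported symbols were dropped or added, and flags the case that normally calls for a SONAME bump: a symbol that was not marked (optional) disappears while the SONAME stays the same. The two symbols-file contents below are constructed samples that only imitate the format, and the curl_sample_* names are hypothetical.

```python
"""Diff two Debian .symbols files and flag ABI-breaking symbol removals.

Example code for this page (not part of curl or dpkg). The deb-symbols(5)
format: an unindented "soname dependency-template" line, optional "|" and
"*" metadata lines, then one indented line per exported symbol of the form
"[(tags)]name@version-node minimal-version [id]".
"""
import re
from typing import Dict, List, NamedTuple, Optional


class Symbol(NamedTuple):
    name: str          # bare symbol name, e.g. "curl_jmpenv"
    version_node: str  # ELF version node after '@', e.g. "CURL_OPENSSL_4"
    min_version: str   # first package version that exported the symbol
    optional: bool     # carried the "(optional)" tag in the symbols file


class SymbolsFile(NamedTuple):
    soname: Optional[str]
    symbols: Dict[str, Symbol]


# Indented symbol line: optional "(tag,tag)" prefix, then name@node minver.
_SYMBOL_RE = re.compile(
    r"^\s+(?:\((?P<tags>[^)]*)\)\s*)?(?P<name>[^@\s]+)@(?P<node>\S+)\s+(?P<minver>\S+)"
)


def parse_symbols(text: str) -> SymbolsFile:
    """Parse the text of a .symbols file into its SONAME and symbol table."""
    soname = None
    symbols: Dict[str, Symbol] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):
            # Unindented: "soname template", "| alternative", or "* Field: value".
            if line[0] not in "|*":
                soname = line.split()[0]
            continue
        m = _SYMBOL_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable symbol line: {line!r}")
        tags = m.group("tags") or ""
        sym = Symbol(m.group("name"), m.group("node"), m.group("minver"),
                     "optional" in tags.split(","))
        symbols[sym.name] = sym
    return SymbolsFile(soname, symbols)


def diff_symbols(old: SymbolsFile, new: SymbolsFile) -> Dict[str, List[str]]:
    """Return the symbol names added and dropped between two symbols files."""
    old_names, new_names = set(old.symbols), set(new.symbols)
    return {
        "added": sorted(new_names - old_names),
        "dropped": sorted(old_names - new_names),
    }


def needs_soname_bump(old: SymbolsFile, new: SymbolsFile) -> bool:
    """True when a non-optional symbol vanished without the SONAME changing.

    dpkg-gensymbols tolerates the loss of "(optional)" symbols; losing any
    other exported symbol is an ABI break for anything that links to it.
    """
    if old.soname != new.soname:
        return False  # the library already announces a new ABI name
    dropped = [n for n in diff_symbols(old, new)["dropped"]
               if not old.symbols[n].optional]
    return bool(dropped)


# Constructed sample inputs imitating the format; not the real curl files.
SAMPLE_OLD = """\
libcurl.so.4 libcurl4 #MINVER#
* Build-Depends-Package: libcurl4-openssl-dev
 CURL_OPENSSL_4@CURL_OPENSSL_4 7.16.2
 curl_easy_cleanup@CURL_OPENSSL_4 7.16.2
 curl_easy_init@CURL_OPENSSL_4 7.16.2
 curl_jmpenv@CURL_OPENSSL_4 7.16.2
 (optional)curl_sample_optional@CURL_OPENSSL_4 7.16.2
"""

SAMPLE_NEW = """\
libcurl.so.4 libcurl4 #MINVER#
* Build-Depends-Package: libcurl4-openssl-dev
 CURL_OPENSSL_4@CURL_OPENSSL_4 7.16.2
 curl_easy_cleanup@CURL_OPENSSL_4 7.16.2
 curl_easy_init@CURL_OPENSSL_4 7.16.2
 curl_sample_new@CURL_OPENSSL_4 7.88.1
"""


if __name__ == "__main__":
    before, after = parse_symbols(SAMPLE_OLD), parse_symbols(SAMPLE_NEW)
    print(diff_symbols(before, after))
    print("SONAME bump indicated:", needs_soname_bump(before, after))
```

Run against the real old and new d/libcurl4.symbols the same way; a "dropped" entry that is not (optional) is exactly the situation where one has to either show that no consumer references the symbol (e.g. by scanning reverse dependencies' undefined dynamic symbols) or bump the SONAME.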