Bug#1036300: Fwd: bullseye-pu: package curl/7.74.0-1.3+deb11u8
- To: Samuel Henrique <samueloph@debian.org>, 1036300@bugs.debian.org
- Subject: Bug#1036300: Fwd: bullseye-pu: package curl/7.74.0-1.3+deb11u8
- From: Jonathan Wiltshire <jmw@debian.org>
- Date: Sun, 25 Jun 2023 18:31:41 +0100
- Message-id: <ZJh5/Q7mqrMPLGo0@powdarrmonkey.net>
- Reply-to: Jonathan Wiltshire <jmw@debian.org>, 1036300@bugs.debian.org
- In-reply-to: <CABwkT9rQFMPKwkN9EtX4ObFBv2irKBMHce-+7=K=a2WLMVrCyA@mail.gmail.com>
- References: <CABwkT9raUcK-rW0kUjZGm4N45dCodSDv3vLh-9i1z12iT9uWBQ@mail.gmail.com> <CABwkT9rQFMPKwkN9EtX4ObFBv2irKBMHce-+7=K=a2WLMVrCyA@mail.gmail.com> <CABwkT9rQFMPKwkN9EtX4ObFBv2irKBMHce-+7=K=a2WLMVrCyA@mail.gmail.com>
Control: tag -1 confirmed
On Fri, May 19, 2023 at 12:11:17AM +0100, Samuel Henrique wrote:
> [ Reason ]
> * Backport upstream patches to fix 5 CVEs:
> - CVE-2023-27533: TELNET option IAC injection
> - CVE-2023-27534: SFTP path ~ resolving discrepancy
> - CVE-2023-27535: FTP too eager connection reuse
> - CVE-2023-27536: GSS delegation too eager connection re-use
> - CVE-2023-27538: SSH connection too eager reuse still
> * d/p/add_Curl_timestrcmp.patch: New patch to backport Curl_timestrcmp(),
> required for CVE-2023-27535.
Please go ahead.
Thanks,
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1