Bug#1033469: unblock: curl/7.88.1-7



Package: release.debian.org
Control: affects -1 + src:curl
X-Debbugs-Cc: curl@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: sergiodj@debian.org, samueloph@debian.org
Severity: normal

Please unblock package curl

I would like to push the fix for the recent 6 CVEs disclosed:
- CVE-2023-27533: TELNET option IAC injection
- CVE-2023-27534: SFTP path ~ resolving discrepancy
- CVE-2023-27535: FTP too eager connection reuse
- CVE-2023-27536: GSS delegation too eager connection re-use
- CVE-2023-27537: HSTS double-free
- CVE-2023-27538: SSH connection too eager reuse still

I have also prepared the fixes for stable and oldstable and will be
requesting a p-u upload for them shortly (already pushed the commits
to the repo).

I would also appreciate it if the wait time for the migration could be
cut short due to the nature of the changes (low risk and the sooner
they get to testing the better).

[ Reason ]
CVE fixes, the security team said no DSAs will be assigned to them.

[ Impact ]
The highest severity of the CVEs is moderate as per upstream, the
security team considered all of them low (thus no DSA).

[ Tests ]
Curl's test suite passed (the build succeeded on all archs).

[ Risks ]
Only minimal changes were required in order to backport CVE-2023-27533.
There have been no bugfixes related to these CVE fixes in 8.0.1.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]

Other small changes in the debdiff are:
Bump Standards-Version to 4.6.2
d/p/06_always-disable-valgrind.patch: Remove unused patch
d/patches: Refresh all patches

None of these three changes modifies the resulting binaries.

I am planning to push 7.88.1-8 after 7.88.1-7 migrates and I will be
requesting an unblock for that revision as well, I figured it's better
to not bundle the changes together to make the review easier and to
let the CVE fixes get to testing sooner.

The changes for -8 will be:
1) Inclusion of autopkgtests.
2) Inclusion of new build profiles to limit the builds to certain TLS
backends (to be used by manual tests or autopkgtests only).
3) And possibly a fix for the multi-arch issue #913995 (the lintian
error that the package has).

I would also like to ask the release team to consider unblocking
curl's latest release 8.0.1 due to the delta consisting of mostly bugfixes
(biggest change is removal of support for systems that don't have 64
bit data types).
Being able to ship 8.0.1 will make maintenance easier in the long term
(stable, oldstable...). But I want to first get these CVE fixes and
the autopkgtests (coming in rev 8) in testing before asking for
8.0.1's unblock.

PS.: I've made a typo in the changelog entry where I mention "5 CVEs"
rather than 6, but it's fine since all of the 6 CVEs are listed
anyway.

unblock curl/7.88.1-7

-- 
Samuel Henrique <samueloph>

Attachment: curl_7.88.1-7.debdiff
Description: Binary data

