Your message dated Fri, 22 Dec 2023 09:49:22 -0300
with message-id <rs5enpezgoo7bmxtjjfwv6su4hvs32vvnj7ayasusjl5hwsh5i@dbpo5ej2yfnl>
and subject line curl bookworm-pu and bullseye-pu
has caused the Debian Bug report #1053998,
regarding bookworm-pu: package curl/7.88.1-10+deb12u5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1053998: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053998
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package curl/7.88.1-10+deb12u5
- From: Samuel Henrique <samueloph@debian.org>
- Date: Sun, 15 Oct 2023 16:22:11 +0100
- Message-id: <CABwkT9r4kEzw27-hRBy=Qixxidp5Dexu8MNyzcPfS7DhNybE5A@mail.gmail.com>
Package: release.debian.org
Control: affects -1 + src:curl
X-Debbugs-Cc: curl@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: bookworm
X-Debbugs-Cc: samueloph@debian.org
Severity: normal

[ Reason ]
This change provides DEB_VERSION on "--version" output.

It's common for curl users to provide the output of "curl --version" when
reporting issues, and there have been cases where having the version of the
package in that output would have saved time (e.g.: if we don't know which
distro the person is using and/or whether the package is up-to-date).

Recently, on a Twitter thread, someone was assuming that a server was not
patched for "CVE-2023-38545" because they only saw the upstream version.

With this change, the "Release-Date" line of the output will change from e.g.:

Release-Date: 2020-12-09

to:

Release-Date: 2020-12-09, security patched: 7.88.1-10+deb12u4

[ Impact ]
// Explained in the "Reason" section.

[ Tests ]
Curl has an extensive test suite and no failures were detected.

[ Risks ]
The only affected code is a single "printf" statement, which is changed to
include the version:
https://github.com/curl/curl/blob/curl-7_88_1/src/tool_help.c#L171-L176

There's a risk that scripts parsing the "Release-Date:" line from "--version"
might fail to parse the date if the regex is badly written. I think it's very
unlikely that there are scripts parsing that line of the output. Assuming
there is one, and that it's using a bad regex, the risk is that it will match
more than just the release date.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
d/rules is now importing "/usr/share/dpkg/pkg-info.mk" and setting
"CURL_PATCHSTAMP" to the value of "DEB_VERSION". Effectively, this only
changes the output of "curl --version" (on the "Release-Date" line).

[ Other info ]
I'm opening -pu bugs against bullseye, bookworm, and I'll check with the LTS
team if they accept this change for buster.

--
Samuel Henrique <samueloph>

Attachment: curl_7.88.1-10+deb12u5.debdiff
Description: Binary data
--- End Message ---
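The [ Risks ] section of the request above notes that a script parsing the "Release-Date:" line with a sloppy regex will capture more than the date once the ", security patched: <version>" suffix appears. The following is an added example, not code from the bug report or from the curl or Debian projects, showing a naive pattern that breaks in exactly that way next to an anchored parser that handles both the old and the new line format and exposes the distro package version separately. The two sample "curl --version" outputs are constructed here to mirror the formats quoted in the request (the version strings, TLS backend and feature list are illustrative, not captured from a real host), and the function names are this example's own.

```python
import re
from typing import Optional

# Constructed sample outputs modelled on the formats in the -pu request above.
# Not captured from a real system; only the two "Release-Date:" shapes matter.
OLD_STYLE = """curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.11 zlib/1.2.13
Release-Date: 2023-02-20
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HTTPS-proxy IPv6 SSL
"""

NEW_STYLE = """curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.11 zlib/1.2.13
Release-Date: 2023-02-20, security patched: 7.88.1-10+deb12u5
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HTTPS-proxy IPv6 SSL
"""

# The kind of pattern the [ Risks ] section worries about: a greedy ".*"
# swallows the whole rest of the line, so on a patched build the "date"
# comes back as "2023-02-20, security patched: 7.88.1-10+deb12u5".
NAIVE_DATE_RE = re.compile(r"^Release-Date: (.*)$", re.MULTILINE)

# Anchored pattern: the date is exactly YYYY-MM-DD, and the optional
# ", security patched: <version>" suffix is captured as its own group,
# so the same regex accepts both upstream and distro-patched builds.
RELEASE_LINE_RE = re.compile(
    r"^Release-Date: (?P<date>\d{4}-\d{2}-\d{2})"
    r"(?:, security patched: (?P<pkgver>\S+))?\s*$",
    re.MULTILINE,
)

# First line: "curl <upstream version> (<triplet>) ..."
FIRST_LINE_RE = re.compile(r"^curl (?P<upstream>\S+) ")


def naive_release_date(output: str) -> Optional[str]:
    """The badly written parser: returns whatever follows 'Release-Date: '."""
    m = NAIVE_DATE_RE.search(output)
    return m.group(1) if m else None


def parse_curl_version(output: str) -> dict:
    """Parse `curl --version` text into upstream version, release date and,
    when the build carries a patch stamp, the distro package version.

    package_version is None for plain upstream builds, which is the signal
    that the upstream version number is all you know about the binary.
    """
    first = FIRST_LINE_RE.match(output)
    rel = RELEASE_LINE_RE.search(output)
    if first is None or rel is None:
        raise ValueError("unrecognised `curl --version` output")
    return {
        "upstream": first.group("upstream"),
        "release_date": rel.group("date"),
        "package_version": rel.group("pkgver"),
    }


def is_distro_patched_build(output: str) -> bool:
    """True when the binary reports a distro package version, i.e. when the
    upstream version alone must not be used to decide whether a fix is present
    (the mistake the [ Reason ] section describes)."""
    return parse_curl_version(output)["package_version"] is not None


if __name__ == "__main__":
    for label, sample in (("old", OLD_STYLE), ("new", NEW_STYLE)):
        print(label, "naive:", naive_release_date(sample))
        print(label, "parsed:", parse_curl_version(sample))
```

The anchored regex is the safe choice even for scripts that never expect a distro build: on upstream output the optional group simply stays empty, and when a package version is present a script can compare it against the distro's security tracker instead of wrongly concluding from "7.88.1" that a backported fix is missing.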
--- Begin Message ---
- To: 1053998-done@bugs.debian.org, 1053997-done@bugs.debian.org
- Subject: curl bookworm-pu and bullseye-pu
- From: Samuel Henrique <samueloph@debian.org>
- Date: Fri, 22 Dec 2023 09:49:22 -0300
- Message-id: <rs5enpezgoo7bmxtjjfwv6su4hvs32vvnj7ayasusjl5hwsh5i@dbpo5ej2yfnl>
This change is included in the next security update of curl which is
currently staged for publishing.

Regards,

--
Samuel Henrique <samueloph>
--- End Message ---