
Bug#1053998: marked as done (bookworm-pu: package curl/7.88.1-10+deb12u5)



Your message dated Fri, 22 Dec 2023 09:49:22 -0300
with message-id <rs5enpezgoo7bmxtjjfwv6su4hvs32vvnj7ayasusjl5hwsh5i@dbpo5ej2yfnl>
and subject line curl bookworm-pu and bullseye-pu
has caused the Debian Bug report #1053998,
regarding bookworm-pu: package curl/7.88.1-10+deb12u5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1053998: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053998
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:curl
X-Debbugs-Cc: curl@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: bookworm
X-Debbugs-Cc: samueloph@debian.org
Severity: normal
[ Reason ]
This change provides DEB_VERSION on "--version" output.

It's common for curl users to provide the output of "curl --version"
when reporting issues, and there have been cases where having the
version of the package in that output would have saved time (e.g.: if
we don't know which distro the person is using and/or whether the
package is up-to-date).

Recently, on a Twitter thread, someone was assuming that a server was
not patched for "CVE-2023-38545" because they only saw the upstream
version.

With this change, the "Release-Date" line of the output will change from e.g.:
Release-Date: 2020-12-09
to:
Release-Date: 2020-12-09, security patched: 7.88.1-10+deb12u4

[ Impact ]
// Explained in the "Reason" section.

[ Tests ]
Curl has an extensive test suite and no failures were detected.

[ Risks ]
The only affected code is a single "printf" statement, which is
changed to include the version:
https://github.com/curl/curl/blob/curl-7_88_1/src/tool_help.c#L171-L176

There's a risk that scripts parsing the "Release-Date:" line from
"--version" might fail to parse the date if the regex is badly
written.

I think it's very unlikely that there are scripts parsing that line of
the output. Assuming there is one, and that it's using a bad regex,
the risk is that it will match more than just the release date.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
d/rules is now importing "/usr/share/dpkg/pkg-info.mk" and setting
"CURL_PATCHSTAMP" to the value of "DEB_VERSION".

Effectively, this only changes the output of "curl --version" (on the
"Release-Date" line).

[ Other info ]
I'm opening -pu bugs against bullseye, bookworm, and I'll check with
the LTS team if they accept this change for buster.

--
Samuel Henrique <samueloph>

Attachment: curl_7.88.1-10+deb12u5.debdiff
Description: Binary data


--- End Message ---
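The "Risks" section above worries about scripts that scrape the "Release-Date:" line with a loosely written regex. The following added example (not part of the bug report or of curl itself; the sample outputs are constructed, using the date and package version quoted in the report) shows the loose pattern swallowing the new suffix next to a strict pattern that parses both the old and the Debian-patched format:

```python
import re

# Constructed sample outputs of "curl --version" (not captured from a real host).
# The first mirrors the old "Release-Date" line, the second the Debian-patched
# form described in the bug report.
OLD_OUTPUT = """curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1
Release-Date: 2020-12-09
Protocols: file ftp ftps http https
Features: HTTPS SSL
"""
NEW_OUTPUT = OLD_OUTPUT.replace(
    "Release-Date: 2020-12-09",
    "Release-Date: 2020-12-09, security patched: 7.88.1-10+deb12u4",
)

# A loosely written pattern of the kind the report warns about: ".*" takes the
# whole remainder of the line, so on the new format the captured "date" also
# carries the ", security patched: ..." suffix.
LOOSE_RE = re.compile(r"^Release-Date:\s*(.*)$")

# A strict pattern: anchor the date to YYYY-MM-DD and capture the optional
# Debian package version in its own group, so both formats parse cleanly.
STRICT_RE = re.compile(
    r"^Release-Date:\s*(?P<date>\d{4}-\d{2}-\d{2})"
    r"(?:,\s*security patched:\s*(?P<pkg>[\w.+~:-]+))?\s*$"
)


def release_date_loose(output):
    """Return whatever the loose regex captures after 'Release-Date:'."""
    for line in output.splitlines():
        m = LOOSE_RE.match(line)
        if m:
            return m.group(1)
    return None


def release_info(output):
    """Return (release_date, debian_package_version_or_None) from curl --version output."""
    for line in output.splitlines():
        m = STRICT_RE.match(line)
        if m:
            return m.group("date"), m.group("pkg")
    return None


if __name__ == "__main__":
    print(release_date_loose(NEW_OUTPUT))  # the date plus the trailing suffix
    print(release_info(OLD_OUTPUT))        # ('2020-12-09', None)
    print(release_info(NEW_OUTPUT))        # ('2020-12-09', '7.88.1-10+deb12u4')
```

The second group is what lets an inventory or patch-audit script tell a Debian build that carries the security fix apart from a bare upstream version string.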
--- Begin Message ---
This change is included in the next security update of curl which is currently
staged for publishing.

Regards,

-- 
Samuel Henrique <samueloph>

--- End Message ---
