Bug#1086163: bookworm-pu: package curl/7.88.1-10+deb12u8

To: aquilamacedo@riseup.net, 1086163@bugs.debian.org
Cc: samueloph@debian.org
Subject: Bug#1086163: bookworm-pu: package curl/7.88.1-10+deb12u8
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Sat, 02 Nov 2024 11:41:01 +0000
Message-id: <[🔎] 881978d8dc0f904e32668a3ecf9b6925baf961a5.camel@adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 1086163@bugs.debian.org
In-reply-to: <b9e14aa5d0cfc708a9527e246fd0bcda@riseup.net>
References: <b9e14aa5d0cfc708a9527e246fd0bcda@riseup.net> <b9e14aa5d0cfc708a9527e246fd0bcda@riseup.net>

Control: tags -1 + confirmed

On Sun, 2024-10-27 at 22:06 +0000, aquilamacedo@riseup.net wrote:
> Package: release.debian.org
> Control: affects -1 + src:curl
> X-Debbugs-Cc: curl@packages.debian.org, aquilamacedo@riseup.net,
> samueloph@debian.org
> User: release.debian.org@packages.debian.org
> Usertags: pu

Note that the usertagging here didn't work, so the bug was not
displayed in the SRM section of the release.d.o BTS view.

My guess is that the broken linewrapped X-Debbugs-CC header lead to the
"samueloph@debian.org" line being treated as the first line of the
body, and thus the following lines not processed as pseudo-headers.

[...]
> The reason is to fix CVE-2024-8096 [1], which involves improper
> handling
> of OCSP stapling in curl when using GnuTLS as the TLS backend. If the
> OCSP status returns an error other than "revoked" (e.g.,
> "unauthorized"), curl fails to mark the certificate as invalid.

Please go ahead.

Regards,

Adam

Reply to:

Prev by Date: Processed: Re: Bug#1086163: bookworm-pu: package curl/7.88.1-10+deb12u8
Next by Date: Bug#1086151: util-linux 2.38.1-5+deb12u2 flagged for acceptance
Previous by thread: Processed: zfs-linux 2.1.11-1+deb12u1 flagged for acceptance
Next by thread: Processed: Re: Bug#1086163: bookworm-pu: package curl/7.88.1-10+deb12u8
Index(es):
- Date
- Thread