Bug#1086163: bookworm-pu: package curl/7.88.1-10+deb12u8
Control: tags -1 + confirmed
On Sun, 2024-10-27 at 22:06 +0000, aquilamacedo@riseup.net wrote:
> Package: release.debian.org
> Control: affects -1 + src:curl
> X-Debbugs-Cc: curl@packages.debian.org, aquilamacedo@riseup.net,
> samueloph@debian.org
> User: release.debian.org@packages.debian.org
> Usertags: pu
Note that the usertagging here didn't work, so the bug was not
displayed in the SRM section of the release.d.o BTS view.
My guess is that the broken linewrapped X-Debbugs-CC header led to the
"samueloph@debian.org" line being treated as the first line of the
body, and thus the following lines not processed as pseudo-headers.
[...]
> The reason is to fix CVE-2024-8096 [1], which involves improper
> handling of OCSP stapling in curl when using GnuTLS as the TLS
> backend. If the OCSP status returns an error other than "revoked"
> (e.g., "unauthorized"), curl fails to mark the certificate as invalid.
Please go ahead.
Regards,
Adam
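
Added example, not part of the mail above and not curl's or GnuTLS's code: a simplified model of the CVE-2024-8096 behaviour quoted in the request, contrasting a check that rejects only "revoked" with one that accepts only a successful "good" answer. The struct, function names and sample responses are hypothetical and constructed; the status values follow RFC 6960.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* OCSPResponseStatus values from RFC 6960, section 4.2.1 */
enum resp_status { RESP_SUCCESSFUL = 0, RESP_MALFORMED_REQUEST = 1,
                   RESP_INTERNAL_ERROR = 2, RESP_TRY_LATER = 3,
                   RESP_SIG_REQUIRED = 5, RESP_UNAUTHORIZED = 6 };
/* CertStatus choices from RFC 6960 */
enum cert_status { CERT_GOOD, CERT_REVOKED, CERT_UNKNOWN };

/* Hypothetical, simplified view of a stapled OCSP response. */
struct stapled {
  enum resp_status resp;
  bool has_single;        /* a per-certificate answer is present */
  enum cert_status cert;  /* meaningful only when has_single is true */
};

/* Fail-open (the behaviour described for the bug): only "revoked" rejects. */
static bool accept_denylist(const struct stapled *s) {
  return !(s->has_single && s->cert == CERT_REVOKED);
}

/* Fail-closed: only a successful response saying "good" accepts. */
static bool accept_allowlist(const struct stapled *s) {
  return s->resp == RESP_SUCCESSFUL && s->has_single && s->cert == CERT_GOOD;
}

/* Constructed sample responses, not captured from real servers. */
static const struct stapled samples[] = {
  { RESP_SUCCESSFUL,     true,  CERT_GOOD    },
  { RESP_SUCCESSFUL,     true,  CERT_REVOKED },
  { RESP_SUCCESSFUL,     true,  CERT_UNKNOWN },
  { RESP_UNAUTHORIZED,   false, CERT_GOOD    },  /* cert field unused */
  { RESP_TRY_LATER,      false, CERT_GOOD    },  /* cert field unused */
  { RESP_INTERNAL_ERROR, false, CERT_GOOD    },  /* cert field unused */
};
#define NSAMPLES (sizeof samples / sizeof samples[0])

/* Count responses the fail-open check accepts but the fail-closed one rejects. */
static size_t count_wrongly_accepted(void) {
  size_t n = 0;
  for(size_t i = 0; i < NSAMPLES; i++)
    if(accept_denylist(&samples[i]) && !accept_allowlist(&samples[i]))
      n++;
  return n;
}

int main(void) {
  printf("wrongly accepted: %zu of %zu\n", count_wrongly_accepted(), NSAMPLES);
  return 0;
}
```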