Bug#1098725: Bug#1098397: bookworm-pu: package curl/7.88.1-10+deb12u10

To: Matheus Polkorny <mpolkorny@gmail.com>, 1098397@bugs.debian.org, samueloph <samueloph@debian.org>
Cc: "Dr. Tobias Quathamer" <toddy@debian.org>, 1098725@bugs.debian.org
Subject: Bug#1098725: Bug#1098397: bookworm-pu: package curl/7.88.1-10+deb12u10
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Sat, 08 Mar 2025 22:51:37 +0000
Message-id: <[🔎] d9a9d33c31537ffac050d4708bb9abd718daff7b.camel@adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 1098725@bugs.debian.org
In-reply-to: <174001305398.841844.10335542488929474374.reportbug@polkorny>
References: <174001305398.841844.10335542488929474374.reportbug@polkorny> <ea1da456-4adb-4b92-83bc-ff984a76cfa5@debian.org>

On Wed, 2025-02-19 at 21:57 -0300, Matheus Polkorny wrote:
> The reason is to fix CVE-2024-11053 [1], when both a `.netrc` file
> for credentials and HTTP redirects are used, curl could leak the
> password from the first host to the redirect target in certain cases.

I'm not sure if either of the sets of changes for these bugs caused the
issue, but the new curl upload FTBFS for both the arch:all and amd64
builds, with test failures:

TESTFAIL: These test cases failed: 320 324 

This is quite reproducible - so far 3 times on "all" and 2 on amd64.

Regards,

Adam

Reply to:

Prev by Date: NEW changes in stable-new
Next by Date: Bug#1099533: nmu: rust-mimalloc_0.1.29-1
Previous by thread: Processed: Re: Bug#1099852: transition: icu
Next by thread: dwarfutils: CVE-2024-2002 & mold - guidance?
Index(es):
- Date
- Thread