Control: close (Please correct me if this control tag is erroneous or malformatted. I've read that the [close directive is deprecated][0], but since we're not really fixing the bug this seemed the most appropriate.) [0]: https://www.debian.org/Bugs/server-control#close After clarification with upstream, it turns out that this fix is not necessary because the security issue has only been introduced in curl 8.13.0 as reflected in the [updated CVE][1] and [not as previously assumed in 7.31.0][2]. [1]: https://curl.se/docs/CVE-2025-9086.html [2]: https://hackerone.com/reports/3294999#activity-36342698 @Charles: Could you please update the [Debian security tracker][3] with the new information? [3]: https://security-tracker.debian.org/tracker/source-package/curl @Samuel: What is the correct way to revert these changes on the debian/bookworm branch? Do we drop the commits? Or revert them? Thanks for your help! Best, -- Alex # No gods, no masters. # 47A5 9C45 FA69 E651 25ED 0B98 9891 FC5D 3C3C 4426
Attachment:
signature.asc
Description: PGP signature