Re: curl CVE-2025-4947, CVE-2025-5025 probably fixed in trixie/sid

To: Simon McVittie <smcv@collabora.com>
Cc: debian-security-tracker@lists.debian.org
Subject: Re: curl CVE-2025-4947, CVE-2025-5025 probably fixed in trixie/sid
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 12 Jun 2025 06:55:24 +0200
Message-id: <[🔎] aEpdvMYUVSQgTMBv@eldamar.lan>
Mail-followup-to: Simon McVittie <smcv@collabora.com>, debian-security-tracker@lists.debian.org
In-reply-to: <[🔎] aEmqBe6QdcUjWPoL@descent>
References: <[🔎] aEmqBe6QdcUjWPoL@descent>

Hi Simon,

On Wed, Jun 11, 2025 at 05:08:37PM +0100, Simon McVittie wrote:
> Hi,
> While merging updated versions of curl into a Debian derivative I noticed
> that curl in trixie/sid is listed as vulnerable to CVE-2025-4947 and
> CVE-2025-5025, but according to the notes those CVEs are fixed in
> curl-8_14_0, therefore 8.14.1-1 in trixie/sid is probably not vulnerable
> (even if the relevant features are enabled, which I haven't checked).

Thank you, I have updated the metadata on security-tracker.

And correct, they are marked unimportant ad we do not build with
wolfSSL support.

Regards,
Salvatore

Reply to:

References:
- curl CVE-2025-4947, CVE-2025-5025 probably fixed in trixie/sid
  - From: Simon McVittie <smcv@collabora.com>

Prev by Date: Please update courier security tracker information
Next by Date: Re: Please update courier security tracker information
Previous by thread: curl CVE-2025-4947, CVE-2025-5025 probably fixed in trixie/sid
Next by thread: Please update courier security tracker information
Index(es):
- Date
- Thread