Package: release.debian.org
Control: affects -1 + src:curl
X-Debbugs-Cc: c...@packages.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: bookworm
X-Debbugs-Cc: samuel...@debian.org
Severity: normal

[ Reason ]
This change provides DEB_VERSION on "--version" output.

It's common for curl users to provide the output of "curl --version" when reporting issues, and there have been cases where having the version of the package in that output would have saved time (e.g.: if we don't know which distro the person is using and/or whether the package is up-to-date).

Recently, on a Twitter thread, someone was assuming that a server was not patched for "CVE-2023-38545" because they only saw the upstream version.

With this change, the "Release-Date" line of the output will change from e.g.:
    Release-Date: 2020-12-09
to:
    Release-Date: 2020-12-09, security patched: 7.88.1-10+deb12u4

[ Impact ]
// Explained in the "Reason" section.

[ Tests ]
Curl has an extensive test suite and no failures were detected.

[ Risks ]
The only affected code is a single "printf" statement, which is changed to include the version:
https://github.com/curl/curl/blob/curl-7_88_1/src/tool_help.c#L171-L176

There's a risk that scripts parsing the "Release-Date:" line from "--version" might fail to parse the date if the regex is badly written. I think it's very unlikely that there are scripts parsing that line of the output. Assuming there is one, and that it's using a bad regex, the risk is that it will match more than just the release date.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
d/rules is now importing "/usr/share/dpkg/pkg-info.mk" and setting "CURL_PATCHSTAMP" to the value of "DEB_VERSION". Effectively, this only changes the output of "curl --version" (on the "Release-Date" line).

[ Other info ]
I'm opening -pu bugs against bullseye, bookworm, and I'll check with the LTS team if they accept this change for buster.

--
Samuel Henrique <samueloph>
curl_7.88.1-10+deb12u5.debdiff
Description: Binary data
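
The parsing risk described under [ Risks ], shown as an added example that is not part of the original mail and is not curl's or Debian's code: a loose pattern swallows the new suffix as part of the date, while an anchored pattern returns the date and the package version separately. The function names and the surrounding sample lines are assumptions; only the two "Release-Date" lines come from the mail.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample outputs: the two Release-Date lines are the ones quoted
# in the mail, the other lines are abbreviated placeholders.
OLD_OUTPUT = """\
curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1
Release-Date: 2020-12-09
Protocols: file ftp http https
"""
NEW_OUTPUT = """\
curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1
Release-Date: 2020-12-09, security patched: 7.88.1-10+deb12u4
Protocols: file ftp http https
"""

# Fragile pattern: treats everything after the label as "the date".
LOOSE = re.compile(r"Release-Date: (.*)")

# Anchored pattern: an ISO date, then an optional patch-stamp suffix.
STRICT = re.compile(
    r"^Release-Date: (\d{4}-\d{2}-\d{2})(?:, security patched: (\S+))?[ \t]*$",
    re.MULTILINE,
)


class ReleaseInfo(NamedTuple):
    release_date: str
    package_version: Optional[str]  # None when no patch stamp is present


def loose_release_date(output: str) -> Optional[str]:
    """What a badly written script would report as the release date."""
    m = LOOSE.search(output)
    return m.group(1) if m else None


def parse_release_line(output: str) -> Optional[ReleaseInfo]:
    """Return the date and the package version (if stamped), or None."""
    m = STRICT.search(output)
    return ReleaseInfo(m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    for sample in (OLD_OUTPUT, NEW_OUTPUT):
        print(repr(loose_release_date(sample)), parse_release_line(sample))
```

The package version returned by the anchored parser is the value a triager needs when checking a report against a distribution's fixed versions, which the upstream version alone does not give.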