Your message dated Sat, 11 Aug 2018 13:19:36 +0000
with message-id <e1fotns-000bkr...@fasolo.debian.org>
and subject line Bug#883174: fixed in curl 7.61.0-1
has caused the Debian Bug report #883174,
regarding libcurl3: uses ca-certificates.crt rather than /etc/ssl/certs/<hash> by default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
883174: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883174
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: curl
Version: 7.42.1-3
Severity: wishlist

Hi,

Up to 7.42.1-3, libcurl3 (OpenSSL) and the curl binary would use the 
subject hash symlinks under /etc/ssl/certs for certificate verification.  
Debian commit a494ae19[1] changed the OpenSSL build to specify both 
--with-ca-path and --with-ca-bundle. According to 
SSL_CTX_LOAD_VERIFY_LOCATIONS(3SSL):

  When looking up CA certificates, the OpenSSL library will first search 
  the certificates in CAfile, then those in CApath.

The following illustrates the difference between a Stretch host:

 $ strace -etrace=file curl -s https://debian.org 2>&1 | grep ssl
 open("/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 4
 
and a Jessie host:

 $ strace -etrace=file curl -s https://debian.org 2>&1 | grep /etc/ssl
 stat("/etc/ssl/certs/2e5ac55d.0", {st_mode=S_IFREG|0644, st_size=1200, ...}) = 0
 open("/etc/ssl/certs/2e5ac55d.0", O_RDONLY) = 5
 stat("/etc/ssl/certs/2e5ac55d.1", 0x7ffdcf392220) = -1 ENOENT (No such file or directory)

The former uses ca-certificates.crt, the latter uses the subject hash 
symlinks under /etc/ssl/certs.

Note that this may lead to increased memory usage for applications using 
libcurl with multiple curl handles (this is how I found out :), as 
ca-certificates.crt is always loaded in memory and typically accounts 
for about 1MB per curl handle. In contrast, using the subject hash links 
loads only the required certificates in memory and only when they are 
needed.

Please consider reverting that part of the commit and relying only on 
ca-path.

Regards,
Apollon

P.S.: I did not investigate how GnuTLS behaves in this respect.

[1] https://anonscm.debian.org/git/collab-maint/curl.git/commit/?id=a494ae1901f86e03ed631f6aa6b0bf0758e75e35

--- End Message ---
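The report contrasts two lookup strategies: a CAfile bundle that is parsed whole into every SSL_CTX, and a CApath directory where OpenSSL derives an 8-hex-digit hash from the issuer's subject name and probes <hash>.0, <hash>.1, ... until a stat() fails, which is exactly the stat/open/ENOENT sequence in the Jessie strace. The following Python is an added example, not code from the report, from curl or from OpenSSL: it reimplements the subject-hash computation (canonical DER of the name, SHA-1, first four bytes little-endian) and the by-directory probing order. It assumes the root probed above, 2e5ac55d.0, is DST Root CA X3 (the report does not name it), models only single-attribute RDNs, and uses empty placeholder files in a temporary directory in place of real PEM certificates.

```python
"""Model of OpenSSL's CApath lookup: subject-hash computation plus the
<hash>.N probing sequence. Added example; not OpenSSL's or curl's code."""
import hashlib
import os
import tempfile


def _der_len(n: int) -> bytes:
    # DER length: short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_oid(dotted: str) -> bytes:
    # Base-128 encoding of an OBJECT IDENTIFIER, first two arcs combined.
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def canon_value(value: str) -> bytes:
    """Attribute value as OpenSSL's x509_name_canon normalises it: UTF-8,
    leading/trailing whitespace dropped, inner whitespace runs collapsed to one
    space, ASCII letters lowercased, non-ASCII bytes passed through."""
    ws = b" \t\n\r\x0b\x0c"
    raw = value.encode("utf-8").strip(ws)
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c & 0x80:                       # non-ASCII byte: untouched
            out.append(c)
            i += 1
        elif c in ws:                      # collapse whitespace run
            out.append(0x20)
            while i < len(raw) and raw[i] in ws:
                i += 1
        else:
            out.append(c + 32 if 0x41 <= c <= 0x5A else c)
            i += 1
    return bytes(out)


def canon_name(rdns) -> bytes:
    """Canonical name encoding that X509_NAME_hash digests: the concatenated
    RDN SETs, each SET { SEQUENCE { OID, UTF8String } }, with NO outer
    SEQUENCE wrapper. rdns is a list of (dotted_oid, value) pairs, one
    attribute per RDN (multi-valued RDNs are not modelled here)."""
    return b"".join(
        _der(0x31, _der(0x30, _der_oid(oid) + _der(0x0C, canon_value(val))))
        for oid, val in rdns)


def subject_hash(rdns) -> str:
    """The <hash> in /etc/ssl/certs/<hash>.N: first four bytes of SHA-1 over
    the canonical encoding, read as a little-endian 32-bit integer."""
    digest = hashlib.sha1(canon_name(rdns)).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")


def capath_lookup(capath: str, hash_hex: str):
    """Files the by_dir lookup would try for one subject hash: <hash>.0,
    <hash>.1, ... and stop at the first name whose stat() fails. (The real
    loop also stops if a found file fails to parse as a certificate.)"""
    found = []
    k = 0
    while True:
        path = os.path.join(capath, "%s.%d" % (hash_hex, k))
        if not os.path.exists(path):
            return found
        found.append(path)
        k += 1


# Assumed DN of the root behind 2e5ac55d.0: O and CN, in certificate order.
DST_ROOT_CA_X3 = [("2.5.4.10", "Digital Signature Trust Co."),
                  ("2.5.4.3", "DST Root CA X3")]


def demo():
    """Constructed CApath with placeholder files: .0 and .1 are loaded, the
    stray .3 is never reached because .2 is missing."""
    h = subject_hash(DST_ROOT_CA_X3)
    with tempfile.TemporaryDirectory() as capath:
        for suffix in ("0", "1", "3"):
            open(os.path.join(capath, "%s.%s" % (h, suffix)), "w").close()
        return h, [os.path.basename(p) for p in capath_lookup(capath, h)]


if __name__ == "__main__":
    print(demo())
```

Because the hash covers only the subject name, two certificates with the same subject (for example a root and its cross-signed twin) share a hash and are distinguished by the .0/.1 suffix, which is why the probing continues past .0 and why a gap in the numbering silently hides later files. The same normalisation means `openssl x509 -hash` on a certificate and this function on its parsed DN must agree; if they do not, the directory was built with the pre-1.0 MD5 hash (`-subject_hash_old`) and needs a `c_rehash`.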
--- Begin Message ---
Source: curl
Source-Version: 7.61.0-1

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 883...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <gh...@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 11 Aug 2018 13:32:28 +0100
Source: curl
Binary: curl libcurl4 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl4-doc
Architecture: source
Version: 7.61.0-1
Distribution: unstable
Urgency: medium
Maintainer: Alessandro Ghedini <gh...@debian.org>
Changed-By: Alessandro Ghedini <gh...@debian.org>
Description:
 curl       - command line tool for transferring data with URL syntax
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl4-doc - documentation for libcurl
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 883174 888449 902628 903546
Changes:
 curl (7.61.0-1) unstable; urgency=medium
 .
   * New upstream release
     + Fix SMTP send heap buffer overflow as per CVE-2018-0500 (Closes: #903546)
       https://curl.haxx.se/docs/adv_2018-70a2.html
     + Fix some crashes related to HTTP/2 (Closes: #902628)
   * Disable libssh2 on Ubuntu.
     Thanks to Gianfranco Costamagna for the patch (Closes: #888449)
   * Bump Standards-Version to 4.2.0 (no changes needed)
   * Don't configure default CA bundle with OpenSSL and GnuTLS (Closes: #883174)
Checksums-Sha1:
 dcf093da928a4d426bf2e3cec1c75658a784def3 2662 curl_7.61.0-1.dsc
 34c0f89e01c27070fe3b6f86371791390f464602 3964862 curl_7.61.0.orig.tar.gz
 44217062c4c8d1865cc4945076b544543bc0094f 28348 curl_7.61.0-1.debian.tar.xz
 8ad4ea8cf3e79e73288018fdd3ff27979d9d1c7f 11241 curl_7.61.0-1_amd64.buildinfo
Checksums-Sha256:
 f7a9c3d60f75ff16dae8bde2efc632d12b5d306d2dd2f0b7bad5ebc61c3f2830 2662 curl_7.61.0-1.dsc
 64141f0db4945268a21b490d58806b97c615d3d0c75bf8c335bbe0efd13b45b5 3964862 curl_7.61.0.orig.tar.gz
 3bdcd5605cf1e7fdf10aa7009e55ae16fd518e6ae193e262ade19a1d24ce5134 28348 curl_7.61.0-1.debian.tar.xz
 a18d09d63f19bac9e479335b0dba7ade9380b3dbfb1638094c65b179d1b36864 11241 curl_7.61.0-1_amd64.buildinfo
Files:
 806380fc99162f0062c118202d9731dc 2662 web optional curl_7.61.0-1.dsc
 ef343f64daab4691f528697b58a2d984 3964862 web optional curl_7.61.0.orig.tar.gz
 f8e140d57aa9ebf8fd59cf88b5ba3187 28348 web optional curl_7.61.0-1.debian.tar.xz
 9a51930dab5a720745ae8cc6607db3b5 11241 web optional curl_7.61.0-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
