Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package curl

The version in sid fixes #922554, which affects several users of NetworkManager and is marked as important (the patch is backported from upstream). Debdiff is attached.

At the time I uploaded it I expected it to migrate to testing before the freeze, but apparently I did the math wrong. Anyway, an unrelated change adding a couple of entries to the previous upload's changelog was also included (as you can see from the debdiff), hope that's not too much of a problem.

unblock curl/7.64.0-2

-- System Information:
Debian Release: buster/sid
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru curl-7.64.0/debian/changelog curl-7.64.0/debian/changelog --- curl-7.64.0/debian/changelog 2019-02-06 22:33:05.000000000 +0000 +++ curl-7.64.0/debian/changelog 2019-03-07 20:02:35.000000000 +0000 @@ -1,3 +1,9 @@ +curl (7.64.0-2) unstable; urgency=medium + + * Fix infinite loop when fetching URLs with unreachable IPv6 (Closes: #922554) + + -- Alessandro Ghedini <gh...@debian.org> Thu, 07 Mar 2019 20:02:35 +0000 + curl (7.64.0-1) unstable; urgency=medium * New upstream release @@ -8,6 +14,8 @@ + Fix SMTP end-of-response out-of-bounds read as per CVE-2019-3823 https://curl.haxx.se/docs/CVE-2019-3823.html + Fix HTTP negotiation with POST requests (Closes: #920267) + * Refresh patches + * Import fixes for zsh completion script generator (Closes: #92145) -- Alessandro Ghedini <gh...@debian.org> Wed, 06 Feb 2019 22:33:05 +0000 diff -Nru curl-7.64.0/debian/patches/13_singlesocket-fix-the-sincebefore-placement.patch curl-7.64.0/debian/patches/13_singlesocket-fix-the-sincebefore-placement.patch --- curl-7.64.0/debian/patches/13_singlesocket-fix-the-sincebefore-placement.patch 1970-01-01 01:00:00.000000000 +0100 +++ curl-7.64.0/debian/patches/13_singlesocket-fix-the-sincebefore-placement.patch 2019-03-07 20:02:35.000000000 +0000 
@@ -0,0 +1,38 @@ +From afc00e047c773faeaa60a5f86a246cbbeeba5819 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <dan...@haxx.se> +Date: Tue, 19 Feb 2019 15:56:54 +0100 +Subject: [PATCH] singlesocket: fix the 'sincebefore' placement + +The variable wasn't properly reset within the loop and thus could remain +set for sockets that hadn't been set before and miss notifying the app. + +This is a follow-up to 4c35574 (shipped in curl 7.64.0) + +Reported-by: buzo-ffm on github +Detected-by: Jan Alexander Steffens +Fixes #3585 +Closes #3589 +--- + lib/multi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -2360,8 +2360,6 @@ + int num; + unsigned int curraction; + int actions[MAX_SOCKSPEREASYHANDLE]; +- unsigned int comboaction; +- bool sincebefore = FALSE; + + for(i = 0; i< MAX_SOCKSPEREASYHANDLE; i++) + socks[i] = CURL_SOCKET_BAD; +@@ -2380,6 +2378,8 @@ + i++) { + unsigned int action = CURL_POLL_NONE; + unsigned int prevaction = 0; ++ unsigned int comboaction; ++ bool sincebefore = FALSE; + + s = socks[i]; + diff -Nru curl-7.64.0/debian/patches/series curl-7.64.0/debian/patches/series --- curl-7.64.0/debian/patches/series 2019-02-06 22:33:05.000000000 +0000 +++ curl-7.64.0/debian/patches/series 2019-03-07 20:02:35.000000000 +0000 @@ -4,6 +4,7 @@ 08_enable-zsh.patch 11_omit-directories-from-config.patch 12_zsh.patch +13_singlesocket-fix-the-sincebefore-placement.patch # do not add patches below 90_gnutls.patch
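
Review bot: In the second debian/changelog hunk (@@ -8,6 +14,8 @@), the added line "Import fixes for zsh completion script generator (Closes: #92145)" cites a five-digit bug number, while the other bug references in this changelog (#922554, #920267) have six digits. Please confirm the number is complete and points at the intended zsh completion report before this migrates.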
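
Review bot: In the new 13_singlesocket patch, the second lib/multi.c hunk (@@ -2380,6 +2378,8 @@) declares comboaction inside the loop body without an initializer, while sincebefore beside it is reset to FALSE on each iteration. The visible context does not show where comboaction is first written, so please confirm that every path through the loop body assigns it before it is read, or initialize it at the declaration. The patch header also keeps only the upstream references (Fixes #3585, Closes #3589); a Bug-Debian line pointing at #922554 would tie the file to the Debian report named in the changelog.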