On Thu, Apr 10, 2014 at 12:47:39 +0200, Moritz Muehlenhoff wrote:
> On Thu, Apr 10, 2014 at 12:01:03PM +0200, Alessandro Ghedini wrote:
> > On Wed, Mar 26, 2014 at 06:50:41 +0100, Salvatore Bonaccorso wrote:
> > > Package: curl
> > > Version: 7.21.0-1
> > > Severity: grave
> > > Tags: security upstream fixed-upstream
> > > 
> > > Hi Alessandro,
> > > 
> > > For having this referenced also in the Debian BTS, the following
> > > vulnerabilities were published for curl.
> > > 
> > > CVE-2014-0138[0]:
> > > libcurl wrong re-use of connections
> > > 
> > > CVE-2014-0139[1]:
> > > libcurl IP address wildcard certificate validation
> > 
> > Here are the (old)stable debdiffs (better late than nothing, I guess... I had
> > troubles adapting the patches for the older releases :/).
> 
> If this now passes the test suite, please upload.

Well, it passes the test suite only because the broken test was disabled, but it
can't be helped (the alternative would be enabling the fork() support in the
server used for testing, but that may introduce more breakage). SUSE has done
the same thing (in fact the SUSE maintainer suggested this) and upstream says
it should be safe (in fact, the fact that the disabled test freezes is probably
a good sign, since it means that the patch does what it's supposed to).

Anyway, uploaded.

Cheers

-- 
perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'
