Hi Alessandro,

On Thu, Apr 10, 2014 at 01:38:37PM +0200, Alessandro Ghedini wrote:
> On Thu, Apr 10, 2014 at 12:47:39 +0200, Moritz Muehlenhoff wrote:
> > On Thu, Apr 10, 2014 at 12:01:03PM +0200, Alessandro Ghedini wrote:
> > > On Wed, Mar 26, 2014 at 06:50:41 +0100, Salvatore Bonaccorso wrote:
> > > > Package: curl
> > > > Version: 7.21.0-1
> > > > Severity: grave
> > > > Tags: security upstream fixed-upstream
> > > >
> > > > Hi Alessandro,
> > > >
> > > > For having this referenced also in the Debian BTS, the following
> > > > vulnerabilities were published for curl.
> > > >
> > > > CVE-2014-0138[0]:
> > > > libcurl wrong re-use of connections
> > > >
> > > > CVE-2014-0139[1]:
> > > > libcurl IP address wildcard certificate validation
> > >
> > > Here are the (old)stable debdiffs (better late than nothing, I guess... I had
> > > troubles adapting the patches for the older releases :/).
> >
> > If this now passes the test suite, please upload.
>
> Well, it passes the test suite only because the broken test was disabled, but it
> can't be helped (the alternative would be enabling the fork() support in the
> server used for testing, but that may introduce more breakage). SUSE has done
> the same thing (in fact the SUSE maintainer suggested this) and upstream says
> it should be safe (in fact, the fact that the disabled test freezes is probably
> a good sign, since it means that the patch does what it's supposed to).
>
> Anyway, uploaded.
Thanks for your uploads. Will try to have a look at them over the weekend and
release the packages. Both arrived in any case at security-master and builds
are done.

Regards,
Salvatore