Your message dated Mon, 20 Feb 2023 23:04:42 +0000
with message-id <e1pufd8-003rmm...@fasolo.debian.org>
and subject line Bug#1031371: fixed in curl 7.88.1-1
has caused the Debian Bug report #1031371,
regarding curl: CVE-2023-23914 CVE-2023-23915 CVE-2023-23916
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1031371: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031371
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: curl
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for curl.

CVE-2023-23914
curl: HSTS ignored on multiple requests
https://curl.se/docs/CVE-2023-23916.html

CVE-2023-23915
curl: HSTS amnesia with --parallel
https://curl.se/docs/CVE-2023-23915.html

CVE-2023-23914
curl: HSTS ignored on multiple requests
https://curl.se/docs/CVE-2023-23914.html


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-23914
    https://www.cve.org/CVERecord?id=CVE-2023-23914
[1] https://security-tracker.debian.org/tracker/CVE-2023-23915
    https://www.cve.org/CVERecord?id=CVE-2023-23915
[2] https://security-tracker.debian.org/tracker/CVE-2023-23916
    https://www.cve.org/CVERecord?id=CVE-2023-23916

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: curl
Source-Version: 7.88.1-1
Done: Samuel Henrique <samuel...@debian.org>

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1031...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Samuel Henrique <samuel...@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 20 Feb 2023 22:35:53 +0000
Source: curl
Architecture: source
Version: 7.88.1-1
Distribution: unstable
Urgency: medium
Maintainer: Alessandro Ghedini <gh...@debian.org>
Changed-By: Samuel Henrique <samuel...@debian.org>
Closes: 1029231 1031371
Changes:
 curl (7.88.1-1) unstable; urgency=medium
 .
   * New upstream version 7.88.1
     - Fix the following CVEs (closes: #1031371)
       ~ CVE-2023-23916: HTTP multi-header compression denial of service
       ~ CVE-2023-23915: HSTS amnesia with --parallel
       ~ CVE-2023-23914: HSTS ignored on multiple requests
     - Fix curl_multi_socket_action regression (closes: #1029231)
   * d/patches: Drop backported patch added to fix regression in setopt/getinfo
   * d/copyright: Drop removed file from copyright
   * d/control: Update BD to drop transitional package libidn11-dev

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
