Hi Samuel, [not a member of the release team, but was going through some potential unblock requests with CVE fixes]
On Fri, May 26, 2023 at 06:03:13PM +0100, Samuel Henrique wrote:
> Package: release.debian.org
> Control: affects -1 + src:curl
> X-Debbugs-Cc: c...@packages.debian.org
> User: release.debian....@packages.debian.org
> Usertags: unblock
> Severity: normal
>
> Please unblock package curl
>
> [ Reason ]
> 4 CVE fixes:
>
> * Add new patches to fix CVEs (closes: #1036239):
>   - CVE-2023-28319: UAF in SSH sha256 fingerprint check
>   - CVE-2023-28320: siglongjmp race condition
>   - CVE-2023-28321: IDN wildcard match
>   - CVE-2023-28322: more POST-after-PUT confusion
> * d/libcurl*.symbols: Drop curl_jmpenv, not built anymore due to
>   CVE-2023-28320
>
> [ Impact ]
> The highest CVE severity from upstream is "Moderate".
>
> [ Tests ]
> Curl has an extensive test suite that's run at build time and on
> autopkgtest, no regressions were detected.
>
> [ Risks ]
> The patches didn't require any changes which would be worrying.
> Regarding the "curl_jmpenv", there's no package on Debian using that.

After a short discussion with Paul, wouldn't that imply though that there
is an soname bump needed? Do you know whether upstream has considered this,
and if so, why not? Is there enough assurance nobody (even outside the
Debian world) is using that symbol?

Curl upstream has the following on it: https://curl.se/libcurl/abi.html

These are just a couple of questions trying to understand what potential
questions from release team members may come for your unblock request.

Regards,
Salvatore

p.s.: note it looks like the autopkgtest view for curl was still blocking it
because cwltool has a flaky test (on armel).
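The SONAME question above comes down to one check a reviewer can automate: did a non-optional exported symbol disappear between the old and new d/libcurl*.symbols files? This is an added example, not code from the curl package or from this thread; the two symbols files are constructed samples in the dpkg symbols-file format (the real libcurl list is far longer and "curl_debug_placeholder" is invented purely to show the (optional) tag).

```python
import re

# Constructed old/new dpkg symbols files (not the package's real d/libcurl4.symbols).
# Format: header line, "* key: value" metadata, then " [(tag|tag)]symbol@version minver".
OLD_SYMBOLS = """\
libcurl.so.4 libcurl4 #MINVER#
* Build-Depends-Package: libcurl4-openssl-dev
 curl_easy_cleanup@CURL_OPENSSL_4 7.16.2
 curl_easy_init@CURL_OPENSSL_4 7.16.2
 curl_jmpenv@CURL_OPENSSL_4 7.16.2
 (optional)curl_debug_placeholder@CURL_OPENSSL_4 7.16.2
"""

NEW_SYMBOLS = """\
libcurl.so.4 libcurl4 #MINVER#
* Build-Depends-Package: libcurl4-openssl-dev
 curl_easy_cleanup@CURL_OPENSSL_4 7.16.2
 curl_easy_init@CURL_OPENSSL_4 7.16.2
 curl_easy_reset@CURL_OPENSSL_4 7.88.1
"""

# One leading space, optional "(tags)" prefix, symbol@version, minimum version.
SYMBOL_LINE = re.compile(r"^ (?:\(([^)]*)\))?(\S+) (\S+)")

def parse_symbols(text):
    """Return {symbol@version: set_of_tags}; header, '*' and '#MISSING' lines are skipped."""
    symbols = {}
    for line in text.splitlines():
        m = SYMBOL_LINE.match(line)
        if m and not m.group(2).startswith("#"):
            tags = set(m.group(1).split("|")) if m.group(1) else set()
            symbols[m.group(2)] = tags
    return symbols

def abi_diff(old_text, new_text):
    """Classify exported-symbol changes. A symbol that was exported and is now gone breaks
    every binary linked against it, unless it was tagged (optional), which dpkg-gensymbols
    already allows to disappear without an error."""
    old, new = parse_symbols(old_text), parse_symbols(new_text)
    gone = [s for s in old if s not in new]
    return {
        "removed": sorted(s for s in gone if "optional" not in old[s]),
        "removed_optional": sorted(s for s in gone if "optional" in old[s]),
        "added": sorted(s for s in new if s not in old),
    }

def needs_soname_bump(old_text, new_text):
    """True when a non-optional exported symbol disappeared (the curl_jmpenv situation)."""
    return bool(abi_diff(old_text, new_text)["removed"])
```

Whether a dropped symbol was ever a supported part of the public API is a separate, human judgement; this only tells the reviewer that the exported surface shrank and the question has to be asked.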