From: Raspbian automatic forward porter Date: Fri, 21 Mar 2025 18:19:00 +0000 (+0000) Subject: Merge version 7.88.1-10+rpi1+deb12u8 and 7.88.1-10+deb12u12 to produce 7.88.1-10... X-Git-Tag: archive/raspbian/7.88.1-10+rpi1+deb12u12 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=bedd665c87f8e00617012bd878a6d18d9b7de45c;p=curl.git Merge version 7.88.1-10+rpi1+deb12u8 and 7.88.1-10+deb12u12 to produce 7.88.1-10+rpi1+deb12u12 --- 7d497301d1f4ba53ac35628498b977d070b09f02 diff --cc debian/changelog index cc613d4b,9aaeeb83..deb03129 --- a/debian/changelog +++ b/debian/changelog @@@ -1,9 -1,56 +1,63 @@@ - curl (7.88.1-10+rpi1+deb12u8) bookworm-staging; urgency=medium ++curl (7.88.1-10+rpi1+deb12u12) bookworm-staging; urgency=medium + + [changes brought forward from 7.88.1-9+rpi1 by Peter Michael Green at Sat, 20 May 2023 09:55:44 +0000] + * Disable testsuite. + - -- Raspbian forward porter Wed, 13 Nov 2024 02:21:55 +0000 ++ -- Raspbian forward porter Fri, 21 Mar 2025 18:18:59 +0000 ++ + curl (7.88.1-10+deb12u12) bookworm; urgency=medium + + * d/p/runtests.pl-Increase-variance-of-random-seed-used-for-tes: Fix test + failures due to port clashes + + -- Samuel Henrique Sun, 09 Mar 2025 10:45:45 +0000 + + curl (7.88.1-10+deb12u11) bookworm; urgency=medium + + * Team upload. + * Import patch for CVE-2025-0167. + - When asked to use a `.netrc` file for credentials **and** to follow HTTP + redirects, curl could leak the password used for the first host to the + followed-to host under certain circumstances. This flaw only manifests + itself if the netrc file has a `default` entry that omits both login + and password. A rare circumstance. + + -- Dr. Tobias Quathamer Mon, 10 Feb 2025 11:45:37 +0100 + + curl (7.88.1-10+deb12u10) bookworm; urgency=medium + + * Team upload. 
+ * Import patch for CVE-2024-11053 + - When asked to both use a `.netrc` file for credentials and to follow HTTP + redirects, curl could leak the password used for the first host to the + followed-to host under certain circumstances. + * d/patches: + - url-use-same-credentials-on-redirect.patch: Backport upstream patch to + fix the issue of reusing closed connections when the server disconnects + unexpectedly, and ensure redirects keep both username and password. + This patch is required for CVE-2024-11053. + - CVE-2024-11053.patch: Import and backport upstream patch to + fix CVE-2024-11053 + + -- Matheus Polkorny Sun, 19 Jan 2025 23:22:01 -0300 + + curl (7.88.1-10+deb12u9) bookworm; urgency=medium + + * Team upload. + * Import patches for CVE-2024-9681 + - A vulnerability in curl's HSTS handling allows a subdomain’s expiry time + to overwrite its parent domain’s cache entry. This can lead to unintended + HTTPS upgrades or premature reversion to HTTP when both subdomains and + parent domains are used. Affects applications with HSTS enabled, + potentially disrupting access when a domain stops supporting HTTPS. + * d/patches: + - CVE-2024-9681-*.patch: Backport patches. + - CVE-2024-9681-1: fix backport inconsistencies + - large-time-testable-feature.patch: Import 'large-time' feature for tests + - dont-stop-stunnel-before-retry.patch: Import patch to avoid stopping + stunnel before retrying + + -- Aquila Macedo Costa Thu, 02 Jan 2025 21:11:56 -0300 curl (7.88.1-10+deb12u8) bookworm; urgency=medium
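Review bot: The new top entry for 7.88.1-10+rpi1+deb12u12 still carries forward "* Disable testsuite." as its only Raspbian-specific change, so the tests that come with the merged security backports (CVE-2025-0167, CVE-2024-11053, CVE-2024-9681) are not run when this package is built. Several of the Debian entries merged below are themselves test-side fixes ("runtests.pl-Increase-variance-of-random-seed-used-for-tes" for port clashes, "large-time-testable-feature.patch", "dont-stop-stunnel-before-retry.patch"), so it is worth re-checking whether the testsuite still has to stay disabled, or at least stating the reason in the entry. The top entry also does not say that this upload picks up three CVE fixes relative to +rpi1+deb12u8; a one-line summary there would make the security relevance visible without reading down through the Debian entries.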