On Sat, 8 Feb 2025, Samuel Henrique wrote:

> Hello Harry,
>
> I would prefer to have a patch like this submitted upstream, and then once it's
> merged there, we could backport it to stable/oldstable.
>
> Cheers,

Since the curl project does not consider this issue a security vulnerability, it will likely not get priority in developing the fix. Obviously this is not great if your systems are affected. Regardless of whether the project considers the issue a vulnerability or not, the security impact can be critical for some users of curl.

Uploading my unofficial patch here was a courtesy in case someone is in urgent need of mitigating the issue. It was a proposal for a fix, and was also submitted to the project via the h1 ticket.

My intention was not to mess with the normal workflow of curl/debian project or to cause some kind of confusion. If I did, I apologize for the disruption.

PS. Just as a closing note to anyone out of the loop, the curl project is also working on the official patch here:

https://github.com/curl/curl/pull/16205


  Regards,
--
  Harry Sintonen
