On Sat, 8 Feb 2025, Samuel Henrique wrote:

> Hello Harry,
>
> I would prefer to have a patch like this submitted upstream, and then once it's
> merged there, we could backport it to stable/oldstable.
>
> Cheers,
Since the curl project does not consider this issue a security vulnerability,
it will likely not get priority in developing the fix. Obviously this is
not great if your systems are affected. Regardless of whether the project
considers the issue a vulnerability or not, the security impact can be
critical for some users of curl.
Uploading my unofficial patch here was a courtesy in case someone is in
urgent need of mitigating the issue. It was a proposal for a fix, and was
also submitted to the project via the h1 ticket.
My intention was not to mess with the normal workflow of curl/debian
project or to cause some kind of confusion. If I did, I apologize for the
disruption.
PS. Just as a closing note to anyone out of the loop, the curl project is also
working on the official patch here:
https://github.com/curl/curl/pull/16205
Regards,
--
Harry Sintonen