Your message dated Thu, 18 May 2023 23:04:15 +0000
with message-id <e1pzmfp-005ili...@fasolo.debian.org>
and subject line Bug#1036239: fixed in curl 7.88.1-10
has caused the Debian Bug report #1036239,
regarding curl: CVE-2023-28319 CVE-2023-28320 CVE-2023-28321 CVE-2023-28322
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036239: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036239
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: curl
Version: 7.88.1-9
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for curl.

CVE-2023-28319[0]:
| UAF in SSH sha256 fingerprint check

CVE-2023-28320[1]:
| siglongjmp race condition

CVE-2023-28321[2]:
| IDN wildcard match

CVE-2023-28322[3]:
| more POST-after-PUT confusion

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28319
    https://www.cve.org/CVERecord?id=CVE-2023-28319
[1] https://security-tracker.debian.org/tracker/CVE-2023-28320
    https://www.cve.org/CVERecord?id=CVE-2023-28320
[2] https://security-tracker.debian.org/tracker/CVE-2023-28321
    https://www.cve.org/CVERecord?id=CVE-2023-28321
[3] https://security-tracker.debian.org/tracker/CVE-2023-28322
    https://www.cve.org/CVERecord?id=CVE-2023-28322

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: curl
Source-Version: 7.88.1-10
Done: Samuel Henrique <samuel...@debian.org>

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1036...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Samuel Henrique <samuel...@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 18 May 2023 23:43:40 +0100
Source: curl
Built-For-Profiles: nocheck
Architecture: source
Version: 7.88.1-10
Distribution: unstable
Urgency: medium
Maintainer: Alessandro Ghedini <gh...@debian.org>
Changed-By: Samuel Henrique <samuel...@debian.org>
Closes: 1036239
Changes:
 curl (7.88.1-10) unstable; urgency=medium
 .
   * Add new patches to fix CVEs (closes: #1036239):
     - CVE-2023-28319: UAF in SSH sha256 fingerprint check
     - CVE-2023-28320: siglongjmp race condition
     - CVE-2023-28321: IDN wildcard match
     - CVE-2023-28322: more POST-after-PUT confusion
   * d/libcurl*.symbols: Drop curl_jmpenv, not built anymore due to
     CVE-2023-28320

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
