Your message dated Thu, 5 Oct 2023 23:01:14 +0100
with message-id <cabwkt9osvxfdvk2fwcxc2_filn9te9wehchdbnctqvdunwm...@mail.gmail.com>
and subject line curl: Block migration to testing until more information is 
publicly available about last CVE
has caused the Debian Bug report #1053344,
regarding curl: Block migration to testing until more information is publicly 
available about last CVE
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1053344: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053344
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: curl
X-Debbugs-Cc: sergi...@debian.org, charlesmel...@riseup.net,
samuel...@debian.org
Version: 8.3.0-2
Severity: serious
Tags: upstream security

Due to a recent email on the curl-library mailing list, I want to
block the migration of the latest release to testing.

https://curl.se/mail/lib-2023-10/0002.html

The email mentions:
> Due to the discovery of a serious security vulnerability we have now been
> forced to immediately close the feature window and instead start preparing for
> a cycle-breaking early release.

I don't know which versions of curl this "serious security
vulnerability" affects, but I'm being extra careful here in blocking
the migration of 8.3.0 to testing.

In case this CVE only affects 8.3.0, then testing will be safe.
If it also affects older releases, then blocking the migration doesn't
change anything, but it's still worthwhile to take this precaution (no
harm in keeping 8.2.1 in testing for a few days).

The CVE that's currently fixed by 8.3.0 (CVE-2023-38039) is not
serious so we can postpone the fix for that on testing.

I usually receive curl CVE details through an embargo process, I
haven't received anything yet so this is all based on public
information.

From the moment I receive any details under embargo, I'll stop
interacting with this in any way that might leak information.

This means this migration block will stay in place up until public
details are published (even if I might know, under embargo, whether
the new vulnerability only affects 8.3.0 or not).

Cheers,


-- 
Samuel Henrique <samueloph>

--- End Message ---
--- Begin Message ---
> From the moment I receive any details under embargo, I'll stop
> interacting with this in any way that might leak information.

> This means this migration block will stay in place up until public
> details are published (even if I might know, under embargo, whether
> the new vulnerability only affects 8.3.0 or not).

So the curl upstream has publicly confirmed that the vulnerability
affects old releases, which means this migration blocker is useless,
removing it to let 8.3.0 migrate to Debian testing.

Upstream public confirmation:
https://github.com/curl/curl/discussions/12026#discussioncomment-7194757

Note: As the curl maintainer on Debian, I did get access to the CVE's
details under embargo, but this action is based on public information
about the CVE.

Cheers,

-- 
Samuel Henrique <samueloph>

--- End Message ---