-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 27 Dec 2022 00:05:50 +0000
Source: curl
Architecture: source
Version: 7.74.0-1.3+deb11u4
Distribution: bullseye-security
Urgency: high
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Samuel Henrique <samueloph@debian.org>
Changes:
 curl (7.74.0-1.3+deb11u4) bullseye-security; urgency=high
 .
   * Fix backport of patch for CVE-2021-22946, which was passing a wrong first
     argument to ftp_state_user_resp; this was likely causing a regression when
     using ftp.
   * Backport two patches from upstream to solve 2 CVEs:
     CVE-2022-32221.patch, CVE-2022-43552.patch.
     - CVE-2022-32221 POST following PUT confusion
       When doing HTTP(S) transfers, libcurl might erroneously use the read
       callback (CURLOPT_READFUNCTION) to ask for data to send, even when the
       CURLOPT_POSTFIELDS option has been set, if the same handle previously
       was used to issue a PUT request which used that callback.
       .
       This flaw may surprise the application and cause it to misbehave and
       either send off the wrong data or use memory after free or similar in
       the subsequent POST request.
     - CVE-2022-43552 HTTP Proxy deny use-after-free
       curl can be asked to tunnel virtually all protocols it supports through
       an HTTP proxy. HTTP proxies can (and often do) deny such tunnel
       operations using an appropriate HTTP error response code.
       .
       When getting denied to tunnel the specific protocols SMB or TELNET,
       curl would use a heap-allocated struct after it had been freed, in its
       transfer shutdown code path.
Checksums-Sha1:
 788aa08c7accfa110afc4bcc33f04bcf54166bca 2699 curl_7.74.0-1.3+deb11u4.dsc
 c69a8426ee72ce28761a721564fae9659d9df2da 58728 curl_7.74.0-1.3+deb11u4.debian.tar.xz
 04d364b46abb2fd488616ed9e4636527a238cff9 13007 curl_7.74.0-1.3+deb11u4_amd64.buildinfo
Checksums-Sha256:
 56b1d7aca0d7f30123839dc184c0fbc7899aa4b9fd45010c3973064e35ecac16 2699 curl_7.74.0-1.3+deb11u4.dsc
 b3a83e01b833159ea9d76491609cc5ed1d6d59f7d16e6b4db243ed6705f26f3f 58728 curl_7.74.0-1.3+deb11u4.debian.tar.xz
 38d7a40448225ed0ceae56c4ab73ab1a8a3ed92ddc893bb68da490203aad8595 13007 curl_7.74.0-1.3+deb11u4_amd64.buildinfo
Files:
 bcadd4005c2deee3ff19edc67c2c3b27 2699 web optional curl_7.74.0-1.3+deb11u4.dsc
 bb07fce9b90080bc54a215682767e401 58728 web optional curl_7.74.0-1.3+deb11u4.debian.tar.xz
 3bc9c91c6d91c0f204bdfdbb321257cf 13007 web optional curl_7.74.0-1.3+deb11u4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEBdtqg34QX0sdAsVfu6n6rcz7RwcFAmPHJzIACgkQu6n6rcz7
RwdDxw//TOOY3RzaEjX7kq0YpR/oRvLN2t779cclgh1VVJtGE5pCAOzpDdIlHRAU
hCNEE5fDJj3lL583jZl8oEs72glc/cWeafaPeFM0aZQ+A5f0RY96qe8jdr1o5T+m
yJSf1+EKJPdT7ZO3pqwxiH8JNA7WsF0E1iS5PFtPfSzC5pZJ0KnmrND28nhnrO4H
T0BsegXXRCNzk3hR0cz5jm5MaLQRl+y5N35ZX79qLOX78iqAEQ9qSxNuPVnzsCY/
yp87C3jV6WOWFnZtsHWxwFRLy47+1T4TfgB8Dzja4X7duxQeWKk0YQyT2Ak/JUCW
pChIt2WB0djbmU6rhohvLBININBDaWNhXpEzrU47soFkoRgDnGUPdC/9pTXPWSJC
/IpLHGA7Lkvuzt2P1QWBJRedQI6zu7/dMGjrq6IsdAbaGezJY/JXGWhpyQz2mHeD
HZTTsUfCxR6Ya032YvbUaMadVXF3TD7SsFNtFwWSP1/KAl6bVfj/iplsEiVjuEpD
SY0+J2NLXmbB9QHNRXC1pc/lInlcmsFuV++HU5qoKtmYp5qd0Lwosbr6bMLy5Vnh
MUv8pzEL+drcPL1opGVOmcYE/xnbG+M4SnI0PAhJgeQdS/yHxUv36ebBCID5JDnP
hN4E5TVgpCtud0TQMgwQRUBYTf3z+tI4VnvrQOB/tdaDRbD+ofA=
=smDR
-----END PGP SIGNATURE-----
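The checksum blocks above are what a consumer of this upload is meant to verify after checking the PGP signature. The following is an added example, not part of the Debian .changes file or of curl, showing how a practitioner can parse the Checksums-Sha256 block of a .changes file and verify the listed files on disk by size and SHA-256. The sample files and the `example_1.0-1` package name in `build_sample` are constructed for the demonstration; the three entries in `PAGE_CHANGES_FRAGMENT` are copied from the page.

```python
import hashlib
import os
import re
import tempfile

# The Checksums-Sha256 entries from this .changes file, copied for parsing.
PAGE_CHANGES_FRAGMENT = """\
Checksums-Sha256:
 56b1d7aca0d7f30123839dc184c0fbc7899aa4b9fd45010c3973064e35ecac16 2699 curl_7.74.0-1.3+deb11u4.dsc
 b3a83e01b833159ea9d76491609cc5ed1d6d59f7d16e6b4db243ed6705f26f3f 58728 curl_7.74.0-1.3+deb11u4.debian.tar.xz
 38d7a40448225ed0ceae56c4ab73ab1a8a3ed92ddc893bb68da490203aad8595 13007 curl_7.74.0-1.3+deb11u4_amd64.buildinfo
Files:
"""

ENTRY_RE = re.compile(r"^\s+([0-9a-f]{64})\s+(\d+)\s+(\S+)$")


def parse_checksums_sha256(changes_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 block.

    In the .changes format, a block consists of continuation lines that begin
    with a space; the first line without a leading space starts the next field.
    """
    entries = {}
    in_block = False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):
                break
            m = ENTRY_RE.match(line)
            if m:
                entries[m.group(3)] = (m.group(1), int(m.group(2)))
    return entries


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(changes_text, directory):
    """Return {filename: 'ok' | 'missing' | 'size-mismatch' | 'hash-mismatch'}."""
    results = {}
    for name, (digest, size) in parse_checksums_sha256(changes_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size-mismatch"
        elif sha256_of(path) != digest:
            results[name] = "hash-mismatch"
        else:
            results[name] = "ok"
    return results


def build_sample(directory):
    """Constructed sample: write two fake files and a matching .changes fragment."""
    files = {
        "example_1.0-1.dsc": b"Format: 3.0 (quilt)\nSource: example\n",
        "example_1.0-1.debian.tar.xz": b"constructed, not a real xz archive",
    }
    lines = ["Source: example", "Checksums-Sha256:"]
    for name, data in files.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    lines.append("Files:")  # a field without leading space ends the block
    return "\n".join(lines) + "\n"


def demo():
    """Verify the constructed sample, then flip one bit in a file and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        changes = build_sample(d)
        before = verify_files(changes, d)
        path = os.path.join(d, "example_1.0-1.dsc")
        with open(path, "rb") as f:
            data = bytearray(f.read())
        data[0] ^= 0x01  # same length, so only the hash check can catch it
        with open(path, "wb") as f:
            f.write(data)
        after = verify_files(changes, d)
        return before, after


if __name__ == "__main__":
    print(parse_checksums_sha256(PAGE_CHANGES_FRAGMENT))
    print(demo())
```

Checksums only bind the files to the .changes text; the text itself is trusted because it sits inside the PGP signed message, so the signature must be checked first (for example with `gpg --verify` against the Debian keyring) and the checksums compared only if that succeeds.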