New Debian curl 7.88.1-10+deb12u12 fixes: This update addresses the following issues: * curl: HSTS subdomain overwrites parent cache entry (CVE-2024-9681) * curl: curl netrc password leak (CVE-2024-11053) * When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance. (CVE-2025-0167)
--- mirror/ftp/pool/main/c/curl/curl_7.88.1-10+deb12u8.dsc +++ apt/ucs_5.2-0-errata5.2-1/source/curl_7.88.1-10+deb12u12.dsc @@ -1,3 +1,49 @@ +7.88.1-10+deb12u12 [Sun, 09 Mar 2025 10:45:45 +0000] Samuel Henrique <samueloph@debian.org>: + + * d/p/runtests.pl-Increase-variance-of-random-seed-used-for-tes: Fix test + failures due to port clashes + +7.88.1-10+deb12u11 [Mon, 10 Feb 2025 11:45:37 +0100] Dr. Tobias Quathamer <toddy@debian.org>: + + * Team upload. + * Import patch for CVE-2025-0167. + - When asked to use a `.netrc` file for credentials **and** to follow HTTP + redirects, curl could leak the password used for the first host to the + followed-to host under certain circumstances. This flaw only manifests + itself if the netrc file has a `default` entry that omits both login + and password. A rare circumstance. + +7.88.1-10+deb12u10 [Sun, 19 Jan 2025 23:22:01 -0300] Matheus Polkorny <mpolkorny@gmail.com>: + + * Team upload. + * Import patch for CVE-2024-11053 + - When asked to both use a `.netrc` file for credentials and to follow HTTP + redirects, curl could leak the password used for the first host to the + followed-to host under certain circumstances. + * d/patches: + - url-use-same-credentials-on-redirect.patch: Backport upstream patch to + fix the issue of reusing closed connections when the server disconnects + unexpectedly, and ensure redirects keep both username and password. + This patch is required for CVE-2024-11053. + - CVE-2024-11053.patch: Import and backport upstream patch to + fix CVE-2024-11053 + +7.88.1-10+deb12u9 [Thu, 02 Jan 2025 21:11:56 -0300] Aquila Macedo Costa <aquilamacedo@riseup.net>: + + * Team upload. + * Import patches for CVE-2024-9681 + - A vulnerability in curl's HSTS handling allows a subdomain’s expiry time + to overwrite its parent domain’s cache entry. This can lead to unintended + HTTPS upgrades or premature reversion to HTTP when both subdomains and + parent domains are used. Affects applications with HSTS enabled, + potentially disrupting access when a domain stops supporting HTTPS. + * d/patches: + - CVE-2024-9681-*.patch: Backport patches. + - CVE-2024-9681-1: fix backport inconsistencies + - large-time-testable-feature.patch: Import 'large-time' feature for tests + - dont-stop-stunnel-before-retry.patch: Import patch to avoid stopping + stunnel before retrying + 7.88.1-10+deb12u8 [Tue, 17 Sep 2024 16:29:24 -0300] Aquila Macedo Costa <aquilamacedo@riseup.net>: * Team upload. <http://piuparts.knut.univention.de/5.2-1/#3850096592911302637>
OK: bug OK: yaml OK: announce_errata OK: patch OK: piuparts [5.2-1] a39f9a7de12 Bug #58098: curl 7.88.1-10+deb12u12 doc/errata/staging/curl.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.2x40>