[ubuntu/mantic-proposed] curl 7.88.1-10ubuntu1 (Accepted)

Gianfranco Costamagna locutusofborg at debian.org
Fri May 19 06:48:14 UTC 2023 

curl (7.88.1-10ubuntu1) mantic; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Don't build-depend on python3-impacket on i386 so we can drop it
      (and its dependencies) from the i386 partial port.  It's only used for
      the tests, which do not block the build in any case.

curl (7.88.1-10) unstable; urgency=medium

  * Add new patches to fix CVEs (closes: #1036239):
    - CVE-2023-28319: UAF in SSH sha256 fingerprint check
    - CVE-2023-28320: siglongjmp race condition
    - CVE-2023-28321: IDN wildcard match
    - CVE-2023-28322: more POST-after-PUT confusion
  * d/libcurl*.symbols: Drop curl_jmpenv, not built anymore due to
    CVE-2023-28320

Date: Fri, 19 May 2023 08:46:54 +0200
Changed-By: Gianfranco Costamagna <locutusofborg at debian.org>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/curl/7.88.1-10ubuntu1
-------------- next part --------------
Format: 1.8
Date: Fri, 19 May 2023 08:46:54 +0200
Source: curl
Built-For-Profiles: noudeb
Architecture: source
Version: 7.88.1-10ubuntu1
Distribution: mantic
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Gianfranco Costamagna <locutusofborg at debian.org>
Closes: 1036239
Changes:
 curl (7.88.1-10ubuntu1) mantic; urgency=low
 .
   * Merge from Debian unstable. Remaining changes:
     - Don't build-depend on python3-impacket on i386 so we can drop it
       (and its dependencies) from the i386 partial port.  It's only used for
       the tests, which do not block the build in any case.
 .
 curl (7.88.1-10) unstable; urgency=medium
 .
   * Add new patches to fix CVEs (closes: #1036239):
     - CVE-2023-28319: UAF in SSH sha256 fingerprint check
     - CVE-2023-28320: siglongjmp race condition
     - CVE-2023-28321: IDN wildcard match
     - CVE-2023-28322: more POST-after-PUT confusion
   * d/libcurl*.symbols: Drop curl_jmpenv, not built anymore due to
     CVE-2023-28320
Checksums-Sha1:
 bceffa42f4804aa638c0749fb08dce7126b8fe3f 3278 curl_7.88.1-10ubuntu1.dsc
 ada702472b47e289aa5169cb7f747288d76f152d 56096 curl_7.88.1-10ubuntu1.debian.tar.xz
 686b791488566dc73c58f198eeb94437cbaa6a77 9044 curl_7.88.1-10ubuntu1_source.buildinfo
Checksums-Sha256:
 f51c0049694387e4727d2c4e6978a14e102dc957d8467bee7a1047a142fcb20b 3278 curl_7.88.1-10ubuntu1.dsc
 e1bf951113c87195a64848565bfc149ad668443653ce358377ea15d581b1d9ac 56096 curl_7.88.1-10ubuntu1.debian.tar.xz
 65345b86e65f8c937c6411454de34d9b67319b9176de95a59ee0bd31d3533ba5 9044 curl_7.88.1-10ubuntu1_source.buildinfo
Files:
 4714005b8f00a9203acdb6cc96303956 3278 web optional curl_7.88.1-10ubuntu1.dsc
 bc1ffd673de2f4e22b0444f8bd8c7f3b 56096 web optional curl_7.88.1-10ubuntu1.debian.tar.xz
 2de5301fc8a5fdcab37eb17d1b218172 9044 web optional curl_7.88.1-10ubuntu1_source.buildinfo
Original-Maintainer: Alessandro Ghedini <ghedo at debian.org>

More information about the mantic-changes mailing list