curl: CVE-2023-46219


Debian Bug report logs - #1057645


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 6 Dec 2023 13:45:01 UTC

Severity: important

Tags: security, upstream

Found in versions curl/8.4.0-2, curl/7.88.1-1, curl/7.88.1-10+deb12u4

Fixed in version curl/8.5.0-1

Done: Samuel Henrique <samueloph@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Alessandro Ghedini <ghedo@debian.org>:
Bug#1057645; Package src:curl. (Wed, 06 Dec 2023 13:45:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Alessandro Ghedini <ghedo@debian.org>. (Wed, 06 Dec 2023 13:45:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: curl: CVE-2023-46219
Date: Wed, 06 Dec 2023 14:42:25 +0100
Source: curl
Version: 8.4.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 7.88.1-10+deb12u4
Control: found -1 7.88.1-1

Hi,

The following vulnerability was published for curl.

CVE-2023-46219[0]:
| curl: HSTS long file name clears contents

For bullseye it can be ignored. For one, we do not yet build there with
HSTS support (although it was introduced codewise in upstream later,
the issue is introduced due to the fix for CVE-2022-32207).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46219
    https://www.cve.org/CVERecord?id=CVE-2023-46219
[1] https://curl.se/docs/CVE-2023-46219.html
[2] https://github.com/curl/curl/commit/73b65e94f3531179de45c6f3c836a610e3d0a846

Regards,
Salvatore



Marked as found in versions curl/7.88.1-10+deb12u4. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 06 Dec 2023 13:45:03 GMT)


Marked as found in versions curl/7.88.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 06 Dec 2023 13:45:03 GMT)


Reply sent to Samuel Henrique <samueloph@debian.org>:
You have taken responsibility. (Wed, 06 Dec 2023 20:39:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 06 Dec 2023 20:39:08 GMT)


Message #14 received at 1057645-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1057645-close@bugs.debian.org
Subject: Bug#1057645: fixed in curl 8.5.0-1
Date: Wed, 06 Dec 2023 20:37:48 +0000
Source: curl
Source-Version: 8.5.0-1
Done: Samuel Henrique <samueloph@debian.org>

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1057645@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Samuel Henrique <samueloph@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 06 Dec 2023 20:15:49 +0000
Source: curl
Built-For-Profiles: nocheck
Architecture: source
Version: 8.5.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Curl Maintainers <team+curl@tracker.debian.org>
Changed-By: Samuel Henrique <samueloph@debian.org>
Closes: 1057645 1057646
Changes:
 curl (8.5.0-1) unstable; urgency=medium
 .
   [ Samuel Henrique ]
   * New upstream version 8.5.0
     - Fix CVE-2023-46218: cookie mixed case PSL bypass (closes: #1057646)
     - Fix CVE-2023-46219: HSTS long file name clears contents (closes: #1057645)
   * d/rules: Use pkg-info.mk instead of dpkg-parsechangelog for DEB_VERSION
   * d/p/90_gnutls.patch: Update patch
   * d/p/dist_add_tests_errorcodes_pl_to_the_tarball.patch: Upstream patch to
     fix tests
   * d/p/add_errorcodes_upstream_file.patch: Include missing file from upstream
     tarball
 .
   [ Carlos Henrique Lima Melara ]
   * d/control: change Maintainer field to curl packaging team
   * d/README.Debian: add readme to explain curl's team creation
   * d/control: add myself to Uploaders






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Dec 7 08:17:32 2023; Machine Name: buxtehude
