Format: 1.8
Date: Mon, 10 Feb 2025 11:45:37 +0100
Source: curl
Built-For-Profiles: nocheck
Architecture: source
Version: 7.88.1-10+deb12u11
Distribution: bookworm
Urgency: medium
Maintainer: Alessandro Ghedini
Changed-By: Dr. Tobias Quathamer
Changes:
 curl (7.88.1-10+deb12u11) bookworm; urgency=medium
 .
   * Team upload.
   * Import patch for CVE-2025-0167.
     - When asked to use a `.netrc` file for credentials **and** to
       follow HTTP redirects, curl could leak the password used for the
       first host to the followed-to host under certain circumstances.
       This flaw only manifests itself if the netrc file has a `default`
       entry that omits both login and password. A rare circumstance.
 .
 curl (7.88.1-10+deb12u10) bookworm; urgency=medium
 .
   * Team upload.
   * Import patch for CVE-2024-11053
     - When asked to both use a `.netrc` file for credentials and to
       follow HTTP redirects, curl could leak the password used for the
       first host to the followed-to host under certain circumstances.
   * d/patches:
     - url-use-same-credentials-on-redirect.patch: Backport upstream
       patch to fix the issue of reusing closed connections when the
       server disconnects unexpectedly, and ensure redirects keep both
       username and password. This patch is required for CVE-2024-11053.
     - CVE-2024-11053.patch: Import and backport upstream patch to fix
       CVE-2024-11053