Merge ~danilogondolfo/ubuntu/+source/curl:merge-lp2039798-noble into ubuntu/+source/curl:debian/sid

Proposed by Danilo Egea Gondolfo
Status: Needs review
Proposed branch: ~danilogondolfo/ubuntu/+source/curl:merge-lp2039798-noble
Merge into: ubuntu/+source/curl:debian/sid
Diff against target: 254 lines (+163/-2)
2 files modified
debian/changelog (+160/-0)
debian/control (+3/-2)
Reviewers:
Sergio Durigan Junior (community): Approve
git-ubuntu import: Pending
Review via email: mp+455006@code.launchpad.net
Sergio Durigan Junior (sergiodj) wrote :

Thanks for the MP, Danilo.

I'm leaving two minor comments regarding the changelog entry, but otherwise it's looking great. Let me know when you address the comments and I'll sponsor the upload.

review: Needs Fixing
Danilo Egea Gondolfo (danilogondolfo) wrote :

Thank you, Sergio. Just fixed it.

Sergio Durigan Junior (sergiodj) wrote :

Thanks. Uploaded:

$ dput ssh-ubuntu curl_8.4.0-2ubuntu1_source.changes
  D: Setting host argument.
  Checking signature on .changes
  gpg: /home/sergio/work/curl/curl_8.4.0-2ubuntu1_source.changes: Valid signature from 106DA1C8C3CBBF14
  Checking signature on .dsc
  gpg: /home/sergio/work/curl/curl_8.4.0-2ubuntu1.dsc: Valid signature from 106DA1C8C3CBBF14
  Package includes an .orig.tar.gz file although the debian revision suggests
  that it might not be required. Multiple uploads of the .orig.tar.gz may be
  rejected by the upload queue management software.
  Uploading to ssh-ubuntu (via sftp to upload.ubuntu.com):
  Uploading curl_8.4.0-2ubuntu1.dsc: done.
  Uploading curl_8.4.0.orig.tar.gz: done.
  Uploading curl_8.4.0.orig.tar.gz.asc: done.
  Uploading curl_8.4.0-2ubuntu1.debian.tar.xz: done.
  Uploading curl_8.4.0-2ubuntu1_source.buildinfo: done.
  Uploading curl_8.4.0-2ubuntu1_source.changes: done.
  Successfully uploaded packages.

review: Approve

Unmerged commits

c692550... by Danilo Egea Gondolfo

Changelog

d553817... by Danilo Egea Gondolfo

update-maintainer

ad78cad... by Danilo Egea Gondolfo

reconstruct-changelog

10757bf... by Danilo Egea Gondolfo

merge-changelogs

9d66e78... by Danilo Egea Gondolfo

debian/control

Don't build-depend on python3-impacket on i386 so we can drop it
(and its dependencies) from the i386 partial port. It's only used for
the tests, which do not block the build in any case.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index b69d34a..1e5c29f 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,19 @@
6+curl (8.4.0-2ubuntu1) noble; urgency=medium
7+
8+ * Merge from Debian unstable (LP: #2039798). Remaining changes:
9+ - debian/control: Don't build-depend on python3-impacket on i386
10+ so we can drop it (and its dependencies) from the i386 partial port.
11+ It's only used for the tests, which do not block the build in any case.
12+ * Drop patches for CVEs fixed upstream:
13+ - debian/patches/CVE-2023-38039.patch
14+ - debian/patches/CVE-2023-38545.patch
15+ - debian/patches/CVE-2023-38546.patch
16+ * Drop delta merged in Debian
17+ - debian/tests/control
18+ - debian/tests/curl-ldapi-test
19+
20+ -- Danilo Egea Gondolfo <danilo.egea.gondolfo@canonical.com> Wed, 01 Nov 2023 12:06:23 +0000
21+
22 curl (8.4.0-2) unstable; urgency=medium
23
24 * d/rules: set CURL_PATCHSTAMP to package's version, so it shows up in
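Review bot: In the new 8.4.0-2ubuntu1 entry, the bullet "* Drop delta merged in Debian" is missing the trailing colon that the two bullets above it use before their sub-lists, and "* Drop patches for CVEs fixed upstream:" does not say which upstream release carries the fixes. Suggest "* Drop delta merged in Debian:" and naming the upstream version beside each dropped patch, so a later reader can confirm that CVE-2023-38039, CVE-2023-38545 and CVE-2023-38546 remain fixed once the Ubuntu patches are gone.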
25@@ -57,6 +73,46 @@ curl (8.2.1-2) unstable; urgency=medium
26
27 -- Samuel Henrique <samueloph@debian.org> Fri, 25 Aug 2023 20:05:02 +0100
28
29+curl (8.2.1-1ubuntu3.1) mantic-security; urgency=medium
30+
31+ * SECURITY UPDATE: SOCKS5 heap buffer overflow
32+ - debian/patches/CVE-2023-38545.patch: return error if hostname too
33+ long for remote resolve in lib/socks.c, tests/data/Makefile.inc,
34+ tests/data/test728.
35+ - CVE-2023-38545
36+ * SECURITY UPDATE: cookie injection with none file
37+ - debian/patches/CVE-2023-38546.patch: remove unnecessary struct fields
38+ in lib/cookie.c, lib/cookie.h, lib/easy.c.
39+ - CVE-2023-38546
40+
41+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 03 Oct 2023 20:03:05 -0400
42+
43+curl (8.2.1-1ubuntu3) mantic; urgency=medium
44+
45+ * SECURITY UPDATE: HTTP headers eat all memory
46+ - debian/patches/CVE-2023-38039.patch: return error when receiving too
47+ large header set in lib/c-hyper.c, lib/cf-h1-proxy.c, lib/http.c,
48+ lib/http.h, lib/pingpong.c, lib/urldata.h.
49+ - CVE-2023-38039
50+
51+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 11 Sep 2023 09:05:17 -0400
52+
53+curl (8.2.1-1ubuntu2) mantic; urgency=medium
54+
55+ * d/t/control, d/t/curl-ldapi-test: move test-command to an actual
56+ test script and add a retry logic (LP: #2030911)
57+
58+ -- Andreas Hasenack <andreas@canonical.com> Wed, 09 Aug 2023 17:10:40 -0300
59+
60+curl (8.2.1-1ubuntu1) mantic; urgency=low
61+
62+ * Merge from Debian unstable. Remaining changes:
63+ - Don't build-depend on python3-impacket on i386 so we can drop it
64+ (and its dependencies) from the i386 partial port. It's only used for
65+ the tests, which do not block the build in any case.
66+
67+ -- Gianfranco Costamagna <locutusofborg@debian.org> Sat, 05 Aug 2023 16:06:26 +0200
68+
69 curl (8.2.1-1) unstable; urgency=medium
70
71 [ Samuel Henrique ]
72@@ -97,6 +153,15 @@ curl (7.88.1-11) unstable; urgency=medium
73
74 -- Samuel Henrique <samueloph@debian.org> Fri, 28 Jul 2023 21:11:25 +0100
75
76+curl (7.88.1-10ubuntu1) mantic; urgency=low
77+
78+ * Merge from Debian unstable. Remaining changes:
79+ - Don't build-depend on python3-impacket on i386 so we can drop it
80+ (and its dependencies) from the i386 partial port. It's only used for
81+ the tests, which do not block the build in any case.
82+
83+ -- Gianfranco Costamagna <locutusofborg@debian.org> Fri, 19 May 2023 08:46:54 +0200
84+
85 curl (7.88.1-10) unstable; urgency=medium
86
87 * Add new patches to fix CVEs (closes: #1036239):
88@@ -109,6 +174,15 @@ curl (7.88.1-10) unstable; urgency=medium
89
90 -- Samuel Henrique <samueloph@debian.org> Thu, 18 May 2023 23:43:40 +0100
91
92+curl (7.88.1-9ubuntu1) mantic; urgency=low
93+
94+ * Merge from Debian unstable. Remaining changes:
95+ - Don't build-depend on python3-impacket on i386 so we can drop it
96+ (and its dependencies) from the i386 partial port. It's only used for
97+ the tests, which do not block the build in any case.
98+
99+ -- Gianfranco Costamagna <locutusofborg@debian.org> Tue, 02 May 2023 08:47:52 +0200
100+
101 curl (7.88.1-9) unstable; urgency=medium
102
103 [ Sergio Durigan Junior ]
104@@ -123,6 +197,15 @@ curl (7.88.1-9) unstable; urgency=medium
105
106 -- Samuel Henrique <samueloph@debian.org> Sat, 15 Apr 2023 20:03:44 +0100
107
108+curl (7.88.1-8ubuntu1) lunar; urgency=low
109+
110+ * Merge from Debian unstable. Remaining changes:
111+ - Don't build-depend on python3-impacket on i386 so we can drop it
112+ (and its dependencies) from the i386 partial port. It's only used for
113+ the tests, which do not block the build in any case.
114+
115+ -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 27 Mar 2023 07:50:29 +0200
116+
117 curl (7.88.1-8) unstable; urgency=medium
118
119 [ Samuel Henrique ]
120@@ -136,6 +219,15 @@ curl (7.88.1-8) unstable; urgency=medium
121
122 -- Samuel Henrique <samueloph@debian.org> Sun, 26 Mar 2023 11:36:24 +0100
123
124+curl (7.88.1-7ubuntu1) lunar; urgency=low
125+
126+ * Merge from Debian unstable. Remaining changes:
127+ - Don't build-depend on python3-impacket on i386 so we can drop it
128+ (and its dependencies) from the i386 partial port. It's only used for
129+ the tests, which do not block the build in any case.
130+
131+ -- Gianfranco Costamagna <locutusofborg@debian.org> Wed, 22 Mar 2023 11:51:25 +0100
132+
133 curl (7.88.1-7) unstable; urgency=medium
134
135 * Bump Standards-Version to 4.6.2
136@@ -151,6 +243,15 @@ curl (7.88.1-7) unstable; urgency=medium
137
138 -- Samuel Henrique <samueloph@debian.org> Tue, 21 Mar 2023 22:39:05 +0000
139
140+curl (7.88.1-6ubuntu1) lunar; urgency=low
141+
142+ * Merge from Debian unstable. Remaining changes:
143+ - Don't build-depend on python3-impacket on i386 so we can drop it
144+ (and its dependencies) from the i386 partial port. It's only used for
145+ the tests, which do not block the build in any case.
146+
147+ -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 13 Mar 2023 10:10:19 +0100
148+
149 curl (7.88.1-6) unstable; urgency=medium
150
151 * d/rules: Ignore test results from tests that fail on IPv6-only builders
152@@ -203,6 +304,22 @@ curl (7.88.1-2) unstable; urgency=medium
153
154 -- Samuel Henrique <samueloph@debian.org> Fri, 03 Mar 2023 08:28:19 +0000
155
156+curl (7.88.1-1ubuntu1) lunar; urgency=medium
157+
158+ * Merge from Debian unstable (LP: #2008123). Remaining changes:
159+ + Drop patches for CVEs fixed upsteam.
160+ - debian/patches/CVE-2023-23914_5-1.patch
161+ - debian/patches/CVE-2023-23914_5-2.patch
162+ - debian/patches/CVE-2023-23914_5-3.patch
163+ - debian/patches/CVE-2023-23914_5-4.patch
164+ - debian/patches/CVE-2023-23914_5-5.patch
165+ - debian/patches/CVE-2023-23916.patch
166+ + Don't build-depend on python3-impacket on i386 so we can drop it
167+ (and its dependencies) from the i386 partial port. It's only used for
168+ the tests, which do not block the build in any case.
169+
170+ -- Danilo Egea Gondolfo <danilo.egea.gondolfo@canonical.com> Wed, 22 Feb 2023 17:14:26 +0000
171+
172 curl (7.88.1-1) unstable; urgency=medium
173
174 * New upstream version 7.88.1
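Review bot: "upsteam" in "+ Drop patches for CVEs fixed upsteam." of the 7.88.1-1ubuntu1 entry is a typo for "upstream". This entry is reinstated history, so keep the spelling only if it matches the changelog as uploaded for that version; otherwise correct it. The same bullet sits under "Remaining changes:" although dropping patches is not a remaining delta; the 8.4.0-2ubuntu1 entry at the top of the file avoids this by listing the drops as their own top-level bullet.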
175@@ -217,6 +334,41 @@ curl (7.88.1-1) unstable; urgency=medium
176
177 -- Samuel Henrique <samueloph@debian.org> Mon, 20 Feb 2023 22:35:53 +0000
178
179+curl (7.87.0-2ubuntu2) lunar; urgency=medium
180+
181+ * SECURITY UPDATE: multiple HSTS issues
182+ - debian/patches/CVE-2023-23914_5-1.patch: add sharing of HSTS cache
183+ among handles in docs/libcurl/opts/CURLSHOPT_SHARE.3,
184+ docs/libcurl/symbols-in-versions, include/curl/curl.h, lib/hsts.c,
185+ lib/hsts.h, lib/setopt.c, lib/share.c, lib/share.h, lib/transfer.c,
186+ lib/url.c, lib/urldata.h.
187+ - debian/patches/CVE-2023-23914_5-2.patch: share HSTS between handles
188+ in src/tool_operate.c.
189+ - debian/patches/CVE-2023-23914_5-3.patch: handle adding the same host
190+ name again in lib/hsts.c.
191+ - debian/patches/CVE-2023-23914_5-4.patch: support crlf="yes" for
192+ verify/proxy in tests/FILEFORMAT.md, tests/runtests.pl.
193+ - debian/patches/CVE-2023-23914_5-5.patch: verify hsts with two URLs in
194+ tests/data/Makefile.inc, tests/data/test446.
195+ - CVE-2023-23914
196+ - CVE-2023-23915
197+ * SECURITY UPDATE: HTTP multi-header compression denial of service
198+ - debian/patches/CVE-2023-23916.patch: do not reset stage counter for
199+ each header in lib/content_encoding.c, lib/urldata.h,
200+ tests/data/Makefile.inc, tests/data/test387, tests/data/test418.
201+ - CVE-2023-23916
202+
203+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 17 Feb 2023 08:19:10 -0500
204+
205+curl (7.87.0-2ubuntu1) lunar; urgency=low
206+
207+ * Merge from Debian unstable. Remaining changes:
208+ - Don't build-depend on python3-impacket on i386 so we can drop it
209+ (and its dependencies) from the i386 partial port. It's only used for
210+ the tests, which do not block the build in any case.
211+
212+ -- Gianfranco Costamagna <locutusofborg@debian.org> Wed, 01 Feb 2023 11:24:47 +0100
213+
214 curl (7.87.0-2) unstable; urgency=medium
215
216 * d/patches: Add new upstream patch to fix regression in setopt/getinfo
217@@ -225,6 +377,14 @@ curl (7.87.0-2) unstable; urgency=medium
218
219 -- Samuel Henrique <samueloph@debian.org> Sun, 15 Jan 2023 21:12:09 +0000
220
221+curl (7.87.0-1ubuntu1) lunar; urgency=medium
222+
223+ * Don't build-depend on python3-impacket on i386 so we can drop it
224+ (and its dependencies) from the i386 partial port. It's only used for
225+ the tests, which do not block the build in any case.
226+
227+ -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 08 Jan 2023 00:40:54 +0000
228+
229 curl (7.87.0-1) unstable; urgency=medium
230
231 * New upstream version 7.87.0
232diff --git a/debian/control b/debian/control
233index 8fd48c5..a39683e 100644
234--- a/debian/control
235+++ b/debian/control
236@@ -1,7 +1,8 @@
237 Source: curl
238 Section: web
239 Priority: optional
240-Maintainer: Alessandro Ghedini <ghedo@debian.org>
241+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
242+XSBC-Original-Maintainer: Alessandro Ghedini <ghedo@debian.org>
243 Uploaders: Samuel Henrique <samueloph@debian.org>,
244 Sergio Durigan Junior <sergiodj@debian.org>
245 Build-Depends:
246@@ -27,7 +28,7 @@ Build-Depends:
247 locales-all <!nocheck>,
248 openssh-server <!nocheck>,
249 python3:native <!nocheck>,
250- python3-impacket <!nocheck>,
251+ python3-impacket [!i386] <!nocheck>,
252 gnutls-bin [amd64 arm64 armel armhf i386 mips64el mipsel s390x powerpc ppc64 riscv64] <!nocheck>,
253 quilt,
254 stunnel4 <!nocheck>,
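Review bot: The [!i386] restriction on python3-impacket rests on the changelog's statement that the tests "do not block the build in any case", but nothing in this hunk shows how the tests that need impacket behave when it is absent. Worth confirming from an i386 build log that those tests are skipped or their failures are ignored, so the i386 build result does not hide a test run that silently stopped covering anything.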
