Package: curl
X-Debbugs-Cc: [email protected], [email protected], [email protected]
Version: 8.3.0-2
Severity: serious
Tags: upstream security
Due to a recent email on the curl-library mailing list, I want to block the migration of the latest release to testing.

https://curl.se/mail/lib-2023-10/0002.html

The email mentions:

> Due to the discovery of a serious security vulnerability we have now been
> forced to immediately close the feature window and instead start preparing for
> a cycle-breaking early release.

I don't know which versions of curl this "serious security vulnerability" affects, but I'm being extra careful here in blocking the migration of 8.3.0 to testing.

In case this CVE only affects 8.3.0, then testing will be safe. If it also affects older releases, then blocking the migration doesn't change anything, but it's still worthwhile to take this precaution (no harm in keeping 8.2.1 in testing for a few days).

The CVE that's currently fixed by 8.3.0 (CVE-2023-38039) is not serious, so we can postpone the fix for that on testing.

I usually receive curl CVE details through an embargo process. I haven't received anything yet, so this is all based on public information. From the moment I receive any details under embargo, I'll stop interacting with this in any way that might leak information. This means this migration block will stay in place up until public details are published (even if I might know, under embargo, whether the new vulnerability only affects 8.3.0 or not).

Cheers,

-- 
Samuel Henrique <samueloph>

