Package: curl
X-Debbugs-Cc: [email protected], [email protected],
[email protected]
Version: 8.3.0-2
Severity: serious
Tags: upstream security

Due to a recent email on the curl-library mailing list, I want to
block the migration of the latest release to testing.

https://curl.se/mail/lib-2023-10/0002.html

The email mentions:
> Due to the discovery of a serious security vulnerability we have now been
> forced to immediately close the feature window and instead start preparing for
> a cycle-breaking early release.

I don't know which versions of curl this "serious security
vulnerability" affects, but I'm being extra careful here in blocking
the migration of 8.3.0 to testing.

In case this CVE only affects 8.3.0, then testing will be safe.
If it also affects older releases, then blocking the migration doesn't
change anything, but it's still worth taking this precaution (no
harm in keeping 8.2.1 in testing for a few days).

The CVE that's currently fixed by 8.3.0 (CVE-2023-38039) is not
serious so we can postpone the fix for that on testing.

I usually receive curl CVE details through an embargo process, I
haven't received anything yet so this is all based on public
information.

From the moment I receive any details under embargo, I'll stop
interacting with this in any way that might leak information.

This means this migration block will stay in place up until public
details are published (even if I might know, under embargo, whether
the new vulnerability only affects 8.3.0 or not).

Cheers,


-- 
Samuel Henrique <samueloph>