Package: release.debian.org
Control: affects -1 + src:curl
X-Debbugs-Cc: c...@packages.debian.org, aquilamac...@riseup.net,
samuel...@debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal
[ Reason ]
The reason is to fix CVE-2024-9681 [1], which inadvertently allowed
subdomain HSTS expiry times to overwrite parent domain entries, leading
to unintended behavior.
[ Impact ]
The vulnerabilities in the curl code of bookworm can be exploited by
attackers, potentially compromising secure connections or causing access
failures.
[ Tests ]
The upstream created specific tests to validate the changes that fix the
CVE-2024-9681, ensuring that the fix works correctly and that nothing is
broken. I imported these tests along with the CVE patches, but they are
being SKIPPED in the autopkgtest for the curl repository on Salsa. This
happens because these imported tests are event-based and require a
different execution method compared to the others.
There is already an open merge request in the official curl repository
on Salsa, where we are discussing the best approach to add support
for these event-based tests. Since this functionality has not yet been
implemented in this repository, I added support via a fork of the
debian/bookworm branch to demonstrate that the imported tests are
functional and passing [2].
Currently, only the tests-upstream-openssl test is passing in this job
of the autopkgtest on salsa-ci. This is because, when adding support for
the event-based tests, the autopkgtest tests for the gnutls and nss
backends on bookworm fail. Fixing this, at the moment, would be
unnecessary effort, as the CVE patch affects only HSTS, which is
independent of the gnutls and nss backends. Thus, not running these
tests does not compromise the validation of the fix.
[ Risks ]
The risks are minimal, as the upstream has added tests to validate the
CVE patch. These tests were imported to ensure that the fix performs as
intended.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
1. Imported and backported the upstream patch that fixes CVE-2024-9681.
2. Imported and backported an upstream patch to fix the autopkgtest
failure in the debian/bookworm branch. We were encountering this
issue [3], and after analyzing the problem together with @sergiodj,
he suggested adding the upstream patch [4] to address the error
occurring in autopkgtest.
3. Imported and backported an upstream patch to make the 'large-time'
feature available, which some of the tests imported for CVE-2024-9681
need in order to run.
[ Other info ]
@samueloph opened a bug in proposed-updates for another issue using the
version curl/7.88.1-10+deb12u9. I'll use the same version for my
upload; he has let me know that, if both are accepted, he will adjust
his version to avoid conflicts.
[1] https://security-tracker.debian.org/tracker/CVE-2024-9681
[2] https://salsa.debian.org/aquilamacedo/curl/-/jobs/6861321#L3681
[3] https://salsa.debian.org/debian/curl/-/jobs/6728790/viewer#L7684
[4] https://github.com/curl/curl/commit/f9e8c5f5781c85a16f1da1c55af02e0bdd688af6
diff -Nru curl-7.88.1/debian/changelog curl-7.88.1/debian/changelog
--- curl-7.88.1/debian/changelog 2024-09-17 16:29:24.000000000 -0300
+++ curl-7.88.1/debian/changelog 2025-01-02 21:11:56.000000000 -0300
@@ -1,3 +1,21 @@
+curl (7.88.1-10+deb12u9) bookworm; urgency=medium
+
+ * Team upload.
+ * Import patches for CVE-2024-9681
+ - A vulnerability in curl's HSTS handling allows a subdomainâs expiry time
+ to overwrite its parent domainâs cache entry. This can lead to unintended
+ HTTPS upgrades or premature reversion to HTTP when both subdomains and
+ parent domains are used. Affects applications with HSTS enabled,
+ potentially disrupting access when a domain stops supporting HTTPS.
+ * d/patches:
+ - CVE-2024-9681-*.patch: Backport patches.
+ - CVE-2024-9681-1: fix backport inconsistencies
+ - large-time-testable-feature.patch: Import 'large-time' feature for tests
+ - dont-stop-stunnel-before-retry.patch: Import patch to avoid stopping
+ stunnel before retrying
+
+ -- Aquila Macedo Costa <aquilamac...@riseup.net> Thu, 02 Jan 2025 21:11:56 -0300
+
curl (7.88.1-10+deb12u8) bookworm; urgency=medium
* Team upload.
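Review bot: the d/patches sub-entry "CVE-2024-9681-1: fix backport inconsistencies" does not describe what that file contains; its own header says it adds upstream tests 780-783 plus the Makefile.inc, feature-name and %LOGDIR adjustments, so the changelog line should say that. Also the apostrophes in "subdomainâs" and "domainâs" are mis-encoded as shown in this debdiff; use plain ASCII apostrophes in d/changelog so the shipped changelog does not carry mojibake.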
diff -Nru curl-7.88.1/debian/patches/CVE-2024-9681-0.patch curl-7.88.1/debian/patches/CVE-2024-9681-0.patch
--- curl-7.88.1/debian/patches/CVE-2024-9681-0.patch 1969-12-31 21:00:00.000000000 -0300
+++ curl-7.88.1/debian/patches/CVE-2024-9681-0.patch 2025-01-02 21:11:56.000000000 -0300
@@ -0,0 +1,88 @@
+From a94973805df96269bf3f3bf0a20ccb9887313316 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Wed, 9 Oct 2024 10:04:35 +0200
+Subject: [PATCH] hsts: improve subdomain handling
+
+- on load, only replace existing HSTS entries if there is a full host
+ match
+
+- on matching, prefer a full host match and secondary the longest tail
+ subdomain match
+
+Closes #15210
+
+Backported by: Aquila Macedo Costa <aquilamac...@riseup.net>.
+
+Changes:
+- Refresh patch context.
+---
+ lib/hsts.c | 16 +++++++++++-----
+ tests/data/test1660 | 2 +-
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/lib/hsts.c b/lib/hsts.c
+index 64cbae1..7701703 100644
+--- a/lib/hsts.c
++++ b/lib/hsts.c
+@@ -248,12 +248,14 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname,
+ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+ bool subdomain)
+ {
++ struct stsentry *bestsub = NULL;
+ if(h) {
+ char buffer[MAX_HSTS_HOSTLEN + 1];
+ time_t now = time(NULL);
+ size_t hlen = strlen(hostname);
+ struct Curl_llist_element *e;
+ struct Curl_llist_element *n;
++ size_t blen = 0;
+
+ if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
+ return NULL;
+@@ -278,15 +280,19 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
+ if(ntail < hlen) {
+ size_t offs = hlen - ntail;
+ if((hostname[offs-1] == '.') &&
+- strncasecompare(&hostname[offs], sts->host, ntail))
+- return sts;
++ strncasecompare(&hostname[offs], sts->host, ntail) &&
++ (ntail > blen)) {
++ /* save the tail match with the longest tail */
++ bestsub = sts;
++ blen = ntail;
++ }
+ }
+ }
+ if(strcasecompare(hostname, sts->host))
+ return sts;
+ }
+ }
+- return NULL; /* no match */
++ return bestsub;
+ }
+
+ /*
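Review bot: with `return sts` kept inside the loop for the exact-host case but `bestsub` only returned after it, a lookup that used to stop at the first tail match now walks the whole list whenever no exact entry exists. That is the intended trade, since the longest tail is unknown until the end, but the removed `/* no match */` comment should be replaced rather than dropped: `return bestsub; /* NULL or the longest includeSubDomains tail match */` makes it clear this is not a fallthrough.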
+@@ -438,8 +444,8 @@ static CURLcode hsts_add(struct hsts *h, char *line)
+ e = Curl_hsts(h, p, subdomain);
+ if(!e)
+ result = hsts_create(h, p, subdomain, expires);
+- else {
+- /* the same host name, use the largest expire time */
++ else if(strcasecompare(p, e->host)) {
++ /* the same hostname, use the largest expire time */
+ if(expires > e->expires)
+ e->expires = expires;
+ }
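Review bot: when Curl_hsts() returns a tail (parent) match instead of an exact one, neither branch runs, so a `.sub.parent.example` line is silently discarded on load whenever a `.parent.example` entry was loaded before it: it is not created through hsts_create() and nothing is updated. If that is intended (the parent wildcard already covers the host), say so in the comment; otherwise add a final `else result = hsts_create(h, p, subdomain, expires);` so the longer-lived subdomain entry survives a reload of the cache file. Tests 782 and 783 cannot catch this because their expected output for this.hsts.example is CURL_TIME + max-age (1728465947 + 1000 = "20241009 09:42:27"), which the response header produces whether or not the loaded entry was kept.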
+diff --git a/tests/data/test1660 b/tests/data/test1660
+index cbbcf75..662026b 100644
+--- a/tests/data/test1660
++++ b/tests/data/test1660
+@@ -52,7 +52,7 @@ this.example [this.example]: 1548400797
+ Input 12: error 43
+ Input 13: error 43
+ Input 14: error 43
+-3.example.com [example.com]: 1569905261 includeSubDomains
++3.example.com [3.example.com]: 1569905261 includeSubDomains
+ 3.example.com [example.com]: 1569905261 includeSubDomains
+ foo.example.com [example.com]: 1569905261 includeSubDomains
+ 'foo.xample.com' is not HSTS
diff -Nru curl-7.88.1/debian/patches/CVE-2024-9681-1.patch curl-7.88.1/debian/patches/CVE-2024-9681-1.patch
--- curl-7.88.1/debian/patches/CVE-2024-9681-1.patch 1969-12-31 21:00:00.000000000 -0300
+++ curl-7.88.1/debian/patches/CVE-2024-9681-1.patch 2025-01-02 21:11:56.000000000 -0300
@@ -0,0 +1,405 @@
+From 5ee43bb82e1a5259c5dea482e9921419aee887bb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Wed, 9 Oct 2024 11:27:29 +0200
+Subject: [PATCH] tests: 780 - 783, new HSTS tests
+
+test780: verify updated HSTS data in response header
+
+test781: HSTS update expiry, with parent includeSubDomains domain
+present
+
+test782: HSTS update expiry, with two includeSubDomains domains present
+
+test783: HSTS update expiry, removing includesubdomains in update
+
+Backported by: Aquila Macedo Costa <aquilamac...@riseup.net>.
+
+Changes:
+- Adjust `tests/data/Makefile.inc` to include new HSTS tests (780 - 783).
+- Updates 'Debug' to 'debug' in test data files (`test780`, `test781`,
+ `test782`, `test783`) to align with curl conventions in bookworm and
+ ensure consistency in feature definitions.
+- Additionally, `%LOGDIR` is replaced with log in the test files due to
+ its absence in curl bookworm.
+---
+ tests/data/Makefile.inc | 2 ++
+ tests/data/test780 | 81 +++++++++++++++++++++++++++++++++++++++++++++++
+ tests/data/test781 | 84 +++++++++++++++++++++++++++++++++++++++++++++++++
+ tests/data/test782 | 84 +++++++++++++++++++++++++++++++++++++++++++++++++
+ tests/data/test783 | 84 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 335 insertions(+)
+ create mode 100644 tests/data/test780
+ create mode 100644 tests/data/test781
+ create mode 100644 tests/data/test782
+ create mode 100644 tests/data/test783
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 85b2e8c..379e6e0 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -102,6 +102,8 @@ test700 test701 test702 test703 test704 test705 test706 test707 test708 \
+ test709 test710 test711 test712 test713 test714 test715 test716 test717 \
+ test718 test719 test720 test721 test728\
+ \
++test780 test781 test782 test783 \
++\
+ test800 test801 test802 test803 test804 test805 test806 test807 test808 \
+ test809 test810 test811 test812 test813 test814 test815 test816 test817 \
+ test818 test819 test820 test821 test822 test823 test824 test825 test826 \
+diff --git a/tests/data/test780 b/tests/data/test780
+new file mode 100644
+index 0000000..7bd362a
+--- /dev/null
++++ b/tests/data/test780
+@@ -0,0 +1,81 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP proxy
++HSTS
++</keywords>
++</info>
++
++<reply>
++
++# we use this as response to a CONNECT
++<connect nocheck="yes">
++HTTP/1.1 200 OK
++Server: fake
++
++</connect>
++
++<data nocheck="yes">
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Strict-Transport-Security: max-age=1000
++
++</data>
++</reply>
++
++<client>
++<server>
++http
++http-proxy
++https
++</server>
++<features>
++HSTS
++proxy
++https
++debug
++</features>
++
++<setenv>
++CURL_HSTS_HTTP=yes
++CURL_TIME=1728465947
++</setenv>
++
++<file name="log/input%TESTNUMBER">
++this.hsts.example "99991001 04:47:41"
++</file>
++
++<name>
++HSTS with updated expiry in response
++</name>
++<command>
++-x http://%HOSTIP:%PROXYPORT http://this.hsts.example:%HTTPSPORT/%TESTNUMBER --hsts log/input%TESTNUMBER -k
++</command>
++</client>
++
++<verify>
++
++<stdout>
++HTTP/1.1 200 OK
++Server: fake
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Strict-Transport-Security: max-age=1000
++
++</stdout>
++
++<file name="log/input%TESTNUMBER" mode="text">
++# Your HSTS cache. https://curl.se/docs/hsts.html
++# This file was generated by libcurl! Edit at your own risk.
++this.hsts.example "20241009 09:42:27"
++</file>
++</verify>
++</testcase>
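Review bot: the input stamp "99991001 04:47:41" does not fit a 32-bit time_t, yet unlike 781-783 this test does not list `large-time` in <features>. It still holds because the only entry is overwritten with CURL_TIME + max-age (1728465947 + 1000 = "20241009 09:42:27") before the file is written back, so a capped value is never printed; a one-line note in the backport header saying why 780 is exempt would save the next reader re-deriving that.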
+diff --git a/tests/data/test781 b/tests/data/test781
+new file mode 100644
+index 0000000..e9a023a
+--- /dev/null
++++ b/tests/data/test781
+@@ -0,0 +1,84 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP proxy
++HSTS
++</keywords>
++</info>
++
++<reply>
++
++# we use this as response to a CONNECT
++<connect nocheck="yes">
++HTTP/1.1 200 OK
++Server: fake
++
++</connect>
++
++<data nocheck="yes">
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Strict-Transport-Security: max-age=1000
++
++</data>
++</reply>
++
++<client>
++<server>
++http
++http-proxy
++https
++</server>
++<features>
++HSTS
++proxy
++https
++debug
++large-time
++</features>
++
++<setenv>
++CURL_HSTS_HTTP=yes
++CURL_TIME=1728465947
++</setenv>
++
++<file name="log/input%TESTNUMBER">
++.hsts.example "20991001 04:47:41"
++this.hsts.example "99991001 04:47:41"
++</file>
++
++<name>
++HSTS update expiry, with parent includeSubDomains domain present
++</name>
++<command>
++-x http://%HOSTIP:%PROXYPORT http://this.hsts.example:%HTTPSPORT/%TESTNUMBER --hsts log/input%TESTNUMBER -k
++</command>
++</client>
++
++<verify>
++
++<stdout>
++HTTP/1.1 200 OK
++Server: fake
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Strict-Transport-Security: max-age=1000
++
++</stdout>
++
++<file name="log/input%TESTNUMBER" mode="text">
++# Your HSTS cache. https://curl.se/docs/hsts.html
++# This file was generated by libcurl! Edit at your own risk.
++.hsts.example "20991001 04:47:41"
++this.hsts.example "20241009 09:42:27"
++</file>
++</verify>
++</testcase>
+diff --git a/tests/data/test782 b/tests/data/test782
+new file mode 100644
+index 0000000..8f12658
+--- /dev/null
++++ b/tests/data/test782
+@@ -0,0 +1,84 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP proxy
++HSTS
++</keywords>
++</info>
++
++<reply>
++
++# we use this as response to a CONNECT
++<connect nocheck="yes">
++HTTP/1.1 200 OK
++Server: fake
++
++</connect>
++
++<data nocheck="yes">
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Strict-Transport-Security: max-age=1000; includesubdomains
++
++</data>
++</reply>
++
++<client>
++<server>
++http
++http-proxy
++https
++</server>
++<features>
++HSTS
++proxy
++https
++debug
++large-time
++</features>
++
++<setenv>
++CURL_HSTS_HTTP=yes
++CURL_TIME=1728465947
++</setenv>
++
++<file name="log/input%TESTNUMBER">
++.hsts.example "20991001 04:47:41"
++.this.hsts.example "99991001 04:47:41"
++</file>
++
++<name>
++HSTS update expiry, with two includeSubDomains domains present
++</name>
++<command>
++-x http://%HOSTIP:%PROXYPORT http://this.hsts.example:%HTTPSPORT/%TESTNUMBER --hsts log/input%TESTNUMBER -k
++</command>
++</client>
++
++<verify>
++
++<stdout>
++HTTP/1.1 200 OK
++Server: fake
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Strict-Transport-Security: max-age=1000; includesubdomains
++
++</stdout>
++
++<file name="log/input%TESTNUMBER" mode="text">
++# Your HSTS cache. https://curl.se/docs/hsts.html
++# This file was generated by libcurl! Edit at your own risk.
++.hsts.example "20991001 04:47:41"
++.this.hsts.example "20241009 09:42:27"
++</file>
++</verify>
++</testcase>
+diff --git a/tests/data/test783 b/tests/data/test783
+new file mode 100644
+index 0000000..59313d3
+--- /dev/null
++++ b/tests/data/test783
+@@ -0,0 +1,84 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP proxy
++HSTS
++</keywords>
++</info>
++
++<reply>
++
++# we use this as response to a CONNECT
++<connect nocheck="yes">
++HTTP/1.1 200 OK
++Server: fake
++
++</connect>
++
++<data nocheck="yes">
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Strict-Transport-Security: max-age=1000;
++
++</data>
++</reply>
++
++<client>
++<server>
++http
++http-proxy
++https
++</server>
++<features>
++HSTS
++proxy
++https
++debug
++large-time
++</features>
++
++<setenv>
++CURL_HSTS_HTTP=yes
++CURL_TIME=1728465947
++</setenv>
++
++<file name="log/input%TESTNUMBER">
++.hsts.example "20991001 04:47:41"
++.this.hsts.example "99991001 04:47:41"
++</file>
++
++<name>
++HSTS update expiry, removing includesubdomains in update
++</name>
++<command>
++-x http://%HOSTIP:%PROXYPORT http://this.hsts.example:%HTTPSPORT/%TESTNUMBER --hsts log/input%TESTNUMBER -k
++</command>
++</client>
++
++<verify>
++
++<stdout>
++HTTP/1.1 200 OK
++Server: fake
++
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Strict-Transport-Security: max-age=1000;
++
++</stdout>
++
++<file name="log/input%TESTNUMBER" mode="text">
++# Your HSTS cache. https://curl.se/docs/hsts.html
++# This file was generated by libcurl! Edit at your own risk.
++.hsts.example "20991001 04:47:41"
++this.hsts.example "20241009 09:42:27"
++</file>
++</verify>
++</testcase>
diff -Nru curl-7.88.1/debian/patches/dont-stop-stunnel-before-retry.patch curl-7.88.1/debian/patches/dont-stop-stunnel-before-retry.patch
--- curl-7.88.1/debian/patches/dont-stop-stunnel-before-retry.patch 1969-12-31 21:00:00.000000000 -0300
+++ curl-7.88.1/debian/patches/dont-stop-stunnel-before-retry.patch 2025-01-02 21:11:56.000000000 -0300
@@ -0,0 +1,45 @@
+From f9e8c5f5781c85a16f1da1c55af02e0bdd688af6 Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <d...@coneharvesters.com>
+Date: Mon, 17 Apr 2023 16:57:17 -0700
+Subject: [PATCH] runtests: don't try to stop stunnel before trying again
+
+Calling stopserver() before retrying stunnel due to an error would stop
+the dependent server (such as HTTP) meaning stunnel would have nothing
+to talk to when it came up. Don't try to force a stop when it didn't
+actually start. Also, don't mark the server as bad for future use when
+it starts up on a retry.
+
+Reported-by: eaglegai at github
+Tested-by: eaglegai at github
+Fixes #10976
+
+Backported by: Aquila Macedo Costa <aquilamac...@riseup.net>.
+
+Changes:
+- Apply the changes to `runtests.pl` instead of `servers.pm`, as
+ `servers.pm` does not exist in this version of bookworm.
+---
+ tests/runtests.pl | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tests/runtests.pl b/tests/runtests.pl
+index c4c7717..7ac9de2 100755
+--- a/tests/runtests.pl
++++ b/tests/runtests.pl
+@@ -1837,12 +1837,15 @@ sub runhttpsserver {
+
+ if($httpspid <= 0 || !pidexists($httpspid)) {
+ # it is NOT alive
+- stopserver($server, "$pid2");
++ # don't call stopserver since that will also kill the dependent
++ # server that has already been started properly
+ displaylogs($testnumcheck);
+ $doesntrun{$pidfile} = 1;
+ $httpspid = $pid2 = 0;
+ next;
+ }
++
++ $doesntrun{$pidfile} = 0;
+ # we have a server!
+ if($verbose) {
+ logmsg "RUN: $srvrname server is PID $httpspid port $port\n";
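Review bot: only runhttpsserver() is touched here, whereas the header says upstream applied the change in servers.pm; please confirm that 7.88.1's other stunnel-backed starters in runtests.pl (the ftps one in particular) do not carry the same `stopserver($server, "$pid2")`-on-failure pattern, or they will keep killing the dependent server on a retry. The added `$doesntrun{$pidfile} = 0;` after the retry block correctly matches the commit message's "don't mark the server as bad for future use when it starts up on a retry".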
diff -Nru curl-7.88.1/debian/patches/large-time-testable-feature.patch curl-7.88.1/debian/patches/large-time-testable-feature.patch
--- curl-7.88.1/debian/patches/large-time-testable-feature.patch 1969-12-31 21:00:00.000000000 -0300
+++ curl-7.88.1/debian/patches/large-time-testable-feature.patch 2025-01-02 21:11:56.000000000 -0300
@@ -0,0 +1,60 @@
+From 1c3fcbdaa99a2859ea008061782223f4d1b40cce Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <dan...@haxx.se>
+Date: Sat, 19 Aug 2023 21:20:03 +0200
+Subject: [PATCH] tests: add 'large-time' as a testable feature
+
+This allows test cases to require this feature to run and to be used in
+%if conditions.
+
+Large here means larger than 32 bits. Ie does not suffer from y2038.
+
+Closes #11696
+
+Backported by: Aquila Macedo Costa <aquilamac...@riseup.net>.
+
+Changes:
+- Refresh patch context
+---
+ tests/FILEFORMAT.md | 1 +
+ tests/runtests.pl | 1 +
+ tests/server/disabled.c | 3 +++
+ 3 files changed, 5 insertions(+)
+
+diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md
+index aff0e2d..65df41c 100644
+--- a/tests/FILEFORMAT.md
++++ b/tests/FILEFORMAT.md
+@@ -417,6 +417,7 @@ Features testable here are:
+ - `ipv6`
+ - `Kerberos`
+ - `large_file`
++- `large-time` (time_t is larger than 32 bit)
+ - `ld_preload`
+ - `libssh2`
+ - `libssh`
+diff --git a/tests/runtests.pl b/tests/runtests.pl
+index 1510527..c4c7717 100755
+--- a/tests/runtests.pl
++++ b/tests/runtests.pl
+@@ -3064,6 +3064,7 @@ sub setupfeatures {
+ $feature{"wakeup"} = 1;
+ $feature{"headers-api"} = 1;
+ $feature{"xattr"} = 1;
++ $feature{"large-time"} = 1;
+ $feature{"nghttpx"} = !!$ENV{'NGHTTPX'};
+ $feature{"nghttpx-h3"} = !!$nghttpx_h3;
+ }
+diff --git a/tests/server/disabled.c b/tests/server/disabled.c
+index 7ce2903..48cf878 100644
+--- a/tests/server/disabled.c
++++ b/tests/server/disabled.c
+@@ -78,6 +78,9 @@ static const char *disabled[]={
+ #endif
+ #ifndef USE_XATTR
+ "xattr",
++#endif
++#if (SIZEOF_TIME_T < 5)
++ "large-time",
+ #endif
+ NULL
+ };
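Review bot: `SIZEOF_TIME_T < 5` is the right test for a 32-bit time_t (the value is in bytes, 4 versus 8), but `$feature{"large-time"} = 1` is set unconditionally in runtests.pl, so the feature is only withheld if bookworm's runtests.pl actually consults the list printed by tests/server/disabled and removes those names. Please confirm that path exists in 7.88.1; otherwise tests 781-783 would be attempted on bookworm's 32-bit time_t architectures (i386, armhf), where the 2099 and 9999 stamps cannot be represented.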
diff -Nru curl-7.88.1/debian/patches/series curl-7.88.1/debian/patches/series
--- curl-7.88.1/debian/patches/series 2024-09-17 16:29:24.000000000 -0300
+++ curl-7.88.1/debian/patches/series 2025-01-02 21:11:56.000000000 -0300
@@ -8,6 +8,8 @@
fix-unix-domain-socket.patch
openldap-create-ldap-URLs-correctly-for-IPv6-addresses.patch
+large-time-testable-feature.patch
+dont-stop-stunnel-before-retry.patch
# CVE fixes.
# Patches from 8.0.1.
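Review bot: the order of the two new entries is load-bearing: large-time-testable-feature.patch takes tests/runtests.pl from index 1510527 to c4c7717 and dont-stop-stunnel-before-retry.patch from c4c7717 to 7ac9de2, so swapping them would make the second fail to apply. A short comment above them (test-infrastructure patches, keep in this order) would protect that, since they sit above the "# CVE fixes." marker where nothing else explains why they are there.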
@@ -51,6 +53,10 @@
# Patches from 8.10.0.
CVE-2024-8096.patch
+# Patches from 8.11.0.
+CVE-2024-9681-0.patch
+CVE-2024-9681-1.patch
+
# Do not add patches below.
# Used to generate packages for the other crypto libraries.
90_gnutls.patch
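As an added worked example (not from the bug report, the debdiff or curl itself), the following Python models the load-and-lookup logic changed by CVE-2024-9681-0.patch above: the cache list, Curl_hsts()'s tail/exact matching and hsts_add()'s merge, with a `fixed` switch selecting pre- or post-patch behaviour. It omits expiry purging and the cache-file header, treats the cache-file stamps as UTC, and uses the two input lines of test782; the host `www.this.hsts.example` is a constructed lookup.

```python
"""Model of curl's HSTS cache load and lookup, before and after CVE-2024-9681.

Constructed example: it mirrors the control flow of Curl_hsts() and
hsts_add() from the CVE-2024-9681-0 hunk, with a `fixed` flag selecting the
old or new behaviour. Expiry purging and the cache-file header are omitted.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Entry:
    host: str                 # stored without the leading '.'
    include_subdomains: bool  # True when the cache line started with '.'
    expires: int              # seconds since the epoch


def parse_stamp(stamp: str) -> int:
    """'YYYYMMDD HH:MM:SS' as written in the cache file, taken as UTC."""
    return int(datetime.strptime(stamp, "%Y%m%d %H:%M:%S")
               .replace(tzinfo=timezone.utc).timestamp())


def lookup(cache, hostname, subdomain, *, fixed):
    """Curl_hsts(): the entry governing `hostname`.

    `subdomain` allows includeSubDomains (tail) matches. The old code returns
    the first tail match it sees; the new code lets an exact host win and
    otherwise keeps the longest matching tail.
    """
    hlen = len(hostname)
    best_sub, best_len = None, 0
    for sts in cache:
        if subdomain and sts.include_subdomains:
            ntail = len(sts.host)
            if ntail < hlen:
                offs = hlen - ntail
                tail_ok = (hostname[offs - 1] == "."
                           and hostname[offs:].lower() == sts.host.lower())
                if tail_ok and not fixed:
                    return sts                       # old: first tail match wins
                if tail_ok and ntail > best_len:
                    best_sub, best_len = sts, ntail  # new: remember longest tail
        if hostname.lower() == sts.host.lower():
            return sts                               # exact match always wins
    return best_sub


def load_line(cache, line, *, fixed):
    """hsts_add(): merge one '<host> "<stamp>"' cache-file line."""
    host, stamp = line.split(" ", 1)
    expires = parse_stamp(stamp.strip('"'))
    subdomain = host.startswith(".")
    p = host[1:] if subdomain else host
    e = lookup(cache, p, subdomain, fixed=fixed)
    if e is None:
        cache.append(Entry(p, subdomain, expires))
    elif not fixed or p.lower() == e.host.lower():
        # old: any match, a parent wildcard included, takes the larger expiry
        # new: only an entry for the very same host does
        if expires > e.expires:
            e.expires = expires


def load(lines, *, fixed):
    cache = []
    for line in lines:
        load_line(cache, line, fixed=fixed)
    return cache


# The two input lines of test782 from the debdiff: a parent wildcard entry
# followed by a much longer-lived wildcard entry for one of its subdomains.
TEST782_INPUT = [
    '.hsts.example "20991001 04:47:41"',
    '.this.hsts.example "99991001 04:47:41"',
]


def parent_expiry_after_load(fixed):
    """Expiry of .hsts.example once TEST782_INPUT has been loaded."""
    cache = load(TEST782_INPUT, fixed=fixed)
    return next(e.expires for e in cache if e.host == "hsts.example")


def hosts_after_load(fixed):
    """Hosts the cache holds after loading TEST782_INPUT."""
    return [e.host for e in load(TEST782_INPUT, fixed=fixed)]


def governing_entry(fixed):
    """Entry chosen for a constructed deeper subdomain when both wildcards exist."""
    cache = [Entry("hsts.example", True, parse_stamp("20991001 04:47:41")),
             Entry("this.hsts.example", True, parse_stamp("99991001 04:47:41"))]
    return lookup(cache, "www.this.hsts.example", True, fixed=fixed).host


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "old  ", hosts_after_load(fixed),
              parent_expiry_after_load(fixed), governing_entry(fixed))
```

Run it and the old path shows the CVE: loading test782's second line bumps `.hsts.example` to the year-9999 expiry of its subdomain, and a deeper name such as `www.this.hsts.example` is governed by the parent entry simply because it comes first in the list. The fixed path leaves the parent's expiry alone and picks the longest tail. `hosts_after_load` is the same in both modes, which is worth knowing when inspecting a cache file after a reload: a wildcard line whose parent wildcard is already present does not end up as its own entry.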