Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

I prepared a pu upload for curl based on 7.26.0-1+wheezy3 (already in pu via stable-sec), which fixes #705783 for wheezy as well. This bug is related to #705648 in apt, which got fixed in the apt 0.9.7.9 stable upload [0].

Basically, the fix in apt for #705648 is partly useless without the fix in curl for #705783 (also see #719300), and since the fixed apt got included into pu [1], I figured that the curl fix should probably go into pu as well.

Anyway, see attached diff and let me know what you think.

Cheers

[0] http://packages.qa.debian.org/a/apt/news/20130605T231705Z.html
[1] http://lists.debian.org/debian-release/2013/06/msg00130.html

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.10-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru curl-7.26.0/debian/changelog curl-7.26.0/debian/changelog --- curl-7.26.0/debian/changelog 2013-08-10 16:40:41.000000000 +0200 +++ curl-7.26.0/debian/changelog 2013-08-10 16:46:18.000000000 +0200 @@ -1,3 +1,9 @@ +curl (7.26.0-1+wheezy4) stable-proposed-updates; urgency=low + + * Add 09_reset-timecond.patch (Closes: #705783, #719300) + + -- Alessandro Ghedini <gh...@debian.org> Sat, 10 Aug 2013 16:45:38 +0200 + curl (7.26.0-1+wheezy3) stable-security; urgency=high * Fix URL decode buffer boundary flaw as per CVE-2013-2174 diff -Nru curl-7.26.0/debian/patches/09_reset-timecond.patch curl-7.26.0/debian/patches/09_reset-timecond.patch --- curl-7.26.0/debian/patches/09_reset-timecond.patch 1970-01-01 01:00:00.000000000 +0100 +++ curl-7.26.0/debian/patches/09_reset-timecond.patch 2013-08-10 16:46:18.000000000 +0200 @@ -0,0 +1,20 @@ +From b4e6a3a974c24ca2aee77150a633ac85e807a3e7 Mon Sep 17 00:00:00 2001 +From: Alessandro Ghedini <alessan...@ghedini.me> +Date: Sat, 20 Apr 2013 12:09:55 +0200 +Subject: [PATCH] getinfo.c: reset timecond when clearing session-info + variables + +Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=705783 +Reported-by: Ludovico Cavedon <cave...@debian.org> +Origin: upstream, https://github.com/bagder/curl/commit/c49ed0b + +--- a/lib/getinfo.c ++++ b/lib/getinfo.c +@@ -55,6 +55,7 @@ + info->httpcode = 0; + info->httpversion=0; + info->filetime=-1; /* -1 is an illegal time and thus means unknown */ ++ info->timecond=0; + + if(info->contenttype) + free(info->contenttype); diff -Nru curl-7.26.0/debian/patches/series curl-7.26.0/debian/patches/series --- curl-7.26.0/debian/patches/series 2013-08-10 16:40:41.000000000 +0200 +++ curl-7.26.0/debian/patches/series 2013-08-10 16:46:18.000000000 +0200 @@ -6,6 +6,7 @@ 06_curl-tailmatch-CVE-2013-1944.patch 07_test1218-another-cookie-tailmatch-test.patch 08_CVE-2013-2174.patch +09_reset-timecond.patch 90_gnutls.patch 99_nss.patch
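
Review bot: the new 7.26.0-1+wheezy4 entry in debian/changelog only names the patch file ("Add 09_reset-timecond.patch") and does not say what the patch changes. For a stable-proposed-updates upload it would help to state the fix in the entry itself, for example that timecond is now reset when the session-info variables are cleared (the wording of the patch subject), so the entry can be assessed without opening the patch.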
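
Review bot: in the lib/getinfo.c hunk of 09_reset-timecond.patch, the added `info->timecond=0;` has no comment, while the `info->filetime=-1;` line directly above it explains what its value means. A short comment saying what 0 stands for here would match that line. The patch header links to the bug but has no sentence describing the effect of the stale value, which a reader of the patch alone would want. No test accompanies the change, although the series already carries a test-only patch for another fix (07_test1218-another-cookie-tailmatch-test.patch); a similar regression test for this reset would be worth considering.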