Opened 4 months ago
Closed 4 months ago
#20790 closed enhancement (fixed)
cURL-8.11.1
| Reported by: | zeckma | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | elevated | Milestone: | 12.3 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description ¶
New point release.
Change History (10)
comment:1 by , 4 months ago
comment:2 by , 4 months ago
| Priority: | normal → elevated |
|---|
follow-up: 4 comment:3 by , 4 months ago
Arch has a workaround (ac_cv_func_eventfd=no) for this
https://github.com/curl/curl/issues/15725
comment:4 by , 4 months ago
Replying to martyj19:
Arch has a workaround (ac_cv_func_eventfd=no) for this
https://github.com/curl/curl/issues/15725
https://github.com/curl/curl/commit/ff5091aa9f73802e894b1cbdf24ab84e103200e2.patch
Or maybe just use a sed to remove these 3 lines supposed to be taken out by the ifdef.
comment:5 by , 4 months ago
Arch has now picked up the patch referenced above, which wasn't available at the time of their workaround.
comment:6 by , 4 months ago
I should reiterate that this update fixes the CVE, not discovered after the update released. For all the bugs this update fixes, to me it just makes sense to update this package instead of just applying a patch/sed and skipping this update.
comment:7 by , 4 months ago
Both are needed. The 8.11.1 update fixes bugs, but it has a regression involving eventfd that is fixed by the patch/sed applied to 8.11.1.
comment:8 by , 4 months ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:9 by , 4 months ago
Fixed at 90c24db17664c42d4491ed47102462170c3df24d
SA to come in the morning.
Full changelog: https://curl.se/ch/8.11.1.html
There was also a CVE fixed, see https://curl.se/docs/CVE-2024-11053.html.
CVE-2024-11053 allows cURL to leak the password for the first-host to the followed-to host under certain conditions when being asked to use a
.netrcfile and to follow HTTP redirects. Read more details at the link above.