Opened 4 months ago

Closed 3 months ago

#20790 closed enhancement (fixed)

cURL-8.11.1

Reported by: zeckma
Owned by: Douglas R. Reno
Priority: elevated
Milestone: 12.3
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point release.

Change History (10)

comment:1 by zeckma, 4 months ago

Full changelog: https://curl.se/ch/8.11.1.html

There was also a CVE fixed, see https://curl.se/docs/CVE-2024-11053.html.

CVE-2024-11053 allows cURL to leak the password for the first-host to the followed-to host under certain conditions when being asked to use a .netrc file and to follow HTTP redirects. Read more details at the link above.

comment:2 by zeckma, 4 months ago

Priority: normal → elevated

comment:3 by martyj19, 4 months ago

Arch has a workaround (ac_cv_func_eventfd=no) for this

https://github.com/curl/curl/issues/15725

comment:4 by Xi Ruoyao, 4 months ago (in reply to: comment:3)

Replying to martyj19:

> Arch has a workaround (ac_cv_func_eventfd=no) for this
>
> https://github.com/curl/curl/issues/15725

https://github.com/curl/curl/commit/ff5091aa9f73802e894b1cbdf24ab84e103200e2.patch

Or maybe just use a sed to remove these 3 lines supposed to be taken out by the ifdef.

comment:5 by martyj19, 4 months ago

Arch has now picked up the patch referenced above, which wasn't available at the time of their workaround.

comment:6 by zeckma, 4 months ago

I should reiterate that this update fixes the CVE, not discovered after the update released. For all the bugs this update fixes, to me it just makes sense to update this package instead of just applying a patch/sed and skipping this update.

comment:7 by martyj19, 3 months ago

Both are needed. The 8.11.1 update fixes bugs, but it has a regression involving eventfd that is fixed by the patch/sed applied to 8.11.1.

comment:8 by Douglas R. Reno, 3 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:9 by Douglas R. Reno, 3 months ago

Fixed at 90c24db17664c42d4491ed47102462170c3df24d

SA to come in the morning.

comment:10 by Douglas R. Reno, 3 months ago

Resolution: fixed
Status: assigned → closed

SA-12.2-059 issued
