Ubuntu
curl package

please merge curl from debian

Bug #1459685 reported by LocutusOfBorg on 2015-05-28
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
curl (Ubuntu)
Fix Released
Undecided
Unassigned
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

debdiff attached.

Related branches

lp:ubuntu/wily-proposed/curl

CVE References

LocutusOfBorg (costamagnagianfranco) wrote :
LocutusOfBorg (costamagnagianfranco) wrote :

package building on ppa:costamagnagianfranco/locutusofborg-ppa
(and built successfully on local wily pbuilder)

Martin Pitt (pitti) wrote :

There is nothing in debian/ which would fill the two udebs (ubuntu delta) with anything -- no *.install files, no code in debian/rules. And indeed libcurl3-udeb and curl-udeb are empty. While this is certainly not the fault of *this* merge, this should be rectified.

Please do some research when this got broken. If this situation is already like that for a long time (pre-trusty), then obviously nobody has actually missed these udebs and they should just be removed. Please talk to the installer team about that, in particular https://launchpad.net/~mathieu-tl . If we don't need them any more, please drop the remainders (in debian/control and merge changelog) in that merge. If we still need them, and the empty udebs broke anything, please fish them out of the previous merge which broke this. Thanks!

Changed in curl (Ubuntu):
status: New → Incomplete
LocutusOfBorg (costamagnagianfranco) wrote :

Hi Martin, after some research I found they were added for bug
https://bugs.launchpad.net/ubuntu/+source/xmlrpc-c/+bug/831496

there were both .install and .links files, after a while they became symlinks, and after they disappeared between 7.29 and 7.30, so far before trusty.

Since we are in the early development, I proposed to sed them out and see if any regression (unlikely) is spotted.

@mathieu, what is your opinion on this matter? do we really need the two empty packages?

Changed in curl (Ubuntu):
status: Incomplete → New
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in curl (Ubuntu):
status: New → Confirmed
Martin Pitt (pitti) wrote :

> Since we are in the early development, I proposed to sed them out and see if any regression (unlikely) is spotted.

Works for me. If this got broken pre-trusty it's indeed unlikely to still be needed.

LocutusOfBorg (costamagnagianfranco) wrote :

I'm attaching an updated debdiff.

Martin Pitt (pitti) wrote :

Looks good now, thank you!

LocutusOfBorg (costamagnagianfranco) wrote :

Please note this upload is stuck by LP: #1462934

Marc Deslauriers (mdeslaur) wrote :

curl 7.43.0-1ubuntu1 is now in wily-proposed, awaiting a transition.
Since there is nothing to sponsor, I am unsubscribing ubuntu-sponsors from this bug.

Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package curl - 7.43.0-1ubuntu1

---------------
curl (7.43.0-1ubuntu1) wily; urgency=medium

  * Merge from Debian. Remaining changes:
    - Drop dependencies not in main:
      + Build-Depends: Drop stunnel4 and libssh2-1-dev.
      + Drop libssh2-1-dev from binary package Depends.

curl (7.43.0-1) unstable; urgency=medium

  * New upstream release
    - Fix lingering HTTP credentials in connection re-use as per CVE-2015-3236
      http://curl.haxx.se/docs/adv_20150617A.html
    - Fix SMB send off unrelated memory contents as per CVE-2015-3237
      http://curl.haxx.se/docs/adv_20150617B.html
  * Refresh patches
  * Fix spelling-error-in-description

 -- Marc Deslauriers <email address hidden> Thu, 18 Jun 2015 07:39:39 -0400

Changed in curl (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.
Subscribing...

Other bug subscribers