Created attachment 240586
Patch file
Update to 7.88.1.
ChangeLog: https://curl.se/changes.html#7_88_1
MFH: 2023Q1
Security: be233fc6-bae7-11ed-a4fb-080027f5fec9
Please change importance to: affects many people
This upgrade fixes multiple vulnerabilities:
<topic>curl -- multiple vulnerabilities</topic>
<affects>
  <package>
    <name>curl</name>
    <range><lt>7.88.0</lt></range>
  </package>
</affects>
<description>
  <body xmlns="http://www.w3.org/1999/xhtml">
    <p>Harry Sintonen and Patrick Monnerat report:</p>
    <blockquote cite="https://curl.se/docs/security.html">
      <dl>
        <dt>CVE-2023-23914</dt>
        <dt>CVE-2023-23915</dt>
        <dt>CVE-2023-23916</dt>
Please set Keyword: security
Created attachment 240728
[PATCH] lib/url.c - update the patch
Hi, Is there any specific reason to remove the patch-lib-url.c patch? I've added the updated version of that one. Thank you.
(In reply to Sergey A. Osokin from comment #3) I removed it because it can't be cleanly applied to lib/url.c of 7.88.1.
Sergey, can you please submit that upstream?
(In reply to Daniel Engberg from comment #5) Hi Daniel, the original patch was committed by @roam 20 years ago, https://github.com/freebsd/freebsd-ports/commit/e206293405dfb60cbbea01d542d7e367eca8a9d3 I'm not totally sure of its validity for now, so I'd prefer to pass your request to the port maintainer, thanks.
While we are here, can we change the WWW: value to a single website please?
(In reply to Dan Langille from comment #7) Please submit patch as another bug report.
Hi, Sorry it took me a while to reply even after I was summoned :) (there was some trouble with my Bugzilla account, all sorted out now, thanks to the bugmeisters!) So I'd just like to say that I wrote that patch 20 years ago, and it was certainly needed back then, but "back then" was in the times of FreeBSD 4.x's very special threading libraries, and of FreeBSD 5.x's SMPng being still a work in progress... ...so it is entirely possible, and I would even say very, very likely, that cURL does not need that patch in the year 2023. I'd say that if it builds, if the tests pass, then it would be better to drop the patch (and maybe I should have dropped it at some point in the years before 2012 when I handed my commit bit for safekeeping). Thanks a lot to everyone for taking care of cURL - and not just cURL - in FreeBSD! G'luck, Peter
(In reply to Peter Pentchev from comment #9) Thank you, Peter!
Maintainer timeout. Take.
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=90ac2baf0f47d4ab631ddeb3f88c23590de64423
commit 90ac2baf0f47d4ab631ddeb3f88c23590de64423
Author:     Yasuhiro Kimura <yasu@FreeBSD.org>
AuthorDate: 2023-03-05 00:33:51 +0000
Commit:     Yasuhiro Kimura <yasu@FreeBSD.org>
CommitDate: 2023-03-19 02:36:59 +0000
    ftp/curl: Update to 7.88.1
    ChangeLog: https://curl.se/changes.html#7_88_1
    PR: 269967
    Approved by: maintainer timeout
    MFH: 2023Q1
    Security: be233fc6-bae7-11ed-a4fb-080027f5fec9
 ftp/curl/Makefile | 3 +--
 ftp/curl/distinfo | 6 +++---
 ftp/curl/files/patch-lib-url.c (gone) | 18 ------------------
 ftp/curl/pkg-plist | 1 -
 4 files changed, 4 insertions(+), 24 deletions(-)
A commit in branch 2023Q1 references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=9f291ac624c038f2f45f3a9b000228a38dee929f
commit 9f291ac624c038f2f45f3a9b000228a38dee929f
Author:     Yasuhiro Kimura <yasu@FreeBSD.org>
AuthorDate: 2023-03-05 00:33:51 +0000
Commit:     Yasuhiro Kimura <yasu@FreeBSD.org>
CommitDate: 2023-03-19 02:45:36 +0000
    ftp/curl: Update to 7.88.1
    ChangeLog: https://curl.se/changes.html#7_88_1
    PR: 269967
    Approved by: maintainer timeout
    MFH: 2023Q1
    Security: be233fc6-bae7-11ed-a4fb-080027f5fec9
    (cherry picked from commit 90ac2baf0f47d4ab631ddeb3f88c23590de64423)
 ftp/curl/Makefile | 3 +--
 ftp/curl/distinfo | 6 +++---
 ftp/curl/files/patch-lib-url.c (gone) | 18 ------------------
 ftp/curl/pkg-plist | 1 -
 4 files changed, 4 insertions(+), 24 deletions(-)
(In reply to Peter Pentchev from comment #9) Thanks for providing additional information! :-)