Description: "An application that performs multiple requests with libcurl's multi API and sets the `CURLOPT_CONNECT_ONLY` option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection - and instead pick another one the application has created since then. [...] The application could then accidentally send data over that connection which wasn't at all intended for that recipient, entirely unknowingly."
Please bump to 7.72.0. Thanks!
(In reply to Sam James from comment #1)
> Please bump to 7.72.0. Thanks!

bumped
(In reply to Anthony Basile from comment #2)
> (In reply to Sam James from comment #1)
> > Please bump to 7.72.0. Thanks!
>
> bumped

Thanks, let us know when ready to stable.
Sanity check failed:

> net-misc/curl-7.72.0
>   depend hppa stable profile default/linux/hppa/17.0 (11 total)
>     net-libs/mbedtls:0=
>   rdepend hppa stable profile default/linux/hppa/17.0 (11 total)
>     net-libs/mbedtls:0=
(In reply to NATTkA bot from comment #4)
> Sanity check failed:
>
> > net-misc/curl-7.72.0
> >   depend hppa stable profile default/linux/hppa/17.0 (11 total)
> >     net-libs/mbedtls:0=
> >   rdepend hppa stable profile default/linux/hppa/17.0 (11 total)
> >     net-libs/mbedtls:0=

looks like hppa will either have to stabilize mbedtls or mask.

@sam It should be ready now. Would you give a quick test at your end and start the process if it works for you --- I did test at my end, but two eyes are better than one.
(In reply to Anthony Basile from comment #5)
> @sam It should be ready now. Would you give a quick test at your end and
> start the process if it works for you --- I did test at my end, but two eyes
> are better than one.

Of course. I'll get on it shortly and let you know.

BTW:
[18:30:50] <@sam_> blueness_: I wonder if we need a 7.72.0-r1 for curl or something
[18:31:01] <@sam_> to allow us to stabilise without the new curl use magic :/
[18:31:26] <@sam_> I can do it if you want (kill -r0, -r1 without the magic which we stable soon, -r2 with curl use magic)
[18:31:52] <@sam_> I only realised when Nattka complained about mbedtls
[18:31:53] <@sam_> then it twigged.

If you're happy with the "new USE magic", we can just go with it provided it works fine on my machine.

For reference, the changes were committed on the 4th August, but I think all the issues were to do with LibreSSL which we shook out pretty quick. No more bugs as far as I see.
(In reply to Sam James from comment #6)
> (In reply to Anthony Basile from comment #5)
> > @sam It should be ready now. Would you give a quick test at your end and
> > start the process if it works for you --- I did test at my end, but two eyes
> > are better than one.
>
> Of course. I'll get on it shortly and let you know.
>
> BTW:
> [18:30:50] <@sam_> blueness_: I wonder if we need a 7.72.0-r1 for curl or
> something
> [18:31:01] <@sam_> to allow us to stabilise without the new curl use magic
> :/
> [18:31:26] <@sam_> I can do it if you want (kill -r0, -r1 without the magic
> which we stable soon, -r2 with curl use magic)
> [18:31:52] <@sam_> I only realised when Nattka complained about mbedtls
> [18:31:53] <@sam_> then it twigged.
>
> If you're happy with the "new USE magic", we can just go with it provided it
> works fine on my machine.
>
> For reference, the changes were committed on the 4th August, but I think all
> the issues were to do with LibreSSL which we shook out pretty quick. No more
> bugs as far as I see.

Let's go with the new USE magic.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c31fa4af24cf680de0b3c5b0764189ae224d000

commit 1c31fa4af24cf680de0b3c5b0764189ae224d000
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-31 02:54:08 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-31 02:54:53 +0000

    profiles/arch/{hppa, sparc}: stable-mask net-misc/curl[mbedtls]

    Bug: https://bugs.gentoo.org/737990
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/arch/hppa/package.use.stable.mask  | 2 +-
 profiles/arch/sparc/package.use.stable.mask | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(In reply to Anthony Basile from comment #7)
> (In reply to Sam James from comment #6)
[...]
> Let's go with the new USE magic.

Sorry for delay, wanted to check I was happy as per our IRC chat!
x86 stable
amd64 done
sparc done
arm done
arm64 done
ppc64 stable
hppa stable
ppc, s390: ping
s390 stable
ppc stable. Maintainer(s), please cleanup. Security, please vote.
Added to an existing GLSA request.
Unable to check for sanity:

> no match for package: net-misc/curl-7.72.0
This issue was resolved and addressed in GLSA 202012-14 at https://security.gentoo.org/glsa/202012-14 by GLSA coordinator Thomas Deutschmann (whissi).