[24.11] curl: 8.11.1 -> 8.12.0 #380764
[24.11] curl: 8.11.1 -> 8.12.0 #380764
Conversation
|
CVE-2025-0665 is not fixed by this PR, I believe. That's the patch you're removing. |
|
Sorry, I don't follow - this is straight cherry-pick of #379541, and the bump to 8.12 fixes that CVE: https://curl.se/docs/CVE-2025-0665.html |
|
Yes, It's wrong described in the original PR. We were applying patch for that CVE. This PR removes that patch and uses a release that contains the same patch. In other words, we had the CVE fix some time ago already, so it's confusing to say that this PR fixes it. |
|
I'm happy to change the commit message if you'd like me to! My understanding was it was good form for backport PRs to not alter commit messages much when you cherry-pick. The more pressing reason to backport the 8.11.1 -> 8.12 bump is to fix curl/curl#15767, which breaks everything that uses Basic HTTP auth via netrc. (e.g., Cachix, which has been busted on 24.11 since the 8.11.1 bump in December.) |
https://github.com/curl/curl/releases/tag/curl-8_12_0 https://curl.se/ch/8.12.0.html Fixes Basic HTTP auth via netrc: curl/curl#15767 (cherry picked from commit b158812)
Signed-off-by: Sefa Eyeoglu <[email protected]> (cherry picked from commit 4608f17)
Makes tests pass on 8.12.0 Co-authored-by: Martin Weinelt <[email protected]> (cherry picked from commit bb92d2b)
mrkline
force-pushed
the
backport-379541-to-staging-24.11
branch
from
7465a05 to
d39cb7e
Compare
|
I've removed the confusing mentions of the specific CVEs from the commit message. Let me know if there's anything else I should do. |
Backports #379541
https://github.com/curl/curl/releases/tag/curl-8_12_0
https://curl.se/ch/8.12.0.html
Fixes Basic HTTP auth via netrc:
curl/curl#15767
Things done
nix.conf? (See Nix manual)sandbox = relaxedsandbox = truenix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)Add a 👍 reaction to pull requests you find important.