Version in base suite: 7.74.0-1.3+deb11u3
Version in overlay suite: 7.74.0-1.3+deb11u5

Base version: curl_7.74.0-1.3+deb11u5
Target version: curl_7.74.0-1.3+deb11u6
Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/curl/curl_7.74.0-1.3+deb11u5.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/c/curl/curl_7.74.0-1.3+deb11u6.dsc

 changelog                           |   11 +++++++++++
 patches/CVE-2022-27774_2_of_4.patch |   14 +++++++++++---
 2 files changed, 22 insertions(+), 3 deletions(-)

diff -Nru curl-7.74.0/debian/changelog curl-7.74.0/debian/changelog
--- curl-7.74.0/debian/changelog	2022-12-31 14:35:15.000000000 +0000
+++ curl-7.74.0/debian/changelog	2023-02-21 13:47:56.000000000 +0000
@@ -1,3 +1,14 @@
+curl (7.74.0-1.3+deb11u6) bullseye-security; urgency=high
+
+  * Follow up to CVE-2022-27774:
+    The revised patch for this CVE in 7.74.0-1.3+deb11u5 contained a defect
+    such that it incorrectly manages redirects with authentication.  As a
+    result, authetication credentials are cleared in some instances where they
+    should be retained, breaking certain requests.  The patch is corrected in
+    this version.
+
+ -- Roberto C. Sánchez <roberto@debian.org>  Tue, 21 Feb 2023 08:47:56 -0500
+
 curl (7.74.0-1.3+deb11u5) bullseye-security; urgency=high
 
   * Follow up to CVE-2022-27774:
diff -Nru curl-7.74.0/debian/patches/CVE-2022-27774_2_of_4.patch curl-7.74.0/debian/patches/CVE-2022-27774_2_of_4.patch
--- curl-7.74.0/debian/patches/CVE-2022-27774_2_of_4.patch	2022-12-31 14:35:15.000000000 +0000
+++ curl-7.74.0/debian/patches/CVE-2022-27774_2_of_4.patch	2023-02-21 13:47:56.000000000 +0000
@@ -21,14 +21,22 @@
 Reported-by: Harry Sintonen
 Closes #8748
 ---
- lib/transfer.c |   47 ++++++++++++++++++++++++++++++++++++++++++++++-
+ lib/transfer.c |   48 +++++++++++++++++++++++++++++++++++++++++++++++-
  lib/url.c      |   35 +++++++++++++++++++++--------------
  lib/urldata.h  |    1 +
- 3 files changed, 68 insertions(+), 15 deletions(-)
+ 3 files changed, 69 insertions(+), 15 deletions(-)
 
 --- a/lib/transfer.c
 +++ b/lib/transfer.c
-@@ -1645,10 +1645,55 @@
+@@ -1467,6 +1467,7 @@
+   data->state.wildcardmatch = data->set.wildcard_enabled;
+   data->set.followlocation = 0; /* reset the location-follow counter */
+   data->state.this_is_a_follow = FALSE; /* reset this */
++  data->state.this_is_a_follow_without_auth = FALSE;
+   data->state.errorbuf = FALSE; /* no error has occurred */
+   data->state.httpversion = 0; /* don't assume any particular server version */
+ 
+@@ -1645,10 +1646,55 @@
        return CURLE_OUT_OF_MEMORY;
    }
    else {