Version in base suite: 7.74.0-1.3+deb11u3 Version in overlay suite: 7.74.0-1.3+deb11u5 Base version: curl_7.74.0-1.3+deb11u5 Target version: curl_7.74.0-1.3+deb11u7 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/curl/curl_7.74.0-1.3+deb11u5.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/curl/curl_7.74.0-1.3+deb11u7.dsc changelog | 18 ++ patches/CVE-2022-27774_2_of_4.patch | 14 +- patches/CVE-2023-23916.patch | 217 ++++++++++++++++++++++++++++++++++++ patches/series | 1 4 files changed, 247 insertions(+), 3 deletions(-)
diff -Nru curl-7.74.0/debian/changelog curl-7.74.0/debian/changelog
--- curl-7.74.0/debian/changelog 2022-12-31 14:35:15.000000000 +0000
+++ curl-7.74.0/debian/changelog 2023-02-23 22:09:57.000000000 +0000
@@ -1,3 +1,21 @@
+curl (7.74.0-1.3+deb11u7) bullseye-security; urgency=medium
+
+ * Fix CVE-2023-23916: HTTP multi-header compression denial of service:
+ - Done by d/p/CVE-2023-23916.patch.
+
+ -- Samuel Henrique Thu, 23 Feb 2023 22:09:57 +0000
+
+curl (7.74.0-1.3+deb11u6) bullseye-security; urgency=high
+
+ * Follow up to CVE-2022-27774:
+ The revised patch for this CVE in 7.74.0-1.3+deb11u5 contained a defect
+ such that it incorrectly manages redirects with authentication. As a
+ result, authetication credentials are cleared in some instances where they
+ should be retained, breaking certain requests. The patch is corrected in
+ this version (closes: #1030863).
+
+ -- Roberto C. Sánchez Tue, 21 Feb 2023 08:47:56 -0500
+
 curl (7.74.0-1.3+deb11u5) bullseye-security; urgency=high
 * Follow up to CVE-2022-27774:
diff -Nru curl-7.74.0/debian/patches/CVE-2022-27774_2_of_4.patch curl-7.74.0/debian/patches/CVE-2022-27774_2_of_4.patch
--- curl-7.74.0/debian/patches/CVE-2022-27774_2_of_4.patch 2022-12-31 14:35:15.000000000 +0000
+++ curl-7.74.0/debian/patches/CVE-2022-27774_2_of_4.patch 2023-02-23 22:09:57.000000000 +0000
@@ -21,14 +21,22 @@
 Reported-by: Harry Sintonen
 Closes #8748
 ---
- lib/transfer.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++-
+ lib/transfer.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
 lib/url.c | 35 +++++++++++++++++++++--------------
 lib/urldata.h | 1 +
- 3 files changed, 68 insertions(+), 15 deletions(-)
+ 3 files changed, 69 insertions(+), 15 deletions(-)
 --- a/lib/transfer.c
 +++ b/lib/transfer.c
-@@ -1645,10 +1645,55 @@
+@@ -1467,6 +1467,7 @@
+ data->state.wildcardmatch = data->set.wildcard_enabled;
+ data->set.followlocation = 0; /* reset the location-follow counter */
+ data->state.this_is_a_follow = FALSE; /* reset this */
++ data->state.this_is_a_follow_without_auth = FALSE;
+ data->state.errorbuf = FALSE; /* no error has occurred */
+ data->state.httpversion = 0; /* don't assume any particular server version */
+
+@@ -1645,10 +1646,55 @@
 return CURLE_OUT_OF_MEMORY;
 }
 else {
diff -Nru curl-7.74.0/debian/patches/CVE-2023-23916.patch curl-7.74.0/debian/patches/CVE-2023-23916.patch
--- curl-7.74.0/debian/patches/CVE-2023-23916.patch 1970-01-01 00:00:00.000000000 +0000
+++ curl-7.74.0/debian/patches/CVE-2023-23916.patch 2023-02-23 22:09:57.000000000 +0000
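Review bot: The corrected CVE-2022-27774 patch still ships without a regression test: its diffstat in this hunk lists only lib/transfer.c, lib/url.c and lib/urldata.h. The added `data->state.this_is_a_follow_without_auth = FALSE;` in the inner `@@ -1467,6 +1467,7 @@` hunk resets the flag next to `this_is_a_follow`, presumably at the start of every transfer, which matches the changelog's description of credentials being cleared when they should be retained. A test that reuses one handle for an authenticated request after an earlier transfer followed a redirect would pin that behaviour (assuming that is the path behind #1030863). The new line is also the only reset in that group without a trailing comment; something like `/* reset: credentials apply again to a new transfer */` would match its neighbours. The enclosing function starts and ends outside the hunk.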
@@ -0,0 +1,217 @@
+From 119fb187192a9ea13dc90d9d20c215fc82799ab9 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat
+Date: Mon, 13 Feb 2023 08:33:09 +0100
+Subject: [PATCH] content_encoding: do not reset stage counter for each header
+
+Origin: https://github.com/curl/curl/commit/119fb187192a9ea13dc90d9d20c215fc82799ab9
+
+This patch was backported and may contain changes done by
+Samuel Henrique
+
+Index: curl/lib/content_encoding.c
+===================================================================
+--- curl.orig/lib/content_encoding.c
++++ curl/lib/content_encoding.c
+@@ -1037,7 +1037,6 @@ CURLcode Curl_build_unencoding_stack(str
+ {
+ struct Curl_easy *data = conn->data;
+ struct SingleRequest *k = &data->req;
+- int counter = 0;
+
+ do {
+ const char *name;
+@@ -1072,9 +1071,9 @@ CURLcode Curl_build_unencoding_stack(str
+ if(!encoding)
+ encoding = &error_encoding; /* Defer error at stack use. */
+
+- if(++counter >= MAX_ENCODE_STACK) {
+- failf(data, "Reject response due to %u content encodings",
+- counter);
++ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) {
++ failf(data, "Reject response due to more than %u content encodings",
++ MAX_ENCODE_STACK);
+ return CURLE_BAD_CONTENT_ENCODING;
+ }
+ /* Stack the unencoding stage. */
+Index: curl/lib/urldata.h
+===================================================================
+--- curl.orig/lib/urldata.h
++++ curl/lib/urldata.h
+@@ -665,6 +665,7 @@ struct SingleRequest {
+ struct dohdata doh; /* DoH specific data for this request */
+ #endif
+ unsigned char setcookies;
++ unsigned char writer_stack_depth; /* Unencoding stack depth. */
+ BIT(header); /* incoming data has HTTP header */
+ BIT(content_range); /* set TRUE if Content-Range: was found */
+ BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding
+Index: curl/tests/data/test418
+===================================================================
+--- /dev/null
++++ curl/tests/data/test418
+@@ -0,0 +1,152 @@
++
++
++
++HTTP
++gzip
++
++
++
++#
++# Server-side
++
++
++HTTP/1.1 200 OK
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++
++-foo-
++
++
++
++#
++# Client-side
++
++
++http
++
++
++Response with multiple Transfer-Encoding headers
++
++
++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
++
++
++
++#
++# Verify data after the test has been "shot"
++
++
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/%VERSION
++Accept: */*
++
++
++
++# CURLE_BAD_CONTENT_ENCODING is 61
++
++61
++
++
++curl: (61) Reject response due to more than 5 content encodings
++
++
++
+Index: curl/tests/data/Makefile.inc
+===================================================================
+--- curl.orig/tests/data/Makefile.inc
++++ curl/tests/data/Makefile.inc
+@@ -64,7 +64,7 @@ test359 \
+ test393 test394 test395 test396 test397 \
+ \
+ test400 test401 test402 test403 test404 test405 test406 test407 test408 \
+-test409 \
++test409 test418 \
+ \
+ test430 test431 test432 test433 test434 \
+ \
diff -Nru curl-7.74.0/debian/patches/series curl-7.74.0/debian/patches/series
---
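Review bot: `writer_stack_depth` is only ever incremented in this patch, at `if(k->writer_stack_depth++ >= MAX_ENCODE_STACK)` in the `@@ -1072,9 +1071,9 @@` hunk of lib/content_encoding.c, and nothing shown resets it. Moving the count into struct SingleRequest is what stops a server from bypassing the limit by spreading encodings over many headers, but it now depends on the request state being zeroed for each new request, which is not visible here. If the unencoding stack can be freed and rebuilt within one request, the stale depth could cause a legitimate response to be rejected; resetting it where the stack is cleaned up, e.g. `k->writer_stack_depth = 0;`, would keep counter and stack in step. The field comment in lib/urldata.h could also say that the depth accumulates over every encoding header of a response, e.g. `/* Unencoding stack depth, summed over all encoding headers. */`. Curl_build_unencoding_stack continues outside the hunks.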
curl-7.74.0/debian/patches/series 2022-12-31 14:35:15.000000000 +0000
+++ curl-7.74.0/debian/patches/series 2023-02-23 22:09:57.000000000 +0000
@@ -31,6 +31,7 @@
 test8-verify-that-ctrl-byte-cookies-are-ignored.patch
 CVE-2022-32221.patch
 CVE-2022-43552.patch
+CVE-2023-23916.patch
 # Always add CVE patches before these two patches
 90_gnutls.patch