Version in base suite: 8.14.1-2+deb13u2 Base version: curl_8.14.1-2+deb13u2 Target version: curl_8.14.1-2+deb13u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/curl/curl_8.14.1-2+deb13u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/curl/curl_8.14.1-2+deb13u3.dsc changelog | 7 ++++++ patches/CVE-2025-13034.patch | 45 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 53 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpvdltfjuv/curl_8.14.1-2+deb13u2.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpvdltfjuv/curl_8.14.1-2+deb13u3.dsc: no acceptable signature found diff -Nru curl-8.14.1/debian/changelog curl-8.14.1/debian/changelog --- curl-8.14.1/debian/changelog 2025-11-09 14:49:56.000000000 +0000 +++ curl-8.14.1/debian/changelog 2026-01-30 02:20:09.000000000 +0000 @@ -1,3 +1,10 @@ +curl (8.14.1-2+deb13u3) trixie; urgency=medium + + * Team upload. + * d/p/CVE-2025-13034.patch: cherry-pick from upstream + + -- Matheus Souza Zanzin Thu, 29 Jan 2026 23:20:09 -0300 + curl (8.14.1-2+deb13u2) trixie; urgency=medium * d/p/wcurl-CVE-2025-11563.patch: Pull upstream changes to actually fix diff -Nru curl-8.14.1/debian/patches/CVE-2025-13034.patch curl-8.14.1/debian/patches/CVE-2025-13034.patch --- curl-8.14.1/debian/patches/CVE-2025-13034.patch 1970-01-01 00:00:00.000000000 +0000 +++ curl-8.14.1/debian/patches/CVE-2025-13034.patch 2026-01-30 02:20:09.000000000 +0000 
@@ -0,0 +1,45 @@ +From: Daniel Stenberg +Date: Fri, 14 Nov 2025 16:42:23 +0100 +Subject: [PATCH] vquic-tls/gnutls: call Curl_gtls_verifyserver unconditionally + +Closes #19531 + +[PATCH] When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` +with the curl tool, curl should check the public key of the server certificate to +verify the peer. This check was skipped in a certain condition that would then make +curl allow the connection without performing the proper check, thus not noticing a +possible impostor. To skip this check, the connection had to be done with QUIC with +ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard +certificate verification. + +Backported-by: Matheus Souza Zanzin + * removes host verification so that it always verifies. +Origin: backport, https://github.com/curl/curl/commit/3d91ca8cdb3b434226e743946d428b4dd3acf2c9 +Last-Update: 2026-01-29 +--- + lib/vquic/vquic-tls.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/lib/vquic/vquic-tls.c b/lib/vquic/vquic-tls.c +index 2a5be13..b8b0e6b 100644 +--- a/lib/vquic/vquic-tls.c ++++ b/lib/vquic/vquic-tls.c +@@ -169,13 +169,11 @@ CURLcode Curl_vquic_tls_verify_peer(struct curl_tls_ctx *ctx, + (void)conn_config; + result = Curl_oss_check_peer_cert(cf, data, &ctx->ossl, peer); + #elif defined(USE_GNUTLS) +- if(conn_config->verifyhost) { +- result = Curl_gtls_verifyserver(data, ctx->gtls.session, +- conn_config, &data->set.ssl, peer, +- data->set.str[STRING_SSL_PINNEDPUBLICKEY]); +- if(result) +- return result; +- } ++ result = Curl_gtls_verifyserver(data, ctx->gtls.session, ++ conn_config, &data->set.ssl, peer, ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY]); ++ if(result) ++ return result; + #elif defined(USE_WOLFSSL) + (void)data; + if(conn_config->verifyhost) { diff -Nru curl-8.14.1/debian/patches/series curl-8.14.1/debian/patches/series --- curl-8.14.1/debian/patches/series 2025-11-09 14:49:56.000000000 +0000 +++ 
curl-8.14.1/debian/patches/series 2026-01-30 02:20:09.000000000 +0000 @@ -16,3 +16,4 @@ wcurl-Fix-example-for-continue-at.patch # CVE-2025-11563 wcurl-CVE-2025-11563.patch +CVE-2025-13034.patch
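Review bot: the changelog entry in the debian/changelog hunk identifies the CVE only through the patch file name and gives no summary of what is fixed; for the security tracker and for anyone reading `apt changelog curl`, state the impact in one line, e.g. `* d/p/CVE-2025-13034.patch: cherry-pick from upstream (pinned public key check was skipped for QUIC with ngtcp2/GnuTLS when certificate verification was disabled)`.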
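Review bot: in the lib/vquic/vquic-tls.c hunk, dropping the `if(conn_config->verifyhost)` gate is the right fix for the GnuTLS branch, because the pinned public key check has to run even when the user has disabled certificate and host verification, and `Curl_gtls_verifyserver` is handed `conn_config` and `&data->set.ssl`, which is what it needs to honour `verifypeer`/`verifyhost` internally. Two follow-ups: the trailing context shows the `USE_WOLFSSL` branch still guarded by the same `if(conn_config->verifyhost) {`, so before treating this backport as covering all backends confirm whether that branch's verify call is subject to the same skip (the upstream commit referenced in the `Origin:` line only touches the GnuTLS path); and the `Backported-by:` note "removes host verification so that it always verifies" reads as if host verification itself were removed, whereas only the condition is removed, so rewording it to something like "removes the verifyhost condition so the check always runs" would avoid misleading the next maintainer.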
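Review bot: in the debian/patches/series hunk the existing convention visible in the context is a `# CVE-2025-11563` comment line immediately above `wcurl-CVE-2025-11563.patch`; for consistency add a `# CVE-2025-13034` line above the new `CVE-2025-13034.patch` entry.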