Debian Bug report logs - #658276
libcurl3: No more compatible with older SSL implementations

Package: libcurl3; Maintainer for libcurl3 is Alessandro Ghedini <ghedo@debian.org>; Source for libcurl3 is src:curl.

Reported by: Kurt Roeckx <kurt@roeckx.be>

Date: Wed, 1 Feb 2012 18:30:02 UTC

Severity: grave

Tags: fixed-upstream

Found in versions curl/7.21.0-2.1+squeeze1, curl/7.24.0-1

Fixed in versions curl/7.25.0-1, curl/7.21.0-2.1+squeeze2

Done: Alessandro Ghedini <ghedo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://curl.haxx.se/mail/lib-2012-02/0001.html


Report forwarded to debian-bugs-dist@lists.debian.org, Ramakrishnan Muthukrishnan <rkrishnan@debian.org>:
Bug#658276; Package libcurl3. (Wed, 01 Feb 2012 18:30:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
New Bug report received and forwarded. Copy sent to Ramakrishnan Muthukrishnan <rkrishnan@debian.org>.

Your message had a Version: pseudo-header with an invalid package version:

7.21.0-2.1+squeeze1, 7.24.0-1

please either use found or fixed to the control server with a correct version, or reply to this report indicating the correct version so the maintainer (or someone else) can correct it for you.

(Wed, 01 Feb 2012 18:30:05 GMT) Full text and rfc822 format available.


Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: submit@bugs.debian.org
Cc: team@security.debian.org
Subject: libcurl3: Doesn't work for all sites anymore
Date: Wed, 1 Feb 2012 19:27:06 +0100
Package: libcurl3
Version: 7.21.0-2.1+squeeze1, 7.24.0-1
Severity: grave

Hi,

After the upgrade from 7.21.0-2 or 7.23.1-3 some sites stop
working while others continue to work.

My guess is that this is related to the CVE-2011-3389 change.
If my memory is any good, the reason why openssl still does
something with that option is because not all implementations
work without it.  I think I at least saw a blog post about
the state of that issue a few months ago.

I can reproduce this with:
$ curl https://www.eboekhuis.nl
curl: (52) Empty reply from server

Downgrading libcurl3 fixes my issue.


Kurt





Added indication that 658276 affects security.debian.org and release.debian.org Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Wed, 01 Feb 2012 19:39:03 GMT) Full text and rfc822 format available.

Bug Marked as found in versions curl/7.21.0-2.1+squeeze1. Request was from kurt@roeckx.be (Kurt Roeckx) to control@bugs.debian.org. (Wed, 01 Feb 2012 20:03:07 GMT) Full text and rfc822 format available.

Bug Marked as found in versions curl/7.24.0-1. Request was from kurt@roeckx.be (Kurt Roeckx) to control@bugs.debian.org. (Wed, 01 Feb 2012 20:03:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Ramakrishnan Muthukrishnan <rkrishnan@debian.org>:
Bug#658276; Package libcurl3. (Sat, 04 Feb 2012 21:16:37 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alessandro Ghedini <al3xbio@gmail.com>:
Extra info received and forwarded to list. Copy sent to Ramakrishnan Muthukrishnan <rkrishnan@debian.org>. (Sat, 04 Feb 2012 21:16:43 GMT) Full text and rfc822 format available.

Message #16 received at 658276@bugs.debian.org (full text, mbox):

From: Alessandro Ghedini <al3xbio@gmail.com>
To: Kurt Roeckx <kurt@roeckx.be>, 658276@bugs.debian.org
Cc: control@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#658276: libcurl3: Doesn't work for all sites anymore
Date: Sat, 4 Feb 2012 22:11:31 +0100
retitle 658276 libcurl3: No more compatible with older SSL implementations
forwarded 658276 http://curl.haxx.se/mail/lib-2012-02/0001.html
kthxbye

On Wed, Feb 01, 2012 at 07:27:06PM +0100, Kurt Roeckx wrote:
> Package: libcurl3
> Version: 7.21.0-2.1+squeeze1, 7.24.0-1
> Severity: grave
> 
> Hi,

Hi,

> After the upgrade from 7.21.0-2 or 7.23.1-3 some sites stop
> working while others continue to work.
>
> My guess is that this is related to the CVE-2011-3389 change.
> If my memory is any good, the reason why openssl still does
> something with that option is because not all implementations
> work without it.  I think I at least saw a blog post about
> the state of that issue a few months ago.

AFAIU, the problem is that the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option is 
meant to keep compatibility with some older and broken SSL implementations 
that don't support empty fragments, but it also re-introduces a security 
issue.

That's why such option was disabled in curl 7.24.0 (and backported to 
stable-security). It was a mistake on the curl developers' side to enable it
in the first place (it was done by accident because of the not-so-clear 
OpenSSL documentation, according to upstream).

I understand that this may cause problems (the incompatibility didn't show 
up in my tests with live SSL servers though), but leaving a security issue 
open *by default* is not a better solution IMO.

Maybe an option, for both libcurl and curl, to explicitly enable the
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS would do the trick? 

Alternative solutions/opinions would be welcome, if you happen to have any.

Cheers

-- 
perl -E'$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'




Changed Bug title to 'libcurl3: No more compatible with older SSL implementations' from 'libcurl3: Doesn't work for all sites anymore' Request was from Alessandro Ghedini <al3xbio@gmail.com> to control@bugs.debian.org. (Sat, 04 Feb 2012 21:17:01 GMT) Full text and rfc822 format available.

Set Bug forwarded-to-address to 'http://curl.haxx.se/mail/lib-2012-02/0001.html'. Request was from Alessandro Ghedini <al3xbio@gmail.com> to control@bugs.debian.org. (Sat, 04 Feb 2012 21:17:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Ramakrishnan Muthukrishnan <rkrishnan@debian.org>:
Bug#658276; Package libcurl3. (Sat, 04 Feb 2012 21:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Ramakrishnan Muthukrishnan <rkrishnan@debian.org>. (Sat, 04 Feb 2012 21:51:03 GMT) Full text and rfc822 format available.

Message #25 received at 658276@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Alessandro Ghedini <al3xbio@gmail.com>
Cc: 658276@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#658276: libcurl3: Doesn't work for all sites anymore
Date: Sat, 4 Feb 2012 22:45:59 +0100
On Sat, Feb 04, 2012 at 10:11:31PM +0100, Alessandro Ghedini wrote:
> 
> AFAIU, the problem is that the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option is 
> meant to keep compatibility with some older and broken SSL implementations 
> that don't support empty fragments, but it also re-introduces a security 
> issue.
> 
> That's why such option was disabled in curl 7.24.0 (and backported to 
> stable-security). It was a mistake on the curl developers' side to enable it
> in the first place (it was done by accident because of the not-so-clear 
> OpenSSL documentation, according to upstream).
> 
> I understand that this may cause problems (the incompatibility didn't show 
> up in my tests with live SSL servers though), but leaving a security issue 
> open *by default* is not a better solution IMO.
> 
> Maybe an option, for both libcurl and curl, to explicitly enable the
> SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS would do the trick? 
> 
> Alternative solutions/opinions would be welcome, if you happen to have any.

Having SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS disabled by default
would be fine if I had the option to turn it on.  In that case
it's my decision to ignore the security consequences.


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Ramakrishnan Muthukrishnan <rkrishnan@debian.org>:
Bug#658276; Package libcurl3. (Fri, 10 Feb 2012 09:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alessandro Ghedini <al3xbio@gmail.com>:
Extra info received and forwarded to list. Copy sent to Ramakrishnan Muthukrishnan <rkrishnan@debian.org>. (Fri, 10 Feb 2012 09:18:17 GMT) Full text and rfc822 format available.

Message #30 received at 658276@bugs.debian.org (full text, mbox):

From: Alessandro Ghedini <al3xbio@gmail.com>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: 658276@bugs.debian.org, team@security.debian.org, control@bugs.debian.org
Subject: Re: Bug#658276: libcurl3: Doesn't work for all sites anymore
Date: Fri, 10 Feb 2012 10:15:44 +0100
tags 658276 fixed-upstream
kthxbye

On Sat, Feb 04, 2012 at 10:45:59PM +0100, Kurt Roeckx wrote:
> On Sat, Feb 04, 2012 at 10:11:31PM +0100, Alessandro Ghedini wrote:
> > 
> > AFAIU, the problem is that the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option is 
> > meant to keep compatibility with some older and broken SSL implementations 
> > that don't support empty fragments, but it also re-introduces a security 
> > issue.
> > 
> > That's why such option was disabled in curl 7.24.0 (and backported to 
> > stable-security). It was a mistake on the curl developers' side to enable it
> > in the first place (it was done by accident because of the not-so-clear 
> > OpenSSL documentation, according to upstream).
> > 
> > I understand that this may cause problems (the incompatibility didn't show 
> > up in my tests with live SSL servers though), but leaving a security issue 
> > open *by default* is not a better solution IMO.
> > 
> > Maybe an option, for both libcurl and curl, to explicitly enable the
> > SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS would do the trick? 
> > 
> > Alternative solutions/opinions would be welcome, if you happen to have any.
> 
> Having SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS disabled by default
> would be fine if I had the option to turn it on.  In that case
> it's my decision to ignore the security consequences.

This has been fixed upstream now (commits 2a699bc6 and 62d15f15).

Cheers

-- 
perl -E'$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'




Added tag(s) fixed-upstream. Request was from Alessandro Ghedini <al3xbio@gmail.com> to control@bugs.debian.org. (Fri, 10 Feb 2012 09:18:23 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Ramakrishnan Muthukrishnan <rkrishnan@debian.org>:
Bug#658276; Package libcurl3. (Fri, 10 Feb 2012 19:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Ramakrishnan Muthukrishnan <rkrishnan@debian.org>. (Fri, 10 Feb 2012 19:27:03 GMT) Full text and rfc822 format available.

Message #37 received at 658276@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Alessandro Ghedini <al3xbio@gmail.com>
Cc: 658276@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#658276: libcurl3: Doesn't work for all sites anymore
Date: Fri, 10 Feb 2012 20:23:24 +0100
On Fri, Feb 10, 2012 at 10:15:44AM +0100, Alessandro Ghedini wrote:
> On Sat, Feb 04, 2012 at 10:45:59PM +0100, Kurt Roeckx wrote:
> > Having SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS disabled by default
> > would be fine if I had the option to turn it on.  In that case
> > it's my decision to ignore the security consequences.
> 
> This has been fixed upstream now (commits 2a699bc6 and 62d15f15).

Do you plan to upload this to stable-proposed-updates?


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Ramakrishnan Muthukrishnan <rkrishnan@debian.org>:
Bug#658276; Package libcurl3. (Sat, 11 Feb 2012 12:27:43 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Ramakrishnan Muthukrishnan <rkrishnan@debian.org>. (Sat, 11 Feb 2012 12:27:49 GMT) Full text and rfc822 format available.

Message #42 received at 658276@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Kurt Roeckx <kurt@roeckx.be>, 658276@bugs.debian.org
Cc: Alessandro Ghedini <al3xbio@gmail.com>, team@security.debian.org
Subject: Re: Bug#658276: libcurl3: Doesn't work for all sites anymore
Date: Sat, 11 Feb 2012 13:23:49 +0100
On Fri, Feb 10, 2012 at 20:23:24 +0100, Kurt Roeckx wrote:

> On Fri, Feb 10, 2012 at 10:15:44AM +0100, Alessandro Ghedini wrote:
> > On Sat, Feb 04, 2012 at 10:45:59PM +0100, Kurt Roeckx wrote:
> > > Having SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS disabled by default
> > > would be fine if I had the option to turn it on.  In that case
> > > it's my decision to ignore the security consequences.
> > 
> > This has been fixed upstream now (commits 2a699bc6 and 62d15f15).
> 
> Do you plan to upload this to stable-proposed-updates?
> 
In general, regressions on security should be fixed on security, not
spu.

Cheers,
Julien

Information forwarded to debian-bugs-dist@lists.debian.org, Ramakrishnan Muthukrishnan <rkrishnan@debian.org>:
Bug#658276; Package libcurl3. (Sat, 11 Feb 2012 13:06:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alessandro Ghedini <al3xbio@gmail.com>:
Extra info received and forwarded to list. Copy sent to Ramakrishnan Muthukrishnan <rkrishnan@debian.org>. (Sat, 11 Feb 2012 13:06:08 GMT) Full text and rfc822 format available.

Message #47 received at 658276@bugs.debian.org (full text, mbox):

From: Alessandro Ghedini <al3xbio@gmail.com>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: 658276@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#658276: libcurl3: Doesn't work for all sites anymore
Date: Sat, 11 Feb 2012 14:04:01 +0100
On Fri, Feb 10, 2012 at 08:23:24PM +0100, Kurt Roeckx wrote:
> On Fri, Feb 10, 2012 at 10:15:44AM +0100, Alessandro Ghedini wrote:
> > On Sat, Feb 04, 2012 at 10:45:59PM +0100, Kurt Roeckx wrote:
> > > Having SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS disabled by default
> > > would be fine if I had the option to turn it on.  In that case
> > > it's my decision to ignore the security consequences.
> > 
> > This has been fixed upstream now (commits 2a699bc6 and 62d15f15).
> 
> Do you plan to upload this to stable-proposed-updates?

Yep, once curl 7.25.0 is released and uploaded to unstable (as Julien said
I'll prepare another upload for security).

Cheers

-- 
perl -E'$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'




Information forwarded to debian-bugs-dist@lists.debian.org, Ramakrishnan Muthukrishnan <rkrishnan@debian.org>:
Bug#658276; Package libcurl3. (Sun, 12 Feb 2012 19:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Ramakrishnan Muthukrishnan <rkrishnan@debian.org>. (Sun, 12 Feb 2012 19:27:03 GMT) Full text and rfc822 format available.

Message #52 received at 658276@bugs.debian.org (full text, mbox):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Alessandro Ghedini <al3xbio@gmail.com>
Cc: Kurt Roeckx <kurt@roeckx.be>, 658276@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#658276: libcurl3: Doesn't work for all sites anymore
Date: Sun, 12 Feb 2012 20:23:02 +0100
On Sat, Feb 11, 2012 at 02:04:01PM +0100, Alessandro Ghedini wrote:
> On Fri, Feb 10, 2012 at 08:23:24PM +0100, Kurt Roeckx wrote:
> > On Fri, Feb 10, 2012 at 10:15:44AM +0100, Alessandro Ghedini wrote:
> > > On Sat, Feb 04, 2012 at 10:45:59PM +0100, Kurt Roeckx wrote:
> > > > Having SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS disabled by default
> > > > would be fine if I had the option to turn it on.  In that case
> > > > it's my decision to ignore the security consequences.
> > > 
> > > This has been fixed upstream now (commits 2a699bc6 and 62d15f15).
> > 
> > Do you plan to upload this to stable-proposed-updates?
> 
> Yep, once curl 7.25.0 is released and uploaded to unstable (as Julien said
> I'll prepare another upload for security).

We should fix this through stable-security. Please send a debdiff once
the fix has been tested in unstable for a few days.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Ramakrishnan Muthukrishnan <rkrishnan@debian.org>:
Bug#658276; Package libcurl3. (Fri, 23 Mar 2012 17:42:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alessandro Ghedini <al3xbio@gmail.com>:
Extra info received and forwarded to list. Copy sent to Ramakrishnan Muthukrishnan <rkrishnan@debian.org>. (Fri, 23 Mar 2012 17:42:08 GMT) Full text and rfc822 format available.

Message #57 received at 658276@bugs.debian.org (full text, mbox):

From: Alessandro Ghedini <al3xbio@gmail.com>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: 658276@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#658276: libcurl3: Doesn't work for all sites anymore
Date: Fri, 23 Mar 2012 18:38:40 +0100
Hi Kurt,

curl 7.25.0 was released yesterday and I'm now working on updating the
Debian package. A problem came up though with the --ssl-enable-beast
new option of curl (which should fix the bug that you have reported)
and the new version of openssl. If I build curl against the current
version 1.0.1-2 (uploaded a few days ago) of libssl the option has no
effect with the URL you posted above and curl fails with the error:

curl: (35) error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message

(the 35 means that the error happened in the SSL handshake).

But if I build with a slightly older libssl (1.0.0h-1) the option works
as expected and if the option is not used at all the error is the same
that you reported ("Empty reply from server").

Now, since you did the openssl uploads, do you know of any change in
openssl that may have caused this problem and if there's anything that
can be done on the curl's side to fix it?

Cheers

-- 
perl -E'$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'

Information forwarded to debian-bugs-dist@lists.debian.org, Ramakrishnan Muthukrishnan <rkrishnan@debian.org>:
Bug#658276; Package libcurl3. (Fri, 23 Mar 2012 18:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Ramakrishnan Muthukrishnan <rkrishnan@debian.org>. (Fri, 23 Mar 2012 18:06:03 GMT) Full text and rfc822 format available.

Message #62 received at 658276@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Alessandro Ghedini <al3xbio@gmail.com>
Cc: 658276@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#658276: libcurl3: Doesn't work for all sites anymore
Date: Fri, 23 Mar 2012 19:02:34 +0100
On Fri, Mar 23, 2012 at 06:38:40PM +0100, Alessandro Ghedini wrote:
> Hi Kurt,
> 
> curl 7.25.0 was released yesterday and I'm now working on updating the
> Debian package. A problem came up though with the --ssl-enable-beast
> new option of curl (which should fix the bug that you have reported)
> and the new version of openssl. If I build curl against the current
> version 1.0.1-2 (uploaded a few days ago) of libssl the option has no
> effect with the URL you posted above and curl fails with the error:
> 
> curl: (35) error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
> 
> (the 35 means that the error happened in the SSL handshake).
> 
> But if I build with a slightly older libssl (1.0.0h-1) the option works
> as expected and if the option is not used at all the error is the same
> that you reported ("Empty reply from server").
> 
> Now, since you did the openssl uploads, do you know of any change in
> openssl that may have caused this problem and if there's anything that
> can be done on the curl's side to fix it?

So I see:
openssl s_client -connect www.eboekhuis.nl:443
CONNECTED(00000003)
140090768766632:error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message:s23_clnt.c:708:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 324 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

But it works when I use:
openssl s_client -no_tls1_2 -no_tls1_1 -connect www.eboekhuis.nl:443


Tls1.1 and 1.2 support is new since openssl 1.0.1.

I'm not sure what to do about this.  I can at least let them know that that is an issue too.
But maybe I should contact upstream openssl so they can take a look too that it's not a bug
in openssl.


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Ramakrishnan Muthukrishnan <rkrishnan@debian.org>:
Bug#658276; Package libcurl3. (Fri, 23 Mar 2012 18:24:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Ramakrishnan Muthukrishnan <rkrishnan@debian.org>. (Fri, 23 Mar 2012 18:24:03 GMT) Full text and rfc822 format available.

Message #67 received at 658276@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Alessandro Ghedini <al3xbio@gmail.com>
Cc: 658276@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#658276: libcurl3: Doesn't work for all sites anymore
Date: Fri, 23 Mar 2012 19:20:40 +0100
On Fri, Mar 23, 2012 at 07:02:34PM +0100, Kurt Roeckx wrote:
> On Fri, Mar 23, 2012 at 06:38:40PM +0100, Alessandro Ghedini wrote:
> > Hi Kurt,
> > 
> > curl 7.25.0 was released yesterday and I'm now working on updating the
> > Debian package. A problem came up though with the --ssl-enable-beast
> > new option of curl (which should fix the bug that you have reported)
> > and the new version of openssl. If I build curl against the current
> > version 1.0.1-2 (uploaded a few days ago) of libssl the option has no
> > effect with the URL you posted above and curl fails with the error:
> > 
> > curl: (35) error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
> > 
> > (the 35 means that the error happened in the SSL handshake).
> > 
> > But if I build with a slightly older libssl (1.0.0h-1) the option works
> > as expected and if the option is not used at all the error is the same
> > that you reported ("Empty reply from server").
> > 
> > Now, since you did the openssl uploads, do you know of any change in
> > openssl that may have caused this problem and if there's anything that
> > can be done on the curl's side to fix it?
> 
> So I see:
> openssl s_client -connect www.eboekhuis.nl:443
> CONNECTED(00000003)
> 140090768766632:error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message:s23_clnt.c:708:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 324 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
> 
> But it works when I use:
> openssl s_client -no_tls1_2 -no_tls1_1 -connect www.eboekhuis.nl:443
> 
> 
> Tls1.1 and 1.2 support is new since openssl 1.0.1.
> 
> I'm not sure what to do about this.  I can at least let them know that that is an issue too.
> But maybe I should contact upstream openssl so they can take a look too that it's not a bug
> in openssl.

gnutls-cli also has problems with the site if tls1.1 and 1.2 are
enabled.


Kurt





Information forwarded to debian-bugs-dist@lists.debian.org, Ramakrishnan Muthukrishnan <rkrishnan@debian.org>:
Bug#658276; Package libcurl3. (Fri, 23 Mar 2012 18:45:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alessandro Ghedini <al3xbio@gmail.com>:
Extra info received and forwarded to list. Copy sent to Ramakrishnan Muthukrishnan <rkrishnan@debian.org>. (Fri, 23 Mar 2012 18:45:06 GMT) Full text and rfc822 format available.

Message #72 received at 658276@bugs.debian.org (full text, mbox):

From: Alessandro Ghedini <al3xbio@gmail.com>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: 658276@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#658276: libcurl3: Doesn't work for all sites anymore
Date: Fri, 23 Mar 2012 19:42:15 +0100
On Fri, Mar 23, 2012 at 07:02:34PM +0100, Kurt Roeckx wrote:
> On Fri, Mar 23, 2012 at 06:38:40PM +0100, Alessandro Ghedini wrote:
> > Hi Kurt,
> > 
> > curl 7.25.0 was released yesterday and I'm now working on updating the
> > Debian package. A problem came up though with the --ssl-enable-beast
> > new option of curl (which should fix the bug that you have reported)
> > and the new version of openssl. If I build curl against the current
> > version 1.0.1-2 (uploaded a few days ago) of libssl the option has no
> > effect with the URL you posted above and curl fails with the error:
> > 
> > curl: (35) error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
> > 
> > (the 35 means that the error happened in the SSL handshake).
> > 
> > But if I build with a slightly older libssl (1.0.0h-1) the option works
> > as expected and if the option is not used at all the error is the same
> > that you reported ("Empty reply from server").
> > 
> > Now, since you did the openssl uploads, do you know of any change in
> > openssl that may have caused this problem and if there's anything that
> > can be done on the curl's side to fix it?
> 
> So I see:
> openssl s_client -connect www.eboekhuis.nl:443
> CONNECTED(00000003)
> 140090768766632:error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message:s23_clnt.c:708:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 324 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
> 
> But it works when I use:
> openssl s_client -no_tls1_2 -no_tls1_1 -connect www.eboekhuis.nl:443
> 
> 
> Tls1.1 and 1.2 support is new since openssl 1.0.1.
> 
> I'm not sure what to do about this.  I can at least let them know that that is an issue too.
> But maybe I should contact upstream openssl so they can take a look too that it's not a bug
> in openssl.

Indeed, explicitly setting TLSv1 (--tlsv1 option in curl) works. I was afraid
this was a new bug in curl's OpenSSL code but apparently it's not (or at least
it is not as grave as I thought). I'll go on with the curl uploads then.

Thanks

-- 
perl -E'$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'
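
Added example, not part of the original thread: a small shell triage that separates the two failure signatures discussed above (curl exit 52 without the empty-fragment opt-out, and curl exit 35 with "alert unexpected message" once TLS 1.1/1.2 are offered). Function names, labels and the legacy-*.example hosts are hypothetical; the sample log is constructed, and only its first two error strings are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: classify curl TLS failures into the two causes this bug log
# separates. Labels and function names are hypothetical.

# Constructed sample records, "host|curl stderr line". The first two error
# strings are quoted from the thread; the other two are made up for contrast.
SAMPLE_LOG='legacy-a.example|curl: (52) Empty reply from server
legacy-b.example|curl: (35) error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
legacy-c.example|curl: (35) constructed handshake failure text
legacy-d.example|curl: (6) Could not resolve host: legacy-d.example'

# curl_code LINE: print NN from "curl: (NN) text", or nothing if LINE is not
# a curl error line.
curl_code() {
    printf '%s\n' "$1" | sed -n 's/^curl: (\([0-9][0-9]*\)).*/\1/p'
}

# classify_line LINE: print one label for a curl stderr line.
#   empty-fragment-suspect  exit 52: the server dropped the connection after
#                           the handshake, as in the original report
#   tls-version-suspect     exit 35 plus "alert unexpected message": the
#                           handshake itself was rejected, as seen once
#                           TLS 1.1/1.2 were offered
#   handshake-other         exit 35 with any other text
#   unrelated               any other curl exit code
#   not-a-curl-error        the line is not in "curl: (NN) ..." form
classify_line() {
    code=$(curl_code "$1")
    case "$code" in
        "") echo not-a-curl-error ;;
        52) echo empty-fragment-suspect ;;
        35) case "$1" in
                *"alert unexpected message"*) echo tls-version-suspect ;;
                *) echo handshake-other ;;
            esac ;;
        *)  echo unrelated ;;
    esac
}

# next_step LABEL: the comparison run used in the thread for that label.
# Both are diagnostics for a single known-broken host, not new defaults.
next_step() {
    case "$1" in
        empty-fragment-suspect)
            echo "compare with: curl --ssl-allow-beast URL (opt-in per transfer; gives up the CVE-2011-3389 mitigation)" ;;
        tls-version-suspect)
            echo "compare with: curl --tlsv1 URL, or openssl s_client -no_tls1_2 -no_tls1_1 -connect HOST:443" ;;
        *)
            echo "no compatibility hint from this thread" ;;
    esac
}

# triage_log: read "host|stderr line" records on stdin and print
# "host<TAB>label" for each non-empty record.
triage_log() {
    while IFS='|' read -r host msg; do
        [ -n "$host" ] || continue
        printf '%s\t%s\n' "$host" "$(classify_line "$msg")"
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | triage_log | while read -r host label; do
    printf '%-18s %-24s %s\n' "$host" "$label" "$(next_step "$label")"
done
```

A label ending in "-suspect" is only a hint: exit 52 and exit 35 have other causes too, so confirm with the comparison run before changing any per-host setting.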

Reply sent to Alessandro Ghedini <al3xbio@gmail.com>:
You have taken responsibility. (Tue, 27 Mar 2012 18:51:10 GMT) Full text and rfc822 format available.

Notification sent to Kurt Roeckx <kurt@roeckx.be>:
Bug acknowledged by developer. (Tue, 27 Mar 2012 18:51:10 GMT) Full text and rfc822 format available.

Message #77 received at 658276-close@bugs.debian.org (full text, mbox):

From: Alessandro Ghedini <al3xbio@gmail.com>
To: 658276-close@bugs.debian.org
Subject: Bug#658276: fixed in curl 7.25.0-1
Date: Tue, 27 Mar 2012 18:48:16 +0000
Source: curl
Source-Version: 7.25.0-1

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive:

curl_7.25.0-1.debian.tar.gz
  to main/c/curl/curl_7.25.0-1.debian.tar.gz
curl_7.25.0-1.dsc
  to main/c/curl/curl_7.25.0-1.dsc
curl_7.25.0-1_i386.deb
  to main/c/curl/curl_7.25.0-1_i386.deb
curl_7.25.0.orig.tar.gz
  to main/c/curl/curl_7.25.0.orig.tar.gz
libcurl3-dbg_7.25.0-1_i386.deb
  to main/c/curl/libcurl3-dbg_7.25.0-1_i386.deb
libcurl3-gnutls_7.25.0-1_i386.deb
  to main/c/curl/libcurl3-gnutls_7.25.0-1_i386.deb
libcurl3-nss_7.25.0-1_i386.deb
  to main/c/curl/libcurl3-nss_7.25.0-1_i386.deb
libcurl3_7.25.0-1_i386.deb
  to main/c/curl/libcurl3_7.25.0-1_i386.deb
libcurl4-gnutls-dev_7.25.0-1_i386.deb
  to main/c/curl/libcurl4-gnutls-dev_7.25.0-1_i386.deb
libcurl4-nss-dev_7.25.0-1_i386.deb
  to main/c/curl/libcurl4-nss-dev_7.25.0-1_i386.deb
libcurl4-openssl-dev_7.25.0-1_i386.deb
  to main/c/curl/libcurl4-openssl-dev_7.25.0-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 658276@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <al3xbio@gmail.com> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 23 Mar 2012 16:24:51 +0100
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg
Architecture: source i386
Version: 7.25.0-1
Distribution: unstable
Urgency: low
Maintainer: Ramakrishnan Muthukrishnan <rkrishnan@debian.org>
Changed-By: Alessandro Ghedini <al3xbio@gmail.com>
Description: 
 curl       - command line tool for transferring data with URL syntax
 libcurl3   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
Closes: 658276 659591
Changes: 
 curl (7.25.0-1) unstable; urgency=low
 .
   * New upstream release
     - Add --ssl-allow-beast and CURLOPT_SSL_OPTIONS (Closes: #658276)
     - Allow negative numbers as option value (Closes: #659591)
   * Add libssh2-1-dev to libcurl4-gnutls-dev and libcurl4-nss-dev Depends
   * Bump debhelper compat level to 9
     - Make *.links files executable to simplify rules file
   * Pass --as-needed ld flag to avoid unneeded dependencies
     - Add workaround_as_needed_bug to workaround a libtool bug
     - Drop dont_link_to_krb5 (not needed because of --as-needed)
   * Do some clean-up in debian/rules
   * Update debian/copyright format as in Debian Policy 3.9.3
   * Bump Standards-Version to 3.9.3
   * Explicit Conflicts in -dev packages (fixes binaries-have-file-conflict)
   * Add openssh-server to build depends to enable some more tests
   * Update upstream copyright years
   * Refresh patches

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk9yCIIACgkQ5UTeB5t8Mo3ZjwCgjlvX4o899M1Qg6Qm2hzSJQ/n
aNYAn2PTMcrgaFhum7giC2Xh6bqk6Xkh
=K4uu
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Ramakrishnan Muthukrishnan <rkrishnan@debian.org>:
Bug#658276; Package libcurl3. (Wed, 28 Mar 2012 10:21:33 GMT)

Acknowledgement sent to Alessandro Ghedini <al3xbio@gmail.com>:
Extra info received and forwarded to list. Copy sent to Ramakrishnan Muthukrishnan <rkrishnan@debian.org>. (Wed, 28 Mar 2012 10:21:36 GMT)

Message #82 received at 658276@bugs.debian.org:

From: Alessandro Ghedini <al3xbio@gmail.com>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: Kurt Roeckx <kurt@roeckx.be>, 658276@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#658276: libcurl3: Doesn't work for all sites anymore
Date: Wed, 28 Mar 2012 12:18:19 +0200
On Sun, Feb 12, 2012 at 08:23:02PM +0100, Moritz Mühlenhoff wrote:
> On Sat, Feb 11, 2012 at 02:04:01PM +0100, Alessandro Ghedini wrote:
> > On Fri, Feb 10, 2012 at 08:23:24PM +0100, Kurt Roeckx wrote:
> > > On Fri, Feb 10, 2012 at 10:15:44AM +0100, Alessandro Ghedini wrote:
> > > > On Sat, Feb 04, 2012 at 10:45:59PM +0100, Kurt Roeckx wrote:
> > > > > Having SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS disabled by default
> > > > > would be fine if I had the option to turn it on.  In that case
> > > > > it's my decision to ignore the security consequences.
> > > > 
> > > > This has been fixed upstream now (commits 2a699bc6 and 62d15f15).
> > > 
> > > Do you plan to upload this to stable-proposed-updates?
> > 
> > Yep, once curl 7.25.0 is released and uploaded to unstable (as Julian said 
> > I'll prepare another upload for security).
> 
> We should fix this through stable-security. Please send a debdiff once
> the fix has been testing in unstable for a few days.

Attached is the debdiff for stable-security. If everything's ok I will upload
it (I'm a DD since a few hours) in a few days, once the sid version has been
tested more.

Cheers

-- 
perl -E'$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'
[curl_7.21.0-2.1+squeeze2.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ramakrishnan Muthukrishnan <rkrishnan@debian.org>:
Bug#658276; Package libcurl3. (Wed, 28 Mar 2012 20:57:03 GMT)

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Ramakrishnan Muthukrishnan <rkrishnan@debian.org>. (Wed, 28 Mar 2012 20:57:03 GMT)

Message #87 received at 658276@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Alessandro Ghedini <al3xbio@gmail.com>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, Kurt Roeckx <kurt@roeckx.be>, 658276@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#658276: libcurl3: Doesn't work for all sites anymore
Date: Wed, 28 Mar 2012 22:51:53 +0200
* Alessandro Ghedini:

>> We should fix this through stable-security. Please send a debdiff once
>> the fix has been testing in unstable for a few days.
>
> Attached is the debdiff for stable-security.

Looks good.

> If everything's ok I will upload it (I'm a DD since a few hours) in
> a few days, once the sid version has been tested more.

Do you really think this option will actually be used in practice,
except if there's a failure?

Anyway, you can upload to security-master when ready.  You must build
the package with specifying the -sa flag, on a squeeze system.
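
Added example, not part of the thread or of the curl package: a POSIX shell wrapper for the policy the question above points at, where --ssl-allow-beast is used only after a normal attempt fails and only for hosts on an explicit allowlist. The allowlist entry, the exit codes in RETRY_CODES treated as a sign of the breakage, and all function names are assumptions.

```shell
#!/bin/sh
# Added example: disable curl's BEAST countermeasure only as a fallback,
# and only for hosts that are explicitly allowlisted.

CURL_BIN=${CURL_BIN:-curl}    # overridable, so the policy can be exercised offline
LEGACY_TLS_HOSTS=${LEGACY_TLS_HOSTS:-legacy.example.test}  # constructed sample allowlist
RETRY_CODES=${RETRY_CODES:-"35 52 56"}  # assumption: exit codes that indicate the breakage
FETCH_MODE=default

# Print the host part of an https:// URL. Anything unexpected (userinfo,
# another scheme) yields a string that will not match the allowlist.
url_host() {
    uh=${1#https://}
    uh=${uh%%/*}
    uh=${uh%%:*}
    printf '%s\n' "$uh"
}

# Return 0 if the non-empty word $1 is in the space-separated list $2.
in_list() {
    [ -n "$1" ] || return 1
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# fetch URL [extra curl args...]
# Leaves FETCH_MODE set to default, allow-beast or refused for the caller.
fetch() {
    fetch_url=$1; shift
    FETCH_MODE=default
    fetch_rc=0
    "$CURL_BIN" --silent --show-error "$@" "$fetch_url" || fetch_rc=$?
    [ "$fetch_rc" -ne 0 ] || return 0
    # Failures unrelated to the TLS change are passed through untouched.
    in_list "$fetch_rc" "$RETRY_CODES" || return "$fetch_rc"
    fetch_host=$(url_host "$fetch_url")
    if ! in_list "$fetch_host" "$LEGACY_TLS_HOSTS"; then
        FETCH_MODE=refused
        echo "tls: $fetch_host failed (curl exit $fetch_rc), not allowlisted, keeping countermeasure" >&2
        return "$fetch_rc"
    fi
    FETCH_MODE=allow-beast
    echo "tls: retrying $fetch_host with --ssl-allow-beast after curl exit $fetch_rc" >&2
    "$CURL_BIN" --silent --show-error --ssl-allow-beast "$@" "$fetch_url"
}
```

Every use of the fallback is logged to stderr, so the hosts that still depend on the weakened mode stay visible and can be removed from the allowlist once they are upgraded.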




Information forwarded to debian-bugs-dist@lists.debian.org, Ramakrishnan Muthukrishnan <rkrishnan@debian.org>:
Bug#658276; Package libcurl3. (Thu, 29 Mar 2012 11:12:03 GMT)

Acknowledgement sent to Alessandro Ghedini <al3xbio@gmail.com>:
Extra info received and forwarded to list. Copy sent to Ramakrishnan Muthukrishnan <rkrishnan@debian.org>. (Thu, 29 Mar 2012 11:12:03 GMT)

Message #92 received at 658276@bugs.debian.org:

From: Alessandro Ghedini <al3xbio@gmail.com>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, Kurt Roeckx <kurt@roeckx.be>, 658276@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#658276: libcurl3: Doesn't work for all sites anymore
Date: Thu, 29 Mar 2012 13:09:41 +0200
On Wed, Mar 28, 2012 at 10:51:53PM +0200, Florian Weimer wrote:
> * Alessandro Ghedini:
> 
> >> We should fix this through stable-security. Please send a debdiff once
> >> the fix has been testing in unstable for a few days.
> >
> > Attached is the debdiff for stable-security.
> 
> Looks good.
> 
> > If everything's ok I will upload it (I'm a DD since a few hours) in
> > a few days, once the sid version has been tested more.
> 
> Do you really think this option will actually be used in practice,
> except if there's a failure?

Well... not really. I'm doing some tests on my own though.

> Anyway, you can upload to security-master when ready.  You must build
> the package with specifying the -sa flag, on a squeeze system.

Ok, thank you.

Cheers

-- 
perl -E'$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'

Information forwarded to debian-bugs-dist@lists.debian.org, Ramakrishnan Muthukrishnan <rkrishnan@debian.org>:
Bug#658276; Package libcurl3. (Sat, 31 Mar 2012 17:15:07 GMT)

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Ramakrishnan Muthukrishnan <rkrishnan@debian.org>. (Sat, 31 Mar 2012 17:15:07 GMT)

Message #97 received at 658276@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Alessandro Ghedini <al3xbio@gmail.com>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, Kurt Roeckx <kurt@roeckx.be>, 658276@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#658276: libcurl3: Doesn't work for all sites anymore
Date: Sat, 31 Mar 2012 19:12:36 +0200
* Alessandro Ghedini:

>> Anyway, you can upload to security-master when ready.  You must build
>> the package with specifying the -sa flag, on a squeeze system.
>
> Ok, thank you.

Thanks for uploading.  I'm a bit confused--is this an interoperability
issue introduced by DSA-2398-1?




Information forwarded to debian-bugs-dist@lists.debian.org, Ramakrishnan Muthukrishnan <rkrishnan@debian.org>:
Bug#658276; Package libcurl3. (Sat, 31 Mar 2012 18:21:06 GMT)

Acknowledgement sent to Alessandro Ghedini <al3xbio@gmail.com>:
Extra info received and forwarded to list. Copy sent to Ramakrishnan Muthukrishnan <rkrishnan@debian.org>. (Sat, 31 Mar 2012 18:21:06 GMT)

Message #102 received at 658276@bugs.debian.org:

From: Alessandro Ghedini <al3xbio@gmail.com>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, Kurt Roeckx <kurt@roeckx.be>, 658276@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#658276: libcurl3: Doesn't work for all sites anymore
Date: Sat, 31 Mar 2012 20:12:18 +0200
On Sat, Mar 31, 2012 at 07:12:36PM +0200, Florian Weimer wrote:
> * Alessandro Ghedini:
> 
> >> Anyway, you can upload to security-master when ready.  You must build
> >> the package with specifying the -sa flag, on a squeeze system.
> >
> > Ok, thank you.
> 
> Thanks for uploading.  I'm a bit confused--is this an interoperability
> issue introduced by DSA-2398-1?

Yes, the fix for the CVE-2011-3389 related issue broke backwards compatibility
with older SSL implementations.

Cheers

-- 
perl -E'$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'

Reply sent to Alessandro Ghedini <ghedo@debian.org>:
You have taken responsibility. (Fri, 13 Apr 2012 22:48:16 GMT)

Notification sent to Kurt Roeckx <kurt@roeckx.be>:
Bug acknowledged by developer. (Fri, 13 Apr 2012 22:48:16 GMT)

Message #107 received at 658276-close@bugs.debian.org:

From: Alessandro Ghedini <ghedo@debian.org>
To: 658276-close@bugs.debian.org
Subject: Bug#658276: fixed in curl 7.21.0-2.1+squeeze2
Date: Fri, 13 Apr 2012 22:47:11 +0000
Source: curl
Source-Version: 7.21.0-2.1+squeeze2

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive:

curl_7.21.0-2.1+squeeze2.debian.tar.gz
  to main/c/curl/curl_7.21.0-2.1+squeeze2.debian.tar.gz
curl_7.21.0-2.1+squeeze2.dsc
  to main/c/curl/curl_7.21.0-2.1+squeeze2.dsc
curl_7.21.0-2.1+squeeze2_amd64.deb
  to main/c/curl/curl_7.21.0-2.1+squeeze2_amd64.deb
libcurl3-dbg_7.21.0-2.1+squeeze2_amd64.deb
  to main/c/curl/libcurl3-dbg_7.21.0-2.1+squeeze2_amd64.deb
libcurl3-gnutls_7.21.0-2.1+squeeze2_amd64.deb
  to main/c/curl/libcurl3-gnutls_7.21.0-2.1+squeeze2_amd64.deb
libcurl3_7.21.0-2.1+squeeze2_amd64.deb
  to main/c/curl/libcurl3_7.21.0-2.1+squeeze2_amd64.deb
libcurl4-gnutls-dev_7.21.0-2.1+squeeze2_amd64.deb
  to main/c/curl/libcurl4-gnutls-dev_7.21.0-2.1+squeeze2_amd64.deb
libcurl4-openssl-dev_7.21.0-2.1+squeeze2_amd64.deb
  to main/c/curl/libcurl4-openssl-dev_7.21.0-2.1+squeeze2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 658276@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <ghedo@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 24 Mar 2012 15:01:45 +0100
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl4-openssl-dev libcurl4-gnutls-dev libcurl3-dbg
Architecture: source amd64
Version: 7.21.0-2.1+squeeze2
Distribution: stable-security
Urgency: low
Maintainer: Ramakrishnan Muthukrishnan <rkrishnan@debian.org>
Changed-By: Alessandro Ghedini <ghedo@debian.org>
Description: 
 curl       - Get a file from an HTTP, HTTPS or FTP server
 libcurl3   - Multi-protocol file transfer library (OpenSSL)
 libcurl3-dbg - libcurl compiled with debug symbols
 libcurl3-gnutls - Multi-protocol file transfer library (GnuTLS)
 libcurl4-gnutls-dev - Development files and documentation for libcurl (GnuTLS)
 libcurl4-openssl-dev - Development files and documentation for libcurl (OpenSSL)
Closes: 658276
Changes: 
 curl (7.21.0-2.1+squeeze2) stable-security; urgency=low
 .
   * Non-maintainer upload
   * Add --ssl-allow-beast and CURLOPT_SSL_OPTIONS (Closes: #658276)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 12 May 2012 07:41:29 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 06:45:58 2014; Machine Name: buxtehude.debian.org