[25.05] curlMinimal: apply patches for CVE-2025-9086 and CVE-2025-10148 #441889

Merged: Scrumplex merged 1 commit into NixOS:staging-25.05 from LeSuisse:curl-CVE-2025-9086-CVE-2025-10148-25.05 on Sep 11, 2025

@LeSuisse
Member

https://curl.se/docs/CVE-2025-9086.html
https://curl.se/docs/CVE-2025-10148.html

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

Add a 👍 reaction to pull requests you find important.

@LeSuisse LeSuisse added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Sep 10, 2025
github-actions[bot]

This comment was marked as resolved.

@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 4.workflow: backport This targets a stable branch labels Sep 10, 2025
@nix-owners nix-owners bot requested review from Scrumplex and lovek323 September 10, 2025 21:02
@LeSuisse LeSuisse force-pushed the curl-CVE-2025-9086-CVE-2025-10148-25.05 branch from 86fbb6a to 1af2de9 Compare September 10, 2025 21:13
@Scrumplex Scrumplex dismissed github-actions[bot]’s stale review September 11, 2025 08:57

Manual backport of a security fix. We don't intend to ship a newer curl unless absolutely needed

@Scrumplex Scrumplex merged commit e1c2e8e into NixOS:staging-25.05 Sep 11, 2025
35 of 39 checks passed
@nixpkgs-ci nixpkgs-ci bot added 12.approvals: 1 This PR was reviewed and approved by one person. 12.approved-by: package-maintainer This PR was reviewed and approved by a maintainer listed in any of the changed packages. labels Sep 11, 2025
@LeSuisse LeSuisse deleted the curl-CVE-2025-9086-CVE-2025-10148-25.05 branch September 14, 2025 20:42
@vcunat
Member

vcunat commented Sep 19, 2025

@LeSuisse
Member Author

Whoops, I thought I had built curlFull.

Anyway, fix can be reviewed here: #444299
