FEDORA-2024-634a6662aa created by jamacku 3 months ago for Fedora 40

Automatic update for curl-8.6.0-1.fc40.

* Thu Feb  1 2024 Jan Macku <> - 8.6.0-1
- new upstream release, which fixes the following vulnerabilities
    CVE-2024-0853 - OCSP verification bypass with TLS session reuse
- drop (replaced by upstream fix)
- remove accidentally included mk-ca-bundle.1 man page (upstream bug #12843)

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2024-634a6662aa

This update was automatically created (3 months ago)

This update's test gating status has been changed to 'waiting'. (3 months ago)

This update's test gating status has been changed to 'passed'. (3 months ago)

This update has been submitted for stable by bodhi (3 months ago)
lis commented & provided feedback 3 months ago

This breaks two distinct things for us (Cockpit project):

  • this upstream change causes --unix to stop working. OK, fair enough. --unix was never a valid option (the correct spelling is --unix-socket) and the change here is that the "partial match" feature was removed. Easy enough for us to fix, but that's surely going to hit other people as well.
  • worse, though: there's a new "curl: (8) Failed reading the chunked-encoded stream" failure coming from our tests and it's not clear why. I've tried to reproduce this with various versions from upstream git, but have been unable to do so.

Thank you for your feedback.

There was a big refactor/rewrite related to transfer response handling. So it's possible that there might be some regression -

I managed to bisect it to this commit: which is not included in that PR (which never got merged) but (indeed, curiously) tags it as Closed in the commit message.

It is "merged" via Closes #12480 in the commit message. (They add Closes to all commits and push them to the master branch. This results in closing the original PR.) It is included in curl 8.6.0.

I've done some additional research. It happens when the --head command-line option is used and the server returns a non-empty encoding with Transfer-Encoding: chunked. MDN says:

Warning: A response to a HEAD method should not have a body. If it has one anyway, that body must be ignored

which suggests that the server is behaving in a way it should not, but the bug is with curl for not ignoring it. The MDN article links the RFC which says something else:

The HEAD method is identical to GET except that the server MUST NOT send content in the response.

.... so, our bug?

Based on the links you provided, I would say so. Could you try updating your server so that the body is not sent for the HEAD method?

Could you provide a reproducer? I can report this issue to the upstream.

Or you can report it yourself here -

We ended up changing our webserver implementation to be more RFC compliant. Strictly speaking, this is not a curl bug (although the error message could certainly be improved...).

More info here:

Upstream merged commit, which ignores body when HEAD method was used.

I'm going to backport it to rawhide.
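The HEAD plus "Transfer-Encoding: chunked" situation analysed in the thread, as an added example: this is not code from the Bodhi page, from curl or from Cockpit, and the function names and the sample body are this example's own. It builds both server behaviours (a chunked body wrongly streamed in reply to HEAD, and the RFC 9110 compliant headers-only reply), a client-side reader that ignores anything following a HEAD response's headers (the behaviour the upstream commit restores), and a check for the bytes a non-compliant server leaves unread on the connection.

```python
"""Added example: HEAD responses and chunked transfer coding.
Not part of the Bodhi thread, curl or Cockpit; names are this example's own."""

CRLF = b"\r\n"


def chunked(body: bytes, chunk_size: int = 5) -> bytes:
    """Encode body with HTTP/1.1 chunked transfer coding (RFC 9112 section 7.1)."""
    out = bytearray()
    for i in range(0, len(body), chunk_size):
        piece = body[i:i + chunk_size]
        out += f"{len(piece):x}".encode() + CRLF + piece + CRLF
    out += b"0" + CRLF + CRLF  # last-chunk followed by an empty trailer section
    return bytes(out)


def decode_chunked(data: bytes) -> bytes:
    """Decode a chunked body; raise ValueError on a malformed or truncated stream."""
    body = bytearray()
    pos = 0
    while True:
        end = data.find(CRLF, pos)
        if end < 0:
            raise ValueError("truncated chunk-size line")
        size_field = data[pos:end].split(b";", 1)[0].strip()  # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError("bad chunk size %r" % size_field) from None
        pos = end + 2
        if size == 0:
            return bytes(body)  # trailers, if any, are not needed here
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != CRLF:
            raise ValueError("truncated chunk data")
        body += chunk
        pos += size + 2


def build_response(method: str, body: bytes, head_sends_body: bool = False) -> bytes:
    """Server side. The header block is the same for GET and HEAD; a compliant
    server sends no content for HEAD even though it may still advertise
    Transfer-Encoding: chunked (the header describes what GET would return).
    head_sends_body=True reproduces the non-compliant server from the thread."""
    headers = (b"HTTP/1.1 200 OK" + CRLF
               + b"Content-Type: text/plain" + CRLF
               + b"Transfer-Encoding: chunked" + CRLF
               + CRLF)
    if method == "GET" or (method == "HEAD" and head_sends_body):
        return headers + chunked(body)
    return headers


def parse_response(raw: bytes):
    """Split a raw response into (status code, header dict, bytes after the header block)."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(CRLF)
    status = int(lines[0].split(b" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status, headers, rest


def read_response(method: str, raw: bytes):
    """Client side: return (status, headers, body). For HEAD the body is always
    empty and whatever follows the headers is ignored rather than fed to the
    chunk decoder; for GET a chunked body is decoded."""
    status, headers, rest = parse_response(raw)
    if method == "HEAD":
        return status, headers, b""
    if headers.get("transfer-encoding", "").lower() == "chunked":
        return status, headers, decode_chunked(rest)
    return status, headers, rest


def unread_after_head(raw: bytes) -> bytes:
    """Bytes a correct HEAD client leaves on the connection. Non-empty means the
    server sent content for HEAD; on a reused keep-alive connection those bytes
    would be parsed as the start of the next response."""
    return parse_response(raw)[2]


def head_response_is_compliant(raw: bytes) -> bool:
    """RFC 9110 section 9.3.2: the server MUST NOT send content in reply to HEAD."""
    return unread_after_head(raw) == b""


if __name__ == "__main__":
    sample = b"hello world"  # constructed sample body
    bad = build_response("HEAD", sample, head_sends_body=True)
    good = build_response("HEAD", sample)
    print("non-compliant server leaves unread:", unread_after_head(bad))
    print("compliant? good:", head_response_is_compliant(good), "bad:", head_response_is_compliant(bad))
    print("GET body:", read_response("GET", build_response("GET", sample))[2])
```

The server-side fix the Cockpit project chose corresponds to calling `build_response("HEAD", ...)` with the default `head_sends_body=False`; the client-side fix that went into curl corresponds to `read_response` returning straight after the header block for HEAD instead of handing the trailing bytes to the chunk decoder.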


Content Type
Test Gating
Unstable by Karma
Stable by Karma
Stable by Time: 0 days
in testing: 3 months ago
in stable: 3 months ago
