commit caa23e9ccfa82cd916d073c1bbc928f520c03c08 Author: Adrian Schröter Date: Fri Feb 9 15:24:49 2024 +0100 Sync from SUSE:ALP:Source:Standard:1.0 curl revision d02880ca69623f40b6a05705826f7da7
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..fecc750
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/baselibs.conf b/baselibs.conf
new file mode 100644
index 0000000..6cd7345
--- /dev/null
+++ b/baselibs.conf
@@ -0,0 +1,6 @@
+libcurl4
+ obsoletes "curl- <= "
+ provides "curl- = "
+libcurl-devel
+ requires -curl-
+ requires "libcurl4- = "
diff --git a/curl-8.6.0.tar.xz b/curl-8.6.0.tar.xz
new file mode 100644
index 0000000..ed3b524
--- /dev/null
+++ b/curl-8.6.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3ccd55d91af9516539df80625f818c734dc6f2ecf9bada33c76765e99121db15
+size 2630108
diff --git a/curl-8.6.0.tar.xz.asc b/curl-8.6.0.tar.xz.asc
new file mode 100644
index 0000000..3f300d5
--- /dev/null
+++ b/curl-8.6.0.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmW58RcACgkQXMkI/bce
+EsKLvgf9Em0etBEnbJzkhmCiKUOfn3sTKhIHA4y1/O+anaNfEx0E89VUQuFZRcUz
+i4ENOVjTXxVy4zZUobOOWz7RXrvv6XnX9A++RYkBoEk4mmNB3A6ShsTeCR2mS4yi
+dL5UfH2YEu7B6x/ONROKKuGawsqw0D6wzVgrD+J1e8Bu+1P8YOUqsQWVJmJFlYMN
+2A8NP4GZHnmP3rnupx1RY3/MgJU0FjlQ428BOA7PIiYKEVto0dp6cqd4AQsLgQPy
+J1RBcge1Uwqe+k/IenUx7bUaQfr+NY34ryrMxbLPghPimfeyjjsDxyr+OwoQM1aw
+64WqLXBgQmhluT0STyHdD0Tc/JHYrw==
+=GboB
+-----END PGP SIGNATURE-----
diff --git a/curl-disabled-redirect-protocol-message.patch b/curl-disabled-redirect-protocol-message.patch
new file mode 100644
index 0000000..79a5565
--- /dev/null
+++ b/curl-disabled-redirect-protocol-message.patch
@@ -0,0 +1,20 @@
+Index: curl-7.82.0/lib/url.c
+===================================================================
+--- curl-7.82.0.orig/lib/url.c
++++ curl-7.82.0/lib/url.c
+@@ -1832,9 +1832,13 @@ static CURLcode findprotocol(struct Curl
+ /* it is allowed for "normal" request, now do an extra check if this is
+ the result of a redirect */
+ if(data->state.this_is_a_follow &&
+- !(data->set.redir_protocols & p->protocol))
++ !(data->set.redir_protocols & p->protocol)) {
+ /* nope, get out */
+- ;
++ failf(data, "Redirect to protocol \"%s\" not supported or disabled in "
++ LIBCURL_NAME, protostr);
++
++ return CURLE_UNSUPPORTED_PROTOCOL;
++ }
+ else {
+ /* Perform setup complement if some. */
+ conn->handler = conn->given = p;
diff --git a/curl-secure-getenv.patch b/curl-secure-getenv.patch
new file mode 100644
index 0000000..9970c58
--- /dev/null
+++ b/curl-secure-getenv.patch
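Review bot: The quilt header of curl-disabled-redirect-protocol-message.patch still names `curl-7.82.0/lib/url.c`, while the tarball added by this commit is curl-8.6.0 and the 8.6.0 changelog entry lists an upstream change "url: for disabled protocols, mention if found in redirect". The added `return CURLE_UNSUPPORTED_PROTOCOL;` sits in the branch of findprotocol() that enforces `redir_protocols`, so if the spec still applies this patch it should be rebased against 8.6.0 and re-checked rather than applied with shifted context, or dropped if upstream now gives the same result. A short header above `Index:` would record that status, for example `# SUSE-specific: report a redirect to a disabled protocol explicitly; drop once upstream is equivalent`. findprotocol() starts and ends outside the inner hunk, so the fall-through path for the old `;` branch cannot be confirmed from here.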
@@ -0,0 +1,41 @@
+Index: curl-8.5.0/lib/getenv.c
+===================================================================
+--- curl-8.5.0.orig/lib/getenv.c
++++ curl-8.5.0/lib/getenv.c
+@@ -29,6 +29,14 @@
+
+ #include "memdebug.h"
+
++#ifndef HAVE_SECURE_GETENV
++# ifdef HAVE___SECURE_GETENV
++# define secure_getenv __secure_getenv
++# else
++# error neither secure_getenv nor __secure_getenv is available
++# endif
++#endif
++
+ static char *GetEnv(const char *variable)
+ {
+ #if defined(_WIN32_WCE) || defined(CURL_WINDOWS_APP) || \
+@@ -69,7 +77,7 @@ static char *GetEnv(const char *variable
+ /* else rc is bytes needed, try again */
+ }
+ #else
+- char *env = getenv(variable);
++ char *env = secure_getenv(variable);
+ return (env && env[0])?strdup(env):NULL;
+ #endif
+ }
+Index: curl-8.5.0/configure.ac
+===================================================================
+--- curl-8.5.0.orig/configure.ac
++++ curl-8.5.0/configure.ac
+@@ -4767,6 +4767,8 @@ if test "x$want_curldebug_assumed" = "xy
+ ac_configure_args="$ac_configure_args --enable-curldebug"
+ fi
+
++AC_CHECK_FUNCS([__secure_getenv secure_getenv])
++
+ AC_CONFIG_FILES([Makefile \
+ docs/Makefile \
+ docs/examples/Makefile \
diff --git a/curl.changes b/curl.changes
new file mode 100644
index 0000000..e7017fa
--- /dev/null
+++ b/curl.changes
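Review bot: The new call `secure_getenv(variable)` in GetEnv() needs a visible prototype, which glibc's <stdlib.h> provides only when `_GNU_SOURCE` is defined, and nothing in this patch defines it or tests for the declaration. `AC_CHECK_FUNCS([__secure_getenv secure_getenv])` proves only that the symbol links, so I would add `AC_CHECK_DECLS([secure_getenv], [], [], [[#include <stdlib.h>]])` to catch an undeclared call at configure time; whether curl's configure already sets `_GNU_SOURCE` is not visible here. The hardening also covers only lookups routed through GetEnv(), so any direct `getenv()` call elsewhere in lib/ or src/ would still read the environment of a setuid/setgid process and is worth a grep. A comment above the call would document the intent, for example `/* secure_getenv() returns NULL in secure-execution mode (setuid/setgid/capabilities) */`. GetEnv() is only partly shown by the inner hunks.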
@@ -0,0 +1,6114 @@ +------------------------------------------------------------------- +Wed Jan 31 09:11:56 UTC 2024 - Pedro Monreal + +- Update to 8.6.0: [bsc#1219149, CVE-2024-0853] + * Security fixes: + - CVE-2024-0853: OCSP verification bypass with TLS session reuse + * Changes: + - add CURLE_TOO_LARGE, CURLINFO_QUEUE_TIME_T + * Bugfixes: + - altsvc: free 'as' when returning error + - asyn-ares: with modern c-ares, use its default timeout + - cf-socket: show errno in tcpkeepalive error messages + - cmdline-opts: update availability for the *-ca-native options + - configure: when enabling QUIC, check that TLS supports QUIC + - content_encoding: change return code to typedef'ed enum + - curl: show ipfs and ipns as supported "protocols" + - CURLINFO_REFERER.3: clarify that it is the *request* header + - dist: add tests/errorcodes.pl to the tarball + - gen.pl: support ## for doing .IP in table-like lists + - GHA: bump ngtcp2, gnutls, mod_h2, quiche + - hostip: return error immediately when Curl_ip2addr() fails + - http3/quiche: fix result code on a stream reset + - http3: initial support for OpenSSL 3.2 QUIC stack + - http: check for "Host:" case insensitively + - http: fix off-by-one error in request method length check + - http: only act on 101 responses when they are HTTP/1.1 + - lib: add debug log outputs for CURLE_BAD_FUNCTION_ARGUMENT + - lib: error out on multissl + http3 + - lib: fix variable undeclared error caused by `infof` changes + - lib: rename Curl_strndup to Curl_memdup0 to avoid misunderstanding + - lib: strndup/memdup instead of malloc, memcpy and null-terminate + - libssh2: use `libssh2_session_callback_set2()` with v1.11.1 + - ngtcp2: put h3 at the front of alpn + - openldap: fix an LDAP crash + - openldap: fix STARTTLS + - openssl: re-match LibreSSL deinit with init + - rtsp: deal with borked server responses + - sasl: make login option string override http auth + - tool: prepend output_dir in header callback + - tool_getparam: stop supporting 
`@filename` style for --cookie + - transfer: fix upload rate limiting, add test cases + - url: don't set default CA paths for Secure Transport backend + - url: for disabled protocols, mention if found in redirect + - vquic: extract TLS setup into own source + - websockets: check for negative payload lengths + * Remove patches fixed upstream: + - curl-adjust-pollset-fix.patch + - curl-tests-errorcodes.patch + * Rebase dont-mess-with-rpmoptflags.patch + +------------------------------------------------------------------- +Fri Jan 5 17:54:08 UTC 2024 - Michael Pujos + +- Added curl-adjust-pollset-fix.patch to fix broken MPD http streaming: + https://github.com/curl/curl/issues/12632 + +------------------------------------------------------------------- +Wed Dec 6 09:51:20 UTC 2023 - Pedro Monreal + +- Update to 8.5.0: + * Security fixes: + - [bsc#1217573, CVE-2023-46218] cookie mixed case PSL bypass + - [bsc#1217574, CVE-2023-46219] HSTS long file name clears contents + * Changes: + - gnutls: support CURLSSLOPT_NATIVE_CA + - HTTP3: ngtcp2 builds are no longer experimental + * Bugfixes: + - asyn-thread: use pipe instead of socketpair for IPC when available + - cmake: fix OpenSSL quic detection in quiche builds + - conncache: use the closure handle when disconnecting surplus connections + - content_encoding: make Curl_all_content_encodings allocless + - cookie: lowercase the domain names before PSL checks + - Curl_http_body: cleanup properly when Curl_getformdata errors + - CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range + - doh: provide better return code for responses w/o addresses + - doh: use PIPEWAIT when HTTP/2 is attempted + - duphandle: also free 'outcurl->cookies' in error path + - duphandle: make dupset() not return with pointers to old alloced data + - duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set + - easy: in duphandle, init the cookies for the new handle + - easy_lock: add a pthread_mutex_t fallback + - fopen: 
create new file using old file's mode + - fopen: create short(er) temporary file name + - getenv: PlayStation doesn't have getenv() + - hostip: show the list of IPs when resolving is done + - hsts: skip single-dot hostname + - HTTP/2, HTTP/3: handle detach of onoing transfers + - http: allow longer HTTP/2 request method names + - hyper: temporarily remove HTTP/2 support + - IPFS: fix IPFS_PATH and file parsing + - multi: during ratelimit multi_getsock should return no sockets + - multi: use pipe instead of socketpair to *wakeup() + - ngtcp2: fix races in stream handling + - ntlm_wb: use pipe instead of socketpair when possible + - openssl: avoid BN_num_bits() NULL pointer derefs + - openssl: fix building with v3 `no-deprecated` + add CI test + - openssl: fix infof() to avoid compiler warning for %s with null + - openssl: identify the "quictls" backend correctly + - openssl: include SIG and KEM algorithms in verbose + - openssl: two multi pointer checks should probably rather be asserts + - openssl: when a session-ID is reused, skip OCSP stapling + - quic: make eyeballers connect retries stop at weird replies + - quic: manage connection idle timeouts + - setopt: check CURLOPT_TFTP_BLKSIZE range on set + - socks: better buffer size checks for socks4a user and hostname + - socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice + - tool: fix --capath when proxy support is disabled + - tool_getparam: limit --rate to be smaller than number of ms + - transfer: abort pause send when connection is marked for closing + - transfer: avoid calling the read callback again after EOF + - transfer: only reset the FTP wildcard engine in CLEAR state + - url: don't touch the multi handle when closing internal handles + - urlapi: avoid null deref if setting blank host to url encode + - urlapi: skip appending NULL pointer query + - urlapi: when URL encoding the fragment, pass in the right length + - vtls: cleanup SSL config management + - vtls: consistently use typedef names for OpenSSL 
structs + - vtls: late clone of connection ssl config + - vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 + * Rebase curl-secure-getenv.patch + * Add curl-tests-errorcodes.patch + +------------------------------------------------------------------- +Wed Oct 11 06:33:28 UTC 2023 - Pedro Monreal + +- Update to 8.4.0: + * Security fixes: + - SOCKS5 heap buffer overflow [bsc#1215888, CVE-2023-38545] + - cookie injection with none file [bsc#1215889, CVE-2023-38546] + * Changes: + - curl: add support for the IPFS protocols via HTTP gateway + - curl_multi_get_handles: get easy handles from a multi handle + - mingw: delete support for legacy mingw.org toolchain + * Bugfixes: + - base64: also build for curl + - cf-socket: simulate slow/blocked receives in debug + - configure: check for the capath by default + - connect: expire the timeout when trying next + - connect: only start the happy eyeballs timer when needed + - cookie: do not store the expire or max-age strings + - cookie: remove unnecessary struct fields + - cookie: set ->running in cookie_init even if data is NULL + - create-dirs.d: clarify it also uses --output-dirs + - http2: refused stream handling for retry + - http: h1/h2 proxy unification + - http: use per-request counter to check too large headers + - idn: if idn2_check_version returns NULL, return error + - lib: enable hmac for digest as well + - lib: let the max filesize option stop too big transfers too + - lib: move handling of 'data->req.writer_stack' into Curl_client_write() + - lib: provide and use Curl_hexencode + - lib: use wrapper for curl_mime_data fseek callback + - libssh2: fix error message on failed pubkey-from-file + - libssh: cap SFTP packet size sent + - MQTT: improve receive of ACKs + - multi: do CURLM_CALL_MULTI_PERFORM at two more places + - multi: round the timeout up to prevent early wakeups + - openssl: improve ssl shutdown handling + - openssl: use X509_ALGOR_get0 instead of reaching into X509_ALGOR + - pytest: exclude 
test_03_goaway in CI runs due to timing dependency + - quic: set ciphers/curves the same way regular TLS does + - quiche: fix build error with --with-ca-fallback + - socks: return error if hostname too long for remote resolve + - tftpd: always use curl's own tftp.h + - tool_getparam: accept variable expansion on file names too + - upload-file.d: describe the file name slash/backslash handling + - url: fall back to http/https proxy env-variable if ws/wss not set + - url: fix netrc info message + - wolfssh: do cleanup in Curl_ssh_cleanup + - wolfssl: allow capath with CURLOPT_CAINFO_BLOB + - wolfssl: if CURLOPT_CAINFO_BLOB is set, ignore the CA files + - wolfssl: ignore errors in CA path + * Rebase libcurl-ocloexec.patch + +------------------------------------------------------------------- +Wed Sep 13 06:45:33 UTC 2023 - Pedro Monreal + +- Update to 8.3.0: [bsc#1215026, CVE-2023-38039] + * Changes: + - curl: make %output{} in -w specify a file to write to + - gskit: remove + - lib: --disable-bindlocal builds curl without local binding support + - nss: remove support for this TLS library + - tool: add "variable" support + - trace: make tracing available in non-debug builds + - url: change default value for CURLOPT_MAXREDIRS to 30 + - urlapi: CURLU_PUNY2IDN - convert from punycode to IDN name + * Bugfixes: + - altsvc: accept and parse IPv6 addresses in response headers + - asyn-ares: reduce timeout to 2000ms + - aws-sigv4: canonicalize the query + - aws-sigv4: fix having date header twice in some cases + - aws-sigv4: handle no-value user header entries + - c-hyper: adjust the hyper to curlcode conversion + - c-hyper: fix memory leaks in `Curl_http` + - cf-haproxy: make CURLOPT_HAPROXY_CLIENT_IP set the *source* IP + - cf-socket: log successful interface bind + - cmake: add GnuTLS option + - cmake: add support for `CURL_DEFAULT_SSL_BACKEND` + - cmake: detect `SSL_set0_wbio` in OpenSSL + - configure: trust pkg-config when it's used for zlib + - configure: use the 
pkg-config --libs-only-l flag for libssh2 + - connect: stop halving the remaining timeout when less than 600 ms left + - crypto: ensure crypto initialization works + - digest: Use hostname to generate spn instead of realm + - ftp: fix temp write of ipv6 address + - headers: accept leading whitespaces on first response header + - http2: fix in h2 proxy tunnel: progress in ingress on sending + - http3/ngtcp2: shorten handshake, trace cleanup + - http3: quiche, handshake optimization, trace cleanup + - http: close the connection after a late 417 is received + - http: fix sending of large requests + - http: return error when receiving too large header set + - lib: fix null ptr derefs and uninitialized vars (h2/h3) + - lib: move mimepost data from ->req.p.http to ->state + - list-only.d: mention SFTP as supported protocol + - ngtcp2: fix handling of large requests + - openssl: auto-detect `SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED` + - openssl: clear error queue after SSL_shutdown + - openssl: make aws-lc version support OCSP + - openssl: Support async cert verify callback + - openssl: switch to modern init for LibreSSL 2.7.0+ + - openssl: when CURLOPT_SSL_CTX_FUNCTION is registered, init x509 store before + - quic: don't set SNI if hostname is an IP address + - quiche: adjust quiche `QUIC_IDLE_TIMEOUT` to 60s + - quiche: enable quiche to handle timeout events + - resolve: use PF_INET6 family lookups when CURL_IPRESOLVE_V6 is set + - schannel: verify hostname independent of verify cert + - tool_filetime: make -z work with file dates before 1970 + - tool_operate: allow both SSL_CERT_FILE and SSL_CERT_DIR + - tool_operate: make aws-sigv4 not require TLS to be used + - transfer: also stop the sending on closed connection + - urlapi: fix heap buffer overflow + - urlapi: setting a blank URL ("") is not an ok URL + +------------------------------------------------------------------- +Fri Jul 28 08:54:52 UTC 2023 - Pedro Monreal + +- Update to 8.2.1: + * Bugfixes: + - cfilters: 
rename close/connect functions to avoid clashes + - ciphers.d: put URL in first column + - cmake: add 'libcurlu'/'libcurltool' for unit tests + - cmake: update ngtcp2 detection + - configure: check for nghttp2_session_get_stream_local_window_size + - docs: mark two TLS options for TLS, not SSL + - docs: provide more see also for cipher options + - hostip: return IPv6 first for localhost resolves + - http2: fix regression on upload EOF handling + - http: VLH, very large header test and fixes + - libcurl-errors.3: add CURLUE_OK + - os400: correct EXPECTED_STRING_LASTZEROTERMINATED + - quiche: fix lookup of transfer at multi + - quiche: fix segfault and other things + - rustls: update rustls-ffi 0.10.0 + - socks: print ipv6 address within brackets + - src/mkhelp: strip off escape sequences + - tool: fix tool_seek_cb build when SIZEOF_CURL_OFF_T > SIZEOF_OFF_T + - transfer: do not clear the credentials on redirect to absolute URL + - unittest: remove unneeded *_LDADD + - websocket: rename arguments/variables to match docs + +------------------------------------------------------------------- +Wed Jul 19 06:22:14 UTC 2023 - Pedro Monreal + +- Update to 8.2.0 [bsc#1213237, CVE-2023-32001] + * Security fix: + - CVE-2023-32001: fopen race condition + * Changes: + - curl: add --ca-native and --proxy-ca-native + - curl: add --trace-ids + - CURLOPT_MAIL_RCPT_ALLOWFAILS: replace CURLOPT_MAIL_RCPT_ALLLOWFAILS + - haproxy: add --haproxy-clientip flag to set client IPs + - lib: add CURLINFO_CONN_ID and CURLINFO_XFER_ID + * Bugfixes: + - cf-socket: don't bypass fclosesocket callback if cancelled before connect + - cf-socket: skip getpeername()/getsockname for TFTP + - curl: count uploaded data to stop at the originally given size + - curl: return error when asked to use an unsupported HTTP version + - http2: fix crash in handling stream weights + - http2: send HEADER & DATA together if possible + - http3/ngtcp2: upload EAGAIN handling + - http: rectify the outgoing Cookie: header 
field size check + - hyper: fix EOF handling on input + - imap: Provide method to disable SASL if it is advertised + - libssh2: provide error message when setting host key type fails + - libssh2: use custom memory functions + - ngtcp2: assigning timeout, but value is overwritten before used + - quiche: avoid NULL deref in debug logging + - sectransp: fix EOF handling + - system.h: remove __IBMC__/__IBMCPP__ guards and apply to all z/OS compiles + - timeval: use CLOCK_MONOTONIC_RAW if available + - tls13-ciphers.d: include Schannel + - tool_easysrc.h: correct `easysrc_perform` for `CURL_DISABLE_LIBCURL_OPTION` + - tool_operate: allow cookie lines up to 8200 bytes + - tool_parsecfg: accept line lengths up to 10M + - tool_writeout_json: fix encoding of control characters + - transfer: clear credentials when redirecting to absolute URL + - urlapi: have *set(PATH) prepend a slash if one is missing + - urlapi: scheme must start with alpha + - vtls: avoid memory leak if sha256 call fails + - websocket-cb: example doing WebSocket download using callback + - ws: make the curl_ws_meta() return pointer a const + +------------------------------------------------------------------- +Tue May 30 09:08:35 UTC 2023 - Pedro Monreal + +- Update to 8.1.2: + * Bugfixes: + - configure: quote the assignments for run-compiler + - configure: without pkg-config and no custom path, use -lnghttp2 + - curl: cache the --trace-time value for a second + - http2: fix EOF handling on uploads with auth negotiation + - http3: send EOF indicator early as possible + - lib1560: verify more scheme guessing + - lib: remove unused functions, make single-use static + - libcurl.m4: remove trailing 'dnl' that causes this to break autoconf + - libssh: when keyboard-interactive auth fails, try password + - misc: fix spelling mistakes + - page-header: mention curl version and how to figure out current release + - page-header: minor wording polish in the URL segment + - scripts/singleuse.pl: add more API calls + 
- urlapi: remove superfluous host name check + +------------------------------------------------------------------- +Tue May 23 10:14:39 UTC 2023 - Pedro Monreal + +- Update to 8.1.1: + * Bugfixes: + - cf-socket: completely remove the disabled + USE_RECV_BEFORE_SEND_WORKAROUND + - checksrc: disallow spaces before labels + - curl_easy_getinfo: clarify on return data types + - docs: document that curl_url_cleanup(NULL) is a safe no-op + - hostip: move easy_lock.h include above curl_memory.h + - http2: double http request parser max line length + - http2: increase stream window size to 10 MB + - lib: rename struct 'http_req' to 'httpreq' + - ngtcp2: proper handling of uint64_t when adjusting send buffer + - sectransp.c: make the code c89 compatible + - select: avoid returning an error on EINTR from select() or poll() + - url: provide better error message when URLs fail to parse + - urlapi: allow numerical parts in the host name + +------------------------------------------------------------------- +Wed May 17 08:13:32 UTC 2023 - David Anes + +- Update to 8.1.0: + * Security fixes: + - UAF in SSH sha256 fingerprint [bsc#1211230, CVE-2023-28319] + - siglongjmp race condition [bsc#1211231, CVE-2023-28320] + - IDN wildcard match [bsc#1211232, CVE-2023-28321] + - POST-after-PUT confusion [bsc#1211233, CVE-2023-28322] + - See also: https://curl.se/docs/security.html + * Changes: + - curl: add --proxy-http2 + - CURLPROXY_HTTPS2: for HTTPS proxy that may speak HTTP/2 + - hostip: refuse to resolve the .onion TLD + - tool_writeout: add URL component variables + * Bugfixes: + - See full changelog here: https://curl.se/changes.html#8_1_0 + +------------------------------------------------------------------- +Tue Mar 21 08:44:52 UTC 2023 - Pedro Monreal + +- Update to 8.0.1: + * Bugfixes: + - fix crash in curl_easy_cleanup + +------------------------------------------------------------------- +Mon Mar 20 07:19:32 UTC 2023 - Pedro Monreal + +- Update to 8.0.0: + * Security fixes: + 
- TELNET option IAC injection [bsc#1209209, CVE-2023-27533] + - SFTP path ~ resolving discrepancy [bsc#1209210, CVE-2023-27534] + - FTP too eager connection reuse [bsc#1209211, CVE-2023-27535] + - GSS delegation too eager connection re-use [bsc#1209212, CVE-2023-27536] + - HSTS double-free [bsc#1209213, CVE-2023-27537] + - SSH connection too eager reuse still [bsc#1209214, CVE-2023-27538] + * Changes: + - build: remove support for curl_off_t < 8 bytes + * Bugfixes: + - aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3 + - BINDINGS: add Fortran binding + - cf-socket: use port 80 when resolving name for local bind + - cookie: don't load cookies again when flushing + - curl_path: create the new path with dynbuf + - CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe + - DYNBUF.md: note Curl_dyn_add* calls Curl_dyn_free on failure + - ftp: active mode with SSL, add the filter + - hostip: avoid sscanf and extra buffer copies + - http2: fix for http2-prior-knowledge when reusing connections + - http2: fix handling of RST and GOAWAY to recognize partial transfers + - http: don't send 100-continue for short PUT requests + - http: fix unix domain socket use in https connects + - libssh: use dynbuf instead of realloc + - ngtcp2-gnutls.yml: bump to gnutls 3.8.0 + - sectransp: make read_cert() use a dynbuf when loading + - telnet: only accept option arguments in ascii + - telnet: parse telnet options without sscanf + - url: fix the SSH connection reuse check + - url: only reuse connections with same GSS delegation + - urlapi: '%' is illegal in host names + - ws: keep the socket non-blocking + * Rebase libcurl-ocloexec.patch + +------------------------------------------------------------------- +Mon Feb 20 10:35:11 UTC 2023 - Guillaume GARDET + +- Update to 7.88.1: + * Bugfix release +- Drop upstreamed patch: + * curl-fix-uninitialized-value-in-tests.patch + +------------------------------------------------------------------- +Wed Feb 15 08:39:24 UTC 2023 - Pedro Monreal + 
+- Update to 7.88.0: [bsc#1207990, CVE-2023-23914] + [bsc#1207991, CVE-2023-23915] [bsc#1207992, CVE-2023-23916] + * Security fixes: + - CVE-2023-23914: HSTS ignored on multiple requests + - CVE-2023-23915: HSTS amnesia with --parallel + - CVE-2023-23916: HTTP multi-header compression denial of service + * Changes: + - curl.h: add CURL_HTTP_VERSION_3ONLY + - share: add sharing of HSTS cache among handles + - src: add --http3-only + - tool_operate: share HSTS between handles + - urlapi: add CURLU_PUNYCODE + - writeout: add %{certs} and %{num_certs} + * Bugfixes: + - cf-socket: keep sockaddr local in the socket filters + - cfilters:Curl_conn_get_select_socks: use the first non-connected filter + - curl.h: allow up to 10M buffer size + - curl.h: mark CURLSSLBACKEND_MESALINK as deprecated + - curl/websockets.h: extend the websocket frame struct + - curl: output warning at --verbose output for debug-enabled version + - curl_free.3: fix return type of `curl_free` + - curl_log: for failf/infof and debug logging implementations + - dict: URL decode the entire path always + - docs/DEPRECATE.md: deprecate gskit + - easyoptions: fix header printing in generation script + - haxproxy: send before TLS handhshake + - hsts.d: explain hsts more + - hsts: handle adding the same host name again + - HTTP/[23]: continue upload when state.drain is set + - http: decode transfer encoding first + - http_aws_sigv4: remove typecasts from HMAC_SHA256 macro + - http_proxy: do not assign data->req.p.http use local copy + - lib: connect/h2/h3 refactor + - libssh2: try sha2 algos for hostkey methods + - md4: fix build with GnuTLS + OpenSSL v1 + - ngtcp2: replace removed define and stop using removed function + - noproxy: support for space-separated names is deprecated + - nss: implement data_pending method + - openldap: fix missing sasl symbols at build in specific configs + - openssl: adapt to boringssl's error code type + - openssl: don't ignore CA paths when using Windows CA store (redux) + - 
openssl: don't log raw record headers + - openssl: make the BIO_METHOD a local variable in the connection filter + - openssl: only use CA_BLOB if verifying peer + - openssl: remove attached easy handles from SSL instances + - openssl: store the CA after first send (ClientHello) + - setopt: use >, not >=, when checking if uarg is larger than uint-max + - smb: return error on upload without size + - socketpair: allow localhost MITM sniffers + - strdup: name it Curl_strdup + - tool_getparam: fix hiding of command line secrets + - tool_operate: fix error codes on bad URL & OOM + - tool_operate: repair --rate + - transfer: break the read loop when RECV is cleared + - typecheck: accept expressions for option/info parameters + - urlapi: avoid Curl_dyn_addf() for hex outputs + - urlapi: skip path checks if path is just "/" + - urlapi: skip the extra dedotdot alloc if no dot in path + - urldata: cease storing TLS auth type + - urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP + - urldata: make set.http200aliases conditional on HTTP being present + - urldata: move the cookefilelist to the 'set' struct + - urldata: remove unused struct fields, made more conditional + - vquic: stabilization and improvements + - vtls: fix hostname handling in filters + - vtls: manage current easy handle in nested cfilter calls + - vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used + * Rebase libcurl-ocloexec.patch + * Fix regression tests: f1d09231adfc695d15995b9ef2c8c6e568c28091 + - runtests: fix "uninitialized value $port" + - Add curl-fix-uninitialized-value-in-tests.patch + +------------------------------------------------------------------- +Wed Dec 21 08:19:23 UTC 2022 - David Anes + +- Update to 7.87.0: + * Security fixes: + - CVE-2022-43551, bsc#1206308: another HSTS bypass via IDN + - CVE-2022-43552, bsc#1206309: HTTP Proxy deny use-after-free + * Changes + - curl: add --url-query + - CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit + - lib: add CURL_WRITEFUNC_ERROR to 
signal write callback error + - openssl: reduce CA certificate bundle reparsing by caching + - version: add a feature names array to curl_version_info_data + * Bugfixes + - altsvc: fix rejection of negative port numbers + - aws_sigv4: consult x-%s-content-sha256 for payload hash + - aws_sigv4: fix typos in aws_sigv4.c + - base64: better alloc size + - base64: encode without using snprintf + - base64: faster base64 decoding + - build: assume assert.h is always available + - build: assume errno.h is always available + - c-hyper: CONNECT respones are not server responses + - c-hyper: fix multi-request mechanism + - CI: Change FreeBSD image from 12.3 to 12.4 + - CI: LGTM.com will be shut down in December 2022 + - ci: Remove zuul fuzzing job as it's superseded by CIFuzz + - cmake: check for cross-compile, not for toolchain + - CMake: fix build with `CURL_USE_GSSAPI` + - cmake: really enable warnings with clang + - cmake: set the soname on the shared library + - cmdline-opts/gen.pl: fix the linkifier + - cmdline-opts/page-footer: remove long option nroff formatting + - config-mac: define HAVE_SYS_IOCTL_H + - config-mac: fix typo: size_T -> size_t + - config-mac: remove HAVE_SYS_SELECT_H + - config-win32: fix SIZEOF_OFF_T for MSVC and old MinGW + - configure: require fork for NTLM-WB + - contributors.sh: actually use $CURLWWW instead of just setting it + - cookie: compare cookie prefixes case insensitively + - cookie: expire cookies at once when max-age is negative + - cookie: open cookie jar as a binary file + - curl-openssl.m4: do not add $prefix/include/openssl to CPPFLAGS + - curl-rustls.m4: on macOS, rustls also needs the Security framework + - curl.h: include on SerenityOS + - curl.h: name all public function parameters + - curl.h: reword comment to not use deprecated option + - curl: override the numeric locale and set "C" by force + - curl: timeout in the read callback + - curl_endian: remove Curl_write64_le from header + - curl_get_line: allow last line without 
newline char + - curl_path: do not add '/' if homedir ends with one + - curl_url_get.3: remove spurious backtick + - curl_url_set.3: document CURLU_DISALLOW_USER + - curl_url_set.3: fix typo + - CURLMOPT_SOCKETFUNCTION.3: clarify CURL_POLL_REMOVE + - CURLOPT_COOKIEFILE.3: advice => advise + - CURLOPT_DEBUGFUNCTION.3: do not assume nul-termination in example + - CURLOPT_DEBUGFUNCTION.3: emphasize that incoming data is "raw" + - CURLOPT_POST.3: Explain setting to 0 changes request type + - docs/curl_ws_send: Fixed typo in websocket docs + - docs/EARLY-RELEASE.md: how to determine an early release + - docs/examples: spell correction ('Retrieve') + - docs/INSTALL.md: expand on static builds + - docs/WEBSOCKET.md: explain the URL use + - docs: add missing parameters for --retry flag + - docs: add more "SEE ALSO" links to CA related pages + - docs: explain the noproxy CIDR notation support + - docs: extend the dump-header documentation + - docs: remove performance note in CURLOPT_SSL_VERIFYPEER + - examples/10-at-a-time: fix possible skipped final transfers + - examples: update descriptions + - ftp: support growing files with CURLOPT_IGNORE_CONTENT_LENGTH + - gen.pl: do not generate CURLHELP bitmask lines > 79 characters + - GHA: clarify workflows permissions, set least possible privilege + - GHA: NSS use clang instead of clang-9 + - gnutls: use common gnutls init and verify code for ngtcp2 + - headers: add endif comments + - HTTP-COOKIES.md: mention that http://localhost is a secure context + - HTTP-COOKIES.md: update the 6265bis link to draft-11 + - http: do not send PROXY more than once + - http: fix the ::1 comparison for IPv6 localhost for cookies + - http: set 'this_is_a_follow' in the Location: logic + - http: use the IDN decoded name in HSTS checks + - hyper: classify headers as CONNECT and 1XX + - hyper: fix handling of hyper_task's when reusing the same address + - idn: remove Curl_win32_ascii_to_idn + - INSTALL: update operating systems and CPU archs + - 
KNOWN_BUGS: remove eight entries
+ - lib1560: add some basic IDN host name tests
+ - lib: connection filters (cfilter) addition to curl:
+ - lib: feature deprecation warnings in gcc >= 4.3
+ - lib: fix some type mismatches and remove unneeded typecasts
+ - lib: parse numbers with fixed known base 10
+ - lib: remove bad set.opt_no_body assignments
+ - lib: rewind BEFORE request instead of AFTER previous
+ - lib: sync guard for Curl_getaddrinfo_ex() definition and use
+ - lib: use size_t or int etc instead of longs
+ - libcurl-errors.3: remove duplicate word
+ - libssh2: return error when ssh_hostkeyfunc returns error
+ - limit-rate.d: see also --rate
+ - log2changes.pl: wrap long lines at 80 columns
+ - Makefile.mk: address minor issues
+ - Makefile.mk: improve a GNU Make hack
+ - Makefile.mk: portable Makefile.m32
+ - maketgz: set the right version in lib/libcurl.plist
+ - mime: relax easy/mime structures binding
+ - misc: Fix incorrect spelling
+ - misc: remove duplicated include files
+ - misc: typo and grammar fixes
+ - negtelnetserver.py: have it call its close() method
+ - netrc.d: provide mutext info
+ - netware: remove leftover traces
+ - noproxy: also match with adjacent comma
+ - noproxy: guard against empty hostnames in noproxy check
+ - noproxy: tailmatch like in 7.85.0 and earlier
+ - nroff-scan.pl: detect double highlights
+ - ntlm: improve comment for encrypt_des
+ - ntlm: silence ubsan warning about copying from null target_info pointer
+ - openssl/mbedtls: use %d for outputing port with failf (int)
+ - openssl: prefix errors with '[lib]/[version]: '
+ - os400: use platform socklen_t in Curl_getnameinfo_a
+ - page-header: grammar improvement (display transfer rate)
+ - proxy: refactor haproxy protocol handling as connection filter
+ - README.md: remove badges and xmas-tree garnish
+ - rtsp: fix RTSP auth
+ - runtests: --no-debuginfod now disables DEBUGINFOD_URLS
+ - runtests: do CRLF replacements per section only
+ - scripts/checksrc.pl: detect 
duplicated include files
+ - sendf: change Curl_read_plain to wrap Curl_recv_plain
+ - sendf: remove unnecessary if condition
+ - setup: do not require __MRC__ defined for Mac OS 9 builds
+ - smb/telnet: do not free the protocol struct in *_done()
+ - socks: fix username max size is 255 (0xFF)
+ - spellcheck.words: remove 'github' as an accepted word
+ - ssl-reqd.d: clarify that this is for upgrading connections only
+ - strcase: use curl_str(n)equal for case insensitive matches
+ - styled-output.d: this option does not work on Windows
+ - system.h: fix socklen_t, curl_off_t, long long for Classic Mac OS
+ - system.h: support 64-bit curl_off_t for NonStop 32-bit
+ - test1421: fix typo
+ - test3026: reduce runtime in legacy mingw builds
+ - tests/sshserver.pl: re-enable ssh-rsa while using openssh 8.8+
+ - tests: add authorityInfoAccess to generated certs
+ - tests: add HTTP/3 test case, custom location for proper nghttpx
+ - tls: backends use connection filters for IO, enabling HTTPS-proxy
+ - tool: determine the correct fopen option for -D
+ - tool_cfgable: free the ssl_ec_curves on exit
+ - tool_cfgable: make socks5_gssapi_nec a boolean
+ - tool_formparse: avoid clobbering on function params
+ - tool_getparam: make --no-get work as the opposite of --get
+ - tool_operate: provide better errmsg for -G with bad URL
+ - tool_operate: when aborting, make sure there is a non-NULL error buffer
+ - tool_paramhlp: free the proto strings on exit
+ - url: move back the IDN conversion of proxy names
+ - urlapi: reject more bad letters from the host name: &+()
+ - urldata: change port num storage to int and unsigned short
+ - vms: remove SIZEOF_SHORT
+ - vtls: fix build without proxy support
+ - vtls: localization of state data in filters
+ - WEBSOCKET.md: fix broken link
+ - Websocket: fixes for partial frames and buffer updates
+ - websockets: fix handling of partial frames
+ - windows: fail early with a missing windres in autotools
+ - windows: fix linking .rc to shared 
curl with autotools
+ - winidn: drop WANT_IDN_PROTOTYPES
+ - ws: if no connection is around, return error
+ - ws: return CURLE_NOT_BUILT_IN when websockets not built in
+ - x509asn1: avoid freeing unallocated pointers
+
+-------------------------------------------------------------------
+Wed Nov 16 03:09:27 UTC 2022 - Luciano Santos
+
+- Add 1.50.0 as the minimum libnghttp2 build requirement version as
+ a bandaid. Curl's 7.86.0 release introduces the use of
+ nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation,
+ introduced by nghttp2 1.50.0 release, without introducing a check
+ for the function/right version in their build scripts. This will
+ make Zypper/cURL unusable in some corner cases where users
+ installing something that requires libcurl4 before doing full
+ system upgrade, thus updating the cURL stack, but not
+ libnghttp2's. Background: boo#1204983, Factory mailing list
+ threadd:
+ "? broken dependency in curl and/or *zyp* ?", and forums thread:
+ Curl-is-broken-after-an-update-which-subsequently-breaks-zypper. 
+
+-------------------------------------------------------------------
+Wed Oct 26 07:51:51 UTC 2022 - Pedro Monreal
+
+- Update to 7.86.0:
+ * Security fixes:
+ - POST following PUT confusion [bsc#1204383, CVE-2022-32221]
+ - .netrc parser out-of-bounds access [bsc#1204384, CVE-2022-35260]
+ - HTTP proxy double-free [bsc#1204385, CVE-2022-42915]
+ - HSTS bypass via IDN [bsc#1204386, CVE-2022-42916]
+ * Changes:
+ - NPN: remove support for and use of
+ - Websockets: initial support
+ * Bugfixes:
+ - altsvc: reject bad port numbers
+ - autotools: reduce brute-force when detecting recv/send arg list
+ - aws_sigv4: fix header computation
+ - cli tool: do not use disabled protocols
+ - connect: change verbose IPv6 address:port to [address]:port
+ - connect: fix builds without AF_INET6
+ - connect: fix Curl_updateconninfo for TRNSPRT_UNIX
+ - connect: fix the wrong error message on connect failures
+ - content_encoding: use writer struct subclasses for different encodings
+ - cookie: reject cookie names or content with TAB characters
+ - curl/add_file_name_to_url: use the libcurl URL parser
+ - curl/get_url_file_name: use libcurl URL parser
+ - curl: warn for --ssl use, considered insecure
+ - docs/libcurl/symbols-in-versions: add several missing symbols
+ - ftp: ignore a 550 response to MDTM
+ - functypes: provide the recv and send arg and return types
+ - getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled
+ - header: define public API functions as extern c
+ - headers: reset the requests counter at transfer start
+ - hostip: guard PF_INET6 use
+ - hostip: lazily wait to figure out if IPv6 works until needed
+ - http, vauth: always provide Curl_allow_auth_to_host() functionality
+ - http2: make nghttp2 less picky about field whitespace
+ - http: try parsing Retry-After: as a number first
+ - http_proxy: restore the protocol pointer on error
+ - lib: add missing limits.h includes
+ - lib: prepare the incoming of additional protocols
+ - lib: sanitize 
conditional exclusion around MIME
+ - libssh: if sftp_init fails, don't get the sftp error code
+ - mprintf: reject two kinds of precision for the same argument
+ - mqtt: return error for too long topic
+ - netrc: compare user name case sensitively
+ - netrc: replace fgets with Curl_get_line
+ - netrc: use the URL-decoded user
+ - ngtcp2: fix build errors due to changes in ngtcp2 library
+ - noproxy: support proxies specified using cidr notation
+ - openssl: make certinfo available for QUIC
+ - resolve: make forced IPv4 resolve only use A queries
+ - schannel: ban server ALPN change during recv renegotiation
+ - schannel: don't reset recv/send function pointers on renegotiation
+ - schannel: when importing PFX, disable key persistence
+ - setopt: use the handler table for protocol name to number conversions
+ - setopt: when POST is set, reset the 'upload' field
+ - single_transfer: use the libcurl URL parser when appending query parts
+ - smb: replace CURL_WIN32 with WIN32
+ - tool: avoid generating ambiguous escaped characters in --libcurl
+ - tool_main: exit at once if out of file descriptors
+ - tool_operate: more transfer cleanup after parallel transfer fail
+ - tool_operate: prevent over-queuing in parallel mode
+ - tool_paramhelp: asserts verify maximum sizes for string loading
+ - tool_xattr: save the original URL, not the final redirected one
+ - url: a zero-length userinfo part in the URL is still a (blank) user
+ - url: allow non-HTTPS HSTS-matching for debug builds
+ - url: rename function due to name-clash in Watt-32
+ - url: use IDN decoded names for HSTS checks
+ - urlapi: detect scheme better when not guessing
+ - urlapi: fix parsing URL without slash with CURLU_URLENCODE
+ - urlapi: reject more bad characters from the host name field
+ * Remove patch upstream:
+ - connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
+
+-------------------------------------------------------------------
+Sat Oct 8 17:06:50 UTC 2022 - Vasily Ulyanov
+
+- Update 
connection info when using UNIX socket as endpoint
+ connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
+
+-------------------------------------------------------------------
+Fri Sep 30 12:35:59 UTC 2022 - Pedro Monreal
+
+- Change the deprecated configure option --enable-hidden-symbols
+ to the new --enable-symbol-hiding.
+
+-------------------------------------------------------------------
+Wed Aug 31 07:34:20 UTC 2022 - Pedro Monreal
+
+- Update to 7.85.0:
+ * Security fixes: [bsc#1202593, CVE-2022-35252]
+ - control code in cookie denial of service
+ * Changes:
+ - quic: add support via wolfSSL
+ - schannel: Add TLS 1.3 support
+ - setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR
+ * Bugfixes:
+ - asyn-thread: fix socket leak on OOM
+ - asyn-thread: make getaddrinfo_complete return CURLcode
+ - base64: base64url encoding has no padding
+ - configure: fix broken m4 syntax in TLS options
+ - configure: if asked to use TLS, fail if no TLS lib was detected
+ - connect: add quic connection information
+ - connect: set socktype/protocol correctly
+ - cookie: reject cookies with "control bytes"
+ - cookie: treat a blank domain in Set-Cookie: as non-existing
+ - curl: output warning when a cookie is dropped due to size
+ - Curl_close: call Curl_resolver_cancel to avoid memory-leak
+ - digest: fix memory leak, fix not quoted 'opaque'
+ - digest: fix missing increment of 'nc' value for auth-int
+ - digest: pass over leading spaces in qop values
+ - digest: reject broken header with session protocol but without qop
+ - doh: use https protocol by default
+ - easy_lock.h: include sched.h if available to fix build
+ - easy_lock.h: use __asm__ instead of asm to fix build
+ - easy_lock: switch to using atomic_int instead of bool
+ - ftp: use a correct expire ID for timer expiry
+ - h2h3: fix overriding the 'TE: Trailers' header
+ - hostip: resolve *.localhost to 127.0.0.1/::1
+ - HTTP3.md: update to msh3 v0.4.0
+ - hyper: use wakers for curl pause/resume 
+ - lib3026: reduce the number of threads to 100
+ - libssh2: make atime/mtime date overflow return error
+ - libssh2: provide symlink name in SFTP dir listing
+ - multi: have curl_multi_remove_handle close CONNECT_ONLY transfer
+ - multi: use larger dns hash table for multi interface
+ - multi_wait: fix skipping to populate revents for extra_fds
+ - netrc: Use the password from lines without login
+ - ngtcp2: Fix build error due to change in nghttp3 prototypes
+ - ngtcp2: fix stall or busy loop on STOP_SENDING with upload data
+ - ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks
+ - openssl: add 'CURL_BORINGSSL_VERSION' to identify BoringSSL
+ - openssl: add cert path in error message
+ - openssl: add details to "unable to set client certificate" error
+ - openssl: fix BoringSSL symbol conflicts with LDAP and Schannel
+ - select: do not return fatal error on EINTR from poll()
+ - sendf: fix paused header writes since after the header API
+ - sendf: skip storing HTTP headers if HTTP disabled
+ - url: really use the user provided in the url when netrc entry exists
+ - url: reject URLs with hostnames longer than 65535 bytes
+ - url: treat missing usernames in netrc as empty
+ - urldata: reduce size of several struct fields
+ - vtls: make Curl_ssl_backend() return the enum type curl_sslbackend
+ * Remove tests-for-32bit.patch fixed in the update
+ * Rebase libcurl-ocloexec.patch
+
+-------------------------------------------------------------------
+Sun Jul 24 19:37:01 UTC 2022 - Dirk Müller
+
+- add tests-for-32bit.patch to fix testsuite on 32bit platforms
+
+-------------------------------------------------------------------
+Mon Jun 27 14:36:10 UTC 2022 - David Anes
+
+- Update to 7.84.0:
+ * Security fixes:
+ - (bsc#1200737, CVE-2022-32208): FTP-KRB bad message verification
+ - (bsc#1200736, CVE-2022-32207): Unpreserved file permissions
+ - (bsc#1200735, CVE-2022-32206): HTTP compression denial of service
+ - (bsc#1200734, CVE-2022-32205): 
Set-Cookie denial of service
+ * Changes:
+ - curl: add --rate to set max request rate per time unit
+ - curl: deprecate --random-file and --egd-file
+ - curl_version_info: add CURL_VERSION_THREADSAFE
+ - CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl
+ - lib: make curl_global_init() threadsafe when possible
+ - libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION
+ - opts: deprecate RANDOM_FILE and EGDSOCKET
+ - socks: support unix sockets for socks proxy
+ * Bugfixes:
+ - aws-sigv4: fix potentional NULL pointer arithmetic
+ - bindlocal: don't use a random port if port number would wrap
+ - c-hyper: mark status line as status for Curl_client_write()
+ - ci: avoid `cmake -Hpath`
+ - CI: bump FreeBSD 13.0 to 13.1
+ - ci: update github actions
+ - cmake: add libpsl support
+ - cmake: do not add libcurl.rc to the static libcurl library
+ - cmake: enable curl.rc for all Windows targets
+ - cmake: fix detecting libidn2
+ - cmake: support adding a suffix to the OS value
+ - configure: skip libidn2 detection when winidn is used
+ - configure: use the SED value to invoke sed
+ - configure: warn about rustls being experimental
+ - content_encoding: return error on too many compression steps
+ - cookie: address secure domain overlay
+ - cookie: apply limits
+ - copyright.pl: parse and use .reuse/dep5 for skips
+ - copyright: make repository REUSE compliant
+ - curl.1: add a few see also --tls-max
+ - curl.1: mention exit code zero too
+ - curl: re-enable --no-remote-name
+ - curl_easy_pause.3: remove explanation of progress function
+ - curl_getdate.3: document that some illegal dates pass through
+ - Curl_parsenetrc: don't access local pwbuf outside of scope
+ - curl_url_set.3: clarify by default using known schemes only
+ - CURLOPT_ALTSVC.3: document the file format
+ - CURLOPT_FILETIME.3: fix the protocols this works with
+ - CURLOPT_HTTPHEADER.3: improve comment in example
+ - CURLOPT_NETRC.3: document the .netrc file format
+ - CURLOPT_PORT.3: We discourage using 
this option
+ - CURLOPT_RANGE.3: remove ranged upload advice
+ - digest: added detection of more syntax error in server headers
+ - digest: tolerate missing "realm"
+ - digest: unquote realm and nonce before processing
+ - DISABLED: disable 1021 for hyper again
+ - docs/cmdline-opts: add copyright and license identifier to each file
+ - docs/CONTRIBUTE.md: document the 'needs-votes' concept
+ - docs: clarify data replacement policy for MIME API
+ - doh: remove UNITTEST macro definition
+ - examples/crawler.c: use the curl license
+ - examples: remove fopen.c and rtsp.c
+ - FAQ: Clarify Windows double quote usage
+ - fopen: add Curl_fopen() for better overwriting of files
+ - ftp: restore protocol state after http proxy CONNECT
+ - ftp: when failing to do a secure GSSAPI login, fail hard
+ - GHA/hyper: enable debug in the build
+ - gssapi: improve handling of errors from gss_display_status
+ - gssapi: initialize gss_buffer_desc strings
+ - headers api: remove EXPERIMENTAL tag
+ - http2: always debug print stream id in decimal with %u
+ - http2: reject overly many push-promise headers
+ - http: restore header folding behavior
+ - hyper: use 'alt-used'
+ - krb5: return error properly on decode errors
+ - lib: make more protocol specific struct fields #ifdefed
+ - libcurl-security.3: add "Secrets in memory"
+ - libcurl-security.3: document CRLF header injection
+ - libssh: skip the fake-close when libssh does the right thing
+ - links: update dead links to the curl-wiki
+ - log2changes: do not indent empty lines [ci skip]
+ - macos9: remove partial support
+ - Makefile.am: fix portability issues
+ - Makefile.m32: delete obsolete options, improve -On [ci skip]
+ - Makefile.m32: delete two obsolete OpenSSL options [ci skip]
+ - Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip]
+ - max-time.d: clarify max-time sets max transfer time
+ - mprintf: ignore clang non-literal format string
+ - netrc: check %USERPROFILE% as well on Windows
+ - netrc: support 
quoted strings
+ - ngtcp2: allow curl to send larger UDP datagrams
+ - ngtcp2: correct use of ngtcp2 and nghttp3 signed integer types
+ - ngtcp2: enable Linux GSO
+ - ngtcp2: extend QUIC transport parameters buffer
+ - ngtcp2: fix alert_read_func return value
+ - ngtcp2: fix typo in preprocessor condition
+ - ngtcp2: handle error from ngtcp2_conn_submit_crypto_data
+ - ngtcp2: send appropriate connection close error code
+ - ngtcp2: support boringssl crypto backend
+ - ngtcp2: use helper funcs to simplify TLS handshake integration
+ - ntlm: provide a fixed fake host name
+ - projects: fix third-party SSL library build paths for Visual Studio
+ - quic: add Curl_quic_idle
+ - quiche: support ca-fallback
+ - rand: stop detecting /dev/urandom in cross-builds
+ - remote-name.d: mention --output-dir
+ - runtests.pl: add the --repeat parameter to the --help output
+ - runtests: fix skipping tests not done event-based
+ - runtests: skip starting the ssh server if user name is lacking
+ - scripts/copyright.pl: fix the exclusion to not ignore man pages
+ - sectransp: check for a function defined when __BLOCKS__ is undefined
+ - select: return error from "lethal" poll/select errors
+ - server/sws: support spaces in the HTTP request path
+ - speed-limit/time.d: mention these affect transfers in either direction
+ - strcase: some optimisations
+ - test 2081: add a valid reply for the second request
+ - test 675: add missing CR so the test passes when run through Privoxy
+ - test414: add the '--resolve' keyword
+ - test681: verify --no-remote-name
+ - tests 266, 116 and 1540: add a small write delay
+ - tests/data/test1501: kill ftp server after slow LIST response
+ - tests/getpart: fix getpartattr to work with "data" and "data2"
+ - tests/server/sws.c: change the HTTP writedelay unit to milliseconds
+ - test{440,441,493,977}: add "HTTP proxy" keywords
+ - tool_getparam: fix --parallel-max maximum value constraint
+ - tool_operate: make sure --fail-with-body works with --retry
+ 
- transfer: fix potential NULL pointer dereference
+ - transfer: maintain --path-as-is after redirects
+ - transfer: upload performance; avoid tiny send
+ - url: free old conn better on reuse
+ - url: remove redundant #ifdefs in allocate_conn()
+ - url: URL encode the path when extracted, if spaces were set
+ - urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts
+ - urlapi: support CURLU_URLENCODE for curl_url_get()
+ - urldata: reduce size of a few struct fields
+ - urldata: remove three unused booleans from struct UserDefined
+ - urldata: store tcp_keepidle and tcp_keepintvl as ints
+ - version: allow stricmp() for sorting the feature list
+ - vtls: make curl_global_sslset thread-safe
+ - wolfssh.h: removed
+ - wolfssl: correct the failf() message when a handle can't be made
+ - wolfSSL: explicitly use compatibility layer
+ - x509asn1: mark msnprintf return as unchecked
+
+-------------------------------------------------------------------
+Wed May 11 07:11:50 UTC 2022 - David Anes
+
+- Update to 7.83.1:
+ * Security fixes:
+ - (bsc#1199225, CVE-2022-30115) HSTS bypass via trailing dot
+ - (bsc#1199224, CVE-2022-27782) TLS and SSH connection too eager reuse
+ - (bsc#1199223, CVE-2022-27781) CERTINFO never-ending busy-loop
+ - (bsc#1199222, CVE-2022-27780) percent-encoded path separator in URL host
+ - (bsc#1199221, CVE-2022-27779) cookie for trailing dot TLD
+ - (bsc#1199220, CVE-2022-27778) removes wrong file on error
+ * Bugfixes:
+ - altsvc: fix host name matching for trailing dots
+ - cirrus: Update to FreeBSD 12.3
+ - cirrus: Use pip for Python packages on FreeBSD
+ - conn: fix typo 'connnection' -> 'connection' in two function names
+ - cookies: make bad_domain() not consider a trailing dot fine
+ - curl: free resource in error path
+ - curl: guard against size_t wraparound in no-clobber code
+ - CURLOPT_DOH_URL.3: mention the known bug
+ - CURLOPT_HSTS*FUNCTION.3: document the involved structs as well
+ - CURLOPT_SSH_AUTH_TYPES.3: fix 
the default
+ - data/test376: set a proper name
+ - GHA/mbedtls: enabled nghttp2 in the build
+ - gha: build msh3
+ - gskit: fixed bogus setsockopt calls
+ - gskit: remove unused function set_callback
+ - hsts: ignore trailing dots when comparing hosts names
+ - HTTP-COOKIES: add missing CURLOPT_COOKIESESSION
+ - http: move Curl_allow_auth_to_host()
+ - http_proxy/hyper: handle closed connections
+ - hyper: fix test 357
+ - Makefile: fix "make ca-firefox"
+ - mbedtls: bail out if rng init fails
+ - mbedtls: fix compile when h2-enabled
+ - mbedtls: fix some error messages
+ - misc: use "autoreconf -fi" instead buildconf
+ - msh3: get msh3 version from MsH3Version
+ - msh3: print boolean value as text representation
+ - msh3: psss remote_port to MsH3ConnectionOpen
+ - ngtcp2: add ca-fallback support for OpenSSL backend
+ - nss: return error if seemingly stuck in a cert loop
+ - openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl
+ - post_per_transfer: remove the updated file name
+ - sectransp: bail out if SSLSetPeerDomainName fails
+ - tests/server: declare variable 'reqlogfile' static
+ - tests: fix markdown formatting in README
+ - test{898,974,976}: add 'HTTP proxy' keywords
+ - tls: check more TLS details for connection reuse
+ - url: check SSH config match on connection reuse
+ - urlapi: address (harmless) UndefinedBehavior sanitizer warning
+ - urlapi: reject percent-decoding host name into separator bytes
+ - x509asn1: make do_pubkey handle EC public keys
+
+-------------------------------------------------------------------
+Fri Apr 22 11:39:46 UTC 2022 - David Anes
+
+- Patches rework:
+ * Refreshed all patches as -p1.
+ * Use autopatch macro. 
+ * Renamed:
+ - dont-mess-with-rpmoptflags.diff -> dont-mess-with-rpmoptflags.patch
+ * Removed (already upstream):
+ - curl-fix-verifyhost.patch
+
+- Update to 7.83.0:
+ * Security fixes:
+ - (bsc#1198766, CVE-2022-27776) Auth/cookie leak on redirect
+ - (bsc#1198723, CVE-2022-27775) Bad local IPv6 connection reuse
+ - (bsc#1198608, CVE-2022-27774) Credential leak on redirect
+ - (bsc#1198614, CVE-2022-22576) OAUTH2 bearer bypass in connection re-use
+ * Changes:
+ - curl: add %header{name} experimental support in -w handling
+ - curl: add %{header_json} experimental support in -w handling
+ - curl: add --no-clobber
+ - curl: add --remove-on-error
+ - header api: add curl_easy_header and curl_easy_nextheader
+ - msh3: add support for QUIC and HTTP/3 using msh3
+ * Bugfixes:
+ - appveyor: add Cygwin build
+ - appveyor: only add MSYS2 to PATH where required
+ - BearSSL: add CURLOPT_SSL_CIPHER_LIST support
+ - BearSSL: add CURLOPT_SSL_CTX_FUNCTION support
+ - BINDINGS.md: add Hollywood binding
+ - CI: Do not use buildconf. Instead, just use: autoreconf -fi
+ - CI: install Python package impacket to run SMB test 1451
+ - configure.ac: move -pthread CFLAGS setting back where it used to be
+ - configure: bump the copyright year range int the generated output
+ - conncache: include the zone id in the "bundle" hashkey
+ - connecache: remove duplicate connc->closure_handle check
+ - connect: make Curl_getconnectinfo work with conn cache from share handle
+ - connect: use TCP_KEEPALIVE only if TCP_KEEPIDLE is not defined
+ - cookie.d: clarify when cookies are sent
+ - cookies: improve errorhandling for reading cookiefile
+ - curl/system.h: update ifdef condition for MCST-LCC compiler
+ - curl: error out if -T and -d are used for the same URL
+ - curl: error out when options need features not present in libcurl
+ - curl: escape '?' in generated --libcurl code
+ - curl: fix segmentation fault for empty output file names. 
+ - curl_easy_header: fix typos in documentation
+ - CURLINFO_PRIMARY_PORT.3: clarify which port this is
+ - CURLOPT*TLSAUTH.3: they only work with OpenSSL or GnuTLS
+ - CURLOPT_DISALLOW_USERNAME_IN_URL.3: use uppercase URL
+ - CURLOPT_PREQUOTE.3: only works for FTP file transfers, not dirs
+ - CURLOPT_PROGRESSFUNCTION.3: fix typo in example
+ - CURLOPT_UNRESTRICTED_AUTH.3: extended explanation
+ - CURLSHOPT_UNLOCKFUNC.3: fix the callback prototype
+ - docs/HYPER.md: updated to reflect current hyper build needs
+ - docs/opts: Mention Schannel client cert type is P12
+ - docs: Fix missing semicolon in example code
+ - docs: lots of minor language polish
+ - English: use American spelling consistently
+ - fail.d: tweak the description
+ - firefox-db2pem.sh: make the shell script safer
+ - ftp: fix error message for partial file upload
+ - gen.pl: change wording for mutexed options
+ - GHA: add openssl3 jobs moved over from zuul
+ - GHA: build hyper with nightly rustc
+ - GHA: move bearssl jobs over from zuul
+ - gha: move the event-based test over from Zuul
+ - gtls: fix build for disabled TLS-SRP
+ - http2: handle DONE called for the paused stream
+ - http2: RST the stream if we stop it on our own will
+ - http: avoid auth/cookie on redirects same host diff port
+ - http: close the stream (not connection) on time condition abort
+ - http: reject header contents with nul bytes
+ - http: return error on colon-less HTTP headers
+ - http: streamclose "already downloaded"
+ - hyper: fix status_line() return code
+ - hyper: fix tests 580 and 581 for hyper
+ - hyper: no h2c support
+ - infof: consistent capitalization of warning messages
+ - ipv4/6.d: clarify that they are about using IP addresses
+ - json.d: fix typo (overriden -> overridden)
+ - keepalive-time.d: It takes many probes to detect brokenness
+ - lib/warnless.[ch]: only check for WIN32 and ignore _WIN32
+ - lib670: avoid double check result
+ - lib: #ifdef on USE_HTTP2 better
+ - lib: fix some misuse of 
curlx_convert_wchar_to_UTF8
+ - lib: remove exclamation marks
+ - libssh2: compare sha256 strings case sensitively
+ - libssh2: make the md5 comparison fail if wrong length
+ - libssh: fix build with old libssh versions
+ - libssh: fix double close
+ - libssh: Improve fix for missing SSH_S_ stat macros
+ - libssh: unstick SFTP transfers when done event-based
+ - macos: set .plist version in autoconf
+ - mbedtls: remove 'protocols' array from backend when ALPN is not used
+ - mbedtls: remove server_fd from backend
+ - mk-ca-bundle.pl: Use stricter logic to process the certificates
+ - mk-ca-bundle.vbs: delete this script in favor of mk-ca-bundle.pl
+ - mlc_config.json: add file to ignore known troublesome URLs
+ - mqtt: better handling of TCP disconnect mid-message
+ - ngtcp2: add client certificate authentication for OpenSSL
+ - ngtcp2: avoid busy loop in low CWND situation
+ - ngtcp2: deal with sub-millisecond timeout
+ - ngtcp2: disconnect the QUIC connection proper
+ - ngtcp2: enlarge H3_SEND_SIZE
+ - ngtcp2: fix HTTP/3 upload stall and avoid busy loop
+ - ngtcp2: fix memory leak
+ - ngtcp2: fix QUIC_IDLE_TIMEOUT
+ - ngtcp2: make curl 1ms faster
+ - ngtcp2: remove remote_addr which is not used in a meaningful way
+ - ngtcp2: update to work after recent ngtcp2 updates
+ - ngtcp2: use token when detecting :status header field
+ - nonblock: restore setsockopt method to curlx_nonblock
+ - openssl: check SSL_get_peer_cert_chain return value
+ - openssl: enable CURLOPT_SSL_EC_CURVES with BoringSSL
+ - openssl: fix CN check error code
+ - options: remove mistaken space before paren in prototype
+ - perl: removed a double semicolon at end of line
+ - pop3/smtp: return *WEIRD_SERVER_REPLY when not understood
+ - projects/README: converted to markdown
+ - projects: Update VC version names for VS2017, VS2022
+ - rtsp: don't let CSeq error override earlier errors
+ - runtests: add 'bearssl' as testable feature
+ - runtests: make 'oldlibssh' be before 0.9.4
+ - schannel: 
remove dead code that will never run
+ - scripts/copyright.pl: ignore the new mlc_config.json file
+ - scripts: move three scripts from lib/ to scripts/
+ - test1135: sync with recent API updates
+ - test1459: disable for oldlibssh
+ - test375: fix line endings on Windows
+ - test386: Fix an incorrect test markup tag
+ - test718: edited slightly to return better HTTP
+ - tests/server/util.h: align WIN32 condition with util.c
+ - tests: refactor server/socksd.c to support --unix-socket
+ - timediff.[ch]: add curlx helper functions for timeval conversions
+ - tls: make mbedtls and NSS check for h2, not nghttp2
+ - tool and tests: force flush of all buffers at end of program
+ - tool_cb_hdr: Turn the Location: into a terminal hyperlink
+ - tool_getparam: error out on missing -K file
+ - tool_listhelp.c: uppercase URL
+ - tool_operate: fix a scan-build warning
+ - tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3)
+ - transfer: redirects to other protocols or ports clear auth
+ - unit1620: call global_init before calling Curl_open
+ - url: check sasl additional parameters for connection reuse. 
+ - vtls: provide a unified APLN-disagree string for all backends
+ - vtls: use a backend standard message for "ALPN: offers %s"
+ - vtls: use a generic "ALPN, server accepted" message
+ - winbuild/README.md: fixup dead link
+ - winbuild: Add a Visual Studio example to the README
+ - wolfssl: fix compiler error without IPv6
+
+-------------------------------------------------------------------
+Fri Mar 11 16:36:50 UTC 2022 - Pedro Monreal
+
+- Fix: openssl: fix CN check error code
+ * Add curl-fix-verifyhost.patch
+
+-------------------------------------------------------------------
+Mon Mar 7 08:01:26 UTC 2022 - Paolo Stivanin
+
+- Update to 7.82.0:
+ * curl: add --json command line option
+ * curl: make it so that sensitive command line arguments do not
+ show as easily in the output of ps(1)
+ * curl_multi_socket.3: remove callback and typical usage descriptions
+ * ftp: provide error message for control bytes in path
+ * ldap: return CURLE_URL_MALFORMAT for bad URL
+ * lib: remove support for CURL_DOES_CONVERSIONS
+ * mqtt: plug some memory leaks
+ * multi: allow user callbacks to call curl_multi_assign
+ * multi: remember connection_id before returning connection to pool
+ * multi: set in_callback for multi interface callbacks
+ * netware: remove support
+ * ngtcp2: adapt to changed end of headers callback proto
+ * openldap: implement SASL authentication
+ * openssl: return error if TLS 1.3 is requested when not supported
+ * sectransp: mark a 3DES cipher as weak
+ * smb: pass socket for writing and reading data instead of FIRSTSOCKET
+ * tool_getparam: DNS options that need c-ares now fail without it
+ * TPF: drop support
+ * url: given a user in the URL, find pwd for that user in netrc
+ * url: keep trailing dot in host name
+ * urlapi: handle "redirects" smarter
+ * urldata: CONN_IS_PROXIED replaces bits.proxy when proxy can be disabled
+ * urldata: remove conn->bits.user_passwd
+
+-------------------------------------------------------------------
+Sun 
Jan 9 21:24:30 UTC 2022 - Dirk Müller
+
+- update to 7.81.0:
+ * mime: use percent-escaping for multipart form field and file names
+ * asyn-ares: ares_getaddrinfo needs no happy eyeballs timer
+ * azure: make the "w/o HTTP/SMTP/IMAP" build disable SSL proper
+ * BINDINGS: add cURL client for PostgreSQL
+ * BINDINGS: add one from Everything curl and update a link
+ * checksrc: detect more kinds of NULL comparisons we avoid
+ * CI: build examples for additional code verification
+ * CI: bump job to use mbedtls 3.1.0
+ * cmake: don't set _USRDLL on a static Windows build
+ * cmake: prevent dev warning due to mismatched arg
+ * cmake: private identifiers use CURL_ instead of CMAKE_ prefix
+ * config.d: update documentation to match the path search
+ * configure: add -lm to configure for rustls build.
+ * configure: better diagnostics if hyper is built wrong
+ * configure: don't enable TLS when --without-* flags are used
+ * configure: fix runtime-lib detection on macOS
+ * curl.1: require "see also" for every documented option
+ * curl: improve error message for --head with -J
+ * curl_easy_cleanup.3: remove from multi handle first
+ * curl_easy_escape.3: call curl_easy_cleanup in example
+ * curl_easy_unescape.3: call curl_easy_cleanup in example
+ * curl_multi_init.3: fix EXAMPLE formatting
+ * curl_multi_perform/socket_action.3: clarify what errors mean
+ * curl_share_setopt.3: split out options into their own manpages
+ * CURLOPT_STDERR.3: does not work with libcurl as a win32 DLL
+ * digest: compute user:realm:pass digest w/o userhash
+ * docs/checksrc: Add documentation for STRERROR
+ * docs/cmdline-opts: do not say "protocols: all"
+ * docs/examples: workaround broken -Wno-pedantic-ms-format
+ * docs/HTTP3: describe how to setup a h3 reverse-proxy for testing
+ * docs/INSTALL.md: typo fix : added missing "get" verb
+ * docs/URL-SYNTAX.md: space is not fine in a given URL
+ * docs: add known bugs list to HTTP3.md
+ * docs: address proselint nits
+ * docs: 
consistent manpage SYNOPSIS
+ * docs: fix dead links, remove ECH.md
+ * docs: fix typo in OpenSSL 3 build instructions
+ * docs: Update the Reducing Size section
+ * example/progressfunc: remove code for old libcurls
+ * examples/multi-single.c: remove WAITMS()
+ * FAQ: typo fix : "yout" ➤ "your"
+ * ftp: disable warning 4706 in MSVC
+ * gen.pl: improve example output format
+ * github workflow: add wolfssl (removed from zuul)
+ * github/workflows: add mbedtls and mbedtls-clang (removed from zuul)
+ * gtls: check return code for gnutls_alpn_set_protocols
+ * hash: lazy-alloc the table in Curl_hash_add()
+ * http2:set_transfer_url() return early on OOM
+ * HTTP3: update quiche build instructions
+ * http: enable haproxy support for hyper backend
+ * http: Fix CURLOPT_HTTP200ALIASES
+ * http_proxy: don't close the socket (too early)
+ * insecure.d: detail its use for SFTP and SCP as well
+ * insecure.d: expand and clarify
+ * libcurl-multi.3: "SOCKS proxy handshakes" are not blocking
+ * libcurl-security.3: mention address and URL mitigations
+ * libssh2: fix error message for sha256 mismatch
+ * libtest: avoid "assignment within conditional expression"
+ * lift: ignore is a deprecated config option, use ignoreRules
+ * linkcheck.yml: add CI job that checks markdown links
+ * m4/curl-compilers: tell clang -Wno-pointer-bool-conversion
+ * Makefile.m32: rename -winssl option to -schannel and tidy up
+ * mbedTLS: add support for CURLOPT_CAINFO_BLOB
+ * mbedtls: fix CURLOPT_SSLCERT_BLOB
+ * mbedtls: fix private member designations for v3.1.0
+ * misc: remove unused doh flags when CURL_DISABLE_DOH is defined
+ * misc: s/e-mail/email
+ * multi: cleanup the socket hash when destroying it
+ * multi: handle errors returned from socket/timer callbacks
+ * multi: shut down CONNECT in Curl_detach_connnection
+ * netrc.d: edit the .netrc example to look nicer
+ * ngtcp2: verify the server cert on connect (quictls)
+ * ngtcp2: verify the server certificate for the gnutls case
+ * 
nss:set_cipher don't clobber the cipher list
+ * openldap: implement STARTTLS
+ * openldap: process search query response messages one by one
+ * openldap: several minor improvements
+ * openldap: simplify ldif generation code
+ * openssl: check the return value of BIO_new()
+ * openssl: define HAVE_OPENSSL_VERSION for OpenSSL 1.1.0+
+ * openssl: remove `RSA_METHOD_FLAG_NO_CHECK` handling if unavailable
+ * openssl: remove usage of deprecated `SSL_get_peer_certificate`
+ * openssl: use non-deprecated API to read key parameters
+ * page-footer: add a mention of how to report bugs to the man page
+ * page-footer: document more environment variables
+ * request.d: refer to 'method' rather than 'command'
+ * retry-all-errors.d: make the example complete
+ * runtests: make the SSH library a testable feature
+ * rustls: read of zero bytes might be okay
+ * rustls: remove comment about checking handshaking
+ * rustls: remove incorrect EOF check
+ * sha256/md5: return errors when init fails
+ * socks5: use appropriate ATYP for numerical IP address host names
+ * test1156: enable for hyper
+ * test1156: fixup the stdout check for Windows
+ * test1525: tweaked for hyper
+ * test1526: enable for hyper
+ * test1527: enable for hyper
+ * test1528: enable for hyper
+ * test1554: adjust for hyper
+ * test1556: adjust for hyper
+ * test302[12]: run only with the libssh2 backend
+ * test661: enable for hyper
+ * tests/CI.md: add more information on CI environments
+ * tests/data/test302[12]: fix MSYS2 path conversion of hostpubsha256
+ * tftp: mark protocol as not possible to do over CONNECT
+ * tool_findfile: updated search for a file in the homedir
+ * tool_operate: only set SSH related libcurl options for SSH URLs
+ * tool_operate: warn if too many output arguments were found
+ * url.c: fix the SIGPIPE comment for Curl_close
+ * url: check ssl_config when re-use proxy connection
+ * url: reduce ssl backend count for CURL_DISABLE_PROXY builds
+ * urlapi: accept port number zero
+ 
* urlapi: if possible, shorten given numerical IPv6 addresses
+ * urlapi: provide more detailed return codes
+ * urlapi: reject short file URLs
+ * version_win32: Check build number and platform id
+ * vtls/rustls: adapt to the updated rustls_version proto
+ * writeout: fix %{http_version} for HTTP/3
+ * x509asn1: return early on errors
+ * zuul.d: update rustls-ffi to version 0.8.2
+ * zuul: fix quiche build pointing to wrong Cargo
+
+-------------------------------------------------------------------
+Tue Nov 16 16:16:49 UTC 2021 - Pedro Monreal
+
+- Update to 7.80.0:
+ * Changes:
+ - CURLOPT_MAXLIFETIME_CONN: maximum allowed lifetime for conn reuse
+ - CURLOPT_PREREQFUNCTION: add new callback
+ - libssh2: add SHA256 fingerprint support
+ - urlapi: add curl_url_strerror()
+ * Bugfixes:
+ - aws-sigv4: make signature work when post data is binary
+ - c-hyper: don't abort CONNECT responses early when auth-in-progress
+ - c-hyper: make CURLOPT_SUPPRESS_CONNECT_HEADERS work
+ - cmake: add CURL_ENABLE_SSL option
+ - cmake: with OpenSSL, define OPENSSL_SUPPRESS_DEPRECATED
+ - configure.ac: replace krb5-config with pkg-config
+ - configure: when hyper is selected, deselect nghttp2
+ - curl-confopts.m4: remove --enable/disable-hidden-symbols
+ - curl-openssl.m4: modify library order for openssl linking
+ - curl_ntlm_core: use OpenSSL only if DES is available
+ - Curl_updateconninfo: store addresses for QUIC connections too
+ - ftp: make the MKD retry to retry once per directory
+ - http: fix Basic auth with empty name field in URL
+ - http: reject HTTP response codes < 100
+ - http: remove assert that breaks hyper
+ - http: set content length earlier
+ - imap: display quota information
+ - libssh2: Get the version at runtime if possible
+ - md5: fix compilation with OpenSSL 3.0 API
+ - ngtcp2: advertise h3 as well as h3-29
+ - ngtcp2: compile with the latest nghttp3
+ - ngtcp2: use latest QUIC TLS RFC9001
+ - NTLM: use DES_set_key_unchecked with OpenSSL
+ - openssl: if 
verifypeer is not requested, skip the CA loading + - openssl: with OpenSSL 1.1.0+ a failed RAND_status means goaway + - schannel: fix memory leak due to failed SSL connection + - sendf: accept zero-length data in Curl_client_write() + - sha256: use high-level EVP interface for OpenSSL + - sws: fix memory leak on exit + - tool_operate: a failed etag save now only fails that transfer + - url: check the return value of curl_url() + - url: set "k->size" -1 at start of request + - urlapi: skip a strlen(), pass in zero + - urlapi: URL decode percent-encoded host names + - vtls: Fix a memory leak if an SSL session cannot be added to the cache + - wolfssl: use for SHA256, MD4, MD5, and setting DES odd parity +* Use --with-openssl configure option, --with-ssl is now deprecated + +------------------------------------------------------------------- +Wed Sep 22 11:17:15 UTC 2021 - Pedro Monreal + +- Update to 7.79.1: + * Bugfixes: + - Curl_http2_setup: don't change connection data on repeat invokes + - curl_multi_fdset: make FD_SET() not operate on sockets out of range + - dist: provide lib/.checksrc in the tarball + - FAQ: add GOPHERS + curl works on data, not files + - hsts: CURLSTS_FAIL from hsts read callback should fail transfer + - hsts: handle unlimited expiry + - http: fix the broken >3 digit response code detection + - strerror: use sys_errlist instead of strerror on Windows + - test1184: disable: https://github.com/curl/curl/issues/7725 + - tests/sshserver.pl: make it work with openssh-8.7p1 + +------------------------------------------------------------------- +Wed Sep 15 15:08:18 UTC 2021 - Pedro Monreal + +- Temporarily disable flaky test 1184 + * See https://github.com/curl/curl/issues/7725 + +------------------------------------------------------------------- +Wed Sep 15 06:21:42 UTC 2021 - Pedro Monreal + +- Update to 7.79.0: [bsc#1190213, CVE-2021-22945] + [bsc#1190373, CVE-2021-22946] [bsc#1190374, CVE-2021-22947] + * Changes: + - bearssl: support 
CURLOPT_CAINFO_BLOB
+ - http: consider cookies over localhost to be secure
+ - secure transport: support CURLINFO_CERTINFO
+ * Bugfixes:
+ - CVE-2021-22945: clear the leftovers pointer when sending succeeds
+ - CVE-2021-22946: do not ignore --ssl-reqd
+ - CVE-2021-22947: reject STARTTLS server response pipelining
+ - auth: do not append zero-terminator to authorisation id in kerberos
+ - auth: properly handle byte order in kerberos security message
+ - auth: use sasl authzid option in kerberos
+ - auth: we do not support a security layer after kerberos authentication
+ - c-hyper: deal with Expect: 100-continue combined with POSTFIELDS
+ - c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection
+ - c-hyper: initial step for 100-continue support
+ - c-hyper: initial support for "dumping" 1xx HTTP responses
+ - curl-openssl.m4: show correct output for OpenSSL v3
+ - docs/MQTT: update state of username/password support
+ - docs: the security list is reached at security at curl.se now
+ - getparameter: fix the --local-port number parser
+ - hostip: Make Curl_ipv6works function independent of getaddrinfo
+ - http_proxy: fix the User-Agent inclusion in CONNECT
+ - http_proxy: fix user-agent and custom headers for CONNECT with hyper
+ - http_proxy: only wait for writable socket while sending request
+ - mailing lists: move from cool.haxx.se to lists.haxx.se
+ - mbedtls: avoid using a large buffer on the stack
+ - mbedTLS: initial 3.0.0 support
+ - ngtcp2: remove the acked_crypto_offset struct field init
+ - ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read
+ - ngtcp2: reset the oustanding send buffer again when drained
+ - ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream
+ - ngtcp2: stop buffering crypto data
+ - ngtcp2: utilize crypto API functions to simplify
+ - openssl: when creating a new context, there cannot be an old one
+ - scripts: invoke interpreters through /usr/bin/env
+ - tests/runtests.pl: cleanup 
copy&paste mistakes and unused code
+ - tests: be explicit about using 'python3' instead of 'python'
+ - tool/tests: fix potential year 2038 issues
+ - tool_operate: Fix --fail-early with parallel transfers
+ - x509asn1: fix heap over-read when parsing x509 certificates
+ * Rebase libcurl-ocloexec.patch
+
+-------------------------------------------------------------------
+Wed Jul 21 06:50:22 UTC 2021 - Pedro Monreal
+
+- Update to 7.78.0:
+ [bsc#1188217, CVE-2021-22922][bsc#1188218, CVE-2021-22923]
+ [bsc#1188219, CVE-2021-22924][bsc#1188220, CVE-2021-22925]
+ * Changes:
+ - curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE
+ - CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax
+ - hostip: make 'localhost' return fixed values
+ - mbedtls: add support for cert and key blob options
+ - metalink: remove all support for it
+ - mqtt: add support for username and password
+ * Bugfixes:
+ - ares: always store IPv6 addresses first
+ - c-hyper: abort CONNECT response reading early on non 2xx responses
+ - c-hyper: add support for transfer-encoding in the request
+ - c-hyper: bail on too long response headers
+ - c-hyper: clear NTLM auth buffer when request is issued
+ - c-hyper: fix NTLM on closed connection tested with test159
+ - conncache: lowercase the hash key for better match
+ - curl_multibyte: Remove local encoding fallbacks
+ - Curl_ntlm_core_mk_nt_hash: fix OOM in error path
+ - Curl_ssl_getsessionid: fail if no session cache exists
+ - easy: during upkeep, attach Curl_easy to connections in the cache
+ - gnutls: set the preferred TLS versions in correct order
+ - hsts: ignore numberical IP address hosts
+ - HSTS: not experimental anymore
+ - http2: init recvbuf struct for pushed streams
+ - http: fix crash in rate-limited upload
+ - http: make the haproxy support work with unix domain sockets
+ - http_proxy: deal with non-200 CONNECT response with Hyper
+ - lib: don't compare fd to FD_SETSIZE when using poll
+ - lib: fix compiler 
warnings with CURL_DISABLE_NETRC
+ - lib: fix type of len passed to *printf's %*s
+ - lib: more %u for port and int for %*s fixes
+ - lib: use %u instead of %ld for port number printf
+ - libssh2: limit time a disconnect can take to 1 second
+ - mqtt: detect illegal and too large file size
+ - msnprintf: return number of printed characters excluding null byte
+ - multi: add scan-build-6 work-around in curl_multi_fdset
+ - multi: alter transfer timeout ordering
+ - multi: do not switch off connect_only flag when closing
+ - multi: fix crash in curl_multi_wait / curl_multi_poll
+ - ngtcp2: disable TLSv1.3 compatible mode when using GnuTLS
+ - openssl: avoid static variable for seed flag
+ - openssl: don't remove session id entry in disassociate
+ - socketpair: fix potential hangs
+ - socks4: scan for the IPv4 address in resolve results
+ - ssl: read pending close notify alert before closing the connection
+ - telnet: fix option parser to not send uninitialized contents
+ - TLS: prevent shutdown loops to get stuck
+ - vtls: exit addsessionid if no cache is inited
+ - vtls: fix connection reuse checks for issuer cert and case sensitivity
+
+-------------------------------------------------------------------
+Wed May 26 07:47:00 UTC 2021 - Pedro Monreal
+
+- Update to 7.77.0: [bsc#1186114, CVE-2021-22898]
+ [bsc#1186115, bsc#1185579, CVE-2021-22901]
+ * Security fixes:
+ - CVE-2021-22297: schannel cipher selection surprise
+ - CVE-2021-22298: TELNET stack contents disclosure
+ - CVE-2021-22901: TLS session caching disaster
+ * Changes:
+ - configure: make the TLS library choice(s) explicit
+ - curl: ignore options asking for SSLv2 or SSLv3
+ - hsts: enable by default
+ - SSL: support in-memory CA certs for some backends
+ - vtls: refuse setting any SSL version
+ * Bugfixes:
+ - configure: provide --with-openssl, deprecate --with-ssl
+ - cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies
+ - curl: include libmetalink version in --version output
+ - data_pending: 
check only SECONDARY socket for FTP(S) transfers
+ - gnutls: don't allow TLS 1.3 for versions that don't support it
+ - gnutls: make setting only the MAX TLS allowed version work
+ - http2: fix resource leaks in set_transfer_url() and push_promise()
+ - http: limit the initial send amount to used upload buffer size
+ - rustls: only return CURLE_AGAIN when TLS session is fully drained
+ - rustls: use ALPN
+ - schannel: Disable auto credentials; add an option to enable it
+ - schannel: Support strong crypto option
+ - sectransp: allow cipher name to be specified
+ - sockfilt: avoid getting stuck waiting for writable socket
+
+-------------------------------------------------------------------
+Sun Apr 25 21:14:40 UTC 2021 - Dirk Müller
+
+- update to 7.76.1:
+ - ngtcp2: Use ALPN h3-29 for now
+ - TODO: remove 18.22 --fail-with-body
+
+-------------------------------------------------------------------
+Wed Mar 31 08:40:06 UTC 2021 - Pedro Monreal
+
+- Update to 7.76.0
+ * Security fixes:
+ - [bsc#1183933, CVE-2021-22876]: strip credentials from the
+ auto-referer header field
+ - [bsc#1183934, CVE-2021-22890]: add 'isproxy' argument to
+ Curl_ssl_get/addsessionid()
+ * Changes:
+ - cookies: Support multiple -b parameters
+ - curl: add --fail-with-body
+ - doh: add options to disable ssl verification
+ - http: add support to read and store the referrer header
+ - sasl: support SCRAM-SHA-1 and SCRAM-SHA-256 via libgsasl
+ - vtls: initial implementation of rustls backend
+ * Bugfixes:
+ - CVE-2021-22876: strip credentials from the auto-referer header field
+ - CVE-2021-22890: add 'isproxy' argument to Curl_ssl_get/addsessionid()
+ - c-hyper: support automatic content-encoding
+ - configure: only add OpenSSL paths if they are defined
+ - configure: provide Largefile feature for curl-config
+ - curl: set CURLOPT_NEW_FILE_PERMS if requested
+ - doh: Fix sharing user's resolve list with DOH handles
+ - doh: Inherit CURLOPT_STDERR from user's easy handle
+ - dynbuf: bump the 
max HTTP request to 1MB
+ - ftp: add 'list_only' to the transfer state struct
+ - ftp: add 'prefer_ascii' to the transfer state struct
+ - ftp: allow SIZE to fail when doing (resumed) upload
+ - ftp: avoid SIZE when asking for a TYPE A file
+ - ftp: fix memory leak in ftp_done
+ - ftp: never set data->set.ftp_append outside setopt
+ - gnutls: assume nettle crypto support
+ - http2: don't set KEEP_SEND when there's no more data to be sent
+ - http2: fail if connection terminated without END_STREAM
+ - http: do not add a referrer header with empty value
+ - http: strip default port from URL sent to proxy
+ - http: use credentials from transfer, not connection
+ - lib: remove 'conn->data' completely
+ - multi: close the connection when h2=>h1 downgrading
+ - multi: do once-per-transfer inits in before_perform in DID state
+ - multi: rename the multi transfer states
+ - multi: update pending list when removing handle
+ - ngtcp2: adapt to the new recv_datagram callback
+ - ngtcp2: clarify calculation precedence
+ - ngtcp2: sync with recent API updates
+ - openssl: adapt to v3's new const for a few API calls
+ - openssl: ensure to check SSL_CTX_set_alpn_protos return values
+ - openssl: remove get_ssl_version_txt in favor of SSL_get_version
+ - parse_proxy: fix a memory leak in the OOM path
+ - url: fix memory leak if OOM in the HSTS handling
+ - url: fix possible use-after-free in default protocol
+ - urldata: don't touch data->set.httpversion at run-time
+ - urldata: merge "struct DynamicStatic" into "struct UrlState"
+ - urldata: remove the 'rtspversion' field
+ - urldata: remove the _ORIG suffix from string names
+ - wolfssl: don't store a NULL sessionid
+
+-------------------------------------------------------------------
+Thu Mar 4 17:46:40 UTC 2021 - Cristian Rodríguez
+
+- Harden build, enable full RELRO
+- Never allow undefined symbols anywhere. 
+ +------------------------------------------------------------------- +Thu Feb 4 11:20:22 UTC 2021 - Pedro Monreal + +- Update to 7.75.0 + * Changes: + - curl: add --create-file-mode [mode] + - curl: add new variables to --write-out + - dns: extend CURLOPT_RESOLVE syntax for adding non-permanent entries + - gopher: implement secure gopher protocol + - http: add Hyper as new optional HTTP backend + - http: introduce AWS HTTP v4 Signature support + * Bugfixes: + - cmake: Add an option to disable libidn2 + - cmake: enable gophers correctly in curl-config + - cmake: expose CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG + - digest_sspi: Show InitializeSecurityContext errors in verbose mode + - getinfo: build with disabled HTTP support + - http: get CURLOPT_REQUEST_TARGET working with a HTTP proxy + - http_proxy: Fix CONNECT chunked encoding race condition + - httpauth: make multi-request auth work with custom port + - lib: pass in 'struct Curl_easy *' to most functions + - lib: remove Curl_ prefix from many static functions + - lib: save a bit of space with some structure packing + - libssh: avoid plain free() of libssh-memory + - mime: make sure setting MIMEPOST to NULL resets properly + - multi_runsingle: bail out early on data->conn == NULL + - ngtcp2: Fix http3 upload stall + - ngtcp2: Fix stack buffer overflow + - openssl: lowercase the hostname before using it for SNI + - socks: use the download buffer instead + - speedcheck: exclude paused transfers + - tooĺ_writeout: fix the -w time output units + - url: if IDNA conversion fails, fallback to Transitional +- Refresh libcurl-ocloexec.patch + +------------------------------------------------------------------- +Fri Dec 18 20:04:33 UTC 2020 - Cristian Rodríguez + +- Enable zstd and brotli support + +------------------------------------------------------------------- +Mon Dec 14 15:25:07 UTC 2020 - Pedro Monreal + +- Update to 7.74.0 + * Changes: + hsts: add experimental support for Strict-Transport-Security + * Bugfixes: + 
- Inferior OCSP verification [bsc#1179593, CVE-2020-8286]
+ - FTP wildcard stack overflow [bsc#1179399, CVE-2020-8285]
+ - trusting FTP PASV responses [bsc#1179398, CVE-2020-8284]
+ - Revert "multi: implement wait using winsock events"
+ - openssl: free mem_buf in error path
+ - ntlm: avoid malloc(0) on zero length user and domain
+ - ngtcp2: use the minimal version of QUIC supported by ngtcp2
+ - ngtcp2: advertise h3 ALPN unconditionally
+ - file: avoid duplicated code sequence
+ - openssl: guard against OOM on context creation
+ - docs: document the 8MB input string limit for curl_easy_escape
+ and curl_easy_setopt()
+ - hsts: add read/write callbacks
+ - hsts: add support for Strict-Transport-Security
+ - alt-svc: enable by default
+ - checksrc: warn on empty line before open brace
+ - connect: repair build without ipv6 availability
+ - curl.se: new home
+ - ftp: retry getpeername for FTP with TCP_FASTOPEN
+ - gnutls: fix memory leaks (certfields memory wasn't released)
+ - http: pass correct header size to debug callback for chunked post
+ - libssh2: fix transport over HTTPS proxy
+ - openssl: guard against OOM on context creation
+ - openssl: use OPENSSL_init_ssl() with >= 1.1.0
+ - Revert "multi: implement wait using winsock events"
+ - socks: check for DNS entries with the right port number
+ - tool_operate: --retry for HTTP 408 responses too
+ - tool_operate: bail out proper on errors during parallel transfers
+ - urlapi: don't accept blank port number field without scheme
+ - urlapi: URL encode a '+' in the query part
+ - vquic/ngtcp2.h: define local_addr as sockaddr_storage
+- Update check section:
+ * runtests now supports dynamically base64 encoded sections in tests
+ * Replace env interpreter for perl and python3
+- Remove curl-use_OPENSSL_config.patch since the OpenSSL initialization
+ has been updated to use OPENSSL_init_ssl() with >= 1.1.0
+
+-------------------------------------------------------------------
+Tue Oct 20 10:33:34 UTC 2020 - Pedro 
Monreal
+
+- Update patches to fix compiling warnings:
+ * curl-disabled-redirect-protocol-message.patch
+ * libcurl-ocloexec.patch
+- Enable test 1165
+
+-------------------------------------------------------------------
+Wed Oct 14 21:29:48 UTC 2020 - Pedro Monreal
+
+- Update to 7.73.0
+ * Changes:
+ - curl: add --output-dir
+ - curl: support XDG_CONFIG_HOME to find .curlrc
+ - curl: update --help with categories
+ - curl_easy_option_*: new API for meta-data about easy options
+ - CURLE_PROXY: new error code
+ - mqtt: enable by default
+ - sftp: add new quote commands 'atime' and 'mtime'
+ - ssh: add the option CURLKHSTAT_FINE_REPLACE
+ - tls: add CURLOPT_SSL_EC_CURVES and --curves
+ * Bugfixes:
+ - base64: also build for smtp, pop3 and imap
+ - cleanups: avoid curl_ on local variables
+ - configure: let --enable-debug set -Wenum-conversion with gcc >= 10
+ - conn: check for connection being dead before reuse
+ - curl: in retry output don't call all problems "transient"
+ - curl: make checkpasswd, file2memory, file2string and
+ glob_match_url use dynbuf
+ - curl: retry delays in parallel mode no longer sleeps blocking
+ - curl: use curlx_dynbuf for realloc when loading config files
+ - curl:parallel_transfers: make sure retry readds the transfer
+ - curl_get_line: build only if cookies or alt-svc are enabled
+ - Curl_pgrsTime - return new time to avoid timeout integer overflow
+ - Curl_send: return error when pre_receive_plain can't malloc
+ - dynbuf: make sure Curl_dyn_tail() zero terminates
+ - etag: save and use the full received contents
+ - ftp: a 550 response to SIZE returns CURLE_REMOTE_FILE_NOT_FOUND
+ - ftp: avoid risk of reading uninitialized integers
+ - ftp: get rid of the PPSENDF macro
+ - ftp: make a 552 response return CURLE_REMOTE_DISK_FULL
+ - ftp: separate FTPS from FTP over "HTTPS proxy"
+ - HTTP/3: update to OpenSSL_1_1_1g-quic-draft-29
+ - http: consolidate nghttp2_session_mem_recv() call paths
+ - http_proxy: do not count proxy headers in 
the header bytecount
+ - http_proxy: do not crash with HTTPS_PROXY and NO_PROXY set
+ - imap: make imap_send use dynbuf for the send buffer management
+ - imap: set cselect_bits to CURL_CSELECT_IN initially
+ - lib1560: verify "redirect" to double-slash leading URL
+ - lib: make Curl_gethostname accept a const pointer
+ - libssh2: handle the SSH protocols done over HTTPS proxy
+ - libssh2: pass on the error from ssh_force_knownhost_key_type
+ - memdebug: remove 9 year old unused debug function
+ - multi: expand pre-check for socket readiness
+ - ngtcp2: adapt to new NGTCP2_PROTO_VER_MAX define
+ - ngtcp2: adapt to the new pkt_info arguments
+ - openssl: avoid error conditions when importing native CA
+ - openssl: consider ALERT_CERTIFICATE_EXPIRED a failed verification
+ - parsedate: tune the date to epoch conversion
+ - pause: only trigger a reread if the unpause sticks
+ - pingpong: use a dynbuf for the *_pp_sendf() function
+ - runtests: allow creating files without newlines
+ - runtests: allow generating a binary sequence from hex
+ - runtests: clear pid variables when failing to start a server
+ - schannel: fix memory leak when using get_cert_location
+ - schannel: return CURLE_PEER_FAILED_VERIFICATION for untrusted root
+ - sectransp: make it build with --disable-proxy
+ - select.h: make socket validation macros test for INVALID_SOCKET
+ - select: align poll emulation to return all relevant events
+ - select: fix poll-based check not detecting connect failure
+ - select: simplify return code handling for poll and select
+ - setopt: if the buffer exists, refuse the new BUFFERSIZE
+ - setopt: return CURLE_BAD_FUNCTION_ARGUMENT on bad argument
+ - socketpair: allow CURL_DISABLE_SOCKETPAIR
+ - sockfilt: handle FD_CLOSE winsock event on write socket
+ - symbian: drop support
+ - tests: remove pipelining tests
+ - tls: fix SRP detection by using the proper #ifdefs
+ - tls: provide the CApath verbose log on its own line
+ - tool_setopt: escape binary data to hex, 
not octal
+ - url: use blank credentials when using proxy w/o username and password
+ - urlapi: use more Curl_safefree
+ - vtls: deduplicate client certificates in ssl_config_data
+
+-------------------------------------------------------------------
+Wed Aug 19 07:47:34 UTC 2020 - Pedro Monreal Gonzalez
+
+- Update to 7.72.0 [bsc#1175109, CVE-2020-8231]
+ * Changes:
+ - content_encoding: add zstd decoding support
+ - CURL_PUSH_ERROROUT: allow the push callback to fail the parent stream
+ - CURLINFO_EFFECTIVE_METHOD: added
+ * Bugfixes:
+ - CVE-2020-8231: libcurl: wrong connect-only connection
+ - curl-config: ignore REQUIRE_LIB_DEPS in --libs output
+ - curl: improve the existing file check with -J
+ - curl_multi_setopt: fix compiler warning "result is always false"
+ - curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated
+ - docs: Add video link to docs/CONTRIBUTE.md
+ - docs: clarify MAX_SEND/RECV_SPEED functionality
+ - ftp: don't do ssl_shutdown instead of ssl_close
+ - ftpserver: don't verify SMTP MAIL FROM names
+ - getinfo: reset retry-after value in initinfo
+ - gnutls: repair the build with 'CURL_DISABLE_PROXY'
+ - gtls: survive not being able to get name/issuer
+ - h2: repair trailer handling
+ - http2: close the http2 connection when no more requests may be sent
+ - http2: fix nghttp2_strerror -> nghttp2_http2_strerror in debug messages
+ - libssh2: s/ssherr/sftperr/
+ - mprintf: Fix dollar string handling
+ - mprintf: Fix stack overflows
+ - multi_remove_handle: close unused connect-only connections
+ - ngtcp2: adapt to error code rename
+ - ngtcp2: adjust to recent sockaddr updates
+ - ngtcp2: update to modified qlog callback prototype
+ - ntlm: free target_info before (re-)malloc
+ - page-header: provide protocol details in the curl.1 man page
+ - quiche: handle calling disconnect twice
+ - setopt: unset NOBODY switches to GET if still HEAD
+ - smtp_parse_address: handle blank input string properly
+ - socks: use size_t for size variable
+ - 
tls-max.d: this option is only for TLS-using connections
+ - tlsv1.3.d. only for TLS-using connections
+ - tool_getparam: make --krb option work again
+ - transfer: fix data_pending for builds with both h2 and h3 enabled
+ - transfer: fix memory-leak with CURLOPT_CURLU in a duped handle
+ - transfer: move retrycount from connect struct to easy handle
+ - url: fix CURLU and location following
+
+-------------------------------------------------------------------
+Wed Jul 1 12:59:25 UTC 2020 - Pedro Monreal Gonzalez
+
+- Update to 7.71.1
+ * Bugfixes:
+ - Curl_inet_ntop: always check the return code
+ - CURLOPT_READFUNCTION.3: provide the upload data size up front
+ - escape: make the URL decode able to reject only %00-bytes
+ - escape: zero length input should return a zero length output
+ - examples/multithread.c: call curl_global_cleanup()
+ - http2: set the correct URL in pushed transfers
+ - http: fix proxy auth with blank password
+ - mbedtls: fix build with disabled proxy support
+ - ngtcp2: sync with current master
+ - Revert "multi: implement wait using winsock events"
+ - sendf: improve the message on client write errors
+ - terminology: call them null-terminated strings
+ - tool_cb_hdr: Fix etag warning output and return code
+ - url: allow user + password to contain "control codes" for HTTP(S)
+ - vtls: compare cert blob when finding a connection to reuse
+
+-------------------------------------------------------------------
+Wed Jun 24 07:13:22 UTC 2020 - Pedro Monreal Gonzalez
+
+- Update to 7.71.0 [bsc#1173026, CVE-2020-8169][bsc#1173027, CVE-2020-8177]
+ * Changes:
+ - CURLOPT_SSL_OPTIONS: optional use of Windows' CA store (with openssl)
+ - setopt: add CURLOPT_PROXY_ISSUERCERT(_BLOB) for coherency
+ - setopt: support certificate options in memory with struct curl_blob
+ - tool: Add option --retry-all-errors to retry on any error
+ * Bugfixes:
+ - *_sspi: fix bad uses of CURLE_NOT_BUILT_IN
+ - altsvc: bump to h3-29
+ - altsvc: fix 'dsthost' may be 
used uninitialized in this function
+ - altsvc: fix parser for lines ending with CRLF
+ - altsvc: remove the num field from the altsvc struct
+ - asyn-*: remove support for never-used NULL entry pointers
+ - azure: use matrix strategy to avoid configuration redundancy
+ - build: disable more code/data when built without proxy support
+ - buildconf: remove -print from the find command that removes files
+ - checksrc: enhance the ASTERISKSPACE and update code accordingly
+ - cirrus: disable SFTP and SCP tests
+ - CMake: add ENABLE_ALT_SVC option
+ - CMake: add HTTP/3 support (ngtcp2+nghttp3, quiche)
+ - CMake: add libssh build support
+ - configure: fix pthread check with static boringssl
+ - configure: for wolfSSL, check for the DES func needed for NTLM
+ - configure: only strip first -L from LDFLAGS
+ - configure: repair the check if argv can be written to
+ - configure: the wolfssh backend does not provide SCP
+ - connect: improve happy eyeballs handling
+ - connect: make happy eyeballs work for QUIC (again)
+ - curl: remove -J "informational" written on stdout
+ - Curl_addrinfo: use one malloc instead of three
+ - dynbuf: introduce internal generic dynamic buffer functions
+ - easy: fix dangling pointer on easy_perform fail
+ - examples/ephiperfifo: turn off interval when setting timerfd
+ - examples/http2-down/upload: add error checks
+ - FILEFORMAT: add more features that tests can depend on
+ - FILEFORMAT: describe verify/stderr
+ - ftp: make domore_getsock() return the secondary socket properly
+ - ftp: mark return-ignoring calls to Curl_GetFTPResponse with (void)
+ - ftp: shut down the secondary connection properly when SSL is used
+ - GnuTLS: Backend support for CURLINFO_SSL_VERIFYRESULT
+ - hostip: make Curl_printable_address not return anything
+ - http2: keep trying to send pending frames after req.upload_done
+ - http2: simplify and clean up trailer handling
+ - http: move header storage to Curl_easy from connectdata
+ - libssh2: improved error output 
for wrong quote syntax
+ - libssh2: keep sftp errors as 'unsigned long'
+ - libssh2: set the expected total size in SCP upload init
+ - multi: add defensive check on data->multi->num_alive
+ - multi: implement wait using winsock events
+ - ngtcp2: cleanup memory when failing to connect
+ - ngtcp2: fix build with current ngtcp2 master implementing draft 28
+ - ngtcp2: fix happy eyeballs quic connect crash
+ - ngtcp2: introduce qlog support
+ - ngtcp2: never call fprintf() in lib code in release version
+ - ngtcp2: update with recent API changes
+ - ntlm: enable NTLM support with wolfSSL
+ - OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAIN
+ - openssl: set FLAG_TRUSTED_FIRST unconditionally
+ - projects: Add crypt32.lib to dependencies for all OpenSSL configs
+ - quiche: clean up memory properly when failing to connect
+ - quiche: enable qlog output
+ - quiche: update SSLKEYLOGFILE support
+ - Revert "ssh: ignore timeouts during disconnect"
+ - select: fix overflow protection in Curl_socket_check
+ - sendf: make failf() use the mvsnprintf() return code
+ - server/sws: fix asan warning on use of uninitialized variable
+ - server/util: fix logmsg format using curl_off_t argument
+ - sha256: fixed potentially uninitialized variable
+ - share: don not set the share flag it something fails
+ - sockfilt: make select_ws stop waiting on exit signal event
+ - socks: detect connection close during handshake
+ - socks: fix expected length of SOCKS5 reply
+ - socks: remove unreachable breaks in socks.c and mime.c
+ - source cleanup: remove all custom typedef structs
+ - timeouts: change millisecond timeouts to timediff_t from time_t
+ - timeouts: move ms timeouts to timediff_t from int and long
+ - tool_cfgable: free login_options at exit
+ - tool_getparam: -i is not OK if -J is used
+ - tool_getparam: fix memory leak in parse_args
+ - tool_operate: fixed potentially uninitialized variables
+ - tool_paramhlp: fixed potentially uninitialized strtol() variable
+ - 
transfer: close connection after excess data has been read
+ - typecheck-gcc.h: CURLINFO_PRIVATE does not need a 'char *'
+ - unit1604.c: fix implicit conv from 'SANITIZEcode' to 'CURLcode'
+ - url: accept "any length" credentials for proxy auth
+ - url: alloc the download buffer at transfer start
+ - url: make the updated credentials URL-encoded in the URL
+ - url: reject too long input when parsing credentials
+ - url: sort the protocol schemes in rough popularity order
+ - urlapi: accept :: as a valid IPv6 address
+ - urldata: leave the HTTP method untouched in the set.* struct
+ - urlglob: treat literal IPv6 addresses with zone IDs as a host name
+ - user-agent.d: spell out what happens given a blank argument
+ - vauth/cleartext: fix theoretical integer overflow
+ - version.d: expanded and alpha-sorted
+ - vtls: Extract and simplify key log file handling from OpenSSL
+ - wolfssl: add SSLKEYLOGFILE support
+ - wording: avoid blacklist/whitelist stereotypes
+ - write-out.d: added "response_code"
+
+-------------------------------------------------------------------
+Fri Jun 12 09:07:50 UTC 2020 - Dominique Leuenberger
+
+- Change with-gssapi configure parameter: krb5 is changing location
+ in the future: ask krb5-config about the correct prefix values.
+
+-------------------------------------------------------------------
+Wed Apr 29 07:45:48 UTC 2020 - Paolo Stivanin
+
+- Update to 7.70.0
+ * Changes:
+ - curl: add --ssl-revoke-best-effort to allow a "best effort" revocation check
+ - mqtt: add new experimental protocol
+ - schannel: add "best effort" revocation check option: CURLSSLOPT_REVOKE_BEST_EFFORT
+ - writeout: support to generate JSON output with '%{json}'
+ * Bugfixes:
+ - gnutls: Don't skip really long certificate fields
+ - gnutls: ensure TLS 1.3 when SRP isn't requested
+ - lib: never define CURL_CA_BUNDLE with a getenv
+ - libcurl-multi.3: added missing full stop
+ - libssh: avoid options override by configuration files
+ - libssh: Use new ECDSA key types to check known hosts
+ - tons of other fixes
+
+-------------------------------------------------------------------
+Thu Mar 12 22:07:26 UTC 2020 - Pedro Monreal Gonzalez
+
+- Update to 7.69.1
+ * Bugfixes:
+ - ares: store dns parameters for duphandle
+ - cirrus-ci: disable the FreeBSD 13 builds
+ - curl_share_setopt.3: Note sharing cookies doesn't enable the engine
+ - lib1564: reduce number of mid-wait wakeup calls
+ - libssh: Fix matching user-specified MD5 hex key
+ - MANUAL: update a dict-using command line
+ - mime: do not perform more than one read in a row
+ - mime: fix the binary encoder to handle large data properly
+ - mime: latch last read callback status
+ - multi: skip EINTR check on wakeup socket if it was closed
+ - pause: bail out on bad input
+ - pause: force a connection recheck after unpausing (take 2)
+ - pause: return early for calls that don't change pause state
+ - runtests.1: rephrase how to specify what tests to run
+ - runtests: fix missing use of exe_ext helper function
+ - seek: fix fall back for missing ftruncate on Windows
+ - sftp: fix segfault regression introduced by #4747 in 7.69.0
+ - sha256: Added SecureTransport implementation
+ - sha256: Added WinCrypt implementation
+ - socks4: fix host resolve regression
+
- socks5: host name resolv regression fix
+ - tests/server: fix missing use of exe_ext helper function
+ - tests: fix static ip:port instead of dynamic values being used
+ - tests: make sleeping portable by avoiding select
+ - unit1612: fix the inclusion and compilation of the HMAC unit test
+ - urldata: remove the 'stream_was_rewound' connectdata struct member
+ - version: make curl_version* thread-safe without using global context
+
+-------------------------------------------------------------------
+Mon Mar 9 12:54:08 UTC 2020 - Andreas Schwab
+
+- ignore_runtests_failure.patch: remove, no longer needed
+
+-------------------------------------------------------------------
+Wed Mar 4 08:56:45 UTC 2020 - Pedro Monreal Gonzalez
+
+- Update to 7.69.0
+ * Changes:
+ - polarssl: removed
+ - smtp: add CURLOPT_MAIL_RCPT_ALLLOWFAILS and --mail-rcpt-allowfails
+ - wolfSSH: new SSH backend
+ * Bugfixes:
+ - altsvc: improved header parser
+ - altsvc: keep a copy of the file name to survive handle reset
+ - altsvc: make saving the cache an atomic operation
+ - altsvc: use h3-27
+ - azure: disable brotli on the macos debug-builds
+ - build: remove all HAVE_OPENSSL_ENGINE_H defines
+ - cleanup: fix several comment typos
+ - cleanup: fix typos and wording in docs and comments
+ - cmake: add support for CMAKE_LTO option
+ - cmake: clean up and improve build procedures
+ - cmake: Show HTTPS-proxy in the features output
+ - cmake: use check_symbol_exists also for inet_pton
+ - configure.ac: fix comments about --with-quiche
+ - configure: disable metalink if mbedTLS is specified
+ - configure: disable metalink support for incompatible SSL/TLS
+ - conn: do not reuse connection if SOCKS proxy credentials differ
+ - conncache: removed unused Curl_conncache_bundle_size()
+ - connect: remove some spurious infof() calls
+ - connection reuse: respect the max_concurrent_streams limits
+ - cookie: check __Secure- and __Host- case sensitively
+ - cookies: make saving atomic with a rename
+
- create-dirs.d: mention the mode
+ - curl: avoid using strlen for testing if a string is empty
+ - curl: error on --alt-svc use w/o support
+ - curl: let -D merge headers in one file again
+ - curl: make #0 not output the full URL
+ - curl: make the -# spaceship bar not wrap the line
+ - curl: remove 'config' field from OutStruct
+ - curl:progressbarinit: ignore column width from terminals < 20
+ - curl_escape.3: add a link to curl_free
+ - curl_getenv.3: fix the memory handling description
+ - curl_global_init: assume the EINTR bit by default
+ - curl_global_init: move the IPv6 works status bool to multi handle
+ - CURLINFO_COOKIELIST.3: Fix example
+ - CURLOPT_ALTSVC_CTRL.3: fix the DEFAULT wording
+ - CURLOPT_PROXY_SSL_OPTIONS.3: Sync with CURLOPT_SSL_OPTIONS.3
+ - CURLOPT_REDIR_PROTOCOLS.3: update the DEFAULT section
+ - data.d: remove "Multiple files can also be specified"
+ - digest: do not quote algorithm in HTTP authorisation
+ - docs/HTTP3: add --enable-alt-svc to curl's configure
+ - docs/HTTP3: update the OpenSSL branch to use for ngtcp2
+ - docs: fix typo on CURLINFO_RETRY_AFTER
+ - easy: remove dead code
+ - form.d: fix two minor typos
+ - ftp: convert 'sock_accepted' to a plain boolean
+ - ftp: remove superfluous checking for crlf in user or pwd
+ - ftp: shrink temp buffers used for PORT
+ - github: Instructions to post "uname -a" on Unix systems in issues
+ - GnuTLS: always send client cert
+ - gtls: fixed compilation when using GnuTLS < 3.5.0
+ - hostip: move code to resolve IP address literals to 'Curl_resolv'
+ - HTTP-COOKIES: describe the cookie file format
+ - HTTP-COOKIES: mention that a trailing newline is required
+ - http2: make pausing/unpausing set/clear local stream window
+ - http2: now requires nghttp2 >= 1.12.0
+ - http: added 417 response treatment
+ - http: increase EXPECT_100_THRESHOLD to 1Mb
+ - http: mark POSTs with no body as "upload done" from the start
+ - http: move "oauth_bearer" from connectdata to Curl_easy
+ - include:
remove non-curl prefixed defines
+ - KNOWN_BUGS: Multiple methods in a single WWW-Authenticate: header
+ - libssh2: add support for forcing a hostkey type
+ - libssh2: fix variable type
+ - libssh: improve known hosts handling
+ - llist: removed unused Curl_llist_move()
+ - location.d: the method change is from POST to GET only
+ - md4: fixed compilation issues when using GNU TLS gcrypt
+ - md4: use init/update/final functions in Secure Transport
+ - md5: added implementation for mbedTLS
+ - mk-ca-bundle: add support for CKA_NSS_SERVER_DISTRUST_AFTER
+ - multi: change curl_multi_wait/poll to error on negative timeout
+ - multi: fix outdated comment
+ - multi: if Curl_readwrite sets 'comeback' use expire, not loop
+ - multi_done: if multiplexed, make conn->data point to another transfer
+ - multi_wait: stop loop when sread() returns zero
+ - ngtcp2: add error code for QUIC connection errors
+ - ngtcp2: fixed to only use AF_INET6 when ENABLE_IPV6
+ - ngtcp2: update to git master and its draft-25 support
+ - ntlm: removed the dependency on the TLS libaries when using MD5
+ - ntlm_wb: use Curl_socketpair() for greater portability
+ - oauth2-bearer.d: works for HTTP too
+ - openssl: make CURLINFO_CERTINFO not truncate x509v3 fields
+ - openssl: remove redundant assignment
+ - os400: fixed the build
+ - pause: force-drain the transfer on unpause
+ - quiche: update to draft-25
+ - README: mention that the docs is in docs/
+ - runtests: make random seed fixed for a month
+ - runtests: restore the command log
+ - schannel_verify: Fix alt names manual verify for UNICODE builds
+ - sha256: use crypto implementations when available
+ - singleuse.pl: support new API functions, fix curl_dbg_ handling
+ - smtp: support the SMTPUTF8 extension
+ - smtp: support UTF-8 based host names in MAIL FROM
+ - SOCKS: make the connect phase non-blocking
+ - strcase: turn Curl_raw_tolower into static
+ - strerror: increase STRERROR_LEN 128 -> 256
+ - test1323: added missing 'unit test' feature
requirement
+ - tests: add a unit test for MD4 digest generation
+ - tests: add a unit test for SHA256 digest generation
+ - tests: add a unit test for the HMAC hash generation
+ - tests: deduce the tool name from the test case for unit tests
+ - tests: fix Python 3 compatibility of smbserver.py
+ - tool_dirhie: allow directory traversal during creation
+ - tool_homedir: change GetEnv() to use libcurl's curl_getenv()
+ - url: include the failure reason when curl_win32_idn_to_ascii() fails
+ - urlapi: guess scheme properly with credentials given
+ - urldata: do string enums without #ifdefs for build scripts
+ - vtls: refactor Curl_multissl_version to make the code clearer
+- Refresh patches:
+ * curl-secure-getenv.patch
+ * libcurl-ocloexec.patch
+
+-------------------------------------------------------------------
+Tue Feb 18 14:11:29 UTC 2020 - Dominique Leuenberger
+
+- Eliminate curl-mini: The reason for this to exist was that cmake
+ pulled in curl into too many places, causing build cycles. A new
+ cmake-mini was generated, eliminating that need.
+
+-------------------------------------------------------------------
+Wed Jan 8 09:54:50 UTC 2020 - Pedro Monreal Gonzalez
+
+- Update to 7.68.0
+ * Changes:
+ - TLS: add BearSSL vtls implementation
+ - XFERINFOFUNCTION: support CURL_PROGRESSFUNC_CONTINUE
+ - curl: add --etag-compare and --etag-save
+ - curl: add --parallel-immediate
+ - multi: add curl_multi_wakeup()
+ - openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains
+ * Bugfixes:
+ - CVE-2019-15601: file: on Windows, refuse paths that start with \\
+ - Azure Pipelines: add several builds
+ - CMake: add support for building with the NSS vtls backend
+ - CURL-DISABLE: initial docs for the CURL_DISABLE_* defines
+ - CURLOPT_HEADERFUNCTION.3: Document that size is always 1
+ - CURLOPT_QUOTE.3: fix typos
+ - CURLOPT_READFUNCTION.3: fix the example
+ - CURLOPT_URL.3: "curl supports SMB version 1 (only)"
+ - CURLOPT_VERBOSE.3: see also ERRORBUFFER
+ - HISTORY: added cmake, HTTP/3 and parallel downloads with curl
+ - HISTORY: the SMB(S) support landed in 2014
+ - INSTALL.md: provide Android build instructions
+ - KNOWN_BUGS: Connection information when using TCP Fast Open
+ - KNOWN_BUGS: LDAP on Windows doesn't work correctly
+ - KNOWN_BUGS: TLS session cache doesn't work with TFO
+ - OPENSOCKETFUNCTION.3: correct the purpose description
+ - TrackMemory tests: always remove CR before LF
+ - altsvc: bump to h3-24
+ - altsvc: make the save function ignore NULL filenames
+ - build: Disable Visual Studio warning "conditional expression is constant"
+ - build: fix for CURL_DISABLE_DOH
+ - checksrc.bat: Add a check for vquic and vssh directories
+ - checksrc: repair the copyrightyear check
+ - cirrus-ci: enable clang sanitizers on freebsd 13
+ - cirrus: Drop the FreeBSD 10.4 build
+ - config-win32: cpu-machine-OS for Windows on ARM
+ - configure: avoid unportable `==' test(1) operator
+ - configure: enable IPv6 support without `getaddrinfo`
+ - configure: fix typo in help text
+ - conncache: CONNECT_ONLY
connections assumed always in-use
+ - conncache: fix multi-thread use of shared connection cache
+ - copyrights: fix copyright year range
+ - create_conn: prefer multiplexing to using new connections
+ - curl -w: handle a blank input file correctly
+ - curl.h: add two missing defines for "pre ISO C" compilers
+ - curl/parseconfig: fix mem-leak
+ - curl/parseconfig: use curl_free() to free memory allocated by libcurl
+ - curl: cleanup multi handle on failure
+ - curl: fix --upload-file . hangs if delay in STDIN
+ - curl: fix -T globbing
+ - curl: improved cleanup in upload error path
+ - curl: make a few char pointers point to const char instead
+ - curl: properly free mimepost data
+ - curl: show better error message when no homedir is found
+ - curl: show error for --http3 if libcurl lacks support
+ - curl_setup_once: consistently use WHILE_FALSE in macros
+ - define: remove HAVE_ENGINE_LOAD_BUILTIN_ENGINES, not used anymore
+ - docs: Change 'experiemental' to 'experimental'
+ - docs: TLS SRP doesn't work with TLS 1.3
+ - docs: fix several typos
+ - docs: mention CURL_MAX_INPUT_LENGTH restrictions
+ - doh: improved both encoding and decoding
+ - doh: make it behave when built without proxy support
+ - examples/postinmemory.c: Call curl_global_cleanup always
+ - examples/url2file.c: corrected erroneous comment
+ - examples: add multi-poll.c
+ - global_init: undo the "intialized" bump in case of failure
+ - hostip: suppress compiler warning
+ - http_ntlm: Remove duplicate NSS initialisation
+ - lib: Move lib/ssh.h -> lib/vssh/ssh.h
+ - lib: fix compiler warnings with `CURL_DISABLE_VERBOSE_STRINGS`
+ - lib: fix warnings found when porting to NuttX
+ - lib: remove ASSIGNWITHINCONDITION exceptions, use our code style
+ - lib: remove erroneous +x file permission on some c files
+ - libssh2: add support for ECDSA and ed25519 knownhost keys
+ - multi.h: remove INITIAL_MAX_CONCURRENT_STREAMS from public header
+ - multi: free sockhash on OOM
+ - multi_poll: avoid busy-loop
when called without easy handles attached
+ - ngtcp2: Support the latest update key callback type
+ - ngtcp2: fix thread-safety bug in error-handling
+ - ngtcp2: free used resources on disconnect
+ - ngtcp2: handle key updates as ngtcp2 master branch tells us
+ - ngtcp2: increase QUIC window size when data is consumed
+ - ngtcp2: use overflow buffer for extra HTTP/3 data
+ - ntlm: USE_WIN32_CRYPTO check removed to get USE_NTLM2SESSION set
+ - ntlm_wb: fix double-free in OOM
+ - openssl: Revert to less sensitivity for SYSCALL errors
+ - openssl: improve error message for SYSCALL during connect
+ - openssl: prevent recursive function calls from ctx callbacks
+ - openssl: retrieve reported LibreSSL version at runtime
+ - openssl: set X509_V_FLAG_PARTIAL_CHAIN by default
+ - parsedate: offer a getdate_capped() alternative
+ - pause: avoid updating socket if done was already called
+ - projects: Fix Visual Studio projects SSH builds
+ - projects: Fix Visual Studio wolfSSL configurations
+ - quiche: reject HTTP/3 headers in the wrong order
+ - remove_handle: clear expire timers after multi_done()
+ - runtests: --repeat=[num] to repeat tests
+ - runtests: introduce --shallow to reduce huge torture tests
+ - schannel: fix --tls-max for when min is --tlsv1 or default
+ - setopt: Fix ALPN / NPN user option when built without HTTP2
+ - strerror: Add Curl_winapi_strerror for Win API specific errors
+ - strerror: Fix an error looking up some Windows error strings
+ - strerror: Fix compiler warning "empty expression"
+ - system.h: fix for MCST lcc compiler
+ - test/sws: search for "Testno:" header unconditionally if no testno
+ - test1175: verify symbols-in-versions and libcurl-errors.3 in sync
+ - test1270: a basic -w redirect_url test
+ - test1456: remove the use of a fixed local port number
+ - test1558: use double slash after file:
+ - test1560: require IPv6 for IPv6 aware URL parsing
+ - tests/lib1557: fix mem-leak in OOM
+ - tests/lib1559: fix mem-leak in OOM
+ -
tests/lib1591: free memory properly on OOM, in the trailers callback
+ - tests/unit1607: fix mem-leak in OOM
+ - tests/unit1609: fix mem-leak in OOM
+ - tests/unit1620: fix bad free in OOM
+ - tests: Change NTLM tests to require SSL
+ - tests: Fix bounce requests with truncated writes
+ - tests: fix build with `CURL_DISABLE_DOH`
+ - tests: fix permissions of ssh keys in WSL
+ - tests: make it possible to set executable extensions
+ - tests: make sure checksrc runs on header files too
+ - tests: set LC_ALL=en_US.UTF-8 instead of blank in several tests
+ - tests: use DoH feature for DoH tests
+ - tests: use \r\n for log messages in WSL
+ - tool_operate: fix mem leak when failed config parse
+ - travis: Fix error detection
+ - travis: abandon coveralls, it is not reliable
+ - travis: build ngtcp2 with --enable-lib-only
+ - travis: export the CC/CXX variables when set
+ - vtls: make BearSSL possible to set with CURL_SSL_BACKEND
+ - winbuild: Define CARES_STATICLIB when WITH_CARES=static
+ - winbuild: Document CURL_STATICLIB requirement for static libcurl
+- Remove curl-expire-clear.patch
+
+-------------------------------------------------------------------
+Thu Nov 14 16:55:18 UTC 2019 - Pedro Monreal Gonzalez
+
+- Fix segfault in zypper ref: [bsc#1156481]
+ * remove_handle: clear expire timers after multi_done()
+ * Add patch curl-expire-clear.patch
+
+-------------------------------------------------------------------
+Wed Nov 6 15:52:24 UTC 2019 - Pedro Monreal Gonzalez
+
+- Update spec file with spec-cleaner
+
+-------------------------------------------------------------------
+Wed Nov 6 09:36:43 UTC 2019 - Pedro Monreal Gonzalez
+
+- Update to 7.67.0
+ * Changes:
+ - curl: added --no-progress-meter
+ - setopt: CURLMOPT_MAX_CONCURRENT_STREAMS is new
+ - urlapi: CURLU_NO_AUTHORITY allows empty authority/host part
+ * Bugfixes:
+ - BINDINGS: five new bindings addded
+ - CURLOPT_TIMEOUT.3: Clarify transfer timeout time includes queue time
+ - CURLOPT_TIMEOUT.3:
remove the mention of "minutes"
+ - ESNI: initial build/setup support
+ - FTP: FTPFILE_NOCWD: avoid redundant CWDs
+ - FTP: allow "rubbish" prepended to the SIZE response
+ - FTP: remove trailing slash from path for LIST/MLSD
+ - FTP: skip CWD to entry dir when target is absolute
+ - FTP: url-decode path before evaluation
+ - HTTP3.md: move -p for mkdir, remove -j for make
+ - HTTP3: fix invalid use of sendto for connected UDP socket
+ - HTTP3: fix prefix parameter for ngtcp2 build
+ - HTTP3: show an --alt-svc using example too
+ - INSTALL: add missing space for configure commands
+ - INSTALL: add vcpkg installation instructions
+ - altsvc: accept quoted ma and persist values
+ - altsvc: both backends run h3-23 now
+ - appveyor: Add MSVC ARM64 build
+ - appveyor: Use two parallel compilation on appveyor with CMake
+ - appveyor: add --disable-proxy autotools build
+ - appveyor: publish artifacts on appveyor
+ - appveyor: upgrade VS2017 to VS2019
+ - asyn-thread: make use of Curl_socketpair() where available
+ - asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris
+ - build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines
+ - checksrc: fix uninitialized variable warning
+ - chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error
+ - cirrus: Switch the FreeBSD 11.x build to 11.3 and add a 13.0 build
+ - cirrus: switch off blackhole status on the freebsd CI machines
+ - cleanups: 21 various PVS-Studio warnings
+ - configure: only say ipv6 enabled when the variable is set
+ - configure: remove all cyassl references
+ - conn-reuse: requests wanting NTLM can reuse non-NTLM connections
+ - connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT
+ - connect: silence sign-compare warning
+ - cookie: avoid harmless use after free
+ - cookie: pass in the correct cookie amount to qsort()
+ - cookies: change argument type for Curl_flush_cookies
+ - cookies: using a share with cookies shouldn't enable the cookie engine
+ - copyrights: update copyright notices to
2019 + - curl: create easy handles on-demand and not ahead of time + - curl: ensure HTTP 429 triggers --retry + - curl: exit the create_transfers loop on errors + - curl: fix memory leaked by parse_metalink() + - curl: load large files with -d @ much faster + - docs/HTTP3: fix `--with-ssl` ngtcp2 configure flag + - docs: added multi-event.c example + - docs: disambiguate CURLUPART_HOST is for host name (ie no port) + - docs: note on failed handles not being counted by curl_multi_perform + - doh: allow only http and https in debug mode + - doh: avoid truncating DNS QTYPE to lower octet + - doh: clean up dangling DOH memory on easy close + - doh: fix (harmless) buffer overrun + - doh: fix undefined behaviour and open up for gcc and clang optimization + - doh: return early if there is no time left + - examples/sslbackend: fix -Wchar-subscripts warning + - gnutls: make gnutls_bye() not wait for response on shutdown + - http2: expire a timeout at end of stream + - http2: prevent dup'ed handles to send dummy PRIORITY frames + - http2: relax verification of :authority in push promise requests + - http2_recv: a closed stream trumps pause state + - http: lowercase headernames for HTTP/2 and HTTP/3 + - ldap: Stop using wide char version of ldapp_err2string + - ldap: fix OOM error on missing query string + - mbedtls: add error message for cert validity starting in the future + - mime: when disabled, avoid C99 macro + - ngtcp2: adapt to API change + - ngtcp2: compile with latest ngtcp2 + nghttp3 draft-23 + - ngtcp2: remove fprintf() calls + - openssl: close_notify on the FTP data connection doesn't mean closure + - openssl: use strerror on SSL_ERROR_SYSCALL + - os400: getpeername() and getsockname() return ebcdic AF_UNIX sockaddr + - parsedate: fix date parsing disabled builds + - quiche: don't close connection at end of stream + - quiche: persist connection details (fixes -I with --http3) + - quiche: set 'drain' when returning without having drained the queues + - quiche: 
update HTTP/3 config creation to new API
+ - redirect: handle redirects to absolute URLs containing spaces
+ - runtests: get textaware info from curl instead of perl
+ - schannel: reverse the order of certinfo insertions
+ - schannel_verify: Fix concurrent openings of CA file
+ - security: silence conversion warning
+ - setopt: handle ALTSVC set to NULL
+ - setopt: make it easier to add new enum values
+ - setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly
+ - smb: check for full size message before reading message details
+ - smbserver: fix Python 3 compatibility
+ - socks: Fix destination host shown on SOCKS5 error
+ - test1162: disable MSYS2's POSIX path conversion
+ - test1591: fix spelling of http feature
+ - tests: add 'connect to non-listen' keywords
+ - tests: fix narrowing conversion warnings
+ - tests: fix the test 3001 cert failures
+ - tests: makes tests succeed when using --disable-proxy
+ - tests: use %FILE_PWD for file:// URLs
+ - tests: use port 2 instead of 60000 for a safer non-listening port
+ - tool_operate: Fix retry sleep time shown to user when Retry-After
+ - url: Curl_free_request_state() should also free doh handles
+ - url: don't set appconnect time for non-ssl/non-ssh connections
+ - url: fix the NULL hostname compiler warning
+ - url: normalize CURLINFO_EFFECTIVE_URL
+ - url: only reuse TLS connections with matching pinning
+ - urlapi: avoid index underflow for short ipv6 hostnames
+ - urlapi: fix URL encoding when setting a full URL
+ - urlapi: question mark within fragment is still fragment
+ - urldata: use 'bool' for the bit type on MSVC compilers
+ - vtls: fix narrowing conversion warnings
+
+-------------------------------------------------------------------
+Wed Sep 11 08:17:06 UTC 2019 - Pedro Monreal Gonzalez
+
+- Update to 7.66.0 [bsc#1149496, CVE-2019-5482][bsc#1149495, CVE-2019-5481]
+ * Changes:
+ - CURLINFO_RETRY_AFTER: parse the Retry-After header value
+ - HTTP3: initial (experimental still not working) support
+ - curl:
--sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
+ - curl: support parallel transfers with -Z
+ - curl_multi_poll: a sister to curl_multi_wait() that waits more
+ - sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
+ * Bugfixes:
+ - CVE-2019-5481: FTP-KRB double-free
+ - CVE-2019-5482: TFTP small blocksize heap buffer overflow
+ - CMake: remove needless newlines at end of gss variables
+ - CMake: use platform dependent name for dlopen() library
+ - CURLINFO docs: mention that in redirects times are added
+ - CURLOPT_ALTSVC.3: use a "" file name to not load from a file
+ - CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
+ - CURLOPT_HEADERFUNCTION.3: clarify
+ - CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly
+ - CURLOPT_READFUNCTION.3: provide inline example
+ - CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
+ - Curl_addr2string: take an addrlen argument too
+ - Curl_fillreadbuffer: avoid double-free trailer buf on error
+ - HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
+ - alt-svc: add protocol version selection masking
+ - alt-svc: fix removal of expired cache entry
+ - alt-svc: make it use h3-22 with ngtcp2 as well
+ - alt-svc: more liberal ALPN name parsing
+ - alt-svc: send Alt-Used: in redirected requests
+ - alt-svc: with quiche, use the quiche h3 alpn string
+ - asyn-thread: create a socketpair to wait on
+ - cleanup: move functions out of url.c and make them static
+ - cleanup: remove the 'numsocks' argument used in many places
+ - configure: avoid undefined check_for_ca_bundle
+ - curl.h: add CURL_HTTP_VERSION_3 to the version enum
+ - curl: cap the maximum allowed values for retry time arguments
+ - curl: handle a libcurl build without netrc support
+ - curl: make use of CURLINFO_RETRY_AFTER when retrying
+ - curl: use CURLINFO_PROTOCOL to check for HTTP(s)
+ - curl_global_init_mem.3: mention it was added in 7.12.0
+ - curl_version: bump string buffer size to 250
+ -
curl_version_info.3: mentioned ALTSVC and HTTP3
+ - curl_version_info: offer quic (and h3) library info
+ - curl_version_info: provide nghttp2 details
+ - defines: avoid underscore-prefixed defines
+ - docs/ALTSVC: remove what works and the experimental explanation
+ - docs/EXPERIMENTAL: explain what it means and what's experimental now
+ - docs/MANUAL.md: converted to markdown from plain text
+ - docs/examples/curlx: fix errors
+ - docs: s/curl_debug/curl_dbg_debug in comments and docs
+ - easy: resize receive buffer on easy handle reset
+ - examples: Avoid reserved names in hiperfifo examples
+ - examples: add http3.c, altsvc.c and http3-present.c
+ - http09: disable HTTP/0.9 by default in both tool and library
+ - http2: when marked for closure and wanted to close == OK
+ - http2_recv: trigger another read when the last data is returned
+ - http: fix use of credentials from URL when using HTTP proxy
+ - http_negotiate: improve handling of gss_init_sec_context() failures
+ - md4: Use our own MD4 when no crypto libraries are available
+ - multi: call detach_connection before Curl_disconnect
+ - nss: use TLSv1.3 as default if supported
+ - openssl: build warning free with boringssl
+ - openssl: use SSL_CTX_set__proto_version() when available
+ - plan9: add support for running on Plan 9
+ - progress: reset download/uploaded counter between transfers
+ - readwrite_data: repair setting the TIMER_STARTTRANSFER stamp
+ - scp: fix directory name length used in memcpy
+ - smb: init *msg to NULL in smb_send_and_recv()
+ - smtp: check for and bail out on too short EHLO response
+ - source: remove names from source comments
+ - spnego_sspi: add typecast to fix build warning
+ - src/makefile: fix uncompressed hugehelp.c generation
+ - ssh-libssh: do not specify O_APPEND when not in append mode
+ - ssh: move code into vssh for SSH backends
+ - sspi: fix memory leaks
+ - tests: Replace outdated test case numbering documentation
+ - tftp: return error when packet is too small
for options
+ - timediff: make it 64 bit (if possible) even with 32 bit time_t
+ - travis: reduce number of torture tests in 'coverage'
+ - url: make use of new HTTP version if alt-svc has one
+ - urlapi: verify the IPv6 numerical address
+ - urldata: avoid 'generic', use dedicated pointers
+ - vauth: Use CURLE_AUTH_ERROR for auth function errors
+
+-------------------------------------------------------------------
+Fri Jul 19 13:51:15 UTC 2019 - Pedro Monreal Gonzalez
+
+- Update to 7.65.3
+ * progress: make the progress meter appear again
+
+-------------------------------------------------------------------
+Wed Jul 17 09:07:25 UTC 2019 - Pedro Monreal Gonzalez
+
+- Update to 7.65.2
+ * Bugfixes:
+ - CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH
+ - CMake: Fix finding Brotli on case-sensitive file systems
+ - CURLOPT_RANGE.3: Caution against using it for HTTP PUT
+ - CURLOPT_SEEKDATA.3: fix variable name
+ - bindlocal: detect and avoid IP version mismatches in bind()
+ - build: fix Codacy warnings
+ - c-ares: honor port numbers in CURLOPT_DNS_SERVERS
+ - config-os400: add getpeername and getsockname defines
+ - configure: --disable-progress-meter
+ - configure: fix --disable-code-coverage
+ - configure: more --disable switches to toggle off individual features
+ - configure: remove CURL_DISABLE_TLS_SRP
+ - conn_maxage: move the check to prune_dead_connections()
+ - curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds
+ - docs: Explain behavior change in --tlsv1.
options since 7.54 + - docs: Fix links to OpenSSL docs + - docs: fix string suggesting HTTP/2 is not the default + - headers: Remove no longer exported functions + - http2: call done_sending on end of upload + - http2: don't call stream-close on already closed streams + - http2: remove CURL_DISABLE_TYPECHECK define + - http: allow overriding timecond with custom header + - http: clarify header buffer size calculation + - krb5: fix compiler warning + - lib: Use UTF-8 encoding in comments + - libcurl: Restrict redirect schemes to HTTP, HTTPS, FTP and FTPS + - multi: enable multiplexing by default (again) + - multi: fix the transfer hashes in the socket hash entries + - multi: make sure 'data' can present in several sockhash entries + - netrc: Return the correct error code when out of memory + - nss: don't set unused parameter + - nss: inspect returnvalue of token check + - nss: only cache valid CRL entries + - openssl: define HAVE_SSL_GET_SHUTDOWN based on version number + - openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined + - openssl: fix pubkey/signature algorithm detection in certinfo + - os400: make vsetopt() non-static as Curl_vsetopt() for os400 support + - quote.d: asterisk prefix works for SFTP as well + - runtests: keep logfiles around by default + - runtests: report single test time + total duration + - test1165: verify that CURL_DISABLE_ symbols are in sync + - test1521: adapt to SLISTPOINT + - test1523: test CURLOPT_LOW_SPEED_LIMIT + - test153: fix content-length to avoid occasional hang + - test188/189: fix Content-Length + - tests: have runtests figure out disabled features + - tests: support non-localhost HOSTIP for dict/smb servers + - tests: update fixed IP for hostip/clientip split + - tool_cb_prg: Fix integer overflow in progress bar + - typecheck: CURLOPT_CONNECT_TO takes an slist too + - typecheck: add 3 missing strings and a callback data pointer + - unit1654: cleanup on memory failure + - unpause: trigger a timeout for event-based 
transfers
+ - url: Fix CURLOPT_MAXAGE_CONN time comparison
+- Rebased patch curl-use_OPENSSL_config.patch
+- Disable new added failing test1165
+
+-------------------------------------------------------------------
+Wed Jun 5 15:34:01 UTC 2019 - Pedro Monreal Gonzalez
+
+- Update to 7.65.1
+ * Bugfixes:
+ - CURLOPT_LOW_SPEED_* repaired
+ - NTLM: reset proxy "multipass" state when CONNECT request is done
+ - PolarSSL: deprecate support step 1. Removed from configure
+ - cmake: check for if_nametoindex()
+ - cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables
+ - conncache: Remove the DEBUGASSERT on length check
+ - conncache: make "bundles" per host name when doing proxy tunnels
+ - curl_share_setopt.3: improve wording
+ - dump-header.d: spell out that no headers == empty file
+ - example/http2-download: fix format specifier
+ - examples: cleanups and compiler warning fixes
+ - http2: Stop drain from being permanently set
+ - http: don't parse body-related headers in bodyless responses
+ - md4: build correctly with openssl without MD4
+ - md4: include the mbedtls config.h to get the MD4 info
+ - multi: track users of a socket better
+ - nss: allow to specify TLS 1.3 ciphers if supported by NSS
+ - parse_proxy: make sure portptr is initialized
+ - parse_proxy: use the IPv6 zone id if given
+ - sectransp: handle errSSLPeerAuthCompleted from SSLRead()
+ - singlesocket: use separate variable for inner loop
+ - ssl: Update outdated "openssl-only" comments for supported backends
+ - tests: add HAProxy keywords
+ - tests: make test 1420 and 1406 work with rtsp-disabled libcurl
+ - tls13-docs: mention it is only for OpenSSL >= 1.1.1
+ - tool_setopt: for builds with disabled-proxy, skip all proxy setopts()
+ - url: fix bad feature-disable #ifdef
+ - url: use correct port in ConnectionExists()
+
+-------------------------------------------------------------------
+Wed May 22 11:41:49 UTC 2019 - Pedro Monreal Gonzalez
+
+- Update to 7.65.0 [bsc#1135176,
CVE-2019-5435][bsc#1135170, CVE-2019-5436]
+ * Changes:
+ - CURLOPT_DNS_USE_GLOBAL_CACHE: removed
+ - CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse
+ - pipelining: removed
+ * Bugfixes:
+ - CVE-2019-5435: Integer overflows in curl_url_set
+ - CVE-2019-5436: tftp: use the current blksize for recvfrom()
+ - --config: clarify that initial : and = might need quoting
+ - CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk
+ - CURLOPT_ADDRESS_SCOPE: fix range check and more
+ - CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value
+ - CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE
+ - CURL_MAX_INPUT_LENGTH: largest acceptable string input size
+ - Curl_disconnect: treat all CONNECT_ONLY connections as "dead"
+ - OS400/ccsidcurl: replace use of Curl_vsetopt
+ - OpenSSL: Report -fips in version if OpenSSL is built with FIPS
+ - WRITEFUNCTION: add missing set_in_callback around callback
+ - altsvc: Fix building with cookies disabled
+ - auth: Rename the various authentication clean up functions
+ - base64: build conditionally if there are users
+ - cmake: avoid linking executable for some tests with cmake 3.6+
+ - cmake: clear CMAKE_REQUIRED_LIBRARIES after each use
+ - cmake: set SSL_BACKENDS
+ - configure: avoid unportable '==' test(1) operator
+ - configure: error out if OpenSSL wasn't detected when asked for
+ - configure: fix default location for fish completions
+ - cookie: Guard against possible NULL ptr deref
+ - curl: make code work with protocol-disabled libcurl
+ - curl: report error for "--no-" on non-boolean options
+ - curlver.h: use parenthesis in CURL_VERSION_BITS macro
+ - docs/INSTALL: fix broken link
+ - doh: acknowledge CURL_DISABLE_DOH
+ - doh: disable DOH for the cases it doesn't work
+ - examples: remove unused variables
+ - ftplistparser: fix LGTM alert "Empty block without comment"
+ - hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS
+ - http: Ignore HTTP/2 prior knowledge setting for HTTP proxies
+ - http: 
acknowledge CURL_DISABLE_HTTP_AUTH
+ - http: mark bundle as not for multiuse on < HTTP/2 response
+ - http_digest: Don't expose functions when HTTP and Crypto Auth are disabled
+ - http_negotiate: do not treat failure of gss_init_sec_context() as fatal
+ - http_ntlm: Corrected the name of the include guard
+ - http_ntlm_wb: Handle auth for only a single request
+ - http_ntlm_wb: Return the correct error on receiving an empty auth message
+ - lib509: add missing include for strdup
+ - lib557: initialize variables
+ - mbedtls: enable use of EC keys
+ - mime: acknowledge CURL_DISABLE_MIME
+ - multi: improved HTTP_1_1_REQUIRED handling
+ - netrc: acknowledge CURL_DISABLE_NETRC
+ - nss: allow fifos and character devices for certificates
+ - nss: provide more specific error messages on failed init
+ - ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup
+ - ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
+ - openssl: mark connection for close on TLS close_notify
+ - openvms: Remove pre-processor for SecureTransport
+ - parse_proxy: use the URL parser API
+ - parsedate: disabled on CURL_DISABLE_PARSEDATE
+ - pingpong: disable more when no pingpong protocols are enabled
+ - polarssl_threadlock: remove conditionally unused code
+ - progress: acknowledge CURL_DISABLE_PROGRESS_METER
+ - proxy: acknowledge DISABLE_PROXY more
+ - resolve: apply Happy Eyeballs philosophy to parallel c-ares queries
+ - revert "multi: support verbose conncache closure handle"
+ - sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616
+ - sasl: only enable if there's a protocol enabled using it
+ - singleipconnect: show port in the verbose "Trying ..." 
message
+ - socks5: user name and passwords must be shorter than 256
+ - socks: fix error message
+ - socksd: new SOCKS 4+5 server for tests
+ - spnego_gssapi: fix return code on gss_init_sec_context() failure
+ - ssh-libssh: remove unused variable
+ - ssh: define USE_SSH if SSH is enabled (any backend)
+ - ssh: move variable declaration to where it's used
+ - test1002: correct the name
+ - test2100: Fix typos in test description
+ - tests: Run global cleanup at end of tests
+ - tests: make Impacket (SMB server) Python 3 compatible
+ - tool_cb_wrt: fix bad-function-cast warning
+ - tool_formparse: remove redundant assignment
+ - tool_help: Warn if curl and libcurl versions do not match
+ - tool_help: include for strcasecmp
+ - url: always clone the CUROPT_CURLU handle
+ - url: convert the zone id from a IPv6 URL to correct scope id
+ - urlapi: add CURLUPART_ZONEID to set and get
+ - urlapi: increase supported scheme length to 40 bytes
+ - urlapi: require a non-zero host name length when parsing URL
+ - urlapi: stricter CURLUPART_PORT parsing
+ - urlapi: strip off zone id from numerical IPv6 addresses
+ - urlapi: urlencode characters above 0x7f correctly
+ - vauth/cleartext: update the PLAIN login to match RFC 4616
+ - vauth/oauth2: Fix OAUTHBEARER token generation
+ - vauth: Fix incorrect function description for Curl_auth_user_contains_domain
+ - vtls: fix potential ssl_buffer stack overflow
+ - wildcard: disable from build when FTP isn't present
+ - xattr: skip unittest on unsupported platforms
+
+-------------------------------------------------------------------
+Tue Apr 9 12:11:46 UTC 2019 - Pedro Monreal Gonzalez
+
+- Install curl.fish completions file from curl rather than from the fish package
+
+-------------------------------------------------------------------
+Tue Apr 9 11:41:07 UTC 2019 - Pedro Monreal Gonzalez
+
+- update to version 7.64.1
+ * Changes:
+ - alt-svc: experiemental support added
+ - configure: add --with-amissl
+ * Bugfixes:
+ - 
AppVeyor: switch VS 2015 builds to VS 2017 image
+ - CURLU: fix NULL dereference when used over proxy
+ - Curl_easy: remove req.maxfd - never used!
+ - Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning
+ - DoH: inherit some SSL options from user's easy handle
+ - Secure Transport: no more "darwinssl"
+ - Secure Transport: tvOS 11 is required for ALPN support
+ - cirrus: Added FreeBSD builds using Cirrus CI
+ - cleanup: make local functions static
+ - cli tool: do not use mime.h private structures
+ - cmdline-opts/proxytunnel.d: the option tunnnels all protocols
+ - configure: add additional libraries to check for LDAP support
+ - configure: remove the unused fdopen macro
+ - configure: show features as well in the final summary
+ - conncache: use conn->data to know if a transfer owns it
+ - connection: never reuse CONNECT_ONLY connections
+ - connection_check: restore original conn->data after the check
+ - connection_check: set ->data to the transfer doing the check
+ - cookie: Add support for cookie prefixes
+ - cookies: dotless names can set cookies again
+ - cookies: fix NULL dereference if flushing cookies with no CookieInfo set
+ - curl.1: --user and --proxy-user are hidden from ps output
+ - curl.1: mark the argument to --cookie as
+ - curl.h: use __has_declspec_attribute for shared builds
+ - curl: display --version features sorted alphabetically
+ - curl: fix FreeBSD compiler warning in the --xattr code
+ - curl: remove MANUAL from -M output
+ - curl_easy_duphandle.3: clarify that a duped handle has no shares
+ - curl_multi_remove_handle.3: use at any time, just not from within callbacks
+ - curl_url.3: this API is not experimental anymore
+ - dns: release sharelock as soon as possible
+ - docs: update max-redirs.d phrasing
+ - examples/10-at-a-time.c: improve readability and simplify
+ - examples/cacertinmem.c: use multiple certificates for loading CA-chain
+ - examples/crawler: Fix the Accept-Encoding setting
+ - examples/ephiperfifo.c: various 
fixes + - examples/externalsocket: add missing close socket calls + - examples/http2-download: cleaned up + - examples/http2-serverpush: add some sensible error checks + - examples/http2-upload: cleaned up + - examples/httpcustomheader: Value stored to 'res' is never read + - examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory' + - examples/sftpuploadresume: Value stored to 'result' is never read + - examples: only include + - examples: remove recursive calls to curl_multi_socket_action + - examples: remove superfluous null-pointer checks + - file: fix "Checking if unsigned variable 'readcount' is less than zero." + - fnmatch: disable if FTP is disabled + - gnutls: remove call to deprecated gnutls_compression_get_name + - gopher: remove check for path == NULL + - gssapi: fix deprecated header warnings + - hostip: make create_hostcache_id avoid alloc + free + - http2: multi_connchanged() moved from multi.c, only used for h2 + - http2: verify :athority in push promise requests + - http: make adding a blank header thread-safe + - http: send payload when (proxy) authentication is done + - http: set state.infilesize when sending multipart formposts + - makefile: make checksrc and hugefile commands "silent" + - mbedtls: make it build even if MBEDTLS_VERSION_C isn't set + - mbedtls: release sessionid resources on error + - memdebug: log pointer before freeing its data + - memdebug: make debug-specific functions use curl_dbg_ prefix + - mime: put the boundary buffer into the curl_mime struct + - multi: call multi_done on connect timeouts, fixes CURLINFO_TOTAL_TIME + - multi: remove verbose "Expire in" ... 
messages
+ - multi: removed unused code for request retries
+ - multi: support verbose conncache closure handle
+ - negotiate: fix for HTTP POST with Negotiate
+ - openssl: add support for TLS ASYNC state
+ - openssl: if cert type is ENG and no key specified, key is ENG too
+ - pretransfer: don't strlen() POSTFIELDS set for GET requests
+ - rand: Fix a mismatch between comments in source and header
+ - runtests: detect "schannel" as an alias for "winssl"
+ - schannel: be quiet - remove verbose output
+ - schannel: close TLS before removing conn from cache
+ - schannel: support CALG_ECDH_EPHEM algorithm
+ - scripts/completion.pl: also generate fish completion file
+ - singlesocket: fix the 'sincebefore' placement
+ - source: fix two 'nread' may be used uninitialized warnings
+ - ssh: fix Condition '!status' is always true
+ - ssh: loop the state machine if not done and not blocking
+ - strerror: make the strerror function use local buffers
+ - test578: make it read data from the correct test
+ - tests: Fixed XML validation errors in some test files
+ - tests: add stderr comparison to the test suite
+ - tests: fix multiple may be used uninitialized warnings
+ - threaded-resolver: shutdown the resolver thread without error message
+ - tool_cb_wrt: fix writing to Windows null device NUL
+ - tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr
+ - tool_operate: build on AmigaOS
+ - tool_operate: fix typecheck warning
+ - transfer.c: do not compute length of undefined hex buffer
+ - travis: add build using gnutls
+ - travis: add scan-build
+ - travis: bump the used wolfSSL version to 4.0.0
+ - travis: enable valgrind for the iconv tests
+ - travis: use updated compiler versions: clang 7 and gcc 8
+ - unit1307: require FTP support
+ - unit1651: survive curl_easy_init() fails
+ - url/idnconvert: remove scan for <= 32 ascii values
+ - url: change conn shutdown order to ensure SOCKETFUNCTION callbacks
+ - urlapi: reduce variable scope, remove 
unreachable 'break' + - urldata: convert bools to bitfields and move to end + - urldata: simplify bytecounters + - urlglob: Argument with 'nonnull' attribute passed null + - version.c: silent scan-build even when librtmp is not enabled + - vtls: rename some of the SSL functions + - wolfssl: stop custom-adding curves + - x509asn1: "Dereference of null pointer" + - x509asn1: cleanup and unify code layout + - zsh.pl: escape ':' character + - zsh.pl: update regex to better match curl -h output +- Dropped patches fixed upstream: + * 0001-connection_check-set-data-to-the-transfer-doing-the-.patch + * 0002-connection_check-restore-original-conn-data-after-th.patch + * curl-singlesocket-sincebefore-placement.patch + +------------------------------------------------------------------- +Mon Mar 18 10:34:14 UTC 2019 - Pedro Monreal Gonzalez + +- Fix variable placement that wasn't properly reset within a loop + missing to notify sockets. [bsc#1129083, bsc#1129470] + * Added curl-singlesocket-sincebefore-placement.patch + +------------------------------------------------------------------- +Fri Mar 8 16:10:39 UTC 2019 - Fabian Vogt + +- Add patches to fix use-after-free (boo#1127849): + * 0001-connection_check-set-data-to-the-transfer-doing-the-.patch + * 0002-connection_check-restore-original-conn-data-after-th.patch + +------------------------------------------------------------------- +Wed Feb 27 08:53:31 UTC 2019 - Stephan Kulow + +- BuildRequire libcurl4-mini for !bootstrap to avoid build cycles + due to cmake pulling libcurl4 + +------------------------------------------------------------------- +Wed Feb 6 09:16:58 UTC 2019 - Pedro Monreal Gonzalez + +- update to version 7.64.0 + [bcs#1123371, CVE-2018-16890][bcs#1123377, CVE-2019-3822] + [bcs#1123378, CVE-2019-3823] + * Changes: + - cookies: leave secure cookies alone + - hostip: support wildcard hosts + - http: Implement trailing headers for chunked transfers + - http: added options for allowing HTTP/0.9 responses + - 
timeval: Use high resolution timestamps on Windows
+ * Bugfixes:
+ - CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
+ - CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
+ - CVE-2019-3823: SMTP end-of-response out-of-bounds read
+ - FAQ: remove mention of sourceforge for github
+ - OS400: handle memory error in list conversion
+ - OS400: upgrade ILE/RPG binding.
+ - README: add codacy code quality badge
+ - Revert http_negotiate: do not close connection
+ - THANKS: added several missing names from year <= 2000
+ - build: make 'tidy' target work for metalink builds
+ - cmake: added checks for variadic macros
+ - cmake: updated check for HAVE_POLL_FINE to match autotools
+ - cmake: use lowercase for function name like the rest of the code
+ - configure: detect xlclang separately from clang
+ - configure: fix recv/send/select detection on Android
+ - configure: rewrite --enable-code-coverage
+ - conncache_unlock: avoid indirection by changing input argument type
+ - cookie: fix comment typo
+ - cookies: allow secure override when done over HTTPS
+ - cookies: extend domain checks to non psl builds
+ - cookies: skip custom cookies when redirecting cross-site
+ - curl --xattr: strip credentials from any URL that is stored
+ - curl -J: refuse to append to the destination file
+ - curl/urlapi.h: include "curl.h" first
+ - curl_multi_remove_handle() don't block terminating c-ares requests
+ - darwinssl: accept setting max-tls with default min-tls
+ - disconnect: separate connections and easy handles better
+ - disconnect: set conn->data for protocol disconnect
+ - docs/version.d: mention MultiSSL
+ - docs: fix the --tls-max description
+ - docs: use $(INSTALL_DATA) to install man page
+ - docs: use meaningless port number in CURLOPT_LOCALPORT example
+ - gopher: always include the entire gopher-path in request
+ - http2: clear pause stream id if it gets closed
+ - if2ip: remove unused function Curl_if_is_interface_name
+ - libssh: do not let libssh create 
socket
+ - libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
+ - libssh: free sftp_canonicalize_path() data correctly
+ - libtest/stub_gssapi: use "real" snprintf
+ - mbedtls: use VERIFYHOST
+ - multi: multiplexing improvements
+ - multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
+ - ntlm: fix NTMLv2 compliance
+ - ntlm_sspi: add support for channel binding
+ - openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
+ - openssl: fix the SSL_get_tlsext_status_ocsp_resp call
+ - openvms: fix OpenSSL discovery on VAX
+ - openvms: fix typos in documentation
+ - os400: add a missing closing bracket
+ - os400: fix extra parameter syntax error
+ - pingpong: change default response timeout to 120 seconds
+ - pingpong: ignore regular timeout in disconnect phase
+ - printf: fix format specifiers
+ - runtests.pl: Fix perl call to include srcdir
+ - schannel: fix compiler warning
+ - schannel: preserve original certificate path parameter
+ - schannel: stop calling it "winssl"
+ - sigpipe: if mbedTLS is used, ignore SIGPIPE
+ - smb: fix incorrect path in request if connection reused
+ - ssh: log the libssh2 error message when ssh session startup fails
+ - test1558: verify CURLINFO_PROTOCOL on file:// transfer
+ - test1561: improve test name
+ - test1653: make it survive torture tests
+ - tests: allow tests to pass by 2037-02-12
+ - tests: move objnames-* from lib into tests
+ - timediff: fix math for unsigned time_t
+ - timeval: Disable MSVC Analyzer GetTickCount warning
+ - tool_cb_prg: avoid integer overflow
+ - travis: added cmake build for osx
+ - urlapi: Fix port parsing of eol colon
+ - urlapi: distinguish possibly empty query
+ - urlapi: fix parsing ipv6 with zone index
+ - urldata: rename easy_conn to just conn
+ - winbuild: conditionally use /DZLIB_WINAPI
+ - wolfssl: fix memory-leak in threaded use
+ - spnego_sspi: add support for channel binding
+
+-------------------------------------------------------------------
+Mon 
Jan 28 18:47:00 UTC 2019 - Jan Engelhardt + +- Fix wrong summary, curl is at version 7, not 4. + +------------------------------------------------------------------- +Fri Jan 18 15:18:57 UTC 2019 - Vítězslav Čížek + +- Provide libcurl4 = %version in the mini library package + +------------------------------------------------------------------- +Thu Dec 27 04:44:48 UTC 2018 - sean@suspend.net + +- Update to version 7.63.0 + Changes: + * curl: add %{stderr} and %{stdout} for --write-out + * curl: add undocumented option --dump-module-paths for w32 + * setopt: add CURLOPT_CURLU + + Bugfixes: + * (lib)curl.rc: fixup for minor bugs + * CURLINFO_REDIRECT_URL: extract the Location: header field unvalidated + * CURLOPT_HEADERFUNCTION.3: match 'nitems' name in synopsis/desc + * CURLOPT_WRITEFUNCTION.3: spell out that it gets called many times + * Curl_follow: accept non-supported schemes for "fake" redirects + * KNOWN_BUGS: add --proxy-any connection issue + * NTLM: Remove redundant ifdef USE_OPENSSL + * NTLM: force the connection to HTTP/1.1 + * OS400: add URL API ccsid wrappers and sync ILE/RPG bindings + * SECURITY-PROCESS: bountygraph shuts down again + * TODO: Have the URL API offer IDN decoding + * ares: remove fd from multi fd set when ares is about to close the fd + * axtls: removed + * checksrc: add COPYRIGHTYEAR check + * cmake: fix MIT/Heimdal Kerberos detection + * configure: include all libraries in ssl-libs fetch + * configure: show CFLAGS, LDFLAGS etc in summary + * connect: fix building for recent versions of Minix + * cookies: create the cookiejar even if no cookies to save + * cookies: expire "Max-Age=0" immediately + * curl: --local-port range was not "including" + * curl: fix --local-port integer overflow + * curl: fix memory leak reading --writeout from file + * curl: fixed UTF-8 in current console code page (Win) + * curl_easy_perform: fix timeout handling + * curl_global_sslset(): id == -1 is not necessarily an error + * curl_multibyte: fix a malloc 
overcalculation
+ * curle: move deprecated error code to ifndef block
+ * docs: curl_formadd field and file names are now escaped
+ * docs: escape "\n" codes
+ * doh: fix memory leak in OOM situation
+ * doh: make it work for h2-disabled builds too
+ * examples/ephiperfifo: report error when epoll_ctl fails
+ * ftp: avoid unsigned int overflows in FTP listing parser
+ * host names: allow trailing dot in name resolve, then strip it
+ * http2: Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1
+ * http: don't set CURLINFO_CONDIITON_UNMET for http status code 204
+ * http: fix HTTP DIgest auth to include query in URI
+ * http_negotiate: do not close connection until negotiation is completed
+ * impacket: add LICENSE
+ * infof: clearly indicate truncation
+ * ldap: fix LDAP URL parsing regressions
+ * libcurl: stop reading from paused transfers
+ * mprintf: avoid unsigned integer overflow warning
+ * netrc: don't ignore the login name specified with "--user"
+ * nss: Fall back to latest supported SSL version
+ * nss: Fix compatibility with nss versions 3.14 to 3.15
+ * nss: fix fallthrough comment to fix picky compiler warning
+ * nss: remove version selecting dead code
+ * nss: set default max-tls to 1.3/1.2
+ * openssl: Remove SSLEAY leftovers
+ * openssl: do not log excess "TLS app data" lines for TLS 1.3
+ * openssl: do not use file BIOs if not requested
+ * openssl: fix unused variable compiler warning with old openssl
+ * openssl: support session resume with TLS 1.3
+ * openvms: fix example name
+ * os400: Add curl_easy_conn_upkeep() to ILE/RPG binding
+ * os400: add CURLOPT_CURLU to ILE/RPG binding
+ * os400: fix return type of curl_easy_pause() in ILE/RPG binding
+ * packages: remove old leftover files and dirs
+ * pop3: only do APOP with a valid timestamp
+ * runtests: use the local curl for verifying
+ * schannel: be consistent in Schannel capitalization
+ * schannel: better CURLOPT_CERTINFO support
+ * schannel: use Curl_prefix for global private 
symbols + * snprintf: renamed and now we only use msnprintf() + * ssl: fix compilation with OpenSSL 0.9.7 + * ssl: replace all internal uses of CURLE_SSL_CACERT + * symbols-in-versions: add missing CURLU_symbols + * test328: verify Content-Encoding: none + * tests: disable SO_EXCLUSIVEADDRUSE for stunnel/Win + * tests: drop http_pipe.py script no longer used + * tests: drop http_pipe.py script no longer used + * tool_cb_wrt: Silence function cast compiler warning + * tool_doswin: Fix uninitialized field warning + * travis: build with clang sanitizers + * travis: remove curl before a normal build + * url: a short host name + port is not a scheme + * url: fix IPv6 numeral address parser + * urlapi: only skip encoding the first '=' with APPENDQUERY set +- refreshed curl-disabled-redirect-protocol-message.patch + +------------------------------------------------------------------- +Wed Oct 31 09:23:37 UTC 2018 - Pedro Monreal Gonzalez + +- Update to version 7.62.0 + Changes: + * multiplex: enable by default + * url: default to CURL_HTTP_VERSION_2TLS if built h2-enabled + * setopt: add CURLOPT_DOH_URL + * curl: --doh-url added + * setopt: add CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer size + * imap: change from "FETCH" to "UID FETCH" + * configure: add option to disable automatic OpenSSL config loading + * upkeep: add a connection upkeep API: curl_easy_upkeep() + * URL-API: added five new functions + * vtls: MesaLink is a new TLS backend + Bugfixes: + * CVE-2018-16839: SASL password overflow via integer overflow [bsc#1112758] + * CVE-2018-16840: use-after-free in handle close [bsc#1113029] + * CVE-2018-16842: warning message out-of-buffer read [bsc#1113660] + * CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated + * Curl_dedotdotify(): always nul terminate returned string + * Curl_follow: Always free the passed new URL + * Curl_http2_done: fix memleak in error path + * Curl_retry_request: fix memory leak + * Curl_saferealloc: Fixed typo in docblock + * FILE: fix CURLOPT_NOBODY 
and CURLOPT_HEADER output
+ * GnutTLS: TLS 1.3 support
+ * SECURITY-PROCESS: mention the bountygraph program
+ * VS projects: add USE_IPV6:
+ * certs: generate tests certs with sha256 digest algorithm
+ * checksrc: enable strict mode and warnings
+ * checksrc: handle zero scoped ignore commands
+ * cmake: Backport to work with CMake 3.0 again
+ * cmake: Improve config installation
+ * cmake: add support for transitive ZLIB target
+ * cmake: disable -Wpedantic-ms-format
+ * cmake: don't require OpenSSL if USE_OPENSSL=OFF
+ * cmake: fixed path used in generation of docs/tests
+ * cmake: remove unused *SOCKLEN_T variables
+ * cmake: suppress MSVC warning C4127 for libtest
+ * cmake: test and set missed defines during configuration
+ * config: Remove unused SIZEOF_VOIDP
+ * configure: force-use -lpthreads on HPUX
+ * configure: remove CURL_CONFIGURE_CURL_SOCKLEN_T
+ * configure: s/AC_RUN_IFELSE/CURL_RUN_IFELSE
+ * cookies: Remove redundant expired check
+ * cookies: fix leak when writing cookies to file
+ * curl-config.in: remove dependency on bc
+ * curl.1: --ipv6 mutexes ipv4 (fixed typo)
+ * curl: update the documentation of --tlsv1.0
+ * curl_multi_wait: call getsock before figuring out timeout
+ * curl_ntlm_wb: check aprintf() return codes
+ * data-binary.d: clarify default content-type is x-www-form-urlencoded
+ * docs/CIPHERS: Mention the options used to set TLS 1.3 ciphers
+ * docs/CIPHERS: fix the TLS 1.3 cipher names
+ * docs/CIPHERS: mention the colon separation for OpenSSL
+ * docs/examples: URL updates
+ * docs: add "see also" links for SSL options
+ * example/asiohiper: insert warning comment about its status
+ * example/htmltidy: fix include paths of tidy libraries
+ * examples/http2-pushinmemory: receive HTTP/2 pushed files in memory
+ * examples/parseurl.c: show off the URL API
+ * examples: Fix memory leaks from realloc errors
+ * examples: do not wait when no transfers are running
+ * ftp: include command in Curl_ftpsend sendbuffer
+ * gskit: make 
sure to terminate version string
+ * gtls: Values stored to but never read
+ * hostip: fix check on Curl_shuffle_addr return value
+ * http2: fix memory leaks on error-path
+ * http: fix memleak in rewind error path
+ * krb5: fix memory leak in krb_auth
+ * memory: add missing curl_printf header
+ * memory: ensure to check allocation results
+ * multi: Fix error handling in the SENDPROTOCONNECT state
+ * multi: fix memory leak in content encoding related error path
+ * multi: make the closure handle "inherit" CURLOPT_NOSIGNAL
+ * netrc: free temporary strings if memory allocation fails
+ * nss: try to connect even if libnssckbi.so fails to load
+ * ntlm_wb: Fix memory leaks in ntlm_wb_response
+ * ntlm_wb: bail out if the response gets overly large
+ * openssl: assume engine support in 0.9.8 or later
+ * openssl: enable TLS 1.3 post-handshake auth
+ * openssl: fix gcc8 warning
+ * openssl: load built-in engines too
+ * openssl: make 'done' a proper boolean
+ * openssl: output the correct cipher list on TLS 1.3 error
+ * openssl: return CURLE_PEER_FAILED_VERIFICATION on failure to parse issuer
+ * openssl: show "proper" version number for libressl builds
+ * pipelining: deprecated
+ * rand: add comment to skip a clang-tidy false positive
+ * rtmp: fix for compiling with lwIP
+ * runtests: ignore disabled even when ranges are given
+ * schannel: unified error code handling
+ * sendf: Fix whitespace in infof/failf concatenation
+ * ssh: free the session on init failures
+ * ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code
+ * system.h: use proper setting with Sun C++ as well
+ * test1299: use single quotes around asterisk
+ * test1452: mark as flaky
+ * test1651: unit test Curl_extract_certinfo()
+ * test320: strip out more HTML when comparing
+ * tests/negtelnetserver.py: fix Python2-ism in neg TELNET server
+ * tests: add unit tests for url.c
+ * tool_cb_hdr: handle failure of rename()
+ * travis: add a "make tidy" build that runs clang-tidy
+ * 
travis: add build for "configure --disable-verbose" + * travis: bump the Secure Transport build to use xcode + * travis: make distcheck scan for BOM markers + * unit1300: fix stack-use-after-scope AddressSanitizer warning + * urldata: Fix "connecting" comment + * urlglob: improve error message on bad globs + * vtls: fix ssl version "or later" behavior change for many backends + * x509asn1: Fix SAN IP address verification + * x509asn1: always check return code from getASN1Element() + * x509asn1: return CURLE_PEER_FAILED_VERIFICATION on failure to parse cert + * x509asn1: suppress left shift on signed value +- Rebased patches after update: + * curl-disabled-redirect-protocol-message.patch + * curl-use_OPENSSL_config.patch + +------------------------------------------------------------------- +Wed Sep 5 07:12:59 UTC 2018 - Karol Babioch + +- Update to version 7.61.1 + Bugfixes: + * CVE-2018-14618: NTLM password overflow via integer overflow (bsc#1106019) + * CURLINFO_SIZE_UPLOAD: fix missing counter update + * CURLOPT_ACCEPT_ENCODING.3: list them comma-separated + * CURLOPT_SSL_CTX_FUNCTION.3: might cause accidental connection reuse + * Curl_getoff_all_pipelines: improved for multiplexed + * DEPRECATE: remove release date from 7.62.0 + * HTTP: Don't attempt to needlessly decompress redirect body + * INTERNALS: require GnuTLS >= 2.11.3 + * README.md: add LGTM.com code quality grade for C/C++ + * SSLCERTS: improve the openssl command line + * Silence GCC 8 cast-function-type warnings + * ares: check for NULL in completed-callback + * asyn-thread: Remove unused macro + * auth: only pick CURLAUTH_BEARER if we *have* a Bearer token + * auth: pick Bearer authentication whenever a token is available + * cmake: CMake config files are defining CURL_STATICLIB for static builds + * cmake: Respect BUILD_SHARED_LIBS + * cmake: Update scripts to use consistent style + * cmake: bumped minimum version to 3.4 + * cmake: link curl to the OpenSSL targets instead of lib absolute paths + 
* configure: conditionally enable pedantic-errors
+ * configure: fix for -lpthread detection with OpenSSL and pkg-config
+ * conn: remove the boolean 'inuse' field
+ * content_encoding: accept up to 4 unknown trailer bytes after raw deflate data
+ * cookie tests: treat files as text
+ * cookies: support creation-time attribute for cookies
+ * curl: Fix segfault when -H @headerfile is empty
+ * curl: add http code 408 to transient list for --retry
+ * curl: fix time-of-check, time-of-use race in dir creation
+ * curl: use Content-Disposition before the "URL end" for -OJ
+ * curl: warn the user if a given file name looks like an option
+ * curl_threads: silence bad-function-cast warning
+ * darwinssl: add support for ALPN negotiation
+ * docs/CURLOPT_URL: fix indentation
+ * docs/CURLOPT_WRITEFUNCTION: size is always 1
+ * docs/SECURITY-PROCESS: mention bounty, drop pre-notify
+ * docs/examples: add hiperfifo example using linux epoll/timerfd
+ * docs: add disallow-username-in-url.d and haproxy-protocol.d to dist
+ * docs: clarify NO_PROXY env variable functionality
+ * docs: improved the manual pages of some callbacks
+ * docs: mention NULL is fine input to several functions
+ * formdata: Remove unused macro HTTPPOST_CONTENTTYPE_DEFAULT
+ * gopher: Do not translate `?' 
to `%09'
+ * header output: switch off all styles, not just unbold
+ * hostip: fix unused variable warning
+ * http2: Use correct format identifier for stream_id
+ * http2: abort the send_callback if not setup yet
+ * http2: avoid set_stream_user_data() before stream is assigned
+ * http2: check nghttp2_session_set_stream_user_data return code
+ * http2: clear the drain counter in Curl_http2_done
+ * http2: make sure to send after RST_STREAM
+ * http2: separate easy handle from connections better
+ * http: fix for tiny "HTTP/0.9" response
+ * http_proxy: Remove unused macro SELECT_TIMEOUT
+ * lib/Makefile: only do symbol hiding if told to
+ * lib1502: fix memory leak in torture test
+ * lib1522: fix curl_easy_setopt argument type
+ * libcurl-thread.3: expand somewhat on the NO_SIGNAL motivation
+ * mime: check Curl_rand_hex's return code
+ * multi: always do the COMPLETED procedure/state
+ * openssl: assume engine support in 1.0.0 or later
+ * openssl: fix debug messages
+ * projects: Improve Windows perl detection in batch scripts
+ * retry: return error if rewind was necessary but didn't happen
+ * reuse_conn(): memory leak - free old_conn->options
+ * schannel: client certificate store opening fix
+ * schannel: enable CALG_TLS1PRF for w32api >= 5.1
+ * schannel: fix MinGW compile break
+ * sftp: don't send post-qoute sequence when retrying a connection
+ * smb: fix memory leak on early failure
+ * smb: fix memory-leak in URL parse error path
+ * smb_getsock: always wait for write socket too
+ * ssh-libssh: fix infinite connect loop on invalid private key
+ * ssh-libssh: reduce excessive verbose output about pubkey auth
+ * ssh-libssh: use FALLTHROUGH to silence gcc8
+ * ssl: set engine implicitly when a PKCS#11 URI is provided
+ * sws: handle EINTR when calling select()
+ * system_win32: fix version checking
+ * telnet: Remove unused macros TELOPTS and TELCMDS
+ * test1143: disable MSYS2's POSIX path conversion
+ * test1148: disable if decimal separator is not 
point + * test1307: (fnmatch testing) disabled + * test1422: add required file feature + * test1531: Add timeout + * test1540: Remove unused macro TEST_HANG_TIMEOUT + * test214: disable MSYS2's POSIX path conversion for URL + * test320: treat curl320.out file as binary + * tests/http_pipe.py: Use /usr/bin/env to find python + * tests: Don't use Windows path %PWD for SSH tests + * tests: fixes for Windows line endlings + * tool_operate: Fix setting proxy TLS 1.3 ciphers + * travis: build darwinssl on macos 10.12 to fix linker errors + * travis: execute "set -eo pipefail" for coverage build + * travis: run a 'make checksrc' too + * travis: update to GCC-8 + * travis: verify that man pages can be regenerated + * upload: allocate upload buffer on-demand + * upload: change default UPLOAD_BUFSIZE to 64KB + * urldata: remove unused pipe_broke struct field + * vtls: reinstantiate engine on duplicated handles + * windows: implement send buffer tuning + * wolfSSL/CyaSSL: Fix memory leak in Curl_cyassl_random +- Remove patch included upstream: + * curl-switch-off-all-styles.patch + +------------------------------------------------------------------- +Wed Aug 22 12:32:50 UTC 2018 - kbabioch@suse.com + +- Added curl-switch-off-all-styles.patch: Fix output of wrong escape sequences, + which might mess up the terminal (bsc#1105624) + +------------------------------------------------------------------- +Tue Jul 17 13:56:05 UTC 2018 - pgajdos@suse.com + +- Update to version 7.61.0 + [bsc#1099793, CVE-2018-0500] + Changes: + * getinfo: add microsecond precise timers for seven intervals + * curl: show headers in bold, switch off with --no-styled-output + * httpauth: add support for Bearer tokens + * Add CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS + * curl: --tls13-ciphers and --proxy-tls13-ciphers + * Add CURLOPT_DISALLOW_USERNAME_IN_URL + * curl: --disallow-username-in-url + Bugfixes: + * CVE-2018-0500: smtp: fix SMTP send buffer overflow + * schannel: disable client cert 
option if APIs not available
+ * schannel: disable manual verify if APIs not available
+ * tests/libtest/Makefile: Do not unconditionally add gcc-specific flags
+ * openssl: acknowledge --tls-max for default version too
+ * stub_gssapi: fix 'unused parameter' warnings
+ * examples/progressfunc: make it build on both new and old libcurls
+ * docs: mention it is HA Proxy protocol "version 1"
+ * curl_fnmatch: only allow two asterisks for matching
+ * docs: clarify CURLOPT_HTTPGET
+ * configure: replace a AC_TRY_RUN with CURL_RUN_IFELSE
+ * configure: do compile-time SIZEOF checks instead of run-time
+ * checksrc: make sure sizeof() is used *with* parentheses
+ * CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit
+ * schannel: make CAinfo parsing resilient to CR/LF
+ * tftp: make sure error is zero terminated before printfing it
+ * http resume: skip body if http code 416 (range error) is ignored
+ * configure: add basic test of --with-ssl prefix
+ * cmake: set -d postfix for debug builds
+ * multi: provide a socket to wait for in Curl_protocol_getsock
+ * content_encoding: handle zlib versions too old for Z_BLOCK
+ * winbuild: only delete OUTFILE if it exists
+ * winbuild: In MakefileBuild.vc fix typo DISTDIR->DIRDIST
+ * schannel: add failf calls for client certificate failures
+ * cmake: Fix the test for fsetxattr and strerror_r
+ * curl.1: Fix cmdline-opts reference errors
+ * cmdline-opts/gen.pl: warn if mutexes: or see-also: list non-existing options
+ * cmake: check for getpwuid_r
+ * configure: fix ssh2 linking when built with a static mbedtls
+ * psl: use latest psl and refresh it periodically
+ * fnmatch: insist on escaped bracket to match
+ * KNOWN_BUGS: restore text regarding #2101
+ * INSTALL: LDFLAGS=-Wl,-R/usr/local/ssl/lib
+ * configure: override AR_FLAGS to silence warning
+ * os400: implement mime api EBCDIC wrappers
+ * curl.rc: embed manifest for correct Windows version detection
+ * strictness: correct {infof, failf} format specifiers
+ * 
tests: update .gitignore for libtests + * configure: check for declaration of getpwuid_r + * fnmatch: use the system one if available + * CURLOPT_RESOLVE: always purge old entry first + * multi: remove a potentially bad DEBUGF() + * curl_addrinfo: use same #ifdef conditions in source as header + * build: remove the Borland specific makefiles + * axTLS: not considered fit for use + * cmdline-opts/cert-type.d: mention "p12" as a recognized type + * system.h: add support for IBM xlc C compiler + * tests/libtest: Add lib1521 to nodist_SOURCES + * mk-ca-bundle.pl: leave certificate name untouched + * boringssl + schannel: undef X509_NAME in lib/schannel.h + * openssl: assume engine support in 1.0.1 or later + * cppcheck: fix warnings + * test 46: make test pass after year 2025 + * schannel: support selecting ciphers + * Curl_debug: remove dead printhost code + * test 1455: unflakified + * Curl_init_do: handle NULL connection pointer passed in + * progress: remove a set of unused defines + * mk-ca-bundle.pl: make -u delete certdata.txt if found not changed + * GOVERNANCE.md: explains how this project is run + * configure: use pkg-config for c-ares detection + * configure: enhance ability to build with static openssl + * maketgz: fix sed issues on OSX + * multi: fix memory leak when stopped during name resolve + * CURLOPT_INTERFACE.3: interface names not supported on Windows + * url: fix dangling conn->data pointer + * cmake: allow multiple SSL backends + * system.h: fix for gcc on 32 bit OpenServer + * ConnectionExists: make sure conn->data is set when "taking" a connection + * multi: fix crash due to dangling entry in connect-pending list + * CURLOPT_SSL_VERIFYPEER.3: Add performance note + * netrc: use a larger buffer to support longer passwords + * url: check Curl_conncache_add_conn return code + * configure: Add dependent libraries after crypto + * easy_perform: faster local name resolves by using *multi_timeout() + * getnameinfo: not used, removed all configure 
checks + * travis: add a build using the synchronous name resolver + * CURLINFO_TLS_SSL_PTR.3: improve the example + * openssl: allow TLS 1.3 by default + * openssl: make the requested TLS version the *minimum* wanted + * openssl: Remove some dead code + * telnet: fix clang warnings + * DEPRECATE: new doc describing planned item removals + * example/crawler.c: simple crawler based on libxml2 + * libssh: goto DISCONNECT state on error, not SESSION_FREE + * CMake: Remove unused functions + * darwinssl: allow High Sierra users to build the code using GCC + * scripts: include _curl as part of CLEANFILES + * examples: fix -Wformat warnings + * curl_setup: include before + * schannel: make more cipher options conditional + * CMake: remove redundant and old end-of-block syntax + * post303.d: clarify that this is an RFC violation +- refreshed libcurl-ocloexec.patch + +------------------------------------------------------------------- +Fri May 18 11:47:00 UTC 2018 - vcizek@suse.com + +- Use OPENSSL_config instead of CONF_modules_load_file() to avoid + crashes due to openssl engines conflicts (bsc#1086367) + * add curl-use_OPENSSL_config.patch + +------------------------------------------------------------------- +Wed May 16 08:41:48 UTC 2018 - pmonrealgonzalez@suse.com + +- Update to version 7.60.0 + [bsc#1092094, CVE-2018-1000300][bsc#1092098, CVE-2018-1000301] + Changes: + * Add CURLOPT_HAPROXYPROTOCOL, support for the HAProxy PROXY protocol + * Add --haproxy-protocol for the command line tool + * Add CURLOPT_DNS_SHUFFLE_ADDRESSES, shuffle returned IP addresses + Bugfixes: + * FTP: shutdown response buffer overflow CVE-2018-1000300 + * RTSP: bad headers buffer over-read CVE-2018-1000301 + * FTP: fix typo in recursive callback detection for seeking + * test1208: marked flaky + * HTTP: make header-less responses still count correct body size + * user-agent.d:: mention --proxy-header as well + * http2: fixes typo + * cleanup: misc typos in strings and comments + * 
rate-limit: use three second window to better handle high speeds + * examples/hiperfifo.c: improved + * pause: when changing pause state, update socket state + * multi: improved pending transfers handling => improved performance + * curl_version_info.3: fix ssl_version description + * add_handle/easy_perform: clear errorbuffer on start if set + * cmake: add support for brotli + * parsedate: support UT timezone + * vauth/ntlm.h: fix the #ifdef header guard + * lib/curl_path.h: added #ifdef header guard + * vauth/cleartext: fix integer overflow check + * CURLINFO_COOKIELIST.3: made the example not leak memory + * cookie.d: mention that "-" as filename means stdin + * CURLINFO_SSL_VERIFYRESULT.3: fixed the example + * http2: read pending frames (including GOAWAY) in connection-check + * timeval: remove compilation warning by casting + * cmake: avoid warn-as-error during config checks + * travis-ci: enable -Werror for CMake builds + * openldap: fix for NULL return from ldap_get_attribute_ber() + * threaded resolver: track resolver time and set suitable timeout values + * cmake: Add advapi32 as explicit link library for win32 + * docs: fix CURLINFO_*_T examples use of CURL_FORMAT_CURL_OFF_T + * test1148: set a fixed locale for the test + * cookies: when reading from a file, only remove_expired once + * cookie: store cookies per top-level-domain-specific hash table + * openssl: fix build with LibreSSL 2.7 + * tls: fix mbedTLS 2.7.0 build + handle sha256 failures + * openssl: RESTORED verify locations when verifypeer==0 + * file: restore old behavior for file:////foo/bar URLs + * FTP: allow PASV on IPv6 connections when a proxy is being used + * build-openssl.bat: allow custom paths for VS and perl + * winbuild: make the clean target work without build-type + * build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15 + * curl: retry on FTP 4xx, ignore other protocols + * configure: detect (and use) sa_family_t + * examples/sftpuploadresume: Fix Windows large file seek 
+ * build: cleanup to fix clang warnings/errors
+ * winbuild: updated the documentation
+ * lib: silence null-dereference warnings
+ * travis: bump to clang 6 and gcc 7
+ * travis: build libpsl and make builds use it
+ * proxy: show getenv proxy use in verbose output
+ * duphandle: make sure CURLOPT_RESOLVE is duplicated
+ * all: Refactor malloc+memset to use calloc
+ * checksrc: Fix typo
+ * system.h: Add sparcv8plus to oracle/sunpro 32-bit detection
+ * vauth: Fix typo
+ * ssh: show libSSH2 error code when closing fails
+ * test1148: tolerate progress updates better
+ * urldata: make service names unconditional
+ * configure: keep LD_LIBRARY_PATH changes local
+ * ntlm_sspi: fix authentication using Credential Manager
+ * schannel: add client certificate authentication
+ * winbuild: Support custom devel paths for each dependency
+ * schannel: add support for CURLOPT_CAINFO
+ * http2: handle on_begin_headers() called more than once
+ * openssl: support OpenSSL 1.1.1 verbose-mode trace messages
+ * openssl: fix subjectAltName check on non-ASCII platforms
+ * http2: avoid strstr() on data not zero terminated
+ * http2: clear the "drain counter" when a stream is closed
+ * http2: handle GOAWAY properly
+ * tool_help: clarify --max-time unit of time is seconds
+ * curl.1: clarify that options and URLs can be mixed
+ * http2: convert an assert to run-time check
+ * curl_global_sslset: always provide available backends
+ * ftplistparser: keep state between invokes
+ * Curl_memchr: zero length input can't match
+ * examples/sftpuploadresume: typecast fseek argument to long
+ * examples/http2-upload: expand buffer to avoid silly warning
+ * ctype: restore character classification for non-ASCII platforms
+ * mime: avoid NULL pointer dereference risk
+ * cookies: ensure that we have cookies before writing jar
+ * os400.c: fix checksrc warnings
+ * configure: provide --with-wolfssl as an alias for --with-cyassl
+ * cyassl: adapt to libraries without TLS 1.0 support built-in 
+ * http2: get rid of another strstr + * checksrc: force indentation of lines after an else + * cookies: remove unused macro + * CURLINFO_PROTOCOL.3: mention the existing defined names + * tests: provide 'manual' as a feature to optionally require + * travis: enable libssh2 on both macos and Linux + * CURLOPT_URL.3: added ENCODING section + * wolfssl: Fix non-blocking connect + * vtls: don't define MD5_DIGEST_LENGTH for wolfssl + * docs: remove extraneous commas in man pages + * URL: fix ASCII dependency in strcpy_url and strlen_url + * ssh-libssh.c: fix left shift compiler warning + * configure: only check for CA bundle for file-using SSL backends + * travis: add an mbedtls build + * http: don't set the "rewind" flag when not uploading anything + * configure: put CURLDEBUG and DEBUGBUILD in lib/curl_config.h + * transfer: don't unset writesockfd on setup of multiplexed conns + * vtls: use unified "supports" bitfield member in backends + * URLs: fix one more http url + * travis: add a build using WolfSSL + * openssl: change FILE ops to BIO ops + * travis: add build using NSS + * smb: reject negative file sizes + * cookies: accept parameter names as cookie name + * http2: getsock fix for uploads + * all over: fixed format specifiers + * http2: use the correct function pointer typedef + +------------------------------------------------------------------- +Wed Mar 14 14:23:22 UTC 2018 - pmonrealgonzalez@suse.com + +- Added message about protocol redirection not supported or + disabled to the function findprotocol() [bsc#1076446] + * Added curl-disabled-redirect-protocol-message.patch + +------------------------------------------------------------------- +Wed Mar 14 13:08:33 UTC 2018 - pmonrealgonzalez@suse.com + +- Update to version 7.59.0 + [bsc#1084521, CVE-2018-1000120][bsc#1084524, CVE-2018-1000121] + [bsc#1084532, CVE-2018-1000122] + Changes: + * curl: add --proxy-pinnedpubkey + * added: CURLOPT_TIMEVALUE_LARGE and CURLINFO_FILETIME_T + * CURLOPT_RESOLVE: Add 
support for multiple IP addresses per entry
+ * Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
+ * Add new tool option --happy-eyeballs-timeout-ms
+ * Add CURLOPT_RESOLVER_START_FUNCTION and CURLOPT_RESOLVER_START_DATA
+ Bugfixes:
+ * openldap: check ldap_get_attribute_ber() results for NULL before using
+ * FTP: reject path components with control codes
+ * readwrite: make sure excess reads don't go beyond buffer end
+ * lib555: drop text conversion and encode data as ascii codes
+ * lib517: make variable static to avoid compiler warning
+ * lib544: sync ascii code data with textual data
+ * GSKit: restore pinnedpubkey functionality
+ * darwinssl: Don't import client certificates into Keychain on macOS
+ * parsedate: fix date parsing for systems with 32 bit long
+ * openssl: fix pinned public key build error in FIPS mode
+ * SChannel/WinSSL: Implement public key pinning
+ * cookies: remove verbose "cookie size:" output
+ * progress-bar: don't use stderr explicitly, use bar->out
+ * build: open VC15 projects with VS 2017
+ * curl_ctype: private is*() type macros and functions
+ * configure: set PATH_SEPARATOR to colon for PATH w/o separator
+ * curl_easy_reset: clear digest auth state
+ * curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6
+ * range: commonize FTP and FILE range handling
+ * progress-bar docs: update to match implementation
+ * fnmatch: do not match the empty string with a character set
+ * fnmatch: accept an alphanum to be followed by a non-alphanum in char set
+ * build: fix termios issue on android cross-compile
+ * getdate: return -1 for out of range
+ * formdata: use the mime-content type function
+ * openssl: Don't add verify locations when verifypeer==0
+ * fnmatch: optimize processing of consecutive *s and ?s pattern characters
+ * schannel: fix compiler warnings
+ * content_encoding: Add "none" alias to "identity"
+ * get_posix_time: only check for overflows if they can happen
+ * http_chunks: don't write chunks twice with 
CURLOPT_HTTP_TRANSFER_DECODING
+ * README: language fix
+ * sha256: build with OpenSSL < 0.9.8
+ * smtp: fix processing of initial dot in data
+ * --tlsauthtype: works only if libcurl is built with TLS-SRP support
+ * tests: new tests for http raw mode
+ * libcurl-security.3: man page discussion security concerns when using libcurl
+ * curl_gssapi: make sure this file too uses our *printf()
+ * BINDINGS: fix curb link (and remove ruby-curl-multi)
+ * nss: use PK11_CreateManagedGenericObject() if available
+ * travis: add build with iconv enabled
+ * ssh: add two missing state names
+ * CURLOPT_HEADERFUNCTION.3: mention folded headers
+ * http: fix the max header length detection logic
+ * header callback: don't chop headers into smaller pieces
+ * CURLOPT_HEADER.3: clarify problems with different data sizes
+ * curl --version: show PSL if the run-time lib has it enabled
+ * examples/sftpuploadresume: resume upload via CURLOPT_APPEND
+ * Return error if called recursively from within callbacks
+ * sasl: prefer PLAIN mechanism over LOGIN
+ * winbuild: Use CALL to run batch scripts
+ * curl_share_setopt.3: connection cache is shared within multi handles
+ * projects/README: remove reference to dead IDN link/package
+ * lib655: silence compiler warning
+ * configure: Fix version check for OpenSSL 1.1.1
+ * docs/MANUAL: formfind.pl is not accessible on the site anymore
+ * unit1307: proper cleanup on OOM to fix torture tests
+ * curl_ctype: fix macro redefinition warnings
+ * build: get CFLAGS (including -werror) used for examples and tests
+ * NO_PROXY: fix for IPv6 numericals in the URL
+ * krb5: use nondeprecated functions
+ * http2: mark the connection for close on GOAWAY
+ * limit-rate: kick in even before "limit" data has been received
+ * HTTP: allow "header;" to replace an internal header with a blank one
+ * http2: verbose output new MAX_CONCURRENT_STREAMS values
+ * SECURITY: distros' max embargo time is 14 days
+ * curl tool: accept --compressed also if 
Brotli is enabled and zlib is not + * WolfSSL: adding TLSv1.3 + * checksrc.pl: add -i and -m options + * CURLOPT_COOKIEFILE.3: "-" as file name means stdin + +- Refreshed patch libcurl-ocloexec.patch + +------------------------------------------------------------------- +Tue Feb 20 09:48:49 UTC 2018 - tchvatal@suse.com + +- Sort a bit with spec-cleaner +- Install license with the library + +------------------------------------------------------------------- +Thu Jan 25 12:23:48 UTC 2018 - normand@linux.vnet.ibm.com + +- ignore all test failures for PowerPC as bypass boo#1075219 + (not only the 1501 previously skipped) + * Added patch ignore_runtests_failure.patch + +------------------------------------------------------------------- +Wed Jan 24 11:41:36 UTC 2018 - asn@cryptomilk.org + +- Build curl with libssh.org + libssh offers a lot more features than libssh2, for example: + * Key Exchange Methods: curve25519-sha256@libssh.org + * Hostkey Types: ssh-ed25519 + * Authentication: gssapi-with-mic + +------------------------------------------------------------------- +Wed Jan 24 10:31:58 UTC 2018 - pmonrealgonzalez@suse.com + +- Update to version 7.58.0 + [bsc#1076360,CVE-2018-1000005][bsc#1077001,CVE-2018-1000007] + Changes: + * new libssh-powered SSH SCP/SFTP back-end + * curl-config: add --ssl-backends + Bugfixes: + * http2: fix incorrect trailer buffer size + * http: prevent custom Authorization headers in redirects + * travis: add boringssl build + * examples/xmlstream.c: don't switch off CURL_GLOBAL_SSL + * SSL: Avoid magic allocation of SSL backend specific data + * lib: don't export all symbols, just everything curl_* + * libssh2: send the correct CURLE error code on scp file not found + * libssh2: return CURLE_UPLOAD_FAILED on failure to upload + * openssl: enable pkcs12 in boringssl builds + * libssh2: remove dead code from SSH_SFTP_QUOTE + * sasl_getmesssage: make sure we have a long enough string to pass + * conncache: fix several lock issues + * 
threaded-shared-conn.c: new example
+ * conncache: only allow multiplexing within same multi handle
+ * configure: check for netinet/in6.h
+ * URL: tolerate backslash after drive letter for FILE:
+ * openldap: add commented out debug possibilities
+ * include: get netinet/in.h before linux/tcp.h
+ * CONNECT: keep close connection flag in http_connect_state struct
+ * BINDINGS: another PostgreSQL client
+ * curl: limit -# update frequency for unknown total size
+ * configure: add AX_CODE_COVERAGE only if using gcc
+ * curl.h: remove incorrect comment about ERRORBUFFER
+ * openssl: improve data-pending check for https proxy
+ * curl: remove __EMX__ #ifdefs
+ * CURLOPT_PRIVATE.3: fix grammar
+ * sftp: allow quoted commands to use relative paths
+ * CURLOPT_DNS_CACHE_TIMEOUT.3: see also CURLOPT_RESOLVE
+ * RESOLVE: output verbose text when trying to set a duplicate name
+ * multi_done: prune DNS cache
+ * tests: update .gitignore for libtests
+ * tests: mark data files as non-executable in git
+ * CURLOPT_DNS_LOCAL_IP4.3: fixed the "SEE ALSO" to not self-reference
+ * curl.1: documented two missing valid exit codes
+ * curl.1: mention http:// and https:// as valid proxy prefixes
+ * vtls: replaced getenv() with curl_getenv()
+ * setopt: less *or equal* than INT_MAX/1000 should be fine
+ * examples/smtp-mail.c: use separate defines for options and mail
+ * curl: support >256 bytes warning messsages
+ * conncache: fix a return code
+ * krb5: fix a potential access of uninitialized memory
+ * rand: add a clang-analyzer work-around
+ * CURLOPT_READFUNCTION.3: refer to argument with correct name
+ * brotli: allow compiling with version 0.6.0
+ * content_encoding: rework zlib_inflate
+ * curl_easy_reset: release mime-related data
+ * examples/rtsp: fix error handling macros
+ * curl: Support size modifiers for --max-filesize
+ * examples/cacertinmem: ignore cert-already-exists error
+ * brotli: data at the end of content can be lost
+ * curl_version_info.3: call the argument 
'age' + * openssl: fix memory leak of SSLKEYLOGFILE filename + * build: remove HAVE_LIMITS_H check + * --mail-rcpt: fix short-text description + * scripts: allow all perl scripts to be run directly + * progress: calculate transfer speed on milliseconds if possible + * system.h: check __LONG_MAX__ for defining curl_off_t + * easy: fix connection ownership in curl_easy_pause + * setopt: reintroduce non-static Curl_vsetopt() for OS400 support + * setopt: fix SSLVERSION to allow CURL_SSLVERSION_MAX_ values + * configure.ac: append extra linker flags instead of prepending them + * HTTP: bail out on negative Content-Length: values + * docs: comment about CURLE_READ_ERROR returned by curl_mime_filedata + * mime: clone mime tree upon easy handle duplication + * openssl: enable SSLKEYLOGFILE support by default + * smtp/pop3/imap_get_message: decrease the data length too... + * CURLOPT_TCP_NODELAY.3: fix typo + * SMB: fix numeric constant suffix and variable types + * ftp-wildcard: fix matching an empty string with "*[^a]" + * curl_fnmatch: only allow 5 '*' sections in a single pattern + * openssl: fix potential memory leak in SSLKEYLOGFILE logic + * SSH: Fix state machine for ssh-agent authentication + * examples/url2file.c: add missing curl_global_cleanup() call + * http2: don't close connection when single transfer is stopped + * libcurl-env.3: first version + * curl: progress bar refresh, get width using ioctl() + * CONNECT_TO: fail attempt to set an IPv6 numerical without IPv6 support + +------------------------------------------------------------------- +Tue Jan 9 17:55:14 UTC 2018 - normand@linux.vnet.ibm.com + +- disable 1501 test for PowerPC as byass boo#1075219 + +------------------------------------------------------------------- +Wed Nov 29 10:43:55 UTC 2017 - pmonrealgonzalez@suse.com + +- Update to version 7.57.0 [bsc#1069226, CVE-2017-8816] + [bsc#1069222, CVE-2017-8817] [bsc#1069714, CVE-2017-8818] + Changes: + * auth: add support for RFC7616 - HTTP Digest 
access authentication
+ * share: add support for sharing the connection cache
+ * HTTP: implement Brotli content encoding
+ Bugfixes:
+ * CVE-2017-8816: NTLM buffer overflow via integer overflow
+ * CVE-2017-8817: FTP wildcard out of bounds read
+ * CVE-2017-8818: SSL out of buffer access
+ * curl_mime_filedata.3: fix typos
+ * libtest: Add required test libraries for lib1552 and lib1553
+ * fix time diffs for systems using unsigned time_t
+ * ftplistparser: memory leak fix: free temporary memory always
+ * multi: allow table handle sizes to be overridden
+ * wildcards: don't use with non-supported protocols
+ * curl_fnmatch: return error on illegal wildcard pattern
+ * transfer: Fix chunked-encoding upload too early exit
+ * resolvers: only include anything if needed
+ * setopt: fix CURLOPT_SSH_AUTH_TYPES option read
+ * Curl_timeleft: change return type to timediff_t
+ * cmake: Export libcurl and curl targets to use by other cmake projects
+ * curl: in -F option arg, comma is a delimiter for files only
+ * curl: improved ";type=" handling in -F option arguments
+ * timeval: use mach_absolute_time() on MacOS
+ * curlx: the timeval functions are no longer provided as curlx_*
+ * mkhelp.pl: do not generate comment with current date
+ * memdebug: use send/recv signature for curl_dosend/curl_dorecv
+ * cookie: avoid NULL dereference
+ * url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1
+ * include: remove conncache.h inclusion from where its not needed
+ * CURLOPT_MAXREDIRS: allow -1 as a value
+ * tests: Fixed torture tests on tests 556 and 650
+ * http2: Fixed OOM handling in upgrade request
+ * url: fix CURLOPT_DNS_CACHE_TIMEOUT arg value check to allow -1
+ * CURLOPT_INFILESIZE: accept -1
+ * curl: pass through [] in URLs instead of calling globbing error
+ * curl: speed up handling of many URLs
+ * ntlm: avoid malloc(0) for zero length passwords
+ * url: remove faulty arg value check from CURLOPT_SSH_AUTH_TYPES
+ * HTTP: support multiple 
Content-Encodings + * travis: add a job with brotli enabled + * url: remove unncessary NULL-check + * fnmatch: remove dead code + * connect: store IPv6 connection status after valid connection + * imap: deal with commands case insensitively + * --interface: add support for Linux VRF + * content_encoding: fix inflate_stream for no bytes available + * cmake: Add missing setmode check + * connect.c: remove executable bit on file + * SMB: fix uninitialized local variable + * zlib/brotli: only include header files in modules needing them + * URL: return error on malformed URLs with junk after IPv6 bracket + * openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY + * macOS: Fix missing connectx function with Xcode version older than 9.0 + * --resolve: allow IP address within [] brackets + * examples/curlx: Fix code style + * ntlm: remove unnecessary NULL-check to please scan-build + * Curl_llist_remove: fix potential NULL pointer deref + * mime: fix "Value stored to 'sz' is never read" scan-build error + * openssl: fix "Value stored to 'rc' is never read" scan-build error + * http2: fix "Value stored to 'hdbuf' is never read" scan-build error + * http2: fix "Value stored to 'end' is never read" scan-build error + * Curl_open: fix OOM return error correctly + * url: reject ASCII control characters and space in host names + * examples/rtsp: clear RANGE again after use + * connect: improve the bind error message + * make: fix "make distclean" + * connect: add support for new TCP Fast Open API on Linux + * metalink: fix memory-leak and NULL pointer dereference + * URL: update "file:" URL handling + * ssh: remove check for a NULL pointer + * global_init: ignore CURL_GLOBAL_SSL's absense + +------------------------------------------------------------------- +Mon Oct 23 09:12:11 UTC 2017 - pmonrealgonzalez@suse.com + +- Update to version 7.56.1 [bsc#1063824] + Bugfixes: + * imap: if a FETCH response has no size, don't call write + callback [CVE-2017-1000257] + * ftp: UBsan fixup 
'pointer index expression overflowed
+ * failf: skip the sprintf() if there are no consumers
+ * fuzzer: move to using external curl-fuzzer
+ * lib/Makefile.m32: allow customizing dll suffixes
+ * docs: fix typo in curl_mime_data_cb man page
+ * darwinssl: add support for TLSv1.3
+ * build: fix --disable-crypto-auth
+ * openssl: fix build without HAVE_OPAQUE_EVP_PKEY
+ * strtoofft: Remove extraneous null check
+ * multi_cleanup: call DONE on handles that never got that
+ * tests: added flaky keyword to tests 587 and 644
+ * pingpong: return error when trying to send without connection
+ * remove_handle: call multi_done() first, then clear dns cache pointer
+ * mime: be tolerant about setting the same header list twice in a part
+ * mime: improve unbinding top multipart from easy handle
+ * mime: avoid resetting a part's encoder when part's contents change
+ * mime: refuse to add subparts to one of their own descendants
+ * RTSP: avoid integer overflow on funny RTSP responses
+ * curl: don't pass semicolons when parsing Content-Disposition
+ * openssl: enable PKCS12 support for !BoringSSL
+ * FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION
+ * CURLOPT_NOPROGRESS.3: also refer to xferinfofunction
+ * CURLOPT_XFERINFODATA.3: fix duplicate see also
+ * test298: verify --ftp-method nowcwd with URL encoded path
+ * FTP: URL decode path for dir listing in nocwd mode
+ * smtp_done: fix memory leak on send failure
+ * ftpserver: support case insensitive commands
+ * test950; verify SMTP with custom request
+ * openssl: don't use old BORINGSSL_YYYYMM macros
+ * setopt: update current connection SSL verify params
+ * curl: reimplement stdin buffering in -F option
+ * mime: keep "text/plain" content type if user-specified
+ * mime: fix the content reader to handle >16K data properly
+ * configure: remove the C++ compiler check
+ * memdebug: trace send, recv and socket
+ * runtests: use valgrind for torture as well
+ * ldap: silence clang warning
+ * makefile.m32: 
allow to override gcc, ar and ranlib + * setopt: avoid integer overflows when setting millsecond values + * setopt: range check most long options + * ftp: reject illegal IP/port in PASV 227 response + * mime: do not reuse previously computed multipart size + * vtls: change struct Curl_ssl `close' field name to `close_one' + * os400: add missing symbols in config file + * mime: limit bas64-encoded lines length to 76 characters + * mk-ca-bundle: Remove URL for aurora + * mk-ca-bundle: Fix URL for NSS + +------------------------------------------------------------------- +Thu Oct 5 16:15:04 UTC 2017 - pmonrealgonzalez@suse.com + +- Update to 7.56.0 [bsc#1061876, CVE-2017-1000254] + Changes: + * curl: enable compression for SCP/SFTP with --compressed-ssh + * libcurl: enable compression for SCP/SFTP with CURLOPT_SSH_COMPRESSION + * vtls: added dynamic changing SSL backend with curl_global_sslset() + * new MIME API, curl_mime_init() and friends + * openssl: initial SSLKEYLOGFILE implementation + Security fixes: + * CVE-2017-1000254 FTP PWD response parser out of bounds read + Bugfixes: + * FTP: zero terminate the entry path even on bad input + * examples/ftpuploadresume.c: use portable code + * runtests: match keywords case insensitively + * strtoofft: reduce integer overflow risks globally + * zsh.pl: produce a working completion script again + * cmake: remove dead code for CURL_DISABLE_RTMP + * progress: Track total times following redirects + * configure: fix --disable-threaded-resolver + * configure: fix clang version detection + * darwinssi: fix error: variable length array used + * configure: check for __builtin_available() availability + * http_proxy: fix build error for CURL_DOES_CONVERSIONS + * examples/ftpuploadresume: checksrc compliance + * ftp: fix CWD when doing multicwd then nocwd on same connection + * system.h: remove all CURL_SIZEOF_* defines + * http: Don't wait on CONNECT when there is no proxy + * system.h: check for __ppc__ as well + * http2_recv: 
return error better on fatal h2 errors
+ * tftp: fix memory leak on too long filename
+ * system.h: fix build for hppa
+ * cmake: enable picky compiler options with clang and gcc
+ * makefile.m32: add support for libidn2
+ * curl: shorten and clean up CA cert verification error message
+ * imap: support PREAUTH
+ * CURLOPT_USERPWD.3: see also CURLOPT_PROXYUSERPWD
+ * examples/threaded-ssl: mention that this is for openssl before 1.1
+ * tests: Make sure libtests & unittests call curl_global_cleanup()
+ * system.h: include sys/poll.h for AIX
+ * darwinssl: handle long strings in TLS certs
+ * strtooff: fix build for systems with long long but no strtoll
+ * asyn-thread: Improved cleanup after OOM situations
+ * curl.h: CURLSSLBACKEND_WOLFSSL used wrong value
+ * unit1301: fix error message on first test
+ * ossfuzz: moving towards the ideal integration
+ * http: fix a memory leakage in checkrtspprefix()
+ * examples/post-callback: stop returning one byte at a time
+ * schannel: return CURLE_SSL_CACERT on failed verification
+ * http-proxy: treat all 2xx as CONNECT success
+ * openssl: use OpenSSL's default ciphers by default
+ * runtests.pl: support attribute "nonewline" in part verify/upload
+ * configure: remove --enable-soname-bump and SONAME_BUMP
+ * vtls: fix WolfSSL 3.12 build problems
+ * http-proxy: when not doing CONNECT, that phase is done immediately
+ * configure: fix curl_off_t check's include order
+ * configure: use -Wno-varargs on clang 3.9[.X] debug builds
+ * rtsp: do not call fwrite() with NULL pointer FILE *
+ * mbedtls: enable CA path processing
+ * checksrc: verify more code style rules
+ * HTTP proxy: on connection re-use, still use the new remote port
+ * tests: add initial gssapi test using stub implementation
+ * rtsp: Segfault when using WRITEDATA
+ * docs: clarify the CURLOPT_INTERLEAVE* options behavior
+ * non-ascii: use iconv() with 'char **' argument
+ * server/getpart: provide dummy function to build conversion enabled
+ * 
conversions: fix several compiler warnings
+ * openssl: add missing includes
+ * schannel: Support partial send for when data is too large
+ * socks: fix incorrect port number in SOCKS4 error message
+ * curl: fix integer overflow in timeout options
+ * cookies: reject oversized cookies instead of truncating
+ * cookies: use lock when using CURLINFO_COOKIELIST
+ * curl: check fseek() return code and bail on error
+ * examples/post-callback: use long for CURLOPT_POSTFIELDSIZE
+ * openssl: only verify RSA private key if supported
+ * tests: make the imap server not verify user+password
+ * imap: quote atoms properly when escaping characters
+ * tests: fix a compiler warning in test 643
+ * file_range: avoid integer overflow when figuring out byte range
+ * reuse_conn: don't copy flags that are known to be equal
+ * http: fix adding custom empty headers to repeated requests
+ * docs: link CURLOPT_CONNECTTIMEOUT and CURLOPT_CONNECTTIMEOUT_MS
+ * connect: fix race condition with happy eyeballs timeout
+ * cookie: fix memory leak if path was set twice in header
+ * vtls: compare and clone ssl configs properly
+ * proxy: read the "no_proxy" variable only if necessary
+
+- Refreshed patches:
+ * libcurl-ocloexec.patch
+
+- Removed patches fixed upstream:
+ * curl-man3.patch
+ * ppc-build.patch
+ * curl-http-Don-t-wait-on-CONNECT-when-there-is-no-proxy.patch
+ * curl-disable-test1427-i586.patch
+
+-------------------------------------------------------------------
+Tue Aug 29 17:33:29 UTC 2017 - zaitor@opensuse.org
+
+- Add curl-http-Don-t-wait-on-CONNECT-when-there-is-no-proxy.patch:
+ Fix NetworkManagers connectivity test.
+ +------------------------------------------------------------------- +Mon Aug 28 16:15:30 UTC 2017 - schwab@suse.de + +- ppc-build.patch: Fix build for powerpc + +------------------------------------------------------------------- +Thu Aug 10 11:08:46 UTC 2017 - pmonrealgonzalez@suse.com + +- Upstream fix to build libcurl man3 pages + * Added patch curl-man3.patch + +------------------------------------------------------------------- +Thu Aug 10 10:53:23 UTC 2017 - pmonrealgonzalez@suse.com + +- Disabled test1425 that fails in i586 architecture + * Added patch curl-disable-test1427-i586.patch + +------------------------------------------------------------------- +Wed Aug 9 09:34:25 UTC 2017 - pmonrealgonzalez@suse.com + +- Update to 7.55.0 + Changes: + * curl: allow --header and --proxy-header read from file + * getinfo: provide sizes as curl_off_t + * curl: prevent binary output spewed to terminal + * curl: added --request-target + * curl: added --socks5-{basic,gssapi}: control socks5 auth + * libcurl: added CURLOPT_REQUEST_TARGET + * libcurl: added CURLOPT_SOCKS5_AUTH + Bugfixes: + * Security Fixes: + - glob: do not parse after a strtoul() overflow range + (CVE-2017-1000101, bsc#1051643) + - tftp: reject file name lengths that don't fit + (CVE-2017-1000100, bsc#1051644) + - file: output the correct buffer to the user + (CVE-2017-1000099, bsc#1051645) + * includes: remove curl/curlbuild.h and curl/curlrules.h + * dist: make the hugehelp.c not get regenerated unnecessarily + * timers: store internal time stamps as time_t instead of doubles + * progress: let "current speed" be UL + DL speeds combined + * http-proxy: do the HTTP CONNECT process entirely non-blocking + * lib/curl_setup.h: remove CURL_WANTS_CA_BUNDLE_ENV + * fuzz: bring oss-fuzz initial code converted to C89 + * configure: disable nghttp2 too if HTTP has been disabled + * mk-ca-bundle.pl: Check curl's exit code after certdata download + * test1148: verify the -# progressbar + * tests: stabilize test 
2032 and 2033
+ * HTTPS-Proxy: don't offer h2 for https proxy connections
+ * http-proxy: only attempt FTP over HTTP proxy
+ * curl-compilers.m4: enable vla warning for clang
+ * curl-compilers.m4: enable double-promotion warning
+ * curl-compilers.m4: enable missing-variable-declarations clang
+ warning
+ * curl-compilers.m4: enable comma clang warning
+ * CURLOPT_PREQUOTE: not supported for SFTP
+ * http2: fix OOM crash
+ * PIPELINING_SERVER_BL: cleanup the internal list use
+ * mkhelp.pl: fix script name in usage text
+ * lib1521: add curl_easy_getinfo calls to the test set
+ * travis: do the distcheck test build out-of-tree as well
+ * if2ip: fix compiler warning in ISO C90 mode
+ * lib: fix the djgpp build
+ * typecheck-gcc: add support for CURLINFO_OFF_T
+ * travis: enable typecheck-gcc warnings
+ * maketgz: switch to xz instead of lzma
+ * CURLINFO_REDIRECT_URL.3: mention the CURLOPT_MAXREDIRS case
+ * curl/system.h: add check for XTENSA for 32bit gcc
+ * test1537: fixed memory leak on OOM
+ * test1521: fix compiler warnings
+ * curl: fix memory leak on test 1147 OOM
+ * libtest/make: generate lib1521.c dynamically at build-time
+ * curl_strequal.3: fix typo in SYNOPSIS
+ * progress: prevent resetting t_starttransfer
+ * openssl: improve fallback seed of PRNG with a time based hash
+ * http2: improved PING frame handling
+ * test1450: add simple testing for DICT
+ * make: build the docs subdir only from within src
+ * gtls: fix build when sizeof(long) < sizeof(void *)
+ * url: make the original string get used on subsequent transfers
+ * timeval.c: Use long long constant type for timeval assignment
+ * tool_sleep: typecast to avoid macos compiler warning
+ * travis.yml: use --enable-werror on debug builds
+ * test1451: add SMB support to the testbed
+ * configure: remove checks for 5 functions never used
+ * configure: try ldap/lber in reversed order first
+ * smb: fix build for djgpp/MSDOS
+ * travis: install nghttp2 on linux builds
+ * smb: add support for
CURLOPT_FILETIME
+ * select.h: avoid macro redefinition harder
+ * runtests: support "threaded-resolver" as a feature
+ * test506: skip if threaded-resolver
+ * cmake: remove spurious "-l" from linker flags
+ * cmake: add CURL_WERROR for enabling "warning as errors"
+ * memdebug: don't setbuf() if the file open failed
+ * curl_easy_escape.3: mention the (lack of) encoding
+ * test1452: add telnet negotiation
+ * CURLOPT_POSTFIELDS.3: explain the 100-continue magic better
+ * cmake: offer CMAKE_DEBUG_POSTFIX when building with MSVC
+ * tests/valgrind.supp: supress OpenSSL false positive seen on
+ travis
+ * curl_setup_once: Remove ERRNO/SET_ERRNO macros
+ * rtspd: fix MSVC level 4 warning
+ * sockfilt: suppress conversion warning with explicit cast
+ * libtest: fix MSVC warning C4706
+ * tests/server/resolve.c: fix deprecation warning
+ * nss: fix a possible use-after-free in SelectClientCert()
+ * checksrc: escape open brace in regex
+ * multi: mention integer overflow risk if using > 500 million
+ sockets
+ * timeval: struct curltime is a struct timeval replacement
+ * curl_rtmp: fix a compiler warning
+ * include.d: clarify that it concerns the response headers
+ * cmake: support make uninstall
+ * include.d: clarify --include is only for response headers
+ * libcurl: Stop using error codes defined under CURL_NO_OLDIES
+ * http: fix response code parser to avoid integer overflow
+ * configure: fix the check for IdnToUnicode
+ * multi: fix request timer management
+ * curl_threads: fix MSVC compiler warning
+ * cmake: set MSVC warning level to 4
+ * netrc: skip lines starting with '#'
+ * FTP: skip unnecessary CWD when in nocwd mode
+ * gssapi: fix memory leak of output token in multi round context
+ * getparameter: avoid returning uninitialized 'usedarg'
+ * curl (debug build) easy_events: make event data static
+ * curl: detect and bail out early on parameter integer overflows
+
+- Removed patch curl-invalid-free.patch
+
+-------------------------------------------------------------------
+Wed Jun 28 13:50:08 UTC 2017 - dimstar@opensuse.org
+
+- Update License to 'curl' as per review on OBS sr#505976.
+
+-------------------------------------------------------------------
+Fri Jun 23 10:49:11 UTC 2017 - dimstar@opensuse.org
+
+- Have the -mini packages conflict the real ones.
+
+-------------------------------------------------------------------
+Tue Jun 20 11:30:01 UTC 2017 - idonmez@suse.com
+
+- Add curl-invalid-free.patch to fix an invalid free in
+ curl_multi_setopt function.
+
+-------------------------------------------------------------------
+Wed Jun 14 11:19:16 UTC 2017 - idonmez@suse.com
+
+- Update to 7.54.1
+ Changes:
+ * curl now shows release date in --version output
+ Bugfixes:
+ * Fixes CVE-2017-9502: default protocol drive letter
+ buffer overflow bsc#1044243
+ * openssl: fix memory leak in servercert
+ * curl: set a 100K buffer size by default
+ * nss: do not leak PKCS #11 slot while loading a key
+ * nss: load libnssckbi.so if no other trust is specified
+ * curl: use utimes instead of obsolescent utime when available
+ * url: fixed a memory leak on OOM while setting CURLOPT_BUFFERSIZE
+ * CURLOPT_BUFFERSIZE: 1024 bytes is now the minimum size
+ * curl: non-boolean command line args reject --no- prefixes
+ * telnet: Write full buffer instead of byte-by-byte
+ * curl: remove --environment and tool_writeenv.c
+ * curl: generate the --help output
+ * curl.1: clarify --config
+ * curl.1: mention --oauth2-bearer's argument
+ * ssh: fix memory leak in disconnect due to timeout
+ * redirect: store the "would redirect to" URL when max redirs is reached
+ * file: make speedcheck use current time for checks
+ * urlglob: fix division by zero
+
+-------------------------------------------------------------------
+Tue Jun 13 13:08:21 UTC 2017 - lnussel@suse.de
+
+- Create curl-mini for bootstrapping (boo#1042919)
+
+-------------------------------------------------------------------
+Wed Apr 19 08:17:17 UTC 2017 - idonmez@suse.com
+
+- Update to 7.54.0
+ Changes:
+ * Add CURL_SSLVERSION_MAX_* constants to CURLOPT_SSLVERSION
+ * Add --max-tls
+ * Add CURLOPT_SUPPRESS_CONNECT_HEADERS
+ * Add --suppress-connect-headers
+ Bugfixes:
+ * CVE-2017-7468: switch off SSL session id when client cert is used
+ * bsc#1033413
+ * tests: use consistent environment variables for setting charset
+ * proxy: fixed a memory leak on OOM
+ * ftp: removed an erroneous free in an OOM path
+ * ftp: fixed a NULL pointer dereference on OOM
+ * gopher: fixed detection of an error condition from Curl_urldecode
+ * url: fix unix-socket support for proxy-disabled builds
+ * fix potential use of uninitialized variables
+ * ares: return error at once if timed out before name resolve starts
+ * URL: return error on malformed URLs with junk after port number
+ * http2: Fix assertion error on redirect with CL=0
+ * --insecure: clarify that this option is for server connections
+ * authneg: clear auth.multi flag at http_done
+ * curl_easy_reset: Also reset the authentication state
+ * proxy: skip SSL initialization for closed connections
+ * http_proxy: ignore TE and CL in CONNECT 2xx responses
+ * multi: fix streamclose() crash in debug mode
+ * openssl: fall back on SSL_ERROR_* string when no error detail
+ * asiohiper: make sure socket is open in event_cb
+ * curl: check for end of input in writeout backslash handling
+ * openssl: exclude DSA code when OPENSSL_NO_DSA is defined
+ * http: Fix proxy connection reuse with basic-auth
+ * pause: handle mixed types of data when paused
+ * http: do not treat FTPS over CONNECT as HTTPS
+ * conncache: make hashkey avoid malloc
+ * multi: fix queueing of pending easy handles
+ * low_speed_limit: improved function for longer time periods
+ * nss: load CA certificates even with --insecure
+ * Curl_expire_latest: ignore already expired timers
+ * http2: fix handle leak in
error path
+ * openssl: make SSL_ERROR_to_str more future-proof
+ * openssl: fix thread-safety bugs in error-handling
+ * openssl: don't try to print nonexistant peer private keys
+
+-------------------------------------------------------------------
+Fri Feb 24 11:42:10 UTC 2017 - idonmez@suse.com
+
+- Update to 7.53.1
+ Bugfixes:
+ * url: Improve CURLOPT_PROXY_CAPATH error handling
+ * urldata: include curl_sspi.h when Windows SSPI is enabled
+ * formdata: check for EOF when reading from stdin
+ * tests: Set CHARSET & LANG to UTF-8 in 1035, 2046 and 2047
+ * url: Default the proxy CA bundle location to CURL_CA_BUNDLE
+ * rand: added missing #ifdef HAVE_FCNTL_H around fcntl.h header
+
+-------------------------------------------------------------------
+Wed Feb 22 09:49:12 UTC 2017 - idonmez@suse.com
+
+- Update to 7.53.0
+ Changes:
+ * unix_socket: added --abstract-unix-socket and
+ CURLOPT_ABSTRACT_UNIX_SOCKET
+ * CURLOPT_BUFFERSIZE: support enlarging receive buffer
+
+ Bugfixes:
+ * CVE-2017-2629: make SSL_VERIFYSTATUS work again
+ * gnutls-random: check return code for failed random
+ * openssl-random: check return code when asking for random
+ * http: remove "Curl_http_done: called premature" message
+ * cyassl: use time_t instead of long for timeout
+ * build-wolfssl: Sync config with wolfSSL 3.10
+ * ftp-gss: check for init before use
+ * configure: accept --with-libidn2 instead
+ * ftp: failure to resolve proxy should return that error code
+ * curl.1: add three more exit codes
+ * docs/ciphers: link to our own new page about ciphers
+ * vtls: s/SSLEAY/OPENSSL - fixes multi_socket timeouts with openssl
+ * darwinssl: fix iOS build
+ * darwinssl: fix CFArrayRef leak
+ * cmake: use crypt32.lib when building with OpenSSL on windows
+ * curl_formadd.3: CURLFORM_CONTENTSLENGTH not needed when chunked
+ * digest_sspi: copy terminating NUL as well
+ * curl: fix --remote-time incorrect times on Windows
+ * curl.1: several updates and corrections
+ *
content_encoding: change return code on a failure
+ * curl.h: CURLE_FUNCTION_NOT_FOUND is no longer in use
+ * docs: TCP_KEEPALIVE start and interval default to 60
+ * darwinssl: --insecure overrides --cacert if both settings are in use
+ * TheArtOfHttpScripting: grammar
+ * CIPHERS.md: document GSKit ciphers
+ * wolfssl: support setting cipher list
+ * wolfssl: display negotiated SSL version and cipher
+ * lib506: fix build for Open Watcom
+ * asiohiper: improved socket handling
+ * examples: make the C++ examples follow our code style too
+ * tests/sws: retry send() on EWOULDBLOCK
+ * cmake: Fix passing _WINSOCKAPI_ macro to compiler
+ * smtp: Fix STARTTLS denied error message
+ * imap/pop3: don't print response character in STARTTLS denied messages
+ * rand: make it work without TLS backing
+ * url: fix parsing for when 'file' is the default protocol
+ * url: allow file://X:/path URLs on windows again
+ * gnutls: check for alpn and ocsp in configure
+ * IDN: Use TR46 'non-transitional' for toASCII translations
+ * url: Fix NO_PROXY env var to work properly with --proxy option
+ * CURLOPT_PREQUOTE.3: takes a struct curl_slist*, not a char*
+ * docs: Add note about libcurl copying strings to CURLOPT_* manpages
+ * curl: reset the easy handle at --next
+ * --next docs: --trace and --trace-ascii are also global
+ * --write-out docs: 'time_total' is not always shown with ms precision
+ * http: print correct HTTP string in verbose output when using HTTP/2
+ * docs: improved language in README.md HISTORY.md CONTRIBUTE.md
+ * http2: disable server push if not requested
+ * nss: use the correct lock in nss_find_slot_by_name()
+ * usercertinmem.c: improve the short description
+ * CURLOPT_CONNECT_TO: Fix compile warnings
+ * docs: non-blocking SSL handshake is now supported with NSS
+ * *.rc: escape non-ASCII/non-UTF-8 character for clarity
+ * mbedTLS: fix multi interface non-blocking handshake
+ * PolarSSL: fix multi interface non-blocking handshake
+ * VC: remove the
makefile.vc6 build infra
+ * telnet: fix windows compiler warnings
+ * cookies: do not assume a valid domain has a dot
+ * polarssl: fix hangs
+ * gnutls: disable TLS session tickets
+ * mbedtls: disable TLS session tickets
+ * mbedtls: implement CTR-DRBG and HAVEGE random generators
+ * openssl: Don't use certificate after transferring ownership
+ * cmake: Support curl --xattr when built with cmake
+ * OS400: Fix symbols
+ * docs: Add more HTTPS proxy documentation
+ * docs: use more HTTPS links
+ * cmdline-opts: Fixed build and test in out of source tree builds
+ * CHANGES.0: removed
+ * schannel: Remove incorrect SNI disabled message
+ * darwinssl: Avoid parsing certificates when not in verbose mode
+ * test552: Fix typos
+ * telnet: Fix typos
+ * transfer: only retry nobody-requests for HTTP
+ * http2: reset push header counter fixes crash
+ * nss: make FTPS work with --proxytunnel
+ * test1139: Added the --manual keyword since the manual is required
+ * polarssl, mbedtls: Fix detection of pending data
+ * http_proxy: Fix tiny memory leak upon edge case connecting to proxy
+ * URL: only accept ";options" in SMTP/POP3/IMAP URL schemes
+ * curl.1: ftp.sunet.se is no longer an FTP mirror
+ * tool_operate: Show HTTPS-Proxy options on CURLE_SSL_CACERT
+ * http2: fix memory-leak when denying push streams
+ * configure: Allow disabling pthreads, fall back on Win32 threads
+ * curl: fix typo in time condition warning message
+ * axtls: adapt to API changes
+ * tool_urlglob: Allow a glob range with the same start and stop
+ * winbuild: add note on auto-detection of MACHINE in Makefile.vc
+ * http: fix missing 'Content-Length: 0' while negotiating auth
+ * proxy: fix hostname resolution and IDN conversion
+ * docs: fix timeout handling in multi-uv example
+ * digest_sspi: Fix nonce-count generation in HTTP digest
+ * sftp: improved checks for create dir failures
+ * smb: use getpid replacement for windows UWP builds
+ * digest_sspi: Handle 'stale=TRUE' directive in HTTP
digest
+- Remove curl-7.52.1-idn-fixes.patch, fixed upstream.
+
+-------------------------------------------------------------------
+Sun Feb 5 22:33:33 UTC 2017 - astieger@suse.com
+
+- build with libidn2 for IDNA2008 support
+ FATE#321897 CVE-2016-8625 bsc#1005649
+ add curl-7.52.1-idn-fixes.patch to fix test, among other things
+- re-enable tests that are no longer failing,
+ remove curl-disable_failing_tests.patch
+
+-------------------------------------------------------------------
+Fri Dec 23 07:37:40 UTC 2016 - idonmez@suse.com
+
+- Update to 7.52.1
+ Bugfixes:
+ * CVE-2016-9594: unititialized random bsc#1016738
+
+-------------------------------------------------------------------
+Wed Dec 21 07:10:10 UTC 2016 - idonmez@suse.com
+
+- Update to 7.52.0
+ Changes:
+ * nss: map CURL_SSLVERSION_DEFAULT to NSS default
+ * vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
+ * curl: introduce the --tlsv1.3 option to force TLS 1.3
+ * curl: Add --retry-connrefused
+ * proxy: Support HTTPS proxy and SOCKS+HTTP(s)
+ * add CURLINFO_SCHEME, CURLINFO_PROTOCOL, and %{scheme}
+ * curl: add --fail-early
+ Bugfixes:
+ * CVE-2016-9586: printf floating point buffer overflow
+ * curl -w: added more decimal digits to timing counters
+ * easy: Initialize info variables on easy init and duphandle
+ * http2: Don't send header fields prohibited by HTTP/2 spec
+ * ssh: check md5 fingerprints case insensitively (regression)
+ * openssl: initial TLS 1.3 adaptions
+ * SPNEGO: Fix memory leak when authentication fails
+ * realloc: use Curl_saferealloc to avoid common mistakes
+ * openssl: make sure to fail in the unlikely event that PRNG
+ seeding fails
+ * URL-parser: for file://[host]/ URLs, the [host] must be localhost
+ * timeval: prefer time_t to hold seconds instead of long
+ * glob: fix [a-c] globbing regression
+ * curl.1: Clarify --dump-header only writes received headers
+ * http2: Fix address sanitizer memcpy warning
+ * http2: Use huge HTTP/2 windows
+ * connects: Don't mix
unix domain sockets with regular ones
+ * url: Fix conn reuse for local ports and interfaces
+ * x509: Limit ASN.1 structure sizes to 256K
+ * http2: check nghttp2_session_set_local_window_size exists
+ * http2: Fix crashes when parent stream gets aborted
+ * CURLOPT_CONNECT_TO: Skip non-matching "connect-to" entries
+ * URL parser: reject non-numerical port numbers
+ * CONNECT: reject TE or CL in 2xx responses
+ * CONNECT: read responses one byte at a time
+ * curl: support zero-length argument strings in config files
+ * openssl: don't use OpenSSL's ERR_PACK
+ * curl.1: generated with the new man page system
+ * curl_easy_recv: Improve documentation and example program
+ * Curl_getconnectinfo: avoid checking if the connection is closed
+ * CIPHERS.md: attempt to document TLS cipher names
+
+-------------------------------------------------------------------
+Wed Nov 2 07:15:44 UTC 2016 - idonmez@suse.com
+
+- Update to 7.51.0
+ Changes:
+ * nss: additional cipher suites are now accepted by
+ CURLOPT_SSL_CIPHER_LIST
+ * New option: CURLOPT_KEEP_SENDING_ON_ERROR
+ Bugfixes:
+ * CVE-2016-8615: cookie injection for other servers
+ * CVE-2016-8616: case insensitive password comparison
+ * CVE-2016-8617: OOB write via unchecked multiplication
+ * CVE-2016-8618: double-free in curl_maprintf
+ * CVE-2016-8619: double-free in krb5 code
+ * CVE-2016-8620: glob parser write/read out of bounds
+ * CVE-2016-8621: curl_getdate read out of bounds
+ * CVE-2016-8622: URL unescape heap overflow via integer truncation
+ * CVE-2016-8623: Use-after-free via shared cookies
+ * CVE-2016-8624: invalid URL parsing with '#'
+ * CVE-2016-8625: IDNA 2003 makes curl use wrong host
+ * openssl: fix per-thread memory leak using 1.0.1 or 1.0.2
+ * http: accept "Transfer-Encoding: chunked" for HTTP/2 as well
+ * LICENSE-MIXING.md: update with mbedTLS dual licensing
+ * examples/imap-append: Set size of data to be uploaded
+ * test2048: fix url
+ * darwinssl: disable RC4 cipher-suite support
+ *
CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting
+ * openssl: don’t call CRYTPO_cleanup_all_ex_data
+ * libressl: fix version output
+ * easy: Reset all statistical session info in curl_easy_reset
+ * curl_global_cleanup.3: don't unload the lib with sub threads running
+ * dist: add CurlSymbolHiding.cmake to the tarball
+ * docs: Remove that --proto is just used for initial retrieval
+ * configure: Fixed builds with libssh2 in a custom location
+ * curl.1: --trace supports % for sending to stderr!
+ * cookies: same domain handling changed to match browser behavior
+ * formpost: trying to attach a directory no longer crashes
+ * CURLOPT_DEBUGFUNCTION.3: fixed unused argument warning
+ * formpost: avoid silent snprintf() truncation
+ * ftp: fix Curl_ftpsendf
+ * mprintf: return error on too many arguments
+ * smb: properly check incoming packet boundaries
+ * GIT-INFO: remove the Mac 10.1-specific details
+ * resolve: add error message when resolving using SIGALRM
+ * cmake: add nghttp2 support
+ * dist: remove PDF and HTML converted docs from the releases
+ * configure: disable poll() in macOS builds
+ * vtls: only re-use session-ids using the same scheme
+ * pipelining: skip to-be-closed connections when pipelining
+ * win: fix Universal Windows Platform build
+ * curl: do not set CURLOPT_SSLENGINE to DEFAULT automatically
+ * maketgz: make it support "only" generating version info
+ * Curl_socket_check: add extra check to avoid integer overflow
+ * gopher: properly return error for poll failures
+ * curl: set INTERLEAVEDATA too
+ * polarssl: clear thread array at init
+ * polarssl: fix unaligned SSL session-id lock
+ * polarssl: reduce #ifdef madness with a macro
+ * curl_multi_add_handle: set timeouts in closure handles
+ * configure: set min version flags for builds on mac
+ * INSTALL: converted to markdown => INSTALL.md
+ * curl_multi_remove_handle: fix a double-free
+ * multi: fix inifinte loop in curl_multi_cleanup()
+ * nss: fix tight loop in
non-blocking TLS handhsake over proxy
+ * mk-ca-bundle: Change URL retrieval to HTTPS-only by default
+ * mbedtls: stop using deprecated include file
+ * docs: fix req->data in multi-uv example
+ * configure: Fix test syntax for monotonic clock_gettime
+ * CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2
+- Refresh libcurl-ocloexec.patch
+
+-------------------------------------------------------------------
+Wed Sep 14 07:13:02 UTC 2016 - idonmez@suse.com
+
+- update to 7.50.3
+ Bugfixes:
+ * CVE-2016-7167: escape and unescape integer overflows
+ * mk-ca-bundle.pl: use SHA256 instead of SHA1
+ * checksrc: detect strtok() use
+ * errors: new alias CURLE_WEIRD_SERVER_REPLY
+ * http2: support > 64bit sized uploads
+ * openssl: fix bad memory free (regression)
+ * CMake: hide private library symbols
+ * http: refuse to pass on response body when NO_NODY is set
+ * cmake: fix curl-config --static-libs
+ * mbedtls: switch off NTLM in build if md4 isn't available
+ * curl: --create-dirs on windows groks both forward and
+ backward slashes
+
+-------------------------------------------------------------------
+Thu Sep 8 08:31:40 UTC 2016 - idonmez@suse.com
+
+- update to 7.50.2
+ Bugfixes:
+ * mbedtls: Added support for NTLM
+ * SSH: fixed SFTP/SCP transfer problems
+ * multi: make Curl_expire() work with 0 ms timeouts
+ * mk-ca-bundle.pl: -m keeps ca cert meta data in output
+ * TFTP: Fix upload problem with piped input
+ * CURLOPT_TCP_NODELAY: now enabled by default
+ * mbedtls: set verbose TLS debug when MBEDTLS_DEBUG is defined
+ * http2: always wait for readable socket
+ * cmake: Enable win32 large file support by default
+ * cmake: Enable win32 threaded resolver by default
+ * winbuild: Avoid setting redundant CFLAGS to compile commands
+ * curl.h: make CURL_NO_OLDIES define CURL_STRICTER
+ * docs: make more markdown files use .md extension
+ * docs: CONTRIBUTE and LICENSE-MIXING were converted to markdown
+ * winbuild: Allow changing C compiler via
environment variable CC
+ * rtsp: accept any RTSP session id
+ * HTTP: retry failed HEAD requests on reused connections too
+ * configure: add zlib search with pkg-config
+ * openssl: accept subjectAltName iPAddress if no dNSName match
+ * MANUAL: Remove invalid link to LDAP documentation
+ * socks: improved connection procedure
+ * proxy: reject attempts to use unsupported proxy schemes
+ * proxy: bring back use of "Proxy-Connection:"
+ * curl: allow "pkcs11:" prefix for client certificates
+ * spnego_sspi: fix memory leak in case *outlen is zero
+ * SOCKS: improve verbose output of SOCKS5 connection sequence
+ * SOCKS: display the hostname returned by the SOCKS5 proxy server
+ * http/sasl: Query authentication mechanism supported by SSPI before using
+ * sasl: Don't use GSSAPI authentication when domain name not specified
+ * win: Basic support for Universal Windows Platform apps
+ * nss: fix incorrect use of a previously loaded certificate from file,
+ https://curl.haxx.se/docs/adv_20160907.html
+ * nss: work around race condition in PK11_FindSlotByName()
+ * ftp: fix wrong poll on the secondary socket
+ * openssl: build warning-free with 1.1.0 (again)
+ * HTTP: stop parsing headers when switching to unknown protocols
+ * test219: Add http as a required feature
+ * TLS: random file/egd doesn't have to match for conn reuse
+ * schannel: Disable ALPN for Wine since it is causing problems
+ * http2: make sure stream errors don't needlessly close the connection
+ * http2: return CURLE_HTTP2_STREAM for unexpected stream close
+ * darwinssl: --cainfo is intended for backward compatibility only
+ * speed caps: not based on average speeds anymore
+ * configure: make the cpp -P detection not clobber CPPFLAGS
+ * http2: use named define instead of magic constant in read callback
+ * http2: skip the content-length parsing, detect unknown size
+ * http2: return EOF when done uploading without known size
+ * darwinssl: test for errSecSuccess in PKCS12 import rather than
noErr + * openssl: fix CURLINFO_SSL_VERIFYRESULT + +------------------------------------------------------------------- +Fri Aug 5 12:41:43 UTC 2016 - pjanouch@suse.de + +- update to 7.50.1 + Bugfixes: + * TLS: switch off SSL session id when client cert is used + * TLS: only reuse connections with the same client cert + * curl_multi_cleanup: clear connection pointer for easy handles + * include the CURLINFO_HTTP_VERSION man page into the release tarball + * include the http2-server.pl script in the release tarball + * test558: fix test by stripping file paths from FD lines + * spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declaration + * tests: Fix for http/2 feature + * cmake: Fix for schannel support + * curl.h: make public types void * again + * win32: fix a potential memory leak in Curl_load_library + * travis: fix OSX build by re-installing libtool + * mbedtls: Fix debug function name +- removed 0001-tests-distribute-the-http2-server.pl-script-too.patch + +------------------------------------------------------------------- +Thu Jul 21 09:30:30 UTC 2016 - vcizek@suse.com + +- update to 7.50.0 + Changes: + * http: add CURLINFO_HTTP_VERSION and %{http_version} + Bugfixes: + * openssl: fix build with OPENSSL_NO_COMP + * cmake: Added missing mbedTLS support + * URL parser: allow URLs to use one, two or three slashes + * curl: fix -q [regression] + * openssl: Use correct buffer sizes for error messages + * curl: fix SIGSEGV while parsing URL with too many globs + * vtls: fix ssl session cache race condition + * http: Fix HTTP/2 connection reuse [regression] + * checksrc: Add LoadLibrary to the banned functions list + * configure: occasional ignorance of --enable-symbol-hiding with GCC + * http2: test17xx are the first real HTTP/2 tests + * resolve: add support for IPv6 DNS64/NAT64 Networks on OS X + iOS + * curl_multi_socket_action.3: rewording + * CURLOPT_POSTFIELDS.3: Clarify what happens when set empty + * cmake: Fix build with winldap + * 
openssl: fix cert check with non-DNS name fields present
+ * curl.1: mention the units for the progress meter
+ * openssl: use more 'const' to fix build warnings with 1.1.0 branch
+ * cmake: now using BUILD_TESTING=ON/OFF
+ * vtls: Only call add/getsession if session id is enabled
+ * headers: forward declare CURL, CURLM and CURLSH as structs
+ * configure: improve detection of CA bundle path on FreeBSD
+ * SFTP: set a generic error when no SFTP one exists
+ * curl_global_init.3: expand on the SSL and WIN32 bits purpose
+ * conn: don't free easy handle data in handler->disconnect
+ * cookie.c: Fix misleading indentation
+ * library: Fix memory leaks found during static analysis
+ * CURLMOPT_SOCKETFUNCTION.3: fix typo
+ * curl_global_init: moved the "IPv6 works" check here
+ * connect: disable TFO on Linux when using SSL
+ * vauth: Fixed memory leak due to function returning without free
+- refresh libcurl-ocloexec.patch
+- disable tests 1139 and 1140 which fail due to missing manpage
+ * add curl-disable_failing_tests.patch
+- ship http2_server.pl for testing
+ * add 0001-tests-distribute-the-http2-server.pl-script-too.patch
+
+-------------------------------------------------------------------
+Tue Jun 14 11:47:27 UTC 2016 - astieger@suse.com
+
+- curl 7.49.1:
+ * http2: use HTTP/2 in the HTTP/1.1-alike response
+ * ssh: fix build for libssh2 before 1.2.6
+ * a number of bug and build fixes
+- curl 7.49.0:
+ * schannel: Add ALPN support
+ * SSH: support CURLINFO_FILETIME
+ * SSH: new CURLOPT_QUOTE command "statvfs"
+ * wolfssl: Add ALPN support
+ * http2: added --http2-prior-knowledge
+ * http2: added CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE
+ * libcurl: added CURLOPT_CONNECT_TO
+ * curl: added --connect-to
+ * libcurl: added CURLOPT_TCP_FASTOPEN
+ * curl: added --tcp-fastopen
+ * curl: remove support for --ftpport, -http-request and --socks
+ * a number of bug and build fixes
+- update upstream signing key and download URLs
+-
0001-Fix-invalid-Network-is-unreachable-errors.patch is upstream
+
+-------------------------------------------------------------------
+Mon Jun 6 10:18:29 UTC 2016 - idonmez@suse.com
+
+- Depend on libssh2 >= 1.6.0 since curl depends on the
+ libssh2_scp_recv2 symbol now. Fixes boo#983170
+
+-------------------------------------------------------------------
+Thu May 5 18:53:47 UTC 2016 - alarrosa@suse.com
+
+- Add 0001-Fix-invalid-Network-is-unreachable-errors.patch.
+ Fixes "Network is unreachable" errors in valid situations when ipv6
+ is not available but ipv4 is working fine. This also fixes the same
+ error from happening in applications using libcurl4 (like zypper).
+ (bsc#915846)
+
+-------------------------------------------------------------------
+Thu Mar 31 17:25:29 UTC 2016 - idonmez@suse.com
+
+- Update to 7.48.0
+ * configure: --with-ca-fallback: use built-in TLS CA fallback
+ * TFTP: add --tftp-no-options to expose CURLOPT_TFTP_NO_OPTIONS
+ * getinfo: CURLINFO_TLS_SSL_PTR supersedes CURLINFO_TLS_SESSION
+ * Lots of bugfixes, see https://curl.haxx.se/changes.html#7_48_0
+- Drop curl-7.41.0-use-openssl-s-built-in-verify-path-as-fallback.diff,
+ superseded by --with-ca-fallback configure option.
+
+-------------------------------------------------------------------
+Thu Mar 17 10:58:24 UTC 2016 - astieger@suse.com
+
+- curl 7.47.1:
+ * getredirect.c: fix variable name
+ * tool_doswin: silence unused function warning
+ * curl.1: Explain remote-name behavior if file already exists
+ * sasl_sspi: Fix memory leak in domain populate
+ * openssl: Fix signed/unsigned mismatch warning in X509V3_ext
+
+-------------------------------------------------------------------
+Fri Jan 29 21:17:56 UTC 2016 - mpluskal@suse.com
+
+- Enable PSL (Publix Suffix List)
+- Make building more verbose
+
+-------------------------------------------------------------------
+Wed Jan 27 13:10:50 UTC 2016 - vcizek@suse.com
+
+- update to 7.47.0
+ * fixes CVE-2016-0755 (bsc#962983)
+ (NTLM credentials not-checked for proxy connection re-use)
+ * drop curl-fix-zsh-completion.patch (upstream)
+ Changes:
+ * version: Add flag CURL_VERSION_PSL for libpsl
+ * http: added CURL_HTTP_VERSION_2TLS to do HTTP/2 for HTTPS only
+ * curl: use 2TLS by default
+ * curl --expect100-timeout: added
+ * Add .dir-locals and set c-basic-offset to 2 (for emacs)
+
+-------------------------------------------------------------------
+Wed Jan 6 13:18:33 UTC 2016 - idonmez@suse.com
+
+- Fix path to curl in zsh.pl to unbreak _curl completion
+ * curl-fix-zsh-completion.patch
+
+-------------------------------------------------------------------
+Wed Dec 2 12:18:24 UTC 2015 - idonmez@suse.com
+
+- Update to 7.46.0
+ * Added CURLOPT_STREAM_DEPENDS
+ * Added CURLOPT_STREAM_DEPENDS_E
+ * Added CURLOPT_STREAM_WEIGHT
+ * Added CURLFORM_CONTENTLEN
+ * oauth2: Added support for OAUTHBEARER SASL mechanism to IMAP,
+ POP3 and SNMP
+* Many bugfixes, see http://curl.haxx.se/changes.html#7_46_0 for the
+ complete list.
+
+-------------------------------------------------------------------
+Mon Oct 19 09:35:04 UTC 2015 - vcizek@suse.com
+
+- revert the curl-config change for bsc#900419 until we have a better
+ fix, because it was breaking builds of other packages
+
+-------------------------------------------------------------------
+Sun Oct 18 21:43:16 UTC 2015 - crrodriguez@opensuse.org
+
+- Enable HTTP/2 support, buildrequires pkgconfig(libnghttp2)
+
+-------------------------------------------------------------------
+Sat Oct 10 06:58:35 UTC 2015 - mpluskal@suse.com
+
+- Update to 7.45.0
+ * added CURLOPT_DEFAULT_PROTOCOL
+ * added new tool option --proto-default
+ * getinfo: added CURLINFO_ACTIVESOCKET
+ * turned CURLINFO_* option docs as stand-alone man pages
+ * curl: point out unnecessary uses of -X in verbose mode
+- Drop curl-disable_failing_tests.patch as it is now part of
+ upstream
+
+-------------------------------------------------------------------
+Wed Aug 26 07:29:40 UTC 2015 - vcizek@suse.com
+
+- drop a hack that made curl-config print only -lcurl (bsc#900419)
+ * --as-needed is used by default now
+
+-------------------------------------------------------------------
+Fri Aug 14 09:02:40 UTC 2015 - vcizek@suse.com
+
+- update to 7.44.0
+ http2: added CURLMOPT_PUSHFUNCTION and CURLMOPT_PUSHDATA
+ examples: added http2-serverpush.c
+ http2: added curl_pushheader_byname() and curl_pushheader_bynum()
+ docs: added CODE_OF_CONDUCT.md
+ curl: Add --ssl-no-revoke to disable certificate revocation checks
+ libcurl: New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS
+ makefile: Added support for VC14
+- dropped unexpire-test46.patch (upstream)
+
+-------------------------------------------------------------------
+Tue Aug 11 10:02:18 UTC 2015 - schwab@suse.de
+
+- unexpire-test46.patch: Unexpire test 46
+
+-------------------------------------------------------------------
+Fri Jul 31 08:22:39 UTC 2015 - normand@linux.vnet.ibm.com
+
+- do not run flaky tests for 
any architecture (bnc#940009)
+ at least test 1510 do fail for i586 and ppc64le
+
+-------------------------------------------------------------------
+Fri Jul 3 08:29:55 UTC 2015 - vcizek@suse.com
+
+- fix a typo in curl-secure-getenv.patch (bsc#936676)
+
+-------------------------------------------------------------------
+Fri Jun 19 13:07:44 UTC 2015 - mpluskal@suse.com
+
+- Update to 7.43.0
+ * Added CURLOPT_PROXY_SERVICE_NAME
+ * Added CURLOPT_SERVICE_NAME
+ * New curl option: --proxy-service-name
+ * Mew curl option: --service-name
+ * New curl option: --data-raw
+ * Added CURLOPT_PIPEWAIT
+ * Added support for multiplexing transfers using HTTP/2, enable
+ this with the new CURLPIPE_MULTIPLEX bit for
+ CURLMOPT_PIPELINING
+ * HTTP/2: requires nghttp2 1.0.0 or later
+ * scripts: add zsh.pl for generating zsh completion
+ * curl.h: add CURL_HTTP_VERSION_2
+ * CVE-2015-3236: lingering HTTP credentials in connection re-use
+ * CVE-2015-3237: SMB send off unrelated memory contents
+- Disable HTTP/2 as it would create build cycle
+
+-------------------------------------------------------------------
+Wed May 20 15:18:12 UTC 2015 - vcizek@suse.com
+
+- enable HTTP/2 support
+- make the testsuite failure fatal
+ * added curl-disable_failing_tests.patch
+ * added groff to BuildRequires to enable builtin manual (test 1026)
+
+-------------------------------------------------------------------
+Wed Apr 29 08:32:11 UTC 2015 - vcizek@suse.com
+
+- update to 7.42.1
+ * fixes CVE-2015-3153 (bnc#928533)
+ - sensitive HTTP server headers also sent to proxies
+- rename curl-devel to libcurl-devel in baselibs.conf
+
+-------------------------------------------------------------------
+Wed Apr 22 08:03:02 UTC 2015 - vcizek@suse.com
+
+- update to 7.42.0
+ * refresh libcurl-ocloexec.patch
+- fixes security vulnerabilities:
+ * CVE-2015-3143 (bnc#927556)
+ - Re-using authenticated connection when unauthenticated
+ * CVE-2015-3144 (bnc#927608)
+ - host name out of boundary memory 
access
+ * CVE-2015-3145 (bnc#927607)
+ - cookie parser out of boundary memory access
+ * CVE-2015-3148 (bnc#927746)
+ - Negotiate not treated as connection-oriented
+
+-------------------------------------------------------------------
+Tue Mar 24 12:49:35 UTC 2015 - lnussel@suse.de
+
+- don't hardcode /etc/ssl/certs. Use openssl's default instead
+ (curl-7.41.0-use-openssl-s-built-in-verify-path-as-fallback.diff)
+
+-------------------------------------------------------------------
+Thu Feb 26 09:37:22 UTC 2015 - sor.alexei@meowr.ru
+
+- update to 7.41.0:
+ * Changes:
+ NetWare build: added TLS-SRP enabled build
+ winbuild: Added option to build with c-ares
+ Added --cert-status
+ Added CURLOPT_SSL_VERIFYSTATUS
+ sasl: implement EXTERNAL authentication mechanism
+
+-------------------------------------------------------------------
+Sat Feb 14 18:29:37 UTC 2015 - mpluskal@suse.com
+
+- Re-enable metalink supoort
+- Use pkgconfig() style dependencies
+
+-------------------------------------------------------------------
+Thu Jan 8 09:55:11 UTC 2015 - vcizek@suse.com
+
+- update to 7.40.0:
+ * fixes CVE-2014-8150 (bnc#911363)
+ * Changes:
+ http_digest: Added support for Windows SSPI based authentication
+ version info: Added Kerberos V5 to the supported features
+ Makefile: Added VC targets for WinIDN
+ config-win32: Introduce build targets for VS2012+
+ SSL: Add PEM format support for public key pinning
+ smtp: Added support for the conversion of Unix newlines during mail send
+ smb: Added initial support for the SMB/CIFS protocol
+ Added support for HTTP over unix domain sockets,
+ via CURLOPT_UNIX_SOCKET_PATH and --unix-socket
+ sasl: Added support for GSS-API based Kerberos V5 authentication
+
+-------------------------------------------------------------------
+Thu Jan 1 23:08:25 UTC 2015 - meissner@suse.com
+
+- build with PIE
+
+-------------------------------------------------------------------
+Fri Nov 14 15:29:07 UTC 2014 - vcizek@suse.com
+
+- update 
to 7.39.0:
+- changes:
+ SSLv3 is disabled by default
+ CURLOPT_COOKIELIST: Added "RELOAD" command
+ build: Added WinIDN build configuration options to Visual Studio projects
+ ssh: improve key file search
+ SSL: public key pinning. Use CURLOPT_PINNEDPUBLICKEY and --pinnedpubkey
+ vtls: remove QsoSSL support, use gskit!
+ mk-ca-bundle: added SHA-384 signature algorithm
+ docs: added many examples for libcurl opts and other doc improvements
+ build: Added VC ssh2 target to main Makefile
+ MinGW: Added support to build with nghttp2
+ NetWare: Added support to build with nghttp2
+ build: added Watcom support to build with WinSSL
+ build: Added optional specific version generation of VC project files
+ ... and a bunch of bugfixes
+- refreshed libcurl-ocloexec.patch
+- removed gpg-offline verification
+- spec-cleaned curl.spec
+
+-------------------------------------------------------------------
+Thu Oct 23 15:13:30 UTC 2014 - crrodriguez@opensuse.org
+
+- Ensure the curl command line tool always require
+ the same libcurl it was used for build, even expert users
+ got confused.
+
+-------------------------------------------------------------------
+Wed Sep 10 09:07:59 UTC 2014 - vcizek@suse.com
+
+- update to 7.38.0
+ * fixes CVE-2014-3613 (bnc#894575) and CVE-2014-3620 (bnc#895991)
+ * cookie leaks with IP address as domain and TLDs respectively
+ Changes:
+ supports HTTP/2 draft-14
+ CURLE_HTTP2 is a new error code
+ CURLAUTH_NEGOTIATE is a new auth define
+ CURL_VERSION_GSSAPI is a new capability bit
+ no longer use fbopenssl for anything
+ schannel: use CryptGenRandom for random numbers
+ axtls: define curlssl_random using axTLS's PRNG
+ cyassl: use RNG_GenerateBlock to generate a good random number
+ findprotocol: show unsupported protocol within quotes
+ version: detect and show LibreSSL
+ version: detect and show BoringSSL
+ imap/pop3/smtp: Kerberos (SASL GSSAPI) authentication via Windows SSPI
+ http2: requires nghttp2 0.6.0 or later
+ Bugfixes:
+ SECURITY ADVISORY: cookie leak with IP address as domain
+ SECURITY ADVISORY: cookie leak for TLDs
+ And many other fixes
+
+-------------------------------------------------------------------
+Thu Aug 28 21:59:59 UTC 2014 - andreas.stieger@gmx.de
+
+- curl 7.37.1:
+ This release includes many bugfixes and the following changes:
+ * bits.close: introduce connection close tracking
+ * darwinssl: Add support for --cacert
+ * polarssl: add ALPN support
+ * docs: Added new option man pages
+
+-------------------------------------------------------------------
+Thu Jun 12 11:45:03 UTC 2014 - vcizek@suse.com
+
+- update to 7.37.0
+ This release includes many bugfixes and the following changes:
+ * URL parser: IPv6 zone identifiers are now supported
+ * CURLOPT_PROXYHEADER: set headers for proxy-only
+ * CURLOPT_HEADEROPT: added
+ * curl: add --proxy-header
+ * sasl: Added support for DIGEST-MD5 via Windows SSPI
+ * sasl: Added DIGEST-MD5 qop-option validation in native challange handling
+ * imap: Expanded mailbox SEARCH support to use URL query strings [7]
+ * imap: Extended FETCH support to 
include PARTIAL URL specifier [7]
+ * nss: implement non-blocking SSL handshake
+ * build: Reworked Visual Studio project files
+ * poll: enable poll on darwin13
+ * mk-ca-bundle: added -p
+ * libtests: add a wait_ms() function
+ - dropped patches:
+ * curl-mkhelp.patch (upstream)
+ * curl-test815.patch (upstream)
+
+-------------------------------------------------------------------
+Fri Apr 11 06:51:54 UTC 2014 - vcizek@suse.com
+
+- remove the useless BuildRequires that were meant for debugging only
+
+-------------------------------------------------------------------
+Wed Apr 9 11:40:19 UTC 2014 - vcizek@suse.com
+
+- update to 7.36
+ * fixes CVE-2014-0138 (bnc#868627) and CVE-2014-0139 (bnc#868629)
+ * NEW FEATURES:
+ ntlm: Added support for NTLMv2
+ tool: Added support for URL specific options
+ openssl: add ALPN support
+ gtls: add ALPN support
+ nss: add ALPN and NPN support
+ added CURLOPT_EXPECT_100_TIMEOUT_MS
+ tool: add --no-alpn and --no-npn
+ added CURLOPT_SSL_ENABLE_NPN and CURLOPT_SSL_ENABLE_ALPN
+ http2: build with current nghttp2 version
+ openssl: info message with SSL version used
+ * dropped curl-test172_cookie_expiration.patch (upstream)
+ * added patches to make it build:
+ - curl-mkhelp.patch
+ - curl-test815.patch
+
+-------------------------------------------------------------------
+Thu Mar 13 13:53:08 CET 2014 - kukuk@suse.de
+
+- Disable BuildRequires for openssh, only needed for test suite,
+ but the test suite isn't able to start sshd anyways.
+ Solves the problem that openssh checkins triggers a nearly full
+ rebuild, too.
+
+-------------------------------------------------------------------
+Tue Feb 4 15:17:18 UTC 2014 - vcizek@suse.com
+
+- update to 7.35.0
+ * security fix:
+ CVE-2014-0015: re-use of wrong HTTP NTLM connection (bnc#858673)
+ * changes:
+ imap/pop3/smtp: Added support for SASL authentication downgrades
+ imap/pop3/smtp: Extended the login options to support multiple auth mechanisms
+ TheArtOfHttpScripting: major update, converted layout and more
+ mprintf: Added support for I, I32 and I64 size specifiers
+ makefile: Added support for VC7, VC11 and VC12
+ SSL: protocol version can be specified more precisely
+ imap/pop3/smtp: Added graceful cancellation of SASL authentication
+ Add "Happy Eyeballs" for IPv4/IPv6 dual connect attempts
+ base64: Added validation of base64 input strings when decoding
+ curl_easy_setopt: Added the ability to set the login options separately
+ smtp: Added support for additional SMTP commands
+ curl_easy_getinfo: Added CURLINFO_TLS_SESSION for accessing TLS internals
+ nss: allow to use TLS > 1.0 if built against recent NSS
+ SECURITY: added this document to describe our security processes
+ parseconfig: warn if unquoted white spaces are detected
+ * and many bugfixes
+- fix test failure because of an expired cookie (bnc#862144)
+ * added curl-test172_cookie_expiration.patch
+- refresh libcurl-ocloexec.patch
+
+-------------------------------------------------------------------
+Fri Nov 29 15:30:23 UTC 2013 - vcizek@suse.com
+
+- update to 7.33.0
+ * fixes CVE-2013-4545 (bnc#849596)
+ = curl: ssl cert checks unclear behaviour
+ o test code for testing the event based API
+ o CURLM_ADDED_ALREADY: new error code
+ o test TFTP server: support "writedelay" within
+ o krb4 support has been removed
+ o imap/pop3/smtp: added basic SASL XOAUTH2 support
+ o Pass password to OpenSSL engine by user interface
+ o c-ares: Add support for various DNS binding options
+ o cookies: add expiration
+ o curl: added --oauth2-bearer option
+
+-------------------------------------------------------------------
+Mon Aug 12 05:29:34 UTC 2013 - crrodriguez@opensuse.org
+
+- curl 7.32.0
+* curl: allow timeouts to accept decimal values
+* CURLOPT_XFERINFOFUNCTION: introducing a new progress callback
+* SIGPIPE: ignored while inside the library
+* OpenSSL: check for read errors
+* configure: automake 1.14 compatibility tweak
+* curl_multi_wait: set revents for extra fds
+* global dns cache: didn't work (regression)
+* mk-ca-bundle.1: don't install on make install
+
+
+-------------------------------------------------------------------
+Mon Jul 1 18:56:33 UTC 2013 - coolo@suse.com
+
+- avoid cycle between curl and krb5 by using krb5-mini-devel
+
+-------------------------------------------------------------------
+Mon Jun 24 14:00:11 UTC 2013 - vcizek@suse.com
+
+- update to 7.31.0
+ * includes fix for CVE-2013-2174 (bnc#824517)
+ * SECURITY VULNERABILITY: curl_easy_unescape() may parse data
+ beyond the end of the input buffer [26]
+ * Changes:
+ darwinssl: add TLS session resumption
+ darwinssl: add TLS crypto authentication
+ imap/pop3/smtp: Added support for ;auth= in the URL
+ imap/pop3/smtp: Added support for ;auth= to CURLOPT_USERPWD
+ usercertinmem.c: add example showing user cert in memory
+ url: Added smtp and pop3 hostnames to the protocol detection list
+ imap/pop3/smtp: Added support for enabling the SASL initial response
+ curl -E: allow to use ':' in certificate nicknames
+
+-------------------------------------------------------------------
+Fri Apr 12 11:36:47 UTC 2013 - vcizek@suse.com
+
+- update to 7.30.0
+ includes security fixes for CVE-2013-0249 and CVE-2013-1944
+ (bugs bnc#814655 and bnc#802411 respectively)
+ (dropped curl-CVE-2013-0249.patch)
+- Changes:
+ imap: Changed response tag generation to be completely unique
+ imap: Added support for SASL-IR extension
+ imap: Added support for the list command
+ imap: Added support for the append command
+ imap: Added custom request parsing
+ imap: Added support to the fetch command for UID and SECTION properties
+ imap: Added parsing and verification of the UIDVALIDITY mailbox attribute
+ imap/pop3/smtp: Added support for the STARTTLS capability
+ checksrc: ban use of sprintf, vsprintf, strcat, strncat and gets
+ curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag
+ Added CURLMOPT_MAX_HOST_CONNECTIONS, CURLMOPT_MAX_TOTAL_CONNECTIONS
+ for new multi interface connection handling
+ Added CURLMOPT_MAX_PIPELINE_LENGTH, CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE,
+ CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE, CURLMOPT_PIPELINING_SITE_BL
+ and CURLMOPT_PIPELI NING_SERVER_BL for new pipelining control
+ test: offer "automake" output and check for perl better
+ always-multi: always use non-blocking internals
+ imap: Added support for sasl digest-md5 authentication
+ imap: Added support for sasl cram-md5 authentication
+ imap: Added support for sasl ntlm authentication
+ imap: Added support for sasl login authentication
+ imap: Added support for sasl plain text authentication
+ imap: Added support for login disabled server capability
+ mk-ca-bundle: add -f, support passing to stdout and more
+ writeout: -w now supports remote_ip/port and local_ip/port
+- refreshed patches
+
+-------------------------------------------------------------------
+Sun Feb 17 17:04:34 UTC 2013 - crrodriguez@opensuse.org
+
+- Add curl-secure-getenv.patch: Use secure_getenv if available.
+ libcurl might be linked to a program where "secure execution" is
+ required.
+
+-------------------------------------------------------------------
+Thu Feb 7 10:54:15 UTC 2013 - vcizek@suse.com
+
+- fixed CVE-2013-0249 (bnc#802411)
+- refreshed patches
+
+-------------------------------------------------------------------
+Fri Jan 11 21:34:38 CET 2013 - sbrabec@suse.cz
+
+- Break build loop and make GPG signature verification optional.
+
+-------------------------------------------------------------------
+Tue Nov 27 20:05:00 CET 2012 - sbrabec@suse.cz
+
+- Verify GPG signature.
+
+-------------------------------------------------------------------
+Tue Nov 20 23:43:24 UTC 2012 - crrodriguez@opensuse.org
+
+- Curl 7.28.1
+* FTP: prevent the multi interface from blocking Obsoletes
+ curl-ftp-prevent-the-multi-interface-from-blocking.patch
+* don't send '#' fragments when using proxy
+* OpenSSL: Disable SSL/TLS compression - avoid the "CRIME" attack
+* TFTP: handle resend
+* memory leak: CURLOPT_RESOLVE with multi interface
+* SSL: Several SSL-backend related fixes
+
+-------------------------------------------------------------------
+Sun Nov 4 19:57:33 UTC 2012 - gber@opensuse.org
+
+- added curl-ftp-prevent-the-multi-interface-from-blocking.patch in
+ order to prevent the multi interface from blocking when using ftp
+ and the remote end responds very slowly (sf#3579064)
+
+-------------------------------------------------------------------
+Sun Jul 29 22:14:25 UTC 2012 - crrodriguez@opensuse.org
+
+- Curl 7.27.0
+* support metalinks
+* Add sasl authentication support
+* various bugfixes
+- Fix previous change, _GNU_SOURCE --> AC_USE_SYSTEM_EXTENSIONS
+
+-------------------------------------------------------------------
+Mon Jul 9 13:12:24 UTC 2012 - dnh@opensuse.org
+
+- define _GNU_SOURCE for oS/SLES <= 11.4, as O_CLOEXEC is
+ defined inside a ifdef __USE_GNU
+
+-------------------------------------------------------------------
+Sat May 12 23:24:56 UTC 2012 - jengelh@inai.de
+
+- Update to new upstream release 7.25.0
+* Added CURLOPT_TCP_KEEPALIVE, CURLOPT_TCP_KEEPIDLE,
+ CURLOPT_TCP_KEEPINTVL
+* use new library-side TCP_KEEPALIVE options
+* Added a new CURLOPT_MAIL_AUTH option
+* Added support for --mail-auth
+* (for more see the shipped CHANGES file)
+
+-------------------------------------------------------------------
+Wed Feb 8 00:45:18 UTC 2012 - crrodriguez@opensuse.org
+
+- Problem 
with the c-ares backend, workaround for [bnc#745534]
+
+-------------------------------------------------------------------
+Thu Feb 2 18:47:10 UTC 2012 - crrodriguez@opensuse.org
+
+- Update to version curl 7.24.0
+- refresh patches to fix broken build
+
+-------------------------------------------------------------------
+Wed Jan 18 13:49:56 CET 2012 - dmueller@suse.de
+
+- use the rpmoptflags unconditionally, don't do own compiler flag
+ magic. Fixes debuginfo package built
+
+-------------------------------------------------------------------
+Wed Dec 28 10:30:28 UTC 2011 - mmarek@suse.cz
+
+- Package /usr/share/aclocal to avoid build dependency on automake.
+
+-------------------------------------------------------------------
+Wed Nov 30 22:39:35 UTC 2011 - crrodriguez@opensuse.org
+
+- Use O_CLOEXEC in library code.
+
+-------------------------------------------------------------------
+Tue Nov 29 11:51:38 UTC 2011 - jengelh@medozas.de
+
+- Remove redundant/unwanted tags/section (cf. 
specfile guidelines)
+
+-------------------------------------------------------------------
+Tue Nov 29 08:20:23 UTC 2011 - idoenmez@suse.de
+
+- Use original source tarball
+
+-------------------------------------------------------------------
+Mon Nov 28 12:00:00 UTC 2011 - opensuse@dstoecker.de
+
+- Update to version 7.23.1:
+ + Empty headers can be sent in HTTP requests by terminating with a semicolon
+ + SSL session sharing support added to curl_share_setopt()
+ + Added support to MAIL FROM for the optional SIZE parameter
+ + smtp: Added support for NTLM authentication
+ + curl tool: code split into tool_*.[ch] files
+ + lots of bugfixes
+-------------------------------------------------------------------
+Mon Oct 3 15:44:17 UTC 2011 - dimstar@opensuse.org
+
+- Update to version 7.22.0:
+ + Added CURLOPT_GSSAPI_DELEGATION
+ + Added support for NTLM delegation to Samba's winbind daemon
+ helper ntlm_auth
+ + Display notes from setup file in testcurl.pl
+ + BSD-style lwIP TCP/IP stack experimental support on Windows
+ + OpenSSL: Use SSL_MODE_RELEASE_BUFFERS if available
+ + --delegation was added to set CURLOPT_GSSAPI_DELEGATION
+ + nss: start with no database if the selected database is broken
+ + telnet: allow programatic use on Windows
+ + for a list of bugfixes, see
+ http://curl.haxx.se/changes.html#7_22_0
+- Drop curl-openssl-release-buffers.patch: fixed upstream.
+- Add curl-fix-m4.patch: Use 'x' in configure scripts. Fixes issues
+ when configure is run with -Werror -Wall.
+
+-------------------------------------------------------------------
+Sun Sep 18 00:10:42 UTC 2011 - jengelh@medozas.de
+
+- Remove redundant tags/sections from specfile
+- Use %_smp_mflags for parallel build
+
+-------------------------------------------------------------------
+Fri Sep 16 17:22:44 UTC 2011 - jengelh@medozas.de
+
+- Add curl-devel to baselibs
+
+-------------------------------------------------------------------
+Mon Aug 15 05:05:01 UTC 2011 - crrodriguez@opensuse.org
+
+- Use SSL_MODE_RELEASE_BUFFERS if available, accepted
+ in upstream as commit 3d919440c80333c496fb
+
+-------------------------------------------------------------------
+Tue Jul 12 06:46:02 UTC 2011 - coolo@novell.com
+
+- remove support for old suse_versions
+
+-------------------------------------------------------------------
+Mon Jul 11 11:40:17 CEST 2011 - pth@suse.de
+
+- Update to 7.21.7:
+ - Fix libcurl inappropriate GSSAPI delegation. Full details at
+ http://curl.haxx.se/docs/adv_20110623.html
+ - Some other minor fixes.
+
+- Use the lzma compressed tarball provided upstreams.
+
+-------------------------------------------------------------------
+Fri May 20 16:25:34 UTC 2011 - crrodriguez@opensuse.org
+
+- remove unintented LDFLAGS from the spec file
+
+-------------------------------------------------------------------
+Fri May 20 15:37:54 UTC 2011 - crrodriguez@opensuse.org
+
+- Update to 7.21.6
+* curl-config: fix --version
+* use HTTPS properly after CONNECT
+* SFTP: close file before post quote operations
+
+-------------------------------------------------------------------
+Thu Apr 14 17:02:19 UTC 2011 - crrodriguez@opensuse.org
+
+- bnc#598574 has been fixed in upstream commit 8ab137b2bc9630ce20f4
+ already, so enable c-ares support again.
+
+-------------------------------------------------------------------
+Sat Apr 9 20:42:27 UTC 2011 - crrodriguez@opensuse.org
+
+- Support openSSL compiled without SSLv2 support
+- Update to version 7.21.4
+ * SMTP: add brackets for MAIL FROM
+ * multi: connect fail => use next IP address
+ * pubkey_show: allocate buffer to fit any-size result
+ * Curl_do: avoid using stale conn pointer
+ * tftpd test server: avoid buffer overflow report from glibc
+ * OpenSSL get_cert_chain: support larger data sets
+ * SCP/SFTP transfers: acknowledge speedcheck
+ * connect problem: use UDP correctly
+ * OpenSSL: improved error message on SSL_CTX_new failures
+ * HTTP: memory leak on multiple Location:
+ * curl.1: typo in -v description
+ * CURLOPT_SOCKOPTFUNCTION: return proper error code --keepalive-time
+ * file: add support for CURLOPT_TIMECONDITION
+ * multi: fix CURLM_STATE_TOOFAST for multi_socket
+-------------------------------------------------------------------
+Fri Oct 22 16:37:03 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- Update to version 7.21.2
+ * curl -T: ignore file size of special files
+ * Added GOPHER protocol support
+ * Added mk-ca-bundle.vbs script
+ * c-ares build now requires c-ares >= 1.6.0
+ * --remote-header-name security vulnerability fixed
+ * multi: support the timeouts correctly, fixes known bug #62
+ * multi: use timeouts properly for MAX_RECV/SEND_SPEED
+ * negotiation: Wrong proxy authorization
+ * multi: avoid sending multiple complete messages
+ * cmdline: make -F type= accept ;charset=
+ * RESUME_FROM: clarify what ftp uploads do
+ * http: handle trailer headers in all chunked responses
+ * Curl_is_connected: use correct errno
+ * progress: callback for POSTs less than MAX_INITIAL_POST_SIZE
+ * Link curl and the test apps with -lrt explicitly when necessary
+ * chunky parser: only rewind stream internally if needed
+ * remote-header-name: don't output filename when NULL
+ * Curl_timeleft: avoid returning "no timeout" by mistake
+ * 
timeout: use the correct start value as offset
+ * FTP: fix wrong timeout trigger
+ * rtsp: avoid SIGSEGV on malformed header
+ * LDAP: Support for tunnelling queries through HTTP proxy
+ * curl_easy_duphandle: clone the c-ares handle correctly
+ * support URL containing colon without trailing port number
+ * parsedate: allow time specified without seconds
+ * curl_easy_escape: don't escape "unreserved" characters
+ * SFTP: avoid downloading negative sizes
+ * Lots of GSS/KRB FTP fixes
+ * TFTP: Work around tftpd-hpa upload bug
+ * libcurl.m4: several fixes
+ * HTTP: remove special case for 416
+ * globbing: fix crash on unballanced open brace
+
+-------------------------------------------------------------------
+Wed Jun 2 14:12:54 UTC 2010 - lnussel@suse.de
+
+- allowing switching to nss instead of openssl via bcond
+
+-------------------------------------------------------------------
+Mon May 10 01:12:22 UTC 2010 - crrodriguez@opensuse.org
+
+- disable c-ares support while bnc598574 is fixed.
+
+-------------------------------------------------------------------
+Sat Apr 24 10:58:50 UTC 2010 - coolo@novell.com
+
+- buildrequire pkg-config to fix provides
+
+-------------------------------------------------------------------
+Fri Apr 23 00:53:19 UTC 2010 - crrodriguez@opensuse.org
+
+- Update to libcurl 7.20.1
+ * off-by-one in the chunked encoding trailer parser
+ * CURLOPT_CERTINFO memory leak
+ * threaded resolver double free when closing curl handle
+ * url_multi_remove_handle() caused use after free
+ * SSL possible double free when reusing curl handle
+ * alarm()-based DNS timeout bug
+
+-------------------------------------------------------------------
+Wed Mar 24 18:39:57 UTC 2010 - crrodriguez@opensuse.org
+
+- enable libssh2 support unconditionally.
+
+-------------------------------------------------------------------
+Wed Mar 10 13:46:45 UTC 2010 - crrodriguez@opensuse.org
+
+- enable libcares support unconditionally.
+
+-------------------------------------------------------------------
+Sat Feb 13 21:39:56 CET 2010 - dimstar@opensuse.org
+
+- Update to version 7.20.0:
+ * support SSL_FILETYPE_ENGINE for client certificate
+ * curl-config can now show the arguments used when building curl
+ * non-blocking TFTP
+ * send Expect: 100-continue for POSTs with unknown sizes
+ * added support for IMAP(S), POP3(S), SMTP(S) and RTSP
+ * added new curl_easy_setopt() options for SMTP and RTSP
+ * added --mail-from and --mail-rcpt for SMTP
+ * VMS build system enhancements
+ * added support for the PRET ftp command
+ * curl supports --ssl and --ssl-reqd
+ * added -J/--remote-header-name for using server-provided
+ filename with -O
+ * enhanced asynchronous DNS lookups
+ * symbol CURL_FORMAT_OFF_T is obsoleted
+ * many bugfixes
+
+-------------------------------------------------------------------
+Tue Jan 26 11:33:14 CET 2010 - mmarek@suse.cz
+
+- updated to 7.19.7
+ * -T. is now for non-blocking uploading from stdin
+ * SYST handling on FTP for OS/400 FTP server cases
+ * libcurl refuses to read a single HTTP header longer than 100K
+ * added the --crlfile option to curl
+ * many bugfixes
+
+
+-------------------------------------------------------------------
+Mon Jan 11 11:38:16 CET 2010 - meissner@suse.de
+
+- add baselibs.conf as source
+
+-------------------------------------------------------------------
+Thu Aug 13 21:30:37 CEST 2009 - mmarek@suse.cz
+
+- updated to 7.19.6
+ * CURLOPT_FTPPORT (and curl's -P/--ftpport) support port ranges
+ * Added CURLOPT_SSH_KNOWNHOSTS, CURLOPT_SSH_KEYFUNCTION,
+ CURLOPT_SSH_KEYDATA
+ * CURLOPT_QUOTE, CURLOPT_POSTQUOTE and CURLOPT_PREQUOTE can be
+ told to ignore error responses when used with FTP
+ * fixed CVE-2009-2417 (matching certificates with embedded NUL
+ bytes)
+ * many other bugfixes
+
+-------------------------------------------------------------------
+Tue May 19 15:03:25 CEST 2009 - mmarek@suse.cz
+
+- remove the Obsoletes: 
curl-ca-bundle, it breaks parallel
+ installation of older libcurl packages (bnc#484044).
+
+-------------------------------------------------------------------
+Tue May 19 15:00:02 CEST 2009 - mmarek@suse.cz
+
+- updated to 7.19.5
+ * libcurl now closes all dead connections whenever you attempt to
+ open a new connection
+ * libssh2's version number can now be figured out run-time
+ instead of using the build-time fixed number
+ * CURLOPT_SEEKFUNCTION may now return CURL_SEEKFUNC_CANTSEEK
+ * curl can now upload with resume even when reading from a pipe
+ * a build-time configured curl_socklen_t is now used instead of
+ socklen_t
+- by default, don't abort if the testsuite fails.
+
+
+-------------------------------------------------------------------
+Thu Mar 5 11:12:41 CET 2009 - mmarek@suse.cz
+
+- don't run autoreconf -fi as it breaks on older distros and
+ upstream uses recent autotools already.
+
+-------------------------------------------------------------------
+Mon Mar 2 15:44:14 CET 2009 - mmarek@suse.cz
+
+- updated to 7.19.4
+ * don't follow redirects to file:// and scp:// by default; add
+ new curl_easy_setopt options CURLOPT_PROTOCOLS and
+ CURLOPT_REDIR_PROTOCOLS to specify which protocols are allowed
+ and which protocols are allowed to redirect to (bnc#475103,
+ CVE-2009-0037)
+ * Added CURLOPT_NOPROXY and the corresponding --noproxy
+ * the OpenSSL-specific code disables TICKET (rfc5077) which is
+ enabled by default in openssl 0.9.8j
+ * Added CURLOPT_TFTP_BLKSIZE
+ * Added CURLOPT_SOCKS5_GSSAPI_SERVICE and
+ CURLOPT_SOCKS5_GSSAPI_NEC - with the corresponding curl options
+ --socks5-gssapi-service and --socks5-gssapi-nec
+ * Improved IPv6 support when built with with c-ares >= 1.6.1
+ * Added CURLPROXY_HTTP_1_0 and --proxy1.0
+ * Added docs/libcurl/symbols-in-versions
+ * Added CURLINFO_CONDITION_UNMET
+ * Added support for Digest and NTLM authentication using GnuTLS
+ * CURLOPT_FTP_CREATE_MISSING_DIRS can now be set to 2 to retry
+ the CWD 
even when MKD fails + * GnuTLS initing moved to curl_global_init() + * CURLAUTH_DIGEST_IE bit added for CURLOPT_HTTPAUTH and + CURLOPT_PROXYAUTH + * pkg-config can now show supported_protocols and + supported_features + * Added CURLOPT_CERTINFO and CURLINFO_CERTINFO + * Added CURLOPT_POSTREDIR + * Better detect HTTP 1.0 servers and don't do HTTP 1.1 requests + on them + * configure --disable-proxy disables proxy support + * Added CURLOPT_USERNAME and CURLOPT_PASSWORD + * --interface now works with IPv6 connections on glibc systems + * Added CURLOPT_PROXYUSERNAME and CURLOPT_PROXYPASSWORD + + + +------------------------------------------------------------------- +Wed Dec 10 12:34:56 CET 2008 - olh@suse.de + +- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade + (bnc#437293) + +------------------------------------------------------------------- +Thu Oct 30 12:34:56 CET 2008 - olh@suse.de + +- obsolete old -XXbit packages (bnc#437293) + +------------------------------------------------------------------- +Mon Sep 15 11:26:06 CEST 2008 - mmarek@suse.cz + +- only buildrequire stunnel when built --with stunnel + +------------------------------------------------------------------- +Thu Sep 11 09:20:08 CEST 2008 - mmarek@suse.cz + +- test 279 no longer fails with runtests.pl -b + +------------------------------------------------------------------- +Tue Sep 2 14:23:51 CEST 2008 - mmarek@suse.cz + +- updated to 7.19.0 + * curl_off_t gets its size/typedef somewhat differently than + before. This _may_ cause an ABI change for you. See + /usr/share/doc/packages/curl/README.curl_off_t for a full + explanation. 
(Should not affect our package as it has LFS + enabled) + * Added CURLINFO_PRIMARY_IP + * Added CURLOPT_CRLFILE and CURLE_SSL_CRL_BADFILE + * Added CURLOPT_ISSUERCERT and CURLE_SSL_ISSUER_ERROR + * curl's option parser for boolean options reworked + * Added --remote-name-all + * Added CURLINFO_APPCONNECT_TIME + * Added test selection by key word in runtests.pl + * the curl tool's -w option support the %{ssl_verify_result} + variable + * Added CURLOPT_ADDRESS_SCOPE and scope parsing of the URL + according to RFC4007 + * Support --append on SFTP uploads (not with OpenSSH, though) + * Added curlbuild.h and curlrules.h to the external library + interface + * lots of bugfixes + +------------------------------------------------------------------- +Wed Jun 4 18:05:43 CEST 2008 - mmarek@suse.cz + +- updated to 7.18.2 + * CURLFORM_STREAM was added + * CURLOPT_NOBODY is now supported over SFTP + * curl can now run on Symbian OS + * curl -w redirect_url and CURLINFO_REDIRECT_URL + * added curl_easy_send() and curl_easy_recv() + * some bugfixes + +------------------------------------------------------------------- +Sat May 17 19:22:10 CEST 2008 - coolo@suse.de + +- fix renaming of xxbit packages + +------------------------------------------------------------------- +Mon Apr 28 11:30:24 CEST 2008 - mmarek@suse.cz + +- disable c-ares support again until bnc#381709 is fixed +- build with libssh2 support in the devel:libraries:c_c++ project + +------------------------------------------------------------------- +Fri Apr 11 14:22:20 CEST 2008 - mmarek@suse.cz + +- build with c-ares support +- fixed build for older dists + +------------------------------------------------------------------- +Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de + +- added baselibs.conf file to build xxbit packages + for multilib support + +------------------------------------------------------------------- +Wed Apr 2 13:53:43 CEST 2008 - mmarek@suse.de + +- obsolete curl-ca-bundle by the library package + 
+------------------------------------------------------------------- +Mon Mar 31 10:16:30 CEST 2008 - mmarek@suse.cz + +- updated to 7.18.1 + * minor fixes since last update + +------------------------------------------------------------------- +Fri Mar 21 17:42:35 CET 2008 - mmarek@suse.cz + +- updated to cvs snapshot 20080321 + * added support for HttpOnly cookies + * we no longer distribute or install a ca cert bundle + * SSLv2 is now disabled by default for SSL operations + * the test509-style setting URL in callback is officially no + longer supported + * support a full chain of certificates in a given PKCS12 + certificate + * resumed transfers work with SFTP + * added type checking macros for curl_easy_setopt() and + curl_easy_getinfo(), watch out for new warnings in code using + libcurl (needs gcc-4.3 and currently only works in C mode) + * curl_easy_setopt(), curl_easy_getinfo(), curl_share_setopt() + and curl_multi_setopt() uses are now checked to use exactly + three arguments + + +------------------------------------------------------------------- +Mon Mar 10 11:03:56 CET 2008 - mmarek@suse.cz + +- clean up curl-config --libs output, thanks to Cristian Rodríguez + for pointing it out + +------------------------------------------------------------------- +Fri Mar 7 11:03:25 CET 2008 - mmarek@suse.cz + +- build with gssapi support (thanks to Michael Calmer) + +------------------------------------------------------------------- +Mon Feb 18 15:00:12 CET 2008 - mmarek@suse.cz + +- removed Requires: openssl-certs - doesn't exist on older dists + and is required by libopenssl otherwise +- allow to build the package even if the testsuite fails + +------------------------------------------------------------------- +Fri Feb 8 10:21:10 CET 2008 - mmarek@suse.cz + +- use /etc/ssl/certs instead of own curl-ca-bundle.crt + * more up-to-date ca cert collection (bnc#334690) + * allows for easier updates of ca certs + 
+------------------------------------------------------------------- +Tue Jan 29 10:01:27 CET 2008 - mmarek@suse.cz + +- updated to 7.18.0 + * --data-urlencode + * CURLOPT_PROXY_TRANSFER_MODE + * --no-keepalive - now curl does connections with keep-alive + enabled by default + * --socks4a added (proxy type CURLPROXY_SOCKS4A for libcurl) + * --socks5-hostname added (CURLPROXY_SOCKS5_HOSTNAME for libcurl) + * curl_easy_pause() + * CURLOPT_SEEKFUNCTION and CURLOPT_SEEKDATA + * --keepalive-time + * curl --help output was re-ordered + * bugfixes +- fixed test553 to work with different port number + +------------------------------------------------------------------- +Thu Jan 10 16:21:34 CET 2008 - mmarek@suse.cz + +- only print -lcurl in curl-config to reduce dependencies + +------------------------------------------------------------------- +Tue Dec 11 17:59:57 CET 2007 - mmarek@suse.cz + +- backported the CURLOPT_PROXY_TRANSFER_MODE patch [#306272#c26] + +------------------------------------------------------------------- +Fri Nov 16 12:06:39 CET 2007 - mmarek@suse.cz + +- fixed the testsuite on hosts that have no IPv6 support [#341994] + curl-testsuite-safely-skip-http-ipv6.patch + curl-testsuite-remember-broken-servers.patch +- added stunnel to BuildRequires to enable SSL tests + +------------------------------------------------------------------- +Tue Oct 30 09:14:04 CET 2007 - mmarek@suse.cz + +- updated to 7.17.1 + * automatically append ";type=" when using HTTP proxies for + FTP urls [#306272] + * improved NSS support + * added --proxy-negotiate + * added --post301 and CURLOPT_POST301 + * builds with c-ares 1.5.0 + * added CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and --hostpubmd5 + * renamed CURLE_SSL_PEER_CERTIFICATE to + CURLE_PEER_FAILED_VERIFICATION + * added CURLOPT_OPENSOCKETFUNCTION and CURLOPT_OPENSOCKETDATA + * CULROPT_COOKIELIST supports "FLUSH" + * added CURLOPT_COPYPOSTFIELDS + * added --static-libs to curl-config + * many bugfixes, inc. 
fix for bug #332917 + +------------------------------------------------------------------- +Thu Oct 11 16:19:56 CEST 2007 - mszeredi@suse.de + +- Add missing dependency (openldap2-devel) for libcurl-devel + +------------------------------------------------------------------- +Mon Oct 8 17:28:01 CEST 2007 - mmarek@suse.cz + +- updated to 7.17.0 + * curl_easy_setopt() now allocates strings passed to it + * LDAP libraries are now linked "regularly" and not with dlopen + (the strict-aliasing patch can go away) + * HTTP transfers have the download size info "available" earlier + * FTP transfers have the download size info "available" earlier + * several error codes and options were marked as obsolete and + subject to future removal (set CURL_NO_OLDIES to see if your + application is using them) + * some bugfixes (see /usr/share/doc/packages/curl/RELEASE-NOTES) +- added fixes for some post-7.17 bugs +- removed some less useful %%doc files + +------------------------------------------------------------------- +Fri Sep 14 09:20:35 CEST 2007 - mmarek@suse.cz + +- set transfer mode (binary/ascii) when retrieving ftp:// urls via + an http proxy (curl-ftp-httpproxy.patch) [#306272] + +------------------------------------------------------------------- +Wed Aug 29 12:25:59 CEST 2007 - mmarek@suse.cz + +- s/openssl-devel/libopenssl-devel/ [#305815] + +------------------------------------------------------------------- +Fri Aug 3 13:53:05 CEST 2007 - mmarek@suse.cz + +- updated to 7.16.4 + * added CURLOPT_NEW_FILE_PERMS and CURLOPT_NEW_DIRECTORY_PERMS + * improved hashing of sockets for the multi_socket API + * ftp kerberos5 support added + * some bugfixes (see /usr/share/doc/packages/curl/RELEASE-NOTES) +- fixed libcurl-devel Provides: [#293401] + + +------------------------------------------------------------------- +Mon Jul 9 10:35:48 CEST 2007 - mmarek@suse.cz + +- updated to 7.16.3 + * many bugfixes + * support for running multiple testsuites in paralell +- removed lfs patch 
leftover + +------------------------------------------------------------------- +Mon Jun 4 10:16:40 CEST 2007 - mmarek@suse.cz + +- install libcurl.m4 [#275462] + +------------------------------------------------------------------- +Fri Jun 1 11:57:28 CEST 2007 - dmueller@suse.de + +- fix obsoletes for alpha3 update +- fix ldconfig call + +------------------------------------------------------------------- +Wed May 23 16:22:39 CEST 2007 - bk@suse.de + +- updated to 7.16.2 (lots of fixes, fixes a segfault in git-http) + +------------------------------------------------------------------- +Fri May 4 14:55:41 CEST 2007 - mmarek@suse.cz + +- also avoid non-versioned obsoletes + +------------------------------------------------------------------- +Mon Apr 16 10:49:55 CEST 2007 - mmarek@suse.de + +- avoid non-versioned provides +- removed old curl_ssl provides/obsoletes from 7.1 times + +------------------------------------------------------------------- +Mon Apr 2 17:38:04 CEST 2007 - rguenther@suse.de + +- split off libcurl4 and curl-ca-bundle packages, rename curl-devel + to libcurl-devel + +------------------------------------------------------------------- +Sat Mar 31 18:53:00 CEST 2007 - rguenther@suse.de + +- add zlib-devel BuildRequires + +------------------------------------------------------------------- +Fri Feb 16 16:07:34 CET 2007 - mmarek@suse.cz + +- better patch for #246179 + +------------------------------------------------------------------- +Fri Feb 16 14:04:38 CET 2007 - mmarek@suse.cz + +- fix CURLOPT_RANGE reset for ftp transfers + [#246179] (ftp_range.patch) +- updated to 7.16.1 (other bugfixes) + +------------------------------------------------------------------- +Fri Jan 26 09:55:19 CET 2007 - mmarek@suse.cz + +- remove libcurl.a and libcurl.la (rationale: there are security + updates of curl from time to time, so statically linking it is + not acceptable) + +------------------------------------------------------------------- +Thu Jan 25 
15:36:29 CET 2007 - mmarek@suse.cz + +- fixed strict aliasing warnings + +------------------------------------------------------------------- +Tue Dec 19 14:59:34 CET 2006 - mmarek@suse.cz + +- updated to 7.16.0 + * removed CURLOPT_SOURCE_* options and --3p* command line option + (breaks python-curl atm) + * for a complete list of changes, see + /usr/share/doc/packages/curl/RELEASE-NOTES + +------------------------------------------------------------------- +Tue Aug 15 11:23:58 CEST 2006 - mmarek@suse.cz + +- configure with --enable-hidden-symbols to compile libcurl with + -fvisibility=hidden, exporting only symbols from the API + +------------------------------------------------------------------- +Tue Aug 15 10:41:28 CEST 2006 - mmarek@suse.cz + +- updated to version 7.15.5 + * added --ftp-ssl-reqd + * modified the prototype for the socket callback set with + CURLMOPT_SOCKETFUNCTION + * added curl_multi_assign() + * added CURLOPT_FTP_ALTERNATIVE_TO_USER and --ftp-alternative-to-user + * added a vcproj file for building libcurl + * added curl_formget() + * added CURLOPT_MAX_SEND_SPEED_LARGE and CURLOPT_MAX_RECV_SPEED_LARGE + * Made -K on a file that couldn't be read cause a warning to be displayed + * some bugfixes +- dropped epsv-firewall.patch which was intergrated in 7.15.2 + +------------------------------------------------------------------- +Sat Jul 1 21:28:06 CEST 2006 - cthiel@suse.de + +- update to version 7.15.4, changes & fixes for this version: + * NTLM2 session response support + * CURLOPT_COOKIELIST set to "SESS" clears all session cookies + * CURLINFO_LASTSOCKET returned sockets are now checked more before + returned + * curl-config got a --checkfor option to compare version numbers + * line end conversions for FTP ASCII transfers + * curl_multi_socket() API added (still mostly untested) + * conversion callback options for EBCDIC <=> ASCII conversions + * added CURLINFO_FTP_ENTRY_PATH + * less blocking for the multi interface during (Open)SSL 
connect + negotiation + * builds fine on cygwin + * md5-sess with Digest authentication + * dict with letters such as space in a word + * dict with url-encoded words in the URL + * libcurl.m4 when default=yes but no libcurl was found + * numerous bugs fixed in the TFTP code + * possible memory leak when adding easy handles to multi stack + * TFTP works in a more portable fashion (== on more platforms) + * WSAGetLastError() is now used (better) on Windows + * GnuTLS non-block case that could cause data trashing + * deflate code survives lack of zlib header + * CURLOPT_INTERFACE works with hostname + * configure runs fine with ICC + * closed control connection with FTP when easy handle was removed from + multi + * curl --trace crash when built with VS2005 + * SSL connect time-out + * improved NTLM functionality + * following redirects with more than one question mark in source URL + * fixed debug build crash with -d + * generates a fine AIX Toolbox RPM spec + * treat FTP AUTH failures properly + * TFTP transfers could trash data + * -d + -G combo crash + +------------------------------------------------------------------- +Wed Jun 14 17:36:10 CEST 2006 - mmarek@suse.cz + +- fixed syntax error in configure + +------------------------------------------------------------------- +Sun May 28 16:16:33 CEST 2006 - cthiel@suse.de + +- update to version 7.15.3, changes & fixes for this version: + * added docs for --ftp-method and CURLOPT_FTP_FILEMETHOD + * TFTP Packet Buffer Overflow Vulnerability (CVE-2006-1061) + * properly detecting problems with sending the FTP command USER + * wrong error message shown when certificate verification failed + * multi-part formpost with multi interface crash + * the CURLFTPSSL_CONTROL setting for CURLOPT_FTP_SSL is acknowledged + * "SSL: couldn't set callback" is now treated as a less serious problem + * Interix build fix + * fixed curl "hang" when out of file handles at start + * prevent FTP uploads to URLs with trailing slash + +- changes 
& fixes in 7.15.2 + * Support for SOCKS4 proxies (added --socks4) + * CURLOPT_CONNECT_ONLY and CURLINFO_LASTSOCKET added + * CURLOPT_LOCALPORT and CURLOPT_LOCALPORTRANGE (--local-port) added + * Dropped support for the LPRT ftp command + * Gopher is now officially abandoned as a protocol (lib)curl tries to + support + * curl_global_init() and curl_global_cleanup() are now using a refcount so + that it is now legal to call them multiple times. See updated info for + details + * two bugs concerning using curl_multi_remove_handle() before the transfer + was complete + * multi-pass authentication and compressed content + * minor format string mistake in the GSS/Negotiate code + * cached DNS entries could remain in the cache too long + * improved GnuTLS check in configure + * re-used FTP connections when the second request didn't do a transfer + * plain --limit-rate [num] means bytes + * re-creating a dead connection is no longer counted internally as a + followed redirect and thus prevents a weird error that would occur if a + FTP connection died on an attempted re-use + * Try PASV after failing to connect to the port the EPSV response + contained + * -P [IP] with non-local address with ipv6-enabled curl + * -P [hostname] with ipv6-disabled curl + * libcurl.m4 was updated + * configure no longer warns if the current path contains a space + * test suite kill race condition + * FTP_SKIP_PASV_IP and FTP_USE_EPSV when doing FTP over HTTP proxy + * Doing a second request with FTP on the same bath path, would make + libcurl confuse what current working directory it had + * FTP over HTTP proxy now sends the second CONNECT properly + * numerous compiler warnings and build quirks for various compilers have + been addressed + * supports name and passwords up to 255 bytes long, embedded in URLs + * the HTTP_ONLY define disables the TFTP support + +- removed curl-7.15.1-CVE-2006-1061.patch, included upstream +- removed curl-7.15.1-aliasing.patch + 
+------------------------------------------------------------------- +Tue Mar 14 12:35:53 CET 2006 - mmarek@suse.cz + +- fix buffer overflow in TFTP code + [#157874] (CVE-2006-1061.patch) + +------------------------------------------------------------------- +Wed Feb 15 02:53:15 CET 2006 - ro@suse.de + +- added libidn-devel to requires of devel package + +------------------------------------------------------------------- +Mon Feb 13 16:32:40 CET 2006 - mmarek@suse.cz + +- build with libidn support + [#150313] + +------------------------------------------------------------------- +Fri Jan 27 01:07:37 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Mon Jan 23 17:20:59 CET 2006 - mmarek@suse.cz + +- fallback to PASV if some firewall doesn't let an EPSV connection + trough + +------------------------------------------------------------------- +Thu Jan 12 15:45:18 CET 2006 - mmarek@suse.cz + +- build with -fstack-protector +- add dependency on curl = %%{version} to curl-devel + +------------------------------------------------------------------- +Tue Jan 10 15:24:29 CET 2006 - mmarek@suse.cz + +- remove non-existent path /usr/ssl, which caused -L/usr/ssl/lib to + appeared in curl-config output +- use make -j + +------------------------------------------------------------------- +Tue Dec 13 13:23:13 CET 2005 - mmarek@suse.cz + +- updated to 7.15.1, fixing previous vulnerabilities + +------------------------------------------------------------------- +Thu Oct 13 16:00:00 CEST 2005 - mmarek@suse.cz + +- fix stack buffer overflow in lib/http_ntlm.c [#128065] + +------------------------------------------------------------------- +Mon Oct 10 14:20:12 CEST 2005 - mmarek@suse.cz + +- updated to 7.14.1 +- updated curl-7.14.1-aliasing.patch + +------------------------------------------------------------------- +Mon Jun 20 16:38:34 CEST 2005 - anicka@suse.cz + +- update to 7.14.0 +- 
remove obsolete patch curl-ntlm.patch + +------------------------------------------------------------------- +Tue Apr 12 16:37:59 CEST 2005 - tcrhak@suse.cz + +- packaged curl-ca-bundle.crt (bug #64301) + +------------------------------------------------------------------- +Thu Feb 24 10:07:13 CET 2005 - meissner@suse.de + +- enable make test. fixed test 241 to use ::1 directly. + +------------------------------------------------------------------- +Tue Feb 22 10:46:21 CET 2005 - mcihar@suse.cz + +- fix buffer overflow in NTLM (bug #65752) + +------------------------------------------------------------------- +Tue Feb 8 18:36:38 CET 2005 - mcihar@suse.cz + +- update to 7.13.0 + +------------------------------------------------------------------- +Wed Aug 11 11:31:07 CEST 2004 - tcrhak@suse.cz + +- update to 7.12.0 + +------------------------------------------------------------------- +Wed Apr 28 19:57:41 CEST 2004 - tcrhak@suse.cz + +- strict aliasing fix + +------------------------------------------------------------------- +Tue Mar 16 17:31:01 CET 2004 - tcrhak@suse.cz + +- fix for lfs for in transfer.c (bug #36040) + +------------------------------------------------------------------- +Wed Feb 25 19:29:05 CET 2004 - tcrhak@suse.cz + +- ignore leading slashes of url-path in URLs like + ftp://user@name//url-path, i.e don't change to the + root directory (RFC 1738, bug #34471) + +------------------------------------------------------------------- +Tue Feb 10 17:39:28 CET 2004 - tcrhak@suse.cz + +- update to version 7.11.0 + +------------------------------------------------------------------- +Sat Jan 10 16:13:21 CET 2004 - adrian@suse.de + +- add %defattr and %run_ldconfig + +------------------------------------------------------------------- +Wed Nov 05 16:20:21 CET 2003 - tcrhak@suse.cz + +- added large file support, patch lfs [bug #32411] + +------------------------------------------------------------------- +Thu Sep 04 17:48:46 CEST 2003 - tcrhak@suse.cz + +- 
require zlib-devel, openssl-devel and glibc-devel in curl-devel [bug #29881] + +------------------------------------------------------------------- +Fri Aug 08 09:39:30 CEST 2003 - tcrhak@suse.cz + +- terminate array of directory components by NULL (bug #28351, patch dirs) + +------------------------------------------------------------------- +Wed Jul 23 19:36:56 CEST 2003 - tcrhak@suse.cz + +- update to version 7.10.5 + +------------------------------------------------------------------- +Tue Jun 3 01:24:42 CEST 2003 - ro@suse.de + +- remove unpackaged files from buildroot + +------------------------------------------------------------------- +Wed Nov 27 17:27:13 CET 2002 - tcrhak@suse.cz + +- update to version 7.10.2 +- moved curl-config.1.gz to the devel subpackage [bug #21966] + +------------------------------------------------------------------- +Sat Jul 13 17:25:58 CEST 2002 - tcrhak@suse.cz + +- update to version 7.9.8 +- added automake + +------------------------------------------------------------------- +Fri Jan 18 17:45:31 CET 2002 - tcrhak@suse.cz + +- used macros %{_lib} and %{_libdir} +- update to 7.9.2 + +------------------------------------------------------------------- +Fri Oct 19 08:38:40 CEST 2001 - ro@suse.de + +- do not pack shared library into both, main and devel package + +------------------------------------------------------------------- +Mon Oct 8 11:35:52 CEST 2001 - tcrhak@suse.cz + +- update to version 7.9 + +------------------------------------------------------------------- +Fri Sep 21 11:46:09 CEST 2001 - adostal@suse.cz + +- fix manual in man.patch + +------------------------------------------------------------------- +Tue Aug 21 16:10:10 CEST 2001 - adostal@suse.cz + +- update to version 7.8.1 + +------------------------------------------------------------------- +Wed Jul 18 10:21:13 CEST 2001 - adostal@suse.cz + +- files devel fixed + +------------------------------------------------------------------- +Mon Jul 2 17:51:34 CEST 
2001 - adostal@suse.cz + +- update to version 7.8 + +------------------------------------------------------------------- +Wed Jun 13 17:33:41 CEST 2001 - ro@suse.de + +- fixed to compile with new autoconf + +------------------------------------------------------------------- +Mon Apr 9 14:39:03 CEST 2001 - cihlar@suse.cz + +- update to version 7.7.1 + +------------------------------------------------------------------- +Tue Mar 6 10:03:05 CET 2001 - cihlar@suse.cz + +- update to version 7.6.1 + +------------------------------------------------------------------- +Wed Jan 3 09:13:15 CET 2001 - cihlar@suse.cz + +- fixed Provides and Obsoletes also for curl-devel + +------------------------------------------------------------------- +Tue Dec 19 07:16:38 CET 2000 - cihlar@suse.cz + +- fixed name +- added Obsoletes: curl_ssl + +------------------------------------------------------------------- +Mon Dec 18 15:13:25 CET 2000 - cihlar@suse.cz + +- changed to ssl support + +------------------------------------------------------------------- +Thu Nov 16 14:25:18 CET 2000 - cihlar@suse.cz + +- renamed curldev -> curl-devel +- update to version 7.4.2 + +------------------------------------------------------------------- +Tue Oct 17 09:16:16 CEST 2000 - cihlar@suse.cz + +- update to version 7.4.1 - security bug fixed + +------------------------------------------------------------------- +Wed Aug 30 09:34:32 CEST 2000 - cihlar@suse.cz + +- package created + diff --git a/curl.keyring b/curl.keyring new file mode 100644 index 0000000..0c77721 --- /dev/null +++ b/curl.keyring 
@@ -0,0 +1,77 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQGiBD6tnnoRBACRPnFBVoapBrTpPrCNZ2rq3DcmW6n/soQJW47+zP+vcrcxQ1WJ
+QiWSzLGO+QOIUZSYfnliR22r8HkFX9EUSW3IAcRMJMsaO3wMJ0a+78a9QqWLp6RV
+0arcQkuuCvG79h+yJ6NnoAXe1geRt8vNGsaWtsS91CtYlTSs6JVtaRLnYwCg/Ly1
+EFgvNZ6SJRc/8I5rRv0lrz8D/0goih2kZ5z4SI+r2hgABNcN7g565YwGKaQDbIch
+soh3OBzgETWc3wuAZqmCzQXPXMpMx+ziqX6XDzDKNiGL1CdrBJQd0II8UutWVDje
+f9UxLfo02YQ8diGYeq0u9k1RezC13w4TVUmQfg0Uqn4xM6DNzO1O6yCK8rlNwsvL
+gHNJA/9m1pfzjpvdxtmJNKRU3C4cRCjXhxNdM7laSEj0/wOGaR2QWWEge51orWwo
+SLQUIe4BDPvtRStQHC+tI7qr7d12rMMEBXviJC5EkGBOzlgWr9virjM/u/pkGMc2
+m5r3pVuWH/JSsHsV952y2kWP64uP4zdLXOpVzX/xs0sYJ9nOPLQnRGFuaWVsIFN0
+ZW5iZXJnIChIYXh4KSA8ZGFuaWVsQGhheHguc2U+iF4EExECAB4CHgECF4AFAlQU
+ki4FCwkIBwMFFQoJCAsFFgIDAQAACgkQeOEcayedXJEOOwCggCsNHdAQPAlPte3w
+i2IZEekkM0YAoOXXPFAWjUwIHjZY41l7WgzACbANiFkEExECABkFAj6tnnoECwcD
+AgMVAgMDFgIBAh4BAheAAAoJEHjhHGsnnVyRjngAoO1y3LoSOEgD8vR062cdYDmv
+jLvVAJ0dmp1UiuQp+oMyq2VbWyw8LXN1XLkBDQQ+rZ59EAQAmYsA8gPjJ75gOIPb
+XNg9Z31QzIz65qS9XdNsFNAdKxnY4b72nhc0oaS9/7Dcdf2Q+1mDa2p72DWk+9iz
+7knmBL++csBP2z9eMe5h8oV53prqNOHDHyL3WLOa25ga9381gZnzWoQME74iSBBM
+wDw8vbLEgIZ34JaQ7Oe+9N3+6n8AAwcD/Av+Ms+3gCc5pLp4nx36qqi36fodaG9+
+dwIcMbr9bivEtjmDHeuPsD6X1J9+Y/ikUBIDpMPv33lJxLoubOtpLhEuN2XN/ojT
+rueVPDKA1f+GyfHnyfpf/78IgX1hGVqu/3RBWKPpXFwSZA4q8vFR+FaPC5WbU68t
+FLJpYuC9ZO/LiEYEGBECAAYFAj6tnn0ACgkQeOEcayedXJGtPQCgxrbd59afemZ9
+OIadZD8kUGC29dUAoJ94aGUkWCwoEiPyEZRGXv9XRlfxmQENBFcGhyIBCAC79AIx
+5hHixKmNtqbryuZTDwlt9XXkEn/QSrQD3pzgbsbBiWyqOV4hfscvtmoqA7koOw4h
+zZ/b8pJPA36eNzqMFIbkWpIit/BwA5bTKRkKXeD2kBFkjIN+iDuXawwhv7eNKH9O
+poAUe0K/esK/kvbMO721q24IgkOjB1Vtr/Y4Xkg7+VWVP0LFh7C/2Nwq6n2bktsA
+Ey9uCDD1hl8BdckN/XxpuUqSfxbF85GvYzzON67zOxxo6jqRXXcJ2PdPq0o9Ak0d
+6Fe7g9ZxOAeuYEbFTCZHBBccx84K0Bhn5tpqoq8Mq3f3mZfGBoe4J6wr17cxEDC8
+tTHUpDqk0CoLERUxABEBAAG0IERhbmllbCBTdGVuYmVyZyA8ZGFuaWVsQGhheHgu
+c2U+iQE3BBMBCgAhBQJXBociAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJ
+EPn+r/nTShvbHoAIAJDwb7dcAX4VGPa2oSuQqVnHsjDE7g8ATmcZq2IAzAG6bZg1
+svuhNyPQnL7kNrsz6Ew+yE4vH8mOjDUbc3feY4MzmtEMaB6VS0Xlna6cdtWkv4Y+
+Us4TuYSdftPZuZgI3nN/sXLlxWJCZgCPJJaGM6dXgyTFatk2P1LE98Qif7+ZMqfv
++BA5L6cy2cAwJ5qbvLtuT25rTxooN54JETfwdhUD1NEIqTQxeC4E5lFvwedjAjLh
+Gswau8WMCdM/HzGbuQ9Gp3/RafYoAvMV6r6sskvUrWubCHj0u+uNgOpUHvlrwcFg
+rBirzQdElumCWqbJVCH0V5NcP/zSz1U1W8wSRqS5AQ0EVwaHIgEIALyCqpnax0cL
+y7EK3UiU2Kkryb7LPsZkia9hTcIZjNg0B8XAdqDYpHiquYtX0cz5I1sSZMBJ/xJP
+BF2ce/bmOTJtyW3GaF9a+M2zboZSzx9nlv9xx0o3bXBrBlL2vaG2TW+x2G53GA0/
+0chbj35PR+fvJx8ob/fHwCkfzGb1qCzwovhwGVUNHqI5bxK/xVwXfiycbllE3Hmf
+09BGeXKR7gQtaal8byKKlqCtayteEaPNQt6czYxZkVAOvY4ZDQKSZJUNwGFog3bG
+6rHr1J/0un6nAvX+wMuvRkUDiQxZZCel7e0Qcg3gPrYh+adlr0Tn7wyCP7/BULz8
+67fQfzc2ENkAEQEAAYkBHwQYAQoACQUCVwaHIgIbDAAKCRD5/q/500ob27KaB/9H
+a+iDip6mxFdoqy7TAefBy7KgbMQxxT926IcFqf70aJDzeVQI3lGCqN9GW03d+wPr
+LoyeQBQKNxxfQ9fEOvp1AXGWFIYYtEZIvQBpIqaSaA7W5IzqfDuO9xG89DNn8zKK
+nh/mbYJov/fywhBU6JH7bqdFSHbqoG9TY64s0BkV6shIVOubXLSG5G7LxXhw+xrb
+0zl4ie2wCeCBOLdbGHc+o2sKo1rBEz6UBK2DesPfkzxBO7lfa9HTcN03UJPHXmzb
+2mCbeFV8yPsTAoaGv4qZH1+FX+9Lv374xTSXa4CjQzSxd0dkZGG+YQjocoPftgsC
+OVsiqW0WhRVIEJ+hBAMUmQENBFcGiPEBCAC7sCnaZqWxfXNgBC7P28BSDUs9w4y/
+PEFsOv9bpgbgZagX1FnhG0eV71nm0p8v9T8Bft1eXaBd977Dq9pgk5qKO0xZo8fC
+8prFqB5db7fMUvPZCuJTTb6lGMz4OdfT6aHqUvJ+LFF1mKn8Eqt1Q4snHGSL1PI3
+/+435qDRQsU15GdYrj1waNJKk79aes9oguaI2/OTQqzIcOFK5tJjlSOD1ryOIH1e
+8vD+5MMpGvsRxv3sQHeTZkfZbkzSLFg/LKpoiQkyql1+BLNhBYq8oaE/jlvQrTEk
+bAyKpMScdyHwmkWWKjyZtXTrAtlComnki4yC2lAV9MXINHHvNJBcIXvVABEBAAG0
+IERhbmllbCBTdGVuYmVyZyA8ZGFuaWVsQGhheHguc2U+iQE3BBMBCgAhBQJXBojx
+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEFzJCP23HhLCOKkH/1CyoKiN
+2PCgTlWoYQspv/AAmsj+cFwZobI167KowA+o3zxQqxg0MV3ds8G+iig9OIuYurlQ
+L5Jr3CbDltaiXdWtVteRh/VKp61EwyXq77vjJbx81hvOuaXWWLSlU0KB3w7Hj6aD
+/mt16DpOcY9Aw90mKyvafRTqMF7TcT7J5HeGn2NL45dPkAhiMDEgEnw9yBTxK/x6
+UoQGPgiOWxSSN7Foj3mhUOflp8W0rnkLbJ4icpym6WuLKRMKAefDvk8GVlAWuXAb
+9gloL1P6u3uNHllq/IODR2bZUBI0QNKhvt0iSj7WKsc/kaqscl+AE9jd/6kXd6vh
+TNFWdzeco/2mGlaIRgQQEQoABgUCVwaJ/AAKCRB44RxrJ51ckWcaAKCJ6+arS/3k
+IMcO14Jz8dVf2BH3OACgwTenVSsK66qi+VfGCoALpzpiLDO5AQ0EVwaI8QEIAOxQ
+AEvF3idxcn80tbUhJg1J98fAS7Hx3WhlFG74uAikZQl1KZrprBu70RWTb7Nm1tvZ
+eXW65IlY7kk42bhfYDs1JrIPWOWKvVwKWDxoEbYgW/yvy1TOuXH276zbxLl5OEE8
+sQuOfXZsFSX2IPF9hsgNGaNzor8Ke7Y5BuCQLcGZWW5dLFbbKRKjXG8CaWmsJVoI
+c2nyXCAss2q9oCJ13X/5z+Ei392rwi1d3NxAYkSiDQan+fkWkCvZH+dHmFjQ1AND
+KielxcW1VfilK1hu9ziBBDf8TCEud/q0woIAH7rvIft4i3CqjymonByE4/OjfH8j
+4EteQ8qoknMCjjwNVqkAEQEAAYkBHwQYAQoACQUCVwaI8QIbDAAKCRBcyQj9tx4S
+wupjB/9TV4anbZK58bN7QJ5qGnU3GNjlvWFZXMw1u1xVc7abDJyqmFeJcJ4qLUkv
+BA0OsvlVnMWmeCmzsXhlQVM4Bv6IWyr7JBWgkK5q2CWVB59V7v7znf5kWnMGFhDF
+PlLsGbxDWLMoZGH+Iy84whMJFgferwCJy1dND/bHXPztfhvFXi8NNlJUFJa8Xtmu
+gm78C+nwNHcFpVC70HPr3oa8U1ODXMp7L8W/dL3eLYXmRCNd0urHgYrzDt6V/zf5
+ymvPk5w4HBocn2oRCJj/FXKhFAUptmpTE3g1yvYULmuFcNGAnPAExmAmd6NqsCmb
+j/qx4ytjt5uxt6Jm6IXV9cry8i6x
+=Phs/
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/curl.spec b/curl.spec
new file mode 100644
index 0000000..430df90
--- /dev/null
+++ b/curl.spec
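Review bot: The keyring added here still carries a legacy key as a trust anchor: the armored block opens with `mQGiB…`, which is the start of an old-format 1024-bit DSA public key, ahead of what look like newer RSA keys (`mQENBF…`). If the package's source verification accepts a signature from any key in `curl.keyring` (the usual behaviour of a keyring-based check, though the verification step is not visible in this hunk), a signature made with that weak key would validate `curl-8.6.0.tar.xz` just as well as one from the current release key. Consider trimming the keyring to the key that signs current releases, or recording the expected signer next to `Source4` in `curl.spec`, for example `# Source2 must be signed by <EXPECTED_SIGNING_KEY_FINGERPRINT>`.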
@@ -0,0 +1,195 @@
+#
+# spec file for package curl
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%bcond_without testsuite
+%bcond_with mozilla_nss
+# need ssl always for python-pycurl
+%bcond_without openssl
+Name: curl
+Version: 8.6.0
+Release: 0
+Summary: A Tool for Transferring Data from URLs
+License: curl
+URL: https://curl.se
+Source: https://curl.se/download/curl-%{version}.tar.xz
+Source2: https://curl.se/download/curl-%{version}.tar.xz.asc
+Source3: baselibs.conf
+Source4: https://daniel.haxx.se/mykey.asc#/curl.keyring
+Patch0: libcurl-ocloexec.patch
+Patch1: dont-mess-with-rpmoptflags.patch
+Patch2: curl-secure-getenv.patch
+#PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled
+Patch3: curl-disabled-redirect-protocol-message.patch
+BuildRequires: libtool
+BuildRequires: pkgconfig
+Requires: libcurl4 = %{version}
+BuildRequires: groff
+BuildRequires: lzma
+BuildRequires: openldap2-devel
+BuildRequires: pkgconfig(krb5)
+BuildRequires: pkgconfig(libbrotlidec)
+BuildRequires: pkgconfig(libidn2)
+# Disable metalink [bsc#1188218, CVE-2021-22923][bsc#1188217, CVE-2021-22922]
+# BuildRequires: pkgconfig(libmetalink)
+#
+# The 7.86.0 cURL release introduced the use of
+# nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation,
+# a function introduced by the 1.50.0 nghttp2 release.
+#
+# This is a bandaid, as cURL didn't provide a function/version check
+# in their build scripts. Without this some users my end up with a broken
+# Zypper/cURL if they have a libnghttp2 < 1.50.0 yet in their system,
+# and do some Zypper transaction that updates cURL, but not libnghttp2.
+#
+BuildRequires: pkgconfig(libnghttp2) >= 1.50.0
+BuildRequires: pkgconfig(libpsl)
+BuildRequires: pkgconfig(libssh)
+BuildRequires: pkgconfig(libzstd)
+BuildRequires: pkgconfig(zlib)
+%if %{with openssl}
+BuildRequires: pkgconfig(libssl)
+%endif
+%if %{with mozilla_nss}
+BuildRequires: mozilla-nss-devel
+%endif
+#BuildRequires: openssh
+%if 0%{?_with_stunnel:1}
+# used by the testsuite
+BuildRequires: stunnel
+%endif
+
+%description
+Curl is a client to get documents and files from or send documents to a
+server using any of the supported protocols (HTTP, HTTPS, FTP, FTPS,
+TFTP, DICT, TELNET, LDAP, or FILE). The command is designed to work
+without user interaction or any kind of interactivity.
+
+%package -n libcurl4
+Summary: Library for transferring data from URLs
+
+%description -n libcurl4
+The cURL shared library for accessing data using different
+network protocols.
+
+%package -n libcurl-devel
+Summary: Development files for the curl library
+Requires: glibc-devel
+Requires: libcurl4 = %{version}
+Provides: curl-devel = %{version}
+Obsoletes: curl-devel < %{version}
+
+%description -n libcurl-devel
+Curl is a client to get documents and files from or send documents to a
+server using any of the supported protocols (HTTP, HTTPS, FTP, GOPHER,
+DICT, TELNET, LDAP, or FILE). The command is designed to work without
+user interaction or any kind of interactivity.
+
+%prep
+%setup -q -n curl-%{version}
+%autopatch -p1
+
+%build
+# curl complains if macro definition is contained in CFLAGS
+# see m4/xc-val-flgs.m4
+CPPFLAGS="-D_FORTIFY_SOURCE=2"
+CFLAGS=$(echo "%{optflags}" | sed -e 's/-D_FORTIFY_SOURCE=2//')
+export CPPFLAGS
+export CFLAGS="$CFLAGS -fPIE"
+export LDFLAGS="$LDFLAGS -Wl,-z,defs,-z,now,-z,relro -pie"
+autoreconf -fiv
+# local hack to make curl-config --libs stop printing libraries it depends on
+# (currently, libtool sets link_all_deplibs=(yes|unknown) everywhere,
+# will hopefully change in the future)
+sed -i 's/\(link_all_deplibs=\)unknown/\1no/' configure
+%configure \
+ --enable-ipv6 \
+%if %{with openssl}
+ --with-openssl \
+ --with-ca-fallback \
+ --without-ca-path \
+ --without-ca-bundle \
+%else
+ --without-openssl \
+%if %{with mozilla_nss}
+ --with-nss \
+%endif
+%endif
+ --with-gssapi=$(krb5-config --prefix) \
+ --with-libidn2 \
+ --with-libssh \
+ --enable-symbol-hiding \
+ --disable-static \
+ --enable-threaded-resolver
+
+# if this fails, the above sed hack did not work
+./libtool --config | grep -q link_all_deplibs=no
+# enable-hidden-symbols needs gcc4 and causes that curl exports only its API
+%make_build
+
+%if %{with testsuite}
+%check
+pushd tests
+%make_build
+
+find -type f -name "*.pl" -exec sed -i 's|#!.*/usr/bin/env perl|#!/usr/bin/perl|' "{}" +
+find -type f -name "*.py" -exec sed -i 's|#!.*/usr/bin/env python.*|#!/usr/bin/python3|' "{}" +
+
+perl ./runtests.pl -a -v -p '!flaky' || exit
+popd
+%endif
+
+%install
+%make_install
+rm -f %{buildroot}%{_libdir}/libcurl.la
+install -Dm 0644 docs/libcurl/libcurl.m4 %{buildroot}%{_datadir}/aclocal/libcurl.m4
+pushd scripts
+%make_install
+popd
+
+%post -n libcurl4 -p /sbin/ldconfig
+%postun -n libcurl4 -p /sbin/ldconfig
+
+%files
+%doc README RELEASE-NOTES CHANGES
+%doc docs/{BUGS.md,FAQ,FEATURES.md,TODO,TheArtOfHttpScripting.md}
+%{_bindir}/curl
+%{_datadir}/zsh/site-functions/_curl
+%{_mandir}/man1/curl.1%{?ext_man}
+%{_mandir}/man1/mk-ca-bundle.1%{?ext_man}
+%dir %{_datadir}/zsh
+%dir %{_datadir}/zsh/site-functions
+%dir %{_datadir}/fish/
+%dir %{_datadir}/fish/vendor_completions.d/
+%{_datadir}/fish/vendor_completions.d/curl.fish
+
+%files -n libcurl4
+%license COPYING
+%{_libdir}/libcurl.so.4*
+
+%files -n libcurl-devel
+%{_bindir}/curl-config
+%{_includedir}/curl
+%dir %{_datadir}/aclocal/
+%{_datadir}/aclocal/libcurl.m4
+%{_libdir}/libcurl.so
+%{_libdir}/pkgconfig/libcurl.pc
+%{_mandir}/man1/curl-config.1%{?ext_man}
+%{_mandir}/man3/*
+%doc docs/libcurl/symbols-in-versions
+
+%changelog
diff --git a/dont-mess-with-rpmoptflags.patch b/dont-mess-with-rpmoptflags.patch
new file mode 100644
index 0000000..e3f80d2
--- /dev/null
+++ b/dont-mess-with-rpmoptflags.patch
@@ -0,0 +1,15 @@
+Index: curl-8.6.0/configure.ac
+===================================================================
+--- curl-8.6.0.orig/configure.ac
++++ curl-8.6.0/configure.ac
+@@ -506,10 +506,6 @@ dnl ************************************
+
+ CURL_CHECK_COMPILER
+ CURL_CHECK_NATIVE_WINDOWS
+-CURL_SET_COMPILER_BASIC_OPTS
+-CURL_SET_COMPILER_DEBUG_OPTS
+-CURL_SET_COMPILER_OPTIMIZE_OPTS
+-CURL_SET_COMPILER_WARNING_OPTS
+
+ if test "$compiler_id" = "INTEL_UNIX_C"; then
+ #
diff --git a/libcurl-ocloexec.patch b/libcurl-ocloexec.patch
new file mode 100644
index 0000000..d41a046
--- /dev/null
+++ b/libcurl-ocloexec.patch
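Review bot: The `%build` section of curl.spec pins the fortify level twice, in `CPPFLAGS="-D_FORTIFY_SOURCE=2"` and in the `sed` that strips only `-D_FORTIFY_SOURCE=2` from `%{optflags}`. If the distribution's optflags ever carry another level, the define stays in CFLAGS, which the comment above says curl complains about, and CPPFLAGS adds a second, lower one. Taking the level from optflags avoids both: `CPPFLAGS=$(echo "%{optflags}" | sed -n 's/.*\(-D_FORTIFY_SOURCE=[0-9]\).*/\1/p')` and `CFLAGS=$(echo "%{optflags}" | sed -e 's/-D_FORTIFY_SOURCE=[0-9]//')`.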
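Review bot: dont-mess-with-rpmoptflags.patch starts directly at `Index:` with no description, and its `Patch1:` line in curl.spec has no tag comment either (only `Patch3:` has one), so nothing records why the four `CURL_SET_COMPILER_*_OPTS` calls are dropped from configure.ac. With `CURL_SET_COMPILER_WARNING_OPTS` and the others gone, the compiler options presumably come only from `%{optflags}` and the flags exported in `%build`; that dependency is worth stating where the next maintainer will see it. A header line such as `Leave compiler flags to the RPM optflags; configure must not add or change them` would be enough.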
@@ -0,0 +1,93 @@
+Open library file descriptors with O_CLOEXEC
+This patch is non-portable, it needs linux 2.6.23 and glibc 2.7
+or later, different combinations (old linux, new glibc and vice-versa)
+will result in a crash.
+
+To make it portable you have to test O_CLOEXEC support at *runtime*
+compile time is not enough.
+
+
+Index: curl-8.4.0/lib/file.c
+===================================================================
+--- curl-8.4.0.orig/lib/file.c
++++ curl-8.4.0/lib/file.c
+@@ -232,7 +232,7 @@ static CURLcode file_connect(struct Curl
+ }
+ }
+ #else
+- fd = open_readonly(real_path, O_RDONLY);
++ fd = open_readonly(real_path, O_RDONLY|O_CLOEXEC);
+ file->path = real_path;
+ #endif
+ #endif
+@@ -318,7 +318,7 @@ static CURLcode file_upload(struct Curl_
+ else
+ mode = MODE_DEFAULT|O_TRUNC;
+
+- fd = open(file->path, mode, data->set.new_file_perms);
++ fd = open(file->path, mode|O_CLOEXEC, data->set.new_file_perms);
+ if(fd < 0) {
+ failf(data, "Can't open %s for writing", file->path);
+ return CURLE_WRITE_ERROR;
+Index: curl-8.4.0/lib/if2ip.c
+===================================================================
+--- curl-8.4.0.orig/lib/if2ip.c
++++ curl-8.4.0/lib/if2ip.c
+@@ -208,7 +208,7 @@ if2ip_result_t Curl_if2ip(int af,
+ if(len >= sizeof(req.ifr_name))
+ return IF2IP_NOT_FOUND;
+
+- dummy = socket(AF_INET, SOCK_STREAM, 0);
++ dummy = socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, 0);
+ if(CURL_SOCKET_BAD == dummy)
+ return IF2IP_NOT_FOUND;
+
+Index: curl-8.4.0/configure.ac
+===================================================================
+--- curl-8.4.0.orig/configure.ac
++++ curl-8.4.0/configure.ac
+@@ -428,6 +428,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m
+ # Silence warning: ar: 'u' modifier ignored since 'D' is the default
+ AC_SUBST(AR_FLAGS, [cr])
+
++AC_USE_SYSTEM_EXTENSIONS
++
+ dnl This defines _ALL_SOURCE for AIX
+ CURL_CHECK_AIX_ALL_SOURCE
+
+Index: curl-8.4.0/lib/hostip.c
+===================================================================
+--- curl-8.4.0.orig/lib/hostip.c
++++ curl-8.4.0/lib/hostip.c
+@@ -44,6 +44,7 @@
+ #include
+ #include
+
++#include
+ #include "urldata.h"
+ #include "sendf.h"
+ #include "hostip.h"
+@@ -609,7 +610,7 @@ bool Curl_ipv6works(struct Curl_easy *da
+ else {
+ int ipv6_works = -1;
+ /* probe to see if we have a working IPv6 stack */
+- curl_socket_t s = socket(PF_INET6, SOCK_DGRAM, 0);
++ curl_socket_t s = socket(PF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, 0);
+ if(s == CURL_SOCKET_BAD)
+ /* an IPv6 address was requested but we can't get/use one */
+ ipv6_works = 0;
+Index: curl-8.4.0/lib/cf-socket.c
+===================================================================
+--- curl-8.4.0.orig/lib/cf-socket.c
++++ curl-8.4.0/lib/cf-socket.c
+@@ -274,7 +274,9 @@ static CURLcode socket_open(struct Curl_
+ }
+ else {
+ /* opensocket callback not set, so simply create the socket now */
+- *sockfd = socket(addr->family, addr->socktype, addr->protocol);
++ *sockfd = socket(addr->family,
++ addr->socktype|SOCK_CLOEXEC,
++ addr->protocol);
+ }
+
+ if(*sockfd == CURL_SOCKET_BAD)
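Review bot: In the cf-socket.c hunk only the `else` branch of `socket_open`, where no opensocket callback is set, gains `SOCK_CLOEXEC`; a socket handed back by an application's callback (presumably the branch just above the hunk) stays inheritable across exec unless the callback sets the flag itself, and the patch header does not say so. The header also gives a single requirement, linux 2.6.23 and glibc 2.7, which fits `O_CLOEXEC`, while `SOCK_CLOEXEC` on `socket()` only arrived in Linux 2.6.27. On a kernel without it, the `Curl_ipv6works` and `Curl_if2ip` hunks would read the failed `socket()` as `ipv6_works = 0` and `IF2IP_NOT_FOUND` rather than as an error. I would add to the header: `Sockets created by a CURLOPT_OPENSOCKETFUNCTION callback are not covered; SOCK_CLOEXEC needs Linux 2.6.27 or later.` The patched functions all continue outside the inner hunks.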