From 88cdf1703b3cce521c04cb016b59378652474fb5312385e1789b2ef946680b2d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Tue, 12 Nov 2024 15:39:22 +0100
Subject: [PATCH] Sync from SUSE:SLFO:Main curl revision 9c988e5f1d3c61b002b390b177a443f4
---
 curl-8.11.0.tar.xz | 3 +
 curl-8.11.0.tar.xz.asc | 11 +++
 curl-8.9.1.tar.xz | 3 -
 curl-8.9.1.tar.xz.asc | 11 ---
 curl-secure-getenv.patch | 28 ++++----
 curl-sigpipe.patch | 32 ---------
 curl.changes | 149 +++++++++++++++++++++++++++++++++++++++
 curl.spec | 6 +-
 8 files changed, 179 insertions(+), 64 deletions(-)
 create mode 100644 curl-8.11.0.tar.xz
 create mode 100644 curl-8.11.0.tar.xz.asc
 delete mode 100644 curl-8.9.1.tar.xz
 delete mode 100644 curl-8.9.1.tar.xz.asc
 delete mode 100644 curl-sigpipe.patch
diff --git a/curl-8.11.0.tar.xz b/curl-8.11.0.tar.xz
new file mode 100644
index 0000000..2c9db78
--- /dev/null
+++ b/curl-8.11.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:db59cf0d671ca6e7f5c2c5ec177084a33a79e04c97e71cf183a5cdea235054eb
+size 2750684
diff --git a/curl-8.11.0.tar.xz.asc b/curl-8.11.0.tar.xz.asc
new file mode 100644
index 0000000..cf691aa
--- /dev/null
+++ b/curl-8.11.0.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmcrFoYACgkQXMkI/bce
+EsIHCAf/fcpnxxtl7XTgSXF3V2tntKZJskiiTuXsJtBCJoDWiOOjrM3gnafXC3Bt
+CcncdGHIubKuUTc+JeuQowr6e+oXWPX5k45SF35U9n1EvWgF/s8uxAF8vJdDQme9
+z30M6UjMkEB7tbADUt1Q7Dyh8ZWWsFC5emekYnMQVDvzmad76Z3o4ZeQAly7xUhd
+V++5Il3Ql44nyMeTDTlHOuOc3jiA5rCmoLr4mMbRqAO8wF+Y2KCDYd5BaNvXZOln
+snEM496m3p0S1sliiEnRwDeccepUpkAyHPQgESS/ATCIvFZb4/MDrLSc5HSr5K+8
+MNYxBV03wmfR5QUqihbH8KXZKpYDnw==
+=9DLI
+-----END PGP SIGNATURE-----
diff --git a/curl-8.9.1.tar.xz b/curl-8.9.1.tar.xz
deleted file mode 100644
index 807d384..0000000
--- a/curl-8.9.1.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:f292f6cc051d5bbabf725ef85d432dfeacc8711dd717ea97612ae590643801e5 -size 2782364 diff --git a/curl-8.9.1.tar.xz.asc b/curl-8.9.1.tar.xz.asc deleted file mode 100644 index bda8785..0000000 --- a/curl-8.9.1.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmap30kACgkQXMkI/bce -EsKX+wf/brccw5rGTAbmjj7WGBfbAmwrSsDexTXRiEBXT/+qhkWIplN6wdtsZ86I -tUraaapoyvRKLa3Wxlv9fSF/xXji+5lhO/W9pfWxwZNeSZFiOgKcK/Li4Fx0c7t4 -WpxkAbRvbJreA40BR32qSgnNNjKU5QX/ivf67B1EFL71kgsCW/QczB6mcuxszlkN -ro39Jb8hDtnAD3hHXrTEaW3lOEgf/Jo/a1Zii3+W3OkW+uZHwzUoqe+HLGHYM2vW -Q3hBVQaEWmNIwArA73s/kOiFATLthUTvSJO56ebLQJFHJf61cwqSsg2o07i5SqEc -QlKzV/h7ydbBWdHiSTpCMxue7tLUZw== -=EiUG ------END PGP SIGNATURE----- diff --git a/curl-secure-getenv.patch b/curl-secure-getenv.patch index c751b12..c3186c5 100644 --- a/curl-secure-getenv.patch +++ b/curl-secure-getenv.patch @@ -1,7 +1,7 @@ -Index: curl-8.5.0/lib/getenv.c +Index: curl-8.11.0/lib/getenv.c =================================================================== ---- curl-8.5.0.orig/lib/getenv.c -+++ curl-8.5.0/lib/getenv.c +--- curl-8.11.0.orig/lib/getenv.c ++++ curl-8.11.0/lib/getenv.c @@ -29,6 +29,14 @@ #include "memdebug.h" @@ -16,26 +16,26 @@ Index: curl-8.5.0/lib/getenv.c + static char *GetEnv(const char *variable) { - #if defined(_WIN32_WCE) || defined(CURL_WINDOWS_APP) || \ + #if defined(_WIN32_WCE) || defined(CURL_WINDOWS_UWP) || \ 
@@ -69,7 +77,7 @@ static char *GetEnv(const char *variable /* else rc is bytes needed, try again */ } #else - char *env = getenv(variable); + char *env = secure_getenv(variable); - return (env && env[0])?strdup(env):NULL; + return (env && env[0]) ? strdup(env) : NULL; #endif } -Index: curl-8.5.0/configure.ac +Index: curl-8.11.0/configure.ac =================================================================== ---- curl-8.5.0.orig/configure.ac -+++ curl-8.5.0/configure.ac -@@ -4767,6 +4767,8 @@ if test "x$want_curldebug_assumed" = "xy - ac_configure_args="$ac_configure_args --enable-curldebug" - fi +--- curl-8.11.0.orig/configure.ac ++++ curl-8.11.0/configure.ac +@@ -5370,6 +5370,8 @@ fi + + CURL_PREPARE_CONFIGUREHELP_PM +AC_CHECK_FUNCS([__secure_getenv secure_getenv]) + - AC_CONFIG_FILES([Makefile \ - docs/Makefile \ - docs/examples/Makefile \ + AC_CONFIG_FILES([\ + Makefile \ + docs/Makefile \ diff --git a/curl-sigpipe.patch b/curl-sigpipe.patch deleted file mode 100644 index ba0187a..0000000 --- a/curl-sigpipe.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 3eec5afbd0b6377eca893c392569b2faf094d970 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 5 Aug 2024 00:17:17 +0200 -Subject: [PATCH] sigpipe: init the struct so that first apply ignores - -Initializes 'no_signal' to TRUE, so that a call to sigpipe_apply() after -init ignores the signal (unless CURLOPT_NOSIGNAL) is set. - -I have read the existing code multiple times now and I think it gets the -initial state reversed this missing to ignore. - -Regression from 17e6f06ea37136c36d27 - -Reported-by: Rasmus Thomsen -Fixes #14344 -Closes #14390 ---- - lib/sigpipe.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/lib/sigpipe.h b/lib/sigpipe.h -index b91a2f51333956..d78afd905d3414 100644 ---- a/lib/sigpipe.h -+++ b/lib/sigpipe.h -@@ -39,6 +39,7 @@ struct sigpipe_ignore { - static void sigpipe_init(struct sigpipe_ignore *ig) - { - memset(ig, 0, sizeof(*ig)); -+ ig->no_signal = TRUE; - } - - /* 
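Review bot: In the rebased `lib/getenv.c` part of curl-secure-getenv.patch, the `#else` branch calls `secure_getenv(variable)` unconditionally, while the `configure.ac` part probes for both `__secure_getenv` and `secure_getenv`. The lines that would map one name onto the other (patch lines 8-15, inside the nested `@@ -29,6 +29,14 @@` hunk) fall between the two outer hunks and are not shown, so the rebase cannot be checked against them from here. It is worth confirming that this block still stops the build when neither function is detected instead of falling back to plain `getenv()`, because a silent fallback would drop the secure-execution (setuid/setgid) protection with no visible change in behaviour. The patch file also begins directly at `Index:` with no description; a one-line header such as `Use secure_getenv() so libcurl ignores environment variables in secure-execution mode` would record the intent for the next rebase.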
diff --git a/curl.changes b/curl.changes
index 036d04b..ec274c5 100644
--- a/curl.changes
+++ b/curl.changes
@@ -1,3 +1,152 @@ +------------------------------------------------------------------- +Wed Nov 6 08:43:16 UTC 2024 - Pedro Monreal + +- Update to 8.11.0: + * Security fixes: [bsc#1232528, CVE-2024-9681] + * curl: HSTS subdomain overwrites parent cache entry + * Changes: + - curl: --create-dirs works for --dump-header as well + - gtls: Add P12 format support + - ipfs: add options to disable + - TLS: TLSv1.3 earlydata support for curl + - WebSockets: make support official (non-experimental) + * Bugfixes: + - build: clarify CA embed is for curl tool, mark default, improve summary + - build: show if CA bundle to embed was found + - build: tidy up and improve versioned-symbols options + - cmake/FindNGTCP2: use library path as hint for finding crypto module + - cmake: disable default OpenSSL if BearSSL, GnuTLS or Rustls is enabled + - cmake: rename LDAP dependency config variables to match Find modules + - cmake: replace 'check_include_file_concat()' for LDAP and GSS detection + - cmake: use OpenSSL for LDAP detection only if available + - curl: add build options for safe/no CA bundle search (Windows) + - curl: detect ECH support dynamically, not at build time + - curl_addrinfo: support operating systems with only getaddrinfo(3) + - ftp: fix 0-length last write on upload from stdin + - gnutls: use session cache for QUIC + - hsts: improve subdomain handling + - hsts: support "implied LWS" properly around max-age + - http2: auto reset stream on server eos + - json.md: cli-option '--json' is an alias of '--data-binary' + - lib: move curl_path.[ch] into vssh/ + - lib: remove function pointer typecasts for hmac/sha256/md5 + - libssh.c: handle EGAINS during proto-connect correctly + - libssh2: use the filename buffer when getting the homedir + - multi.c: warn/assert on stall only without timer + - negotiate: conditional check around GSS & SSL specific code + - netrc: cache the netrc file in memory + - ngtcp2: do not loop on recv + - ngtcp2: set max window size to 10x of 
initial (128KB) + - openssl quic: populate x509 store before handshake + - openssl: extend the OpenSSL error messages + - openssl: improve retries on shutdown + - quic: use send/recvmmsg when available + - schannel: fix TLS cert verification by IP SAN + - schannel: ignore error on recv beyond close notify + - select: use poll() if existing, avoid poll() with no sockets + - sendf: add condition to max-filesize check + - server/mqttd: fix two memory leaks + - setopt: return error for bad input to CURLOPT_RTSP_REQUEST + - setopt_cptr: make overflow check only done when needed + - tls: avoid abusing CURLE_SSL_ENGINE_INITFAILED + - tool: support --show-headers AND --remote-header-name + - tool_operate: make --skip-existing work for --parallel + - url: connection reuse on h3 connections + - url: use same credentials on redirect + - urlapi: normalize the IPv6 address + - version: say quictls in MSH3 builds + - vquic: fix compiler warning with gcc + MUSL + - vquic: recv_mmsg, use fewer, but larger buffers + - vtls: convert Curl_pin_peer_pubkey to use dynbuf + - vtls: convert pubkey_pem_to_der to use dynbuf + * Rebase curl-secure-getenv.patch + +------------------------------------------------------------------- +Tue Sep 24 09:42:35 UTC 2024 - Pedro Monreal + +- Update to 8.10.1: + * Bugfixes: + - autotools: fix `--with-ca-embed` build rule + - cmake: ensure `CURL_USE_OPENSSL`/`USE_OPENSSL_QUIC` are set in sync + - cmake: fix MSH3 to appear on the feature list + - connect: store connection info when really done + - FTP: partly revert eeb7c1280742f5c8fa48a4340fc1e1a1a2c7075a + - http2: when uploading data from stdin, fix eos forwarding + - http: make max-filesize check not count ignored bodies + - lib: fix AF_INET6 use outside of USE_IPV6 + - multi: check that the multi handle is valid in curl_multi_assign + - QUIC: on connect, keep on trying on draining server + - request: correctly reset the eos_sent flag + - setopt: remove superfluous use of ternary expressions + - 
singleuse: drop `Curl_memrchr()` for no-HTTP builds + - tool_cb_wrt: use "curl_response" if no file name in URL + - transfer: fix sendrecv() without interim poll + - vtls: fix `Curl_ssl_conn_config_match` doc param + +------------------------------------------------------------------- +Wed Sep 11 06:36:42 UTC 2024 - Pedro Monreal + +- Update to version 8.10.0: + * Security fixes: + - [bsc#1230093, CVE-2024-8096] curl: OCSP stapling bypass with GnuTLS + * Changes: + - curl: make --rate accept "number of units" + - curl: make --show-headers the same as --include + - curl: support --dump-header % to direct to stderr + - curl: support embedding a CA bundle and --dump-ca-embed + - curl: support repeated use of the verbose option; -vv etc + - curl: use libuv for parallel transfers with --test-event + - vtls: stop offering alpn http/1.1 for http2-prior-knowledge + * Bugfixes: + - curl: allow 500MB data URL encode strings + - curl: warn on unsupported SSL options + - Curl_rand_bytes to control env override + - curl_sha512_256: fix symbol collisions with nettle library + - dist: fix reproducible build from release tarball + - http2: fix GOAWAY message sent to server + - http2: improve rate limiting of downloads + - INSTALL.md: MultiSSL and QUIC are mutually exclusive + - lib: add eos flag to send methods + - lib: make SSPI global symbols use Curl_ prefix + - lib: prefer `CURL_SHA256_DIGEST_LENGTH` over the unprefixed name + - lib: remove the final strncpy() calls + - lib: remove use of RANDOM_FILE + - Makefile.mk: fixup enabling libidn2 + - max-filesize.md: mention zero disables the limit + - mime: avoid inifite loop in client reader + - ngtcp2: use NGHTTP3 prefix instead of NGTCP2 for errors in h3 callbacks + - openssl quic: fix memory leak + - openssl: certinfo errors now fail correctly + - openssl: fix the data race when sharing an SSL session between threads + - openssl: improve shutdown handling + - POP3: fix multi-line responses + - pop3: use the protocol handler 
->write_resp + - progress: ratelimit/progress tweaks + - rand: only provide weak random when needed + - sectransp: fix setting tls version + - setopt: make CURLOPT_TFTP_BLKSIZE accept bad values + - sha256: fix symbol collision between nettle (GnuTLS) and OpenSSL + - sigpipe: init the struct so that first apply ignores + - smb: convert superflous assign into assert + - smtp: add tracing feature + - spnego_gssapi: implement TLS channel bindings for openssl + - src: delete `curlx_m*printf()` aliases + - ssh: deduplicate SSH backend includes (and fix libssh cmake unity build) + - tool_operhlp: fix "potentially uninitialized local variable 'pc' used" + - tool_paramhlp: bump maximum post data size in memory to 16GB + - transfer: skip EOS read when download done + - url: fix connection reuse for HTTP/2 upgrades + - urlapi: verify URL *decoded* hostname when set + - urldata: introduce `data->mid`, a unique identifier inside a multi + - vtls: add SSLSUPP_CIPHER_LIST + - vtls: fix static function name collisions between TLS backends + - vtls: init ssl peer only once + - websocket: introduce blocking sends + - ws: flags to opcodes should ignore CURLWS_CONT flag + - x509asn1: raise size limit for x509 certification information + * Remove curl-sigpipe.patch upstream + * Rebase curl-secure-getenv.patch + ------------------------------------------------------------------- Mon Aug 12 08:41:26 UTC 2024 - Pedro Monreal diff --git a/curl.spec b/curl.spec index 5ad327d..cb95508 100644 --- a/curl.spec +++ b/curl.spec @@ -29,7 +29,7 @@ %endif Name: curl%{?psuffix} -Version: 8.9.1 +Version: 8.11.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl 
@@ -43,8 +43,6 @@ Patch1: dont-mess-with-rpmoptflags.patch Patch2: curl-secure-getenv.patch #PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled Patch3: curl-disabled-redirect-protocol-message.patch -#PATCH-FIX-UPSTREAM sigpipe: init the struct so that first apply ignores -Patch4: curl-sigpipe.patch BuildRequires: groff BuildRequires: libtool BuildRequires: pkgconfig @@ -228,7 +226,7 @@ popd %if !%{with mini} %files -%doc README RELEASE-NOTES CHANGES +%doc README RELEASE-NOTES CHANGES.md %doc docs/{BUGS.md,FAQ,FEATURES.md,TODO,TheArtOfHttpScripting.md} %{_bindir}/curl %{_mandir}/man1/curl.1%{?ext_man}