Sync from SUSE:SLFO:Main curl revision 9c988e5f1d3c61b002b390b177a443f4

curl-8.11.0.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmcrFoYACgkQXMkI/bce
+EsIHCAf/fcpnxxtl7XTgSXF3V2tntKZJskiiTuXsJtBCJoDWiOOjrM3gnafXC3Bt
+CcncdGHIubKuUTc+JeuQowr6e+oXWPX5k45SF35U9n1EvWgF/s8uxAF8vJdDQme9
+z30M6UjMkEB7tbADUt1Q7Dyh8ZWWsFC5emekYnMQVDvzmad76Z3o4ZeQAly7xUhd
+V++5Il3Ql44nyMeTDTlHOuOc3jiA5rCmoLr4mMbRqAO8wF+Y2KCDYd5BaNvXZOln
+snEM496m3p0S1sliiEnRwDeccepUpkAyHPQgESS/ATCIvFZb4/MDrLSc5HSr5K+8
+MNYxBV03wmfR5QUqihbH8KXZKpYDnw==
+=9DLI
+-----END PGP SIGNATURE-----

curl-8.9.1.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmap30kACgkQXMkI/bce
-EsKX+wf/brccw5rGTAbmjj7WGBfbAmwrSsDexTXRiEBXT/+qhkWIplN6wdtsZ86I
-tUraaapoyvRKLa3Wxlv9fSF/xXji+5lhO/W9pfWxwZNeSZFiOgKcK/Li4Fx0c7t4
-WpxkAbRvbJreA40BR32qSgnNNjKU5QX/ivf67B1EFL71kgsCW/QczB6mcuxszlkN
-ro39Jb8hDtnAD3hHXrTEaW3lOEgf/Jo/a1Zii3+W3OkW+uZHwzUoqe+HLGHYM2vW
-Q3hBVQaEWmNIwArA73s/kOiFATLthUTvSJO56ebLQJFHJf61cwqSsg2o07i5SqEc
-QlKzV/h7ydbBWdHiSTpCMxue7tLUZw==
-=EiUG
------END PGP SIGNATURE-----

curl-secure-getenv.patch

@@ -1,7 +1,7 @@
-Index: curl-8.5.0/lib/getenv.c
+Index: curl-8.11.0/lib/getenv.c
 ===================================================================
---- curl-8.5.0.orig/lib/getenv.c
+--- curl-8.11.0.orig/lib/getenv.c
-+++ curl-8.5.0/lib/getenv.c
++++ curl-8.11.0/lib/getenv.c
 @@ -29,6 +29,14 @@
  
  #include "memdebug.h"
@@ -16,26 +16,26 @@ Index: curl-8.5.0/lib/getenv.c
 +
  static char *GetEnv(const char *variable)
  {
- #if defined(_WIN32_WCE) || defined(CURL_WINDOWS_APP) || \
+ #if defined(_WIN32_WCE) || defined(CURL_WINDOWS_UWP) || \
 @@ -69,7 +77,7 @@ static char *GetEnv(const char *variable
      /* else rc is bytes needed, try again */
    }
  #else
 -  char *env = getenv(variable);
 +  char *env = secure_getenv(variable);
-   return (env && env[0])?strdup(env):NULL;
+   return (env && env[0]) ? strdup(env) : NULL;
  #endif
  }
-Index: curl-8.5.0/configure.ac
+Index: curl-8.11.0/configure.ac
 ===================================================================
---- curl-8.5.0.orig/configure.ac
+--- curl-8.11.0.orig/configure.ac
-+++ curl-8.5.0/configure.ac
++++ curl-8.11.0/configure.ac
-@@ -4767,6 +4767,8 @@ if test "x$want_curldebug_assumed" = "xy
+@@ -5370,6 +5370,8 @@ fi
-   ac_configure_args="$ac_configure_args --enable-curldebug"
+ 
- fi
+ CURL_PREPARE_CONFIGUREHELP_PM
  
 +AC_CHECK_FUNCS([__secure_getenv secure_getenv])
 +
- AC_CONFIG_FILES([Makefile \
+ AC_CONFIG_FILES([\
+   Makefile \
    docs/Makefile \
-            docs/examples/Makefile \

curl-sigpipe.patch

@@ -1,32 +0,0 @@
-From 3eec5afbd0b6377eca893c392569b2faf094d970 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 5 Aug 2024 00:17:17 +0200
-Subject: [PATCH] sigpipe: init the struct so that first apply ignores
-
-Initializes 'no_signal' to TRUE, so that a call to sigpipe_apply() after
-init ignores the signal (unless CURLOPT_NOSIGNAL) is set.
-
-I have read the existing code multiple times now and I think it gets the
-initial state reversed this missing to ignore.
-
-Regression from 17e6f06ea37136c36d27
-
-Reported-by: Rasmus Thomsen
-Fixes #14344
-Closes #14390
----
- lib/sigpipe.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/lib/sigpipe.h b/lib/sigpipe.h
-index b91a2f51333956..d78afd905d3414 100644
---- a/lib/sigpipe.h
-+++ b/lib/sigpipe.h
-@@ -39,6 +39,7 @@ struct sigpipe_ignore {
- static void sigpipe_init(struct sigpipe_ignore *ig)
- {
-   memset(ig, 0, sizeof(*ig));
-+  ig->no_signal = TRUE;
- }
- 
- /*

curl.changes

@@ -1,3 +1,152 @@
+-------------------------------------------------------------------
+Wed Nov  6 08:43:16 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 8.11.0:
+  * Security fixes: [bsc#1232528, CVE-2024-9681]
+    *  curl: HSTS subdomain overwrites parent cache entry
+  * Changes:
+    - curl: --create-dirs works for --dump-header as well
+    - gtls: Add P12 format support
+    - ipfs: add options to disable
+    - TLS: TLSv1.3 earlydata support for curl
+    - WebSockets: make support official (non-experimental)
+  * Bugfixes:
+    - build: clarify CA embed is for curl tool, mark default, improve summary
+    - build: show if CA bundle to embed was found
+    - build: tidy up and improve versioned-symbols options
+    - cmake/FindNGTCP2: use library path as hint for finding crypto module
+    - cmake: disable default OpenSSL if BearSSL, GnuTLS or Rustls is enabled
+    - cmake: rename LDAP dependency config variables to match Find modules
+    - cmake: replace 'check_include_file_concat()' for LDAP and GSS detection
+    - cmake: use OpenSSL for LDAP detection only if available
+    - curl: add build options for safe/no CA bundle search (Windows)
+    - curl: detect ECH support dynamically, not at build time
+    - curl_addrinfo: support operating systems with only getaddrinfo(3)
+    - ftp: fix 0-length last write on upload from stdin
+    - gnutls: use session cache for QUIC
+    - hsts: improve subdomain handling
+    - hsts: support "implied LWS" properly around max-age
+    - http2: auto reset stream on server eos
+    - json.md: cli-option '--json' is an alias of '--data-binary'
+    - lib: move curl_path.[ch] into vssh/
+    - lib: remove function pointer typecasts for hmac/sha256/md5
+    - libssh.c: handle EGAINS during proto-connect correctly
+    - libssh2: use the filename buffer when getting the homedir
+    - multi.c: warn/assert on stall only without timer
+    - negotiate: conditional check around GSS & SSL specific code
+    - netrc: cache the netrc file in memory
+    - ngtcp2: do not loop on recv
+    - ngtcp2: set max window size to 10x of initial (128KB)
+    - openssl quic: populate x509 store before handshake
+    - openssl: extend the OpenSSL error messages
+    - openssl: improve retries on shutdown
+    - quic: use send/recvmmsg when available
+    - schannel: fix TLS cert verification by IP SAN
+    - schannel: ignore error on recv beyond close notify
+    - select: use poll() if existing, avoid poll() with no sockets
+    - sendf: add condition to max-filesize check
+    - server/mqttd: fix two memory leaks
+    - setopt: return error for bad input to CURLOPT_RTSP_REQUEST
+    - setopt_cptr: make overflow check only done when needed
+    - tls: avoid abusing CURLE_SSL_ENGINE_INITFAILED
+    - tool: support --show-headers AND --remote-header-name
+    - tool_operate: make --skip-existing work for --parallel
+    - url: connection reuse on h3 connections
+    - url: use same credentials on redirect
+    - urlapi: normalize the IPv6 address
+    - version: say quictls in MSH3 builds
+    - vquic: fix compiler warning with gcc + MUSL
+    - vquic: recv_mmsg, use fewer, but larger buffers
+    - vtls: convert Curl_pin_peer_pubkey to use dynbuf
+    - vtls: convert pubkey_pem_to_der to use dynbuf
+  * Rebase curl-secure-getenv.patch
+
+-------------------------------------------------------------------
+Tue Sep 24 09:42:35 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 8.10.1:
+  * Bugfixes:
+    - autotools: fix `--with-ca-embed` build rule
+    - cmake: ensure `CURL_USE_OPENSSL`/`USE_OPENSSL_QUIC` are set in sync
+    - cmake: fix MSH3 to appear on the feature list
+    - connect: store connection info when really done
+    - FTP: partly revert eeb7c1280742f5c8fa48a4340fc1e1a1a2c7075a
+    - http2: when uploading data from stdin, fix eos forwarding
+    - http: make max-filesize check not count ignored bodies
+    - lib: fix AF_INET6 use outside of USE_IPV6
+    - multi: check that the multi handle is valid in curl_multi_assign
+    - QUIC: on connect, keep on trying on draining server
+    - request: correctly reset the eos_sent flag
+    - setopt: remove superfluous use of ternary expressions
+    - singleuse: drop `Curl_memrchr()` for no-HTTP builds
+    - tool_cb_wrt: use "curl_response" if no file name in URL
+    - transfer: fix sendrecv() without interim poll
+    - vtls: fix `Curl_ssl_conn_config_match` doc param
+
+-------------------------------------------------------------------
+Wed Sep 11 06:36:42 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to version 8.10.0:
+  * Security fixes:
+    - [bsc#1230093, CVE-2024-8096] curl: OCSP stapling bypass with GnuTLS
+  * Changes:
+    - curl: make --rate accept "number of units"
+    - curl: make --show-headers the same as --include
+    - curl: support --dump-header % to direct to stderr
+    - curl: support embedding a CA bundle and --dump-ca-embed
+    - curl: support repeated use of the verbose option; -vv etc
+    - curl: use libuv for parallel transfers with --test-event
+    - vtls: stop offering alpn http/1.1 for http2-prior-knowledge
+  * Bugfixes:
+    - curl: allow 500MB data URL encode strings
+    - curl: warn on unsupported SSL options
+    - Curl_rand_bytes to control env override
+    - curl_sha512_256: fix symbol collisions with nettle library
+    - dist: fix reproducible build from release tarball
+    - http2: fix GOAWAY message sent to server
+    - http2: improve rate limiting of downloads
+    - INSTALL.md: MultiSSL and QUIC are mutually exclusive
+    - lib: add eos flag to send methods
+    - lib: make SSPI global symbols use Curl_ prefix
+    - lib: prefer `CURL_SHA256_DIGEST_LENGTH` over the unprefixed name
+    - lib: remove the final strncpy() calls
+    - lib: remove use of RANDOM_FILE
+    - Makefile.mk: fixup enabling libidn2
+    - max-filesize.md: mention zero disables the limit
+    - mime: avoid inifite loop in client reader
+    - ngtcp2: use NGHTTP3 prefix instead of NGTCP2 for errors in h3 callbacks
+    - openssl quic: fix memory leak
+    - openssl: certinfo errors now fail correctly
+    - openssl: fix the data race when sharing an SSL session between threads
+    - openssl: improve shutdown handling
+    - POP3: fix multi-line responses
+    - pop3: use the protocol handler ->write_resp
+    - progress: ratelimit/progress tweaks
+    - rand: only provide weak random when needed
+    - sectransp: fix setting tls version
+    - setopt: make CURLOPT_TFTP_BLKSIZE accept bad values
+    - sha256: fix symbol collision between nettle (GnuTLS) and OpenSSL
+    - sigpipe: init the struct so that first apply ignores
+    - smb: convert superflous assign into assert
+    - smtp: add tracing feature
+    - spnego_gssapi: implement TLS channel bindings for openssl
+    - src: delete `curlx_m*printf()` aliases
+    - ssh: deduplicate SSH backend includes (and fix libssh cmake unity build)
+    - tool_operhlp: fix "potentially uninitialized local variable 'pc' used"
+    - tool_paramhlp: bump maximum post data size in memory to 16GB
+    - transfer: skip EOS read when download done
+    - url: fix connection reuse for HTTP/2 upgrades
+    - urlapi: verify URL *decoded* hostname when set
+    - urldata: introduce `data->mid`, a unique identifier inside a multi
+    - vtls: add SSLSUPP_CIPHER_LIST
+    - vtls: fix static function name collisions between TLS backends
+    - vtls: init ssl peer only once
+    - websocket: introduce blocking sends
+    - ws: flags to opcodes should ignore CURLWS_CONT flag
+    - x509asn1: raise size limit for x509 certification information
+  * Remove curl-sigpipe.patch upstream
+  * Rebase curl-secure-getenv.patch
+
 -------------------------------------------------------------------
 Mon Aug 12 08:41:26 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
 

curl.spec

@@ -29,7 +29,7 @@
 %endif
 
 Name:           curl%{?psuffix}
-Version:        8.9.1
+Version:        8.11.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl
@@ -43,8 +43,6 @@ Patch1:         dont-mess-with-rpmoptflags.patch
 Patch2:         curl-secure-getenv.patch
 #PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled
 Patch3:         curl-disabled-redirect-protocol-message.patch
-#PATCH-FIX-UPSTREAM sigpipe: init the struct so that first apply ignores
-Patch4:         curl-sigpipe.patch
 BuildRequires:  groff
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
@@ -228,7 +226,7 @@ popd
 
 %if !%{with mini}
 %files
-%doc README RELEASE-NOTES CHANGES
+%doc README RELEASE-NOTES CHANGES.md
 %doc docs/{BUGS.md,FAQ,FEATURES.md,TODO,TheArtOfHttpScripting.md}
 %{_bindir}/curl
 %{_mandir}/man1/curl.1%{?ext_man}