From 2412b5ba5090c2ce3680c15a73e424ec27d17d4340e01f3c0cb9f34210d8ea2b Mon Sep 17 00:00:00 2001 
From: Pedro Monreal Gonzalez Date: Wed, 22 May 2019 17:50:36 +0000 Subject: [PATCH] Accepting request 704763 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - Update to 7.65.0 [bsc#1135176, CVE-2019-5435][bsc#1135170, CVE-2019-5436] * Changes: - CURLOPT_DNS_USE_GLOBAL_CACHE: removed - CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse - pipelining: removed * Bugfixes: - CVE-2019-5435: Integer overflows in curl_url_set - CVE-2019-5436: tftp: use the current blksize for recvfrom() - --config: clarify that initial : and = might need quoting - CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk - CURLOPT_ADDRESS_SCOPE: fix range check and more - CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value - CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE - CURL_MAX_INPUT_LENGTH: largest acceptable string input size - Curl_disconnect: treat all CONNECT_ONLY connections as "dead" - OS400/ccsidcurl: replace use of Curl_vsetopt - OpenSSL: Report -fips in version if OpenSSL is built with FIPS - WRITEFUNCTION: add missing set_in_callback around callback - altsvc: Fix building with cookies disabled - auth: Rename the various authentication clean up functions - base64: build conditionally if there are users - cmake: avoid linking executable for some tests with cmake 3.6+ - cmake: clear CMAKE_REQUIRED_LIBRARIES after each use - cmake: set SSL_BACKENDS - configure: avoid unportable '==' test(1) operator - configure: error out if OpenSSL wasn't detected when asked for - configure: fix default location for fish completions - cookie: Guard against possible NULL ptr deref - curl: make code work with protocol-disabled libcurl - curl: report error for "--no-" on non-boolean options OBS-URL: https://build.opensuse.org/request/show/704763 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=253 --- curl-7.64.1.tar.xz | 3 -- curl-7.64.1.tar.xz.asc | 11 ----- curl-7.65.0.tar.xz | 3 ++ curl-7.65.0.tar.xz.asc | 11 
+++++ curl-mini.changes | 101 +++++++++++++++++++++++++++++++++++++++++ curl-mini.spec | 8 ++-- curl.changes | 101 +++++++++++++++++++++++++++++++++++++++++ curl.spec | 8 ++-- 8 files changed, 224 insertions(+), 22 deletions(-) delete mode 100644 curl-7.64.1.tar.xz delete mode 100644 curl-7.64.1.tar.xz.asc create mode 100644 curl-7.65.0.tar.xz create mode 100644 curl-7.65.0.tar.xz.asc
diff --git a/curl-7.64.1.tar.xz b/curl-7.64.1.tar.xz
deleted file mode 100644
index 6043169..0000000
--- a/curl-7.64.1.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9252332a7f871ce37bfa7f78bdd0a0e3924d8187cc27cb57c76c9474a7168fb3
-size 2385360
diff --git a/curl-7.64.1.tar.xz.asc b/curl-7.64.1.tar.xz.asc
deleted file mode 100644
index 0f723ce..0000000
--- a/curl-7.64.1.tar.xz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlybHwMACgkQXMkI/bce
-EsIlxQf+LUj/zeWzTgxXIFgtfba+RKb66RpWhgzKLBpiGFQjhckILFJ+Li625SE3
-9fCrIslGuY2S4G6fRH1qEIZVglpA185sTeY241/JK788ftJFFQd2GtM/+Ysrla5h
-zc2wD3amDXcROWI+QIl/dBy7xRnW8TSTMu2sEPLarsNtXK9EC+h/WIkeYW1amMf2
-a8vRFwXFZ7OrEiq7A0avvmbrQVgIIGP/zyz44ZN00PPgLm40c1rngHGBJJzEMVSS
-ClZ+wUQ+AyamL3Ls9a+V3SF3IuVrFInjv5Y1OshPULaqL2VxPsCVw67sCVouePMS
-J0u3GZPsE+sVbx7cHCfZFdSnutFBKQ==
-=WUio
------END PGP SIGNATURE-----
diff --git a/curl-7.65.0.tar.xz b/curl-7.65.0.tar.xz
new file mode 100644
index 0000000..2dddbfb
--- /dev/null
+++ b/curl-7.65.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7766d263929404f693905b5e5222aa0f2bdf8c66ab4b8758f0c0820a42b966cd
+size 2392324
diff --git a/curl-7.65.0.tar.xz.asc b/curl-7.65.0.tar.xz.asc
new file mode 100644
index 0000000..fe0b24d
--- /dev/null
+++ b/curl-7.65.0.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlzk438ACgkQXMkI/bce
+EsITWggAgk129Kxp4Br7Nn2+vyygKwv3dDEm87wJVuQka8gT2pZ9ZVQ6rEX9j0sR
+RETf8KrEbSlOBgl2EJpgToL5kgiMCweTXced3VY2szVVibenBa2Zd9MpSl5Sf7hH
+axinhdvEPNH+w8WuprEqZh+d/T5grAxChPJz4bLqKQI5fw5T3IuMfYTjZqx8DkOt
+4FekihWCr6N/nW9BFOz8H19GFtotYSwoPvQJ+RmB7+Zt7ruHjRgyINCgxbWPvs4P
+eZNWykqQ9FaXLSoJQYjLvEx0smye0bxSu3EIYBeL60fiFWJaSHQPyfBgC3JC+dD6
+ufxhEk814I4XzPaRFTLjgzjmTqRMPw==
+=4VIp
+-----END PGP SIGNATURE-----
diff --git a/curl-mini.changes b/curl-mini.changes
index 6d2f0ff..a37aee9 100644
--- a/curl-mini.changes
+++ b/curl-mini.changes
@@ -1,3 +1,104 @@
+-------------------------------------------------------------------
+Wed May 22 11:41:49 UTC 2019 - Pedro Monreal Gonzalez
+
+- Update to 7.65.0 [bsc#1135176, CVE-2019-5435][bsc#1135170, CVE-2019-5436]
+ * Changes:
+ - CURLOPT_DNS_USE_GLOBAL_CACHE: removed
+ - CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse
+ - pipelining: removed
+ * Bugfixes:
+ - CVE-2019-5435: Integer overflows in curl_url_set
+ - CVE-2019-5436: tftp: use the current blksize for recvfrom()
+ - --config: clarify that initial : and = might need quoting
+ - CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk
+ - CURLOPT_ADDRESS_SCOPE: fix range check and more
+ - CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value
+ - CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE
+ - CURL_MAX_INPUT_LENGTH: largest acceptable string input size
+ - Curl_disconnect: treat all CONNECT_ONLY connections as "dead"
+ - OS400/ccsidcurl: replace use of Curl_vsetopt
+ - OpenSSL: Report -fips in version if OpenSSL is built with FIPS
+ - WRITEFUNCTION: add missing set_in_callback around callback
+ - altsvc: Fix building with cookies disabled
+ - auth: Rename the various authentication clean up functions
+ - base64: build conditionally if there are users
+ - cmake: avoid linking executable for some tests with cmake 3.6+
+ - cmake: clear CMAKE_REQUIRED_LIBRARIES after each use
+ - cmake: set SSL_BACKENDS
+ - configure: avoid unportable '==' test(1) operator
+ - configure: error out if OpenSSL wasn't detected when asked for
+ - configure: fix default location for fish completions
+ - cookie: Guard against possible NULL ptr deref
+ - curl: make code work with protocol-disabled libcurl
+ - curl: report error for "--no-" on non-boolean options
+ - curlver.h: use parenthesis in CURL_VERSION_BITS macro
+ - docs/INSTALL: fix broken link
+ - doh: acknowledge CURL_DISABLE_DOH
+ - doh: disable DOH for the cases it doesn't work
+ - examples: remove unused variables
+ - ftplistparser: fix LGTM alert "Empty block without comment"
+ - hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS
+ - http: Ignore HTTP/2 prior knowledge setting for HTTP proxies
+ - http: acknowledge CURL_DISABLE_HTTP_AUTH
+ - http: mark bundle as not for multiuse on < HTTP/2 response
+ - http_digest: Don't expose functions when HTTP and Crypto Auth are disabled
+ - http_negotiate: do not treat failure of gss_init_sec_context() as fatal
+ - http_ntlm: Corrected the name of the include guard
+ - http_ntlm_wb: Handle auth for only a single request
+ - http_ntlm_wb: Return the correct error on receiving an empty auth message
+ - lib509: add missing include for strdup
+ - lib557: initialize variables
+ - mbedtls: enable use of EC keys
+ - mime: acknowledge CURL_DISABLE_MIME
+ - multi: improved HTTP_1_1_REQUIRED handling
+ - netrc: acknowledge CURL_DISABLE_NETRC
+ - nss: allow fifos and character devices for certificates
+ - nss: provide more specific error messages on failed init
+ - ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup
+ - ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
+ - openssl: mark connection for close on TLS close_notify
+ - openvms: Remove pre-processor for SecureTransport
+ - parse_proxy: use the URL parser API
+ - parsedate: disabled on CURL_DISABLE_PARSEDATE
+ - pingpong: disable more when no pingpong protocols are enabled
+ - polarssl_threadlock: remove conditionally unused code
+ - progress: acknowledge CURL_DISABLE_PROGRESS_METER
+ - proxy: acknowledge DISABLE_PROXY more
+ - resolve: apply Happy Eyeballs philosophy to parallel c-ares queries
+ - revert "multi: support verbose conncache closure handle"
+ - sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616
+ - sasl: only enable if there's a protocol enabled using it
+ - singleipconnect: show port in the verbose "Trying ..." message
+ - socks5: user name and passwords must be shorter than 256
+ - socks: fix error message
+ - socksd: new SOCKS 4+5 server for tests
+ - spnego_gssapi: fix return code on gss_init_sec_context() failure
+ - ssh-libssh: remove unused variable
+ - ssh: define USE_SSH if SSH is enabled (any backend)
+ - ssh: move variable declaration to where it's used
+ - test1002: correct the name
+ - test2100: Fix typos in test description
+ - tests: Run global cleanup at end of tests
+ - tests: make Impacket (SMB server) Python 3 compatible
+ - tool_cb_wrt: fix bad-function-cast warning
+ - tool_formparse: remove redundant assignment
+ - tool_help: Warn if curl and libcurl versions do not match
+ - tool_help: include for strcasecmp
+ - url: always clone the CUROPT_CURLU handle
+ - url: convert the zone id from a IPv6 URL to correct scope id
+ - urlapi: add CURLUPART_ZONEID to set and get
+ - urlapi: increase supported scheme length to 40 bytes
+ - urlapi: require a non-zero host name length when parsing URL
+ - urlapi: stricter CURLUPART_PORT parsing
+ - urlapi: strip off zone id from numerical IPv6 addresses
+ - urlapi: urlencode characters above 0x7f correctly
+ - vauth/cleartext: update the PLAIN login to match RFC 4616
+ - vauth/oauth2: Fix OAUTHBEARER token generation
+ - vauth: Fix incorrect function description for Curl_auth_user_contains_domain
+ - vtls: fix potential ssl_buffer stack overflow
+ - wildcard: disable from build when FTP isn't present
+ - xattr: skip unittest on unsupported platforms
+
 -------------------------------------------------------------------
 Tue Apr 9 12:11:46 UTC 2019 - Pedro Monreal Gonzalez
diff --git a/curl-mini.spec b/curl-mini.spec
index d79f209..c3d8b31 100644
--- a/curl-mini.spec
+++ b/curl-mini.spec
@@ -29,7 +29,7 @@ # need ssl always for python-pycurl
 %bcond_without openssl
 Name: curl-mini
-Version: 7.64.1
+Version: 7.65.0
 Release: 0
 Summary: A Tool for Transferring Data from URLs
 License: curl
@@ -204,15 +204,15 @@ popd
 %files
 %doc README RELEASE-NOTES
-%doc docs/{BUGS,FAQ,FEATURES,MANUAL,RESOURCES,TODO,TheArtOfHttpScripting}
+%doc docs/{BUGS,FAQ,FEATURES,RESOURCES,TODO,TheArtOfHttpScripting}
 %{_bindir}/curl
 %{_datadir}/zsh/site-functions/_curl
 %{_mandir}/man1/curl.1%{ext_man}
 %dir %{_datadir}/zsh
 %dir %{_datadir}/zsh/site-functions
 %dir %{_datadir}/fish/
-%dir %{_datadir}/fish/completions/
-%{_datadir}/fish/completions/curl.fish
+%dir %{_datadir}/fish/vendor_completions.d/
+%{_datadir}/fish/vendor_completions.d/curl.fish
 %files -n libcurl4%{?mini}
 %license COPYING
diff --git a/curl.changes b/curl.changes
index 6d2f0ff..a37aee9 100644
--- a/curl.changes
+++ b/curl.changes
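Review bot: `MANUAL` is removed from the `%doc docs/{…}` line in this `%files` hunk of curl-mini.spec, but the 7.65.0 changelog entry added by the same commit does not mention it, so the package stops shipping that document with no record of why. If upstream renamed the file rather than deleting it (not visible from this patch), the list should carry the new name; otherwise the .changes entry should say so, for example `- Drop docs/MANUAL from %doc` with the reason filled in. The move to `fish/vendor_completions.d/` is consistent with the changelog item `configure: fix default location for fish completions`. The same point applies to the matching hunk in curl.spec (`@@ -202,15 +202,15 @@`), and the `%files` section continues outside both hunks.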
@@ -1,3 +1,104 @@
+-------------------------------------------------------------------
+Wed May 22 11:41:49 UTC 2019 - Pedro Monreal Gonzalez
+
+- Update to 7.65.0 [bsc#1135176, CVE-2019-5435][bsc#1135170, CVE-2019-5436]
+ * Changes:
+ - CURLOPT_DNS_USE_GLOBAL_CACHE: removed
+ - CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse
+ - pipelining: removed
+ * Bugfixes:
+ - CVE-2019-5435: Integer overflows in curl_url_set
+ - CVE-2019-5436: tftp: use the current blksize for recvfrom()
+ - --config: clarify that initial : and = might need quoting
+ - CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk
+ - CURLOPT_ADDRESS_SCOPE: fix range check and more
+ - CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value
+ - CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE
+ - CURL_MAX_INPUT_LENGTH: largest acceptable string input size
+ - Curl_disconnect: treat all CONNECT_ONLY connections as "dead"
+ - OS400/ccsidcurl: replace use of Curl_vsetopt
+ - OpenSSL: Report -fips in version if OpenSSL is built with FIPS
+ - WRITEFUNCTION: add missing set_in_callback around callback
+ - altsvc: Fix building with cookies disabled
+ - auth: Rename the various authentication clean up functions
+ - base64: build conditionally if there are users
+ - cmake: avoid linking executable for some tests with cmake 3.6+
+ - cmake: clear CMAKE_REQUIRED_LIBRARIES after each use
+ - cmake: set SSL_BACKENDS
+ - configure: avoid unportable '==' test(1) operator
+ - configure: error out if OpenSSL wasn't detected when asked for
+ - configure: fix default location for fish completions
+ - cookie: Guard against possible NULL ptr deref
+ - curl: make code work with protocol-disabled libcurl
+ - curl: report error for "--no-" on non-boolean options
+ - curlver.h: use parenthesis in CURL_VERSION_BITS macro
+ - docs/INSTALL: fix broken link
+ - doh: acknowledge CURL_DISABLE_DOH
+ - doh: disable DOH for the cases it doesn't work
+ - examples: remove unused variables
+ - ftplistparser: fix LGTM alert "Empty block without comment"
+ - hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS
+ - http: Ignore HTTP/2 prior knowledge setting for HTTP proxies
+ - http: acknowledge CURL_DISABLE_HTTP_AUTH
+ - http: mark bundle as not for multiuse on < HTTP/2 response
+ - http_digest: Don't expose functions when HTTP and Crypto Auth are disabled
+ - http_negotiate: do not treat failure of gss_init_sec_context() as fatal
+ - http_ntlm: Corrected the name of the include guard
+ - http_ntlm_wb: Handle auth for only a single request
+ - http_ntlm_wb: Return the correct error on receiving an empty auth message
+ - lib509: add missing include for strdup
+ - lib557: initialize variables
+ - mbedtls: enable use of EC keys
+ - mime: acknowledge CURL_DISABLE_MIME
+ - multi: improved HTTP_1_1_REQUIRED handling
+ - netrc: acknowledge CURL_DISABLE_NETRC
+ - nss: allow fifos and character devices for certificates
+ - nss: provide more specific error messages on failed init
+ - ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup
+ - ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
+ - openssl: mark connection for close on TLS close_notify
+ - openvms: Remove pre-processor for SecureTransport
+ - parse_proxy: use the URL parser API
+ - parsedate: disabled on CURL_DISABLE_PARSEDATE
+ - pingpong: disable more when no pingpong protocols are enabled
+ - polarssl_threadlock: remove conditionally unused code
+ - progress: acknowledge CURL_DISABLE_PROGRESS_METER
+ - proxy: acknowledge DISABLE_PROXY more
+ - resolve: apply Happy Eyeballs philosophy to parallel c-ares queries
+ - revert "multi: support verbose conncache closure handle"
+ - sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616
+ - sasl: only enable if there's a protocol enabled using it
+ - singleipconnect: show port in the verbose "Trying ..." message
+ - socks5: user name and passwords must be shorter than 256
+ - socks: fix error message
+ - socksd: new SOCKS 4+5 server for tests
+ - spnego_gssapi: fix return code on gss_init_sec_context() failure
+ - ssh-libssh: remove unused variable
+ - ssh: define USE_SSH if SSH is enabled (any backend)
+ - ssh: move variable declaration to where it's used
+ - test1002: correct the name
+ - test2100: Fix typos in test description
+ - tests: Run global cleanup at end of tests
+ - tests: make Impacket (SMB server) Python 3 compatible
+ - tool_cb_wrt: fix bad-function-cast warning
+ - tool_formparse: remove redundant assignment
+ - tool_help: Warn if curl and libcurl versions do not match
+ - tool_help: include for strcasecmp
+ - url: always clone the CUROPT_CURLU handle
+ - url: convert the zone id from a IPv6 URL to correct scope id
+ - urlapi: add CURLUPART_ZONEID to set and get
+ - urlapi: increase supported scheme length to 40 bytes
+ - urlapi: require a non-zero host name length when parsing URL
+ - urlapi: stricter CURLUPART_PORT parsing
+ - urlapi: strip off zone id from numerical IPv6 addresses
+ - urlapi: urlencode characters above 0x7f correctly
+ - vauth/cleartext: update the PLAIN login to match RFC 4616
+ - vauth/oauth2: Fix OAUTHBEARER token generation
+ - vauth: Fix incorrect function description for Curl_auth_user_contains_domain
+ - vtls: fix potential ssl_buffer stack overflow
+ - wildcard: disable from build when FTP isn't present
+ - xattr: skip unittest on unsupported platforms
+
 -------------------------------------------------------------------
 Tue Apr 9 12:11:46 UTC 2019 - Pedro Monreal Gonzalez
diff --git a/curl.spec b/curl.spec
index 94e5059..48fe775 100644
--- a/curl.spec
+++ b/curl.spec
@@ -27,7 +27,7 @@ # need ssl always for python-pycurl
 %bcond_without openssl
 Name: curl
-Version: 7.64.1
+Version: 7.65.0
 Release: 0
 Summary: A Tool for Transferring Data from URLs
 License: curl
@@ -202,15 +202,15 @@ popd
 %files
 %doc README RELEASE-NOTES
-%doc docs/{BUGS,FAQ,FEATURES,MANUAL,RESOURCES,TODO,TheArtOfHttpScripting}
+%doc docs/{BUGS,FAQ,FEATURES,RESOURCES,TODO,TheArtOfHttpScripting}
 %{_bindir}/curl
 %{_datadir}/zsh/site-functions/_curl
 %{_mandir}/man1/curl.1%{ext_man}
 %dir %{_datadir}/zsh
 %dir %{_datadir}/zsh/site-functions
 %dir %{_datadir}/fish/
-%dir %{_datadir}/fish/completions/
-%{_datadir}/fish/completions/curl.fish
+%dir %{_datadir}/fish/vendor_completions.d/
+%{_datadir}/fish/vendor_completions.d/curl.fish
 %files -n libcurl4%{?mini}
 %license COPYING