From c3baa6d82e5cbdbf7290386d4e03d2b7cf8c68c3bca9667819244d5a752601c1 Mon Sep 17 00:00:00 2001 
From: David Anes Date: Mon, 27 Jun 2022 15:29:40 +0000 Subject: [PATCH 1/2] Accepting request 985355 from home:david.anes:branches:devel:libraries:c_c++ - Update to 7.84.0: * Security fixes: - (bsc#1200737, CVE-2022-32208): FTP-KRB bad message verification - (bsc#1200736, CVE-2022-32207): Unpreserved file permissions - (bsc#1200735, CVE-2022-32206): HTTP compression denial of service - (bsc#1200734, CVE-2022-32205): Set-Cookie denial of service * Changes: - curl: add --rate to set max request rate per time unit - curl: deprecate --random-file and --egd-file - curl_version_info: add CURL_VERSION_THREADSAFE - CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl - lib: make curl_global_init() threadsafe when possible - libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION - opts: deprecate RANDOM_FILE and EGDSOCKET - socks: support unix sockets for socks proxy * Bugfixes: - aws-sigv4: fix potentional NULL pointer arithmetic - bindlocal: don't use a random port if port number would wrap - c-hyper: mark status line as status for Curl_client_write() - ci: avoid `cmake -Hpath` - CI: bump FreeBSD 13.0 to 13.1 - ci: update github actions - cmake: add libpsl support - cmake: do not add libcurl.rc to the static libcurl library - cmake: enable curl.rc for all Windows targets - cmake: fix detecting libidn2 - cmake: support adding a suffix to the OS value - configure: skip libidn2 detection when winidn is used - configure: use the SED value to invoke sed - configure: warn about rustls being experimental OBS-URL: https://build.opensuse.org/request/show/985355 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=314 --- curl-7.83.1.tar.xz | 3 - curl-7.83.1.tar.xz.asc | 11 ---- curl-7.84.0.tar.xz | 3 + curl-7.84.0.tar.xz.asc | 11 ++++ curl.changes | 143 +++++++++++++++++++++++++++++++++++++++++ curl.spec | 2 +- 6 files changed, 158 insertions(+), 15 deletions(-) delete mode 100644 curl-7.83.1.tar.xz delete mode 100644 curl-7.83.1.tar.xz.asc create 
mode 100644 curl-7.84.0.tar.xz create mode 100644 curl-7.84.0.tar.xz.asc diff --git a/curl-7.83.1.tar.xz b/curl-7.83.1.tar.xz deleted file mode 100644 index 6f62ee3..0000000 --- a/curl-7.83.1.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2cb9c2356e7263a1272fd1435ef7cdebf2cd21400ec287b068396deb705c22c4 -size 2474940 diff --git a/curl-7.83.1.tar.xz.asc b/curl-7.83.1.tar.xz.asc deleted file mode 100644 index ccf52f7..0000000 --- a/curl-7.83.1.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmJ7VmgACgkQXMkI/bce -EsIa0AgAtFdypCmQsOZ8FYXMjbXoVO6K76fTRwkAIZEn+s/vvmBhTkmGEyZTGg0k -CV9ohHn7bLJcc0Y1eQbrZNjOKJmKF2TINaDuQ7YJGoLVm7PmmoA5TGdVVG2yMGah -pW8PPmiQFNCBuAgqwCEJ3/1XAgU0nn8KVi3R0it40Z07OrXozaMXpox7kd6HNOuV -fogzCtmWyKl4+bo5BJ/6Vno89juLciyM7SZfeMuonCwmSP8mMufY0NBAsamySJ63 -BEMJR/3TKaam6UBsBDiG2+LOaWaFoF9rwIKg9kifldWBoeEioQENrbk0xg1T0LvT -JDyoX8lCqfFJPJSNzloolHEpvmx5iw== -=XcGf ------END PGP SIGNATURE----- diff --git a/curl-7.84.0.tar.xz b/curl-7.84.0.tar.xz new file mode 100644 index 0000000..1002b6a --- /dev/null +++ b/curl-7.84.0.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2d118b43f547bfe5bae806d8d47b4e596ea5b25a6c1f080aef49fbcd817c5db8 +size 2477944 diff --git a/curl-7.84.0.tar.xz.asc b/curl-7.84.0.tar.xz.asc new file mode 100644 index 0000000..bd39fcc --- /dev/null +++ b/curl-7.84.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmK5SoUACgkQXMkI/bce +EsKDNQgAhJOD5v9j8Njhb09goLU4rHW4qCQjfhmWPEHyWqFSw4WUaBpZkNR5SzIO +wpEGgCbxbpmsfQuGeguc100hESCCjHlZlUcNDfCF0YoWt+cRKvCyR278GcqLJajH +DL5kXeq8QCkL9o1M7lmNfJn5Dmd7CcU+ALryKz6O1T7vYeZZzAYA9zZ5D0NORsil +F9n1ZjwI6r7m+S73qkI5+7LQHgtP5EkwJODVorEhmZPZAPldMxCv3yn3HwSmtzaq +JbYKsHrDh1BFCo1auSpK4LBKWBOIpYCqW0jvwnsShw72dgYGHR9uu/YMgDz18OeS +hWWVocRxW2GW+Y3dBi1PF9an3/J0nQ== +=Oe40 +-----END PGP SIGNATURE----- 
diff --git a/curl.changes b/curl.changes
index e89f7d4..1eb9dc5 100644
--- a/curl.changes
+++ b/curl.changes
@@ -1,3 +1,146 @@
+-------------------------------------------------------------------
+Mon Jun 27 14:36:10 UTC 2022 - David Anes
+
+- Update to 7.84.0:
+ * Security fixes:
+ - (bsc#1200737, CVE-2022-32208): FTP-KRB bad message verification
+ - (bsc#1200736, CVE-2022-32207): Unpreserved file permissions
+ - (bsc#1200735, CVE-2022-32206): HTTP compression denial of service
+ - (bsc#1200734, CVE-2022-32205): Set-Cookie denial of service
+ * Changes:
+ - curl: add --rate to set max request rate per time unit
+ - curl: deprecate --random-file and --egd-file
+ - curl_version_info: add CURL_VERSION_THREADSAFE
+ - CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl
+ - lib: make curl_global_init() threadsafe when possible
+ - libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION
+ - opts: deprecate RANDOM_FILE and EGDSOCKET
+ - socks: support unix sockets for socks proxy
+ * Bugfixes:
+ - aws-sigv4: fix potentional NULL pointer arithmetic
+ - bindlocal: don't use a random port if port number would wrap
+ - c-hyper: mark status line as status for Curl_client_write()
+ - ci: avoid `cmake -Hpath`
+ - CI: bump FreeBSD 13.0 to 13.1
+ - ci: update github actions
+ - cmake: add libpsl support
+ - cmake: do not add libcurl.rc to the static libcurl library
+ - cmake: enable curl.rc for all Windows targets
+ - cmake: fix detecting libidn2
+ - cmake: support adding a suffix to the OS value
+ - configure: skip libidn2 detection when winidn is used
+ - configure: use the SED value to invoke sed
+ - configure: warn about rustls being experimental
+ - content_encoding: return error on too many compression steps
+ - cookie: address secure domain overlay
+ - cookie: apply limits
+ - copyright.pl: parse and use .reuse/dep5 for skips
+ - copyright: make repository REUSE compliant
+ - curl.1: add a few see also --tls-max
+ - curl.1: mention exit code zero too
+ - curl: re-enable --no-remote-name
+ - curl_easy_pause.3: remove explanation of progress function
+ - curl_getdate.3: document that some illegal dates pass through
+ - Curl_parsenetrc: don't access local pwbuf outside of scope
+ - curl_url_set.3: clarify by default using known schemes only
+ - CURLOPT_ALTSVC.3: document the file format
+ - CURLOPT_FILETIME.3: fix the protocols this works with
+ - CURLOPT_HTTPHEADER.3: improve comment in example
+ - CURLOPT_NETRC.3: document the .netrc file format
+ - CURLOPT_PORT.3: We discourage using this option
+ - CURLOPT_RANGE.3: remove ranged upload advice
+ - digest: added detection of more syntax error in server headers
+ - digest: tolerate missing "realm"
+ - digest: unquote realm and nonce before processing
+ - DISABLED: disable 1021 for hyper again
+ - docs/cmdline-opts: add copyright and license identifier to each file
+ - docs/CONTRIBUTE.md: document the 'needs-votes' concept
+ - docs: clarify data replacement policy for MIME API
+ - doh: remove UNITTEST macro definition
+ - examples/crawler.c: use the curl license
+ - examples: remove fopen.c and rtsp.c
+ - FAQ: Clarify Windows double quote usage
+ - fopen: add Curl_fopen() for better overwriting of files
+ - ftp: restore protocol state after http proxy CONNECT
+ - ftp: when failing to do a secure GSSAPI login, fail hard
+ - GHA/hyper: enable debug in the build
+ - gssapi: improve handling of errors from gss_display_status
+ - gssapi: initialize gss_buffer_desc strings
+ - headers api: remove EXPERIMENTAL tag
+ - http2: always debug print stream id in decimal with %u
+ - http2: reject overly many push-promise headers
+ - http: restore header folding behavior
+ - hyper: use 'alt-used'
+ - krb5: return error properly on decode errors
+ - lib: make more protocol specific struct fields #ifdefed
+ - libcurl-security.3: add "Secrets in memory"
+ - libcurl-security.3: document CRLF header injection
+ - libssh: skip the fake-close when libssh does the right thing
+ - links: update dead links to the curl-wiki
+ - log2changes: do not indent empty lines [ci skip]
+ - macos9: remove partial support
+ - Makefile.am: fix portability issues
+ - Makefile.m32: delete obsolete options, improve -On [ci skip]
+ - Makefile.m32: delete two obsolete OpenSSL options [ci skip]
+ - Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip]
+ - max-time.d: clarify max-time sets max transfer time
+ - mprintf: ignore clang non-literal format string
+ - netrc: check %USERPROFILE% as well on Windows
+ - netrc: support quoted strings
+ - ngtcp2: allow curl to send larger UDP datagrams
+ - ngtcp2: correct use of ngtcp2 and nghttp3 signed integer types
+ - ngtcp2: enable Linux GSO
+ - ngtcp2: extend QUIC transport parameters buffer
+ - ngtcp2: fix alert_read_func return value
+ - ngtcp2: fix typo in preprocessor condition
+ - ngtcp2: handle error from ngtcp2_conn_submit_crypto_data
+ - ngtcp2: send appropriate connection close error code
+ - ngtcp2: support boringssl crypto backend
+ - ngtcp2: use helper funcs to simplify TLS handshake integration
+ - ntlm: provide a fixed fake host name
+ - projects: fix third-party SSL library build paths for Visual Studio
+ - quic: add Curl_quic_idle
+ - quiche: support ca-fallback
+ - rand: stop detecting /dev/urandom in cross-builds
+ - remote-name.d: mention --output-dir
+ - runtests.pl: add the --repeat parameter to the --help output
+ - runtests: fix skipping tests not done event-based
+ - runtests: skip starting the ssh server if user name is lacking
+ - scripts/copyright.pl: fix the exclusion to not ignore man pages
+ - sectransp: check for a function defined when __BLOCKS__ is undefined
+ - select: return error from "lethal" poll/select errors
+ - server/sws: support spaces in the HTTP request path
+ - speed-limit/time.d: mention these affect transfers in either direction
+ - strcase: some optimisations
+ - test 2081: add a valid reply for the second request
+ - test 675: add missing CR so the test passes when run through Privoxy
+ - test414: add the '--resolve' keyword
+ - test681: verify --no-remote-name
+ - tests 266, 116 and 1540: add a small write delay
+ - tests/data/test1501: kill ftp server after slow LIST response
+ - tests/getpart: fix getpartattr to work with "data" and "data2"
+ - tests/server/sws.c: change the HTTP writedelay unit to milliseconds
+ - test{440,441,493,977}: add "HTTP proxy" keywords
+ - tool_getparam: fix --parallel-max maximum value constraint
+ - tool_operate: make sure --fail-with-body works with --retry
+ - transfer: fix potential NULL pointer dereference
+ - transfer: maintain --path-as-is after redirects
+ - transfer: upload performance; avoid tiny send
+ - url: free old conn better on reuse
+ - url: remove redundant #ifdefs in allocate_conn()
+ - url: URL encode the path when extracted, if spaces were set
+ - urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts
+ - urlapi: support CURLU_URLENCODE for curl_url_get()
+ - urldata: reduce size of a few struct fields
+ - urldata: remove three unused booleans from struct UserDefined
+ - urldata: store tcp_keepidle and tcp_keepintvl as ints
+ - version: allow stricmp() for sorting the feature list
+ - vtls: make curl_global_sslset thread-safe
+ - wolfssh.h: removed
+ - wolfssl: correct the failf() message when a handle can't be made
+ - wolfSSL: explicitly use compatibility layer
+ - x509asn1: mark msnprintf return as unchecked
+
 -------------------------------------------------------------------
 Wed May 11 07:11:50 UTC 2022 - David Anes
 
diff --git a/curl.spec b/curl.spec
index 8be82f7..1c4f1b7 100644
--- a/curl.spec
+++ b/curl.spec
@@ -21,7 +21,7 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name: curl
-Version: 7.83.1
+Version: 7.84.0
 Release: 0
 Summary: A Tool for Transferring Data from URLs
 License: curl
From 2485d02a9631c6c2cca7e0bdc5b1d85206dcc5562e3aefe9240ca427e274f4a4 Mon Sep 17 00:00:00 2001
From: Dirk Mueller
Date: Sun, 24 Jul 2022 19:39:09 +0000
Subject: [PATCH 2/2] Accepting request 990903 from home:dirkmueller:Factory - add tests-for-32bit.patch to fix testsuite on 32bit platforms OBS-URL: https://build.opensuse.org/request/show/990903 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=315
---
 curl.changes | 5 +++++
 curl.spec | 1 +
 tests-for-32bit.patch | 30 ++++++++++++++++++++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 tests-for-32bit.patch
diff --git a/curl.changes b/curl.changes
index 1eb9dc5..41d2a5e 100644
--- a/curl.changes
+++ b/curl.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Sun Jul 24 19:37:01 UTC 2022 - Dirk Müller
+
+- add tests-for-32bit.patch to fix testsuite on 32bit platforms
+
 -------------------------------------------------------------------
 Mon Jun 27 14:36:10 UTC 2022 - David Anes
 
diff --git a/curl.spec b/curl.spec
index 1c4f1b7..c3c5248 100644
--- a/curl.spec
+++ b/curl.spec
@@ -35,6 +35,7 @@ Patch1: dont-mess-with-rpmoptflags.patch
 Patch2: curl-secure-getenv.patch
 #PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled
 Patch3: curl-disabled-redirect-protocol-message.patch
+Patch4: https://github.com/curl/curl/commit/0484127805dc2cb7c743b67e017a725b5369227d.patch#/tests-for-32bit.patch
 BuildRequires: libtool
 BuildRequires: pkgconfig
 Requires: libcurl4 = %{version}
diff --git a/tests-for-32bit.patch b/tests-for-32bit.patch
new file mode 100644
index 0000000..a9bc906
--- /dev/null
+++ b/tests-for-32bit.patch
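Review bot: The added `Patch4:` line only declares the patch, and the diffstat shows it is the single line this commit adds to curl.spec, so no apply step comes with it. If `%prep` (outside this hunk) uses explicit `%patchN` macros rather than `%autosetup` or `%autopatch`, tests-for-32bit.patch is never applied and the 32-bit test failure stays; that needs confirming there. The line also lacks the origin tag its neighbour carries (`#PATCH-FIX-OPENSUSE bsc#1076446 ...` above `Patch3:`); a comment such as `#PATCH-FIX-UPSTREAM lib3026: reduce the number of threads to 100` above it would record where it came from. The commit id in the URL matches the `From 0484127805dc2cb7c743b67e017a725b5369227d` header of the checked-in patch file, and the two should stay in step if the patch is refreshed.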
@@ -0,0 +1,30 @@
+From 0484127805dc2cb7c743b67e017a725b5369227d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sun, 17 Jul 2022 23:48:22 +0200
+Subject: [PATCH] lib3026: reduce the number of threads to 100
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Down from 1000, to make it run and work in more systems.
+
+Fixes #9172
+Reported-by: Érico Nogueira Rolim
+Closes #9173
+---
+ tests/libtest/lib3026.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c
+index 43fe33529e1f0..496a23f3cabd6 100644
+--- a/tests/libtest/lib3026.c
++++ b/tests/libtest/lib3026.c
+@@ -30,7 +30,7 @@
+ #include
+ #include
+
+-#define NUM_THREADS 1000
++#define NUM_THREADS 100
+
+ static void *run_thread(void *ptr)
+ {