Accepting request 1044030 from home:david.anes:branches:devel:libraries:c_c++

- Update to 7.87.0: * Security fixes: - CVE-2022-43551, bsc#1206308: another HSTS bypass via IDN - CVE-2022-43552, bsc#1206309: HTTP Proxy deny use-after-free * Changes - curl: add --url-query - CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit - lib: add CURL_WRITEFUNC_ERROR to signal write callback error - openssl: reduce CA certificate bundle reparsing by caching - version: add a feature names array to curl_version_info_data * Bugfixes - altsvc: fix rejection of negative port numbers - aws_sigv4: consult x-%s-content-sha256 for payload hash - aws_sigv4: fix typos in aws_sigv4.c - base64: better alloc size - base64: encode without using snprintf - base64: faster base64 decoding - build: assume assert.h is always available - build: assume errno.h is always available - c-hyper: CONNECT respones are not server responses - c-hyper: fix multi-request mechanism - CI: Change FreeBSD image from 12.3 to 12.4 - CI: LGTM.com will be shut down in December 2022 - ci: Remove zuul fuzzing job as it's superseded by CIFuzz - cmake: check for cross-compile, not for toolchain - CMake: fix build with `CURL_USE_GSSAPI` - cmake: really enable warnings with clang - cmake: set the soname on the shared library - cmdline-opts/gen.pl: fix the linkifier - cmdline-opts/page-footer: remove long option nroff formatting OBS-URL: https://build.opensuse.org/request/show/1044030 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=325
2022-12-21 09:09:08 +00:00 · 2022-12-21 09:09:08 +00:00 · 2c31e47564
commit 2c31e47564
parent ad1aae2453
7 changed files with 208 additions and 39 deletions
--- a/curl-7.86.0.tar.xz
+++ b/curl-7.86.0.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2d61116e5f485581f6d59865377df4463f2e788677ac43222b496d4e49fb627b
-size 2518356
--- a/curl-7.86.0.tar.xz.asc
+++ b/curl-7.86.0.tar.xz.asc
@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmNY0SQACgkQXMkI/bce
-EsL3Cgf/Ru1crW1U4Hrtc8yw2TwWD+H7jm5VTOqQ96JYvApMihrAjh1uMNjCZSSI
-8yzx7E/dVSdY96yQfSdO7M+4eG39oFRvaaKvajf0f1yjUAvc1/zDCfKsjuguttwZ
-QaEl/0Gx72cvtLd2NuHxEL4cDr8xa7BExFG0JKF7x4InC6zyrz4k4oOKnWmDZeAE
-4HyjPzz4oHfQpVJvXyzsLBc5P06tmBnjIBjHzwjqLeToww0uFdd7uvUfvjGBYUYY
-I++pgtgeBPuVAbP+68k9mYkFfWu+SfWqaP/RItXFa8u0SR2oZOtgFGSmy1zDbUqr
-HXur6+I4t5RTqvjU8tHk4LMXvpkaJQ==
-=R4m5
-----END PGP SIGNATURE-----
--- a/curl-7.87.0.tar.xz
+++ b/curl-7.87.0.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ee5f1a1955b0ed413435ef79db28b834ea5f0fb7c8cfb1ce47175cc3bee08fff
+size 2547932
--- a/curl-7.87.0.tar.xz.asc
+++ b/curl-7.87.0.tar.xz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmOisGkACgkQXMkI/bce
+EsKLAAf/WdvGEmSBxxwitr1Rum4jYt95082FWrRR/C6bhGtMI/K2DE8gpmywONQ8
+NsM0p91wu/sgXG5+mnkyZsD3e5d4ykpGzYBVJS81dcXnKKdCko35p6vZC+gmxy+p
+MGeYyOalhWCvubCCOeATownD70u4qNgl+8qGBWCes33OyEfyeVjXyNVQWqQU1vpP
+ZY54egD3dyVIWF7r61Fdi1zZEeHo3zF6RQwV1alnezqSBcvZFQDHKBIGwl3h9cUk
+iImyEoNvuWs0IVbPlBw7A4WtlW7shLAICyI9hVdmPBmeAbBGmdFum+RhBgSkzUnp
+XbveJQQzTnI6pg7BeFYUNUA4ZuhWIQ==
+=h6dJ
+-----END PGP SIGNATURE-----
--- a/curl.changes
+++ b/curl.changes
@ -1,3 +1,173 @@
+-------------------------------------------------------------------
+Wed Dec 21 08:19:23 UTC 2022 - David Anes <david.anes@suse.com>
+
+- Update to 7.87.0: 
+  * Security fixes:
+    - CVE-2022-43551, bsc#1206308: another HSTS bypass via IDN
+    - CVE-2022-43552, bsc#1206309: HTTP Proxy deny use-after-free
+  * Changes
+    - curl: add --url-query
+    - CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit
+    - lib: add CURL_WRITEFUNC_ERROR to signal write callback error
+    - openssl: reduce CA certificate bundle reparsing by caching
+    - version: add a feature names array to curl_version_info_data 
+  * Bugfixes
+    - altsvc: fix rejection of negative port numbers
+    - aws_sigv4: consult x-%s-content-sha256 for payload hash
+    - aws_sigv4: fix typos in aws_sigv4.c
+    - base64: better alloc size
+    - base64: encode without using snprintf
+    - base64: faster base64 decoding
+    - build: assume assert.h is always available
+    - build: assume errno.h is always available
+    - c-hyper: CONNECT respones are not server responses
+    - c-hyper: fix multi-request mechanism
+    - CI: Change FreeBSD image from 12.3 to 12.4
+    - CI: LGTM.com will be shut down in December 2022
+    - ci: Remove zuul fuzzing job as it's superseded by CIFuzz
+    - cmake: check for cross-compile, not for toolchain
+    - CMake: fix build with `CURL_USE_GSSAPI`
+    - cmake: really enable warnings with clang
+    - cmake: set the soname on the shared library
+    - cmdline-opts/gen.pl: fix the linkifier
+    - cmdline-opts/page-footer: remove long option nroff formatting
+    - config-mac: define HAVE_SYS_IOCTL_H
+    - config-mac: fix typo: size_T -> size_t
+    - config-mac: remove HAVE_SYS_SELECT_H
+    - config-win32: fix SIZEOF_OFF_T for MSVC and old MinGW
+    - configure: require fork for NTLM-WB
+    - contributors.sh: actually use $CURLWWW instead of just setting it
+    - cookie: compare cookie prefixes case insensitively
+    - cookie: expire cookies at once when max-age is negative
+    - cookie: open cookie jar as a binary file
+    - curl-openssl.m4: do not add $prefix/include/openssl to CPPFLAGS
+    - curl-rustls.m4: on macOS, rustls also needs the Security framework
+    - curl.h: include <sys/select.h> on SerenityOS
+    - curl.h: name all public function parameters
+    - curl.h: reword comment to not use deprecated option
+    - curl: override the numeric locale and set "C" by force
+    - curl: timeout in the read callback
+    - curl_endian: remove Curl_write64_le from header
+    - curl_get_line: allow last line without newline char
+    - curl_path: do not add '/' if homedir ends with one
+    - curl_url_get.3: remove spurious backtick
+    - curl_url_set.3: document CURLU_DISALLOW_USER
+    - curl_url_set.3: fix typo
+    - CURLMOPT_SOCKETFUNCTION.3: clarify CURL_POLL_REMOVE
+    - CURLOPT_COOKIEFILE.3: advice => advise
+    - CURLOPT_DEBUGFUNCTION.3: do not assume nul-termination in example
+    - CURLOPT_DEBUGFUNCTION.3: emphasize that incoming data is "raw"
+    - CURLOPT_POST.3: Explain setting to 0 changes request type
+    - docs/curl_ws_send: Fixed typo in websocket docs
+    - docs/EARLY-RELEASE.md: how to determine an early release
+    - docs/examples: spell correction ('Retrieve')
+    - docs/INSTALL.md: expand on static builds
+    - docs/WEBSOCKET.md: explain the URL use
+    - docs: add missing parameters for --retry flag
+    - docs: add more "SEE ALSO" links to CA related pages
+    - docs: explain the noproxy CIDR notation support
+    - docs: extend the dump-header documentation
+    - docs: remove performance note in CURLOPT_SSL_VERIFYPEER
+    - examples/10-at-a-time: fix possible skipped final transfers
+    - examples: update descriptions
+    - ftp: support growing files with CURLOPT_IGNORE_CONTENT_LENGTH
+    - gen.pl: do not generate CURLHELP bitmask lines > 79 characters
+    - GHA: clarify workflows permissions, set least possible privilege
+    - GHA: NSS use clang instead of clang-9
+    - gnutls: use common gnutls init and verify code for ngtcp2
+    - headers: add endif comments
+    - HTTP-COOKIES.md: mention that http://localhost is a secure context
+    - HTTP-COOKIES.md: update the 6265bis link to draft-11
+    - http: do not send PROXY more than once
+    - http: fix the ::1 comparison for IPv6 localhost for cookies
+    - http: set 'this_is_a_follow' in the Location: logic
+    - http: use the IDN decoded name in HSTS checks
+    - hyper: classify headers as CONNECT and 1XX
+    - hyper: fix handling of hyper_task's when reusing the same address
+    - idn: remove Curl_win32_ascii_to_idn
+    - INSTALL: update operating systems and CPU archs
+    - KNOWN_BUGS: remove eight entries
+    - lib1560: add some basic IDN host name tests
+    - lib: connection filters (cfilter) addition to curl:
+    - lib: feature deprecation warnings in gcc >= 4.3
+    - lib: fix some type mismatches and remove unneeded typecasts
+    - lib: parse numbers with fixed known base 10
+    - lib: remove bad set.opt_no_body assignments
+    - lib: rewind BEFORE request instead of AFTER previous
+    - lib: sync guard for Curl_getaddrinfo_ex() definition and use
+    - lib: use size_t or int etc instead of longs
+    - libcurl-errors.3: remove duplicate word
+    - libssh2: return error when ssh_hostkeyfunc returns error
+    - limit-rate.d: see also --rate
+    - log2changes.pl: wrap long lines at 80 columns
+    - Makefile.mk: address minor issues
+    - Makefile.mk: improve a GNU Make hack
+    - Makefile.mk: portable Makefile.m32
+    - maketgz: set the right version in lib/libcurl.plist
+    - mime: relax easy/mime structures binding
+    - misc: Fix incorrect spelling
+    - misc: remove duplicated include files
+    - misc: typo and grammar fixes
+    - negtelnetserver.py: have it call its close() method
+    - netrc.d: provide mutext info
+    - netware: remove leftover traces
+    - noproxy: also match with adjacent comma
+    - noproxy: guard against empty hostnames in noproxy check
+    - noproxy: tailmatch like in 7.85.0 and earlier
+    - nroff-scan.pl: detect double highlights
+    - ntlm: improve comment for encrypt_des
+    - ntlm: silence ubsan warning about copying from null target_info pointer
+    - openssl/mbedtls: use %d for outputing port with failf (int)
+    - openssl: prefix errors with '[lib]/[version]: '
+    - os400: use platform socklen_t in Curl_getnameinfo_a
+    - page-header: grammar improvement (display transfer rate)
+    - proxy: refactor haproxy protocol handling as connection filter
+    - README.md: remove badges and xmas-tree garnish
+    - rtsp: fix RTSP auth
+    - runtests: --no-debuginfod now disables DEBUGINFOD_URLS
+    - runtests: do CRLF replacements per section only
+    - scripts/checksrc.pl: detect duplicated include files
+    - sendf: change Curl_read_plain to wrap Curl_recv_plain
+    - sendf: remove unnecessary if condition
+    - setup: do not require __MRC__ defined for Mac OS 9 builds
+    - smb/telnet: do not free the protocol struct in *_done()
+    - socks: fix username max size is 255 (0xFF)
+    - spellcheck.words: remove 'github' as an accepted word
+    - ssl-reqd.d: clarify that this is for upgrading connections only
+    - strcase: use curl_str(n)equal for case insensitive matches
+    - styled-output.d: this option does not work on Windows
+    - system.h: fix socklen_t, curl_off_t, long long for Classic Mac OS
+    - system.h: support 64-bit curl_off_t for NonStop 32-bit
+    - test1421: fix typo
+    - test3026: reduce runtime in legacy mingw builds
+    - tests/sshserver.pl: re-enable ssh-rsa while using openssh 8.8+
+    - tests: add authorityInfoAccess to generated certs
+    - tests: add HTTP/3 test case, custom location for proper nghttpx
+    - tls: backends use connection filters for IO, enabling HTTPS-proxy
+    - tool: determine the correct fopen option for -D
+    - tool_cfgable: free the ssl_ec_curves on exit
+    - tool_cfgable: make socks5_gssapi_nec a boolean
+    - tool_formparse: avoid clobbering on function params
+    - tool_getparam: make --no-get work as the opposite of --get
+    - tool_operate: provide better errmsg for -G with bad URL
+    - tool_operate: when aborting, make sure there is a non-NULL error buffer
+    - tool_paramhlp: free the proto strings on exit
+    - url: move back the IDN conversion of proxy names
+    - urlapi: reject more bad letters from the host name: &+()
+    - urldata: change port num storage to int and unsigned short
+    - vms: remove SIZEOF_SHORT
+    - vtls: fix build without proxy support
+    - vtls: localization of state data in filters
+    - WEBSOCKET.md: fix broken link
+    - Websocket: fixes for partial frames and buffer updates
+    - websockets: fix handling of partial frames
+    - windows: fail early with a missing windres in autotools
+    - windows: fix linking .rc to shared curl with autotools
+    - winidn: drop WANT_IDN_PROTOTYPES
+    - ws: if no connection is around, return error
+    - ws: return CURLE_NOT_BUILT_IN when websockets not built in
+    - x509asn1: avoid freeing unallocated pointers 
+
 -------------------------------------------------------------------
 Wed Nov 16 03:09:27 UTC 2022 - Luciano Santos <luc14n0@opensuse.org>

--- a/curl.spec
+++ b/curl.spec
@ -21,7 +21,7 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name:           curl
-Version:        7.86.0
+Version:        7.87.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl
--- a/libcurl-ocloexec.patch
+++ b/libcurl-ocloexec.patch
@ -7,11 +7,11 @@ To make it portable you have to test O_CLOEXEC support at *runtime*
 compile time is not enough.


-Index: curl-7.85.0/lib/file.c
+Index: curl-7.87.0/lib/file.c
 ===================================================================
--- curl-7.85.0.orig/lib/file.c
-+++ curl-7.85.0/lib/file.c
-@@ -222,7 +222,7 @@ static CURLcode file_connect(struct Curl
+--- curl-7.87.0.orig/lib/file.c
+++ curl-7.87.0/lib/file.c
+@@ -232,7 +232,7 @@ static CURLcode file_connect(struct Curl
     }
   }
   #else
@ -20,7 +20,7 @@ Index: curl-7.85.0/lib/file.c
   file->path = real_path;
   #endif
 #endif
-@@ -307,7 +307,7 @@ static CURLcode file_upload(struct Curl_
+@@ -318,7 +318,7 @@ static CURLcode file_upload(struct Curl_
   else
     mode = MODE_DEFAULT|O_TRUNC;
 
@ -29,10 +29,10 @@ Index: curl-7.85.0/lib/file.c
   if(fd < 0) {
     failf(data, "Can't open %s for writing", file->path);
     return CURLE_WRITE_ERROR;
-Index: curl-7.85.0/lib/if2ip.c
+Index: curl-7.87.0/lib/if2ip.c
 ===================================================================
--- curl-7.85.0.orig/lib/if2ip.c
-+++ curl-7.85.0/lib/if2ip.c
+--- curl-7.87.0.orig/lib/if2ip.c
+++ curl-7.87.0/lib/if2ip.c
@@ -206,7 +206,7 @@ if2ip_result_t Curl_if2ip(int af,
   if(len >= sizeof(req.ifr_name))
     return IF2IP_NOT_FOUND;
@ -42,11 +42,11 @@ Index: curl-7.85.0/lib/if2ip.c
   if(CURL_SOCKET_BAD == dummy)
     return IF2IP_NOT_FOUND;
 
-Index: curl-7.85.0/lib/connect.c
+Index: curl-7.87.0/lib/connect.c
 ===================================================================
--- curl-7.85.0.orig/lib/connect.c
-+++ curl-7.85.0/lib/connect.c
-@@ -1651,7 +1651,9 @@ CURLcode Curl_socket(struct Curl_easy *d
+--- curl-7.87.0.orig/lib/connect.c
+++ curl-7.87.0/lib/connect.c
+@@ -1559,7 +1559,9 @@ CURLcode Curl_socket(struct Curl_easy *d
   }
   else
     /* opensocket callback not set, so simply create the socket now */
@ -57,11 +57,11 @@ Index: curl-7.85.0/lib/connect.c
 
   if(*sockfd == CURL_SOCKET_BAD)
     /* no socket, no connection */
-Index: curl-7.85.0/configure.ac
+Index: curl-7.87.0/configure.ac
 ===================================================================
--- curl-7.85.0.orig/configure.ac
-+++ curl-7.85.0/configure.ac
-@@ -335,6 +335,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m
+--- curl-7.87.0.orig/configure.ac
+++ curl-7.87.0/configure.ac
+@@ -347,6 +347,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m
 # Silence warning: ar: 'u' modifier ignored since 'D' is the default
 AC_SUBST(AR_FLAGS, [cr])
 
@ -70,20 +70,19 @@ Index: curl-7.85.0/configure.ac
 dnl This defines _ALL_SOURCE for AIX
 CURL_CHECK_AIX_ALL_SOURCE
 
-Index: curl-7.85.0/lib/hostip.c
+Index: curl-7.87.0/lib/hostip.c
 ===================================================================
--- curl-7.85.0.orig/lib/hostip.c
-+++ curl-7.85.0/lib/hostip.c
-@@ -51,7 +51,7 @@
- #ifdef HAVE_PROCESS_H
- #include <process.h>
+--- curl-7.87.0.orig/lib/hostip.c
+++ curl-7.87.0/lib/hostip.c
+@@ -48,6 +48,7 @@
+ #include <signal.h>
 #endif
-
+ 
 +#include <fcntl.h>
 #include "urldata.h"
 #include "sendf.h"
 #include "hostip.h"
-@@ -551,7 +551,7 @@ bool Curl_ipv6works(struct Curl_easy *da
+@@ -576,7 +577,7 @@ bool Curl_ipv6works(struct Curl_easy *da
   else {
     int ipv6_works = -1;
     /* probe to see if we have a working IPv6 stack */