diff --git a/curl-7.86.0.tar.xz b/curl-7.86.0.tar.xz deleted file mode 100644 index 0be61c4..0000000 --- a/curl-7.86.0.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2d61116e5f485581f6d59865377df4463f2e788677ac43222b496d4e49fb627b -size 2518356 diff --git a/curl-7.86.0.tar.xz.asc b/curl-7.86.0.tar.xz.asc deleted file mode 100644 index f8af8f0..0000000 --- a/curl-7.86.0.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmNY0SQACgkQXMkI/bce -EsL3Cgf/Ru1crW1U4Hrtc8yw2TwWD+H7jm5VTOqQ96JYvApMihrAjh1uMNjCZSSI -8yzx7E/dVSdY96yQfSdO7M+4eG39oFRvaaKvajf0f1yjUAvc1/zDCfKsjuguttwZ -QaEl/0Gx72cvtLd2NuHxEL4cDr8xa7BExFG0JKF7x4InC6zyrz4k4oOKnWmDZeAE -4HyjPzz4oHfQpVJvXyzsLBc5P06tmBnjIBjHzwjqLeToww0uFdd7uvUfvjGBYUYY -I++pgtgeBPuVAbP+68k9mYkFfWu+SfWqaP/RItXFa8u0SR2oZOtgFGSmy1zDbUqr -HXur6+I4t5RTqvjU8tHk4LMXvpkaJQ== -=R4m5 ------END PGP SIGNATURE----- diff --git a/curl-7.87.0.tar.xz b/curl-7.87.0.tar.xz new file mode 100644 index 0000000..29739ad --- /dev/null +++ b/curl-7.87.0.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ee5f1a1955b0ed413435ef79db28b834ea5f0fb7c8cfb1ce47175cc3bee08fff +size 2547932 diff --git a/curl-7.87.0.tar.xz.asc b/curl-7.87.0.tar.xz.asc new file mode 100644 index 0000000..a308db6 --- /dev/null +++ b/curl-7.87.0.tar.xz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmOisGkACgkQXMkI/bce +EsKLAAf/WdvGEmSBxxwitr1Rum4jYt95082FWrRR/C6bhGtMI/K2DE8gpmywONQ8 +NsM0p91wu/sgXG5+mnkyZsD3e5d4ykpGzYBVJS81dcXnKKdCko35p6vZC+gmxy+p +MGeYyOalhWCvubCCOeATownD70u4qNgl+8qGBWCes33OyEfyeVjXyNVQWqQU1vpP +ZY54egD3dyVIWF7r61Fdi1zZEeHo3zF6RQwV1alnezqSBcvZFQDHKBIGwl3h9cUk +iImyEoNvuWs0IVbPlBw7A4WtlW7shLAICyI9hVdmPBmeAbBGmdFum+RhBgSkzUnp +XbveJQQzTnI6pg7BeFYUNUA4ZuhWIQ== +=h6dJ +-----END PGP SIGNATURE----- diff --git a/curl.changes b/curl.changes index e8a5147..78944b2 100644 --- a/curl.changes +++ b/curl.changes @@ -1,3 +1,173 @@ +------------------------------------------------------------------- +Wed Dec 21 08:19:23 UTC 2022 - David Anes + +- Update to 7.87.0: + * Security fixes: + - CVE-2022-43551, bsc#1206308: another HSTS bypass via IDN + - CVE-2022-43552, bsc#1206309: HTTP Proxy deny use-after-free + * Changes + - curl: add --url-query + - CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit + - lib: add CURL_WRITEFUNC_ERROR to signal write callback error + - openssl: reduce CA certificate bundle reparsing by caching + - version: add a feature names array to curl_version_info_data + * Bugfixes + - altsvc: fix rejection of negative port numbers + - aws_sigv4: consult x-%s-content-sha256 for payload hash + - aws_sigv4: fix typos in aws_sigv4.c + - base64: better alloc size + - base64: encode without using snprintf + - base64: faster base64 decoding + - build: assume assert.h is always available + - build: assume errno.h is always available + - c-hyper: CONNECT respones are not server responses + - c-hyper: fix multi-request mechanism + - CI: Change FreeBSD image from 12.3 to 12.4 + - CI: LGTM.com will be shut down in December 2022 + - ci: Remove zuul fuzzing job as it's superseded by CIFuzz + - cmake: check for cross-compile, not for toolchain + - CMake: fix build with `CURL_USE_GSSAPI` + - cmake: really enable warnings with clang + - cmake: set the soname on the shared library + - cmdline-opts/gen.pl: fix the linkifier + - cmdline-opts/page-footer: remove long option nroff formatting + - config-mac: define HAVE_SYS_IOCTL_H + - config-mac: fix typo: size_T -> size_t + - config-mac: remove HAVE_SYS_SELECT_H + - config-win32: fix SIZEOF_OFF_T for MSVC and old MinGW + - configure: require fork for NTLM-WB + - contributors.sh: actually use $CURLWWW instead of just setting it + - cookie: compare cookie prefixes case insensitively + - cookie: expire cookies at once when max-age is negative + - cookie: open cookie jar as a binary file + - curl-openssl.m4: do not add $prefix/include/openssl to CPPFLAGS + - curl-rustls.m4: on macOS, rustls also needs the Security framework + - curl.h: include on SerenityOS + - curl.h: name all public function parameters + - curl.h: reword comment to not use deprecated option + - curl: override the numeric locale and set "C" by force + - curl: timeout in the read callback + - curl_endian: remove Curl_write64_le from header + - curl_get_line: allow last line without newline char + - curl_path: do not add '/' if homedir ends with one + - curl_url_get.3: remove spurious backtick + - curl_url_set.3: document CURLU_DISALLOW_USER + - curl_url_set.3: fix typo + - CURLMOPT_SOCKETFUNCTION.3: clarify CURL_POLL_REMOVE + - CURLOPT_COOKIEFILE.3: advice => advise + - CURLOPT_DEBUGFUNCTION.3: do not assume nul-termination in example + - CURLOPT_DEBUGFUNCTION.3: emphasize that incoming data is "raw" + - CURLOPT_POST.3: Explain setting to 0 changes request type + - docs/curl_ws_send: Fixed typo in websocket docs + - docs/EARLY-RELEASE.md: how to determine an early release + - docs/examples: spell correction ('Retrieve') + - docs/INSTALL.md: expand on static builds + - docs/WEBSOCKET.md: explain the URL use + - docs: add missing parameters for --retry flag + - docs: add more "SEE ALSO" links to CA related pages + - docs: explain the noproxy CIDR notation support + - docs: extend the dump-header documentation + - docs: remove performance note in CURLOPT_SSL_VERIFYPEER + - examples/10-at-a-time: fix possible skipped final transfers + - examples: update descriptions + - ftp: support growing files with CURLOPT_IGNORE_CONTENT_LENGTH + - gen.pl: do not generate CURLHELP bitmask lines > 79 characters + - GHA: clarify workflows permissions, set least possible privilege + - GHA: NSS use clang instead of clang-9 + - gnutls: use common gnutls init and verify code for ngtcp2 + - headers: add endif comments + - HTTP-COOKIES.md: mention that http://localhost is a secure context + - HTTP-COOKIES.md: update the 6265bis link to draft-11 + - http: do not send PROXY more than once + - http: fix the ::1 comparison for IPv6 localhost for cookies + - http: set 'this_is_a_follow' in the Location: logic + - http: use the IDN decoded name in HSTS checks + - hyper: classify headers as CONNECT and 1XX + - hyper: fix handling of hyper_task's when reusing the same address + - idn: remove Curl_win32_ascii_to_idn + - INSTALL: update operating systems and CPU archs + - KNOWN_BUGS: remove eight entries + - lib1560: add some basic IDN host name tests + - lib: connection filters (cfilter) addition to curl: + - lib: feature deprecation warnings in gcc >= 4.3 + - lib: fix some type mismatches and remove unneeded typecasts + - lib: parse numbers with fixed known base 10 + - lib: remove bad set.opt_no_body assignments + - lib: rewind BEFORE request instead of AFTER previous + - lib: sync guard for Curl_getaddrinfo_ex() definition and use + - lib: use size_t or int etc instead of longs + - libcurl-errors.3: remove duplicate word + - libssh2: return error when ssh_hostkeyfunc returns error + - limit-rate.d: see also --rate + - log2changes.pl: wrap long lines at 80 columns + - Makefile.mk: address minor issues + - Makefile.mk: improve a GNU Make hack + - Makefile.mk: portable Makefile.m32 + - maketgz: set the right version in lib/libcurl.plist + - mime: relax easy/mime structures binding + - misc: Fix incorrect spelling + - misc: remove duplicated include files + - misc: typo and grammar fixes + - negtelnetserver.py: have it call its close() method + - netrc.d: provide mutext info + - netware: remove leftover traces + - noproxy: also match with adjacent comma + - noproxy: guard against empty hostnames in noproxy check + - noproxy: tailmatch like in 7.85.0 and earlier + - nroff-scan.pl: detect double highlights + - ntlm: improve comment for encrypt_des + - ntlm: silence ubsan warning about copying from null target_info pointer + - openssl/mbedtls: use %d for outputing port with failf (int) + - openssl: prefix errors with '[lib]/[version]: ' + - os400: use platform socklen_t in Curl_getnameinfo_a + - page-header: grammar improvement (display transfer rate) + - proxy: refactor haproxy protocol handling as connection filter + - README.md: remove badges and xmas-tree garnish + - rtsp: fix RTSP auth + - runtests: --no-debuginfod now disables DEBUGINFOD_URLS + - runtests: do CRLF replacements per section only + - scripts/checksrc.pl: detect duplicated include files + - sendf: change Curl_read_plain to wrap Curl_recv_plain + - sendf: remove unnecessary if condition + - setup: do not require __MRC__ defined for Mac OS 9 builds + - smb/telnet: do not free the protocol struct in *_done() + - socks: fix username max size is 255 (0xFF) + - spellcheck.words: remove 'github' as an accepted word + - ssl-reqd.d: clarify that this is for upgrading connections only + - strcase: use curl_str(n)equal for case insensitive matches + - styled-output.d: this option does not work on Windows + - system.h: fix socklen_t, curl_off_t, long long for Classic Mac OS + - system.h: support 64-bit curl_off_t for NonStop 32-bit + - test1421: fix typo + - test3026: reduce runtime in legacy mingw builds + - tests/sshserver.pl: re-enable ssh-rsa while using openssh 8.8+ + - tests: add authorityInfoAccess to generated certs + - tests: add HTTP/3 test case, custom location for proper nghttpx + - tls: backends use connection filters for IO, enabling HTTPS-proxy + - tool: determine the correct fopen option for -D + - tool_cfgable: free the ssl_ec_curves on exit + - tool_cfgable: make socks5_gssapi_nec a boolean + - tool_formparse: avoid clobbering on function params + - tool_getparam: make --no-get work as the opposite of --get + - tool_operate: provide better errmsg for -G with bad URL + - tool_operate: when aborting, make sure there is a non-NULL error buffer + - tool_paramhlp: free the proto strings on exit + - url: move back the IDN conversion of proxy names + - urlapi: reject more bad letters from the host name: &+() + - urldata: change port num storage to int and unsigned short + - vms: remove SIZEOF_SHORT + - vtls: fix build without proxy support + - vtls: localization of state data in filters + - WEBSOCKET.md: fix broken link + - Websocket: fixes for partial frames and buffer updates + - websockets: fix handling of partial frames + - windows: fail early with a missing windres in autotools + - windows: fix linking .rc to shared curl with autotools + - winidn: drop WANT_IDN_PROTOTYPES + - ws: if no connection is around, return error + - ws: return CURLE_NOT_BUILT_IN when websockets not built in + - x509asn1: avoid freeing unallocated pointers + ------------------------------------------------------------------- Wed Nov 16 03:09:27 UTC 2022 - Luciano Santos diff --git a/curl.spec b/curl.spec index 2109a1d..5b21571 100644 --- a/curl.spec +++ b/curl.spec @@ -21,7 +21,7 @@ # need ssl always for python-pycurl %bcond_without openssl Name: curl -Version: 7.86.0 +Version: 7.87.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl diff --git a/libcurl-ocloexec.patch b/libcurl-ocloexec.patch index d9d5759..d5b6970 100644 --- a/libcurl-ocloexec.patch +++ b/libcurl-ocloexec.patch @@ -7,11 +7,11 @@ To make it portable you have to test O_CLOEXEC support at *runtime* compile time is not enough. -Index: curl-7.85.0/lib/file.c +Index: curl-7.87.0/lib/file.c =================================================================== ---- curl-7.85.0.orig/lib/file.c -+++ curl-7.85.0/lib/file.c -@@ -222,7 +222,7 @@ static CURLcode file_connect(struct Curl +--- curl-7.87.0.orig/lib/file.c ++++ curl-7.87.0/lib/file.c +@@ -232,7 +232,7 @@ static CURLcode file_connect(struct Curl } } #else @@ -20,7 +20,7 @@ Index: curl-7.85.0/lib/file.c file->path = real_path; #endif #endif -@@ -307,7 +307,7 @@ static CURLcode file_upload(struct Curl_ +@@ -318,7 +318,7 @@ static CURLcode file_upload(struct Curl_ else mode = MODE_DEFAULT|O_TRUNC; @@ -29,10 +29,10 @@ Index: curl-7.85.0/lib/file.c if(fd < 0) { failf(data, "Can't open %s for writing", file->path); return CURLE_WRITE_ERROR; -Index: curl-7.85.0/lib/if2ip.c +Index: curl-7.87.0/lib/if2ip.c =================================================================== ---- curl-7.85.0.orig/lib/if2ip.c -+++ curl-7.85.0/lib/if2ip.c +--- curl-7.87.0.orig/lib/if2ip.c ++++ curl-7.87.0/lib/if2ip.c @@ -206,7 +206,7 @@ if2ip_result_t Curl_if2ip(int af, if(len >= sizeof(req.ifr_name)) return IF2IP_NOT_FOUND; @@ -42,11 +42,11 @@ Index: curl-7.85.0/lib/if2ip.c if(CURL_SOCKET_BAD == dummy) return IF2IP_NOT_FOUND; -Index: curl-7.85.0/lib/connect.c +Index: curl-7.87.0/lib/connect.c =================================================================== ---- curl-7.85.0.orig/lib/connect.c -+++ curl-7.85.0/lib/connect.c -@@ -1651,7 +1651,9 @@ CURLcode Curl_socket(struct Curl_easy *d +--- curl-7.87.0.orig/lib/connect.c ++++ curl-7.87.0/lib/connect.c +@@ -1559,7 +1559,9 @@ CURLcode Curl_socket(struct Curl_easy *d } else /* opensocket callback not set, so simply create the socket now */ @@ -57,11 +57,11 @@ Index: curl-7.85.0/lib/connect.c if(*sockfd == CURL_SOCKET_BAD) /* no socket, no connection */ -Index: curl-7.85.0/configure.ac +Index: curl-7.87.0/configure.ac =================================================================== ---- curl-7.85.0.orig/configure.ac -+++ curl-7.85.0/configure.ac -@@ -335,6 +335,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m +--- curl-7.87.0.orig/configure.ac ++++ curl-7.87.0/configure.ac +@@ -347,6 +347,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m # Silence warning: ar: 'u' modifier ignored since 'D' is the default AC_SUBST(AR_FLAGS, [cr]) @@ -70,20 +70,19 @@ Index: curl-7.85.0/configure.ac dnl This defines _ALL_SOURCE for AIX CURL_CHECK_AIX_ALL_SOURCE -Index: curl-7.85.0/lib/hostip.c +Index: curl-7.87.0/lib/hostip.c =================================================================== ---- curl-7.85.0.orig/lib/hostip.c -+++ curl-7.85.0/lib/hostip.c -@@ -51,7 +51,7 @@ - #ifdef HAVE_PROCESS_H - #include +--- curl-7.87.0.orig/lib/hostip.c ++++ curl-7.87.0/lib/hostip.c +@@ -48,6 +48,7 @@ + #include #endif -- + +#include #include "urldata.h" #include "sendf.h" #include "hostip.h" -@@ -551,7 +551,7 @@ bool Curl_ipv6works(struct Curl_easy *da +@@ -576,7 +577,7 @@ bool Curl_ipv6works(struct Curl_easy *da else { int ipv6_works = -1; /* probe to see if we have a working IPv6 stack */