diff --git a/curl-8.4.0.tar.xz b/curl-8.4.0.tar.xz
deleted file mode 100644
index 55f76a5..0000000
--- a/curl-8.4.0.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:16c62a9c4af0f703d28bda6d7bbf37ba47055ad3414d70dec63e2e6336f2a82d
-size 2658376
diff --git a/curl-8.4.0.tar.xz.asc b/curl-8.4.0.tar.xz.asc
deleted file mode 100644
index 14d0b0a..0000000
--- a/curl-8.4.0.tar.xz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmUmNUkACgkQXMkI/bce
-EsIiwQgAjbpDysDBbuhdQekitabLu9vEk5rIk1wAM1cYLGKgEU+8oDIUTa1HFJCV
-zb9fGNdnOpwYHOGiOiX5rec4cHcZrL/w92ctP9kgTY97VU3puESn2JO4abVuLtD6
-lPfzIsSFnvYoawWKWLp8Vkia87r+Au9ZiUhM2NPiuZuBleWhk1RWSWoTN8FalK4x
-pa/aUumd3niCfv5xdQ9fn//CrVJTKc7S18IC+vdlVYM3UgYVghRihTglEEg/7KAj
-Hy73sgU2LtQUuuyL42K942bbKd92/OGvCDbPu3CZ8zL0TXHSFmcbMZrl90RPSCXE
-qJiuih+EQxYKh3CGZxNftSI4iV7aag==
-=wuw5
------END PGP SIGNATURE-----
diff --git a/curl-8.5.0.tar.xz b/curl-8.5.0.tar.xz
new file mode 100644
index 0000000..497c78e
--- /dev/null
+++ b/curl-8.5.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:42ab8db9e20d8290a3b633e7fbb3cec15db34df65fd1015ef8ac1e4723750eeb
+size 2658520
diff --git a/curl-8.5.0.tar.xz.asc b/curl-8.5.0.tar.xz.asc
new file mode 100644
index 0000000..ef7676b
--- /dev/null
+++ b/curl-8.5.0.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmVwH74ACgkQXMkI/bce
+EsJTjQgApzxL4B3UzTgozV3zElM2bE1tVeAnWzBvvgBr66n8Avj3qJv0OStRTm5I
+GATuiWLFBKHEzrKJbApWiH8nwsKK/ZvlrAe6SyJ5jehK1l51da1LSnI/SkFt7him
+EX2R9Eq8HWD5jhiHOYETFZ9U7aqf+OOnrRevzFs+GCcZqn6M4DKXc9gJCc2qgill
+y9PfHrxLELJscPCw19fw9Hoo4QkcHKP1oOy4uha4iqDUmnFW9WTexVHAGOTMrJwl
+6OZ+5apsaBB7+rambVnyeOx2DfpAsScmaXtaLNIBBDfNbBPkOA3lgmDZr/6KiSP1
+Pr9Y2WDkGKgodo7NeRAHJl/WE+CMmQ==
+=XAIZ
+-----END PGP SIGNATURE-----
diff --git a/curl-secure-getenv.patch b/curl-secure-getenv.patch
index 0de5d7e..c751b12 100644
--- a/curl-secure-getenv.patch +++ b/curl-secure-getenv.patch @@ -1,8 +1,8 @@ -Index: curl-7.82.0/lib/getenv.c +Index: curl-8.5.0/lib/getenv.c =================================================================== ---- curl-7.82.0.orig/lib/getenv.c -+++ curl-7.82.0/lib/getenv.c -@@ -27,6 +27,14 @@ +--- curl-8.5.0.orig/lib/getenv.c ++++ curl-8.5.0/lib/getenv.c +@@ -29,6 +29,14 @@ #include "memdebug.h" @@ -16,8 +16,8 @@ Index: curl-7.82.0/lib/getenv.c + static char *GetEnv(const char *variable) { - #if defined(_WIN32_WCE) || defined(CURL_WINDOWS_APP) -@@ -66,7 +74,7 @@ static char *GetEnv(const char *variable + #if defined(_WIN32_WCE) || defined(CURL_WINDOWS_APP) || \ +@@ -69,7 +77,7 @@ static char *GetEnv(const char *variable /* else rc is bytes needed, try again */ } #else @@ -26,11 +26,11 @@ Index: curl-7.82.0/lib/getenv.c return (env && env[0])?strdup(env):NULL; #endif } -Index: curl-7.82.0/configure.ac +Index: curl-8.5.0/configure.ac =================================================================== ---- curl-7.82.0.orig/configure.ac -+++ curl-7.82.0/configure.ac -@@ -4271,6 +4271,8 @@ if test "x$want_curldebug_assumed" = "xy +--- curl-8.5.0.orig/configure.ac ++++ curl-8.5.0/configure.ac +@@ -4767,6 +4767,8 @@ if test "x$want_curldebug_assumed" = "xy ac_configure_args="$ac_configure_args --enable-curldebug" fi diff --git a/curl-tests-errorcodes.patch b/curl-tests-errorcodes.patch new file mode 100644 index 0000000..cad472d --- /dev/null +++ b/curl-tests-errorcodes.patch 
@@ -0,0 +1,150 @@ +From da8c1d15782c8161b455a7ee90197c16ae5edb90 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 6 Dec 2023 09:40:30 +0100 +Subject: [PATCH] dist: add tests/errorcodes.pl to the tarball + +Used by test 1477 + +Reported-by: Xi Ruoyao +Follow-up to 0ca3a4ec9a7 +Fixes #12462 +Closes #12463 +--- + tests/Makefile.am | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +Index: curl-8.5.0/tests/Makefile.am +=================================================================== +--- curl-8.5.0.orig/tests/Makefile.am ++++ curl-8.5.0/tests/Makefile.am +@@ -26,15 +26,17 @@ HTMLPAGES = testcurl.html runtests.html + PDFPAGES = testcurl.pdf runtests.pdf + MANDISTPAGES = runtests.1.dist testcurl.1.dist + +-EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl CMakeLists.txt \ +- devtest.pl dictserver.py directories.pm disable-scan.pl error-codes.pl extern-scan.pl FILEFORMAT.md \ +- processhelp.pm ftpserver.pl getpart.pm globalconfig.pm http-server.pl http2-server.pl \ +- http3-server.pl manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \ +- memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl options-scan.pl \ +- pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 runtests.pl secureserver.pl \ +- serverhelp.pm servers.pm smbserver.py sshhelp.pm sshserver.pl stunnel.pem symbol-scan.pl \ +- testcurl.1 testcurl.pl testutil.pm tftpserver.pl util.py valgrind.pm \ +- valgrind.supp version-scan.pl check-translatable-options.pl ++EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl \ ++ CMakeLists.txt devtest.pl dictserver.py directories.pm disable-scan.pl \ ++ error-codes.pl extern-scan.pl FILEFORMAT.md processhelp.pm ftpserver.pl \ ++ getpart.pm globalconfig.pm http-server.pl http2-server.pl http3-server.pl \ ++ manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \ ++ memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl \ ++ 
options-scan.pl pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 \ ++ runtests.pl secureserver.pl serverhelp.pm servers.pm smbserver.py sshhelp.pm \ ++ sshserver.pl stunnel.pem symbol-scan.pl testcurl.1 testcurl.pl testutil.pm \ ++ tftpserver.pl util.py valgrind.pm valgrind.supp version-scan.pl \ ++ check-translatable-options.pl errorcodes.pl + + DISTCLEANFILES = configurehelp.pm + +Index: curl-8.5.0/tests/errorcodes.pl +=================================================================== +--- /dev/null ++++ curl-8.5.0/tests/errorcodes.pl +@@ -0,0 +1,99 @@ ++#!/usr/bin/env perl ++#*************************************************************************** ++# _ _ ____ _ ++# Project ___| | | | _ \| | ++# / __| | | | |_) | | ++# | (__| |_| | _ <| |___ ++# \___|\___/|_| \_\_____| ++# ++# Copyright (C) Daniel Stenberg, , et al. ++# ++# This software is licensed as described in the file COPYING, which ++# you should have received as part of this distribution. The terms ++# are also available at https://curl.se/docs/copyright.html. ++# ++# You may opt to use, copy, modify, merge, publish, distribute and/or sell ++# copies of the Software, and permit persons to whom the Software is ++# furnished to do so, under the terms of the COPYING file. ++# ++# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++# KIND, either express or implied. ++# ++# SPDX-License-Identifier: curl ++# ++########################################################################### ++ ++# Check that libcurl-errors.3 and the public header files have the same set of ++# error codes. 
++ ++use strict; ++use warnings; ++ ++# we may get the dir roots pointed out ++my $root=$ARGV[0] || "."; ++my $manpge = "$root/docs/libcurl/libcurl-errors.3"; ++my $curlh = "$root/include/curl"; ++my $errors=0; ++ ++my @hnames; ++my %wherefrom; ++my @mnames; ++my %manfrom; ++ ++sub scanheader { ++ my ($file)=@_; ++ open H, "<$file"; ++ my $line = 0; ++ while() { ++ $line++; ++ if($_ =~ /^ (CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) { ++ my ($name)=($1); ++ if(($name !~ /OBSOLETE/) && ($name !~ /_LAST\z/)) { ++ push @hnames, $name; ++ if($wherefrom{$name}) { ++ print STDERR "double: $name\n"; ++ } ++ $wherefrom{$name}="$file:$line"; ++ } ++ } ++ } ++ close(H); ++} ++ ++sub scanmanpage { ++ my ($file)=@_; ++ open H, "<$file"; ++ my $line = 0; ++ while() { ++ $line++; ++ if($_ =~ /^\.IP \"(CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) { ++ my ($name)=($1); ++ push @mnames, $name; ++ $manfrom{$name}="$file:$line"; ++ } ++ } ++ close(H); ++} ++ ++ ++opendir(my $dh, $curlh) || die "Can't opendir $curlh: $!"; ++my @hfiles = grep { /\.h$/ } readdir($dh); ++closedir $dh; ++ ++for(sort @hfiles) { ++ scanheader("$curlh/$_"); ++} ++scanmanpage($manpge); ++ ++print "Result\n"; ++for my $h (sort @hnames) { ++ if(!$manfrom{$h}) { ++ printf "$h from %s, not in man page\n", $wherefrom{$h}; ++ } ++} ++ ++for my $m (sort @mnames) { ++ if(!$wherefrom{$m}) { ++ printf "$m from %s, not in any header\n", $manfrom{$m}; ++ } ++} diff --git a/curl.changes b/curl.changes index 6870467..b840a47 100644 --- a/curl.changes +++ b/curl.changes 
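Review bot: Both `open H, "<$file";` calls in the new tests/errorcodes.pl (in `scanheader` and `scanmanpage`) ignore the return value, so an unreadable header or man page contributes no names and every symbol from the other side is then printed as a mismatch instead of the real cause being reported. The `opendir` call further down already dies with `$!`; the same treatment fits here, using a lexical handle and the three-argument form so the path built from `$ARGV[0]` is always treated as a plain file name: `open(my $fh, '<', $file) || die "Can't open $file: $!";`, with the read loop and `close` switched to `$fh`. `$errors` is declared but never used and the script has no explicit exit status, so test 1477 presumably judges it by its output; a short comment at the top saying so would help whoever maintains this packaged copy. Since the patch is carried as an upstream backport, the change is best raised upstream rather than edited locally.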
@@ -1,3 +1,69 @@ +------------------------------------------------------------------- +Wed Dec 6 09:51:20 UTC 2023 - Pedro Monreal + +- Update to 8.5.0: + * Security fixes: + - [bsc#1217573, CVE-2023-46218] cookie mixed case PSL bypass + - [bsc#1217574, CVE-2023-46219] HSTS long file name clears contents + * Changes: + - gnutls: support CURLSSLOPT_NATIVE_CA + - HTTP3: ngtcp2 builds are no longer experimental + * Bugfixes: + - asyn-thread: use pipe instead of socketpair for IPC when available + - cmake: fix OpenSSL quic detection in quiche builds + - conncache: use the closure handle when disconnecting surplus connections + - content_encoding: make Curl_all_content_encodings allocless + - cookie: lowercase the domain names before PSL checks + - Curl_http_body: cleanup properly when Curl_getformdata errors + - CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range + - doh: provide better return code for responses w/o addresses + - doh: use PIPEWAIT when HTTP/2 is attempted + - duphandle: also free 'outcurl->cookies' in error path + - duphandle: make dupset() not return with pointers to old alloced data + - duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set + - easy: in duphandle, init the cookies for the new handle + - easy_lock: add a pthread_mutex_t fallback + - fopen: create new file using old file's mode + - fopen: create short(er) temporary file name + - getenv: PlayStation doesn't have getenv() + - hostip: show the list of IPs when resolving is done + - hsts: skip single-dot hostname + - HTTP/2, HTTP/3: handle detach of onoing transfers + - http: allow longer HTTP/2 request method names + - hyper: temporarily remove HTTP/2 support + - IPFS: fix IPFS_PATH and file parsing + - multi: during ratelimit multi_getsock should return no sockets + - multi: use pipe instead of socketpair to *wakeup() + - ngtcp2: fix races in stream handling + - ntlm_wb: use pipe instead of socketpair when possible + - openssl: avoid BN_num_bits() NULL 
pointer derefs + - openssl: fix building with v3 `no-deprecated` + add CI test + - openssl: fix infof() to avoid compiler warning for %s with null + - openssl: identify the "quictls" backend correctly + - openssl: include SIG and KEM algorithms in verbose + - openssl: two multi pointer checks should probably rather be asserts + - openssl: when a session-ID is reused, skip OCSP stapling + - quic: make eyeballers connect retries stop at weird replies + - quic: manage connection idle timeouts + - setopt: check CURLOPT_TFTP_BLKSIZE range on set + - socks: better buffer size checks for socks4a user and hostname + - socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice + - tool: fix --capath when proxy support is disabled + - tool_getparam: limit --rate to be smaller than number of ms + - transfer: abort pause send when connection is marked for closing + - transfer: avoid calling the read callback again after EOF + - transfer: only reset the FTP wildcard engine in CLEAR state + - url: don't touch the multi handle when closing internal handles + - urlapi: avoid null deref if setting blank host to url encode + - urlapi: skip appending NULL pointer query + - urlapi: when URL encoding the fragment, pass in the right length + - vtls: cleanup SSL config management + - vtls: consistently use typedef names for OpenSSL structs + - vtls: late clone of connection ssl config + - vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 + * Rebase curl-secure-getenv.patch + * Add curl-tests-errorcodes.patch + ------------------------------------------------------------------- Wed Oct 11 06:33:28 UTC 2023 - Pedro Monreal diff --git a/curl.spec b/curl.spec index dba9487..282d54a 100644 --- a/curl.spec +++ b/curl.spec @@ -21,7 +21,7 @@ # need ssl always for python-pycurl %bcond_without openssl Name: curl -Version: 8.4.0 +Version: 8.5.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl 
@@ -35,6 +35,8 @@ Patch1: dont-mess-with-rpmoptflags.patch Patch2: curl-secure-getenv.patch #PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled Patch3: curl-disabled-redirect-protocol-message.patch +#PATCH-FIX-UPSTREAM dist: add tests/errorcodes.pl to the tarball +Patch4: curl-tests-errorcodes.patch BuildRequires: libtool BuildRequires: pkgconfig Requires: libcurl4 = %{version}