From 681d679767aee9acdbde26be31b746696c634493b2149b6fa0eb0db3a8490686 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ismail=20D=C3=B6nmez?= Date: Wed, 31 Oct 2018 11:23:21 +0000 Subject: [PATCH] Accepting request 645709 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - Update to version 7.62.0 Changes: * multiplex: enable by default * url: default to CURL_HTTP_VERSION_2TLS if built h2-enabled * setopt: add CURLOPT_DOH_URL * curl: --doh-url added * setopt: add CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer size * imap: change from "FETCH" to "UID FETCH" * configure: add option to disable automatic OpenSSL config loading * upkeep: add a connection upkeep API: curl_easy_upkeep() * URL-API: added five new functions * vtls: MesaLink is a new TLS backend Bugfixes: * CVE-2018-16839: SASL password overflow via integer overflow [bsc#1112758] * CVE-2018-16840: use-after-free in handle close [bsc#1113029] * CVE-2018-16842: warning message out-of-buffer read [bsc#1113660] * CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated * Curl_dedotdotify(): always nul terminate returned string * Curl_follow: Always free the passed new URL * Curl_http2_done: fix memleak in error path * Curl_retry_request: fix memory leak * Curl_saferealloc: Fixed typo in docblock * FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output * GnutTLS: TLS 1.3 support * SECURITY-PROCESS: mention the bountygraph program * VS projects: add USE_IPV6: * certs: generate tests certs with sha256 digest algorithm * checksrc: enable strict mode and warnings * checksrc: handle zero scoped ignore commands * cmake: Backport to work with CMake 3.0 again OBS-URL: https://build.opensuse.org/request/show/645709 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=235 --- curl-7.61.1.tar.gz | 3 - curl-7.61.1.tar.gz.asc | 11 -- curl-7.62.0.tar.gz | 3 + curl-7.62.0.tar.gz.asc | 11 ++ curl-disabled-redirect-protocol-message.patch | 32 ++--- curl-mini.changes | 120 ++++++++++++++++++ curl-mini.spec | 4 +- curl-use_OPENSSL_config.patch | 12 +- curl.changes | 120 ++++++++++++++++++ curl.spec | 4 +- 10 
files changed, 282 insertions(+), 38 deletions(-)
delete mode 100644 curl-7.61.1.tar.gz
delete mode 100644 curl-7.61.1.tar.gz.asc
create mode 100644 curl-7.62.0.tar.gz
create mode 100644 curl-7.62.0.tar.gz.asc
diff --git a/curl-7.61.1.tar.gz b/curl-7.61.1.tar.gz
deleted file mode 100644
index d840f06..0000000
--- a/curl-7.61.1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:eaa812e9a871ea10dbe8e1d3f8f12a64a8e3e62aeab18cb23742e2f1727458ae
-size 3986062
diff --git a/curl-7.61.1.tar.gz.asc b/curl-7.61.1.tar.gz.asc
deleted file mode 100644
index 7ca0b38..0000000
--- a/curl-7.61.1.tar.gz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAluPblgACgkQXMkI/bce
-EsIhWgf/THAQX5B2B5icUfPheWyv+laMcHU1FS3RgzYu/ImIT2DqiL8kNtSebNkf
-pcZzpWmOB3OBrWJSrhkMkLUfbiWksPKgLUGSc6W4BQxkLZ9wyH/oxkfgxrzDo4a2
-TeQTmON38uICPsRtGZwWTVRu4ppHTUAAfNjrigP4LmxaLYdmtQaggF7MUnhzmJFB
-F+1Hba6N/Qxe0PLTAF4X0Kk5wqmk5pA3lhI0mfBtvJ8uoSzGvOsddNXrmMco9qzR
-st3SAd8d7i5QyNjavYptDc0sMGof0WRelezE5EvEu54xQvTI/16CkbsVe0rvgJNz
-8YmRMg4KnoY7R9qy3i11rulgBUpyVA==
-=3S8D
------END PGP SIGNATURE-----
diff --git a/curl-7.62.0.tar.gz b/curl-7.62.0.tar.gz
new file mode 100644
index 0000000..30ea571
--- /dev/null
+++ b/curl-7.62.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:55ccd5b5209f8cc53d4250e2a9fd87e6f67dd323ae8bd7d06b072cfcbb7836cb
+size 4045208
diff --git a/curl-7.62.0.tar.gz.asc b/curl-7.62.0.tar.gz.asc
new file mode 100644
index 0000000..a336e76
--- /dev/null
+++ b/curl-7.62.0.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlvZT5sACgkQXMkI/bce
+EsKCDQf/R6zItdEu4ZcmrfsQQcMBpwfHJgqJa2G5ozy3ztNSbENHpuvNU+YYGGdv
+G+YdTWhY9WFnYUkU02U/hT5AmwXqK7u/X65cJIEkAJddIimNjHwhmfhdsxalNAfo
+brdRicnj2J0cEcbCCnNKHnqxigQXshn68s1O1IRDrsUU2YtkLvp/jzbbU6K5vDUI
+93sOjVkb/sLb2/slgIQaAL/NzxSFPCP0Oo1PzVA1Nbaogd9yiHQPmLt8k9DnzduX
+bChxjufO0vGSeCjHCTPepHMQ/7Q+ZyKiW/+VjbsMTyswkbQoGFNiCj+UFa25bmlH
+iJl0KCaGIWOVhGoQ/ln8fONNgcXvZA==
+=ATDv
+-----END PGP SIGNATURE-----
diff --git a/curl-disabled-redirect-protocol-message.patch b/curl-disabled-redirect-protocol-message.patch
index 0e4b149..0653c98 100644
--- a/curl-disabled-redirect-protocol-message.patch
+++ b/curl-disabled-redirect-protocol-message.patch
@@ -1,18 +1,20 @@
---- a/lib/url.c
-+++ a/lib/url.c
-@@ -1955,9 +1955,13 @@ static CURLcode findprotocol(struct Curl_easy *data,
- /* it is allowed for "normal" request, now do an extra check if this is
- the result of a redirect */
- if(data->state.this_is_a_follow &&
-- !(data->set.redir_protocols & p->protocol))
-+ !(data->set.redir_protocols & p->protocol)) {
- /* nope, get out */
-- break;
-+ failf(data, "Redirect to protocol \"%s\" not supported or disabled in " LIBCURL_NAME,
-+ protostr);
-+
-+ return CURLE_UNSUPPORTED_PROTOCOL;
-+ }
-
+Index: curl-7.62.0/lib/url.c
+===================================================================
+--- curl-7.62.0.orig/lib/url.c
++++ curl-7.62.0/lib/url.c
+@@ -1976,9 +1976,13 @@ static CURLcode findprotocol(struct Curl
+ /* it is allowed for "normal" request, now do an extra check if this is
+ the result of a redirect */
+ if(data->state.this_is_a_follow &&
+- !(data->set.redir_protocols & p->protocol))
++ !(data->set.redir_protocols & p->protocol)) {
+ /* nope, get out */
+- ;
++ failf(data, "Redirect to protocol \"%s\" not supported or disabled in " LIBCURL_NAME,
++ protostr);
+
++ return CURLE_UNSUPPORTED_PROTOCOL;
++ }
+ else {
 /* Perform setup complement if some. */
 conn->handler = conn->given = p;
diff --git a/curl-mini.changes b/curl-mini.changes
index 4234839..58276ee 100644
--- a/curl-mini.changes
+++ b/curl-mini.changes
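Review bot: The rebased curl-disabled-redirect-protocol-message.patch still opens directly with `Index: curl-7.62.0/lib/url.c` and has no description, so nothing in the file records why the package changes what `findprotocol` does when a redirect targets a protocol outside `data->set.redir_protocols`. A short header above the `Index:` line would help the next rebase, for example `Report a redirect to a disabled protocol with its own failf() message and return CURLE_UNSUPPORTED_PROTOCOL at once.`, plus the bug reference if there is one. The added `failf(data, "Redirect to protocol ...` line is also longer than 79 columns, which upstream's checksrc may flag if it runs during the build; splitting the string literal over two lines would avoid that. `findprotocol` begins and ends outside the hunk, so whether the early return skips anything after the loop cannot be checked from here.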
@@ -1,3 +1,123 @@ +------------------------------------------------------------------- +Wed Oct 31 09:23:37 UTC 2018 - Pedro Monreal Gonzalez + +- Update to version 7.62.0 + Changes: + * multiplex: enable by default + * url: default to CURL_HTTP_VERSION_2TLS if built h2-enabled + * setopt: add CURLOPT_DOH_URL + * curl: --doh-url added + * setopt: add CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer size + * imap: change from "FETCH" to "UID FETCH" + * configure: add option to disable automatic OpenSSL config loading + * upkeep: add a connection upkeep API: curl_easy_upkeep() + * URL-API: added five new functions + * vtls: MesaLink is a new TLS backend + Bugfixes: + * CVE-2018-16839: SASL password overflow via integer overflow [bsc#1112758] + * CVE-2018-16840: use-after-free in handle close [bsc#1113029] + * CVE-2018-16842: warning message out-of-buffer read [bsc#1113660] + * CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated + * Curl_dedotdotify(): always nul terminate returned string + * Curl_follow: Always free the passed new URL + * Curl_http2_done: fix memleak in error path + * Curl_retry_request: fix memory leak + * Curl_saferealloc: Fixed typo in docblock + * FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output + * GnutTLS: TLS 1.3 support + * SECURITY-PROCESS: mention the bountygraph program + * VS projects: add USE_IPV6: + * certs: generate tests certs with sha256 digest algorithm + * checksrc: enable strict mode and warnings + * checksrc: handle zero scoped ignore commands + * cmake: Backport to work with CMake 3.0 again + * cmake: Improve config installation + * cmake: add support for transitive ZLIB target + * cmake: disable -Wpedantic-ms-format + * cmake: don't require OpenSSL if USE_OPENSSL=OFF + * cmake: fixed path used in generation of docs/tests + * cmake: remove unused *SOCKLEN_T variables + * cmake: suppress MSVC warning C4127 for libtest + * cmake: test and set missed defines during configuration + * config: Remove unused SIZEOF_VOIDP + * configure: force-use 
-lpthreads on HPUX + * configure: remove CURL_CONFIGURE_CURL_SOCKLEN_T + * configure: s/AC_RUN_IFELSE/CURL_RUN_IFELSE + * cookies: Remove redundant expired check + * cookies: fix leak when writing cookies to file + * curl-config.in: remove dependency on bc + * curl.1: --ipv6 mutexes ipv4 (fixed typo) + * curl: update the documentation of --tlsv1.0 + * curl_multi_wait: call getsock before figuring out timeout + * curl_ntlm_wb: check aprintf() return codes + * data-binary.d: clarify default content-type is x-www-form-urlencoded + * docs/CIPHERS: Mention the options used to set TLS 1.3 ciphers + * docs/CIPHERS: fix the TLS 1.3 cipher names + * docs/CIPHERS: mention the colon separation for OpenSSL + * docs/examples: URL updates + * docs: add "see also" links for SSL options + * example/asiohiper: insert warning comment about its status + * example/htmltidy: fix include paths of tidy libraries + * examples/http2-pushinmemory: receive HTTP/2 pushed files in memory + * examples/parseurl.c: show off the URL API + * examples: Fix memory leaks from realloc errors + * examples: do not wait when no transfers are running + * ftp: include command in Curl_ftpsend sendbuffer + * gskit: make sure to terminate version string + * gtls: Values stored to but never read + * hostip: fix check on Curl_shuffle_addr return value + * http2: fix memory leaks on error-path + * http: fix memleak in rewind error path + * krb5: fix memory leak in krb_auth + * memory: add missing curl_printf header + * memory: ensure to check allocation results + * multi: Fix error handling in the SENDPROTOCONNECT state + * multi: fix memory leak in content encoding related error path + * multi: make the closure handle "inherit" CURLOPT_NOSIGNAL + * netrc: free temporary strings if memory allocation fails + * nss: try to connect even if libnssckbi.so fails to load + * ntlm_wb: Fix memory leaks in ntlm_wb_response + * ntlm_wb: bail out if the response gets overly large + * openssl: assume engine support in 0.9.8 
or later + * openssl: enable TLS 1.3 post-handshake auth + * openssl: fix gcc8 warning + * openssl: load built-in engines too + * openssl: make 'done' a proper boolean + * openssl: output the correct cipher list on TLS 1.3 error + * openssl: return CURLE_PEER_FAILED_VERIFICATION on failure to parse issuer + * openssl: show "proper" version number for libressl builds + * pipelining: deprecated + * rand: add comment to skip a clang-tidy false positive + * rtmp: fix for compiling with lwIP + * runtests: ignore disabled even when ranges are given + * schannel: unified error code handling + * sendf: Fix whitespace in infof/failf concatenation + * ssh: free the session on init failures + * ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code + * system.h: use proper setting with Sun C++ as well + * test1299: use single quotes around asterisk + * test1452: mark as flaky + * test1651: unit test Curl_extract_certinfo() + * test320: strip out more HTML when comparing + * tests/negtelnetserver.py: fix Python2-ism in neg TELNET server + * tests: add unit tests for url.c + * tool_cb_hdr: handle failure of rename() + * travis: add a "make tidy" build that runs clang-tidy + * travis: add build for "configure --disable-verbose" + * travis: bump the Secure Transport build to use xcode + * travis: make distcheck scan for BOM markers + * unit1300: fix stack-use-after-scope AddressSanitizer warning + * urldata: Fix "connecting" comment + * urlglob: improve error message on bad globs + * vtls: fix ssl version "or later" behavior change for many backends + * x509asn1: Fix SAN IP address verification + * x509asn1: always check return code from getASN1Element() + * x509asn1: return CURLE_PEER_FAILED_VERIFICATION on failure to parse cert + * x509asn1: suppress left shift on signed value +- Rebased patches after update: + * curl-disabled-redirect-protocol-message.patch + * curl-use_OPENSSL_config.patch + ------------------------------------------------------------------- Wed 
Sep 5 07:12:59 UTC 2018 - Karol Babioch diff --git a/curl-mini.spec b/curl-mini.spec index fef418b..7de41c1 100644 --- a/curl-mini.spec +++ b/curl-mini.spec @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -29,7 +29,7 @@ # need ssl always for python-pycurl %bcond_without openssl Name: curl-mini -Version: 7.61.1 +Version: 7.62.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl diff --git a/curl-use_OPENSSL_config.patch b/curl-use_OPENSSL_config.patch index a1350ec..28a5f93 100644 --- a/curl-use_OPENSSL_config.patch +++ b/curl-use_OPENSSL_config.patch @@ -1,10 +1,10 @@ This basically reverts https://github.com/curl/curl/commit/7d2f61f66ab4e047fc9aefc2effc1ac6d340a66a -diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c -index 80e9bf940..ba227891f 100644 ---- a/lib/vtls/openssl.c -+++ b/lib/vtls/openssl.c -@@ -925,26 +925,12 @@ static int Curl_ossl_init(void) +Index: curl-7.62.0/lib/vtls/openssl.c +=================================================================== +--- curl-7.62.0.orig/lib/vtls/openssl.c ++++ curl-7.62.0/lib/vtls/openssl.c +@@ -982,28 +982,12 @@ static int Curl_ossl_init(void) ENGINE_load_builtin_engines(); #endif @@ -20,9 +20,11 @@ index 80e9bf940..ba227891f 100644 -#define CONF_MFLAGS_DEFAULT_SECTION 0x0 -#endif - +-#ifndef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG - CONF_modules_load_file(NULL, NULL, - CONF_MFLAGS_DEFAULT_SECTION| - CONF_MFLAGS_IGNORE_MISSING_FILE); +-#endif - #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ !defined(LIBRESSL_VERSION_NUMBER) diff --git a/curl.changes b/curl.changes index 4234839..58276ee 100644 --- a/curl.changes +++ b/curl.changes 
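Review bot: The rebased curl-use_OPENSSL_config.patch now deletes the upstream `#ifndef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG` / `#endif` pair together with the `CONF_modules_load_file()` call in `Curl_ossl_init`, so the configure option that the changelog lists as new in 7.62.0 may have no effect in this package. The lines the inner patch adds in their place are outside this hunk, so it is not visible whether the replacement keeps that guard. If it does not, wrap the replacement in the same `#ifndef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG` so a build that opts out of loading the OpenSSL configuration really skips it. The one-line header `This basically reverts ...` would also be clearer if it said why the package needs the older behaviour.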
@@ -1,3 +1,123 @@ +------------------------------------------------------------------- +Wed Oct 31 09:23:37 UTC 2018 - Pedro Monreal Gonzalez + +- Update to version 7.62.0 + Changes: + * multiplex: enable by default + * url: default to CURL_HTTP_VERSION_2TLS if built h2-enabled + * setopt: add CURLOPT_DOH_URL + * curl: --doh-url added + * setopt: add CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer size + * imap: change from "FETCH" to "UID FETCH" + * configure: add option to disable automatic OpenSSL config loading + * upkeep: add a connection upkeep API: curl_easy_upkeep() + * URL-API: added five new functions + * vtls: MesaLink is a new TLS backend + Bugfixes: + * CVE-2018-16839: SASL password overflow via integer overflow [bsc#1112758] + * CVE-2018-16840: use-after-free in handle close [bsc#1113029] + * CVE-2018-16842: warning message out-of-buffer read [bsc#1113660] + * CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated + * Curl_dedotdotify(): always nul terminate returned string + * Curl_follow: Always free the passed new URL + * Curl_http2_done: fix memleak in error path + * Curl_retry_request: fix memory leak + * Curl_saferealloc: Fixed typo in docblock + * FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output + * GnutTLS: TLS 1.3 support + * SECURITY-PROCESS: mention the bountygraph program + * VS projects: add USE_IPV6: + * certs: generate tests certs with sha256 digest algorithm + * checksrc: enable strict mode and warnings + * checksrc: handle zero scoped ignore commands + * cmake: Backport to work with CMake 3.0 again + * cmake: Improve config installation + * cmake: add support for transitive ZLIB target + * cmake: disable -Wpedantic-ms-format + * cmake: don't require OpenSSL if USE_OPENSSL=OFF + * cmake: fixed path used in generation of docs/tests + * cmake: remove unused *SOCKLEN_T variables + * cmake: suppress MSVC warning C4127 for libtest + * cmake: test and set missed defines during configuration + * config: Remove unused SIZEOF_VOIDP + * configure: force-use 
-lpthreads on HPUX + * configure: remove CURL_CONFIGURE_CURL_SOCKLEN_T + * configure: s/AC_RUN_IFELSE/CURL_RUN_IFELSE + * cookies: Remove redundant expired check + * cookies: fix leak when writing cookies to file + * curl-config.in: remove dependency on bc + * curl.1: --ipv6 mutexes ipv4 (fixed typo) + * curl: update the documentation of --tlsv1.0 + * curl_multi_wait: call getsock before figuring out timeout + * curl_ntlm_wb: check aprintf() return codes + * data-binary.d: clarify default content-type is x-www-form-urlencoded + * docs/CIPHERS: Mention the options used to set TLS 1.3 ciphers + * docs/CIPHERS: fix the TLS 1.3 cipher names + * docs/CIPHERS: mention the colon separation for OpenSSL + * docs/examples: URL updates + * docs: add "see also" links for SSL options + * example/asiohiper: insert warning comment about its status + * example/htmltidy: fix include paths of tidy libraries + * examples/http2-pushinmemory: receive HTTP/2 pushed files in memory + * examples/parseurl.c: show off the URL API + * examples: Fix memory leaks from realloc errors + * examples: do not wait when no transfers are running + * ftp: include command in Curl_ftpsend sendbuffer + * gskit: make sure to terminate version string + * gtls: Values stored to but never read + * hostip: fix check on Curl_shuffle_addr return value + * http2: fix memory leaks on error-path + * http: fix memleak in rewind error path + * krb5: fix memory leak in krb_auth + * memory: add missing curl_printf header + * memory: ensure to check allocation results + * multi: Fix error handling in the SENDPROTOCONNECT state + * multi: fix memory leak in content encoding related error path + * multi: make the closure handle "inherit" CURLOPT_NOSIGNAL + * netrc: free temporary strings if memory allocation fails + * nss: try to connect even if libnssckbi.so fails to load + * ntlm_wb: Fix memory leaks in ntlm_wb_response + * ntlm_wb: bail out if the response gets overly large + * openssl: assume engine support in 0.9.8 
or later + * openssl: enable TLS 1.3 post-handshake auth + * openssl: fix gcc8 warning + * openssl: load built-in engines too + * openssl: make 'done' a proper boolean + * openssl: output the correct cipher list on TLS 1.3 error + * openssl: return CURLE_PEER_FAILED_VERIFICATION on failure to parse issuer + * openssl: show "proper" version number for libressl builds + * pipelining: deprecated + * rand: add comment to skip a clang-tidy false positive + * rtmp: fix for compiling with lwIP + * runtests: ignore disabled even when ranges are given + * schannel: unified error code handling + * sendf: Fix whitespace in infof/failf concatenation + * ssh: free the session on init failures + * ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code + * system.h: use proper setting with Sun C++ as well + * test1299: use single quotes around asterisk + * test1452: mark as flaky + * test1651: unit test Curl_extract_certinfo() + * test320: strip out more HTML when comparing + * tests/negtelnetserver.py: fix Python2-ism in neg TELNET server + * tests: add unit tests for url.c + * tool_cb_hdr: handle failure of rename() + * travis: add a "make tidy" build that runs clang-tidy + * travis: add build for "configure --disable-verbose" + * travis: bump the Secure Transport build to use xcode + * travis: make distcheck scan for BOM markers + * unit1300: fix stack-use-after-scope AddressSanitizer warning + * urldata: Fix "connecting" comment + * urlglob: improve error message on bad globs + * vtls: fix ssl version "or later" behavior change for many backends + * x509asn1: Fix SAN IP address verification + * x509asn1: always check return code from getASN1Element() + * x509asn1: return CURLE_PEER_FAILED_VERIFICATION on failure to parse cert + * x509asn1: suppress left shift on signed value +- Rebased patches after update: + * curl-disabled-redirect-protocol-message.patch + * curl-use_OPENSSL_config.patch + ------------------------------------------------------------------- Wed 
Sep 5 07:12:59 UTC 2018 - Karol Babioch diff --git a/curl.spec b/curl.spec index 674acb5..7d2a949 100644 --- a/curl.spec +++ b/curl.spec @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -27,7 +27,7 @@ # need ssl always for python-pycurl %bcond_without openssl Name: curl -Version: 7.61.1 +Version: 7.62.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl