Accepting request 610352 from devel:libraries:c_c++

OBS-URL: https://build.opensuse.org/request/show/610352
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/curl?expand=0&rev=134

curl-7.59.0.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:099d9c32dc7b8958ca592597c9fabccdf4c08cfb7c114ff1afbbc4c6f13c9e9e
-size 3907587

curl-7.59.0.tar.gz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlqoxTsACgkQXMkI/bce
-EsIreAf/UH3RUVhgKPZ/83zR+tK0M3gLZQW4oNcPYqslBFxi8ETDDgzQybbIUmA9
-CWzqB0j5+OsEA7bLFig6qx0VJxJZbrbNF8rMWArWld2bUjIxAbFxh7MYYf6W+yKZ
-1EDgzFEdahlCsN2qaRGlq2eBk1qUDNQIDwrn4lI2p6RfbC0InVKUV3eVcZQZZL0F
-WBVqLORYEv9Nl9umLKLsw6GDfs4INwyUcbv3muf/SlmgJ5JNIuEyVsZfd21ZFaDm
-oN1WK4s+7IL41RUl34stE7idgUry38InR9BD11vpsbLtQA29Sb3s+74osYkaxSI/
-MPltGnxrmhldDYiPGwszWvlCiOJ7YA==
-=Di6w
------END PGP SIGNATURE-----

curl-7.60.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e9c37986337743f37fd14fe8737f246e97aec94b39d1b71e8a5973f72a9fc4f5
+size 3949173

curl-7.60.0.tar.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlr7zUoACgkQXMkI/bce
+EsK4MAgArnvqXIdhdoXJ8iUGQgS1HOA7R2ug+KE35FdkhGeApkNgnmLkhzsPYqqF
+nnwh75ZDVfHxxKtFs8xo6bH3zwFoek/fL+uVdNOzChGccFFV1HNphZuUqh8Mrr1A
+tRW7FqjrfrD61dhd/arizHNbj/oo1B2ySJByFuqwW8zO9whLNX9PgtulZ9fk0D6O
+P4p560qKhRSm3lw+n1ANAwnkf316EGC57fqKxF+09i/ZLXObS1PqvFArQWnL2H3P
+ZfloOnVIAKnRAVO+FSOW/B7OzG3E7jKsmzOSzbKsVkXKAD4m+2FOqCcJYe0pgnJW
+R4n3So9hnEVnqclaCa7hP+CkmdqHew==
+=3Ago
+-----END PGP SIGNATURE-----

curl-mini.changes

@@ -1,3 +1,131 @@
+-------------------------------------------------------------------
+Fri May 18 11:47:00 UTC 2018 - vcizek@suse.com
+
+- Use OPENSSL_config instead of CONF_modules_load_file() to avoid
+  crashes due to openssl engines conflicts (bsc#1086367)
+  * add curl-use_OPENSSL_config.patch
+
+-------------------------------------------------------------------
+Wed May 16 08:41:48 UTC 2018 - pmonrealgonzalez@suse.com
+
+- Update to version 7.60.0
+  [bsc#1092094, CVE-2018-1000300][bsc#1092098, CVE-2018-1000301]
+  Changes:
+   * Add CURLOPT_HAPROXYPROTOCOL, support for the HAProxy PROXY protocol
+   * Add --haproxy-protocol for the command line tool
+   * Add CURLOPT_DNS_SHUFFLE_ADDRESSES, shuffle returned IP addresses 
+  Bugfixes:
+   * FTP: shutdown response buffer overflow CVE-2018-1000300
+   * RTSP: bad headers buffer over-read CVE-2018-1000301
+   * FTP: fix typo in recursive callback detection for seeking
+   * test1208: marked flaky
+   * HTTP: make header-less responses still count correct body size
+   * user-agent.d:: mention --proxy-header as well
+   * http2: fixes typo
+   * cleanup: misc typos in strings and comments
+   * rate-limit: use three second window to better handle high speeds
+   * examples/hiperfifo.c: improved
+   * pause: when changing pause state, update socket state
+   * multi: improved pending transfers handling => improved performance
+   * curl_version_info.3: fix ssl_version description
+   * add_handle/easy_perform: clear errorbuffer on start if set
+   * cmake: add support for brotli
+   * parsedate: support UT timezone
+   * vauth/ntlm.h: fix the #ifdef header guard
+   * lib/curl_path.h: added #ifdef header guard
+   * vauth/cleartext: fix integer overflow check
+   * CURLINFO_COOKIELIST.3: made the example not leak memory
+   * cookie.d: mention that "-" as filename means stdin
+   * CURLINFO_SSL_VERIFYRESULT.3: fixed the example
+   * http2: read pending frames (including GOAWAY) in connection-check
+   * timeval: remove compilation warning by casting
+   * cmake: avoid warn-as-error during config checks
+   * travis-ci: enable -Werror for CMake builds
+   * openldap: fix for NULL return from ldap_get_attribute_ber()
+   * threaded resolver: track resolver time and set suitable timeout values
+   * cmake: Add advapi32 as explicit link library for win32
+   * docs: fix CURLINFO_*_T examples use of CURL_FORMAT_CURL_OFF_T
+   * test1148: set a fixed locale for the test
+   * cookies: when reading from a file, only remove_expired once
+   * cookie: store cookies per top-level-domain-specific hash table
+   * openssl: fix build with LibreSSL 2.7
+   * tls: fix mbedTLS 2.7.0 build + handle sha256 failures
+   * openssl: RESTORED verify locations when verifypeer==0
+   * file: restore old behavior for file:////foo/bar URLs
+   * FTP: allow PASV on IPv6 connections when a proxy is being used
+   * build-openssl.bat: allow custom paths for VS and perl
+   * winbuild: make the clean target work without build-type
+   * build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15
+   * curl: retry on FTP 4xx, ignore other protocols
+   * configure: detect (and use) sa_family_t
+   * examples/sftpuploadresume: Fix Windows large file seek
+   * build: cleanup to fix clang warnings/errors
+   * winbuild: updated the documentation
+   * lib: silence null-dereference warnings
+   * travis: bump to clang 6 and gcc 7
+   * travis: build libpsl and make builds use it
+   * proxy: show getenv proxy use in verbose output
+   * duphandle: make sure CURLOPT_RESOLVE is duplicated
+   * all: Refactor malloc+memset to use calloc
+   * checksrc: Fix typo
+   * system.h: Add sparcv8plus to oracle/sunpro 32-bit detection
+   * vauth: Fix typo
+   * ssh: show libSSH2 error code when closing fails
+   * test1148: tolerate progress updates better
+   * urldata: make service names unconditional
+   * configure: keep LD_LIBRARY_PATH changes local
+   * ntlm_sspi: fix authentication using Credential Manager
+   * schannel: add client certificate authentication
+   * winbuild: Support custom devel paths for each dependency
+   * schannel: add support for CURLOPT_CAINFO
+   * http2: handle on_begin_headers() called more than once
+   * openssl: support OpenSSL 1.1.1 verbose-mode trace messages
+   * openssl: fix subjectAltName check on non-ASCII platforms
+   * http2: avoid strstr() on data not zero terminated
+   * http2: clear the "drain counter" when a stream is closed
+   * http2: handle GOAWAY properly
+   * tool_help: clarify --max-time unit of time is seconds
+   * curl.1: clarify that options and URLs can be mixed
+   * http2: convert an assert to run-time check
+   * curl_global_sslset: always provide available backends
+   * ftplistparser: keep state between invokes
+   * Curl_memchr: zero length input can't match
+   * examples/sftpuploadresume: typecast fseek argument to long
+   * examples/http2-upload: expand buffer to avoid silly warning
+   * ctype: restore character classification for non-ASCII platforms
+   * mime: avoid NULL pointer dereference risk
+   * cookies: ensure that we have cookies before writing jar
+   * os400.c: fix checksrc warnings
+   * configure: provide --with-wolfssl as an alias for --with-cyassl
+   * cyassl: adapt to libraries without TLS 1.0 support built-in
+   * http2: get rid of another strstr
+   * checksrc: force indentation of lines after an else
+   * cookies: remove unused macro
+   * CURLINFO_PROTOCOL.3: mention the existing defined names
+   * tests: provide 'manual' as a feature to optionally require
+   * travis: enable libssh2 on both macos and Linux
+   * CURLOPT_URL.3: added ENCODING section
+   * wolfssl: Fix non-blocking connect
+   * vtls: don't define MD5_DIGEST_LENGTH for wolfssl
+   * docs: remove extraneous commas in man pages
+   * URL: fix ASCII dependency in strcpy_url and strlen_url
+   * ssh-libssh.c: fix left shift compiler warning
+   * configure: only check for CA bundle for file-using SSL backends
+   * travis: add an mbedtls build
+   * http: don't set the "rewind" flag when not uploading anything
+   * configure: put CURLDEBUG and DEBUGBUILD in lib/curl_config.h
+   * transfer: don't unset writesockfd on setup of multiplexed conns
+   * vtls: use unified "supports" bitfield member in backends
+   * URLs: fix one more http url
+   * travis: add a build using WolfSSL
+   * openssl: change FILE ops to BIO ops
+   * travis: add build using NSS
+   * smb: reject negative file sizes
+   * cookies: accept parameter names as cookie name
+   * http2: getsock fix for uploads
+   * all over: fixed format specifiers
+   * http2: use the correct function pointer typedef 
+
 -------------------------------------------------------------------
 Wed Mar 14 14:23:22 UTC 2018 - pmonrealgonzalez@suse.com
 

curl-mini.spec

@@ -29,7 +29,7 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name:           curl-mini
-Version:        7.59.0
+Version:        7.60.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl

curl-use_OPENSSL_config.patch

@@ -0,0 +1,36 @@
+This basically reverts  https://github.com/curl/curl/commit/7d2f61f66ab4e047fc9aefc2effc1ac6d340a66a
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 80e9bf940..ba227891f 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -925,26 +925,12 @@ static int Curl_ossl_init(void)
+   ENGINE_load_builtin_engines();
+ #endif
+ 
+-  /* OPENSSL_config(NULL); is "strongly recommended" to use but unfortunately
+-     that function makes an exit() call on wrongly formatted config files
+-     which makes it hard to use in some situations. OPENSSL_config() itself
+-     calls CONF_modules_load_file() and we use that instead and we ignore
+-     its return code! */
+-
+-  /* CONF_MFLAGS_DEFAULT_SECTION introduced some time between 0.9.8b and
+-     0.9.8e */
+-#ifndef CONF_MFLAGS_DEFAULT_SECTION
+-#define CONF_MFLAGS_DEFAULT_SECTION 0x0
+-#endif
+-
+-  CONF_modules_load_file(NULL, NULL,
+-                         CONF_MFLAGS_DEFAULT_SECTION|
+-                         CONF_MFLAGS_IGNORE_MISSING_FILE);
+-
+ #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
+     !defined(LIBRESSL_VERSION_NUMBER)
+-  /* OpenSSL 1.1.0+ takes care of initialization itself */
++  OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+ #else
++  OPENSSL_config(NULL);
++
+   /* Lets get nice error messages */
+   SSL_load_error_strings();
+ 

curl.changes

@@ -1,3 +1,131 @@
+-------------------------------------------------------------------
+Fri May 18 11:47:00 UTC 2018 - vcizek@suse.com
+
+- Use OPENSSL_config instead of CONF_modules_load_file() to avoid
+  crashes due to openssl engines conflicts (bsc#1086367)
+  * add curl-use_OPENSSL_config.patch
+
+-------------------------------------------------------------------
+Wed May 16 08:41:48 UTC 2018 - pmonrealgonzalez@suse.com
+
+- Update to version 7.60.0
+  [bsc#1092094, CVE-2018-1000300][bsc#1092098, CVE-2018-1000301]
+  Changes:
+   * Add CURLOPT_HAPROXYPROTOCOL, support for the HAProxy PROXY protocol
+   * Add --haproxy-protocol for the command line tool
+   * Add CURLOPT_DNS_SHUFFLE_ADDRESSES, shuffle returned IP addresses 
+  Bugfixes:
+   * FTP: shutdown response buffer overflow CVE-2018-1000300
+   * RTSP: bad headers buffer over-read CVE-2018-1000301
+   * FTP: fix typo in recursive callback detection for seeking
+   * test1208: marked flaky
+   * HTTP: make header-less responses still count correct body size
+   * user-agent.d:: mention --proxy-header as well
+   * http2: fixes typo
+   * cleanup: misc typos in strings and comments
+   * rate-limit: use three second window to better handle high speeds
+   * examples/hiperfifo.c: improved
+   * pause: when changing pause state, update socket state
+   * multi: improved pending transfers handling => improved performance
+   * curl_version_info.3: fix ssl_version description
+   * add_handle/easy_perform: clear errorbuffer on start if set
+   * cmake: add support for brotli
+   * parsedate: support UT timezone
+   * vauth/ntlm.h: fix the #ifdef header guard
+   * lib/curl_path.h: added #ifdef header guard
+   * vauth/cleartext: fix integer overflow check
+   * CURLINFO_COOKIELIST.3: made the example not leak memory
+   * cookie.d: mention that "-" as filename means stdin
+   * CURLINFO_SSL_VERIFYRESULT.3: fixed the example
+   * http2: read pending frames (including GOAWAY) in connection-check
+   * timeval: remove compilation warning by casting
+   * cmake: avoid warn-as-error during config checks
+   * travis-ci: enable -Werror for CMake builds
+   * openldap: fix for NULL return from ldap_get_attribute_ber()
+   * threaded resolver: track resolver time and set suitable timeout values
+   * cmake: Add advapi32 as explicit link library for win32
+   * docs: fix CURLINFO_*_T examples use of CURL_FORMAT_CURL_OFF_T
+   * test1148: set a fixed locale for the test
+   * cookies: when reading from a file, only remove_expired once
+   * cookie: store cookies per top-level-domain-specific hash table
+   * openssl: fix build with LibreSSL 2.7
+   * tls: fix mbedTLS 2.7.0 build + handle sha256 failures
+   * openssl: RESTORED verify locations when verifypeer==0
+   * file: restore old behavior for file:////foo/bar URLs
+   * FTP: allow PASV on IPv6 connections when a proxy is being used
+   * build-openssl.bat: allow custom paths for VS and perl
+   * winbuild: make the clean target work without build-type
+   * build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15
+   * curl: retry on FTP 4xx, ignore other protocols
+   * configure: detect (and use) sa_family_t
+   * examples/sftpuploadresume: Fix Windows large file seek
+   * build: cleanup to fix clang warnings/errors
+   * winbuild: updated the documentation
+   * lib: silence null-dereference warnings
+   * travis: bump to clang 6 and gcc 7
+   * travis: build libpsl and make builds use it
+   * proxy: show getenv proxy use in verbose output
+   * duphandle: make sure CURLOPT_RESOLVE is duplicated
+   * all: Refactor malloc+memset to use calloc
+   * checksrc: Fix typo
+   * system.h: Add sparcv8plus to oracle/sunpro 32-bit detection
+   * vauth: Fix typo
+   * ssh: show libSSH2 error code when closing fails
+   * test1148: tolerate progress updates better
+   * urldata: make service names unconditional
+   * configure: keep LD_LIBRARY_PATH changes local
+   * ntlm_sspi: fix authentication using Credential Manager
+   * schannel: add client certificate authentication
+   * winbuild: Support custom devel paths for each dependency
+   * schannel: add support for CURLOPT_CAINFO
+   * http2: handle on_begin_headers() called more than once
+   * openssl: support OpenSSL 1.1.1 verbose-mode trace messages
+   * openssl: fix subjectAltName check on non-ASCII platforms
+   * http2: avoid strstr() on data not zero terminated
+   * http2: clear the "drain counter" when a stream is closed
+   * http2: handle GOAWAY properly
+   * tool_help: clarify --max-time unit of time is seconds
+   * curl.1: clarify that options and URLs can be mixed
+   * http2: convert an assert to run-time check
+   * curl_global_sslset: always provide available backends
+   * ftplistparser: keep state between invokes
+   * Curl_memchr: zero length input can't match
+   * examples/sftpuploadresume: typecast fseek argument to long
+   * examples/http2-upload: expand buffer to avoid silly warning
+   * ctype: restore character classification for non-ASCII platforms
+   * mime: avoid NULL pointer dereference risk
+   * cookies: ensure that we have cookies before writing jar
+   * os400.c: fix checksrc warnings
+   * configure: provide --with-wolfssl as an alias for --with-cyassl
+   * cyassl: adapt to libraries without TLS 1.0 support built-in
+   * http2: get rid of another strstr
+   * checksrc: force indentation of lines after an else
+   * cookies: remove unused macro
+   * CURLINFO_PROTOCOL.3: mention the existing defined names
+   * tests: provide 'manual' as a feature to optionally require
+   * travis: enable libssh2 on both macos and Linux
+   * CURLOPT_URL.3: added ENCODING section
+   * wolfssl: Fix non-blocking connect
+   * vtls: don't define MD5_DIGEST_LENGTH for wolfssl
+   * docs: remove extraneous commas in man pages
+   * URL: fix ASCII dependency in strcpy_url and strlen_url
+   * ssh-libssh.c: fix left shift compiler warning
+   * configure: only check for CA bundle for file-using SSL backends
+   * travis: add an mbedtls build
+   * http: don't set the "rewind" flag when not uploading anything
+   * configure: put CURLDEBUG and DEBUGBUILD in lib/curl_config.h
+   * transfer: don't unset writesockfd on setup of multiplexed conns
+   * vtls: use unified "supports" bitfield member in backends
+   * URLs: fix one more http url
+   * travis: add a build using WolfSSL
+   * openssl: change FILE ops to BIO ops
+   * travis: add build using NSS
+   * smb: reject negative file sizes
+   * cookies: accept parameter names as cookie name
+   * http2: getsock fix for uploads
+   * all over: fixed format specifiers
+   * http2: use the correct function pointer typedef 
+
 -------------------------------------------------------------------
 Wed Mar 14 14:23:22 UTC 2018 - pmonrealgonzalez@suse.com
 

curl.spec

@@ -27,7 +27,7 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name:           curl
-Version:        7.59.0
+Version:        7.60.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl
@@ -43,6 +43,7 @@ Patch2:         curl-secure-getenv.patch
 Patch3:         ignore_runtests_failure.patch
 # PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled
 Patch4:         curl-disabled-redirect-protocol-message.patch
+Patch5:         curl-use_OPENSSL_config.patch
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
 Requires:       libcurl4%{?mini} = %{version}
@@ -122,6 +123,7 @@ user interaction or any kind of interactivity.
 %patch3 -p1
 %endif
 %patch4 -p1
+%patch5 -p1
 
 %build
 # curl complains if macro definition is contained in CFLAGS