Accepting request 1066797 from devel:libraries:c_c++

OBS-URL: https://build.opensuse.org/request/show/1066797
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/curl?expand=0&rev=182

curl-7.87.0.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ee5f1a1955b0ed413435ef79db28b834ea5f0fb7c8cfb1ce47175cc3bee08fff
-size 2547932

curl-7.87.0.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmOisGkACgkQXMkI/bce
-EsKLAAf/WdvGEmSBxxwitr1Rum4jYt95082FWrRR/C6bhGtMI/K2DE8gpmywONQ8
-NsM0p91wu/sgXG5+mnkyZsD3e5d4ykpGzYBVJS81dcXnKKdCko35p6vZC+gmxy+p
-MGeYyOalhWCvubCCOeATownD70u4qNgl+8qGBWCes33OyEfyeVjXyNVQWqQU1vpP
-ZY54egD3dyVIWF7r61Fdi1zZEeHo3zF6RQwV1alnezqSBcvZFQDHKBIGwl3h9cUk
-iImyEoNvuWs0IVbPlBw7A4WtlW7shLAICyI9hVdmPBmeAbBGmdFum+RhBgSkzUnp
-XbveJQQzTnI6pg7BeFYUNUA4ZuhWIQ==
-=h6dJ
------END PGP SIGNATURE-----

curl-7.88.1.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1dae31b2a7c1fe269de99c0c31bb488346aab3459b5ffca909d6938249ae415f
+size 2581032

curl-7.88.1.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmPzIdAACgkQXMkI/bce
+EsLgMgf9HwAPLRXj1ARTSFffsrf5eWiRpTO8dY2wVSPPAn7DXZyT5TP/+6tPJ2vf
+THbU/LzV1MH2Tyf4uWMHfPSpVsDH9MchVtqn3abXumuqczf14FTNKqsDXL/OMbkn
+9XV7qh3UOx3NuMR5TYc91fZMwo36TEYSrzU/X6cqv/e4fXNm6fX/shXQ75MJ6hic
+7rk/ilRX+L6Y43x3h0U6oBaICcLNnplJBazBY81y3EHbFmvdyDd41nik1TWgqNYL
+jIZ9LK6iUAav54/B9DxcDIKBAS0ZHMmnl1xth/KkTry1MWFi2jHJxAYccC7wTjgO
+bDNgD0z3z9mJ2rw/IALYBFBZQ3ed1A==
+=Z5N5
+-----END PGP SIGNATURE-----

curl.changes

@@ -1,3 +1,86 @@
+-------------------------------------------------------------------
+Mon Feb 20 10:35:11 UTC 2023 - Guillaume GARDET <guillaume.gardet@opensuse.org>
+
+- Update to 7.88.1:
+  * Bugfix release
+- Drop upstreamed patch:
+  * curl-fix-uninitialized-value-in-tests.patch
+
+-------------------------------------------------------------------
+Wed Feb 15 08:39:24 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 7.88.0: [bsc#1207990, CVE-2023-23914]
+  [bsc#1207991, CVE-2023-23915] [bsc#1207992, CVE-2023-23916]
+  * Security fixes:
+    - CVE-2023-23914: HSTS ignored on multiple requests
+    - CVE-2023-23915: HSTS amnesia with --parallel
+    - CVE-2023-23916: HTTP multi-header compression denial of service
+  * Changes:
+    - curl.h: add CURL_HTTP_VERSION_3ONLY
+    - share: add sharing of HSTS cache among handles
+    - src: add --http3-only
+    - tool_operate: share HSTS between handles
+    - urlapi: add CURLU_PUNYCODE
+    - writeout: add %{certs} and %{num_certs}
+  * Bugfixes:
+    - cf-socket: keep sockaddr local in the socket filters
+    - cfilters:Curl_conn_get_select_socks: use the first non-connected filter
+    - curl.h: allow up to 10M buffer size
+    - curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
+    - curl/websockets.h: extend the websocket frame struct
+    - curl: output warning at --verbose output for debug-enabled version
+    - curl_free.3: fix return type of `curl_free`
+    - curl_log: for failf/infof and debug logging implementations
+    - dict: URL decode the entire path always
+    - docs/DEPRECATE.md: deprecate gskit
+    - easyoptions: fix header printing in generation script
+    - haxproxy: send before TLS handhshake
+    - hsts.d: explain hsts more
+    - hsts: handle adding the same host name again
+    - HTTP/[23]: continue upload when state.drain is set
+    - http: decode transfer encoding first
+    - http_aws_sigv4: remove typecasts from HMAC_SHA256 macro
+    - http_proxy: do not assign data->req.p.http use local copy
+    - lib: connect/h2/h3 refactor
+    - libssh2: try sha2 algos for hostkey methods
+    - md4: fix build with GnuTLS + OpenSSL v1
+    - ngtcp2: replace removed define and stop using removed function
+    - noproxy: support for space-separated names is deprecated
+    - nss: implement data_pending method
+    - openldap: fix missing sasl symbols at build in specific configs
+    - openssl: adapt to boringssl's error code type
+    - openssl: don't ignore CA paths when using Windows CA store (redux)
+    - openssl: don't log raw record headers
+    - openssl: make the BIO_METHOD a local variable in the connection filter
+    - openssl: only use CA_BLOB if verifying peer
+    - openssl: remove attached easy handles from SSL instances
+    - openssl: store the CA after first send (ClientHello)
+    - setopt: use >, not >=, when checking if uarg is larger than uint-max
+    - smb: return error on upload without size
+    - socketpair: allow localhost MITM sniffers
+    - strdup: name it Curl_strdup
+    - tool_getparam: fix hiding of command line secrets
+    - tool_operate: fix error codes on bad URL & OOM
+    - tool_operate: repair --rate
+    - transfer: break the read loop when RECV is cleared
+    - typecheck: accept expressions for option/info parameters
+    - urlapi: avoid Curl_dyn_addf() for hex outputs
+    - urlapi: skip path checks if path is just "/"
+    - urlapi: skip the extra dedotdot alloc if no dot in path
+    - urldata: cease storing TLS auth type
+    - urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP
+    - urldata: make set.http200aliases conditional on HTTP being present
+    - urldata: move the cookefilelist to the 'set' struct
+    - urldata: remove unused struct fields, made more conditional
+    - vquic: stabilization and improvements
+    - vtls: fix hostname handling in filters
+    - vtls: manage current easy handle in nested cfilter calls
+    - vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used
+  * Rebase libcurl-ocloexec.patch
+  * Fix regression tests: f1d09231adfc695d15995b9ef2c8c6e568c28091
+    - runtests: fix "uninitialized value $port"
+    - Add curl-fix-uninitialized-value-in-tests.patch
+
 -------------------------------------------------------------------
 Wed Dec 21 08:19:23 UTC 2022 - David Anes <david.anes@suse.com>
 

curl.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package curl
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,7 +21,7 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name:           curl
-Version:        7.87.0
+Version:        7.88.1
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl

libcurl-ocloexec.patch

@@ -7,10 +7,10 @@ To make it portable you have to test O_CLOEXEC support at *runtime*
 compile time is not enough.
 
 
-Index: curl-7.87.0/lib/file.c
+Index: curl-7.88.0/lib/file.c
 ===================================================================
---- curl-7.87.0.orig/lib/file.c
-+++ curl-7.87.0/lib/file.c
+--- curl-7.88.0.orig/lib/file.c
++++ curl-7.88.0/lib/file.c
 @@ -232,7 +232,7 @@ static CURLcode file_connect(struct Curl
      }
    }
@@ -29,10 +29,10 @@ Index: curl-7.87.0/lib/file.c
    if(fd < 0) {
      failf(data, "Can't open %s for writing", file->path);
      return CURLE_WRITE_ERROR;
-Index: curl-7.87.0/lib/if2ip.c
+Index: curl-7.88.0/lib/if2ip.c
 ===================================================================
---- curl-7.87.0.orig/lib/if2ip.c
-+++ curl-7.87.0/lib/if2ip.c
+--- curl-7.88.0.orig/lib/if2ip.c
++++ curl-7.88.0/lib/if2ip.c
 @@ -206,7 +206,7 @@ if2ip_result_t Curl_if2ip(int af,
    if(len >= sizeof(req.ifr_name))
      return IF2IP_NOT_FOUND;
@@ -42,26 +42,11 @@ Index: curl-7.87.0/lib/if2ip.c
    if(CURL_SOCKET_BAD == dummy)
      return IF2IP_NOT_FOUND;
  
-Index: curl-7.87.0/lib/connect.c
+Index: curl-7.88.0/configure.ac
 ===================================================================
---- curl-7.87.0.orig/lib/connect.c
-+++ curl-7.87.0/lib/connect.c
-@@ -1559,7 +1559,9 @@ CURLcode Curl_socket(struct Curl_easy *d
-   }
-   else
-     /* opensocket callback not set, so simply create the socket now */
--    *sockfd = socket(addr->family, addr->socktype, addr->protocol);
-+    *sockfd = socket(addr->family,
-+                     addr->socktype|SOCK_CLOEXEC,
-+                     addr->protocol);
- 
-   if(*sockfd == CURL_SOCKET_BAD)
-     /* no socket, no connection */
-Index: curl-7.87.0/configure.ac
-===================================================================
---- curl-7.87.0.orig/configure.ac
-+++ curl-7.87.0/configure.ac
-@@ -347,6 +347,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m
+--- curl-7.88.0.orig/configure.ac
++++ curl-7.88.0/configure.ac
+@@ -420,6 +420,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m
  # Silence warning: ar: 'u' modifier ignored since 'D' is the default
  AC_SUBST(AR_FLAGS, [cr])
  
@@ -70,10 +55,10 @@ Index: curl-7.87.0/configure.ac
  dnl This defines _ALL_SOURCE for AIX
  CURL_CHECK_AIX_ALL_SOURCE
  
-Index: curl-7.87.0/lib/hostip.c
+Index: curl-7.88.0/lib/hostip.c
 ===================================================================
---- curl-7.87.0.orig/lib/hostip.c
-+++ curl-7.87.0/lib/hostip.c
+--- curl-7.88.0.orig/lib/hostip.c
++++ curl-7.88.0/lib/hostip.c
 @@ -48,6 +48,7 @@
  #include <signal.h>
  #endif
@@ -91,3 +76,18 @@ Index: curl-7.87.0/lib/hostip.c
      if(s == CURL_SOCKET_BAD)
        /* an IPv6 address was requested but we can't get/use one */
        ipv6_works = 0;
+Index: curl-7.88.0/lib/cf-socket.c
+===================================================================
+--- curl-7.88.0.orig/lib/cf-socket.c
++++ curl-7.88.0/lib/cf-socket.c
+@@ -252,7 +252,9 @@ static CURLcode socket_open(struct Curl_
+   }
+   else {
+     /* opensocket callback not set, so simply create the socket now */
+-    *sockfd = socket(addr->family, addr->socktype, addr->protocol);
++    *sockfd = socket(addr->family,
++                     addr->socktype|SOCK_CLOEXEC,
++                     addr->protocol);
+     if(!*sockfd && addr->socktype == SOCK_DGRAM) {
+       /* This is icky and seems, at least, to happen on macOS:
+        * we get sockfd == 0 and if called again, we get a valid one > 0.