Accepting request 1116809 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

- Update to 8.4.0:
  * Security fixes:
    - SOCKS5 heap buffer overflow [bsc#1215888, CVE-2023-38545]
    - cookie injection with none file [bsc#1215889, CVE-2023-38546]
  * Changes:
    - curl: add support for the IPFS protocols via HTTP gateway
    - curl_multi_get_handles: get easy handles from a multi handle
    - mingw: delete support for legacy mingw.org toolchain
  * Bugfixes:
    - base64: also build for curl
    - cf-socket: simulate slow/blocked receives in debug
    - configure: check for the capath by default
    - connect: expire the timeout when trying next
    - connect: only start the happy eyeballs timer when needed
    - cookie: do not store the expire or max-age strings
    - cookie: remove unnecessary struct fields
    - cookie: set ->running in cookie_init even if data is NULL
    - create-dirs.d: clarify it also uses --output-dirs
    - http2: refused stream handling for retry
    - http: h1/h2 proxy unification
    - http: use per-request counter to check too large headers
    - idn: if idn2_check_version returns NULL, return error
    - lib: enable hmac for digest as well
    - lib: let the max filesize option stop too big transfers too
    - lib: move handling of 'data->req.writer_stack' into Curl_client_write()
    - lib: provide and use Curl_hexencode
    - lib: use wrapper for curl_mime_data fseek callback
    - libssh2: fix error message on failed pubkey-from-file
    - libssh: cap SFTP packet size sent
    - MQTT: improve receive of ACKs

OBS-URL: https://build.opensuse.org/request/show/1116809
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=346

curl-8.3.0.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:376d627767d6c4f05105ab6d497b0d9aba7111770dd9d995225478209c37ea63
-size 2641764

curl-8.3.0.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmUBVMsACgkQXMkI/bce
-EsLSqAf/Su2NkC5/WveXmP4ShKJ/fqO8nJO+YqPo0TOF9o+15iMQY6Y4D0TY4J7F
-EL4s2BCJ3N+mQatyy8vftBIXSBWJE+f/ulCzIpfptx2vA5m1F6rPxpoWgiuaD/xw
-QYaOHoIzIGsPZ9LKse/VWCwJdzvK6Sq731v4YKFr9O3l0f+F++zc04ACq8lJH205
-KYuLKJZfDOjlaozC9uhblpHpf2qgskSvSi5FmzTFlABLcFA4gYTJ3f7dKF0yvMQ2
-SEZm+zN1UTwRHeLU3mP6RCyUvle/8zkZf6+vfJ78OXS7OTt+BcNyHSJOwSl9dmE1
-outJHEDrtt3RU6IDhAFEIT1zL3ifng==
-=xYP1
------END PGP SIGNATURE-----

curl-8.4.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:16c62a9c4af0f703d28bda6d7bbf37ba47055ad3414d70dec63e2e6336f2a82d
+size 2658376

curl-8.4.0.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmUmNUkACgkQXMkI/bce
+EsIiwQgAjbpDysDBbuhdQekitabLu9vEk5rIk1wAM1cYLGKgEU+8oDIUTa1HFJCV
+zb9fGNdnOpwYHOGiOiX5rec4cHcZrL/w92ctP9kgTY97VU3puESn2JO4abVuLtD6
+lPfzIsSFnvYoawWKWLp8Vkia87r+Au9ZiUhM2NPiuZuBleWhk1RWSWoTN8FalK4x
+pa/aUumd3niCfv5xdQ9fn//CrVJTKc7S18IC+vdlVYM3UgYVghRihTglEEg/7KAj
+Hy73sgU2LtQUuuyL42K942bbKd92/OGvCDbPu3CZ8zL0TXHSFmcbMZrl90RPSCXE
+qJiuih+EQxYKh3CGZxNftSI4iV7aag==
+=wuw5
+-----END PGP SIGNATURE-----

curl.changes

@@ -1,3 +1,55 @@
+-------------------------------------------------------------------
+Wed Oct 11 06:33:28 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 8.4.0:
+  * Security fixes:
+    - SOCKS5 heap buffer overflow [bsc#1215888, CVE-2023-38545]
+    - cookie injection with none file [bsc#1215889, CVE-2023-38546]
+  * Changes:
+    - curl: add support for the IPFS protocols via HTTP gateway
+    - curl_multi_get_handles: get easy handles from a multi handle
+    - mingw: delete support for legacy mingw.org toolchain
+  * Bugfixes:
+    - base64: also build for curl
+    - cf-socket: simulate slow/blocked receives in debug
+    - configure: check for the capath by default
+    - connect: expire the timeout when trying next
+    - connect: only start the happy eyeballs timer when needed
+    - cookie: do not store the expire or max-age strings
+    - cookie: remove unnecessary struct fields
+    - cookie: set ->running in cookie_init even if data is NULL
+    - create-dirs.d: clarify it also uses --output-dirs
+    - http2: refused stream handling for retry
+    - http: h1/h2 proxy unification
+    - http: use per-request counter to check too large headers
+    - idn: if idn2_check_version returns NULL, return error
+    - lib: enable hmac for digest as well
+    - lib: let the max filesize option stop too big transfers too
+    - lib: move handling of 'data->req.writer_stack' into Curl_client_write()
+    - lib: provide and use Curl_hexencode
+    - lib: use wrapper for curl_mime_data fseek callback
+    - libssh2: fix error message on failed pubkey-from-file
+    - libssh: cap SFTP packet size sent
+    - MQTT: improve receive of ACKs
+    - multi: do CURLM_CALL_MULTI_PERFORM at two more places
+    - multi: round the timeout up to prevent early wakeups
+    - openssl: improve ssl shutdown handling
+    - openssl: use X509_ALGOR_get0 instead of reaching into X509_ALGOR
+    - pytest: exclude test_03_goaway in CI runs due to timing dependency
+    - quic: set ciphers/curves the same way regular TLS does
+    - quiche: fix build error with --with-ca-fallback
+    - socks: return error if hostname too long for remote resolve
+    - tftpd: always use curl's own tftp.h
+    - tool_getparam: accept variable expansion on file names too
+    - upload-file.d: describe the file name slash/backslash handling
+    - url: fall back to http/https proxy env-variable if ws/wss not set
+    - url: fix netrc info message
+    - wolfssh: do cleanup in Curl_ssh_cleanup
+    - wolfssl: allow capath with CURLOPT_CAINFO_BLOB
+    - wolfssl: if CURLOPT_CAINFO_BLOB is set, ignore the CA files
+    - wolfssl: ignore errors in CA path
+  * Rebase libcurl-ocloexec.patch
+
 -------------------------------------------------------------------
 Wed Sep 13 06:45:33 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
 

curl.spec

@@ -21,7 +21,7 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name:           curl
-Version:        8.3.0
+Version:        8.4.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl

libcurl-ocloexec.patch

@@ -7,10 +7,10 @@ To make it portable you have to test O_CLOEXEC support at *runtime*
 compile time is not enough.
 
 
-Index: curl-8.0.0/lib/file.c
+Index: curl-8.4.0/lib/file.c
 ===================================================================
---- curl-8.0.0.orig/lib/file.c
-+++ curl-8.0.0/lib/file.c
+--- curl-8.4.0.orig/lib/file.c
++++ curl-8.4.0/lib/file.c
 @@ -232,7 +232,7 @@ static CURLcode file_connect(struct Curl
      }
    }
@@ -29,11 +29,11 @@ Index: curl-8.0.0/lib/file.c
    if(fd < 0) {
      failf(data, "Can't open %s for writing", file->path);
      return CURLE_WRITE_ERROR;
-Index: curl-8.0.0/lib/if2ip.c
+Index: curl-8.4.0/lib/if2ip.c
 ===================================================================
---- curl-8.0.0.orig/lib/if2ip.c
-+++ curl-8.0.0/lib/if2ip.c
-@@ -206,7 +206,7 @@ if2ip_result_t Curl_if2ip(int af,
+--- curl-8.4.0.orig/lib/if2ip.c
++++ curl-8.4.0/lib/if2ip.c
+@@ -208,7 +208,7 @@ if2ip_result_t Curl_if2ip(int af,
    if(len >= sizeof(req.ifr_name))
      return IF2IP_NOT_FOUND;
  
@@ -42,11 +42,11 @@ Index: curl-8.0.0/lib/if2ip.c
    if(CURL_SOCKET_BAD == dummy)
      return IF2IP_NOT_FOUND;
  
-Index: curl-8.0.0/configure.ac
+Index: curl-8.4.0/configure.ac
 ===================================================================
---- curl-8.0.0.orig/configure.ac
-+++ curl-8.0.0/configure.ac
-@@ -420,6 +420,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m
+--- curl-8.4.0.orig/configure.ac
++++ curl-8.4.0/configure.ac
+@@ -428,6 +428,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m
  # Silence warning: ar: 'u' modifier ignored since 'D' is the default
  AC_SUBST(AR_FLAGS, [cr])
  
@@ -55,19 +55,19 @@ Index: curl-8.0.0/configure.ac
  dnl This defines _ALL_SOURCE for AIX
  CURL_CHECK_AIX_ALL_SOURCE
  
-Index: curl-8.0.0/lib/hostip.c
+Index: curl-8.4.0/lib/hostip.c
 ===================================================================
---- curl-8.0.0.orig/lib/hostip.c
-+++ curl-8.0.0/lib/hostip.c
-@@ -48,6 +48,7 @@
+--- curl-8.4.0.orig/lib/hostip.c
++++ curl-8.4.0/lib/hostip.c
+@@ -44,6 +44,7 @@
+ #include <setjmp.h>
  #include <signal.h>
- #endif
  
 +#include <fcntl.h>
  #include "urldata.h"
  #include "sendf.h"
  #include "hostip.h"
-@@ -582,7 +583,7 @@ bool Curl_ipv6works(struct Curl_easy *da
+@@ -609,7 +610,7 @@ bool Curl_ipv6works(struct Curl_easy *da
    else {
      int ipv6_works = -1;
      /* probe to see if we have a working IPv6 stack */
@@ -76,11 +76,11 @@ Index: curl-8.0.0/lib/hostip.c
      if(s == CURL_SOCKET_BAD)
        /* an IPv6 address was requested but we can't get/use one */
        ipv6_works = 0;
-Index: curl-8.0.0/lib/cf-socket.c
+Index: curl-8.4.0/lib/cf-socket.c
 ===================================================================
---- curl-8.0.0.orig/lib/cf-socket.c
-+++ curl-8.0.0/lib/cf-socket.c
-@@ -252,7 +252,9 @@ static CURLcode socket_open(struct Curl_
+--- curl-8.4.0.orig/lib/cf-socket.c
++++ curl-8.4.0/lib/cf-socket.c
+@@ -274,7 +274,9 @@ static CURLcode socket_open(struct Curl_
    }
    else {
      /* opensocket callback not set, so simply create the socket now */