diff --git a/curl.changes b/curl.changes index 25fbcce..e8a5147 100644 --- a/curl.changes +++ b/curl.changes @@ -1,3 +1,19 @@ +------------------------------------------------------------------- +Wed Nov 16 03:09:27 UTC 2022 - Luciano Santos + +- Add 1.50.0 as the minimum libnghttp2 build requirement version as + a bandaid. Curl's 7.86.0 release introduces the use of + nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation, + introduced by nghttp2 1.50.0 release, without introducing a check + for the function/right version in their build scripts. This will + make Zypper/cURL unusable in some corner cases where users + installing something that requires libcurl4 before doing full + system upgrade, thus updating the cURL stack, but not + libnghttp2's. Background: boo#1204983, Factory mailing list + threadd: + "? broken dependency in curl and/or *zyp* ?", and forums thread: + Curl-is-broken-after-an-update-which-subsequently-breaks-zypper. + ------------------------------------------------------------------- Wed Oct 26 07:51:51 UTC 2022 - Pedro Monreal diff --git a/curl.spec b/curl.spec index c5135f5..2109a1d 100644 --- a/curl.spec +++ b/curl.spec @@ -46,7 +46,17 @@ BuildRequires: pkgconfig(libbrotlidec) BuildRequires: pkgconfig(libidn2) # Disable metalink [bsc#1188218, CVE-2021-22923][bsc#1188217, CVE-2021-22922] # BuildRequires: pkgconfig(libmetalink) -BuildRequires: pkgconfig(libnghttp2) +# +# The 7.86.0 cURL release introduced the use of +# nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation, +# a function introduced by the 1.50.0 nghttp2 release. +# +# This is a bandaid, as cURL didn't provide a function/version check +# in their build scripts. Without this some users my end up with a broken +# Zypper/cURL if they have a libnghttp2 < 1.50.0 yet in their system, +# and do some Zypper transaction that updates cURL, but not libnghttp2. +# +BuildRequires: pkgconfig(libnghttp2) >= 1.50.0 BuildRequires: pkgconfig(libpsl) BuildRequires: pkgconfig(libssh) BuildRequires: pkgconfig(libzstd)