From ad1aae24530849c98503e55e6ab396b2c7f910273431f286a93f7958ccdeb3fa Mon Sep 17 00:00:00 2001 From: David Anes Date: Wed, 16 Nov 2022 08:43:02 +0000 Subject: [PATCH] Accepting request 1035938 from home:luc14n0:branches:devel:libraries:c_c++ Add 1.50.0 as the minimum libnghttp2 build requirement version as a bandaid. Curl's 7.86.0 release introduces the use of nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation, introduced by nghttp2 1.50.0 release, without introducing a check for the function/right version in their build scripts. OBS-URL: https://build.opensuse.org/request/show/1035938 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=323 --- curl.changes | 16 ++++++++++++++++ curl.spec | 12 +++++++++++- 2 files changed, 27 insertions(+), 1 deletion(-) diff --git a/curl.changes b/curl.changes index 25fbcce..e8a5147 100644 --- a/curl.changes +++ b/curl.changes @@ -1,3 +1,19 @@ +------------------------------------------------------------------- +Wed Nov 16 03:09:27 UTC 2022 - Luciano Santos + +- Add 1.50.0 as the minimum libnghttp2 build requirement version as + a bandaid. Curl's 7.86.0 release introduces the use of + nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation, + introduced by nghttp2 1.50.0 release, without introducing a check + for the function/right version in their build scripts. This will + make Zypper/cURL unusable in some corner cases where users + installing something that requires libcurl4 before doing full + system upgrade, thus updating the cURL stack, but not + libnghttp2's. Background: boo#1204983, Factory mailing list + threadd: + "? broken dependency in curl and/or *zyp* ?", and forums thread: + Curl-is-broken-after-an-update-which-subsequently-breaks-zypper. + ------------------------------------------------------------------- Wed Oct 26 07:51:51 UTC 2022 - Pedro Monreal diff --git a/curl.spec b/curl.spec index c5135f5..2109a1d 100644 --- a/curl.spec +++ b/curl.spec @@ -46,7 +46,17 @@ BuildRequires: pkgconfig(libbrotlidec) BuildRequires: pkgconfig(libidn2) # Disable metalink [bsc#1188218, CVE-2021-22923][bsc#1188217, CVE-2021-22922] # BuildRequires: pkgconfig(libmetalink) -BuildRequires: pkgconfig(libnghttp2) +# +# The 7.86.0 cURL release introduced the use of +# nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation, +# a function introduced by the 1.50.0 nghttp2 release. +# +# This is a bandaid, as cURL didn't provide a function/version check +# in their build scripts. Without this some users my end up with a broken +# Zypper/cURL if they have a libnghttp2 < 1.50.0 yet in their system, +# and do some Zypper transaction that updates cURL, but not libnghttp2. +# +BuildRequires: pkgconfig(libnghttp2) >= 1.50.0 BuildRequires: pkgconfig(libpsl) BuildRequires: pkgconfig(libssh) BuildRequires: pkgconfig(libzstd)