From abfeb2c0eca1b51f89e8860315b02dd8f260e1703e998687b8c2633ac24c4bea Mon Sep 17 00:00:00 2001 
From: Pedro Monreal Gonzalez
Date: Wed, 26 Oct 2022 09:49:48 +0000
Subject: [PATCH] Accepting request 1031305 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

- Update to 7.86.0:
 * Security fixes:
 - POST following PUT confusion [bsc#1204383, CVE-2022-32221]
 - .netrc parser out-of-bounds access [bsc#1204384, CVE-2022-35260]
 - HTTP proxy double-free [bsc#1204385, CVE-2022-42915]
 - HSTS bypass via IDN [bsc#1204386, CVE-2022-42916]
 * Changes:
 - NPN: remove support for and use of
 - Websockets: initial support
 * Bugfixes:
 - altsvc: reject bad port numbers
 - autotools: reduce brute-force when detecting recv/send arg list
 - aws_sigv4: fix header computation
 - cli tool: do not use disabled protocols
 - connect: change verbose IPv6 address:port to [address]:port
 - connect: fix builds without AF_INET6
 - connect: fix Curl_updateconninfo for TRNSPRT_UNIX
 - connect: fix the wrong error message on connect failures
 - content_encoding: use writer struct subclasses for different encodings
 - cookie: reject cookie names or content with TAB characters
 - curl/add_file_name_to_url: use the libcurl URL parser
 - curl/get_url_file_name: use libcurl URL parser
 - curl: warn for --ssl use, considered insecure
 - docs/libcurl/symbols-in-versions: add several missing symbols
 - ftp: ignore a 550 response to MDTM
 - functypes: provide the recv and send arg and return types
 - getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled
 - header: define public API functions as extern c
 - headers: reset the requests counter at transfer start
 - hostip: guard PF_INET6 use

OBS-URL: https://build.opensuse.org/request/show/1031305
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=321
---
 ...Curl_updateconninfo-for-TRNSPRT_UNIX.patch | 42 ----------
 curl-7.85.0.tar.xz | 3 -
 curl-7.85.0.tar.xz.asc | 11 ---
 curl-7.86.0.tar.xz | 3 +
 curl-7.86.0.tar.xz.asc | 11 +++
 curl.changes | 80 +++++++++++++++++++
 curl.spec | 5 +-
 7 files changed, 96 insertions(+), 59 deletions(-)
 delete mode 100644 connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
 delete mode 100644 curl-7.85.0.tar.xz
 delete mode 100644 curl-7.85.0.tar.xz.asc
 create mode 100644 curl-7.86.0.tar.xz
 create mode 100644 curl-7.86.0.tar.xz.asc

diff --git a/connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch b/connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
deleted file mode 100644
index 0aae964..0000000
--- a/connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 4232e1ac84ff4c2f46807b68a93efdbb31ff22a2 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Fri, 7 Oct 2022 18:10:05 +0200
-Subject: [PATCH] connect: fix Curl_updateconninfo for TRNSPRT_UNIX
-
-Reported-by: Vasiliy Ulyanov
-Fixes #9664
-Closes #9670
----
- lib/connect.c | 16 ++++------------
- 1 file changed, 4 insertions(+), 12 deletions(-)
-
-diff --git a/lib/connect.c b/lib/connect.c
-index c1d8cfd39..9dc14704d 100644
---- a/lib/connect.c
-+++ b/lib/connect.c
-@@ -762,18 +762,10 @@ void Curl_updateconninfo(struct Curl_easy *data, struct connectdata *conn,
- char local_ip[MAX_IPADR_LEN] = "";
- int local_port = -1;
-
-- if(conn->transport == TRNSPRT_TCP) {
-- if(!conn->bits.reuse && !conn->bits.tcp_fastopen)
-- Curl_conninfo_remote(data, conn, sockfd);
-- Curl_conninfo_local(data, sockfd, local_ip, &local_port);
-- } /* end of TCP-only section */
--#ifdef ENABLE_QUIC
-- else if(conn->transport == TRNSPRT_QUIC) {
-- if(!conn->bits.reuse)
-- Curl_conninfo_remote(data, conn, sockfd);
-- Curl_conninfo_local(data, sockfd, local_ip, &local_port);
-- }
--#endif
-+ if(!conn->bits.reuse &&
-+ (conn->transport != TRNSPRT_TCP || !conn->bits.tcp_fastopen))
-+ Curl_conninfo_remote(data, conn, sockfd);
-+ Curl_conninfo_local(data, sockfd, local_ip, &local_port);
-
- /* persist connection info in session handle */
- Curl_persistconninfo(data, conn, local_ip, local_port);
---
-2.37.3
-
diff --git a/curl-7.85.0.tar.xz b/curl-7.85.0.tar.xz
deleted file mode 100644
index 92341d3..0000000
--- a/curl-7.85.0.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:88b54a6d4b9a48cb4d873c7056dcba997ddd5b7be5a2d537a4acb55c20b04be6
-size 2480648
diff --git a/curl-7.85.0.tar.xz.asc b/curl-7.85.0.tar.xz.asc
deleted file mode 100644
index dae7ee7..0000000
--- a/curl-7.85.0.tar.xz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmMO/LoACgkQXMkI/bce
-EsK14Af+L+0de5NTHNuXkryTcHZ35nGUhBcYJxE1Gyf0Or7IpX0rYsqpE6T1B6gm
-/NwJb4yDzCPbtekHBmwhQNNj91p5BCEtOlcwOYaT6rgWiXvCNMtWydmPZWrwg9Pk
-zVp+CVNOVoUDI2x2EAZc6IrxagKuvEzy29MFsRmXy/17D5XKkRH0QUJE3XfxorgV
-LshtSVlxzlZXmer3jGqCKqyJJc+8du92rggDhs7W8e1JZ6M6ujc9p6LfO+HaW5c+
-RPcLdScjzuOurAKwhWRWYcW3hukHGZ68iZYgfT2B43iLtRiwo2hQlHkt5Jg6WYmi
-jKO6tKo1uF+bm7/5PWipWCTjvR8F3g==
-=TXWE
------END PGP SIGNATURE-----
diff --git a/curl-7.86.0.tar.xz b/curl-7.86.0.tar.xz
new file mode 100644
index 0000000..0be61c4
--- /dev/null
+++ b/curl-7.86.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2d61116e5f485581f6d59865377df4463f2e788677ac43222b496d4e49fb627b
+size 2518356
diff --git a/curl-7.86.0.tar.xz.asc b/curl-7.86.0.tar.xz.asc
new file mode 100644
index 0000000..f8af8f0
--- /dev/null
+++ b/curl-7.86.0.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmNY0SQACgkQXMkI/bce
+EsL3Cgf/Ru1crW1U4Hrtc8yw2TwWD+H7jm5VTOqQ96JYvApMihrAjh1uMNjCZSSI
+8yzx7E/dVSdY96yQfSdO7M+4eG39oFRvaaKvajf0f1yjUAvc1/zDCfKsjuguttwZ
+QaEl/0Gx72cvtLd2NuHxEL4cDr8xa7BExFG0JKF7x4InC6zyrz4k4oOKnWmDZeAE
+4HyjPzz4oHfQpVJvXyzsLBc5P06tmBnjIBjHzwjqLeToww0uFdd7uvUfvjGBYUYY
+I++pgtgeBPuVAbP+68k9mYkFfWu+SfWqaP/RItXFa8u0SR2oZOtgFGSmy1zDbUqr
+HXur6+I4t5RTqvjU8tHk4LMXvpkaJQ==
+=R4m5
+-----END PGP SIGNATURE-----
diff --git a/curl.changes b/curl.changes
index 17dcddb..25fbcce 100644
--- a/curl.changes
+++ b/curl.changes 
@@ -1,9 +1,89 @@
+-------------------------------------------------------------------
+Wed Oct 26 07:51:51 UTC 2022 - Pedro Monreal
+
+- Update to 7.86.0:
+ * Security fixes:
+ - POST following PUT confusion [bsc#1204383, CVE-2022-32221]
+ - .netrc parser out-of-bounds access [bsc#1204384, CVE-2022-35260]
+ - HTTP proxy double-free [bsc#1204385, CVE-2022-42915]
+ - HSTS bypass via IDN [bsc#1204386, CVE-2022-42916]
+ * Changes:
+ - NPN: remove support for and use of
+ - Websockets: initial support
+ * Bugfixes:
+ - altsvc: reject bad port numbers
+ - autotools: reduce brute-force when detecting recv/send arg list
+ - aws_sigv4: fix header computation
+ - cli tool: do not use disabled protocols
+ - connect: change verbose IPv6 address:port to [address]:port
+ - connect: fix builds without AF_INET6
+ - connect: fix Curl_updateconninfo for TRNSPRT_UNIX
+ - connect: fix the wrong error message on connect failures
+ - content_encoding: use writer struct subclasses for different encodings
+ - cookie: reject cookie names or content with TAB characters
+ - curl/add_file_name_to_url: use the libcurl URL parser
+ - curl/get_url_file_name: use libcurl URL parser
+ - curl: warn for --ssl use, considered insecure
+ - docs/libcurl/symbols-in-versions: add several missing symbols
+ - ftp: ignore a 550 response to MDTM
+ - functypes: provide the recv and send arg and return types
+ - getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled
+ - header: define public API functions as extern c
+ - headers: reset the requests counter at transfer start
+ - hostip: guard PF_INET6 use
+ - hostip: lazily wait to figure out if IPv6 works until needed
+ - http, vauth: always provide Curl_allow_auth_to_host() functionality
+ - http2: make nghttp2 less picky about field whitespace
+ - http: try parsing Retry-After: as a number first
+ - http_proxy: restore the protocol pointer on error
+ - lib: add missing limits.h includes
+ - lib: prepare the incoming of additional protocols
+ - lib: sanitize conditional exclusion around MIME
+ - libssh: if sftp_init fails, don't get the sftp error code
+ - mprintf: reject two kinds of precision for the same argument
+ - mqtt: return error for too long topic
+ - netrc: compare user name case sensitively
+ - netrc: replace fgets with Curl_get_line
+ - netrc: use the URL-decoded user
+ - ngtcp2: fix build errors due to changes in ngtcp2 library
+ - noproxy: support proxies specified using cidr notation
+ - openssl: make certinfo available for QUIC
+ - resolve: make forced IPv4 resolve only use A queries
+ - schannel: ban server ALPN change during recv renegotiation
+ - schannel: don't reset recv/send function pointers on renegotiation
+ - schannel: when importing PFX, disable key persistence
+ - setopt: use the handler table for protocol name to number conversions
+ - setopt: when POST is set, reset the 'upload' field
+ - single_transfer: use the libcurl URL parser when appending query parts
+ - smb: replace CURL_WIN32 with WIN32
+ - tool: avoid generating ambiguous escaped characters in --libcurl
+ - tool_main: exit at once if out of file descriptors
+ - tool_operate: more transfer cleanup after parallel transfer fail
+ - tool_operate: prevent over-queuing in parallel mode
+ - tool_paramhelp: asserts verify maximum sizes for string loading
+ - tool_xattr: save the original URL, not the final redirected one
+ - url: a zero-length userinfo part in the URL is still a (blank) user
+ - url: allow non-HTTPS HSTS-matching for debug builds
+ - url: rename function due to name-clash in Watt-32
+ - url: use IDN decoded names for HSTS checks
+ - urlapi: detect scheme better when not guessing
+ - urlapi: fix parsing URL without slash with CURLU_URLENCODE
+ - urlapi: reject more bad characters from the host name field
+ * Remove patch upstream:
+ - connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
+
 -------------------------------------------------------------------
 Sat Oct 8 17:06:50 UTC 2022 - Vasily Ulyanov
 - Update connection info when using UNIX socket as endpoint
 connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
+-------------------------------------------------------------------
+Fri Sep 30 12:35:59 UTC 2022 - Pedro Monreal
+
+- Change the deprecated configure option --enable-hidden-symbols
+ to the new --enable-symbol-hiding.
+
 -------------------------------------------------------------------
 Wed Aug 31 07:34:20 UTC 2022 - Pedro Monreal
diff --git a/curl.spec b/curl.spec
index 5296524..c5135f5 100644
--- a/curl.spec
+++ b/curl.spec
@@ -21,7 +21,7 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name: curl
-Version: 7.85.0
+Version: 7.86.0
 Release: 0
 Summary: A Tool for Transferring Data from URLs
 License: curl
@@ -35,7 +35,6 @@ Patch1: dont-mess-with-rpmoptflags.patch
 Patch2: curl-secure-getenv.patch
 #PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled
 Patch3: curl-disabled-redirect-protocol-message.patch
-Patch4: connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
 BuildRequires: libtool
 BuildRequires: pkgconfig
 Requires: libcurl4 = %{version}
@@ -123,7 +122,7 @@ sed -i 's/\(link_all_deplibs=\)unknown/\1no/' configure
 --with-gssapi=$(krb5-config --prefix) \
 --with-libidn2 \
 --with-libssh \
- --enable-hidden-symbols \
+ --enable-symbol-hiding \
 --disable-static \
 --enable-threaded-resolver