Accepting request 623481 from home:pgajdos

- Update to version 7.62.0 [bsc#1099793, CVE-2018-0500] Changes: * getinfo: add microsecond precise timers for seven intervals * curl: show headers in bold, switch off with --no-styled-output * httpauth: add support for Bearer tokens * Add CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS * curl: --tls13-ciphers and --proxy-tls13-ciphers * Add CURLOPT_DISALLOW_USERNAME_IN_URL * curl: --disallow-username-in-url Bugfixes: * CVE-2018-0500: smtp: fix SMTP send buffer overflow * schannel: disable client cert option if APIs not available * schannel: disable manual verify if APIs not available * tests/libtest/Makefile: Do not unconditionally add gcc-specific flags * openssl: acknowledge --tls-max for default version too * stub_gssapi: fix 'unused parameter' warnings * examples/progressfunc: make it build on both new and old libcurls * docs: mention it is HA Proxy protocol "version 1" * curl_fnmatch: only allow two asterisks for matching * docs: clarify CURLOPT_HTTPGET * configure: replace a AC_TRY_RUN with CURL_RUN_IFELSE * configure: do compile-time SIZEOF checks instead of run-time * checksrc: make sure sizeof() is used *with* parentheses * CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit * schannel: make CAinfo parsing resilient to CR/LF * tftp: make sure error is zero terminated before printfing it * http resume: skip body if http code 416 (range error) is ignored * configure: add basic test of --with-ssl prefix * cmake: set -d postfix for debug builds OBS-URL: https://build.opensuse.org/request/show/623481 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=227
2018-07-17 14:51:01 +00:00 · 2018-07-17 14:51:01 +00:00 · cbfaaab1ef
commit cbfaaab1ef
parent 26a26de5f7
9 changed files with 262 additions and 41 deletions
--- a/curl-7.60.0.tar.gz
+++ b/curl-7.60.0.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e9c37986337743f37fd14fe8737f246e97aec94b39d1b71e8a5973f72a9fc4f5
-size 3949173
--- a/curl-7.60.0.tar.gz.asc
+++ b/curl-7.60.0.tar.gz.asc
@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlr7zUoACgkQXMkI/bce
-EsK4MAgArnvqXIdhdoXJ8iUGQgS1HOA7R2ug+KE35FdkhGeApkNgnmLkhzsPYqqF
-nnwh75ZDVfHxxKtFs8xo6bH3zwFoek/fL+uVdNOzChGccFFV1HNphZuUqh8Mrr1A
-tRW7FqjrfrD61dhd/arizHNbj/oo1B2ySJByFuqwW8zO9whLNX9PgtulZ9fk0D6O
-P4p560qKhRSm3lw+n1ANAwnkf316EGC57fqKxF+09i/ZLXObS1PqvFArQWnL2H3P
-ZfloOnVIAKnRAVO+FSOW/B7OzG3E7jKsmzOSzbKsVkXKAD4m+2FOqCcJYe0pgnJW
-R4n3So9hnEVnqclaCa7hP+CkmdqHew==
-=3Ago
-----END PGP SIGNATURE-----
--- a/curl-7.61.0.tar.gz
+++ b/curl-7.61.0.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:64141f0db4945268a21b490d58806b97c615d3d0c75bf8c335bbe0efd13b45b5
+size 3964862
--- a/curl-7.61.0.tar.gz.asc
+++ b/curl-7.61.0.tar.gz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAltFnUEACgkQXMkI/bce
+EsKFUQgAml2m2W8qyDgxFApYfsd+OJYO8yx1/ogKJJrUK8SRZYPfR0aCb9klNkQu
+FwwFos2B/nkxm898CBro5Lo3XiBmF3HL3schTJodb1lPP9It76yUD9J5EedrSosj
+A+HzV3cPM53/pG/RUF3NhNZnye4JHwSxC92UffpMZ/HVDOhWbrJKFZLbl+lkcM2A
+xMkzVDwdW6Zztze/2O3ZSvftwUoYM7u73/NQjRnhllWn/dXkc3obB2vVFfq7n0/o
+zLZMoOWCbBp0Isj/sPQpUh12Q2W8KEDKm81m1IDaF0eJeA2lI3owIXsskXnqV02u
+a4vLBlaRK9cSsnNPclZEix9G4I4RfA==
+=Ygjy
+-----END PGP SIGNATURE-----
--- a/curl-mini.changes
+++ b/curl-mini.changes
@ -1,3 +1,112 @@
+-------------------------------------------------------------------
+Tue Jul 17 13:56:05 UTC 2018 - pgajdos@suse.com
+
+- Update to version 7.62.0
+  [bsc#1099793, CVE-2018-0500]
+  Changes:
+   * getinfo: add microsecond precise timers for seven intervals
+   * curl: show headers in bold, switch off with --no-styled-output
+   * httpauth: add support for Bearer tokens 
+   * Add CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS
+   * curl: --tls13-ciphers and --proxy-tls13-ciphers
+   * Add CURLOPT_DISALLOW_USERNAME_IN_URL
+   * curl: --disallow-username-in-url 
+  Bugfixes:
+   * CVE-2018-0500: smtp: fix SMTP send buffer overflow 
+   * schannel: disable client cert option if APIs not available
+   * schannel: disable manual verify if APIs not available
+   * tests/libtest/Makefile: Do not unconditionally add gcc-specific flags
+   * openssl: acknowledge --tls-max for default version too 
+   * stub_gssapi: fix 'unused parameter' warnings
+   * examples/progressfunc: make it build on both new and old libcurls
+   * docs: mention it is HA Proxy protocol "version 1"
+   * curl_fnmatch: only allow two asterisks for matching  
+   * docs: clarify CURLOPT_HTTPGET 
+   * configure: replace a AC_TRY_RUN with CURL_RUN_IFELSE
+   * configure: do compile-time SIZEOF checks instead of run-time
+   * checksrc: make sure sizeof() is used *with* parentheses 
+   * CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit
+   * schannel: make CAinfo parsing resilient to CR/LF 
+   * tftp: make sure error is zero terminated before printfing it
+   * http resume: skip body if http code 416 (range error) is ignored
+   * configure: add basic test of --with-ssl prefix 
+   * cmake: set -d postfix for debug builds
+   * multi: provide a socket to wait for in Curl_protocol_getsock
+   * content_encoding: handle zlib versions too old for Z_BLOCK
+   * winbuild: only delete OUTFILE if it exists
+   * winbuild: In MakefileBuild.vc fix typo DISTDIR->DIRDIST
+   * schannel: add failf calls for client certificate failures
+   * cmake: Fix the test for fsetxattr and strerror_r
+   * curl.1: Fix cmdline-opts reference errors 
+   * cmdline-opts/gen.pl: warn if mutexes: or see-also: list non-existing options
+   * cmake: check for getpwuid_r 
+   * configure: fix ssh2 linking when built with a static mbedtls
+   * psl: use latest psl and refresh it periodically
+   * fnmatch: insist on escaped bracket to match 
+   * KNOWN_BUGS: restore text regarding #2101 
+   * INSTALL: LDFLAGS=-Wl,-R/usr/local/ssl/lib 
+   * configure: override AR_FLAGS to silence warning 
+   * os400: implement mime api EBCDIC wrappers
+   * curl.rc: embed manifest for correct Windows version detection
+   * strictness: correct {infof, failf} format specifiers
+   * tests: update .gitignore for libtests
+   * configure: check for declaration of getpwuid_r
+   * fnmatch: use the system one if available
+   * CURLOPT_RESOLVE: always purge old entry first
+   * multi: remove a potentially bad DEBUGF()
+   * curl_addrinfo: use same #ifdef conditions in source as header
+   * build: remove the Borland specific makefiles
+   * axTLS: not considered fit for use
+   * cmdline-opts/cert-type.d: mention "p12" as a recognized type
+   * system.h: add support for IBM xlc C compiler
+   * tests/libtest: Add lib1521 to nodist_SOURCES
+   * mk-ca-bundle.pl: leave certificate name untouched
+   * boringssl + schannel: undef X509_NAME in lib/schannel.h
+   * openssl: assume engine support in 1.0.1 or later
+   * cppcheck: fix warnings
+   * test 46: make test pass after year 2025
+   * schannel: support selecting ciphers
+   * Curl_debug: remove dead printhost code
+   * test 1455: unflakified
+   * Curl_init_do: handle NULL connection pointer passed in
+   * progress: remove a set of unused defines
+   * mk-ca-bundle.pl: make -u delete certdata.txt if found not changed
+   * GOVERNANCE.md: explains how this project is run
+   * configure: use pkg-config for c-ares detection
+   * configure: enhance ability to build with static openssl
+   * maketgz: fix sed issues on OSX
+   * multi: fix memory leak when stopped during name resolve
+   * CURLOPT_INTERFACE.3: interface names not supported on Windows
+   * url: fix dangling conn->data pointer
+   * cmake: allow multiple SSL backends
+   * system.h: fix for gcc on 32 bit OpenServer
+   * ConnectionExists: make sure conn->data is set when "taking" a connection
+   * multi: fix crash due to dangling entry in connect-pending list
+   * CURLOPT_SSL_VERIFYPEER.3: Add performance note
+   * netrc: use a larger buffer to support longer passwords
+   * url: check Curl_conncache_add_conn return code
+   * configure: Add dependent libraries after crypto
+   * easy_perform: faster local name resolves by using *multi_timeout()
+   * getnameinfo: not used, removed all configure checks
+   * travis: add a build using the synchronous name resolver
+   * CURLINFO_TLS_SSL_PTR.3: improve the example
+   * openssl: allow TLS 1.3 by default
+   * openssl: make the requested TLS version the *minimum* wanted
+   * openssl: Remove some dead code
+   * telnet: fix clang warnings
+   * DEPRECATE: new doc describing planned item removals
+   * example/crawler.c: simple crawler based on libxml2
+   * libssh: goto DISCONNECT state on error, not SESSION_FREE
+   * CMake: Remove unused functions
+   * darwinssl: allow High Sierra users to build the code using GCC
+   * scripts: include _curl as part of CLEANFILES
+   * examples: fix -Wformat warnings
+   * curl_setup: include <winerror.h> before <windows.h>
+   * schannel: make more cipher options conditional
+   * CMake: remove redundant and old end-of-block syntax
+   * post303.d: clarify that this is an RFC violation
+- refreshed libcurl-ocloexec.patch
+
 -------------------------------------------------------------------
 Fri May 18 11:47:00 UTC 2018 - vcizek@suse.com

--- a/curl-mini.spec
+++ b/curl-mini.spec
@ -29,7 +29,7 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name:           curl-mini
-Version:        7.60.0
+Version:        7.61.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl
@ -45,6 +45,7 @@ Patch2:         curl-secure-getenv.patch
 Patch3:         ignore_runtests_failure.patch
 # PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled
 Patch4:         curl-disabled-redirect-protocol-message.patch
+Patch5:         curl-use_OPENSSL_config.patch
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
 Requires:       libcurl4%{?mini} = %{version}
@ -117,13 +118,14 @@ user interaction or any kind of interactivity.

 %prep
 %setup -q -n curl-%{version}
-%patch0
+%patch0 -p1
 %patch1
 %patch2
 %ifarch ppc ppc64 ppc64le
 %patch3 -p1
 %endif
 %patch4 -p1
+%patch5 -p1

 %build
 # curl complains if macro definition is contained in CFLAGS
--- a/curl.changes
+++ b/curl.changes
@ -1,3 +1,112 @@
+-------------------------------------------------------------------
+Tue Jul 17 13:56:05 UTC 2018 - pgajdos@suse.com
+
+- Update to version 7.62.0
+  [bsc#1099793, CVE-2018-0500]
+  Changes:
+   * getinfo: add microsecond precise timers for seven intervals
+   * curl: show headers in bold, switch off with --no-styled-output
+   * httpauth: add support for Bearer tokens 
+   * Add CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS
+   * curl: --tls13-ciphers and --proxy-tls13-ciphers
+   * Add CURLOPT_DISALLOW_USERNAME_IN_URL
+   * curl: --disallow-username-in-url 
+  Bugfixes:
+   * CVE-2018-0500: smtp: fix SMTP send buffer overflow 
+   * schannel: disable client cert option if APIs not available
+   * schannel: disable manual verify if APIs not available
+   * tests/libtest/Makefile: Do not unconditionally add gcc-specific flags
+   * openssl: acknowledge --tls-max for default version too 
+   * stub_gssapi: fix 'unused parameter' warnings
+   * examples/progressfunc: make it build on both new and old libcurls
+   * docs: mention it is HA Proxy protocol "version 1"
+   * curl_fnmatch: only allow two asterisks for matching  
+   * docs: clarify CURLOPT_HTTPGET 
+   * configure: replace a AC_TRY_RUN with CURL_RUN_IFELSE
+   * configure: do compile-time SIZEOF checks instead of run-time
+   * checksrc: make sure sizeof() is used *with* parentheses 
+   * CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit
+   * schannel: make CAinfo parsing resilient to CR/LF 
+   * tftp: make sure error is zero terminated before printfing it
+   * http resume: skip body if http code 416 (range error) is ignored
+   * configure: add basic test of --with-ssl prefix 
+   * cmake: set -d postfix for debug builds
+   * multi: provide a socket to wait for in Curl_protocol_getsock
+   * content_encoding: handle zlib versions too old for Z_BLOCK
+   * winbuild: only delete OUTFILE if it exists
+   * winbuild: In MakefileBuild.vc fix typo DISTDIR->DIRDIST
+   * schannel: add failf calls for client certificate failures
+   * cmake: Fix the test for fsetxattr and strerror_r
+   * curl.1: Fix cmdline-opts reference errors 
+   * cmdline-opts/gen.pl: warn if mutexes: or see-also: list non-existing options
+   * cmake: check for getpwuid_r 
+   * configure: fix ssh2 linking when built with a static mbedtls
+   * psl: use latest psl and refresh it periodically
+   * fnmatch: insist on escaped bracket to match 
+   * KNOWN_BUGS: restore text regarding #2101 
+   * INSTALL: LDFLAGS=-Wl,-R/usr/local/ssl/lib 
+   * configure: override AR_FLAGS to silence warning 
+   * os400: implement mime api EBCDIC wrappers
+   * curl.rc: embed manifest for correct Windows version detection
+   * strictness: correct {infof, failf} format specifiers
+   * tests: update .gitignore for libtests
+   * configure: check for declaration of getpwuid_r
+   * fnmatch: use the system one if available
+   * CURLOPT_RESOLVE: always purge old entry first
+   * multi: remove a potentially bad DEBUGF()
+   * curl_addrinfo: use same #ifdef conditions in source as header
+   * build: remove the Borland specific makefiles
+   * axTLS: not considered fit for use
+   * cmdline-opts/cert-type.d: mention "p12" as a recognized type
+   * system.h: add support for IBM xlc C compiler
+   * tests/libtest: Add lib1521 to nodist_SOURCES
+   * mk-ca-bundle.pl: leave certificate name untouched
+   * boringssl + schannel: undef X509_NAME in lib/schannel.h
+   * openssl: assume engine support in 1.0.1 or later
+   * cppcheck: fix warnings
+   * test 46: make test pass after year 2025
+   * schannel: support selecting ciphers
+   * Curl_debug: remove dead printhost code
+   * test 1455: unflakified
+   * Curl_init_do: handle NULL connection pointer passed in
+   * progress: remove a set of unused defines
+   * mk-ca-bundle.pl: make -u delete certdata.txt if found not changed
+   * GOVERNANCE.md: explains how this project is run
+   * configure: use pkg-config for c-ares detection
+   * configure: enhance ability to build with static openssl
+   * maketgz: fix sed issues on OSX
+   * multi: fix memory leak when stopped during name resolve
+   * CURLOPT_INTERFACE.3: interface names not supported on Windows
+   * url: fix dangling conn->data pointer
+   * cmake: allow multiple SSL backends
+   * system.h: fix for gcc on 32 bit OpenServer
+   * ConnectionExists: make sure conn->data is set when "taking" a connection
+   * multi: fix crash due to dangling entry in connect-pending list
+   * CURLOPT_SSL_VERIFYPEER.3: Add performance note
+   * netrc: use a larger buffer to support longer passwords
+   * url: check Curl_conncache_add_conn return code
+   * configure: Add dependent libraries after crypto
+   * easy_perform: faster local name resolves by using *multi_timeout()
+   * getnameinfo: not used, removed all configure checks
+   * travis: add a build using the synchronous name resolver
+   * CURLINFO_TLS_SSL_PTR.3: improve the example
+   * openssl: allow TLS 1.3 by default
+   * openssl: make the requested TLS version the *minimum* wanted
+   * openssl: Remove some dead code
+   * telnet: fix clang warnings
+   * DEPRECATE: new doc describing planned item removals
+   * example/crawler.c: simple crawler based on libxml2
+   * libssh: goto DISCONNECT state on error, not SESSION_FREE
+   * CMake: Remove unused functions
+   * darwinssl: allow High Sierra users to build the code using GCC
+   * scripts: include _curl as part of CLEANFILES
+   * examples: fix -Wformat warnings
+   * curl_setup: include <winerror.h> before <windows.h>
+   * schannel: make more cipher options conditional
+   * CMake: remove redundant and old end-of-block syntax
+   * post303.d: clarify that this is an RFC violation
+- refreshed libcurl-ocloexec.patch
+
 -------------------------------------------------------------------
 Fri May 18 11:47:00 UTC 2018 - vcizek@suse.com

--- a/curl.spec
+++ b/curl.spec
@ -27,7 +27,7 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name:           curl
-Version:        7.60.0
+Version:        7.61.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl
@ -116,7 +116,7 @@ user interaction or any kind of interactivity.

 %prep
 %setup -q -n curl-%{version}
-%patch0
+%patch0 -p1
 %patch1
 %patch2
 %ifarch ppc ppc64 ppc64le
--- a/libcurl-ocloexec.patch
+++ b/libcurl-ocloexec.patch
@ -7,10 +7,10 @@ To make it portable you have to test O_CLOEXEC support at *runtime*
 compile time is not enough.


-Index: lib/file.c
+Index: curl-7.61.0/lib/file.c
 ===================================================================
--- lib/file.c.orig
-+++ lib/file.c
+--- curl-7.61.0.orig/lib/file.c	2018-07-09 08:42:12.000000000 +0200
+++ curl-7.61.0/lib/file.c	2018-07-17 15:47:25.259601877 +0200
@@ -190,7 +190,7 @@ static CURLcode file_connect(struct conn
     return CURLE_URL_MALFORMAT;
   }
@ -20,7 +20,7 @@ Index: lib/file.c
   file->path = real_path;
 #endif
   file->freepath = real_path; /* free this when done */
-@@ -285,7 +285,7 @@ static CURLcode file_upload(struct conne
+@@ -283,7 +283,7 @@ static CURLcode file_upload(struct conne
   else
     mode = MODE_DEFAULT|O_TRUNC;
 
@ -29,10 +29,10 @@ Index: lib/file.c
   if(fd < 0) {
     failf(data, "Can't open %s for writing", file->path);
     return CURLE_WRITE_ERROR;
-Index: lib/hostip6.c
+Index: curl-7.61.0/lib/hostip6.c
 ===================================================================
--- lib/hostip6.c.orig
-+++ lib/hostip6.c
+--- curl-7.61.0.orig/lib/hostip6.c	2018-07-09 08:42:12.000000000 +0200
+++ curl-7.61.0/lib/hostip6.c	2018-07-17 15:47:25.259601877 +0200
@@ -44,7 +44,7 @@
 #ifdef HAVE_PROCESS_H
 #include <process.h>
@ -42,7 +42,7 @@ Index: lib/hostip6.c
 #include "urldata.h"
 #include "sendf.h"
 #include "hostip.h"
-@@ -103,7 +103,7 @@ bool Curl_ipv6works(void)
+@@ -70,7 +70,7 @@ bool Curl_ipv6works(void)
   static int ipv6_works = -1;
   if(-1 == ipv6_works) {
     /* probe to see if we have a working IPv6 stack */
@ -51,10 +51,10 @@ Index: lib/hostip6.c
     if(s == CURL_SOCKET_BAD)
       /* an IPv6 address was requested but we can't get/use one */
       ipv6_works = 0;
-Index: lib/if2ip.c
+Index: curl-7.61.0/lib/if2ip.c
 ===================================================================
--- lib/if2ip.c.orig
-+++ lib/if2ip.c
+--- curl-7.61.0.orig/lib/if2ip.c	2018-05-07 10:20:04.000000000 +0200
+++ curl-7.61.0/lib/if2ip.c	2018-07-17 15:47:25.259601877 +0200
@@ -225,7 +225,7 @@ if2ip_result_t Curl_if2ip(int af, unsign
   if(len >= sizeof(req.ifr_name))
     return IF2IP_NOT_FOUND;
@ -64,11 +64,11 @@ Index: lib/if2ip.c
   if(CURL_SOCKET_BAD == dummy)
     return IF2IP_NOT_FOUND;
 
-Index: lib/connect.c
+Index: curl-7.61.0/lib/connect.c
 ===================================================================
--- lib/connect.c.orig
-+++ lib/connect.c
-@@ -1389,7 +1389,7 @@ CURLcode Curl_socket(struct connectdata
+--- curl-7.61.0.orig/lib/connect.c	2018-07-09 08:42:12.000000000 +0200
+++ curl-7.61.0/lib/connect.c	2018-07-17 15:47:25.259601877 +0200
+@@ -1387,7 +1387,7 @@ CURLcode Curl_socket(struct connectdata
   }
   else
     /* opensocket callback not set, so simply create the socket now */
@ -77,15 +77,16 @@ Index: lib/connect.c
 
   if(*sockfd == CURL_SOCKET_BAD)
     /* no socket, no connection */
-Index: configure.ac
+Index: curl-7.61.0/configure.ac
 ===================================================================
--- configure.ac.orig
-+++ configure.ac
-@@ -188,6 +188,7 @@ AC_CANONICAL_HOST
- dnl Get system canonical name
- AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-machine-OS])
+--- curl-7.61.0.orig/configure.ac	2018-07-17 15:47:25.263601899 +0200
+++ curl-7.61.0/configure.ac	2018-07-17 15:49:06.252122189 +0200
+@@ -191,6 +191,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m
+ # Silence warning: ar: 'u' modifier ignored since 'D' is the default
+ AC_SUBST(AR_FLAGS, [cr])
 
 +AC_USE_SYSTEM_EXTENSIONS
- dnl Checks for programs.
- 
+
 dnl This defines _ALL_SOURCE for AIX
+ CURL_CHECK_AIX_ALL_SOURCE
+