Accepting request 438231 from devel:libraries:c_c++

- Update to 7.51.0 Changes: * nss: additional cipher suites are now accepted by CURLOPT_SSL_CIPHER_LIST * New option: CURLOPT_KEEP_SENDING_ON_ERROR Bugfixes: * CVE-2016-8615: cookie injection for other servers * CVE-2016-8616: case insensitive password comparison * CVE-2016-8617: OOB write via unchecked multiplication * CVE-2016-8618: double-free in curl_maprintf * CVE-2016-8619: double-free in krb5 code * CVE-2016-8620: glob parser write/read out of bounds * CVE-2016-8621: curl_getdate read out of bounds * CVE-2016-8622: URL unescape heap overflow via integer truncation * CVE-2016-8623: Use-after-free via shared cookies * CVE-2016-8624: invalid URL parsing with '#' * CVE-2016-8625: IDNA 2003 makes curl use wrong host * openssl: fix per-thread memory leak using 1.0.1 or 1.0.2 * http: accept "Transfer-Encoding: chunked" for HTTP/2 as well * LICENSE-MIXING.md: update with mbedTLS dual licensing * examples/imap-append: Set size of data to be uploaded * test2048: fix url * darwinssl: disable RC4 cipher-suite support * CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting * openssl: don’t call CRYTPO_cleanup_all_ex_data * libressl: fix version output * easy: Reset all statistical session info in curl_easy_reset * curl_global_cleanup.3: don't unload the lib with sub threads running * dist: add CurlSymbolHiding.cmake to the tarball * docs: Remove that --proto is just used for initial retrieval OBS-URL: https://build.opensuse.org/request/show/438231 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/curl?expand=0&rev=119
2016-11-03 11:56:25 +00:00 · 2016-11-03 11:56:25 +00:00 · d2d9f6e931
commit d2d9f6e931
parent 3fbf179fb6 c7dbf5559a
7 changed files with 102 additions and 31 deletions
--- a/curl-7.50.3.tar.lzma
+++ b/curl-7.50.3.tar.lzma
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8c5457e2ecfc38d7e1103bf5e0f87895222340200de9ceefd300c3420698f5ea
-size 6003154
--- a/curl-7.50.3.tar.lzma.asc
+++ b/curl-7.50.3.tar.lzma.asc
@ -1,10 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQEcBAABCgAGBQJX2OcWAAoJEFzJCP23HhLCOUkH/A+cGespPSg0Z8DH8P+VGBf2
-r4kKlx+BktOFmD9v35EGTUpLAmJ7rH573kOXXTuu4uBLN5P05Vy2Y6Pb3RJkutJA
-uXPg0tvIyopGWKSEPEsffk83YkunKr0DaCfILM2XyMZpAEvS6hUf+RZmSTOqNn8Y
-Yn6zO1FnhG/407w1T63eFovbfbjo4Qwh+CYkfLhzj9niGEEinocUqkni4F1AH1vj
-W1iCLCEa13bcBU1lw1AuPPYz8S5hAeOmZB2PQUj/Qa9rQq5iAfwfCuVAU8u/mVo1
-0LFzwh7/iV0a73GXL1KaCJ1MkiDgZwoSdtjLm+k0hcpOJR0NwU4TjLC7EyXEBrI=
-=s7H5
-----END PGP SIGNATURE-----
--- a/curl-7.51.0.tar.lzma
+++ b/curl-7.51.0.tar.lzma
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9eef5f6bbb972ffc631f4c76cfe93161bf5186926133c77267b24f5191700518
+size 2061223
--- a/curl-7.51.0.tar.lzma.asc
+++ b/curl-7.51.0.tar.lzma.asc
@ -0,0 +1,10 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEcBAABCgAGBQJYGY4MAAoJEFzJCP23HhLCNkQH/0AjH+fRd4vuv9/AoO2CjZGf
+JEXOPF2ZfKeBKc14dPfxhNj/klX3JvmLG9Z1jZLySWYl1/be0CM0LSoxh11rtioO
+FiScVNNdUOUnJ6b8m0qVoX1wx9lCn3pjVKGzkfCx4pZ3eZDhtSRBbKNe+92fSOTk
+nnMEDDj9q9C++yO8EMifDBfyX2u+JCpvnUu3EFa/znRjZB88Uyrc9Li+fl4aBfo1
+IyH8EGmM0QkYBuGZhQBGg6mYg8LkG0JROHpk+j3lh9hZNA2An7tIEhbqoktaLW2i
+Ude6R2g2/AdqfZrifY3fBXHc4d0XO4T7GIGREmo4TKDHTLDthKSNTTHt2a9dpiI=
+=v+YR
+-----END PGP SIGNATURE-----
--- a/curl.changes
+++ b/curl.changes
@ -1,3 +1,74 @@
+-------------------------------------------------------------------
+Wed Nov  2 07:15:44 UTC 2016 - idonmez@suse.com
+
+- Update to 7.51.0
+  Changes:
+  * nss: additional cipher suites are now accepted by
+    CURLOPT_SSL_CIPHER_LIST
+  * New option: CURLOPT_KEEP_SENDING_ON_ERROR 
+  Bugfixes:
+  * CVE-2016-8615: cookie injection for other servers
+  * CVE-2016-8616: case insensitive password comparison
+  * CVE-2016-8617: OOB write via unchecked multiplication
+  * CVE-2016-8618: double-free in curl_maprintf
+  * CVE-2016-8619: double-free in krb5 code
+  * CVE-2016-8620: glob parser write/read out of bounds
+  * CVE-2016-8621: curl_getdate read out of bounds
+  * CVE-2016-8622: URL unescape heap overflow via integer truncation
+  * CVE-2016-8623: Use-after-free via shared cookies
+  * CVE-2016-8624: invalid URL parsing with '#'
+  * CVE-2016-8625: IDNA 2003 makes curl use wrong host
+  * openssl: fix per-thread memory leak using 1.0.1 or 1.0.2
+  * http: accept "Transfer-Encoding: chunked" for HTTP/2 as well
+  * LICENSE-MIXING.md: update with mbedTLS dual licensing
+  * examples/imap-append: Set size of data to be uploaded
+  * test2048: fix url
+  * darwinssl: disable RC4 cipher-suite support
+  * CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting
+  * openssl: don’t call CRYTPO_cleanup_all_ex_data
+  * libressl: fix version output
+  * easy: Reset all statistical session info in curl_easy_reset
+  * curl_global_cleanup.3: don't unload the lib with sub threads running
+  * dist: add CurlSymbolHiding.cmake to the tarball
+  * docs: Remove that --proto is just used for initial retrieval
+  * configure: Fixed builds with libssh2 in a custom location
+  * curl.1: --trace supports % for sending to stderr!
+  * cookies: same domain handling changed to match browser behavior
+  * formpost: trying to attach a directory no longer crashes
+  * CURLOPT_DEBUGFUNCTION.3: fixed unused argument warning
+  * formpost: avoid silent snprintf() truncation
+  * ftp: fix Curl_ftpsendf
+  * mprintf: return error on too many arguments
+  * smb: properly check incoming packet boundaries
+  * GIT-INFO: remove the Mac 10.1-specific details
+  * resolve: add error message when resolving using SIGALRM
+  * cmake: add nghttp2 support
+  * dist: remove PDF and HTML converted docs from the releases
+  * configure: disable poll() in macOS builds
+  * vtls: only re-use session-ids using the same scheme
+  * pipelining: skip to-be-closed connections when pipelining
+  * win: fix Universal Windows Platform build
+  * curl: do not set CURLOPT_SSLENGINE to DEFAULT automatically
+  * maketgz: make it support "only" generating version info
+  * Curl_socket_check: add extra check to avoid integer overflow
+  * gopher: properly return error for poll failures
+  * curl: set INTERLEAVEDATA too
+  * polarssl: clear thread array at init
+  * polarssl: fix unaligned SSL session-id lock
+  * polarssl: reduce #ifdef madness with a macro
+  * curl_multi_add_handle: set timeouts in closure handles
+  * configure: set min version flags for builds on mac
+  * INSTALL: converted to markdown => INSTALL.md
+  * curl_multi_remove_handle: fix a double-free
+  * multi: fix inifinte loop in curl_multi_cleanup()
+  * nss: fix tight loop in non-blocking TLS handhsake over proxy
+  * mk-ca-bundle: Change URL retrieval to HTTPS-only by default
+  * mbedtls: stop using deprecated include file
+  * docs: fix req->data in multi-uv example
+  * configure: Fix test syntax for monotonic clock_gettime
+  * CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2
+- Refresh libcurl-ocloexec.patch
+
 -------------------------------------------------------------------
 Wed Sep 14 07:13:02 UTC 2016 - idonmez@suse.com

--- a/curl.spec
+++ b/curl.spec
@ -20,7 +20,7 @@
 %bcond_with mozilla_nss
 %bcond_without testsuite
 Name:           curl
-Version:        7.50.3
+Version:        7.51.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        BSD-3-Clause and MIT
--- a/libcurl-ocloexec.patch
+++ b/libcurl-ocloexec.patch
@ -9,9 +9,9 @@ compile time is not enough.

 Index: lib/file.c
 ===================================================================
--- lib/file.c.orig	2016-07-21 00:31:36.000000000 +0200
-+++ lib/file.c	2016-07-21 11:39:54.121170539 +0200
-@@ -241,7 +241,7 @@ static CURLcode file_connect(struct conn
+--- lib/file.c.orig
+++ lib/file.c
+@@ -242,7 +242,7 @@ static CURLcode file_connect(struct conn
     return CURLE_URL_MALFORMAT;
   }
 
@ -20,7 +20,7 @@ Index: lib/file.c
   file->path = real_path;
 #endif
   file->freepath = real_path; /* free this when done */
-@@ -337,7 +337,7 @@ static CURLcode file_upload(struct conne
+@@ -338,7 +338,7 @@ static CURLcode file_upload(struct conne
   else
     mode = MODE_DEFAULT|O_TRUNC;
 
@ -31,18 +31,18 @@ Index: lib/file.c
     return CURLE_WRITE_ERROR;
 Index: lib/formdata.c
 ===================================================================
--- lib/formdata.c.orig	2016-07-21 00:31:36.000000000 +0200
-+++ lib/formdata.c	2016-07-21 11:39:54.121170539 +0200
-@@ -1290,7 +1290,7 @@ CURLcode Curl_getformdata(struct Curl_ea
+--- lib/formdata.c.orig
+++ lib/formdata.c
+@@ -1306,7 +1306,7 @@ CURLcode Curl_getformdata(struct Curl_ea
         FILE *fileread;
 
-         fileread = strequal("-", file->contents)?
+         fileread = !strcmp("-", file->contents)?
 -          stdin:fopen(file->contents, "rb"); /* binary read for win32  */
 +          stdin:fopen(file->contents, "rbe"); /* binary read for win32  */
 
         /*
          * VMS: This only allows for stream files on VMS.  Stream files are
-@@ -1450,7 +1450,7 @@ static size_t readfromfile(struct Form *
+@@ -1466,7 +1466,7 @@ static size_t readfromfile(struct Form *
   else {
     if(!form->fp) {
       /* this file hasn't yet been opened */
@ -53,8 +53,8 @@ Index: lib/formdata.c
     }
 Index: lib/hostip6.c
 ===================================================================
--- lib/hostip6.c.orig	2016-07-21 00:31:36.000000000 +0200
-+++ lib/hostip6.c	2016-07-21 11:39:54.121170539 +0200
+--- lib/hostip6.c.orig
+++ lib/hostip6.c
@@ -39,7 +39,7 @@
 #ifdef HAVE_PROCESS_H
 #include <process.h>
@ -75,8 +75,8 @@ Index: lib/hostip6.c
       ipv6_works = 0;
 Index: lib/if2ip.c
 ===================================================================
--- lib/if2ip.c.orig	2016-06-27 16:11:14.000000000 +0200
-+++ lib/if2ip.c	2016-07-21 11:39:54.121170539 +0200
+--- lib/if2ip.c.orig
+++ lib/if2ip.c
@@ -223,7 +223,7 @@ if2ip_result_t Curl_if2ip(int af, unsign
   if(len >= sizeof(req.ifr_name))
     return IF2IP_NOT_FOUND;
@ -88,8 +88,8 @@ Index: lib/if2ip.c
 
 Index: lib/connect.c
 ===================================================================
--- lib/connect.c.orig	2016-07-21 00:31:36.000000000 +0200
-+++ lib/connect.c	2016-07-21 11:39:54.121170539 +0200
+--- lib/connect.c.orig
+++ lib/connect.c
@@ -1351,7 +1351,7 @@ CURLcode Curl_socket(struct connectdata
                                     (struct curl_sockaddr *)addr);
   else
@ -101,8 +101,8 @@ Index: lib/connect.c
     /* no socket, no connection */
 Index: configure.ac
 ===================================================================
--- configure.ac.orig	2016-07-21 00:31:36.000000000 +0200
-+++ configure.ac	2016-07-21 11:39:54.125170603 +0200
+--- configure.ac.orig
+++ configure.ac
@@ -185,6 +185,7 @@ AC_CANONICAL_HOST
 dnl Get system canonical name
 AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-machine-OS])