From d943312f64f93e0a6c7762e0846c070752eeef47f1b0cedf2e45dc696f0b63fa Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?=
Date: Wed, 11 Sep 2019 10:51:15 +0000
Subject: [PATCH] Accepting request 730075 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

- Update to 7.66.0 [bsc#1149496, CVE-2019-5482][bsc#1149495, CVE-2019-5481]
  * Changes:
    - CURLINFO_RETRY_AFTER: parse the Retry-After header value
    - HTTP3: initial (experimental still not working) support
    - curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
    - curl: support parallel transfers with -Z
    - curl_multi_poll: a sister to curl_multi_wait() that waits more
    - sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
  * Bugfixes:
    - CVE-2019-5481: FTP-KRB double-free
    - CVE-2019-5482: TFTP small blocksize heap buffer overflow
    - CMake: remove needless newlines at end of gss variables
    - CMake: use platform dependent name for dlopen() library
    - CURLINFO docs: mention that in redirects times are added
    - CURLOPT_ALTSVC.3: use a "" file name to not load from a file
    - CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
    - CURLOPT_HEADERFUNCTION.3: clarify
    - CURLOPT_HTTP_VERSION: setting this to 3 forces HTTP/3 use directly
    - CURLOPT_READFUNCTION.3: provide inline example
    - CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
    - Curl_addr2string: take an addrlen argument too
    - Curl_fillreadbuffer: avoid double-free trailer buf on error
    - HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
    - alt-svc: add protocol version selection masking
    - alt-svc: fix removal of expired cache entry
    - alt-svc: make it use h3-22 with ngtcp2 as well
    - alt-svc: more liberal ALPN name parsing
    - alt-svc: send Alt-Used: in redirected requests
    - alt-svc: with quiche, use the quiche h3 alpn string
    - asyn-thread: create a socketpair to wait on

OBS-URL: https://build.opensuse.org/request/show/730075
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=260
---
 curl-7.65.3.tar.xz | 3 --
 curl-7.65.3.tar.xz.asc | 11 ------
 curl-7.66.0.tar.xz | 3 ++
curl-7.66.0.tar.xz.asc | 11 ++++++ curl-mini.changes | 86 ++++++++++++++++++++++++++++++++++++++++++ curl-mini.spec | 2 +- curl.changes | 86 ++++++++++++++++++++++++++++++++++++++++++ curl.spec | 2 +- 8 files changed, 188 insertions(+), 16 deletions(-) delete mode 100644 curl-7.65.3.tar.xz delete mode 100644 curl-7.65.3.tar.xz.asc create mode 100644 curl-7.66.0.tar.xz create mode 100644 curl-7.66.0.tar.xz.asc diff --git a/curl-7.65.3.tar.xz b/curl-7.65.3.tar.xz deleted file mode 100644 index 46d9387..0000000 --- a/curl-7.65.3.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:f2d98854813948d157f6a91236ae34ca4a1b4cb302617cebad263d79b0235fea -size 2392472 diff --git a/curl-7.65.3.tar.xz.asc b/curl-7.65.3.tar.xz.asc deleted file mode 100644 index 1280928..0000000 --- a/curl-7.65.3.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl0xj7oACgkQXMkI/bce -EsKYbgf9G41o5x73tc+2TOGt2QmJ7ukyHmd5Vq7XTSNdNU5dJ41Z3qh9Jm72x62i -b4kJMjWyoL2j031ml5JevycpMpNa1v784UlPW2tzzL2B7v6vcA4xknJRLWlPlcTJ -HOgub6r7g/zhOpdAeJh8o4jkBLUyN+S/HOyHLWcvdWDnhqUAmpZfIqtd8kjqzDul -XAkdj7MxWqKZ3wXWwlpp4j81jpfOj7KCC/ZpxlJ0KfefgYEzV23O2hcJzw57jqTy -SQZc39uTQOjbZPlBXJD55QeVISCwe53pn55aWQll90XfE3XRapuYZdiL8wLwtl/L -tjugTKjfoy9qqOGH5YB/4kHqoSJqow== -=Itbi ------END PGP SIGNATURE----- diff --git a/curl-7.66.0.tar.xz b/curl-7.66.0.tar.xz new file mode 100644 index 0000000..8088bac --- /dev/null +++ b/curl-7.66.0.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:dbb48088193016d079b97c5c3efde8efa56ada2ebf336e8a97d04eb8e2ed98c1 +size 2414840 diff --git a/curl-7.66.0.tar.xz.asc b/curl-7.66.0.tar.xz.asc new file mode 100644 index 0000000..d2cfc0c --- /dev/null +++ b/curl-7.66.0.tar.xz.asc 
@@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl14i4AACgkQXMkI/bce +EsJwgwf/WauX31s687pdOgpPE4ymPuxIrdVl+NovWdOBdQQfIA0c/4lu4onJYPAT +K6wq86me5y8fj/Q3ymqQ3H1EcJE2vTHPx/w+zEHNsEILtBMFHdm84CJzhdLlI1GC +9iBkjVKk/2s0tBOdC3HuskYLY2y02dHACvTvDJjx42nK4IbsdjoamVdMa7vep1TG +abmLRNHkOHKjioYWi0N04c5H5YDpdWOOjFY+EPO+m+YQuJlYkgw90nlmOaqiLcHL +3zGCMNXb209wxuNEVKenlhPQ/3FQZ9+8a4b6mMqBX7PDwhDiZLhqIJgVseWdw1r0 +Qm2suW4eUtlC2DTqTMtusG7EMN8pag== +=pFLb +-----END PGP SIGNATURE----- diff --git a/curl-mini.changes b/curl-mini.changes index 6b9b623..8c9ee84 100644 --- a/curl-mini.changes +++ b/curl-mini.changes 
@@ -1,3 +1,89 @@ +------------------------------------------------------------------- +Wed Sep 11 08:17:06 UTC 2019 - Pedro Monreal Gonzalez + +- Update to 7.66.0 [bsc#1149496, CVE-2019-5482][bsc#1149495, CVE-2019-5481] + * Changes: + - CURLINFO_RETRY_AFTER: parse the Retry-After header value + - HTTP3: initial (experimental still not working) support + - curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool + - curl: support parallel transfers with -Z + - curl_multi_poll: a sister to curl_multi_wait() that waits more + - sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID + * Bugfixes: + - CVE-2019-5481: FTP-KRB double-free + - CVE-2019-5482: TFTP small blocksize heap buffer overflow + - CMake: remove needless newlines at end of gss variables + - CMake: use platform dependent name for dlopen() library + - CURLINFO docs: mention that in redirects times are added + - CURLOPT_ALTSVC.3: use a "" file name to not load from a file + - CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED + - CURLOPT_HEADERFUNCTION.3: clarify + - CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly + - CURLOPT_READFUNCTION.3: provide inline example + - CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2 + - Curl_addr2string: take an addrlen argument too + - Curl_fillreadbuffer: avoid double-free trailer buf on error + - HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown + - alt-svc: add protocol version selection masking + - alt-svc: fix removal of expired cache entry + - alt-svc: make it use h3-22 with ngtcp2 as well + - alt-svc: more liberal ALPN name parsing + - alt-svc: send Alt-Used: in redirected requests + - alt-svc: with quiche, use the quiche h3 alpn string + - asyn-thread: create a socketpair to wait on + - cleanup: move functions out of url.c and make them static + - cleanup: remove the 'numsocks' argument used in many places + - configure: avoid undefined check_for_ca_bundle + - curl.h: add CURL_HTTP_VERSION_3 to the 
version enum + - curl: cap the maximum allowed values for retry time arguments + - curl: handle a libcurl build without netrc support + - curl: make use of CURLINFO_RETRY_AFTER when retrying + - curl: use CURLINFO_PROTOCOL to check for HTTP(s) + - curl_global_init_mem.3: mention it was added in 7.12.0 + - curl_version: bump string buffer size to 250 + - curl_version_info.3: mentioned ALTSVC and HTTP3 + - curl_version_info: offer quic (and h3) library info + - curl_version_info: provide nghttp2 details + - defines: avoid underscore-prefixed defines + - docs/ALTSVC: remove what works and the experimental explanation + - docs/EXPERIMENTAL: explain what it means and what's experimental now + - docs/MANUAL.md: converted to markdown from plain text + - docs/examples/curlx: fix errors + - docs: s/curl_debug/curl_dbg_debug in comments and docs + - easy: resize receive buffer on easy handle reset + - examples: Avoid reserved names in hiperfifo examples + - examples: add http3.c, altsvc.c and http3-present.c + - http09: disable HTTP/0.9 by default in both tool and library + - http2: when marked for closure and wanted to close == OK + - http2_recv: trigger another read when the last data is returned + - http: fix use of credentials from URL when using HTTP proxy + - http_negotiate: improve handling of gss_init_sec_context() failures + - md4: Use our own MD4 when no crypto libraries are available + - multi: call detach_connection before Curl_disconnect + - nss: use TLSv1.3 as default if supported + - openssl: build warning free with boringssl + - openssl: use SSL_CTX_set__proto_version() when available + - plan9: add support for running on Plan 9 + - progress: reset download/uploaded counter between transfers + - readwrite_data: repair setting the TIMER_STARTTRANSFER stamp + - scp: fix directory name length used in memcpy + - smb: init *msg to NULL in smb_send_and_recv() + - smtp: check for and bail out on too short EHLO response + - source: remove names from source comments + 
- spnego_sspi: add typecast to fix build warning + - src/makefile: fix uncompressed hugehelp.c generation + - ssh-libssh: do not specify O_APPEND when not in append mode + - ssh: move code into vssh for SSH backends + - sspi: fix memory leaks + - tests: Replace outdated test case numbering documentation + - tftp: return error when packet is too small for options + - timediff: make it 64 bit (if possible) even with 32 bit time_t + - travis: reduce number of torture tests in 'coverage' + - url: make use of new HTTP version if alt-svc has one + - urlapi: verify the IPv6 numerical address + - urldata: avoid 'generic', use dedicated pointers + - vauth: Use CURLE_AUTH_ERROR for auth function errors + ------------------------------------------------------------------- Fri Jul 19 13:51:15 UTC 2019 - Pedro Monreal Gonzalez diff --git a/curl-mini.spec b/curl-mini.spec index 0fa7429..63e7c18 100644 --- a/curl-mini.spec +++ b/curl-mini.spec @@ -29,7 +29,7 @@ # need ssl always for python-pycurl %bcond_without openssl Name: curl-mini -Version: 7.65.3 +Version: 7.66.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl diff --git a/curl.changes b/curl.changes index 6b9b623..8c9ee84 100644 --- a/curl.changes +++ b/curl.changes 
@@ -1,3 +1,89 @@ +------------------------------------------------------------------- +Wed Sep 11 08:17:06 UTC 2019 - Pedro Monreal Gonzalez + +- Update to 7.66.0 [bsc#1149496, CVE-2019-5482][bsc#1149495, CVE-2019-5481] + * Changes: + - CURLINFO_RETRY_AFTER: parse the Retry-After header value + - HTTP3: initial (experimental still not working) support + - curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool + - curl: support parallel transfers with -Z + - curl_multi_poll: a sister to curl_multi_wait() that waits more + - sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID + * Bugfixes: + - CVE-2019-5481: FTP-KRB double-free + - CVE-2019-5482: TFTP small blocksize heap buffer overflow + - CMake: remove needless newlines at end of gss variables + - CMake: use platform dependent name for dlopen() library + - CURLINFO docs: mention that in redirects times are added + - CURLOPT_ALTSVC.3: use a "" file name to not load from a file + - CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED + - CURLOPT_HEADERFUNCTION.3: clarify + - CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly + - CURLOPT_READFUNCTION.3: provide inline example + - CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2 + - Curl_addr2string: take an addrlen argument too + - Curl_fillreadbuffer: avoid double-free trailer buf on error + - HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown + - alt-svc: add protocol version selection masking + - alt-svc: fix removal of expired cache entry + - alt-svc: make it use h3-22 with ngtcp2 as well + - alt-svc: more liberal ALPN name parsing + - alt-svc: send Alt-Used: in redirected requests + - alt-svc: with quiche, use the quiche h3 alpn string + - asyn-thread: create a socketpair to wait on + - cleanup: move functions out of url.c and make them static + - cleanup: remove the 'numsocks' argument used in many places + - configure: avoid undefined check_for_ca_bundle + - curl.h: add CURL_HTTP_VERSION_3 to the 
version enum + - curl: cap the maximum allowed values for retry time arguments + - curl: handle a libcurl build without netrc support + - curl: make use of CURLINFO_RETRY_AFTER when retrying + - curl: use CURLINFO_PROTOCOL to check for HTTP(s) + - curl_global_init_mem.3: mention it was added in 7.12.0 + - curl_version: bump string buffer size to 250 + - curl_version_info.3: mentioned ALTSVC and HTTP3 + - curl_version_info: offer quic (and h3) library info + - curl_version_info: provide nghttp2 details + - defines: avoid underscore-prefixed defines + - docs/ALTSVC: remove what works and the experimental explanation + - docs/EXPERIMENTAL: explain what it means and what's experimental now + - docs/MANUAL.md: converted to markdown from plain text + - docs/examples/curlx: fix errors + - docs: s/curl_debug/curl_dbg_debug in comments and docs + - easy: resize receive buffer on easy handle reset + - examples: Avoid reserved names in hiperfifo examples + - examples: add http3.c, altsvc.c and http3-present.c + - http09: disable HTTP/0.9 by default in both tool and library + - http2: when marked for closure and wanted to close == OK + - http2_recv: trigger another read when the last data is returned + - http: fix use of credentials from URL when using HTTP proxy + - http_negotiate: improve handling of gss_init_sec_context() failures + - md4: Use our own MD4 when no crypto libraries are available + - multi: call detach_connection before Curl_disconnect + - nss: use TLSv1.3 as default if supported + - openssl: build warning free with boringssl + - openssl: use SSL_CTX_set__proto_version() when available + - plan9: add support for running on Plan 9 + - progress: reset download/uploaded counter between transfers + - readwrite_data: repair setting the TIMER_STARTTRANSFER stamp + - scp: fix directory name length used in memcpy + - smb: init *msg to NULL in smb_send_and_recv() + - smtp: check for and bail out on too short EHLO response + - source: remove names from source comments + 
- spnego_sspi: add typecast to fix build warning + - src/makefile: fix uncompressed hugehelp.c generation + - ssh-libssh: do not specify O_APPEND when not in append mode + - ssh: move code into vssh for SSH backends + - sspi: fix memory leaks + - tests: Replace outdated test case numbering documentation + - tftp: return error when packet is too small for options + - timediff: make it 64 bit (if possible) even with 32 bit time_t + - travis: reduce number of torture tests in 'coverage' + - url: make use of new HTTP version if alt-svc has one + - urlapi: verify the IPv6 numerical address + - urldata: avoid 'generic', use dedicated pointers + - vauth: Use CURLE_AUTH_ERROR for auth function errors + ------------------------------------------------------------------- Fri Jul 19 13:51:15 UTC 2019 - Pedro Monreal Gonzalez diff --git a/curl.spec b/curl.spec index b33220b..2cc5bd6 100644 --- a/curl.spec +++ b/curl.spec @@ -27,7 +27,7 @@ # need ssl always for python-pycurl %bcond_without openssl Name: curl -Version: 7.65.3 +Version: 7.66.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl
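
Review bot: in the curl-7.66.0.tar.xz and curl-7.66.0.tar.xz.asc hunks, the tarball is only a Git LFS pointer (an oid sha256 plus size 2414840) and the detached signature is replaced in the same commit, while none of the 8 changed files is a keyring, so nothing in this diff shows the new signature being checked against anything. Before accepting, confirm that the LFS object hashes to the recorded oid and that the new .asc verifies that object against the keyring already carried by the package. The added signature block begins with the same header bytes as the removed one, which is consistent with the same signing key, but that is an observation and not a verification.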
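
Review bot: the Bugfixes list added to curl.changes and curl-mini.changes files three changes of default behaviour among ordinary fixes: "http09: disable HTTP/0.9 by default in both tool and library", "CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2" and "nss: use TLSv1.3 as default if supported". Anyone relying on the old defaults will experience these as regressions after a security update, so I would call them out in a short separate item near the top of the entry, next to the two CVE lines. Two smaller points in the same list, in both files: "openssl: use SSL_CTX_set__proto_version() when available" reads with a double underscore where part of the function name is missing (OpenSSL's functions are SSL_CTX_set_min_proto_version and SSL_CTX_set_max_proto_version), and "CURLOPT_HTTP_VERSION: seting this to 3" misspells "setting".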