Accepting request 672083 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

- update to version 7.64.0
  [bcs#1123371, CVE-2018-16890][bcs#1123377, CVE-2019-3822]
  [bcs#1123378, CVE-2019-3823]
  * Changes:
    - cookies: leave secure cookies alone
    - hostip: support wildcard hosts
    - http: Implement trailing headers for chunked transfers
    - http: added options for allowing HTTP/0.9 responses
    - timeval: Use high resolution timestamps on Windows 
  * Bugfixes:
    - CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
    - CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
    - CVE-2019-3823: SMTP end-of-response out-of-bounds read
    - FAQ: remove mention of sourceforge for github
    - OS400: handle memory error in list conversion
    - OS400: upgrade ILE/RPG binding.
    - README: add codacy code quality badge
    - Revert http_negotiate: do not close connection
    - THANKS: added several missing names from year <= 2000
    - build: make 'tidy' target work for metalink builds
    - cmake: added checks for variadic macros
    - cmake: updated check for HAVE_POLL_FINE to match autotools
    - cmake: use lowercase for function name like the rest of the code
    - configure: detect xlclang separately from clang
    - configure: fix recv/send/select detection on Android
    - configure: rewrite --enable-code-coverage
    - conncache_unlock: avoid indirection by changing input argument type
    - cookie: fix comment typo
    - cookies: allow secure override when done over HTTPS
    - cookies: extend domain checks to non psl builds

OBS-URL: https://build.opensuse.org/request/show/672083
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=244

curl-7.63.0.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d483b89062832e211c887d7cf1b65c902d591b48c11fe7d174af781681580b41
-size 4024015

curl-7.63.0.tar.gz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlwQtYEACgkQXMkI/bce
-EsJ4wgf/b5RDCOKc1yMOF3CRcbY1kh9odMEbORsOYh3QPgVsPEggakaOtifyJPGC
-PtxqvWuj34aQHnDglYQnH0gi5Vjc76kdbC2JzskOD5NO1KnlpIDbhq+YL3umPq0/
-pO6uT8nk8+qhv28MNrAa4mscBJFPH6Y5vMQc7y+ri6DXJHtH+i9v9CjUUVyy3Ap3
-LuSKfToHLYS+zYeQHeAJIgK3q1FAayKyNYm6sGFF9fo2XnzWKV8/E2mhjwwq2mhO
-/Z4uKdcIf9ITzD+d8Hsge3k6A9pWSJ1gyRsueicrhi9a+ZHmZZ9u/D3q03LJ+did
-RvJhrQHTAqI95WfYM8+LwnoLJ8QisQ==
-=iIBA
------END PGP SIGNATURE-----

curl-7.64.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2f2f13fa34d44aa29cb444077ad7dc4dc6d189584ad552e0aaeb06e608af6001
+size 2398904

curl-7.64.0.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlxahccACgkQXMkI/bce
+EsKdrAf+OoNH+Yz1HfJG5MtmEi2sgRC56iAvZBQujPG8SJYGnT3D2nLiuC2+bzA8
+eMCqisodW5f6lV/9JRvLmLS0dhxAfdf/NHlMOdtgSv+NzVGsggpHeYEZ7HucRHsQ
+AKZ6/wx7rby8yZqrn2s7yWWB0qgiajWx30r+CJEYXpuw+YwZ2qZo5ecM7fa/J9ko
+ESwb7BLF6KMkdSz1wSApwCdznB/BXOaPrUBMiOcwO7ftq/t1ZmqnUWLtdlSp8OoH
+Tw832H1kCP2OFHcOFTQmZJLagRQtLBhC522wNsagXaMwak6uhoFApcAPqoPdm4Pm
+PvTO6aAopZk+sX9VemdSQzx/4ysT3w==
+=HOlc
+-----END PGP SIGNATURE-----

curl-mini.changes

@@ -1,3 +1,93 @@
+-------------------------------------------------------------------
+Wed Feb  6 09:16:58 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- update to version 7.64.0
+  [bcs#1123371, CVE-2018-16890][bcs#1123377, CVE-2019-3822]
+  [bcs#1123378, CVE-2019-3823]
+  * Changes:
+    - cookies: leave secure cookies alone
+    - hostip: support wildcard hosts
+    - http: Implement trailing headers for chunked transfers
+    - http: added options for allowing HTTP/0.9 responses
+    - timeval: Use high resolution timestamps on Windows 
+  * Bugfixes:
+    - CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
+    - CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
+    - CVE-2019-3823: SMTP end-of-response out-of-bounds read
+    - FAQ: remove mention of sourceforge for github
+    - OS400: handle memory error in list conversion
+    - OS400: upgrade ILE/RPG binding.
+    - README: add codacy code quality badge
+    - Revert http_negotiate: do not close connection
+    - THANKS: added several missing names from year <= 2000
+    - build: make 'tidy' target work for metalink builds
+    - cmake: added checks for variadic macros
+    - cmake: updated check for HAVE_POLL_FINE to match autotools
+    - cmake: use lowercase for function name like the rest of the code
+    - configure: detect xlclang separately from clang
+    - configure: fix recv/send/select detection on Android
+    - configure: rewrite --enable-code-coverage
+    - conncache_unlock: avoid indirection by changing input argument type
+    - cookie: fix comment typo
+    - cookies: allow secure override when done over HTTPS
+    - cookies: extend domain checks to non psl builds
+    - cookies: skip custom cookies when redirecting cross-site
+    - curl --xattr: strip credentials from any URL that is stored
+    - curl -J: refuse to append to the destination file
+    - curl/urlapi.h: include "curl.h" first
+    - curl_multi_remove_handle() don't block terminating c-ares requests
+    - darwinssl: accept setting max-tls with default min-tls
+    - disconnect: separate connections and easy handles better
+    - disconnect: set conn->data for protocol disconnect
+    - docs/version.d: mention MultiSSL
+    - docs: fix the --tls-max description
+    - docs: use $(INSTALL_DATA) to install man page
+    - docs: use meaningless port number in CURLOPT_LOCALPORT example
+    - gopher: always include the entire gopher-path in request
+    - http2: clear pause stream id if it gets closed
+    - if2ip: remove unused function Curl_if_is_interface_name
+    - libssh: do not let libssh create socket
+    - libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
+    - libssh: free sftp_canonicalize_path() data correctly
+    - libtest/stub_gssapi: use "real" snprintf
+    - mbedtls: use VERIFYHOST
+    - multi: multiplexing improvements
+    - multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
+    - ntlm: fix NTMLv2 compliance
+    - ntlm_sspi: add support for channel binding
+    - openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
+    - openssl: fix the SSL_get_tlsext_status_ocsp_resp call
+    - openvms: fix OpenSSL discovery on VAX
+    - openvms: fix typos in documentation
+    - os400: add a missing closing bracket
+    - os400: fix extra parameter syntax error
+    - pingpong: change default response timeout to 120 seconds
+    - pingpong: ignore regular timeout in disconnect phase
+    - printf: fix format specifiers
+    - runtests.pl: Fix perl call to include srcdir
+    - schannel: fix compiler warning
+    - schannel: preserve original certificate path parameter
+    - schannel: stop calling it "winssl"
+    - sigpipe: if mbedTLS is used, ignore SIGPIPE
+    - smb: fix incorrect path in request if connection reused
+    - ssh: log the libssh2 error message when ssh session startup fails
+    - test1558: verify CURLINFO_PROTOCOL on file:// transfer
+    - test1561: improve test name
+    - test1653: make it survive torture tests
+    - tests: allow tests to pass by 2037-02-12
+    - tests: move objnames-* from lib into tests
+    - timediff: fix math for unsigned time_t
+    - timeval: Disable MSVC Analyzer GetTickCount warning
+    - tool_cb_prg: avoid integer overflow
+    - travis: added cmake build for osx
+    - urlapi: Fix port parsing of eol colon
+    - urlapi: distinguish possibly empty query
+    - urlapi: fix parsing ipv6 with zone index
+    - urldata: rename easy_conn to just conn
+    - winbuild: conditionally use /DZLIB_WINAPI
+    - wolfssl: fix memory-leak in threaded use
+    - spnego_sspi: add support for channel binding 
+
 -------------------------------------------------------------------
 Mon Jan 28 18:47:00 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
 

curl-mini.spec

@@ -29,14 +29,14 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name:           curl-mini
-Version:        7.63.0
+Version:        7.64.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl
 Group:          Productivity/Networking/Web/Utilities
 Url:            https://curl.haxx.se/
-Source:         https://curl.haxx.se/download/curl-%{version}.tar.gz
+Source:         https://curl.haxx.se/download/curl-%{version}.tar.xz
-Source2:        https://curl.haxx.se/download/curl-%{version}.tar.gz.asc
+Source2:        https://curl.haxx.se/download/curl-%{version}.tar.xz.asc
 Source3:        baselibs.conf
 Source4:        https://daniel.haxx.se/mykey.asc#/curl.keyring
 Patch0:         libcurl-ocloexec.patch

curl.changes

@@ -1,3 +1,93 @@
+-------------------------------------------------------------------
+Wed Feb  6 09:16:58 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- update to version 7.64.0
+  [bcs#1123371, CVE-2018-16890][bcs#1123377, CVE-2019-3822]
+  [bcs#1123378, CVE-2019-3823]
+  * Changes:
+    - cookies: leave secure cookies alone
+    - hostip: support wildcard hosts
+    - http: Implement trailing headers for chunked transfers
+    - http: added options for allowing HTTP/0.9 responses
+    - timeval: Use high resolution timestamps on Windows 
+  * Bugfixes:
+    - CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
+    - CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
+    - CVE-2019-3823: SMTP end-of-response out-of-bounds read
+    - FAQ: remove mention of sourceforge for github
+    - OS400: handle memory error in list conversion
+    - OS400: upgrade ILE/RPG binding.
+    - README: add codacy code quality badge
+    - Revert http_negotiate: do not close connection
+    - THANKS: added several missing names from year <= 2000
+    - build: make 'tidy' target work for metalink builds
+    - cmake: added checks for variadic macros
+    - cmake: updated check for HAVE_POLL_FINE to match autotools
+    - cmake: use lowercase for function name like the rest of the code
+    - configure: detect xlclang separately from clang
+    - configure: fix recv/send/select detection on Android
+    - configure: rewrite --enable-code-coverage
+    - conncache_unlock: avoid indirection by changing input argument type
+    - cookie: fix comment typo
+    - cookies: allow secure override when done over HTTPS
+    - cookies: extend domain checks to non psl builds
+    - cookies: skip custom cookies when redirecting cross-site
+    - curl --xattr: strip credentials from any URL that is stored
+    - curl -J: refuse to append to the destination file
+    - curl/urlapi.h: include "curl.h" first
+    - curl_multi_remove_handle() don't block terminating c-ares requests
+    - darwinssl: accept setting max-tls with default min-tls
+    - disconnect: separate connections and easy handles better
+    - disconnect: set conn->data for protocol disconnect
+    - docs/version.d: mention MultiSSL
+    - docs: fix the --tls-max description
+    - docs: use $(INSTALL_DATA) to install man page
+    - docs: use meaningless port number in CURLOPT_LOCALPORT example
+    - gopher: always include the entire gopher-path in request
+    - http2: clear pause stream id if it gets closed
+    - if2ip: remove unused function Curl_if_is_interface_name
+    - libssh: do not let libssh create socket
+    - libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
+    - libssh: free sftp_canonicalize_path() data correctly
+    - libtest/stub_gssapi: use "real" snprintf
+    - mbedtls: use VERIFYHOST
+    - multi: multiplexing improvements
+    - multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
+    - ntlm: fix NTMLv2 compliance
+    - ntlm_sspi: add support for channel binding
+    - openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
+    - openssl: fix the SSL_get_tlsext_status_ocsp_resp call
+    - openvms: fix OpenSSL discovery on VAX
+    - openvms: fix typos in documentation
+    - os400: add a missing closing bracket
+    - os400: fix extra parameter syntax error
+    - pingpong: change default response timeout to 120 seconds
+    - pingpong: ignore regular timeout in disconnect phase
+    - printf: fix format specifiers
+    - runtests.pl: Fix perl call to include srcdir
+    - schannel: fix compiler warning
+    - schannel: preserve original certificate path parameter
+    - schannel: stop calling it "winssl"
+    - sigpipe: if mbedTLS is used, ignore SIGPIPE
+    - smb: fix incorrect path in request if connection reused
+    - ssh: log the libssh2 error message when ssh session startup fails
+    - test1558: verify CURLINFO_PROTOCOL on file:// transfer
+    - test1561: improve test name
+    - test1653: make it survive torture tests
+    - tests: allow tests to pass by 2037-02-12
+    - tests: move objnames-* from lib into tests
+    - timediff: fix math for unsigned time_t
+    - timeval: Disable MSVC Analyzer GetTickCount warning
+    - tool_cb_prg: avoid integer overflow
+    - travis: added cmake build for osx
+    - urlapi: Fix port parsing of eol colon
+    - urlapi: distinguish possibly empty query
+    - urlapi: fix parsing ipv6 with zone index
+    - urldata: rename easy_conn to just conn
+    - winbuild: conditionally use /DZLIB_WINAPI
+    - wolfssl: fix memory-leak in threaded use
+    - spnego_sspi: add support for channel binding 
+
 -------------------------------------------------------------------
 Mon Jan 28 18:47:00 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
 

curl.spec

@@ -27,14 +27,14 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name:           curl
-Version:        7.63.0
+Version:        7.64.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl
 Group:          Productivity/Networking/Web/Utilities
 Url:            https://curl.haxx.se/
-Source:         https://curl.haxx.se/download/curl-%{version}.tar.gz
+Source:         https://curl.haxx.se/download/curl-%{version}.tar.xz
-Source2:        https://curl.haxx.se/download/curl-%{version}.tar.gz.asc
+Source2:        https://curl.haxx.se/download/curl-%{version}.tar.xz.asc
 Source3:        baselibs.conf
 Source4:        https://daniel.haxx.se/mykey.asc#/curl.keyring
 Patch0:         libcurl-ocloexec.patch