diff --git a/curl-7.58.0.tar.gz b/curl-7.58.0.tar.gz
deleted file mode 100644
index f812e4f..0000000
--- a/curl-7.58.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:cc245bf9a1a42a45df491501d97d5593392a03f7b4f07b952793518d97666115
-size 3879728
diff --git a/curl-7.58.0.tar.gz.asc b/curl-7.58.0.tar.gz.asc
deleted file mode 100644
index 644afb4..0000000
--- a/curl-7.58.0.tar.gz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlpoMGoACgkQXMkI/bce
-EsIpBAf/YL7L3NkhDMC6TMhGMwuI1gzF8nrQdOv75wb09t6kZ3Lnx3pXcAjLpJlS
-TjpP4b7LqAzuSaCC1MH1idXlFxbZExnnRXxQjVL/6kOqO3vyTyUALtA7R8x/aN2z
-1Dymcl82SH+nGkMoB9eh9xyOzg4yUGF+zu7CLm8tEANJdvKGwE2qfx+nI557FNV0
-rlW9SwAMH3XUhEo78HGDfqOUYSU/c/LiLXZtBinJPeKmpJzcqgZlw8libSyzWLpe
-doMo7nbHdRV12zedhYrwlM0EPi0Fhyb14tlhl8TsSrhXfZoai1r2DaxhWDOXgTvV
-cmvsfTaj6N2GHUZFLGB/Bs/ksiMDxg==
-=Ebn1
------END PGP SIGNATURE-----
diff --git a/curl-7.59.0.tar.gz b/curl-7.59.0.tar.gz
new file mode 100644
index 0000000..5336bd5
--- /dev/null
+++ b/curl-7.59.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:099d9c32dc7b8958ca592597c9fabccdf4c08cfb7c114ff1afbbc4c6f13c9e9e
+size 3907587
diff --git a/curl-7.59.0.tar.gz.asc b/curl-7.59.0.tar.gz.asc
new file mode 100644
index 0000000..1dfcbed
--- /dev/null
+++ b/curl-7.59.0.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlqoxTsACgkQXMkI/bce
+EsIreAf/UH3RUVhgKPZ/83zR+tK0M3gLZQW4oNcPYqslBFxi8ETDDgzQybbIUmA9
+CWzqB0j5+OsEA7bLFig6qx0VJxJZbrbNF8rMWArWld2bUjIxAbFxh7MYYf6W+yKZ
+1EDgzFEdahlCsN2qaRGlq2eBk1qUDNQIDwrn4lI2p6RfbC0InVKUV3eVcZQZZL0F
+WBVqLORYEv9Nl9umLKLsw6GDfs4INwyUcbv3muf/SlmgJ5JNIuEyVsZfd21ZFaDm
+oN1WK4s+7IL41RUl34stE7idgUry38InR9BD11vpsbLtQA29Sb3s+74osYkaxSI/
+MPltGnxrmhldDYiPGwszWvlCiOJ7YA==
+=Di6w
+-----END PGP SIGNATURE-----
diff --git a/curl-disabled-redirect-protocol-message.patch b/curl-disabled-redirect-protocol-message.patch
new file mode 100644
index 0000000..0e4b149
--- /dev/null
+++ b/curl-disabled-redirect-protocol-message.patch
@@ -0,0 +1,18 @@
+--- a/lib/url.c
++++ a/lib/url.c
+@@ -1955,9 +1955,13 @@ static CURLcode findprotocol(struct Curl_easy *data,
+ /* it is allowed for "normal" request, now do an extra check if this is
+ the result of a redirect */
+ if(data->state.this_is_a_follow &&
+- !(data->set.redir_protocols & p->protocol))
++ !(data->set.redir_protocols & p->protocol)) {
+ /* nope, get out */
+- break;
++ failf(data, "Redirect to protocol \"%s\" not supported or disabled in " LIBCURL_NAME,
++ protostr);
++
++ return CURLE_UNSUPPORTED_PROTOCOL;
++ }
+
+ /* Perform setup complement if some. */
+ conn->handler = conn->given = p;
diff --git a/curl-mini.changes b/curl-mini.changes
index a74f78f..1eb78e1 100644
--- a/curl-mini.changes
+++ b/curl-mini.changes
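Review bot: In the findprotocol() hunk of curl-disabled-redirect-protocol-message.patch, the kept comment `/* nope, get out */` no longer explains the branch, which is the one that enforces `redir_protocols` on a followed redirect; I would replace it with something like `/* redirect target's protocol is not in redir_protocols: refuse it with its own message */`. `protostr` presumably originates from the redirect URL, so passing it as a `%s` argument rather than splicing it into the format string is the right shape and should stay that way. The `failf(` line is over 79 columns even without indentation, so ending the literal after `disabled in "` and putting `LIBCURL_NAME,` on the next line would keep it within curl's usual line limit. findprotocol's body starts and ends outside the hunk, so it cannot be confirmed from here that the old `break` reached the same `CURLE_UNSUPPORTED_PROTOCOL` return; that is worth checking, since callers may match on the error code.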
@@ -1,3 +1,97 @@
+-------------------------------------------------------------------
+Wed Mar 14 14:23:22 UTC 2018 - pmonrealgonzalez@suse.com
+
+- Added message about protocol redirection not supported or
+ disabled to the function findprotocol() [bsc#1076446]
+ * Added curl-disabled-redirect-protocol-message.patch
+
+-------------------------------------------------------------------
+Wed Mar 14 13:08:33 UTC 2018 - pmonrealgonzalez@suse.com
+
+- Update to version 7.59.0
+ [bsc#1084521, CVE-2018-1000120][bsc#1084524, CVE-2018-1000121]
+ [bsc#1084532, CVE-2018-1000122]
+ Changes:
+ * curl: add --proxy-pinnedpubkey
+ * added: CURLOPT_TIMEVALUE_LARGE and CURLINFO_FILETIME_T
+ * CURLOPT_RESOLVE: Add support for multiple IP addresses per entry
+ * Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
+ * Add new tool option --happy-eyeballs-timeout-ms
+ * Add CURLOPT_RESOLVER_START_FUNCTION and CURLOPT_RESOLVER_START_DATA
+ Bugfixes:
+ * openldap: check ldap_get_attribute_ber() results for NULL before using
+ * FTP: reject path components with control codes
+ * readwrite: make sure excess reads don't go beyond buffer end
+ * lib555: drop text conversion and encode data as ascii codes
+ * lib517: make variable static to avoid compiler warning
+ * lib544: sync ascii code data with textual data
+ * GSKit: restore pinnedpubkey functionality
+ * darwinssl: Don't import client certificates into Keychain on macOS
+ * parsedate: fix date parsing for systems with 32 bit long
+ * openssl: fix pinned public key build error in FIPS mode
+ * SChannel/WinSSL: Implement public key pinning
+ * cookies: remove verbose "cookie size:" output
+ * progress-bar: don't use stderr explicitly, use bar->out
+ * build: open VC15 projects with VS 2017
+ * curl_ctype: private is*() type macros and functions
+ * configure: set PATH_SEPARATOR to colon for PATH w/o separator
+ * curl_easy_reset: clear digest auth state
+ * curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6
+ * range: commonize FTP and 
FILE range handling
+ * progress-bar docs: update to match implementation
+ * fnmatch: do not match the empty string with a character set
+ * fnmatch: accept an alphanum to be followed by a non-alphanum in char set
+ * build: fix termios issue on android cross-compile
+ * getdate: return -1 for out of range
+ * formdata: use the mime-content type function
+ * openssl: Don't add verify locations when verifypeer==0
+ * fnmatch: optimize processing of consecutive *s and ?s pattern characters
+ * schannel: fix compiler warnings
+ * content_encoding: Add "none" alias to "identity"
+ * get_posix_time: only check for overflows if they can happen
+ * http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING
+ * README: language fix
+ * sha256: build with OpenSSL < 0.9.8
+ * smtp: fix processing of initial dot in data
+ * --tlsauthtype: works only if libcurl is built with TLS-SRP support
+ * tests: new tests for http raw mode
+ * libcurl-security.3: man page discussion security concerns when using libcurl
+ * curl_gssapi: make sure this file too uses our *printf()
+ * BINDINGS: fix curb link (and remove ruby-curl-multi)
+ * nss: use PK11_CreateManagedGenericObject() if available
+ * travis: add build with iconv enabled
+ * ssh: add two missing state names
+ * CURLOPT_HEADERFUNCTION.3: mention folded headers
+ * http: fix the max header length detection logic
+ * header callback: don't chop headers into smaller pieces
+ * CURLOPT_HEADER.3: clarify problems with different data sizes
+ * curl --version: show PSL if the run-time lib has it enabled
+ * examples/sftpuploadresume: resume upload via CURLOPT_APPEND
+ * Return error if called recursively from within callbacks
+ * sasl: prefer PLAIN mechanism over LOGIN
+ * winbuild: Use CALL to run batch scripts
+ * curl_share_setopt.3: connection cache is shared within multi handles
+ * projects/README: remove reference to dead IDN link/package
+ * lib655: silence compiler warning
+ * configure: Fix version check for 
OpenSSL 1.1.1 + * docs/MANUAL: formfind.pl is not accessible on the site anymore + * unit1307: proper cleanup on OOM to fix torture tests + * curl_ctype: fix macro redefinition warnings + * build: get CFLAGS (including -werror) used for examples and tests + * NO_PROXY: fix for IPv6 numericals in the URL + * krb5: use nondeprecated functions + * http2: mark the connection for close on GOAWAY + * limit-rate: kick in even before "limit" data has been received + * HTTP: allow "header;" to replace an internal header with a blank one + * http2: verbose output new MAX_CONCURRENT_STREAMS values + * SECURITY: distros' max embargo time is 14 days + * curl tool: accept --compressed also if Brotli is enabled and zlib is not + * WolfSSL: adding TLSv1.3 + * checksrc.pl: add -i and -m options + * CURLOPT_COOKIEFILE.3: "-" as file name means stdin + +- Refreshed patch libcurl-ocloexec.patch + ------------------------------------------------------------------- Tue Feb 20 09:48:49 UTC 2018 - tchvatal@suse.com diff --git a/curl-mini.spec b/curl-mini.spec index 36f5280..1d4b04a 100644 --- a/curl-mini.spec +++ b/curl-mini.spec @@ -29,7 +29,7 @@ # need ssl always for python-pycurl %bcond_without openssl Name: curl-mini -Version: 7.58.0 +Version: 7.59.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl @@ -43,6 +43,8 @@ Patch0: libcurl-ocloexec.patch Patch1: dont-mess-with-rpmoptflags.diff Patch2: curl-secure-getenv.patch Patch3: ignore_runtests_failure.patch +# PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled +Patch4: curl-disabled-redirect-protocol-message.patch BuildRequires: libtool BuildRequires: pkgconfig Requires: libcurl4%{?mini} = %{version} @@ -121,6 +123,7 @@ user interaction or any kind of interactivity. %ifarch ppc ppc64 ppc64le %patch3 -p1 %endif +%patch4 -p1 %build # curl complains if macro definition is contained in CFLAGS diff --git a/curl.changes b/curl.changes index a74f78f..1eb78e1 100644 --- a/curl.changes 
+++ b/curl.changes 
@@ -1,3 +1,97 @@
+-------------------------------------------------------------------
+Wed Mar 14 14:23:22 UTC 2018 - pmonrealgonzalez@suse.com
+
+- Added message about protocol redirection not supported or
+ disabled to the function findprotocol() [bsc#1076446]
+ * Added curl-disabled-redirect-protocol-message.patch
+
+-------------------------------------------------------------------
+Wed Mar 14 13:08:33 UTC 2018 - pmonrealgonzalez@suse.com
+
+- Update to version 7.59.0
+ [bsc#1084521, CVE-2018-1000120][bsc#1084524, CVE-2018-1000121]
+ [bsc#1084532, CVE-2018-1000122]
+ Changes:
+ * curl: add --proxy-pinnedpubkey
+ * added: CURLOPT_TIMEVALUE_LARGE and CURLINFO_FILETIME_T
+ * CURLOPT_RESOLVE: Add support for multiple IP addresses per entry
+ * Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
+ * Add new tool option --happy-eyeballs-timeout-ms
+ * Add CURLOPT_RESOLVER_START_FUNCTION and CURLOPT_RESOLVER_START_DATA
+ Bugfixes:
+ * openldap: check ldap_get_attribute_ber() results for NULL before using
+ * FTP: reject path components with control codes
+ * readwrite: make sure excess reads don't go beyond buffer end
+ * lib555: drop text conversion and encode data as ascii codes
+ * lib517: make variable static to avoid compiler warning
+ * lib544: sync ascii code data with textual data
+ * GSKit: restore pinnedpubkey functionality
+ * darwinssl: Don't import client certificates into Keychain on macOS
+ * parsedate: fix date parsing for systems with 32 bit long
+ * openssl: fix pinned public key build error in FIPS mode
+ * SChannel/WinSSL: Implement public key pinning
+ * cookies: remove verbose "cookie size:" output
+ * progress-bar: don't use stderr explicitly, use bar->out
+ * build: open VC15 projects with VS 2017
+ * curl_ctype: private is*() type macros and functions
+ * configure: set PATH_SEPARATOR to colon for PATH w/o separator
+ * curl_easy_reset: clear digest auth state
+ * curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6
+ * range: commonize FTP and 
FILE range handling
+ * progress-bar docs: update to match implementation
+ * fnmatch: do not match the empty string with a character set
+ * fnmatch: accept an alphanum to be followed by a non-alphanum in char set
+ * build: fix termios issue on android cross-compile
+ * getdate: return -1 for out of range
+ * formdata: use the mime-content type function
+ * openssl: Don't add verify locations when verifypeer==0
+ * fnmatch: optimize processing of consecutive *s and ?s pattern characters
+ * schannel: fix compiler warnings
+ * content_encoding: Add "none" alias to "identity"
+ * get_posix_time: only check for overflows if they can happen
+ * http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING
+ * README: language fix
+ * sha256: build with OpenSSL < 0.9.8
+ * smtp: fix processing of initial dot in data
+ * --tlsauthtype: works only if libcurl is built with TLS-SRP support
+ * tests: new tests for http raw mode
+ * libcurl-security.3: man page discussion security concerns when using libcurl
+ * curl_gssapi: make sure this file too uses our *printf()
+ * BINDINGS: fix curb link (and remove ruby-curl-multi)
+ * nss: use PK11_CreateManagedGenericObject() if available
+ * travis: add build with iconv enabled
+ * ssh: add two missing state names
+ * CURLOPT_HEADERFUNCTION.3: mention folded headers
+ * http: fix the max header length detection logic
+ * header callback: don't chop headers into smaller pieces
+ * CURLOPT_HEADER.3: clarify problems with different data sizes
+ * curl --version: show PSL if the run-time lib has it enabled
+ * examples/sftpuploadresume: resume upload via CURLOPT_APPEND
+ * Return error if called recursively from within callbacks
+ * sasl: prefer PLAIN mechanism over LOGIN
+ * winbuild: Use CALL to run batch scripts
+ * curl_share_setopt.3: connection cache is shared within multi handles
+ * projects/README: remove reference to dead IDN link/package
+ * lib655: silence compiler warning
+ * configure: Fix version check for 
OpenSSL 1.1.1 + * docs/MANUAL: formfind.pl is not accessible on the site anymore + * unit1307: proper cleanup on OOM to fix torture tests + * curl_ctype: fix macro redefinition warnings + * build: get CFLAGS (including -werror) used for examples and tests + * NO_PROXY: fix for IPv6 numericals in the URL + * krb5: use nondeprecated functions + * http2: mark the connection for close on GOAWAY + * limit-rate: kick in even before "limit" data has been received + * HTTP: allow "header;" to replace an internal header with a blank one + * http2: verbose output new MAX_CONCURRENT_STREAMS values + * SECURITY: distros' max embargo time is 14 days + * curl tool: accept --compressed also if Brotli is enabled and zlib is not + * WolfSSL: adding TLSv1.3 + * checksrc.pl: add -i and -m options + * CURLOPT_COOKIEFILE.3: "-" as file name means stdin + +- Refreshed patch libcurl-ocloexec.patch + ------------------------------------------------------------------- Tue Feb 20 09:48:49 UTC 2018 - tchvatal@suse.com diff --git a/curl.spec b/curl.spec index 0d996fa..03bb4a5 100644 --- a/curl.spec +++ b/curl.spec @@ -27,7 +27,7 @@ # need ssl always for python-pycurl %bcond_without openssl Name: curl -Version: 7.58.0 +Version: 7.59.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl @@ -41,6 +41,8 @@ Patch0: libcurl-ocloexec.patch Patch1: dont-mess-with-rpmoptflags.diff Patch2: curl-secure-getenv.patch Patch3: ignore_runtests_failure.patch +# PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled +Patch4: curl-disabled-redirect-protocol-message.patch BuildRequires: libtool BuildRequires: pkgconfig Requires: libcurl4%{?mini} = %{version} @@ -119,6 +121,7 @@ user interaction or any kind of interactivity. %ifarch ppc ppc64 ppc64le %patch3 -p1 %endif +%patch4 -p1 %build # curl complains if macro definition is contained in CFLAGS diff --git a/libcurl-ocloexec.patch b/libcurl-ocloexec.patch index b3c1e0d..243e76c 100644 --- a/libcurl-ocloexec.patch 
+++ b/libcurl-ocloexec.patch @@ -11,7 +11,7 @@ Index: lib/file.c =================================================================== --- lib/file.c.orig +++ lib/file.c -@@ -248,7 +248,7 @@ static CURLcode file_connect(struct conn +@@ -190,7 +190,7 @@ static CURLcode file_connect(struct conn return CURLE_URL_MALFORMAT; } @@ -20,7 +20,7 @@ Index: lib/file.c file->path = real_path; #endif file->freepath = real_path; /* free this when done */ -@@ -343,7 +343,7 @@ static CURLcode file_upload(struct conne +@@ -285,7 +285,7 @@ static CURLcode file_upload(struct conne else mode = MODE_DEFAULT|O_TRUNC; @@ -33,7 +33,7 @@ Index: lib/hostip6.c =================================================================== --- lib/hostip6.c.orig +++ lib/hostip6.c -@@ -39,7 +39,7 @@ +@@ -44,7 +44,7 @@ #ifdef HAVE_PROCESS_H #include #endif @@ -68,8 +68,8 @@ Index: lib/connect.c =================================================================== --- lib/connect.c.orig +++ lib/connect.c -@@ -1355,7 +1355,7 @@ CURLcode Curl_socket(struct connectdata - (struct curl_sockaddr *)addr); +@@ -1389,7 +1389,7 @@ CURLcode Curl_socket(struct connectdata + } else /* opensocket callback not set, so simply create the socket now */ - *sockfd = socket(addr->family, addr->socktype, addr->protocol); @@ -81,7 +81,7 @@ Index: configure.ac =================================================================== --- configure.ac.orig +++ configure.ac -@@ -182,6 +182,7 @@ AC_CANONICAL_HOST +@@ -188,6 +188,7 @@ AC_CANONICAL_HOST dnl Get system canonical name AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-machine-OS])