- Update to version 7.57.0 [bsc#1069226, CVE-2017-8816]
[bsc#1069222, CVE-2017-8817] [bsc#1069714, CVE-2017-8818]
Changes:
* auth: add support for RFC7616 - HTTP Digest access authentication
* share: add support for sharing the connection cache
* HTTP: implement Brotli content encoding
Bugfixes:
* CVE-2017-8816: NTLM buffer overflow via integer overflow
* CVE-2017-8817: FTP wildcard out of bounds read
* CVE-2017-8818: SSL out of buffer access
* curl_mime_filedata.3: fix typos
* libtest: Add required test libraries for lib1552 and lib1553
* fix time diffs for systems using unsigned time_t
* ftplistparser: memory leak fix: free temporary memory always
* multi: allow table handle sizes to be overridden
* wildcards: don't use with non-supported protocols
* curl_fnmatch: return error on illegal wildcard pattern
* transfer: Fix chunked-encoding upload too early exit
* resolvers: only include anything if needed
* setopt: fix CURLOPT_SSH_AUTH_TYPES option read
* Curl_timeleft: change return type to timediff_t
* cmake: Export libcurl and curl targets to use by other cmake projects
* curl: in -F option arg, comma is a delimiter for files only
* curl: improved ";type=" handling in -F option arguments
* timeval: use mach_absolute_time() on MacOS
* curlx: the timeval functions are no longer provided as curlx_*
* mkhelp.pl: do not generate comment with current date
* memdebug: use send/recv signature for curl_dosend/curl_dorecv
* cookie: avoid NULL dereference
* url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1
OBS-URL: https://build.opensuse.org/request/show/546402
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=210
- Update to version 7.56.1 [bsc#1063824]
Bugfixes:
* imap: if a FETCH response has no size, don't call write
callback [CVE-2017-1000257]
* ftp: UBsan fixup 'pointer index expression overflowed'
* failf: skip the sprintf() if there are no consumers
* fuzzer: move to using external curl-fuzzer
* lib/Makefile.m32: allow customizing dll suffixes
* docs: fix typo in curl_mime_data_cb man page
* darwinssl: add support for TLSv1.3
* build: fix --disable-crypto-auth
* openssl: fix build without HAVE_OPAQUE_EVP_PKEY
* strtoofft: Remove extraneous null check
* multi_cleanup: call DONE on handles that never got that
* tests: added flaky keyword to tests 587 and 644
* pingpong: return error when trying to send without connection
* remove_handle: call multi_done() first, then clear dns cache pointer
* mime: be tolerant about setting the same header list twice in a part
* mime: improve unbinding top multipart from easy handle
* mime: avoid resetting a part's encoder when part's contents change
* mime: refuse to add subparts to one of their own descendants
* RTSP: avoid integer overflow on funny RTSP responses
* curl: don't pass semicolons when parsing Content-Disposition
* openssl: enable PKCS12 support for !BoringSSL
* FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION
* CURLOPT_NOPROGRESS.3: also refer to xferinfofunction
* CURLOPT_XFERINFODATA.3: fix duplicate see also
* test298: verify --ftp-method nocwd with URL encoded path
* FTP: URL decode path for dir listing in nocwd mode
* smtp_done: fix memory leak on send failure
OBS-URL: https://build.opensuse.org/request/show/535940
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=208
- Update to 7.56.0 [bsc#1061876, CVE-2017-1000254]
Changes:
* curl: enable compression for SCP/SFTP with --compressed-ssh
* libcurl: enable compression for SCP/SFTP with CURLOPT_SSH_COMPRESSION
* vtls: added dynamic changing SSL backend with curl_global_sslset()
* new MIME API, curl_mime_init() and friends
* openssl: initial SSLKEYLOGFILE implementation
Security fixes:
* CVE-2017-1000254 FTP PWD response parser out of bounds read
Bugfixes:
* FTP: zero terminate the entry path even on bad input
* examples/ftpuploadresume.c: use portable code
* runtests: match keywords case insensitively
* strtoofft: reduce integer overflow risks globally
* zsh.pl: produce a working completion script again
* cmake: remove dead code for CURL_DISABLE_RTMP
* progress: Track total times following redirects
* configure: fix --disable-threaded-resolver
* configure: fix clang version detection
* darwinssl: fix error: variable length array used
* configure: check for __builtin_available() availability
* http_proxy: fix build error for CURL_DOES_CONVERSIONS
* examples/ftpuploadresume: checksrc compliance
* ftp: fix CWD when doing multicwd then nocwd on same connection
* system.h: remove all CURL_SIZEOF_* defines
* http: Don't wait on CONNECT when there is no proxy
* system.h: check for __ppc__ as well
* http2_recv: return error better on fatal h2 errors
* tftp: fix memory leak on too long filename
* system.h: fix build for hppa
OBS-URL: https://build.opensuse.org/request/show/532977
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=206
- Upstream fix to build libcurl man3 pages
* Added patch curl-man3.patch
- Disabled test1425 that fails in i586 architecture
* Added patch curl-disable-test1427-i586.patch
- Update to 7.55.0
Changes:
* curl: allow --header and --proxy-header read from file
* getinfo: provide sizes as curl_off_t
* curl: prevent binary output spewed to terminal
* curl: added --request-target
* curl: added --socks5-{basic,gssapi}: control socks5 auth
* libcurl: added CURLOPT_REQUEST_TARGET
* libcurl: added CURLOPT_SOCKS5_AUTH
Bugfixes:
* Security Fixes:
- glob: do not parse after a strtoul() overflow range
(CVE-2017-1000101, bsc#1051643)
- tftp: reject file name lengths that don't fit
(CVE-2017-1000100, bsc#1051644)
- file: output the correct buffer to the user
(CVE-2017-1000099, bsc#1051645)
* includes: remove curl/curlbuild.h and curl/curlrules.h
* dist: make the hugehelp.c not get regenerated unnecessarily
* timers: store internal time stamps as time_t instead of doubles
* progress: let "current speed" be UL + DL speeds combined
* http-proxy: do the HTTP CONNECT process entirely non-blocking
* lib/curl_setup.h: remove CURL_WANTS_CA_BUNDLE_ENV
* fuzz: bring oss-fuzz initial code converted to C89
OBS-URL: https://build.opensuse.org/request/show/515937
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=201
Changes:
* curl now shows release date in --version output
Bugfixes:
* Fixes CVE-2017-9502: default protocol drive letter
buffer overflow bsc#1044243
* openssl: fix memory leak in servercert
* curl: set a 100K buffer size by default
* nss: do not leak PKCS #11 slot while loading a key
* nss: load libnssckbi.so if no other trust is specified
* curl: use utimes instead of obsolescent utime when available
* url: fixed a memory leak on OOM while setting CURLOPT_BUFFERSIZE
* CURLOPT_BUFFERSIZE: 1024 bytes is now the minimum size
* curl: non-boolean command line args reject --no- prefixes
* telnet: Write full buffer instead of byte-by-byte
* curl: remove --environment and tool_writeenv.c
* curl: generate the --help output
* curl.1: clarify --config
* curl.1: mention --oauth2-bearer's argument
* ssh: fix memory leak in disconnect due to timeout
* redirect: store the "would redirect to" URL when max redirs is reached
* file: make speedcheck use current time for checks
* urlglob: fix division by zero
- Update to 7.54.1
Changes:
* curl now shows release date in --version output
Bugfixes:
* Fixes CVE-2017-9502: default protocol drive letter
buffer overflow bsc#1044243
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=193