Commit Graph

248 Commits

Author SHA256 Message Date
3516f333d0 Accepting request 1175748 from home:dimstar:Factory
- Add split-provides for libcurl-devel -> libcurl-devel-doc.

See https://en.opensuse.org/openSUSE:Upgrade_dependencies_explanation#Splitting_off_a_sub-package

OBS-URL: https://build.opensuse.org/request/show/1175748
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=362
2024-05-22 12:07:31 +00:00
1baae7ac50 Accepting request 1175379 from home:jengelh:branches:devel:libraries:c_c++
- Spin documentation off to libcurl-devel-doc, this saves buildroots
  495 files and time (mandb is run in %posttrans).

OBS-URL: https://build.opensuse.org/request/show/1175379
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=361
2024-05-21 14:27:56 +00:00
73125545f4 Accepting request 1163135 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 8.7.1:
  * Fixed empty tool_hugehelp.c file
- Update to 8.7.0:
  * Security fixes:
    - [bsc#1221665, CVE-2024-2004] Usage of disabled protocol
    - [bsc#1221667, CVE-2024-2398] HTTP/2 push headers memory-leak
    - [bsc#1221666, CVE-2024-2379] QUIC certificate check bypass with wolfSSL
    - [bsc#1221668, CVE-2024-2466] TLS certificate check bypass with mbedTLS
  * Changes:
    - configure: add --disable-docs flag
    - CURLINFO_USED_PROXY: return bool whether the proxy was used
    - digest: support SHA-512/256
  * Bugfixes:
    - asyn-thread: use wakeup_close to close the read descriptor
    - bufq: writing into a softlimit queue cannot be partial
    - cmake: add USE_OPENSSL_QUIC support
    - cookie: if psl fails, reject the cookie
    - curl: exit on config file parser errors
    - digest: add check for hashing error
    - docs/libcurl: add TLS backend info for all TLS options
    - file: use xfer buf for file:// transfers
    - ftp: do lineend conversions in client writer
    - ftp: fix socket wait activity in ftp_domore_getsock
    - http2: memory errors in the push callbacks are fatal
    - http2: push headers better cleanup
    - libssh/libssh2: return error on too big range
    - OpenSSL QUIC: adapt to v3.3.x
    - setopt: fix check for CURLOPT_PROXY_TLSAUTH_TYPE value
    - setopt: fix disabling all protocols
    - sha512_256: add support for GnuTLS and OpenSSL

OBS-URL: https://build.opensuse.org/request/show/1163135
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=359
2024-03-27 19:18:25 +00:00
6e41d11b09 Accepting request 1157132 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
* Upstream commit: https://github.com/curl/curl/commit/744dcf22

OBS-URL: https://build.opensuse.org/request/show/1157132
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=357
2024-03-12 09:15:05 +00:00
25658f4bf7 Accepting request 1157127 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Remove the nghttp2 version requirement as a version guard around
  the nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation
  function was added in curl 8.0.1.
  * Upstream commit: https://github.com/bch/curl/commit/fb2472b9

OBS-URL: https://build.opensuse.org/request/show/1157127
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=356
2024-03-12 09:00:58 +00:00
612554bc4d Accepting request 1145417 from home:favogt:branches:devel:libraries:c_c++
- Add patch to fix various TLS related issues including FTP over SSL
  transmission timeouts:
  * 0001-vtls-revert-receive-max-buffer-add-test-case.patch
- Switch to %autosetup

Now with workaround for https://github.com/curl/curl/issues/12914.

OBS-URL: https://build.opensuse.org/request/show/1145417
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=354
2024-02-12 09:49:54 +00:00
David Anes
ce6f51d0bc Accepting request 1142991 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 8.6.0: [bsc#1219149, CVE-2024-0853]
  * Security fixes:
    - CVE-2024-0853: OCSP verification bypass with TLS session reuse
  * Changes:
    - add CURLE_TOO_LARGE, CURLINFO_QUEUE_TIME_T
  * Bugfixes:
    - altsvc: free 'as' when returning error
    - asyn-ares: with modern c-ares, use its default timeout
    - cf-socket: show errno in tcpkeepalive error messages
    - cmdline-opts: update availability for the *-ca-native options
    - configure: when enabling QUIC, check that TLS supports QUIC
    - content_encoding: change return code to typedef'ed enum
    - curl: show ipfs and ipns as supported "protocols"
    - CURLINFO_REFERER.3: clarify that it is the *request* header
    - dist: add tests/errorcodes.pl to the tarball
    - gen.pl: support ## for doing .IP in table-like lists
    - GHA: bump ngtcp2, gnutls, mod_h2, quiche
    - hostip: return error immediately when Curl_ip2addr() fails
    - http3/quiche: fix result code on a stream reset
    - http3: initial support for OpenSSL 3.2 QUIC stack
    - http: check for "Host:" case insensitively
    - http: fix off-by-one error in request method length check
    - http: only act on 101 responses when they are HTTP/1.1
    - lib: add debug log outputs for CURLE_BAD_FUNCTION_ARGUMENT
    - lib: error out on multissl + http3
    - lib: fix variable undeclared error caused by `infof` changes
    - lib: rename Curl_strndup to Curl_memdup0 to avoid misunderstanding
    - lib: strndup/memdup instead of malloc, memcpy and null-terminate
    - libssh2: use `libssh2_session_callback_set2()` with v1.11.1
    - ngtcp2: put h3 at the front of alpn

OBS-URL: https://build.opensuse.org/request/show/1142991
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=352
2024-01-31 12:17:58 +00:00
030555bd2f Accepting request 1137148 from home:bobbie424242:branches:openSUSE:Factory
Added curl-adjust-pollset-fix.patch to fix broken MPD http streaming:
https://github.com/curl/curl/issues/12632

OBS-URL: https://build.opensuse.org/request/show/1137148
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=350
2024-01-08 09:05:39 +00:00
358aba2f66 Accepting request 1131465 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 8.5.0:
  * Security fixes:
    - [bsc#1217573, CVE-2023-46218] cookie mixed case PSL bypass
    - [bsc#1217574, CVE-2023-46219] HSTS long file name clears contents
  * Changes:
    - gnutls: support CURLSSLOPT_NATIVE_CA
    - HTTP3: ngtcp2 builds are no longer experimental
  * Bugfixes:
    - asyn-thread: use pipe instead of socketpair for IPC when available
    - cmake: fix OpenSSL quic detection in quiche builds
    - conncache: use the closure handle when disconnecting surplus connections
    - content_encoding: make Curl_all_content_encodings allocless
    - cookie: lowercase the domain names before PSL checks
    - Curl_http_body: cleanup properly when Curl_getformdata errors
    - CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range
    - doh: provide better return code for responses w/o addresses
    - doh: use PIPEWAIT when HTTP/2 is attempted
    - duphandle: also free 'outcurl->cookies' in error path
    - duphandle: make dupset() not return with pointers to old alloced data
    - duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set
    - easy: in duphandle, init the cookies for the new handle
    - easy_lock: add a pthread_mutex_t fallback
    - fopen: create new file using old file's mode
    - fopen: create short(er) temporary file name
    - getenv: PlayStation doesn't have getenv()
    - hostip: show the list of IPs when resolving is done
    - hsts: skip single-dot hostname
    - HTTP/2, HTTP/3: handle detach of onoing transfers
    - http: allow longer HTTP/2 request method names
    - hyper: temporarily remove HTTP/2 support
    - IPFS: fix IPFS_PATH and file parsing
    - multi: during ratelimit multi_getsock should return no sockets
    - multi: use pipe instead of socketpair to *wakeup()
    - ngtcp2: fix races in stream handling
    - ntlm_wb: use pipe instead of socketpair when possible
    - openssl: avoid BN_num_bits() NULL pointer derefs
    - openssl: fix building with v3 `no-deprecated` + add CI test
    - openssl: fix infof() to avoid compiler warning for %s with null
    - openssl: identify the "quictls" backend correctly
    - openssl: include SIG and KEM algorithms in verbose
    - openssl: two multi pointer checks should probably rather be asserts
    - openssl: when a session-ID is reused, skip OCSP stapling
    - quic: make eyeballers connect retries stop at weird replies
    - quic: manage connection idle timeouts
    - setopt: check CURLOPT_TFTP_BLKSIZE range on set
    - socks: better buffer size checks for socks4a user and hostname
    - socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice
    - tool: fix --capath when proxy support is disabled
    - tool_getparam: limit --rate to be smaller than number of ms
    - transfer: abort pause send when connection is marked for closing
    - transfer: avoid calling the read callback again after EOF
    - transfer: only reset the FTP wildcard engine in CLEAR state
    - url: don't touch the multi handle when closing internal handles
    - urlapi: avoid null deref if setting blank host to url encode
    - urlapi: skip appending NULL pointer query
    - urlapi: when URL encoding the fragment, pass in the right length
    - vtls: cleanup SSL config management
    - vtls: consistently use typedef names for OpenSSL structs
    - vtls: late clone of connection ssl config
    - vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0
  * Rebase curl-secure-getenv.patch
  * Add curl-tests-errorcodes.patch

OBS-URL: https://build.opensuse.org/request/show/1131465
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=348
2023-12-06 17:31:56 +00:00
a18af43f06 Accepting request 1116809 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 8.4.0:
  * Security fixes:
    - SOCKS5 heap buffer overflow [bsc#1215888, CVE-2023-38545]
    - cookie injection with none file [bsc#1215889, CVE-2023-38546]
  * Changes:
    - curl: add support for the IPFS protocols via HTTP gateway
    - curl_multi_get_handles: get easy handles from a multi handle
    - mingw: delete support for legacy mingw.org toolchain
  * Bugfixes:
    - base64: also build for curl
    - cf-socket: simulate slow/blocked receives in debug
    - configure: check for the capath by default
    - connect: expire the timeout when trying next
    - connect: only start the happy eyeballs timer when needed
    - cookie: do not store the expire or max-age strings
    - cookie: remove unnecessary struct fields
    - cookie: set ->running in cookie_init even if data is NULL
    - create-dirs.d: clarify it also uses --output-dirs
    - http2: refused stream handling for retry
    - http: h1/h2 proxy unification
    - http: use per-request counter to check too large headers
    - idn: if idn2_check_version returns NULL, return error
    - lib: enable hmac for digest as well
    - lib: let the max filesize option stop too big transfers too
    - lib: move handling of 'data->req.writer_stack' into Curl_client_write()
    - lib: provide and use Curl_hexencode
    - lib: use wrapper for curl_mime_data fseek callback
    - libssh2: fix error message on failed pubkey-from-file
    - libssh: cap SFTP packet size sent
    - MQTT: improve receive of ACKs

OBS-URL: https://build.opensuse.org/request/show/1116809
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=346
2023-10-11 07:00:14 +00:00
c2052591a4 Accepting request 1110820 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 8.3.0: [bsc#1215026, CVE-2023-38039]
  * Changes:
    - curl: make %output{} in -w specify a file to write to
    - gskit: remove
    - lib: --disable-bindlocal builds curl without local binding support
    - nss: remove support for this TLS library
    - tool: add "variable" support
    - trace: make tracing available in non-debug builds
    - url: change default value for CURLOPT_MAXREDIRS to 30
    - urlapi: CURLU_PUNY2IDN - convert from punycode to IDN name
  * Bugfixes:
    - altsvc: accept and parse IPv6 addresses in response headers
    - asyn-ares: reduce timeout to 2000ms
    - aws-sigv4: canonicalize the query
    - aws-sigv4: fix having date header twice in some cases
    - aws-sigv4: handle no-value user header entries
    - c-hyper: adjust the hyper to curlcode conversion
    - c-hyper: fix memory leaks in `Curl_http`
    - cf-haproxy: make CURLOPT_HAPROXY_CLIENT_IP set the *source* IP
    - cf-socket: log successful interface bind
    - cmake: add GnuTLS option
    - cmake: add support for `CURL_DEFAULT_SSL_BACKEND`
    - cmake: detect `SSL_set0_wbio` in OpenSSL
    - configure: trust pkg-config when it's used for zlib
    - configure: use the pkg-config --libs-only-l flag for libssh2
    - connect: stop halving the remaining timeout when less than 600 ms left
    - crypto: ensure crypto initialization works
    - digest: Use hostname to generate spn instead of realm
    - ftp: fix temp write of ipv6 address
    - headers: accept leading whitespaces on first response header

OBS-URL: https://build.opensuse.org/request/show/1110820
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=344
2023-09-13 07:24:13 +00:00
0affaeb7d2 Accepting request 1101172 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 8.2.1:
  * Bugfixes:
    - cfilters: rename close/connect functions to avoid clashes
    - ciphers.d: put URL in first column
    - cmake: add 'libcurlu'/'libcurltool' for unit tests
    - cmake: update ngtcp2 detection
    - configure: check for nghttp2_session_get_stream_local_window_size
    - docs: mark two TLS options for TLS, not SSL
    - docs: provide more see also for cipher options
    - hostip: return IPv6 first for localhost resolves
    - http2: fix regression on upload EOF handling
    - http: VLH, very large header test and fixes
    - libcurl-errors.3: add CURLUE_OK
    - os400: correct EXPECTED_STRING_LASTZEROTERMINATED
    - quiche: fix lookup of transfer at multi
    - quiche: fix segfault and other things
    - rustls: update rustls-ffi 0.10.0
    - socks: print ipv6 address within brackets
    - src/mkhelp: strip off escape sequences
    - tool: fix tool_seek_cb build when SIZEOF_CURL_OFF_T > SIZEOF_OFF_T
    - transfer: do not clear the credentials on redirect to absolute URL
    - unittest: remove unneeded *_LDADD
    - websocket: rename arguments/variables to match docs

OBS-URL: https://build.opensuse.org/request/show/1101172
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=342
2023-07-28 09:15:05 +00:00
4425a855f3 Accepting request 1099398 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 8.2.0 [bsc#1213237, CVE-2023-32001]
  * Security fix:
    - CVE-2023-32001: fopen race condition
  * Changes:
    - curl: add --ca-native and --proxy-ca-native
    - curl: add --trace-ids
    - CURLOPT_MAIL_RCPT_ALLOWFAILS: replace CURLOPT_MAIL_RCPT_ALLLOWFAILS
    - haproxy: add --haproxy-clientip flag to set client IPs
    - lib: add CURLINFO_CONN_ID and CURLINFO_XFER_ID 
  * Bugfixes:
    - cf-socket: don't bypass fclosesocket callback if cancelled before connect
    - cf-socket: skip getpeername()/getsockname for TFTP
    - curl: count uploaded data to stop at the originally given size
    - curl: return error when asked to use an unsupported HTTP version
    - http2: fix crash in handling stream weights
    - http2: send HEADER & DATA together if possible
    - http3/ngtcp2: upload EAGAIN handling
    - http: rectify the outgoing Cookie: header field size check
    - hyper: fix EOF handling on input
    - imap: Provide method to disable SASL if it is advertised
    - libssh2: provide error message when setting host key type fails
    - libssh2: use custom memory functions
    - ngtcp2: assigning timeout, but value is overwritten before used
    - quiche: avoid NULL deref in debug logging
    - sectransp: fix EOF handling
    - system.h: remove __IBMC__/__IBMCPP__ guards and apply to all z/OS compiles
    - timeval: use CLOCK_MONOTONIC_RAW if available
    - tls13-ciphers.d: include Schannel
    - tool_easysrc.h: correct `easysrc_perform` for `CURL_DISABLE_LIBCURL_OPTION`
    - tool_operate: allow cookie lines up to 8200 bytes

OBS-URL: https://build.opensuse.org/request/show/1099398
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=340
2023-07-19 07:19:58 +00:00
a23bbbdc87 Accepting request 1089769 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 8.1.2:
  * Bugfixes:
    - configure: quote the assignments for run-compiler
    - configure: without pkg-config and no custom path, use -lnghttp2
    - curl: cache the --trace-time value for a second
    - http2: fix EOF handling on uploads with auth negotiation
    - http3: send EOF indicator early as possible
    - lib1560: verify more scheme guessing
    - lib: remove unused functions, make single-use static
    - libcurl.m4: remove trailing 'dnl' that causes this to break autoconf
    - libssh: when keyboard-interactive auth fails, try password
    - misc: fix spelling mistakes
    - page-header: mention curl version and how to figure out current release
    - page-header: minor wording polish in the URL segment
    - scripts/singleuse.pl: add more API calls
    - urlapi: remove superfluous host name check

OBS-URL: https://build.opensuse.org/request/show/1089769
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=338
2023-05-30 09:24:37 +00:00
c6f9420987 Accepting request 1088597 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 8.1.1:
  * Bugfixes:
    - cf-socket: completely remove the disabled
      USE_RECV_BEFORE_SEND_WORKAROUND
    - checksrc: disallow spaces before labels
    - curl_easy_getinfo: clarify on return data types
    - docs: document that curl_url_cleanup(NULL) is a safe no-op
    - hostip: move easy_lock.h include above curl_memory.h
    - http2: double http request parser max line length
    - http2: increase stream window size to 10 MB
    - lib: rename struct 'http_req' to 'httpreq'
    - ngtcp2: proper handling of uint64_t when adjusting send buffer
    - sectransp.c: make the code c89 compatible
    - select: avoid returning an error on EINTR from select() or poll()
    - url: provide better error message when URLs fail to parse
    - urlapi: allow numerical parts in the host name

OBS-URL: https://build.opensuse.org/request/show/1088597
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=336
2023-05-23 10:38:02 +00:00
ffa320e2d1 Accepting request 1087550 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
* Security fixes:
    - UAF in SSH sha256 fingerprint [bsc#1211230, CVE-2023-28319]
    - siglongjmp race condition [bsc#1211231, CVE-2023-28320]
    - IDN wildcard match [bsc#1211232, CVE-2023-28321]
    - POST-after-PUT confusion [bsc#1211233, CVE-2023-28322]
    - See also: https://curl.se/docs/security.html
    - See full changelog here: https://curl.se/changes.html#8_1_0

OBS-URL: https://build.opensuse.org/request/show/1087550
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=334
2023-05-17 11:44:39 +00:00
acc7ff54e6 Accepting request 1087532 from home:david.anes:branches:devel:libraries:c_c++
- Update to 8.1.0:
  * Changes:
    - curl: add --proxy-http2
    - CURLPROXY_HTTPS2: for HTTPS proxy that may speak HTTP/2
    - hostip: refuse to resolve the .onion TLD
    - tool_writeout: add URL component variables  
  * Bugfixes:
    - Many bugfixes. See full changelog here: https://curl.se/changes.html#8_1_0

OBS-URL: https://build.opensuse.org/request/show/1087532
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=333
2023-05-17 11:31:06 +00:00
1175ea57d1 Accepting request 1073488 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 8.0.1:
  * Bugfixes:
    - fix crash in curl_easy_cleanup

OBS-URL: https://build.opensuse.org/request/show/1073488
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=331
2023-03-21 09:00:32 +00:00
4a9f41fa87 Accepting request 1073050 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 8.0.0:
  * Security fixes:
    - TELNET option IAC injection [bsc#1209209, CVE-2023-27533]
    - SFTP path ~ resolving discrepancy [bsc#1209210, CVE-2023-27534]
    - FTP too eager connection reuse [bsc#1209211, CVE-2023-27535]
    - GSS delegation too eager connection re-use [bsc#1209212, CVE-2023-27536]
    - HSTS double-free [bsc#1209213, CVE-2023-27537]
    - SSH connection too eager reuse still [bsc#1209214, CVE-2023-27538]
  * Changes:
    - build: remove support for curl_off_t < 8 bytes 
  * Bugfixes:
    - aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3
    - BINDINGS: add Fortran binding
    - cf-socket: use port 80 when resolving name for local bind
    - cookie: don't load cookies again when flushing
    - curl_path: create the new path with dynbuf
    - CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe
    - DYNBUF.md: note Curl_dyn_add* calls Curl_dyn_free on failure
    - ftp: active mode with SSL, add the filter
    - hostip: avoid sscanf and extra buffer copies
    - http2: fix for http2-prior-knowledge when reusing connections
    - http2: fix handling of RST and GOAWAY to recognize partial transfers
    - http: don't send 100-continue for short PUT requests
    - http: fix unix domain socket use in https connects
    - libssh: use dynbuf instead of realloc
    - ngtcp2-gnutls.yml: bump to gnutls 3.8.0
    - sectransp: make read_cert() use a dynbuf when loading
    - telnet: only accept option arguments in ascii
    - telnet: parse telnet options without sscanf
    - url: fix the SSH connection reuse check

OBS-URL: https://build.opensuse.org/request/show/1073050
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=330
2023-03-20 08:30:14 +00:00
4e4d9e6376 Accepting request 1066794 from home:Guillaume_G:branches:devel:libraries:c_c++
- Update to 7.88.1:
  * Bugfix release
- Drop upstreamed patch:
  * curl-fix-uninitialized-value-in-tests.patch

OBS-URL: https://build.opensuse.org/request/show/1066794
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=328
2023-02-20 11:03:09 +00:00
bee35a323f Accepting request 1066056 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 7.88.0: [bsc#1207990, CVE-2023-23914]
  [bsc#1207991, CVE-2023-23915] [bsc#1207992, CVE-2023-23916]
  * Security fixes:
    - CVE-2023-23914: HSTS ignored on multiple requests
    - CVE-2023-23915: HSTS amnesia with --parallel
    - CVE-2023-23916: HTTP multi-header compression denial of service
  * Changes:
    - curl.h: add CURL_HTTP_VERSION_3ONLY
    - share: add sharing of HSTS cache among handles
    - src: add --http3-only
    - tool_operate: share HSTS between handles
    - urlapi: add CURLU_PUNYCODE
    - writeout: add %{certs} and %{num_certs}
  * Bugfixes:
    - cf-socket: keep sockaddr local in the socket filters
    - cfilters:Curl_conn_get_select_socks: use the first non-connected filter
    - curl.h: allow up to 10M buffer size
    - curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
    - curl/websockets.h: extend the websocket frame struct
    - curl: output warning at --verbose output for debug-enabled version
    - curl_free.3: fix return type of `curl_free`
    - curl_log: for failf/infof and debug logging implementations
    - dict: URL decode the entire path always
    - docs/DEPRECATE.md: deprecate gskit
    - easyoptions: fix header printing in generation script
    - haxproxy: send before TLS handhshake
    - hsts.d: explain hsts more
    - hsts: handle adding the same host name again
    - HTTP/[23]: continue upload when state.drain is set
    - http: decode transfer encoding first

OBS-URL: https://build.opensuse.org/request/show/1066056
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=327
2023-02-15 21:29:29 +00:00
David Anes
2c31e47564 Accepting request 1044030 from home:david.anes:branches:devel:libraries:c_c++
- Update to 7.87.0: 
  * Security fixes:
    - CVE-2022-43551, bsc#1206308: another HSTS bypass via IDN
    - CVE-2022-43552, bsc#1206309: HTTP Proxy deny use-after-free
  * Changes
    - curl: add --url-query
    - CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit
    - lib: add CURL_WRITEFUNC_ERROR to signal write callback error
    - openssl: reduce CA certificate bundle reparsing by caching
    - version: add a feature names array to curl_version_info_data 
  * Bugfixes
    - altsvc: fix rejection of negative port numbers
    - aws_sigv4: consult x-%s-content-sha256 for payload hash
    - aws_sigv4: fix typos in aws_sigv4.c
    - base64: better alloc size
    - base64: encode without using snprintf
    - base64: faster base64 decoding
    - build: assume assert.h is always available
    - build: assume errno.h is always available
    - c-hyper: CONNECT respones are not server responses
    - c-hyper: fix multi-request mechanism
    - CI: Change FreeBSD image from 12.3 to 12.4
    - CI: LGTM.com will be shut down in December 2022
    - ci: Remove zuul fuzzing job as it's superseded by CIFuzz
    - cmake: check for cross-compile, not for toolchain
    - CMake: fix build with `CURL_USE_GSSAPI`
    - cmake: really enable warnings with clang
    - cmake: set the soname on the shared library
    - cmdline-opts/gen.pl: fix the linkifier
    - cmdline-opts/page-footer: remove long option nroff formatting

OBS-URL: https://build.opensuse.org/request/show/1044030
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=325
2022-12-21 09:09:08 +00:00
David Anes
ad1aae2453 Accepting request 1035938 from home:luc14n0:branches:devel:libraries:c_c++
Add 1.50.0 as the minimum libnghttp2 build requirement version as
  a bandaid. Curl's 7.86.0 release introduces the use of nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation, introduced by nghttp2 1.50.0 release, without introducing a check for the function/right version in their build scripts.

OBS-URL: https://build.opensuse.org/request/show/1035938
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=323
2022-11-16 08:43:02 +00:00
abfeb2c0ec Accepting request 1031305 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 7.86.0:
  * Security fixes:
    - POST following PUT confusion [bsc#1204383, CVE-2022-32221]
    - .netrc parser out-of-bounds access [bsc#1204384, CVE-2022-35260]
    - HTTP proxy double-free [bsc#1204385, CVE-2022-42915]
    - HSTS bypass via IDN [bsc#1204386, CVE-2022-42916]
  * Changes:
    - NPN: remove support for and use of
    - Websockets: initial support
  * Bugfixes:
    - altsvc: reject bad port numbers
    - autotools: reduce brute-force when detecting recv/send arg list
    - aws_sigv4: fix header computation
    - cli tool: do not use disabled protocols
    - connect: change verbose IPv6 address:port to [address]:port
    - connect: fix builds without AF_INET6
    - connect: fix Curl_updateconninfo for TRNSPRT_UNIX
    - connect: fix the wrong error message on connect failures
    - content_encoding: use writer struct subclasses for different encodings
    - cookie: reject cookie names or content with TAB characters
    - curl/add_file_name_to_url: use the libcurl URL parser
    - curl/get_url_file_name: use libcurl URL parser
    - curl: warn for --ssl use, considered insecure
    - docs/libcurl/symbols-in-versions: add several missing symbols
    - ftp: ignore a 550 response to MDTM
    - functypes: provide the recv and send arg and return types
    - getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled
    - header: define public API functions as extern c
    - headers: reset the requests counter at transfer start
    - hostip: guard PF_INET6 use

OBS-URL: https://build.opensuse.org/request/show/1031305
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=321
2022-10-26 09:49:48 +00:00
881171ebca Accepting request 1008961 from home:vulyanov:branches:Virtualization
- Update connection info when using UNIX socket as endpoint
  connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch

OBS-URL: https://build.opensuse.org/request/show/1008961
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=319
2022-10-10 08:08:34 +00:00
c9f82120ba Accepting request 1000420 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 7.85.0:
  * Security fixes: [bsc#1202593, CVE-2022-35252]
    - control code in cookie denial of service
  * Changes:
    - quic: add support via wolfSSL
    - schannel: Add TLS 1.3 support
    - setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR
  * Bugfixes:
    - asyn-thread: fix socket leak on OOM
    - asyn-thread: make getaddrinfo_complete return CURLcode
    - base64: base64url encoding has no padding
    - configure: fix broken m4 syntax in TLS options
    - configure: if asked to use TLS, fail if no TLS lib was detected
    - connect: add quic connection information
    - connect: set socktype/protocol correctly
    - cookie: reject cookies with "control bytes"
    - cookie: treat a blank domain in Set-Cookie: as non-existing
    - curl: output warning when a cookie is dropped due to size
    - Curl_close: call Curl_resolver_cancel to avoid memory-leak
    - digest: fix memory leak, fix not quoted 'opaque'
    - digest: fix missing increment of 'nc' value for auth-int
    - digest: pass over leading spaces in qop values
    - digest: reject broken header with session protocol but without qop
    - doh: use https protocol by default
    - easy_lock.h: include sched.h if available to fix build
    - easy_lock.h: use __asm__ instead of asm to fix build
    - easy_lock: switch to using atomic_int instead of bool
    - ftp: use a correct expire ID for timer expiry
    - h2h3: fix overriding the 'TE: Trailers' header
    - hostip: resolve *.localhost to 127.0.0.1/::1

OBS-URL: https://build.opensuse.org/request/show/1000420
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=317
2022-08-31 11:55:07 +00:00
2485d02a96 Accepting request 990903 from home:dirkmueller:Factory
- add tests-for-32bit.patch to fix testsuite on 32bit platforms

OBS-URL: https://build.opensuse.org/request/show/990903
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=315
2022-07-24 19:39:09 +00:00
David Anes
c3baa6d82e Accepting request 985355 from home:david.anes:branches:devel:libraries:c_c++
- Update to 7.84.0:
  * Security fixes:
    - (bsc#1200737, CVE-2022-32208): FTP-KRB bad message verification
    - (bsc#1200736, CVE-2022-32207): Unpreserved file permissions
    - (bsc#1200735, CVE-2022-32206): HTTP compression denial of service
    - (bsc#1200734, CVE-2022-32205): Set-Cookie denial of service
  * Changes:
    - curl: add --rate to set max request rate per time unit
    - curl: deprecate --random-file and --egd-file
    - curl_version_info: add CURL_VERSION_THREADSAFE
    - CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl
    - lib: make curl_global_init() threadsafe when possible
    - libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION
    - opts: deprecate RANDOM_FILE and EGDSOCKET
    - socks: support unix sockets for socks proxy 
  * Bugfixes:
    - aws-sigv4: fix potentional NULL pointer arithmetic
    - bindlocal: don't use a random port if port number would wrap
    - c-hyper: mark status line as status for Curl_client_write()
    - ci: avoid `cmake -Hpath`
    - CI: bump FreeBSD 13.0 to 13.1
    - ci: update github actions
    - cmake: add libpsl support
    - cmake: do not add libcurl.rc to the static libcurl library
    - cmake: enable curl.rc for all Windows targets
    - cmake: fix detecting libidn2
    - cmake: support adding a suffix to the OS value
    - configure: skip libidn2 detection when winidn is used
    - configure: use the SED value to invoke sed
    - configure: warn about rustls being experimental

OBS-URL: https://build.opensuse.org/request/show/985355
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=314
2022-06-27 15:29:40 +00:00
David Anes
d14347c3d1 Accepting request 976221 from home:david.anes:branches:devel:libraries:c_c++
- Update to 7.83.1:
  * Security fixes:
    - (bsc#1199225, CVE-2022-30115) HSTS bypass via trailing dot 
    - (bsc#1199224, CVE-2022-27782) TLS and SSH connection too eager reuse
    - (bsc#1199223, CVE-2022-27781) CERTINFO never-ending busy-loop
    - (bsc#1199222, CVE-2022-27780) percent-encoded path separator in URL host
    - (bsc#1199221, CVE-2022-27779) cookie for trailing dot TLD
    - (bsc#1199220, CVE-2022-27778) removes wrong file on error
  * Bugfixes:
    - altsvc: fix host name matching for trailing dots
    - cirrus: Update to FreeBSD 12.3
    - cirrus: Use pip for Python packages on FreeBSD
    - conn: fix typo 'connnection' -> 'connection' in two function names
    - cookies: make bad_domain() not consider a trailing dot fine
    - curl: free resource in error path
    - curl: guard against size_t wraparound in no-clobber code
    - CURLOPT_DOH_URL.3: mention the known bug
    - CURLOPT_HSTS*FUNCTION.3: document the involved structs as well
    - CURLOPT_SSH_AUTH_TYPES.3: fix the default
    - data/test376: set a proper name
    - GHA/mbedtls: enabled nghttp2 in the build
    - gha: build msh3
    - gskit: fixed bogus setsockopt calls
    - gskit: remove unused function set_callback
    - hsts: ignore trailing dots when comparing hosts names
    - HTTP-COOKIES: add missing CURLOPT_COOKIESESSION
    - http: move Curl_allow_auth_to_host()
    - http_proxy/hyper: handle closed connections
    - hyper: fix test 357
    - Makefile: fix "make ca-firefox"

OBS-URL: https://build.opensuse.org/request/show/976221
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=312
2022-05-11 08:03:48 +00:00
73128f1a05 Accepting request 973058 from home:david.anes:branches:devel:libraries:c_c++
- Patches rework:
  * Refreshed all patches as -p1.
  * Use autopatch macro.
  * Renamed: 
    - dont-mess-with-rpmoptflags.diff -> dont-mess-with-rpmoptflags.patch
  * Removed (already upstream):
    - curl-fix-verifyhost.patch
- Update to 7.83.0:
  * Security fixes:
    - (bsc#1198766, CVE-2022-27776) Auth/cookie leak on redirect
    - (bsc#1198723, CVE-2022-27775) Bad local IPv6 connection reuse
    - (bsc#1198608, CVE-2022-27774) Credential leak on redirect
    - (bsc#1198614, CVE-2022-22576) OAUTH2 bearer bypass in connection re-use
  * Changes:
    - curl: add %header{name} experimental support in -w handling
    - curl: add %{header_json} experimental support in -w handling
    - curl: add --no-clobber
    - curl: add --remove-on-error
    - header api: add curl_easy_header and curl_easy_nextheader
    - msh3: add support for QUIC and HTTP/3 using msh3 
  * Bugfixes:
    - appveyor: add Cygwin build
    - appveyor: only add MSYS2 to PATH where required
    - BearSSL: add CURLOPT_SSL_CIPHER_LIST support
    - BearSSL: add CURLOPT_SSL_CTX_FUNCTION support
    - BINDINGS.md: add Hollywood binding
    - CI: Do not use buildconf. Instead, just use: autoreconf -fi
    - CI: install Python package impacket to run SMB test 1451
    - configure.ac: move -pthread CFLAGS setting back where it used to be
    - configure: bump the copyright year range int the generated output

OBS-URL: https://build.opensuse.org/request/show/973058
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=310
2022-04-27 09:43:43 +00:00
f208095dfb Accepting request 961109 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Fix: openssl: fix CN check error code
  * Add curl-fix-verifyhost.patch

OBS-URL: https://build.opensuse.org/request/show/961109
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=308
2022-03-11 17:48:51 +00:00
fe8fb266fc Accepting request 960571 from home:jengelh:branches:devel:libraries:c_c++
Curate changelog.
Highlight what's immediately user-visible. Trim e.g.
 - everything related to build procedure, does not affect the user
 - everything non-Linux
 - everything non-openssl

OBS-URL: https://build.opensuse.org/request/show/960571
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=307
2022-03-11 16:35:24 +00:00
5bdc7bb95b Accepting request 959799 from home:polslinux:branches:devel:libraries:c_c++
- Update to 7.82.0:
  * curl: add --json
  * mesalink: remove support 
  * bearssl: fix connect error on expired cert and no verify
  * bearssl: fix EXC_BAD_ACCESS on incomplete CA cert
  * bearssl: fix session resumption (session id)
  * build: enable -Warith-conversion
  * build: fix -Wenum-conversion handling
  * build: fix ngtcp2 crypto library detection
  * checkprefix: remove strlen calls
  * checksrc: fix typo in comment
  * cmdline-opts/gen.pl: fix option matching to improve references
  * config.d: Clarify _curlrc filename is still valid on Windows
  * curl tool: erase some more sensitive command line arguments
  * curl-functions.m4: fix LIBRARY_PATH adjustment to avoid eval
  * curl-functions.m4: revert DYLD_LIBRARY_PATH tricks in CURL_RUN_IFELSE
  * curl-openssl: fix SRP check for OpenSSL 3.0
  * curl-openssl: remove the OpenSSL headers and library versions check
  * curl.h: fix typo
  * curl: remove "separators" (when using globbed URLs)
  * curl_getdate.3: remove pointless .PP line
  * curl_multi_socket.3: remove callback and typical usage descriptions
  * curl_url_set.3: mention when CURLU_ALLOW_SPACE was added
  * CURLMOPT_TIMERFUNCTION/DATA.3: fix the examples
  * CURLOPT_PROGRESSFUNCTION.3: fix example struct assignment
  * CURLOPT_RESOLVE.3: change example port to 443
  * CURLOPT_XFERINFOFUNCTION.3: fix example struct assignment
  * CURLOPT_XFERINFOFUNCTION.3: fix typo in example
  * CURLSHOPT_LOCKFUNC.3: fix typo "relased" -> "released"
  * des: fix compile break for OpenSSL without DES

OBS-URL: https://build.opensuse.org/request/show/959799
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=306
2022-03-08 13:14:24 +00:00
5914d9e419 Accepting request 945157 from home:dirkmueller:Factory
- update to 7.81.0:
  * mime: use percent-escaping for multipart form field and file names
  * asyn-ares: ares_getaddrinfo needs no happy eyeballs timer
  * azure: make the "w/o HTTP/SMTP/IMAP" build disable SSL proper
  * BINDINGS: add cURL client for PostgreSQL
  * BINDINGS: add one from Everything curl and update a link
  * checksrc: detect more kinds of NULL comparisons we avoid
  * CI: build examples for additional code verification
  * CI: bump job to use mbedtls 3.1.0
  * cmake: don't set _USRDLL on a static Windows build
  * cmake: prevent dev warning due to mismatched arg
  * cmake: private identifiers use CURL_ instead of CMAKE_ prefix
  * config.d: update documentation to match the path search
  * configure: add -lm to configure for rustls build.
  * configure: better diagnostics if hyper is built wrong
  * configure: don't enable TLS when --without-* flags are used
  * configure: fix runtime-lib detection on macOS
  * curl.1: require "see also" for every documented option
  * curl: improve error message for --head with -J
  * curl_easy_cleanup.3: remove from multi handle first
  * curl_easy_escape.3: call curl_easy_cleanup in example
  * curl_easy_unescape.3: call curl_easy_cleanup in example
  * curl_multi_init.3: fix EXAMPLE formatting
  * curl_multi_perform/socket_action.3: clarify what errors mean
  * curl_share_setopt.3: split out options into their own manpages
  * CURLOPT_STDERR.3: does not work with libcurl as a win32 DLL
  * digest: compute user:realm:pass digest w/o userhash
  * docs/checksrc: Add documentation for STRERROR
  * docs/cmdline-opts: do not say "protocols: all"
  * docs/examples: workaround broken -Wno-pedantic-ms-format

OBS-URL: https://build.opensuse.org/request/show/945157
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=305
2022-01-10 09:11:10 +00:00
e97fe00771 Accepting request 931828 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 7.80.0:
  * Changes:
    - CURLOPT_MAXLIFETIME_CONN: maximum allowed lifetime for conn reuse
    - CURLOPT_PREREQFUNCTION: add new callback
    - libssh2: add SHA256 fingerprint support
    - urlapi: add curl_url_strerror()
  * Bugfixes:
    - aws-sigv4: make signature work when post data is binary
    - c-hyper: don't abort CONNECT responses early when auth-in-progress
    - c-hyper: make CURLOPT_SUPPRESS_CONNECT_HEADERS work
    - cmake: add CURL_ENABLE_SSL option
    - cmake: with OpenSSL, define OPENSSL_SUPPRESS_DEPRECATED
    - configure.ac: replace krb5-config with pkg-config
    - configure: when hyper is selected, deselect nghttp2
    - curl-confopts.m4: remove --enable/disable-hidden-symbols
    - curl-openssl.m4: modify library order for openssl linking
    - curl_ntlm_core: use OpenSSL only if DES is available
    - Curl_updateconninfo: store addresses for QUIC connections too
    - ftp: make the MKD retry to retry once per directory
    - http: fix Basic auth with empty name field in URL
    - http: reject HTTP response codes < 100
    - http: remove assert that breaks hyper
    - http: set content length earlier
    - imap: display quota information
    - libssh2: Get the version at runtime if possible
    - md5: fix compilation with OpenSSL 3.0 API
    - ngtcp2: advertise h3 as well as h3-29
    - ngtcp2: compile with the latest nghttp3
    - ngtcp2: use latest QUIC TLS RFC9001
    - NTLM: use DES_set_key_unchecked with OpenSSL

OBS-URL: https://build.opensuse.org/request/show/931828
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=304
2021-11-19 08:25:50 +00:00
a05c4a5cbc Accepting request 921012 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 7.79.1:
  * Bugfixes:
    - Curl_http2_setup: don't change connection data on repeat invokes
    - curl_multi_fdset: make FD_SET() not operate on sockets out of range
    - dist: provide lib/.checksrc in the tarball
    - FAQ: add GOPHERS + curl works on data, not files
    - hsts: CURLSTS_FAIL from hsts read callback should fail transfer
    - hsts: handle unlimited expiry
    - http: fix the broken >3 digit response code detection
    - strerror: use sys_errlist instead of strerror on Windows
    - test1184: disable: https://github.com/curl/curl/issues/7725
    - tests/sshserver.pl: make it work with openssh-8.7p1

OBS-URL: https://build.opensuse.org/request/show/921012
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=303
2021-09-24 13:46:57 +00:00
da230172cc Accepting request 919261 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Temporarily disable flaky test 1184
  * See https://github.com/curl/curl/issues/7725

OBS-URL: https://build.opensuse.org/request/show/919261
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=302
2021-09-15 15:41:06 +00:00
1afbf91ed8 Accepting request 919068 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 7.79.0: [bsc#1190213, CVE-2021-22945]
  [bsc#1190373, CVE-2021-22946] [bsc#1190374, CVE-2021-22947]
  * Changes:
    - bearssl: support CURLOPT_CAINFO_BLOB
    - http: consider cookies over localhost to be secure
    - secure transport: support CURLINFO_CERTINFO
  * Bugfixes:
    - CVE-2021-22945: clear the leftovers pointer when sending succeeds
    - CVE-2021-22946: do not ignore --ssl-reqd
    - CVE-2021-22947: reject STARTTLS server response pipelining
    - auth: do not append zero-terminator to authorisation id in kerberos
    - auth: properly handle byte order in kerberos security message
    - auth: use sasl authzid option in kerberos
    - auth: we do not support a security layer after kerberos authentication
    - c-hyper: deal with Expect: 100-continue combined with POSTFIELDS
    - c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection
    - c-hyper: initial step for 100-continue support
    - c-hyper: initial support for "dumping" 1xx HTTP responses
    - curl-openssl.m4: show correct output for OpenSSL v3
    - docs/MQTT: update state of username/password support
    - docs: the security list is reached at security at curl.se now
    - getparameter: fix the --local-port number parser
    - hostip: Make Curl_ipv6works function independent of getaddrinfo
    - http_proxy: fix the User-Agent inclusion in CONNECT
    - http_proxy: fix user-agent and custom headers for CONNECT with hyper
    - http_proxy: only wait for writable socket while sending request
    - mailing lists: move from cool.haxx.se to lists.haxx.se
    - mbedtls: avoid using a large buffer on the stack
    - mbedTLS: initial 3.0.0 support
    - ngtcp2: remove the acked_crypto_offset struct field init

OBS-URL: https://build.opensuse.org/request/show/919068
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=301
2021-09-15 08:46:22 +00:00
b3548a3228 Accepting request 907429 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 7.78.0:
  [bsc#1188217, CVE-2021-22922][bsc#1188218, CVE-2021-22923]
  [bsc#1188219, CVE-2021-22924][bsc#1188220, CVE-2021-22925]
  * Changes:
    - curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE
    - CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax
    - hostip: make 'localhost' return fixed values
    - mbedtls: add support for cert and key blob options
    - metalink: remove all support for it
    - mqtt: add support for username and password
  * Bugfixes:
    - ares: always store IPv6 addresses first
    - c-hyper: abort CONNECT response reading early on non 2xx responses
    - c-hyper: add support for transfer-encoding in the request
    - c-hyper: bail on too long response headers
    - c-hyper: clear NTLM auth buffer when request is issued
    - c-hyper: fix NTLM on closed connection tested with test159
    - conncache: lowercase the hash key for better match
    - curl_multibyte: Remove local encoding fallbacks
    - Curl_ntlm_core_mk_nt_hash: fix OOM in error path
    - Curl_ssl_getsessionid: fail if no session cache exists
    - easy: during upkeep, attach Curl_easy to connections in the cache
    - gnutls: set the preferred TLS versions in correct order
    - hsts: ignore numberical IP address hosts
    - HSTS: not experimental anymore
    - http2: init recvbuf struct for pushed streams
    - http: fix crash in rate-limited upload
    - http: make the haproxy support work with unix domain sockets
    - http_proxy: deal with non-200 CONNECT response with Hyper
    - lib: don't compare fd to FD_SETSIZE when using poll

OBS-URL: https://build.opensuse.org/request/show/907429
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=300
2021-07-21 07:38:07 +00:00
1ac72d6f7d Accepting request 895500 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 7.77.0: [bsc#1186114, CVE-2021-22898]
  [bsc#1186115, bsc#1185579, CVE-2021-22901]
  * Security fixes:
    - CVE-2021-22297: schannel cipher selection surprise
    - CVE-2021-22298: TELNET stack contents disclosure
    - CVE-2021-22901: TLS session caching disaster
  * Changes:
    - configure: make the TLS library choice(s) explicit
    - curl: ignore options asking for SSLv2 or SSLv3
    - hsts: enable by default
    - SSL: support in-memory CA certs for some backends
    - vtls: refuse setting any SSL version 
  * Bugfixes:
    - configure: provide --with-openssl, deprecate --with-ssl
    - cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies
    - curl: include libmetalink version in --version output
    - data_pending: check only SECONDARY socket for FTP(S) transfers
    - gnutls: don't allow TLS 1.3 for versions that don't support it
    - gnutls: make setting only the MAX TLS allowed version work
    - http2: fix resource leaks in set_transfer_url() and push_promise()
    - http: limit the initial send amount to used upload buffer size
    - rustls: only return CURLE_AGAIN when TLS session is fully drained
    - rustls: use ALPN
    - schannel: Disable auto credentials; add an option to enable it
    - schannel: Support strong crypto option
    - sectransp: allow cipher name to be specified
    - sockfilt: avoid getting stuck waiting for writable socket

OBS-URL: https://build.opensuse.org/request/show/895500
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=298
2021-05-28 08:58:36 +00:00
c7f22ba641 Accepting request 888337 from home:dirkmueller:Factory
- update to 7.76.1:
  - ngtcp2: Use ALPN h3-29 for now
  - TODO: remove 18.22 --fail-with-body

OBS-URL: https://build.opensuse.org/request/show/888337
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=296
2021-04-26 08:24:36 +00:00
2d844b09a9 Accepting request 882316 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 7.76.0
  * Security fixes:
    - [bsc#1183933, CVE-2021-22876]: strip credentials from the
	    auto-referer header field
    - [bsc#1183934, CVE-2021-22890]: add 'isproxy' argument to
	    Curl_ssl_get/addsessionid()
  * Changes:
    - cookies: Support multiple -b parameters
    - curl: add --fail-with-body
    - doh: add options to disable ssl verification
    - http: add support to read and store the referrer header
    - sasl: support SCRAM-SHA-1 and SCRAM-SHA-256 via libgsasl
    - vtls: initial implementation of rustls backend
  * Bugfixes:
    - CVE-2021-22876: strip credentials from the auto-referer header field
    - CVE-2021-22890: add 'isproxy' argument to Curl_ssl_get/addsessionid()
    - c-hyper: support automatic content-encoding
    - configure: only add OpenSSL paths if they are defined
    - configure: provide Largefile feature for curl-config
    - curl: set CURLOPT_NEW_FILE_PERMS if requested
    - doh: Fix sharing user's resolve list with DOH handles
    - doh: Inherit CURLOPT_STDERR from user's easy handle
    - dynbuf: bump the max HTTP request to 1MB
    - ftp: add 'list_only' to the transfer state struct
    - ftp: add 'prefer_ascii' to the transfer state struct
    - ftp: allow SIZE to fail when doing (resumed) upload
    - ftp: avoid SIZE when asking for a TYPE A file
    - ftp: fix memory leak in ftp_done
    - ftp: never set data->set.ftp_append outside setopt
    - gnutls: assume nettle crypto support

OBS-URL: https://build.opensuse.org/request/show/882316
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=294
2021-04-03 13:31:06 +00:00
98afeb4ad0 Accepting request 876802 from home:elvigia:branches:devel:libraries:c_c++
- Harden build, enable full RELRO
- Never allow undefined symbols anywhere.

OBS-URL: https://build.opensuse.org/request/show/876802
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=292
2021-03-05 07:59:37 +00:00
5e99168233 Accepting request 869220 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 7.75.0
  * Changes:
    - curl: add --create-file-mode [mode]
    - curl: add new variables to --write-out
    - dns: extend CURLOPT_RESOLVE syntax for adding non-permanent entries
    - gopher: implement secure gopher protocol
    - http: add Hyper as new optional HTTP backend
    - http: introduce AWS HTTP v4 Signature support 
  * Bugfixes:
    - cmake: Add an option to disable libidn2
    - cmake: enable gophers correctly in curl-config
    - cmake: expose CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
    - digest_sspi: Show InitializeSecurityContext errors in verbose mode
    - getinfo: build with disabled HTTP support
    - http: get CURLOPT_REQUEST_TARGET working with a HTTP proxy
    - http_proxy: Fix CONNECT chunked encoding race condition
    - httpauth: make multi-request auth work with custom port
    - lib: pass in 'struct Curl_easy *' to most functions
    - lib: remove Curl_ prefix from many static functions
    - lib: save a bit of space with some structure packing
    - libssh: avoid plain free() of libssh-memory
    - mime: make sure setting MIMEPOST to NULL resets properly
    - multi_runsingle: bail out early on data->conn == NULL
    - ngtcp2: Fix http3 upload stall
    - ngtcp2: Fix stack buffer overflow
    - openssl: lowercase the hostname before using it for SNI
    - socks: use the download buffer instead
    - speedcheck: exclude paused transfers
    - tooĺ_writeout: fix the -w time output units
    - url: if IDNA conversion fails, fallback to Transitional

OBS-URL: https://build.opensuse.org/request/show/869220
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=291
2021-02-04 14:43:03 +00:00
58aa3f944e Accepting request 856926 from home:elvigia:branches:devel:libraries:c_c++
- Enable zstd and brotli support

OBS-URL: https://build.opensuse.org/request/show/856926
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=289
2020-12-21 18:23:18 +00:00
4faea07c93 Accepting request 856452 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 7.74.0 
  * Changes:
    hsts: add experimental support for Strict-Transport-Security
  * Bugfixes:
    - Inferior OCSP verification  [bsc#1179593, CVE-2020-8286]
    - FTP wildcard stack overflow [bsc#1179399, CVE-2020-8285]
    - trusting FTP PASV responses [bsc#1179398, CVE-2020-8284]
    - Revert "multi: implement wait using winsock events"
    - openssl: free mem_buf in error path
    - ntlm: avoid malloc(0) on zero length user and domain
    - ngtcp2: use the minimal version of QUIC supported by ngtcp2
    - ngtcp2: advertise h3 ALPN unconditionally
    - file: avoid duplicated code sequence
    - openssl: guard against OOM on context creation
    - docs: document the 8MB input string limit for curl_easy_escape
      and curl_easy_setopt()
    - hsts: add read/write callbacks
    - hsts: add support for Strict-Transport-Security
    - alt-svc: enable by default
    - checksrc: warn on empty line before open brace
    - connect: repair build without ipv6 availability
    - curl.se: new home
    - ftp: retry getpeername for FTP with TCP_FASTOPEN
    - gnutls: fix memory leaks (certfields memory wasn't released)
    - http: pass correct header size to debug callback for chunked post
    - libssh2: fix transport over HTTPS proxy
    - openssl: guard against OOM on context creation
    - openssl: use OPENSSL_init_ssl() with >= 1.1.0
    - Revert "multi: implement wait using winsock events"
    - socks: check for DNS entries with the right port number

OBS-URL: https://build.opensuse.org/request/show/856452
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=288
2020-12-19 18:24:38 +00:00
2871dab525 Accepting request 841883 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 7.73.0
  * Changes:
    - curl: add --output-dir
    - curl: support XDG_CONFIG_HOME to find .curlrc
    - curl: update --help with categories
    - curl_easy_option_*: new API for meta-data about easy options
    - CURLE_PROXY: new error code
    - mqtt: enable by default
    - sftp: add new quote commands 'atime' and 'mtime'
    - ssh: add the option CURLKHSTAT_FINE_REPLACE
    - tls: add CURLOPT_SSL_EC_CURVES and --curves 
  * Bugfixes:
    - base64: also build for smtp, pop3 and imap
    - cleanups: avoid curl_ on local variables
    - configure: let --enable-debug set -Wenum-conversion with gcc >= 10
    - conn: check for connection being dead before reuse
    - curl: in retry output don't call all problems "transient"
    - curl: make checkpasswd, file2memory, file2string and
            glob_match_url use dynbuf
    - curl: retry delays in parallel mode no longer sleeps blocking
    - curl: use curlx_dynbuf for realloc when loading config files
    - curl:parallel_transfers: make sure retry readds the transfer
    - curl_get_line: build only if cookies or alt-svc are enabled
    - Curl_pgrsTime - return new time to avoid timeout integer overflow
    - Curl_send: return error when pre_receive_plain can't malloc
    - dynbuf: make sure Curl_dyn_tail() zero terminates
    - etag: save and use the full received contents
    - ftp: a 550 response to SIZE returns CURLE_REMOTE_FILE_NOT_FOUND
    - ftp: avoid risk of reading uninitialized integers
    - ftp: get rid of the PPSENDF macro

OBS-URL: https://build.opensuse.org/request/show/841883
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=286
2020-10-19 09:58:55 +00:00
2907952dc5 Accepting request 827742 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 7.72.0 [bsc#1175109, CVE-2020-8231]
  * Changes:
    - content_encoding: add zstd decoding support
    - CURL_PUSH_ERROROUT: allow the push callback to fail the parent stream
    - CURLINFO_EFFECTIVE_METHOD: added
  * Bugfixes:
    - CVE-2020-8231: libcurl: wrong connect-only connection
    - curl-config: ignore REQUIRE_LIB_DEPS in --libs output
    - curl: improve the existing file check with -J
    - curl_multi_setopt: fix compiler warning "result is always false"
    - curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated
    - docs: Add video link to docs/CONTRIBUTE.md
    - docs: clarify MAX_SEND/RECV_SPEED functionality
    - ftp: don't do ssl_shutdown instead of ssl_close
    - ftpserver: don't verify SMTP MAIL FROM names
    - getinfo: reset retry-after value in initinfo
    - gnutls: repair the build with 'CURL_DISABLE_PROXY'
    - gtls: survive not being able to get name/issuer
    - h2: repair trailer handling
    - http2: close the http2 connection when no more requests may be sent
    - http2: fix nghttp2_strerror -> nghttp2_http2_strerror in debug messages
    - libssh2: s/ssherr/sftperr/
    - mprintf: Fix dollar string handling
    - mprintf: Fix stack overflows
    - multi_remove_handle: close unused connect-only connections
    - ngtcp2: adapt to error code rename
    - ngtcp2: adjust to recent sockaddr updates
    - ngtcp2: update to modified qlog callback prototype
    - ntlm: free target_info before (re-)malloc
    - page-header: provide protocol details in the curl.1 man page

OBS-URL: https://build.opensuse.org/request/show/827742
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=284
2020-08-19 08:14:43 +00:00
b3d54ca4de Accepting request 818117 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 7.71.1
  * Bugfixes:
    - Curl_inet_ntop: always check the return code
    - CURLOPT_READFUNCTION.3: provide the upload data size up front
    - escape: make the URL decode able to reject only %00-bytes
    - escape: zero length input should return a zero length output
    - examples/multithread.c: call curl_global_cleanup()
    - http2: set the correct URL in pushed transfers
    - http: fix proxy auth with blank password
    - mbedtls: fix build with disabled proxy support
    - ngtcp2: sync with current master
    - Revert "multi: implement wait using winsock events"
    - sendf: improve the message on client write errors
    - terminology: call them null-terminated strings
    - tool_cb_hdr: Fix etag warning output and return code
    - url: allow user + password to contain "control codes" for HTTP(S)
    - vtls: compare cert blob when finding a connection to reuse

OBS-URL: https://build.opensuse.org/request/show/818117
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=282
2020-07-01 13:36:26 +00:00
1c8143ff31 Accepting request 816791 from home:pmonrealgonzalez:branches:devel:libraries:c_c++
- Update to 7.71.0 [bsc#1173026, CVE-2020-8169][bsc#1173027, CVE-2020-8177]
  * Changes:
    - CURLOPT_SSL_OPTIONS: optional use of Windows' CA store (with openssl)
    - setopt: add CURLOPT_PROXY_ISSUERCERT(_BLOB) for coherency
    - setopt: support certificate options in memory with struct curl_blob
    - tool: Add option --retry-all-errors to retry on any error 
  * Bugfixes:
    - *_sspi: fix bad uses of CURLE_NOT_BUILT_IN
    - altsvc: bump to h3-29
    - altsvc: fix 'dsthost' may be used uninitialized in this function
    - altsvc: fix parser for lines ending with CRLF
    - altsvc: remove the num field from the altsvc struct
    - asyn-*: remove support for never-used NULL entry pointers
    - azure: use matrix strategy to avoid configuration redundancy
    - build: disable more code/data when built without proxy support
    - buildconf: remove -print from the find command that removes files
    - checksrc: enhance the ASTERISKSPACE and update code accordingly
    - cirrus: disable SFTP and SCP tests
    - CMake: add ENABLE_ALT_SVC option
    - CMake: add HTTP/3 support (ngtcp2+nghttp3, quiche)
    - CMake: add libssh build support
    - configure: fix pthread check with static boringssl
    - configure: for wolfSSL, check for the DES func needed for NTLM
    - configure: only strip first -L from LDFLAGS
    - configure: repair the check if argv can be written to
    - configure: the wolfssh backend does not provide SCP
    - connect: improve happy eyeballs handling
    - connect: make happy eyeballs work for QUIC (again)
    - curl: remove -J "informational" written on stdout
    - Curl_addrinfo: use one malloc instead of three

OBS-URL: https://build.opensuse.org/request/show/816791
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=280
2020-06-24 08:59:17 +00:00