Accepting request 907429 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

- Update to 7.78.0:
  [bsc#1188217, CVE-2021-22922][bsc#1188218, CVE-2021-22923]
  [bsc#1188219, CVE-2021-22924][bsc#1188220, CVE-2021-22925]
  * Changes:
    - curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE
    - CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax
    - hostip: make 'localhost' return fixed values
    - mbedtls: add support for cert and key blob options
    - metalink: remove all support for it
    - mqtt: add support for username and password
  * Bugfixes:
    - ares: always store IPv6 addresses first
    - c-hyper: abort CONNECT response reading early on non 2xx responses
    - c-hyper: add support for transfer-encoding in the request
    - c-hyper: bail on too long response headers
    - c-hyper: clear NTLM auth buffer when request is issued
    - c-hyper: fix NTLM on closed connection tested with test159
    - conncache: lowercase the hash key for better match
    - curl_multibyte: Remove local encoding fallbacks
    - Curl_ntlm_core_mk_nt_hash: fix OOM in error path
    - Curl_ssl_getsessionid: fail if no session cache exists
    - easy: during upkeep, attach Curl_easy to connections in the cache
    - gnutls: set the preferred TLS versions in correct order
    - hsts: ignore numberical IP address hosts
    - HSTS: not experimental anymore
    - http2: init recvbuf struct for pushed streams
    - http: fix crash in rate-limited upload
    - http: make the haproxy support work with unix domain sockets
    - http_proxy: deal with non-200 CONNECT response with Hyper
    - lib: don't compare fd to FD_SETSIZE when using poll

OBS-URL: https://build.opensuse.org/request/show/907429
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=300

curl-7.77.0.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0f64582c54282f31c0de9f0a1a596b182776bd4df9a4c4a2a41bbeb54f62594b
-size 2439336

curl-7.77.0.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmCt6IwACgkQXMkI/bce
-EsJd+Af/YCvzoV76IFh2aJpoi74XOglG327GQWnJRAt6VooIXvBPddundYOSepAw
-OQbReLSQgzmWIICjp4GnV/+gkNodpqJPB1uFHo8AHEBsiVJBTNO7c/mGirQlp5TM
-f5xGP8cf1OxwDJ6PBAHAYl4s71t6CWm0C2nf8x24ROlDsO85lz+yFCg1665IbZvp
-PFSfeIGHwyUoZesBmBFznm5KI5yc+Yn9gxsq3ujPYMvjMH7KFdw7zQu3SzYjT1+w
-bHqVul6+SC8laHuIqZfKnvrjLJMcIhe0vADoyV0/P64ZJ/4X2tGBrpxtXUJJ9S9C
-Cif/PNjYIGKg9Mk8odMjXzo8EcVFGA==
-=+IKy
------END PGP SIGNATURE-----

curl-7.78.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:be42766d5664a739c3974ee3dfbbcbe978a4ccb1fe628bb1d9b59ac79e445fb5
+size 2440640

curl-7.78.0.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmD3wwYACgkQXMkI/bce
+EsIFMggAt5xxRun4gxld2xZB0shI8fDhjGwMK+uQNpDnnt509j/UZ9+yfDra3Stl
+BHeQXSnTE6y4dKfXIkq4q3sSX2XZUuFRLHMhzH99FsY6bxgOSnZi/iIZv/RLLXTX
+NGlDR93OfsYg9UNkZVeZlFo9262f6rz7P5EsHa4HlCS0xpvLCU7q2dtkDu8SQSW1
+sQiEZOhsyXoiqqrLAgTIP9psHt6dE7qoYh1hS6b+7S9d87MSkL5MEnHukFkemlzC
+7d9cYD9Bah1LfAaYunvzPuC9FoF6gonGPrw3tLECdl2P9PpnrGeV1Z/Nhmu0d5mN
+E2A1BXBqLs8UVo4vUbiNLk0gB3TmHg==
+=yVDK
+-----END PGP SIGNATURE-----

curl.changes

@@ -1,3 +1,58 @@
+-------------------------------------------------------------------
+Wed Jul 21 06:50:22 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 7.78.0:
+  [bsc#1188217, CVE-2021-22922][bsc#1188218, CVE-2021-22923]
+  [bsc#1188219, CVE-2021-22924][bsc#1188220, CVE-2021-22925]
+  * Changes:
+    - curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE
+    - CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax
+    - hostip: make 'localhost' return fixed values
+    - mbedtls: add support for cert and key blob options
+    - metalink: remove all support for it
+    - mqtt: add support for username and password
+  * Bugfixes:
+    - ares: always store IPv6 addresses first
+    - c-hyper: abort CONNECT response reading early on non 2xx responses
+    - c-hyper: add support for transfer-encoding in the request
+    - c-hyper: bail on too long response headers
+    - c-hyper: clear NTLM auth buffer when request is issued
+    - c-hyper: fix NTLM on closed connection tested with test159
+    - conncache: lowercase the hash key for better match
+    - curl_multibyte: Remove local encoding fallbacks
+    - Curl_ntlm_core_mk_nt_hash: fix OOM in error path
+    - Curl_ssl_getsessionid: fail if no session cache exists
+    - easy: during upkeep, attach Curl_easy to connections in the cache
+    - gnutls: set the preferred TLS versions in correct order
+    - hsts: ignore numberical IP address hosts
+    - HSTS: not experimental anymore
+    - http2: init recvbuf struct for pushed streams
+    - http: fix crash in rate-limited upload
+    - http: make the haproxy support work with unix domain sockets
+    - http_proxy: deal with non-200 CONNECT response with Hyper
+    - lib: don't compare fd to FD_SETSIZE when using poll
+    - lib: fix compiler warnings with CURL_DISABLE_NETRC
+    - lib: fix type of len passed to *printf's %*s
+    - lib: more %u for port and int for %*s fixes
+    - lib: use %u instead of %ld for port number printf
+    - libssh2: limit time a disconnect can take to 1 second
+    - mqtt: detect illegal and too large file size
+    - msnprintf: return number of printed characters excluding null byte
+    - multi: add scan-build-6 work-around in curl_multi_fdset
+    - multi: alter transfer timeout ordering
+    - multi: do not switch off connect_only flag when closing
+    - multi: fix crash in curl_multi_wait / curl_multi_poll
+    - ngtcp2: disable TLSv1.3 compatible mode when using GnuTLS
+    - openssl: avoid static variable for seed flag
+    - openssl: don't remove session id entry in disassociate
+    - socketpair: fix potential hangs
+    - socks4: scan for the IPv4 address in resolve results
+    - ssl: read pending close notify alert before closing the connection
+    - telnet: fix option parser to not send uninitialized contents
+    - TLS: prevent shutdown loops to get stuck
+    - vtls: exit addsessionid if no cache is inited
+    - vtls: fix connection reuse checks for issuer cert and case sensitivity
+
 -------------------------------------------------------------------
 Wed May 26 07:47:00 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
 

curl.spec

@@ -21,7 +21,7 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name:           curl
-Version:        7.77.0
+Version:        7.78.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl
@@ -44,7 +44,8 @@ BuildRequires:  openldap2-devel
 BuildRequires:  pkgconfig(krb5)
 BuildRequires:  pkgconfig(libbrotlidec)
 BuildRequires:  pkgconfig(libidn2)
-BuildRequires:  pkgconfig(libmetalink)
+# Disable metalink [bsc#1188218, CVE-2021-22923][bsc#1188219, CVE-2021-22924]
+# BuildRequires:  pkgconfig(libmetalink)
 BuildRequires:  pkgconfig(libnghttp2)
 BuildRequires:  pkgconfig(libpsl)
 BuildRequires:  pkgconfig(libssh)
@@ -124,7 +125,6 @@ sed -i 's/\(link_all_deplibs=\)unknown/\1no/' configure
     --with-gssapi=$(krb5-config --prefix) \
     --with-libidn2 \
     --with-libssh \
-    --with-libmetalink \
     --enable-hidden-symbols \
     --disable-static \
     --enable-threaded-resolver