Accepting request 704820 from devel:libraries:c_c++

OBS-URL: https://build.opensuse.org/request/show/704820
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/curl?expand=0&rev=146

curl-7.64.1.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9252332a7f871ce37bfa7f78bdd0a0e3924d8187cc27cb57c76c9474a7168fb3
-size 2385360

curl-7.64.1.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlybHwMACgkQXMkI/bce
-EsIlxQf+LUj/zeWzTgxXIFgtfba+RKb66RpWhgzKLBpiGFQjhckILFJ+Li625SE3
-9fCrIslGuY2S4G6fRH1qEIZVglpA185sTeY241/JK788ftJFFQd2GtM/+Ysrla5h
-zc2wD3amDXcROWI+QIl/dBy7xRnW8TSTMu2sEPLarsNtXK9EC+h/WIkeYW1amMf2
-a8vRFwXFZ7OrEiq7A0avvmbrQVgIIGP/zyz44ZN00PPgLm40c1rngHGBJJzEMVSS
-ClZ+wUQ+AyamL3Ls9a+V3SF3IuVrFInjv5Y1OshPULaqL2VxPsCVw67sCVouePMS
-J0u3GZPsE+sVbx7cHCfZFdSnutFBKQ==
-=WUio
------END PGP SIGNATURE-----

curl-7.65.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7766d263929404f693905b5e5222aa0f2bdf8c66ab4b8758f0c0820a42b966cd
+size 2392324

curl-7.65.0.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlzk438ACgkQXMkI/bce
+EsITWggAgk129Kxp4Br7Nn2+vyygKwv3dDEm87wJVuQka8gT2pZ9ZVQ6rEX9j0sR
+RETf8KrEbSlOBgl2EJpgToL5kgiMCweTXced3VY2szVVibenBa2Zd9MpSl5Sf7hH
+axinhdvEPNH+w8WuprEqZh+d/T5grAxChPJz4bLqKQI5fw5T3IuMfYTjZqx8DkOt
+4FekihWCr6N/nW9BFOz8H19GFtotYSwoPvQJ+RmB7+Zt7ruHjRgyINCgxbWPvs4P
+eZNWykqQ9FaXLSoJQYjLvEx0smye0bxSu3EIYBeL60fiFWJaSHQPyfBgC3JC+dD6
+ufxhEk814I4XzPaRFTLjgzjmTqRMPw==
+=4VIp
+-----END PGP SIGNATURE-----

curl-mini.changes

@@ -1,3 +1,104 @@
+-------------------------------------------------------------------
+Wed May 22 11:41:49 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- Update to 7.65.0 [bsc#1135176, CVE-2019-5435][bsc#1135170, CVE-2019-5436]
+  * Changes:
+    - CURLOPT_DNS_USE_GLOBAL_CACHE: removed
+    - CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse
+    - pipelining: removed 
+  * Bugfixes:
+    - CVE-2019-5435: Integer overflows in curl_url_set
+    - CVE-2019-5436: tftp: use the current blksize for recvfrom()
+    - --config: clarify that initial : and = might need quoting
+    - CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk
+    - CURLOPT_ADDRESS_SCOPE: fix range check and more
+    - CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value
+    - CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE
+    - CURL_MAX_INPUT_LENGTH: largest acceptable string input size
+    - Curl_disconnect: treat all CONNECT_ONLY connections as "dead"
+    - OS400/ccsidcurl: replace use of Curl_vsetopt
+    - OpenSSL: Report -fips in version if OpenSSL is built with FIPS
+    - WRITEFUNCTION: add missing set_in_callback around callback
+    - altsvc: Fix building with cookies disabled
+    - auth: Rename the various authentication clean up functions
+    - base64: build conditionally if there are users
+    - cmake: avoid linking executable for some tests with cmake 3.6+
+    - cmake: clear CMAKE_REQUIRED_LIBRARIES after each use
+    - cmake: set SSL_BACKENDS
+    - configure: avoid unportable '==' test(1) operator
+    - configure: error out if OpenSSL wasn't detected when asked for
+    - configure: fix default location for fish completions
+    - cookie: Guard against possible NULL ptr deref
+    - curl: make code work with protocol-disabled libcurl
+    - curl: report error for "--no-" on non-boolean options
+    - curlver.h: use parenthesis in CURL_VERSION_BITS macro
+    - docs/INSTALL: fix broken link
+    - doh: acknowledge CURL_DISABLE_DOH
+    - doh: disable DOH for the cases it doesn't work
+    - examples: remove unused variables
+    - ftplistparser: fix LGTM alert "Empty block without comment"
+    - hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS
+    - http: Ignore HTTP/2 prior knowledge setting for HTTP proxies
+    - http: acknowledge CURL_DISABLE_HTTP_AUTH
+    - http: mark bundle as not for multiuse on < HTTP/2 response
+    - http_digest: Don't expose functions when HTTP and Crypto Auth are disabled
+    - http_negotiate: do not treat failure of gss_init_sec_context() as fatal
+    - http_ntlm: Corrected the name of the include guard
+    - http_ntlm_wb: Handle auth for only a single request
+    - http_ntlm_wb: Return the correct error on receiving an empty auth message
+    - lib509: add missing include for strdup
+    - lib557: initialize variables
+    - mbedtls: enable use of EC keys
+    - mime: acknowledge CURL_DISABLE_MIME
+    - multi: improved HTTP_1_1_REQUIRED handling
+    - netrc: acknowledge CURL_DISABLE_NETRC
+    - nss: allow fifos and character devices for certificates
+    - nss: provide more specific error messages on failed init
+    - ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup
+    - ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
+    - openssl: mark connection for close on TLS close_notify
+    - openvms: Remove pre-processor for SecureTransport
+    - parse_proxy: use the URL parser API
+    - parsedate: disabled on CURL_DISABLE_PARSEDATE
+    - pingpong: disable more when no pingpong protocols are enabled
+    - polarssl_threadlock: remove conditionally unused code
+    - progress: acknowledge CURL_DISABLE_PROGRESS_METER
+    - proxy: acknowledge DISABLE_PROXY more
+    - resolve: apply Happy Eyeballs philosophy to parallel c-ares queries
+    - revert "multi: support verbose conncache closure handle"
+    - sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616
+    - sasl: only enable if there's a protocol enabled using it
+    - singleipconnect: show port in the verbose "Trying ..." message
+    - socks5: user name and passwords must be shorter than 256
+    - socks: fix error message
+    - socksd: new SOCKS 4+5 server for tests
+    - spnego_gssapi: fix return code on gss_init_sec_context() failure
+    - ssh-libssh: remove unused variable
+    - ssh: define USE_SSH if SSH is enabled (any backend)
+    - ssh: move variable declaration to where it's used
+    - test1002: correct the name
+    - test2100: Fix typos in test description
+    - tests: Run global cleanup at end of tests
+    - tests: make Impacket (SMB server) Python 3 compatible
+    - tool_cb_wrt: fix bad-function-cast warning
+    - tool_formparse: remove redundant assignment
+    - tool_help: Warn if curl and libcurl versions do not match
+    - tool_help: include for strcasecmp
+    - url: always clone the CUROPT_CURLU handle
+    - url: convert the zone id from a IPv6 URL to correct scope id
+    - urlapi: add CURLUPART_ZONEID to set and get
+    - urlapi: increase supported scheme length to 40 bytes
+    - urlapi: require a non-zero host name length when parsing URL
+    - urlapi: stricter CURLUPART_PORT parsing
+    - urlapi: strip off zone id from numerical IPv6 addresses
+    - urlapi: urlencode characters above 0x7f correctly
+    - vauth/cleartext: update the PLAIN login to match RFC 4616
+    - vauth/oauth2: Fix OAUTHBEARER token generation
+    - vauth: Fix incorrect function description for Curl_auth_user_contains_domain
+    - vtls: fix potential ssl_buffer stack overflow
+    - wildcard: disable from build when FTP isn't present
+    - xattr: skip unittest on unsupported platforms 
+
 -------------------------------------------------------------------
 Tue Apr  9 12:11:46 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
 

curl-mini.spec

@@ -29,7 +29,7 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name:           curl-mini
-Version:        7.64.1
+Version:        7.65.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl
@@ -204,15 +204,15 @@ popd
 
 %files
 %doc README RELEASE-NOTES
-%doc docs/{BUGS,FAQ,FEATURES,MANUAL,RESOURCES,TODO,TheArtOfHttpScripting}
+%doc docs/{BUGS,FAQ,FEATURES,RESOURCES,TODO,TheArtOfHttpScripting}
 %{_bindir}/curl
 %{_datadir}/zsh/site-functions/_curl
 %{_mandir}/man1/curl.1%{ext_man}
 %dir %{_datadir}/zsh
 %dir %{_datadir}/zsh/site-functions
 %dir %{_datadir}/fish/
-%dir %{_datadir}/fish/completions/
-%{_datadir}/fish/completions/curl.fish
+%dir %{_datadir}/fish/vendor_completions.d/
+%{_datadir}/fish/vendor_completions.d/curl.fish
 
 %files -n libcurl4%{?mini}
 %license COPYING

curl.changes

@@ -1,3 +1,104 @@
+-------------------------------------------------------------------
+Wed May 22 11:41:49 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- Update to 7.65.0 [bsc#1135176, CVE-2019-5435][bsc#1135170, CVE-2019-5436]
+  * Changes:
+    - CURLOPT_DNS_USE_GLOBAL_CACHE: removed
+    - CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse
+    - pipelining: removed 
+  * Bugfixes:
+    - CVE-2019-5435: Integer overflows in curl_url_set
+    - CVE-2019-5436: tftp: use the current blksize for recvfrom()
+    - --config: clarify that initial : and = might need quoting
+    - CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk
+    - CURLOPT_ADDRESS_SCOPE: fix range check and more
+    - CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value
+    - CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE
+    - CURL_MAX_INPUT_LENGTH: largest acceptable string input size
+    - Curl_disconnect: treat all CONNECT_ONLY connections as "dead"
+    - OS400/ccsidcurl: replace use of Curl_vsetopt
+    - OpenSSL: Report -fips in version if OpenSSL is built with FIPS
+    - WRITEFUNCTION: add missing set_in_callback around callback
+    - altsvc: Fix building with cookies disabled
+    - auth: Rename the various authentication clean up functions
+    - base64: build conditionally if there are users
+    - cmake: avoid linking executable for some tests with cmake 3.6+
+    - cmake: clear CMAKE_REQUIRED_LIBRARIES after each use
+    - cmake: set SSL_BACKENDS
+    - configure: avoid unportable '==' test(1) operator
+    - configure: error out if OpenSSL wasn't detected when asked for
+    - configure: fix default location for fish completions
+    - cookie: Guard against possible NULL ptr deref
+    - curl: make code work with protocol-disabled libcurl
+    - curl: report error for "--no-" on non-boolean options
+    - curlver.h: use parenthesis in CURL_VERSION_BITS macro
+    - docs/INSTALL: fix broken link
+    - doh: acknowledge CURL_DISABLE_DOH
+    - doh: disable DOH for the cases it doesn't work
+    - examples: remove unused variables
+    - ftplistparser: fix LGTM alert "Empty block without comment"
+    - hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS
+    - http: Ignore HTTP/2 prior knowledge setting for HTTP proxies
+    - http: acknowledge CURL_DISABLE_HTTP_AUTH
+    - http: mark bundle as not for multiuse on < HTTP/2 response
+    - http_digest: Don't expose functions when HTTP and Crypto Auth are disabled
+    - http_negotiate: do not treat failure of gss_init_sec_context() as fatal
+    - http_ntlm: Corrected the name of the include guard
+    - http_ntlm_wb: Handle auth for only a single request
+    - http_ntlm_wb: Return the correct error on receiving an empty auth message
+    - lib509: add missing include for strdup
+    - lib557: initialize variables
+    - mbedtls: enable use of EC keys
+    - mime: acknowledge CURL_DISABLE_MIME
+    - multi: improved HTTP_1_1_REQUIRED handling
+    - netrc: acknowledge CURL_DISABLE_NETRC
+    - nss: allow fifos and character devices for certificates
+    - nss: provide more specific error messages on failed init
+    - ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup
+    - ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
+    - openssl: mark connection for close on TLS close_notify
+    - openvms: Remove pre-processor for SecureTransport
+    - parse_proxy: use the URL parser API
+    - parsedate: disabled on CURL_DISABLE_PARSEDATE
+    - pingpong: disable more when no pingpong protocols are enabled
+    - polarssl_threadlock: remove conditionally unused code
+    - progress: acknowledge CURL_DISABLE_PROGRESS_METER
+    - proxy: acknowledge DISABLE_PROXY more
+    - resolve: apply Happy Eyeballs philosophy to parallel c-ares queries
+    - revert "multi: support verbose conncache closure handle"
+    - sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616
+    - sasl: only enable if there's a protocol enabled using it
+    - singleipconnect: show port in the verbose "Trying ..." message
+    - socks5: user name and passwords must be shorter than 256
+    - socks: fix error message
+    - socksd: new SOCKS 4+5 server for tests
+    - spnego_gssapi: fix return code on gss_init_sec_context() failure
+    - ssh-libssh: remove unused variable
+    - ssh: define USE_SSH if SSH is enabled (any backend)
+    - ssh: move variable declaration to where it's used
+    - test1002: correct the name
+    - test2100: Fix typos in test description
+    - tests: Run global cleanup at end of tests
+    - tests: make Impacket (SMB server) Python 3 compatible
+    - tool_cb_wrt: fix bad-function-cast warning
+    - tool_formparse: remove redundant assignment
+    - tool_help: Warn if curl and libcurl versions do not match
+    - tool_help: include for strcasecmp
+    - url: always clone the CUROPT_CURLU handle
+    - url: convert the zone id from a IPv6 URL to correct scope id
+    - urlapi: add CURLUPART_ZONEID to set and get
+    - urlapi: increase supported scheme length to 40 bytes
+    - urlapi: require a non-zero host name length when parsing URL
+    - urlapi: stricter CURLUPART_PORT parsing
+    - urlapi: strip off zone id from numerical IPv6 addresses
+    - urlapi: urlencode characters above 0x7f correctly
+    - vauth/cleartext: update the PLAIN login to match RFC 4616
+    - vauth/oauth2: Fix OAUTHBEARER token generation
+    - vauth: Fix incorrect function description for Curl_auth_user_contains_domain
+    - vtls: fix potential ssl_buffer stack overflow
+    - wildcard: disable from build when FTP isn't present
+    - xattr: skip unittest on unsupported platforms 
+
 -------------------------------------------------------------------
 Tue Apr  9 12:11:46 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
 

curl.spec

@@ -27,7 +27,7 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name:           curl
-Version:        7.64.1
+Version:        7.65.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl
@@ -202,15 +202,15 @@ popd
 
 %files
 %doc README RELEASE-NOTES
-%doc docs/{BUGS,FAQ,FEATURES,MANUAL,RESOURCES,TODO,TheArtOfHttpScripting}
+%doc docs/{BUGS,FAQ,FEATURES,RESOURCES,TODO,TheArtOfHttpScripting}
 %{_bindir}/curl
 %{_datadir}/zsh/site-functions/_curl
 %{_mandir}/man1/curl.1%{ext_man}
 %dir %{_datadir}/zsh
 %dir %{_datadir}/zsh/site-functions
 %dir %{_datadir}/fish/
-%dir %{_datadir}/fish/completions/
-%{_datadir}/fish/completions/curl.fish
+%dir %{_datadir}/fish/vendor_completions.d/
+%{_datadir}/fish/vendor_completions.d/curl.fish
 
 %files -n libcurl4%{?mini}
 %license COPYING