Accepting request 730075 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

- Update to 7.66.0 [bsc#1149496, CVE-2019-5482][bsc#1149495, CVE-2019-5481]
  * Changes:
    - CURLINFO_RETRY_AFTER: parse the Retry-After header value
    - HTTP3: initial (experimental still not working) support
    - curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
    - curl: support parallel transfers with -Z
    - curl_multi_poll: a sister to curl_multi_wait() that waits more
    - sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID 
  * Bugfixes:
    - CVE-2019-5481: FTP-KRB double-free
    - CVE-2019-5482: TFTP small blocksize heap buffer overflow
    - CMake: remove needless newlines at end of gss variables
    - CMake: use platform dependent name for dlopen() library
    - CURLINFO docs: mention that in redirects times are added
    - CURLOPT_ALTSVC.3: use a "" file name to not load from a file
    - CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
    - CURLOPT_HEADERFUNCTION.3: clarify
    - CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly
    - CURLOPT_READFUNCTION.3: provide inline example
    - CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
    - Curl_addr2string: take an addrlen argument too
    - Curl_fillreadbuffer: avoid double-free trailer buf on error
    - HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
    - alt-svc: add protocol version selection masking
    - alt-svc: fix removal of expired cache entry
    - alt-svc: make it use h3-22 with ngtcp2 as well
    - alt-svc: more liberal ALPN name parsing
    - alt-svc: send Alt-Used: in redirected requests
    - alt-svc: with quiche, use the quiche h3 alpn string
    - asyn-thread: create a socketpair to wait on

OBS-URL: https://build.opensuse.org/request/show/730075
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=260

curl-7.65.3.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f2d98854813948d157f6a91236ae34ca4a1b4cb302617cebad263d79b0235fea
-size 2392472

curl-7.65.3.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl0xj7oACgkQXMkI/bce
-EsKYbgf9G41o5x73tc+2TOGt2QmJ7ukyHmd5Vq7XTSNdNU5dJ41Z3qh9Jm72x62i
-b4kJMjWyoL2j031ml5JevycpMpNa1v784UlPW2tzzL2B7v6vcA4xknJRLWlPlcTJ
-HOgub6r7g/zhOpdAeJh8o4jkBLUyN+S/HOyHLWcvdWDnhqUAmpZfIqtd8kjqzDul
-XAkdj7MxWqKZ3wXWwlpp4j81jpfOj7KCC/ZpxlJ0KfefgYEzV23O2hcJzw57jqTy
-SQZc39uTQOjbZPlBXJD55QeVISCwe53pn55aWQll90XfE3XRapuYZdiL8wLwtl/L
-tjugTKjfoy9qqOGH5YB/4kHqoSJqow==
-=Itbi
------END PGP SIGNATURE-----

curl-7.66.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dbb48088193016d079b97c5c3efde8efa56ada2ebf336e8a97d04eb8e2ed98c1
+size 2414840

curl-7.66.0.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl14i4AACgkQXMkI/bce
+EsJwgwf/WauX31s687pdOgpPE4ymPuxIrdVl+NovWdOBdQQfIA0c/4lu4onJYPAT
+K6wq86me5y8fj/Q3ymqQ3H1EcJE2vTHPx/w+zEHNsEILtBMFHdm84CJzhdLlI1GC
+9iBkjVKk/2s0tBOdC3HuskYLY2y02dHACvTvDJjx42nK4IbsdjoamVdMa7vep1TG
+abmLRNHkOHKjioYWi0N04c5H5YDpdWOOjFY+EPO+m+YQuJlYkgw90nlmOaqiLcHL
+3zGCMNXb209wxuNEVKenlhPQ/3FQZ9+8a4b6mMqBX7PDwhDiZLhqIJgVseWdw1r0
+Qm2suW4eUtlC2DTqTMtusG7EMN8pag==
+=pFLb
+-----END PGP SIGNATURE-----

curl-mini.changes

@@ -1,3 +1,89 @@
+-------------------------------------------------------------------
+Wed Sep 11 08:17:06 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- Update to 7.66.0 [bsc#1149496, CVE-2019-5482][bsc#1149495, CVE-2019-5481]
+  * Changes:
+    - CURLINFO_RETRY_AFTER: parse the Retry-After header value
+    - HTTP3: initial (experimental still not working) support
+    - curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
+    - curl: support parallel transfers with -Z
+    - curl_multi_poll: a sister to curl_multi_wait() that waits more
+    - sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID 
+  * Bugfixes:
+    - CVE-2019-5481: FTP-KRB double-free
+    - CVE-2019-5482: TFTP small blocksize heap buffer overflow
+    - CMake: remove needless newlines at end of gss variables
+    - CMake: use platform dependent name for dlopen() library
+    - CURLINFO docs: mention that in redirects times are added
+    - CURLOPT_ALTSVC.3: use a "" file name to not load from a file
+    - CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
+    - CURLOPT_HEADERFUNCTION.3: clarify
+    - CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly
+    - CURLOPT_READFUNCTION.3: provide inline example
+    - CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
+    - Curl_addr2string: take an addrlen argument too
+    - Curl_fillreadbuffer: avoid double-free trailer buf on error
+    - HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
+    - alt-svc: add protocol version selection masking
+    - alt-svc: fix removal of expired cache entry
+    - alt-svc: make it use h3-22 with ngtcp2 as well
+    - alt-svc: more liberal ALPN name parsing
+    - alt-svc: send Alt-Used: in redirected requests
+    - alt-svc: with quiche, use the quiche h3 alpn string
+    - asyn-thread: create a socketpair to wait on
+    - cleanup: move functions out of url.c and make them static
+    - cleanup: remove the 'numsocks' argument used in many places
+    - configure: avoid undefined check_for_ca_bundle
+    - curl.h: add CURL_HTTP_VERSION_3 to the version enum
+    - curl: cap the maximum allowed values for retry time arguments
+    - curl: handle a libcurl build without netrc support
+    - curl: make use of CURLINFO_RETRY_AFTER when retrying
+    - curl: use CURLINFO_PROTOCOL to check for HTTP(s)
+    - curl_global_init_mem.3: mention it was added in 7.12.0
+    - curl_version: bump string buffer size to 250
+    - curl_version_info.3: mentioned ALTSVC and HTTP3
+    - curl_version_info: offer quic (and h3) library info
+    - curl_version_info: provide nghttp2 details
+    - defines: avoid underscore-prefixed defines
+    - docs/ALTSVC: remove what works and the experimental explanation
+    - docs/EXPERIMENTAL: explain what it means and what's experimental now
+    - docs/MANUAL.md: converted to markdown from plain text
+    - docs/examples/curlx: fix errors
+    - docs: s/curl_debug/curl_dbg_debug in comments and docs
+    - easy: resize receive buffer on easy handle reset
+    - examples: Avoid reserved names in hiperfifo examples
+    - examples: add http3.c, altsvc.c and http3-present.c
+    - http09: disable HTTP/0.9 by default in both tool and library
+    - http2: when marked for closure and wanted to close == OK
+    - http2_recv: trigger another read when the last data is returned
+    - http: fix use of credentials from URL when using HTTP proxy
+    - http_negotiate: improve handling of gss_init_sec_context() failures
+    - md4: Use our own MD4 when no crypto libraries are available
+    - multi: call detach_connection before Curl_disconnect
+    - nss: use TLSv1.3 as default if supported
+    - openssl: build warning free with boringssl
+    - openssl: use SSL_CTX_set__proto_version() when available
+    - plan9: add support for running on Plan 9
+    - progress: reset download/uploaded counter between transfers
+    - readwrite_data: repair setting the TIMER_STARTTRANSFER stamp
+    - scp: fix directory name length used in memcpy
+    - smb: init *msg to NULL in smb_send_and_recv()
+    - smtp: check for and bail out on too short EHLO response
+    - source: remove names from source comments
+    - spnego_sspi: add typecast to fix build warning
+    - src/makefile: fix uncompressed hugehelp.c generation
+    - ssh-libssh: do not specify O_APPEND when not in append mode
+    - ssh: move code into vssh for SSH backends
+    - sspi: fix memory leaks
+    - tests: Replace outdated test case numbering documentation
+    - tftp: return error when packet is too small for options
+    - timediff: make it 64 bit (if possible) even with 32 bit time_t
+    - travis: reduce number of torture tests in 'coverage'
+    - url: make use of new HTTP version if alt-svc has one
+    - urlapi: verify the IPv6 numerical address
+    - urldata: avoid 'generic', use dedicated pointers
+    - vauth: Use CURLE_AUTH_ERROR for auth function errors 
+
 -------------------------------------------------------------------
 Fri Jul 19 13:51:15 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
 

curl-mini.spec

@@ -29,7 +29,7 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name:           curl-mini
-Version:        7.65.3
+Version:        7.66.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl

curl.changes

@@ -1,3 +1,89 @@
+-------------------------------------------------------------------
+Wed Sep 11 08:17:06 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- Update to 7.66.0 [bsc#1149496, CVE-2019-5482][bsc#1149495, CVE-2019-5481]
+  * Changes:
+    - CURLINFO_RETRY_AFTER: parse the Retry-After header value
+    - HTTP3: initial (experimental still not working) support
+    - curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
+    - curl: support parallel transfers with -Z
+    - curl_multi_poll: a sister to curl_multi_wait() that waits more
+    - sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID 
+  * Bugfixes:
+    - CVE-2019-5481: FTP-KRB double-free
+    - CVE-2019-5482: TFTP small blocksize heap buffer overflow
+    - CMake: remove needless newlines at end of gss variables
+    - CMake: use platform dependent name for dlopen() library
+    - CURLINFO docs: mention that in redirects times are added
+    - CURLOPT_ALTSVC.3: use a "" file name to not load from a file
+    - CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
+    - CURLOPT_HEADERFUNCTION.3: clarify
+    - CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly
+    - CURLOPT_READFUNCTION.3: provide inline example
+    - CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
+    - Curl_addr2string: take an addrlen argument too
+    - Curl_fillreadbuffer: avoid double-free trailer buf on error
+    - HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
+    - alt-svc: add protocol version selection masking
+    - alt-svc: fix removal of expired cache entry
+    - alt-svc: make it use h3-22 with ngtcp2 as well
+    - alt-svc: more liberal ALPN name parsing
+    - alt-svc: send Alt-Used: in redirected requests
+    - alt-svc: with quiche, use the quiche h3 alpn string
+    - asyn-thread: create a socketpair to wait on
+    - cleanup: move functions out of url.c and make them static
+    - cleanup: remove the 'numsocks' argument used in many places
+    - configure: avoid undefined check_for_ca_bundle
+    - curl.h: add CURL_HTTP_VERSION_3 to the version enum
+    - curl: cap the maximum allowed values for retry time arguments
+    - curl: handle a libcurl build without netrc support
+    - curl: make use of CURLINFO_RETRY_AFTER when retrying
+    - curl: use CURLINFO_PROTOCOL to check for HTTP(s)
+    - curl_global_init_mem.3: mention it was added in 7.12.0
+    - curl_version: bump string buffer size to 250
+    - curl_version_info.3: mentioned ALTSVC and HTTP3
+    - curl_version_info: offer quic (and h3) library info
+    - curl_version_info: provide nghttp2 details
+    - defines: avoid underscore-prefixed defines
+    - docs/ALTSVC: remove what works and the experimental explanation
+    - docs/EXPERIMENTAL: explain what it means and what's experimental now
+    - docs/MANUAL.md: converted to markdown from plain text
+    - docs/examples/curlx: fix errors
+    - docs: s/curl_debug/curl_dbg_debug in comments and docs
+    - easy: resize receive buffer on easy handle reset
+    - examples: Avoid reserved names in hiperfifo examples
+    - examples: add http3.c, altsvc.c and http3-present.c
+    - http09: disable HTTP/0.9 by default in both tool and library
+    - http2: when marked for closure and wanted to close == OK
+    - http2_recv: trigger another read when the last data is returned
+    - http: fix use of credentials from URL when using HTTP proxy
+    - http_negotiate: improve handling of gss_init_sec_context() failures
+    - md4: Use our own MD4 when no crypto libraries are available
+    - multi: call detach_connection before Curl_disconnect
+    - nss: use TLSv1.3 as default if supported
+    - openssl: build warning free with boringssl
+    - openssl: use SSL_CTX_set__proto_version() when available
+    - plan9: add support for running on Plan 9
+    - progress: reset download/uploaded counter between transfers
+    - readwrite_data: repair setting the TIMER_STARTTRANSFER stamp
+    - scp: fix directory name length used in memcpy
+    - smb: init *msg to NULL in smb_send_and_recv()
+    - smtp: check for and bail out on too short EHLO response
+    - source: remove names from source comments
+    - spnego_sspi: add typecast to fix build warning
+    - src/makefile: fix uncompressed hugehelp.c generation
+    - ssh-libssh: do not specify O_APPEND when not in append mode
+    - ssh: move code into vssh for SSH backends
+    - sspi: fix memory leaks
+    - tests: Replace outdated test case numbering documentation
+    - tftp: return error when packet is too small for options
+    - timediff: make it 64 bit (if possible) even with 32 bit time_t
+    - travis: reduce number of torture tests in 'coverage'
+    - url: make use of new HTTP version if alt-svc has one
+    - urlapi: verify the IPv6 numerical address
+    - urldata: avoid 'generic', use dedicated pointers
+    - vauth: Use CURLE_AUTH_ERROR for auth function errors 
+
 -------------------------------------------------------------------
 Fri Jul 19 13:51:15 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
 

curl.spec

@@ -27,7 +27,7 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name:           curl
-Version:        7.65.3
+Version:        7.66.0
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl