From ec4ab9ef11c43c45b44c2e33238db03e69054a438eb47322581578644bc91cd1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Wed, 6 Feb 2019 13:10:47 +0000 Subject: [PATCH] Accepting request 672083 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - update to version 7.64.0 [bcs#1123371, CVE-2018-16890][bcs#1123377, CVE-2019-3822] [bcs#1123378, CVE-2019-3823] * Changes: - cookies: leave secure cookies alone - hostip: support wildcard hosts - http: Implement trailing headers for chunked transfers - http: added options for allowing HTTP/0.9 responses - timeval: Use high resolution timestamps on Windows * Bugfixes: - CVE-2018-16890: NTLM type-2 out-of-bounds buffer read - CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow - CVE-2019-3823: SMTP end-of-response out-of-bounds read - FAQ: remove mention of sourceforge for github - OS400: handle memory error in list conversion - OS400: upgrade ILE/RPG binding. - README: add codacy code quality badge - Revert http_negotiate: do not close connection - THANKS: added several missing names from year <= 2000 - build: make 'tidy' target work for metalink builds - cmake: added checks for variadic macros - cmake: updated check for HAVE_POLL_FINE to match autotools - cmake: use lowercase for function name like the rest of the code - configure: detect xlclang separately from clang - configure: fix recv/send/select detection on Android - configure: rewrite --enable-code-coverage - conncache_unlock: avoid indirection by changing input argument type - cookie: fix comment typo - cookies: allow secure override when done over HTTPS - cookies: extend domain checks to non psl builds OBS-URL: https://build.opensuse.org/request/show/672083 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=244 --- curl-7.63.0.tar.gz | 3 -- curl-7.63.0.tar.gz.asc | 11 ------ curl-7.64.0.tar.xz | 3 ++ curl-7.64.0.tar.xz.asc | 11 ++++++ curl-mini.changes | 90 ++++++++++++++++++++++++++++++++++++++++++ curl-mini.spec | 6 +-- curl.changes | 90 
++++++++++++++++++++++++++++++++++++++++++ curl.spec | 6 +-- 8 files changed, 200 insertions(+), 20 deletions(-) delete mode 100644 curl-7.63.0.tar.gz delete mode 100644 curl-7.63.0.tar.gz.asc create mode 100644 curl-7.64.0.tar.xz create mode 100644 curl-7.64.0.tar.xz.asc diff --git a/curl-7.63.0.tar.gz b/curl-7.63.0.tar.gz deleted file mode 100644 index e799d15..0000000 --- a/curl-7.63.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:d483b89062832e211c887d7cf1b65c902d591b48c11fe7d174af781681580b41 -size 4024015 diff --git a/curl-7.63.0.tar.gz.asc b/curl-7.63.0.tar.gz.asc deleted file mode 100644 index 38e3fb1..0000000 --- a/curl-7.63.0.tar.gz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlwQtYEACgkQXMkI/bce -EsJ4wgf/b5RDCOKc1yMOF3CRcbY1kh9odMEbORsOYh3QPgVsPEggakaOtifyJPGC -PtxqvWuj34aQHnDglYQnH0gi5Vjc76kdbC2JzskOD5NO1KnlpIDbhq+YL3umPq0/ -pO6uT8nk8+qhv28MNrAa4mscBJFPH6Y5vMQc7y+ri6DXJHtH+i9v9CjUUVyy3Ap3 -LuSKfToHLYS+zYeQHeAJIgK3q1FAayKyNYm6sGFF9fo2XnzWKV8/E2mhjwwq2mhO -/Z4uKdcIf9ITzD+d8Hsge3k6A9pWSJ1gyRsueicrhi9a+ZHmZZ9u/D3q03LJ+did -RvJhrQHTAqI95WfYM8+LwnoLJ8QisQ== -=iIBA ------END PGP SIGNATURE----- diff --git a/curl-7.64.0.tar.xz b/curl-7.64.0.tar.xz new file mode 100644 index 0000000..8269c87 --- /dev/null +++ b/curl-7.64.0.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2f2f13fa34d44aa29cb444077ad7dc4dc6d189584ad552e0aaeb06e608af6001 +size 2398904 diff --git a/curl-7.64.0.tar.xz.asc b/curl-7.64.0.tar.xz.asc new file mode 100644 index 0000000..1f04aa7 --- /dev/null +++ b/curl-7.64.0.tar.xz.asc 
@@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlxahccACgkQXMkI/bce +EsKdrAf+OoNH+Yz1HfJG5MtmEi2sgRC56iAvZBQujPG8SJYGnT3D2nLiuC2+bzA8 +eMCqisodW5f6lV/9JRvLmLS0dhxAfdf/NHlMOdtgSv+NzVGsggpHeYEZ7HucRHsQ +AKZ6/wx7rby8yZqrn2s7yWWB0qgiajWx30r+CJEYXpuw+YwZ2qZo5ecM7fa/J9ko +ESwb7BLF6KMkdSz1wSApwCdznB/BXOaPrUBMiOcwO7ftq/t1ZmqnUWLtdlSp8OoH +Tw832H1kCP2OFHcOFTQmZJLagRQtLBhC522wNsagXaMwak6uhoFApcAPqoPdm4Pm +PvTO6aAopZk+sX9VemdSQzx/4ysT3w== +=HOlc +-----END PGP SIGNATURE----- diff --git a/curl-mini.changes b/curl-mini.changes index bc3fb6e..0ae9103 100644 --- a/curl-mini.changes +++ b/curl-mini.changes 
@@ -1,3 +1,93 @@ +------------------------------------------------------------------- +Wed Feb 6 09:16:58 UTC 2019 - Pedro Monreal Gonzalez + +- update to version 7.64.0 + [bcs#1123371, CVE-2018-16890][bcs#1123377, CVE-2019-3822] + [bcs#1123378, CVE-2019-3823] + * Changes: + - cookies: leave secure cookies alone + - hostip: support wildcard hosts + - http: Implement trailing headers for chunked transfers + - http: added options for allowing HTTP/0.9 responses + - timeval: Use high resolution timestamps on Windows + * Bugfixes: + - CVE-2018-16890: NTLM type-2 out-of-bounds buffer read + - CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow + - CVE-2019-3823: SMTP end-of-response out-of-bounds read + - FAQ: remove mention of sourceforge for github + - OS400: handle memory error in list conversion + - OS400: upgrade ILE/RPG binding. + - README: add codacy code quality badge + - Revert http_negotiate: do not close connection + - THANKS: added several missing names from year <= 2000 + - build: make 'tidy' target work for metalink builds + - cmake: added checks for variadic macros + - cmake: updated check for HAVE_POLL_FINE to match autotools + - cmake: use lowercase for function name like the rest of the code + - configure: detect xlclang separately from clang + - configure: fix recv/send/select detection on Android + - configure: rewrite --enable-code-coverage + - conncache_unlock: avoid indirection by changing input argument type + - cookie: fix comment typo + - cookies: allow secure override when done over HTTPS + - cookies: extend domain checks to non psl builds + - cookies: skip custom cookies when redirecting cross-site + - curl --xattr: strip credentials from any URL that is stored + - curl -J: refuse to append to the destination file + - curl/urlapi.h: include "curl.h" first + - curl_multi_remove_handle() don't block terminating c-ares requests + - darwinssl: accept setting max-tls with default min-tls + - disconnect: separate connections and easy handles 
better + - disconnect: set conn->data for protocol disconnect + - docs/version.d: mention MultiSSL + - docs: fix the --tls-max description + - docs: use $(INSTALL_DATA) to install man page + - docs: use meaningless port number in CURLOPT_LOCALPORT example + - gopher: always include the entire gopher-path in request + - http2: clear pause stream id if it gets closed + - if2ip: remove unused function Curl_if_is_interface_name + - libssh: do not let libssh create socket + - libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh + - libssh: free sftp_canonicalize_path() data correctly + - libtest/stub_gssapi: use "real" snprintf + - mbedtls: use VERIFYHOST + - multi: multiplexing improvements + - multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time + - ntlm: fix NTMLv2 compliance + - ntlm_sspi: add support for channel binding + - openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated + - openssl: fix the SSL_get_tlsext_status_ocsp_resp call + - openvms: fix OpenSSL discovery on VAX + - openvms: fix typos in documentation + - os400: add a missing closing bracket + - os400: fix extra parameter syntax error + - pingpong: change default response timeout to 120 seconds + - pingpong: ignore regular timeout in disconnect phase + - printf: fix format specifiers + - runtests.pl: Fix perl call to include srcdir + - schannel: fix compiler warning + - schannel: preserve original certificate path parameter + - schannel: stop calling it "winssl" + - sigpipe: if mbedTLS is used, ignore SIGPIPE + - smb: fix incorrect path in request if connection reused + - ssh: log the libssh2 error message when ssh session startup fails + - test1558: verify CURLINFO_PROTOCOL on file:// transfer + - test1561: improve test name + - test1653: make it survive torture tests + - tests: allow tests to pass by 2037-02-12 + - tests: move objnames-* from lib into tests + - timediff: fix math for unsigned time_t + - timeval: Disable MSVC Analyzer GetTickCount warning + - 
tool_cb_prg: avoid integer overflow + - travis: added cmake build for osx + - urlapi: Fix port parsing of eol colon + - urlapi: distinguish possibly empty query + - urlapi: fix parsing ipv6 with zone index + - urldata: rename easy_conn to just conn + - winbuild: conditionally use /DZLIB_WINAPI + - wolfssl: fix memory-leak in threaded use + - spnego_sspi: add support for channel binding + ------------------------------------------------------------------- Mon Jan 28 18:47:00 UTC 2019 - Jan Engelhardt diff --git a/curl-mini.spec b/curl-mini.spec index 96704c6..efb65e3 100644 --- a/curl-mini.spec +++ b/curl-mini.spec @@ -29,14 +29,14 @@ # need ssl always for python-pycurl %bcond_without openssl Name: curl-mini -Version: 7.63.0 +Version: 7.64.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl Group: Productivity/Networking/Web/Utilities Url: https://curl.haxx.se/ -Source: https://curl.haxx.se/download/curl-%{version}.tar.gz -Source2: https://curl.haxx.se/download/curl-%{version}.tar.gz.asc +Source: https://curl.haxx.se/download/curl-%{version}.tar.xz +Source2: https://curl.haxx.se/download/curl-%{version}.tar.xz.asc Source3: baselibs.conf Source4: https://daniel.haxx.se/mykey.asc#/curl.keyring Patch0: libcurl-ocloexec.patch diff --git a/curl.changes b/curl.changes index bc3fb6e..0ae9103 100644 --- a/curl.changes +++ b/curl.changes 
@@ -1,3 +1,93 @@ +------------------------------------------------------------------- +Wed Feb 6 09:16:58 UTC 2019 - Pedro Monreal Gonzalez + +- update to version 7.64.0 + [bcs#1123371, CVE-2018-16890][bcs#1123377, CVE-2019-3822] + [bcs#1123378, CVE-2019-3823] + * Changes: + - cookies: leave secure cookies alone + - hostip: support wildcard hosts + - http: Implement trailing headers for chunked transfers + - http: added options for allowing HTTP/0.9 responses + - timeval: Use high resolution timestamps on Windows + * Bugfixes: + - CVE-2018-16890: NTLM type-2 out-of-bounds buffer read + - CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow + - CVE-2019-3823: SMTP end-of-response out-of-bounds read + - FAQ: remove mention of sourceforge for github + - OS400: handle memory error in list conversion + - OS400: upgrade ILE/RPG binding. + - README: add codacy code quality badge + - Revert http_negotiate: do not close connection + - THANKS: added several missing names from year <= 2000 + - build: make 'tidy' target work for metalink builds + - cmake: added checks for variadic macros + - cmake: updated check for HAVE_POLL_FINE to match autotools + - cmake: use lowercase for function name like the rest of the code + - configure: detect xlclang separately from clang + - configure: fix recv/send/select detection on Android + - configure: rewrite --enable-code-coverage + - conncache_unlock: avoid indirection by changing input argument type + - cookie: fix comment typo + - cookies: allow secure override when done over HTTPS + - cookies: extend domain checks to non psl builds + - cookies: skip custom cookies when redirecting cross-site + - curl --xattr: strip credentials from any URL that is stored + - curl -J: refuse to append to the destination file + - curl/urlapi.h: include "curl.h" first + - curl_multi_remove_handle() don't block terminating c-ares requests + - darwinssl: accept setting max-tls with default min-tls + - disconnect: separate connections and easy handles 
better + - disconnect: set conn->data for protocol disconnect + - docs/version.d: mention MultiSSL + - docs: fix the --tls-max description + - docs: use $(INSTALL_DATA) to install man page + - docs: use meaningless port number in CURLOPT_LOCALPORT example + - gopher: always include the entire gopher-path in request + - http2: clear pause stream id if it gets closed + - if2ip: remove unused function Curl_if_is_interface_name + - libssh: do not let libssh create socket + - libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh + - libssh: free sftp_canonicalize_path() data correctly + - libtest/stub_gssapi: use "real" snprintf + - mbedtls: use VERIFYHOST + - multi: multiplexing improvements + - multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time + - ntlm: fix NTMLv2 compliance + - ntlm_sspi: add support for channel binding + - openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated + - openssl: fix the SSL_get_tlsext_status_ocsp_resp call + - openvms: fix OpenSSL discovery on VAX + - openvms: fix typos in documentation + - os400: add a missing closing bracket + - os400: fix extra parameter syntax error + - pingpong: change default response timeout to 120 seconds + - pingpong: ignore regular timeout in disconnect phase + - printf: fix format specifiers + - runtests.pl: Fix perl call to include srcdir + - schannel: fix compiler warning + - schannel: preserve original certificate path parameter + - schannel: stop calling it "winssl" + - sigpipe: if mbedTLS is used, ignore SIGPIPE + - smb: fix incorrect path in request if connection reused + - ssh: log the libssh2 error message when ssh session startup fails + - test1558: verify CURLINFO_PROTOCOL on file:// transfer + - test1561: improve test name + - test1653: make it survive torture tests + - tests: allow tests to pass by 2037-02-12 + - tests: move objnames-* from lib into tests + - timediff: fix math for unsigned time_t + - timeval: Disable MSVC Analyzer GetTickCount warning + - 
tool_cb_prg: avoid integer overflow + - travis: added cmake build for osx + - urlapi: Fix port parsing of eol colon + - urlapi: distinguish possibly empty query + - urlapi: fix parsing ipv6 with zone index + - urldata: rename easy_conn to just conn + - winbuild: conditionally use /DZLIB_WINAPI + - wolfssl: fix memory-leak in threaded use + - spnego_sspi: add support for channel binding + ------------------------------------------------------------------- Mon Jan 28 18:47:00 UTC 2019 - Jan Engelhardt diff --git a/curl.spec b/curl.spec index 63e2a3f..f8a63ea 100644 --- a/curl.spec +++ b/curl.spec @@ -27,14 +27,14 @@ # need ssl always for python-pycurl %bcond_without openssl Name: curl -Version: 7.63.0 +Version: 7.64.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl Group: Productivity/Networking/Web/Utilities Url: https://curl.haxx.se/ -Source: https://curl.haxx.se/download/curl-%{version}.tar.gz -Source2: https://curl.haxx.se/download/curl-%{version}.tar.gz.asc +Source: https://curl.haxx.se/download/curl-%{version}.tar.xz +Source2: https://curl.haxx.se/download/curl-%{version}.tar.xz.asc Source3: baselibs.conf Source4: https://daniel.haxx.se/mykey.asc#/curl.keyring Patch0: libcurl-ocloexec.patch
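Review bot: nothing in the hunks that add curl-7.64.0.tar.xz and curl-7.64.0.tar.xz.asc shows that the archive behind the new LFS pointer was checked against the new detached signature. A detached signature only verifies the exact bytes it was made over, so the old .tar.gz.asc could not cover the .tar.xz and replacing both files together is right, but the request should state that the archive was verified with the .asc and the packaged curl.keyring before submission. The size change from 4024015 to 2398904 is consistent with the move from gz to xz.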
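Review bot: in the entry added at the top of curl.changes and curl-mini.changes, the three tracker references are written "bcs#1123371", "bcs#1123377" and "bcs#1123378"; the abbreviation for bugzilla.suse.com is "bsc#", so tooling that matches references by prefix will not associate this entry with the bugs behind CVE-2018-16890, CVE-2019-3822 and CVE-2019-3823. Suggest changing all three to "bsc#" in both files. In the same entry, "ntlm: fix NTMLv2 compliance" misspells NTLMv2, and "spnego_sspi: add support for channel binding" sits after the wolfssl line, out of the otherwise alphabetical order.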
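Review bot: the Source and Source2 lines in curl.spec and curl-mini.spec now point at curl-%{version}.tar.xz and its .asc, but the changelog entry added in this patch only says "update to version 7.64.0" and does not record the archive format change. Suggest adding a line to both .changes files noting the switch from .tar.gz to .tar.xz. The visible context ends at Patch0, so it does not show whether the build checks Source2 against the keyring in Source4; confirm that verification still runs against the new file name.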