diff --git a/.fmf/version b/.fmf/version
deleted file mode 100644
index d00491f..0000000
--- a/.fmf/version
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/.gitignore b/.gitignore
index 9bb4285..7dcfd8f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,2 @@
 /curl-[0-9.]*.tar.lzma
-/curl-[0-9.]*.tar.lzma.asc
 /curl-[0-9.]*.tar.xz
-/curl-[0-9.]*.tar.xz.asc
-/curl-[0-9]*.[0-9]*.[0-9]*/
-/*.src.rpm
diff --git a/0001-curl-7.55.1-zsh-completion.patch b/0001-curl-7.55.1-zsh-completion.patch
new file mode 100644
index 0000000..8a37cd4
--- /dev/null
+++ b/0001-curl-7.55.1-zsh-completion.patch
@@ -0,0 +1,67 @@
+From 918eb4c10b60a58ea6b14bea7b9fbfba4d29598c Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Mon, 14 Aug 2017 16:13:32 +0200
+Subject: [PATCH] zsh.pl: produce a working completion script again
+
+Commit curl-7_54_0-118-g8b2f22e changed the output format of curl --help
+to use and instead of FILE and DIR, which caused zsh.pl to
+produce a broken completion script:
+
+% curl --
+_curl:10: no such file or directory: seconds
+
+Closes #1779
+
+Upstream-commit: ab2a7079cd2a1ec279b1e6b587ba48e50c155e91
+Signed-off-by: Kamil Dudka
+---
+ docs/cmdline-opts/cacert.d | 2 +-
+ scripts/zsh.pl | 5 +++--
+ src/tool_help.c | 2 +-
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/docs/cmdline-opts/cacert.d b/docs/cmdline-opts/cacert.d
+index 04e1139..b2ecf90 100644
+--- a/docs/cmdline-opts/cacert.d
++++ b/docs/cmdline-opts/cacert.d
+@@ -1,5 +1,5 @@
+ Long: cacert
+-Arg:
++Arg:
+ Help: CA certificate to verify peer against
+ Protocols: TLS
+ ---
+diff --git a/scripts/zsh.pl b/scripts/zsh.pl
+index f0d8c19..82b4d9f 100755
+--- a/scripts/zsh.pl
++++ b/scripts/zsh.pl
+@@ -54,10 +54,11 @@ sub parse_main_opts {
+ $option .= '}' if defined $short;
+ $option .= '\'[' . trim($desc) . ']\'' if defined $desc;
+
+- $option .= ":$arg" if defined $arg;
++ $option .= ":'$arg'" if defined $arg;
+
+ $option .= ':_files'
+- if defined $arg and ($arg eq 'FILE' || $arg eq 'DIR');
++ if defined $arg and ($arg eq '' || $arg eq ''
++ || $arg eq '');
+
+ push @list, $option;
+ }
+diff --git a/src/tool_help.c b/src/tool_help.c
+index 42dc779..a5bfaba 100644
+--- a/src/tool_help.c
++++ b/src/tool_help.c
+@@ -54,7 +54,7 @@ static const struct helptxt helptext[] = {
+ "Append to target file when uploading"},
+ {" --basic",
+ "Use HTTP Basic Authentication"},
+- {" --cacert ",
++ {" --cacert ",
+ "CA certificate to verify peer against"},
+ {" --capath ",
+ "CA directory to verify peer against"},
+--
+2.9.5
+
diff --git a/0002-curl-7.55.1-proxy-connect.patch b/0002-curl-7.55.1-proxy-connect.patch
new file mode 100644
index 0000000..a87e787
--- /dev/null
+++ b/0002-curl-7.55.1-proxy-connect.patch
@@ -0,0 +1,40 @@
+From 74dac344b2feb2e0f4baddb70532dc8e45d2d817 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)"
+Date: Fri, 18 Aug 2017 10:43:02 +0200
+Subject: [PATCH] http: Don't wait on CONNECT when there is no proxy
+
+Since curl 7.55.0, NetworkManager almost always failed its connectivity
+check by timeout. I bisected this to 5113ad04 (http-proxy: do the HTTP
+CONNECT process entirely non-blocking).
+
+This patch replaces !Curl_connect_complete with Curl_connect_ongoing,
+which returns false if the CONNECT state was left uninitialized and lets
+the connection continue.
+
+Closes #1803
+Fixes #1804
+
+Also-fixed-by: Gergely Nagy
+
+Upstream-commit: 74dac344b2feb2e0f4baddb70532dc8e45d2d817
+Signed-off-by: Kamil Dudka
+---
+ lib/http.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 35c7c3d43..3e3313278 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -1371,7 +1371,7 @@ CURLcode Curl_http_connect(struct connectdata *conn, bool *done)
+ if(CONNECT_FIRSTSOCKET_PROXY_SSL())
+ return CURLE_OK; /* wait for HTTPS proxy SSL initialization to complete */
+
+- if(!Curl_connect_complete(conn))
++ if(Curl_connect_ongoing(conn))
+ /* nothing else to do except wait right now - we're not done here. */
+ return CURLE_OK;
+
+--
+2.13.5
+
diff --git a/0004-curl-7.59.0-http2-GOAWAY.patch b/0004-curl-7.59.0-http2-GOAWAY.patch
new file mode 100644
index 0000000..790c27b
--- /dev/null
+++ b/0004-curl-7.59.0-http2-GOAWAY.patch
@@ -0,0 +1,344 @@
+From 01f15fd3d66655872e10c36dd6a631f491fbbed0 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sat, 10 Mar 2018 23:48:43 +0100
+Subject: [PATCH 1/2] http2: mark the connection for close on GOAWAY
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+... don't consider it an error!
+
+Assisted-by: Jay Satiro
+Reported-by: Łukasz Domeradzki
+Fixes #2365
+Closes #2375
+
+Upstream-commit: 8b498a875c975294545581282289991bbcfeabf4
+Signed-off-by: Kamil Dudka
+---
+ lib/http.h | 5 ++---
+ lib/http2.c | 33 +++++++++++++++++++++------------
+ lib/multi.c | 9 +++------
+ 3 files changed, 26 insertions(+), 21 deletions(-)
+
+diff --git a/lib/http.h b/lib/http.h
+index a845f56..e8e41e3 100644
+--- a/lib/http.h
++++ b/lib/http.h
+@@ -7,7 +7,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al.
++ * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -174,8 +174,6 @@ struct HTTP {
+ size_t pauselen; /* the number of bytes left in data */
+ bool closed; /* TRUE on HTTP2 stream close */
+ bool close_handled; /* TRUE if stream closure is handled by libcurl */
+- uint32_t error_code; /* HTTP/2 error code */
+-
+ char *mem; /* points to a buffer in memory to store received data */
+ size_t len; /* size of the buffer 'mem' points to */
+ size_t memlen; /* size of data copied to mem */
+@@ -228,6 +226,7 @@ struct http_conn {
+ /* list of settings that will be sent */
+ nghttp2_settings_entry local_settings[3];
+ size_t local_settings_num;
++ uint32_t error_code; /* HTTP/2 error code */
+ #else
+ int unused; /* prevent a compiler warning */
+ #endif
+diff --git a/lib/http2.c b/lib/http2.c
+index 0e55801..14ab0f7 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -205,7 +205,6 @@ void Curl_http2_setup_req(struct Curl_easy *data)
+ http->status_code = -1;
+ http->pausedata = NULL;
+ http->pauselen = 0;
+- http->error_code = NGHTTP2_NO_ERROR;
+ http->closed = FALSE;
+ http->close_handled = FALSE;
+ http->mem = data->state.buffer;
+@@ -218,6 +217,7 @@ void Curl_http2_setup_conn(struct connectdata *conn)
+ {
+ conn->proto.httpc.settings.max_concurrent_streams =
+ DEFAULT_MAX_CONCURRENT_STREAMS;
++ conn->proto.httpc.error_code = NGHTTP2_NO_ERROR;
+ }
+
+ /*
+@@ -778,6 +778,7 @@ static int on_stream_close(nghttp2_session *session, int32_t stream_id,
+ (void)stream_id;
+
+ if(stream_id) {
++ struct http_conn *httpc;
+ /* get the stream from the hash based on Stream ID, stream ID zero is for
+ connection-oriented stuff */
+ data_s = nghttp2_session_get_stream_user_data(session, stream_id);
+@@ -792,10 +793,11 @@ static int on_stream_close(nghttp2_session *session, int32_t stream_id,
+ if(!stream)
+ return NGHTTP2_ERR_CALLBACK_FAILURE;
+
+- stream->error_code = error_code;
+ stream->closed = TRUE;
+ data_s->state.drain++;
+- conn->proto.httpc.drain_total++;
++ httpc = &conn->proto.httpc;
++ httpc->drain_total++;
++ httpc->error_code = error_code;
+
+ /* remove the entry from the hash as the stream is now gone */
+ nghttp2_session_set_stream_user_data(session, stream_id, 0);
+@@ -1223,13 +1225,14 @@ static int h2_session_send(struct Curl_easy *data,
+ * This function returns 0 if it succeeds, or -1 and error code will
+ * be assigned to *err.
+ */
+-static int h2_process_pending_input(struct Curl_easy *data,
++static int h2_process_pending_input(struct connectdata *conn,
+ struct http_conn *httpc,
+ CURLcode *err)
+ {
+ ssize_t nread;
+ char *inbuf;
+ ssize_t rv;
++ struct Curl_easy *data = conn->data;
+
+ nread = httpc->inbuflen - httpc->nread_inbuf;
+ inbuf = httpc->inbuf + httpc->nread_inbuf;
+@@ -1267,7 +1270,13 @@ static int h2_process_pending_input(struct Curl_easy *data,
+ if(should_close_session(httpc)) {
+ DEBUGF(infof(data,
+ "h2_process_pending_input: nothing to do in this session\n"));
+- *err = CURLE_HTTP2;
++ if(httpc->error_code)
++ *err = CURLE_HTTP2;
++ else {
++ /* not an error per se, but should still close the connection */
++ connclose(conn, "GOAWAY received");
++ *err = CURLE_OK;
++ }
+ return -1;
+ }
+
+@@ -1298,7 +1307,7 @@ CURLcode Curl_http2_done_sending(struct connectdata *conn)
+ that it can signal EOF to nghttp2 */
+ (void)nghttp2_session_resume_data(h2, stream->stream_id);
+
+- (void)h2_process_pending_input(conn->data, httpc, &result);
++ (void)h2_process_pending_input(conn, httpc, &result);
+ }
+ }
+ return result;
+@@ -1322,7 +1331,7 @@ static ssize_t http2_handle_stream_close(struct connectdata *conn,
+ data->state.drain = 0;
+
+ if(httpc->pause_stream_id == 0) {
+- if(h2_process_pending_input(data, httpc, err) != 0) {
++ if(h2_process_pending_input(conn, httpc, err) != 0) {
+ return -1;
+ }
+ }
+@@ -1331,10 +1340,10 @@ static ssize_t http2_handle_stream_close(struct connectdata *conn,
+
+ /* Reset to FALSE to prevent infinite loop in readwrite_data function. */
+ stream->closed = FALSE;
+- if(stream->error_code != NGHTTP2_NO_ERROR) {
++ if(httpc->error_code != NGHTTP2_NO_ERROR) {
+ failf(data, "HTTP/2 stream %u was not closed cleanly: %s (err %d)",
+- stream->stream_id, Curl_http2_strerror(stream->error_code),
+- stream->error_code);
++ stream->stream_id, Curl_http2_strerror(httpc->error_code),
++ httpc->error_code);
+ *err = CURLE_HTTP2_STREAM;
+ return -1;
+ }
+@@ -1482,7 +1491,7 @@ static ssize_t http2_recv(struct connectdata *conn, int sockindex,
+ /* We have paused nghttp2, but we have no pause data (see
+ on_data_chunk_recv). */
+ httpc->pause_stream_id = 0;
+- if(h2_process_pending_input(data, httpc, &result) != 0) {
++ if(h2_process_pending_input(conn, httpc, &result) != 0) {
+ *err = result;
+ return -1;
+ }
+@@ -1512,7 +1521,7 @@ static ssize_t http2_recv(struct connectdata *conn, int sockindex,
+ frames, then we have to call it again with 0-length data.
+ Without this, on_stream_close callback will not be called,
+ and stream could be hanged. */
+- if(h2_process_pending_input(data, httpc, &result) != 0) {
++ if(h2_process_pending_input(conn, httpc, &result) != 0) {
+ *err = result;
+ return -1;
+ }
+diff --git a/lib/multi.c b/lib/multi.c
+index d5bc532..7b9ba61 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -5,7 +5,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al.
++ * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -572,11 +572,8 @@ static CURLcode multi_done(struct connectdata **connp,
+ result = CURLE_ABORTED_BY_CALLBACK;
+ }
+
+- if(conn->send_pipe.size + conn->recv_pipe.size != 0 &&
+- !data->set.reuse_forbid &&
+- !conn->bits.close) {
+- /* Stop if pipeline is not empty and we do not have to close
+- connection. */
++ if(conn->send_pipe.size || conn->recv_pipe.size) {
++ /* Stop if pipeline is not empty . */
+ data->easy_conn = NULL;
+ DEBUGF(infof(data, "Connection still in use, no more multi_done now!\n"));
+ return CURLE_OK;
+--
+2.14.4
+
+
+From 84ddda3994c1f12d79946780dee9111b3cf1c308 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 19 Apr 2018 20:03:30 +0200
+Subject: [PATCH 2/2] http2: handle GOAWAY properly
+
+When receiving REFUSED_STREAM, mark the connection for close and retry
+streams accordingly on another/fresh connection.
+
+Reported-by: Terry Wu
+Fixes #2416
+Fixes #1618
+Closes #2510
+
+Upstream-commit: d122df5972fc01e39ae28e6bca705237d7e3318a
+Signed-off-by: Kamil Dudka
+---
+ lib/http2.c | 17 ++++++++++++-----
+ lib/multi.c | 4 +++-
+ lib/transfer.c | 17 +++++++++++++++--
+ lib/urldata.h | 2 +-
+ 4 files changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/lib/http2.c b/lib/http2.c
+index b2c34e9..fba4d70 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -1070,7 +1070,6 @@ void Curl_http2_done(struct connectdata *conn, bool premature)
+ struct http_conn *httpc = &conn->proto.httpc;
+
+ if(http->header_recvbuf) {
+- DEBUGF(infof(data, "free header_recvbuf!!\n"));
+ Curl_add_buffer_free(http->header_recvbuf);
+ http->header_recvbuf = NULL; /* clear the pointer */
+ Curl_add_buffer_free(http->trailer_recvbuf);
+@@ -1340,7 +1339,15 @@ static ssize_t http2_handle_stream_close(struct connectdata *conn,
+
+ /* Reset to FALSE to prevent infinite loop in readwrite_data function. */
+ stream->closed = FALSE;
+- if(httpc->error_code != NGHTTP2_NO_ERROR) {
++ if(httpc->error_code == NGHTTP2_REFUSED_STREAM) {
++ DEBUGF(infof(data, "REFUSED_STREAM (%d), try again on a new connection!\n",
++ stream->stream_id));
++ connclose(conn, "REFUSED_STREAM"); /* don't use this anymore */
++ data->state.refused_stream = TRUE;
++ *err = CURLE_RECV_ERROR; /* trigger Curl_retry_request() later */
++ return -1;
++ }
++ else if(httpc->error_code != NGHTTP2_NO_ERROR) {
+ failf(data, "HTTP/2 stream %u was not closed cleanly: %s (err %d)",
+ stream->stream_id, Curl_http2_strerror(httpc->error_code),
+ httpc->error_code);
+@@ -1568,9 +1575,9 @@ static ssize_t http2_recv(struct connectdata *conn, int sockindex,
+ }
+
+ if(nread == 0) {
+- failf(data, "Unexpected EOF");
+- *err = CURLE_RECV_ERROR;
+- return -1;
++ DEBUGF(infof(data, "end of stream\n"));
++ *err = CURLE_OK;
++ return 0;
+ }
+
+ DEBUGF(infof(data, "nread=%zd\n", nread));
+diff --git a/lib/multi.c b/lib/multi.c
+index 98e5fca..d69e5f9 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -575,7 +575,9 @@ static CURLcode multi_done(struct connectdata **connp,
+ if(conn->send_pipe.size || conn->recv_pipe.size) {
+ /* Stop if pipeline is not empty . */
+ data->easy_conn = NULL;
+- DEBUGF(infof(data, "Connection still in use, no more multi_done now!\n"));
++ DEBUGF(infof(data, "Connection still in use %d/%d, "
++ "no more multi_done now!\n",
++ conn->send_pipe.size, conn->recv_pipe.size));
+ return CURLE_OK;
+ }
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index fd9af31..5c29cc9 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1896,7 +1896,7 @@ CURLcode Curl_retry_request(struct connectdata *conn,
+ char **url)
+ {
+ struct Curl_easy *data = conn->data;
+-
++ bool retry = FALSE;
+ *url = NULL;
+
+ /* if we're talking upload, we can't do the checks below, unless the protocol
+@@ -1909,7 +1909,7 @@ CURLcode Curl_retry_request(struct connectdata *conn,
+ conn->bits.reuse &&
+ (!data->set.opt_no_body
+ || (conn->handler->protocol & PROTO_FAMILY_HTTP)) &&
+- (data->set.rtspreq != RTSPREQ_RECEIVE)) {
++ (data->set.rtspreq != RTSPREQ_RECEIVE))
+ /* We got no data, we attempted to re-use a connection. For HTTP this
+ can be a retry so we try again regardless if we expected a body.
+ For other protocols we only try again only if we expected a body.
+@@ -1917,6 +1917,19 @@ CURLcode Curl_retry_request(struct connectdata *conn,
+ This might happen if the connection was left alive when we were
+ done using it before, but that was closed when we wanted to read from
+ it again. Bad luck. Retry the same request on a fresh connect! */
++ retry = TRUE;
++ else if(data->state.refused_stream &&
++ (data->req.bytecount + data->req.headerbytecount == 0) ) {
++ /* This was sent on a refused stream, safe to rerun. A refused stream
++ error can typically only happen on HTTP/2 level if the stream is safe
++ to issue again, but the nghttp2 API can deliver the message to other
++ streams as well, which is why this adds the check the data counters
++ too. */
++ infof(conn->data, "REFUSED_STREAM, retrying a fresh connect\n");
++ data->state.refused_stream = FALSE; /* clear again */
++ retry = TRUE;
++ }
++ if(retry) {
+ infof(conn->data, "Connection died, retrying a fresh connect\n");
+ *url = strdup(conn->data->change.url);
+ if(!*url)
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 3d7b9e5..6a36ee9 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1391,7 +1391,7 @@ struct UrlState {
+ curl_off_t current_speed; /* the ProgressShow() function sets this,
+ bytes / second */
+ bool this_is_a_follow; /* this is a followed Location: request */
+-
++ bool refused_stream; /* this was refused, try again */
+ char *first_host; /* host name of the first (not followed) request.
+ if set, this should be the host name that we will
+ sent authorization to, no else. Used to make Location:
+--
+2.14.4
+
diff --git a/0005-curl-7.55.1-CVE-2017-1000254.patch b/0005-curl-7.55.1-CVE-2017-1000254.patch
new file mode 100644
index 0000000..6ee9bb9
--- /dev/null
+++ b/0005-curl-7.55.1-CVE-2017-1000254.patch
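Review bot: Moving `error_code` from `struct HTTP` to `struct http_conn` means `on_stream_close` now overwrites one connection-wide value for every stream that closes, while `http2_handle_stream_close` reads `httpc->error_code` when reporting on whichever stream it happens to be handling. On a multiplexed connection a reset of one stream could therefore be reported against, or trigger the REFUSED_STREAM retry for, a different stream; the comment added in `Curl_retry_request` acknowledges this and compensates with the byte-counter check. The visible lines reset the field only in `Curl_http2_setup_conn`, so a non-zero code also appears to persist for the rest of the connection's life; confirm that is intended. Separately, the new debug message in `multi_done` prints `conn->send_pipe.size` and `conn->recv_pipe.size` with `%d`; if those fields are `size_t` (their declaration is outside this patch) the format should be `"Connection still in use %zu/%zu, "`.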
@@ -0,0 +1,136 @@
+From 1e6f9bb225047cb40232ac3e0aa5da161e49d465 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 25 Sep 2017 00:35:22 +0200
+Subject: [PATCH] FTP: zero terminate the entry path even on bad input
+
+... a single double quote could leave the entry path buffer without a zero
+terminating byte. CVE-2017-1000254
+
+Test 1152 added to verify.
+
+Reported-by: Max Dymond
+Bug: https://curl.haxx.se/docs/adv_20171004.html
+
+Upstream-commit: 5ff2c5ff25750aba1a8f64fbcad8e5b891512584
+Signed-off-by: Kamil Dudka
+---
+ lib/ftp.c | 7 ++++--
+ tests/data/Makefile.inc | 1 +
+ tests/data/test1152 | 61 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 67 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1152
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 6e86e53..bcba6bb 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -2777,6 +2777,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ const size_t buf_size = data->set.buffer_size;
+ char *dir;
+ char *store;
++ bool entry_extracted = FALSE;
+
+ dir = malloc(nread + 1);
+ if(!dir)
+@@ -2808,7 +2809,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ }
+ else {
+ /* end of path */
+- *store = '\0'; /* zero terminate */
++ entry_extracted = TRUE;
+ break; /* get out of this loop */
+ }
+ }
+@@ -2817,7 +2818,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ store++;
+ ptr++;
+ }
+-
++ *store = '\0'; /* zero terminate */
++ }
++ if(entry_extracted) {
+ /* If the path name does not look like an absolute path (i.e.: it
+ does not start with a '/'), we probably need some server-dependent
+ adjustments. For example, this is the case when connecting to
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 1657ac6..f8f6e41 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -121,6 +121,7 @@ test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \
+ test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
+ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
+ test1144 test1145 test1146 test1147 test1148 \
++test1152 \
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
+ test1216 test1217 test1218 test1219 \
+diff --git a/tests/data/test1152 b/tests/data/test1152
+new file mode 100644
+index 0000000..aa8c0a7
+--- /dev/null
++++ b/tests/data/test1152
+@@ -0,0 +1,61 @@
++
++
++
++FTP
++PASV
++LIST
++
++
++#
++# Server-side
++
++
++REPLY PWD 257 "just one
++
++
++# When doing LIST, we get the default list output hard-coded in the test
++# FTP server
++
++total 20
++drwxr-xr-x 8 98 98 512 Oct 22 13:06 .
++drwxr-xr-x 8 98 98 512 Oct 22 13:06 ..
++drwxr-xr-x 2 98 98 512 May 2 1996 curl-releases
++-r--r--r-- 1 0 1 35 Jul 16 1996 README
++lrwxrwxrwx 1 0 1 7 Dec 9 1999 bin -> usr/bin
++dr-xr-xr-x 2 0 1 512 Oct 1 1997 dev
++drwxrwxrwx 2 98 98 512 May 29 16:04 download.html
++dr-xr-xr-x 2 0 1 512 Nov 30 1995 etc
++drwxrwxrwx 2 98 1 512 Oct 30 14:33 pub
++dr-xr-xr-x 5 0 1 512 Oct 1 1997 usr
++
++
++
++#
++# Client-side
++
++
++ftp
++
++
++FTP with uneven quote in PWD response
++
++
++ftp://%HOSTIP:%FTPPORT/test-1152/
++
++
++
++#
++# Verify data after the test has been "shot"
++
++
++USER anonymous
++PASS ftp@example.com
++PWD
++CWD test-1152
++EPSV
++TYPE A
++LIST
++QUIT
++
++
++
+--
+2.13.6
+
diff --git a/0006-curl-7.55.1-CVE-2017-1000257.patch b/0006-curl-7.55.1-CVE-2017-1000257.patch
new file mode 100644
index 0000000..01b2d6f
--- /dev/null
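Review bot: The hunk ends at `if(entry_extracted) {` and does not show what happens to `dir` when the flag stays FALSE, which is exactly the malformed-PWD case this fix is about. `dir` comes from `malloc(nread + 1)` a few lines above, so the not-extracted path has to free it and must not keep it as the entry path; confirm that in the part of `ftp_statemach_act` outside the hunk. The new flag would also benefit from a comment at its declaration, e.g. `/* set only at the "end of path" branch; stays FALSE when the PWD reply is malformed */`, because the unconditional `*store = '\0'` alone does not tell a reader whether the buffer holds a usable path.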
+++ b/0006-curl-7.55.1-CVE-2017-1000257.patch
@@ -0,0 +1,36 @@
+From f8b7620e0578ef44e8fd958d32f348b535d1ab77 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sat, 7 Oct 2017 00:11:31 +0200
+Subject: [PATCH] imap: if a FETCH response has no size, don't call write
+ callback
+
+CVE-2017-1000257
+
+Reported-by: Brian Carpenter and 0xd34db347
+Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586
+
+Upstream-commit: 13c9a9ded3ae744a1e11cbc14e9146d9fa427040
+Signed-off-by: Kamil Dudka
+---
+ lib/imap.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/imap.c b/lib/imap.c
+index 48af290..4deba88 100644
+--- a/lib/imap.c
++++ b/lib/imap.c
+@@ -1091,6 +1091,11 @@ static CURLcode imap_state_fetch_resp(struct connectdata *conn, int imapcode,
+ /* The conversion from curl_off_t to size_t is always fine here */
+ chunk = (size_t)size;
+
++ if(!chunk) {
++ /* no size, we're done with the data */
++ state(conn, IMAP_STOP);
++ return CURLE_OK;
++ }
+ result = Curl_client_write(conn, CLIENTWRITE_BODY, pp->cache, chunk);
+ if(result)
+ return result;
+--
+2.13.6
+
diff --git a/0007-curl-7.55.1-CVE-2017-8817.patch b/0007-curl-7.55.1-CVE-2017-8817.patch
new file mode 100644
index 0000000..99453ce
--- /dev/null
+++ b/0007-curl-7.55.1-CVE-2017-8817.patch
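Review bot: The comment inside the new `if(!chunk)` guard says what happens but not why a zero length must never reach `Curl_client_write`. As far as I know that function treats a length of 0 as a request to call strlen() on the buffer, which is how an empty FETCH literal became a read past the end of `pp->cache`. I would record that at the guard, e.g. `/* zero-length literal: Curl_client_write() would fall back to strlen() on pp->cache, so stop here */`. The surrounding body of `imap_state_fetch_resp`, including how `chunk` is first assigned, lies outside the hunk.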
@@ -0,0 +1,132 @@
+From d288bcc0635f154fa2167bb0ac1de554bde971b6 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Fri, 10 Nov 2017 08:52:45 +0100
+Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset
+
+The code would previous read beyond the end of the pattern string if the
+match pattern ends with an open bracket when the default pattern
+matching function is used.
+
+Detected by OSS-Fuzz:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
+
+CVE-2017-8817
+
+Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
+
+Upstream-commit: 0b664ba968437715819bfe4c7ada5679d16ebbc3
+Signed-off-by: Kamil Dudka
+---
+ lib/curl_fnmatch.c | 9 +++------
+ tests/data/Makefile.inc | 1 +
+ tests/data/test1163 | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 56 insertions(+), 6 deletions(-)
+ create mode 100644 tests/data/test1163
+
+diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
+index 46d3ada..5dd5323 100644
+--- a/lib/curl_fnmatch.c
++++ b/lib/curl_fnmatch.c
+@@ -133,6 +133,9 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+ unsigned char c;
+ for(;;) {
+ c = **p;
++ if(!c)
++ return SETCHARSET_FAIL;
++
+ switch(state) {
+ case CURLFNM_SCHS_DEFAULT:
+ if(ISALNUM(c)) { /* ASCII value */
+@@ -196,9 +199,6 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+ else
+ return SETCHARSET_FAIL;
+ }
+- else if(c == '\0') {
+- return SETCHARSET_FAIL;
+- }
+ else {
+ charset[c] = 1;
+ (*p)++;
+@@ -277,9 +277,6 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+ else if(c == ']') {
+ return SETCHARSET_OK;
+ }
+- else if(c == '\0') {
+- return SETCHARSET_FAIL;
+- }
+ else if(ISPRINT(c)) {
+ charset[c] = 1;
+ (*p)++;
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index f8f6e41..6e2f402 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -122,6 +122,7 @@ test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
+ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
+ test1144 test1145 test1146 test1147 test1148 \
+ test1152 \
++test1163 \
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
+ test1216 test1217 test1218 test1219 \
+diff --git a/tests/data/test1163 b/tests/data/test1163
+new file mode 100644
+index 0000000..a109b51
+--- /dev/null
++++ b/tests/data/test1163
+@@ -0,0 +1,52 @@
++
++
++
++FTP
++RETR
++LIST
++wildcardmatch
++ftplistparser
++flaky
++
++
++
++#
++# Server-side
++
++
++
++
++
++# Client-side
++
++
++ftp
++
++
++lib576
++
++
++FTP wildcard with pattern ending with an open-bracket
++
++
++"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
++
++
++
++
++USER anonymous
++PASS ftp@example.com
++PWD
++CWD fully_simulated
++CWD DOS
++EPSV
++TYPE A
++LIST
++QUIT
++
++# 78 == CURLE_REMOTE_FILE_NOT_FOUND
++
++78
++
++
++
+--
+2.13.6
+
diff --git a/0008-curl-7.55.1-CVE-2017-8816.patch b/0008-curl-7.55.1-CVE-2017-8816.patch
new file mode 100644
index 0000000..374d79d
--- /dev/null
+++ b/0008-curl-7.55.1-CVE-2017-8816.patch
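Review bot: The regression test for this heap over-read, test1163, carries the `flaky` keyword and asserts only exit code 78, so by itself it may not gate a build. Whether it runs at all depends on how the package invokes the test suite, and a read past the end of the pattern is only observable under valgrind or a sanitizer; confirm the spec's check stage covers both, otherwise the backported fix is effectively unverified here. In `setcharset` the hoisted `if(!c) return SETCHARSET_FAIL;` deserves a comment such as `/* never step past the terminating NUL, whatever the parser state */`, since the two removed per-state checks were the only hint of why the test matters.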
@@ -0,0 +1,61 @@
+From 300d6e1b2598dc34004e4608e6718f1c0c206110 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 6 Nov 2017 23:51:52 +0100
+Subject: [PATCH] ntlm: avoid integer overflow for malloc size
+
+Reported-by: Alex Nichols
+Assisted-by: Kamil Dudka and Max Dymond
+
+CVE-2017-8816
+
+Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
+
+Upstream-commit: 7f2a1df6f5fc598750b2c6f34465c8d924db28cc
+Signed-off-by: Kamil Dudka
+---
+ lib/curl_ntlm_core.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
+index aea5452..eb44f97 100644
+--- a/lib/curl_ntlm_core.c
++++ b/lib/curl_ntlm_core.c
+@@ -622,6 +622,12 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
+ return CURLE_OK;
+ }
+
++#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
++#define SIZE_T_MAX 18446744073709551615U
++#else
++#define SIZE_T_MAX 4294967295U
++#endif
++
+ /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
+ * (uppercase UserName + Domain) as the data
+ */
+@@ -631,10 +637,20 @@ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
+ unsigned char *ntlmv2hash)
+ {
+ /* Unicode representation */
+- size_t identity_len = (userlen + domlen) * 2;
+- unsigned char *identity = malloc(identity_len);
++ size_t identity_len;
++ unsigned char *identity;
+ CURLcode result = CURLE_OK;
+
++ /* we do the length checks below separately to avoid integer overflow risk
++ on extreme data lengths */
++ if((userlen > SIZE_T_MAX/2) ||
++ (domlen > SIZE_T_MAX/2) ||
++ ((userlen + domlen) > SIZE_T_MAX/2))
++ return CURLE_OUT_OF_MEMORY;
++
++ identity_len = (userlen + domlen) * 2;
++ identity = malloc(identity_len);
++
+ if(!identity)
+ return CURLE_OUT_OF_MEMORY;
+
+--
+2.13.6
+
diff --git a/0009-curl-7.55.1-CVE-2018-1000007.patch b/0009-curl-7.55.1-CVE-2018-1000007.patch
new file mode 100644
index 0000000..0720745
--- /dev/null
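Review bot: `SIZE_T_MAX` is defined unconditionally with hand-written constants, so it will clash on any platform whose system headers already provide a macro of that name, and it silently takes the 32-bit value whenever `SIZEOF_SIZE_T` is not defined. The fallback errs on the safe side, but I would guard the block with `#ifndef SIZE_T_MAX` so an existing definition wins and a redefinition cannot break the build. The overflow check itself holds: with `userlen` and `domlen` each at most `SIZE_T_MAX/2`, their sum cannot wrap before it is compared. A short comment at the early `return CURLE_OUT_OF_MEMORY;` saying it rejects an over-long name rather than reporting a failed allocation would help whoever reads that error later.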
+++ b/0009-curl-7.55.1-CVE-2018-1000007.patch
@@ -0,0 +1,330 @@
+From e6968d1d220891230bcca5340bfd364183ceaa31 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Fri, 19 Jan 2018 13:19:25 +0100
+Subject: [PATCH] http: prevent custom Authorization headers in redirects
+
+... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
+curl already handles Authorization headers created internally.
+
+Note: this changes behavior slightly, for the sake of reducing mistakes.
+
+Added test 317 and 318 to verify.
+
+Reported-by: Craig de Stigter
+Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
+
+Upstream-commit: af32cd3859336ab963591ca0df9b1e33a7ee066b
+Signed-off-by: Kamil Dudka
+---
+ docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 12 ++++-
+ lib/http.c | 10 +++-
+ lib/url.c | 2 +-
+ lib/urldata.h | 2 +-
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test317 | 94 +++++++++++++++++++++++++++++++++
+ tests/data/test318 | 95 ++++++++++++++++++++++++++++++++++
+ 7 files changed, 212 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test317
+ create mode 100644 tests/data/test318
+
+diff --git a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
+index 6aeec22..781e570 100644
+--- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
++++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
+@@ -5,7 +5,7 @@
+ .\" * | (__| |_| | _ <| |___
+ .\" * \___|\___/|_| \_\_____|
+ .\" *
+-.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, , et al.
++.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al.
+ .\" *
+ .\" * This software is licensed as described in the file COPYING, which
+ .\" * you should have received as part of this distribution. The terms
+@@ -78,6 +78,16 @@ the headers. They may be private or otherwise sensitive to leak.
+
+ Use \fICURLOPT_HEADEROPT(3)\fP to make the headers only get sent to where you
+ intend them to get sent.
++
++Custom headers are sent in all requests done by the easy handles, which
++implies that if you tell libcurl to follow redirects
++(\fICURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent
++in the subsequent request. Redirects can of course go to other hosts and thus
++those servers will get all the contents of your custom headers too.
++
++Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers
++from being sent to other hosts than the first used one, unless specifically
++permitted with the \fICURLOPT_UNRESTRICTED_AUTH(3)\fP option.
+ .SH DEFAULT
+ NULL
+ .SH PROTOCOLS
+diff --git a/lib/http.c b/lib/http.c
+index b73e58c..c15208d 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -732,7 +732,7 @@ Curl_http_output_auth(struct connectdata *conn,
+ if(!data->state.this_is_a_follow ||
+ conn->bits.netrc ||
+ !data->state.first_host ||
+- data->set.http_disable_hostname_check_before_authentication ||
++ data->set.allow_auth_to_other_hosts ||
+ strcasecompare(data->state.first_host, conn->host.name)) {
+ result = output_auth_headers(conn, authhost, request, path, FALSE);
+ }
+@@ -1651,6 +1651,14 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn,
+ checkprefix("Transfer-Encoding:", headers->data))
+ /* HTTP/2 doesn't support chunked requests */
+ ;
++ else if(checkprefix("Authorization:", headers->data) &&
++ /* be careful of sending this potentially sensitive header to
++ other hosts */
++ (data->state.this_is_a_follow &&
++ data->state.first_host &&
++ !data->set.allow_auth_to_other_hosts &&
++ !strcasecompare(data->state.first_host, conn->host.name)))
++ ;
+ else {
+ CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n",
+ headers->data);
+diff --git a/lib/url.c b/lib/url.c
+index 71d4d8b..ba53131 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1008,7 +1008,7 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option,
+ * Send authentication (user+password) when following locations, even when
+ * hostname changed.
+ */
+- data->set.http_disable_hostname_check_before_authentication =
++ data->set.allow_auth_to_other_hosts =
+ (0 != va_arg(param, long)) ? TRUE : FALSE;
+ break;
+
+diff --git a/lib/urldata.h b/lib/urldata.h
+index b4f18e7..1dd62ae 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1757,7 +1757,7 @@ struct UserDefined {
+ bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */
+ bool http_follow_location; /* follow HTTP redirects */
+ bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */
+- bool http_disable_hostname_check_before_authentication;
++ bool allow_auth_to_other_hosts;
+ bool include_header; /* include received protocol headers in data output */
+ bool http_set_referer; /* is a custom referer used */
+ bool http_auto_referer; /* set "correct" referer when following location: */
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 6e2f402..870d0da 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -55,7 +55,7 @@ test280 test281 test282 test283 test284 test285 test286 test287 test288 \
+ test289 test290 test291 test292 test293 test294 test295 test296 test297 \
+ test298 test299 test300 test301 test302 test303 test304 test305 test306 \
+ test307 test308 test309 test310 test311 test312 test313 \
+- test320 test321 test322 test323 test324 \
++ test317 test318 test320 test321 test322 test323 test324 \
+ test325 \
+ test350 test351 test352 test353 test354 \
+ \
+diff --git a/tests/data/test317 b/tests/data/test317
+new file mode 100644
+index 0000000..c6d8697
+--- /dev/null
++++ b/tests/data/test317
+@@ -0,0 +1,94 @@
++
++
++
++HTTP
++HTTP proxy
++HTTP Basic auth
++HTTP proxy Basic auth
++followlocation
++
++
++#
++# Server-side
++
++
++HTTP/1.1 302 OK
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Location: http://goto.second.host.now/3170002
++Content-Length: 8
++Connection: close
++
++contents
++
++
++HTTP/1.1 200 OK
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Content-Length: 9
++
++contents
++
++
++
++HTTP/1.1 302 OK
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Location: http://goto.second.host.now/3170002
++Content-Length: 8
++Connection: close
++
++HTTP/1.1 200 OK
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Content-Length: 9
++
++contents
++
++
++
++#
++# Client-side
++
++
++http
++
++
++HTTP with custom Authorization: and redirect to new host
++
++
++http://first.host.it.is/we/want/that/page/317 -x %HOSTIP:%HTTPPORT -H "Authorization: s3cr3t" --proxy-user testing:this --location
++
++
++
++#
++# Verify data after the test has been "shot"
++
++
++^User-Agent:.*
++
++
++GET http://first.host.it.is/we/want/that/page/317 HTTP/1.1
++Host: first.host.it.is
++Proxy-Authorization: Basic dGVzdGluZzp0aGlz
++Accept: */*
++Proxy-Connection: Keep-Alive
++Authorization: s3cr3t
++
++GET http://goto.second.host.now/3170002 HTTP/1.1
++Host: goto.second.host.now
++Proxy-Authorization: Basic dGVzdGluZzp0aGlz
++Accept: */*
++Proxy-Connection: Keep-Alive
++
++
++
++
+diff --git a/tests/data/test318 b/tests/data/test318
+new file mode 100644
+index 0000000..838d1ba
+--- /dev/null
++++ b/tests/data/test318
+@@ -0,0 +1,95 @@
++
++
++
++HTTP
++HTTP proxy
++HTTP Basic auth
++HTTP proxy Basic auth
++followlocation
++
++
++#
++# Server-side
++
++
++HTTP/1.1 302 OK
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Location: http://goto.second.host.now/3180002
++Content-Length: 8
++Connection: close
++
++contents
++
++
++HTTP/1.1 200 OK
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Content-Length: 9
++
++contents
++
++
++
++HTTP/1.1 302 OK
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Location: http://goto.second.host.now/3180002
++Content-Length: 8
++Connection: close
++
++HTTP/1.1 200 OK
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake swsclose
++Content-Type: text/html
++Funny-head: yesyes
++Content-Length: 9
++
++contents
++
++
++
++#
++# Client-side
++
++
++http
++
++
++HTTP with custom Authorization: and redirect to new host
++
++
++http://first.host.it.is/we/want/that/page/318 -x %HOSTIP:%HTTPPORT -H "Authorization: s3cr3t" --proxy-user testing:this --location-trusted
++
++
++
++#
++# Verify data after the test has been "shot"
++
++
++^User-Agent:.*
++
++
++GET http://first.host.it.is/we/want/that/page/318 HTTP/1.1
++Host: first.host.it.is
++Proxy-Authorization: Basic dGVzdGluZzp0aGlz
++Accept: */*
++Proxy-Connection: Keep-Alive
++Authorization: s3cr3t
++
++GET http://goto.second.host.now/3180002 HTTP/1.1
++Host: goto.second.host.now
++Proxy-Authorization: Basic dGVzdGluZzp0aGlz
++Accept: */*
++Proxy-Connection: Keep-Alive
++Authorization: s3cr3t
++
++
++
++
+--
+2.13.6
+
diff --git a/0010-curl-7.55.1-CVE-2018-1000005.patch b/0010-curl-7.55.1-CVE-2018-1000005.patch
new file mode 100644
index 0000000..9b8bdf6
--- /dev/null
+++ b/0010-curl-7.55.1-CVE-2018-1000005.patch
@@ -0,0 +1,42 @@
+From cbe5cf0d95a0227739bd2126d5fa411d084e1af2 Mon Sep 17 00:00:00 2001
+From: Zhouyihai Ding
+Date: Wed, 10 Jan 2018 10:12:18 -0800
+Subject: [PATCH] http2: fix incorrect trailer buffer size
+
+Prior to this change the stored byte count of each trailer was
+miscalculated and 1 less than required. It appears any trailer
+after the first that was passed to Curl_client_write would be truncated
+or corrupted as well as the size. Potentially the size of some
+subsequent trailer could be erroneously extracted from the contents of
+that trailer, and since that size is used by client write an
+out-of-bounds read could occur and cause a crash or be otherwise
+processed by client write.
+
+The bug appears to have been born in 0761a51 (precedes 7.49.0).
+
+Closes https://github.com/curl/curl/pull/2231
+
+Upstream-commit: fa3dbb9a147488a2943bda809c66fc497efe06cb
+Signed-off-by: Kamil Dudka
+---
+ lib/http2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/http2.c b/lib/http2.c
+index 0e55801..3d7610d 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -926,8 +926,8 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
+
+ if(stream->bodystarted) {
+ /* This is trailer fields. */
+- /* 3 is for ":" and "\r\n". */
+- uint32_t n = (uint32_t)(namelen + valuelen + 3);
++ /* 4 is for ": " and "\r\n". */
++ uint32_t n = (uint32_t)(namelen + valuelen + 4);
+
+ DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen,
+ value));
+--
+2.13.6
+
diff --git a/0016-curl-7.55.1-CVE-2018-1000122.patch b/0016-curl-7.55.1-CVE-2018-1000122.patch
new file mode 100644
index 0000000..14ac23f
--- /dev/null
+++ b/0016-curl-7.55.1-CVE-2018-1000122.patch
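Review bot: In `on_header` in lib/http2.c (0010-curl-7.55.1-CVE-2018-1000005.patch), the trailer length is still a hand-counted `4` that has to agree with the separator and line ending written when the trailer is stored, and that code is outside this hunk; a one-byte disagreement between the two is exactly what this patch corrects. Deriving the count from the literal, e.g. `uint32_t n = (uint32_t)(namelen + valuelen + sizeof(": \r\n") - 1);`, keeps the size and the format from drifting apart again. The cast to `uint32_t` also narrows the sum without a range check; the types of `namelen` and `valuelen` are not visible here, so confirm the sum cannot exceed 32 bits before it is used as a stored length.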
@@ -0,0 +1,41 @@
+From fffbdcf516a527482095eac30baa27b78c2dbaa2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 8 Mar 2018 10:33:16 +0100
+Subject: [PATCH] readwrite: make sure excess reads don't go beyond buffer end
+
+CVE-2018-1000122
+Bug: https://curl.haxx.se/docs/adv_2018-b047.html
+
+Detected by OSS-fuzz
+
+Upstream-commit: d52dc4760f6d9ca1937eefa2093058a952465128
+Signed-off-by: Kamil Dudka
+---
+ lib/transfer.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 3537b58..bc3b39b 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -788,10 +788,15 @@ static CURLcode readwrite_data(struct Curl_easy *data,
+
+ } /* if(!header and data to read) */
+
+- if(conn->handler->readwrite &&
+- (excess > 0 && !conn->bits.stream_was_rewound)) {
++ if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) {
+ /* Parse the excess data */
+ k->str += nread;
++
++ if(&k->str[excess] > &k->buf[data->set.buffer_size]) {
++ /* the excess amount was too excessive(!), make sure
++ it doesn't read out of buffer */
++ excess = &k->buf[data->set.buffer_size] - k->str;
++ }
+ nread = (ssize_t)excess;
+
+ result = conn->handler->readwrite(data, conn, &nread, &readmore);
+--
+2.14.3
+
diff --git a/0017-curl-7.55.1-CVE-2018-1000121.patch b/0017-curl-7.55.1-CVE-2018-1000121.patch
new file mode 100644
index 0000000..aa84a7b
--- /dev/null
+++ b/0017-curl-7.55.1-CVE-2018-1000121.patch
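Review bot: The new bound check in `readwrite_data` (lib/transfer.c, 0016-curl-7.55.1-CVE-2018-1000122.patch) forms `&k->str[excess]` before it knows that address lies inside the buffer, so for an oversized `excess` the comparison itself relies on out-of-range pointer arithmetic, which C leaves undefined. Comparing lengths avoids that, assuming `k->str` never passes the end of `k->buf`: `size_t room = (size_t)(&k->buf[data->set.buffer_size] - k->str);` followed by `if(excess > room) excess = room;`. The same pointer-sum pattern appears in the `Curl_pp_readresp` check added by 0020-curl-7.55.1-CVE-2018-1000300.patch (`ptr + pp->cache_size`). The condition also changed from `excess > 0` to `excess`; the declaration of `excess` is outside the hunk, so confirm it is unsigned, otherwise a negative value now enters the branch.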
@@ -0,0 +1,45 @@
+From 1d7bcc866591aba5788dc6c701ef8b564d09e329 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Tue, 6 Mar 2018 23:02:16 +0100
+Subject: [PATCH] openldap: check ldap_get_attribute_ber() results for NULL
+ before using
+
+CVE-2018-1000121
+Reported-by: Dario Weisser
+Bug: https://curl.haxx.se/docs/adv_2018-97a2.html
+
+Upstream-commit: 9889db043393092e9d4b5a42720bba0b3d58deba
+Signed-off-by: Kamil Dudka
+---
+ lib/openldap.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/openldap.c b/lib/openldap.c
+index 369309c..d71946d 100644
+--- a/lib/openldap.c
++++ b/lib/openldap.c
+@@ -445,7 +445,7 @@ static ssize_t ldap_recv(struct connectdata *conn, int sockindex, char *buf,
+
+ for(ent = ldap_first_message(li->ld, msg); ent;
+ ent = ldap_next_message(li->ld, ent)) {
+- struct berval bv, *bvals, **bvp = &bvals;
++ struct berval bv, *bvals;
+ int binary = 0, msgtype;
+ CURLcode writeerr;
+
+@@ -507,9 +507,9 @@ static ssize_t ldap_recv(struct connectdata *conn, int sockindex, char *buf,
+ }
+ data->req.bytecount += bv.bv_len + 5;
+
+- for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp);
+- rc == LDAP_SUCCESS;
+- rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp)) {
++ for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals);
++ (rc == LDAP_SUCCESS) && bvals;
++ rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals)) {
+ int i;
+
+ if(bv.bv_val == NULL) break;
+--
+2.14.3
+
diff --git a/0018-curl-7.55.1-CVE-2018-1000120.patch b/0018-curl-7.55.1-CVE-2018-1000120.patch
new file mode 100644
index 0000000..3e55578
--- /dev/null
+++ b/0018-curl-7.55.1-CVE-2018-1000120.patch
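Review bot: In the attribute loop of `ldap_recv` (lib/openldap.c, 0017-curl-7.55.1-CVE-2018-1000121.patch), the added `&& bvals` test ends the whole loop the first time the library reports success with no value array, so any attributes that follow in the same entry are dropped without a trace. If that is intended, say so in a comment above the loop, for example `/* a NULL bvals is treated as end of attributes: never index it */`; if not, test `bvals` inside the body after the existing `bv.bv_val == NULL` check and `continue` instead. `bvals` is also declared uninitialized now that `bvp` is gone; it is only read after `rc == LDAP_SUCCESS`, so it is safe as long as a successful call always stores to it, which this hunk cannot show. The loop body continues outside the hunk.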
@@ -0,0 +1,302 @@ +From 5452fdc5ae93f3571074c591fdf28cdf630796a0 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 12 Sep 2017 09:29:01 +0200 +Subject: [PATCH 1/2] FTP: URL decode path for dir listing in nocwd mode + +Reported-by: Zenju on github + +Test 244 added to verify +Fixes #1974 +Closes #1976 + +Upstream-commit: ecf21c551fa3426579463abe34b623111b8d487c +Signed-off-by: Kamil Dudka +--- + lib/ftp.c | 29 ++++++++++++-------------- + tests/data/Makefile.inc | 2 +- + tests/data/test244 | 54 +++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 68 insertions(+), 17 deletions(-) + create mode 100644 tests/data/test244 + +diff --git a/lib/ftp.c b/lib/ftp.c +index bcba6bb..fb3a716 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -975,7 +975,7 @@ static CURLcode ftp_state_use_port(struct connectdata *conn, + char *port_start = NULL; + char *port_sep = NULL; + +- addr = calloc(addrlen+1, 1); ++ addr = calloc(addrlen + 1, 1); + if(!addr) + return CURLE_OUT_OF_MEMORY; + +@@ -1018,7 +1018,7 @@ static CURLcode ftp_state_use_port(struct connectdata *conn, + if(ip_end != NULL) { + port_start = strchr(ip_end, ':'); + if(port_start) { +- port_min = curlx_ultous(strtoul(port_start+1, NULL, 10)); ++ port_min = curlx_ultous(strtoul(port_start + 1, NULL, 10)); + port_sep = strchr(port_start, '-'); + if(port_sep) { + port_max = curlx_ultous(strtoul(port_sep + 1, NULL, 10)); +@@ -1457,25 +1457,22 @@ static CURLcode ftp_state_list(struct connectdata *conn) + then just do LIST (in that case: nothing to do here) + */ + char *cmd, *lstArg, *slashPos; ++ const char *inpath = data->state.path; + + lstArg = NULL; + if((data->set.ftp_filemethod == FTPFILE_NOCWD) && +- data->state.path && +- data->state.path[0] && +- strchr(data->state.path, '/')) { +- +- lstArg = strdup(data->state.path); +- if(!lstArg) +- return CURLE_OUT_OF_MEMORY; ++ inpath && inpath[0] && strchr(inpath, '/')) { ++ size_t n = strlen(inpath); + + /* Check if path does not end with /, as then we cut 
off the file part */ +- if(lstArg[strlen(lstArg) - 1] != '/') { +- ++ if(inpath[n - 1] != '/') { + /* chop off the file part if format is dir/dir/file */ +- slashPos = strrchr(lstArg, '/'); +- if(slashPos) +- *(slashPos+1) = '\0'; ++ slashPos = strrchr(inpath, '/'); ++ n = slashPos - inpath; + } ++ result = Curl_urldecode(data, inpath, n, &lstArg, NULL, FALSE); ++ if(result) ++ return result; + } + + cmd = aprintf("%s%s%s", +@@ -3497,7 +3494,7 @@ static CURLcode ftp_range(struct connectdata *conn) + } + else { + /* X-Y */ +- data->req.maxdownload = (to-from)+1; /* include last byte */ ++ data->req.maxdownload = (to - from) + 1; /* include last byte */ + data->state.resume_from = from; + DEBUGF(infof(conn->data, "FTP RANGE from %" CURL_FORMAT_CURL_OFF_T + " getting %" CURL_FORMAT_CURL_OFF_T " bytes\n", +@@ -4196,7 +4193,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) + return result; + } + ftpc->dirdepth = 1; /* we consider it to be a single dir */ +- filename = slash_pos ? slash_pos+1 : cur_pos; /* rest is file name */ ++ filename = slash_pos ? 
slash_pos + 1 : cur_pos; /* rest is file name */ + } + else + filename = cur_pos; /* this is a file name only */ +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 870d0da..d95101b 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -47,7 +47,7 @@ test208 test209 test210 test211 test212 test213 test214 test215 test216 \ + test217 test218 test219 test220 test221 test222 test223 test224 test225 \ + test226 test227 test228 test229 test231 test233 test234 \ + test235 test236 test237 test238 test239 test240 test241 test242 test243 \ +- test245 test246 test247 test248 test249 test250 test251 test252 \ ++test244 test245 test246 test247 test248 test249 test250 test251 test252 \ + test253 test254 test255 test256 test257 test258 test259 test260 test261 \ + test262 test263 test264 test265 test266 test267 test268 test269 test270 \ + test271 test272 test273 test274 test275 test276 test277 test278 test279 \ +diff --git a/tests/data/test244 b/tests/data/test244 +new file mode 100644 +index 0000000..8ce4b63 +--- /dev/null ++++ b/tests/data/test244 +@@ -0,0 +1,54 @@ ++ ++ ++ ++FTP ++PASV ++CWD ++--ftp-method ++nocwd ++ ++ ++# ++# Server-side ++ ++ ++total 20 ++drwxr-xr-x 8 98 98 512 Oct 22 13:06 . ++drwxr-xr-x 8 98 98 512 Oct 22 13:06 .. 
++drwxr-xr-x 2 98 98 512 May 2 1996 .NeXT ++-r--r--r-- 1 0 1 35 Jul 16 1996 README ++lrwxrwxrwx 1 0 1 7 Dec 9 1999 bin -> usr/bin ++dr-xr-xr-x 2 0 1 512 Oct 1 1997 dev ++drwxrwxrwx 2 98 98 512 May 29 16:04 download.html ++dr-xr-xr-x 2 0 1 512 Nov 30 1995 etc ++drwxrwxrwx 2 98 1 512 Oct 30 14:33 pub ++dr-xr-xr-x 5 0 1 512 Oct 1 1997 usr ++ ++ ++ ++# Client-side ++ ++ ++ftp ++ ++ ++FTP dir listing with nocwd and URL encoded path ++ ++ ++--ftp-method nocwd ftp://%HOSTIP:%FTPPORT/fir%23t/th%69rd/244/ ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++USER anonymous ++PASS ftp@example.com ++PWD ++EPSV ++TYPE A ++LIST fir#t/third/244/ ++QUIT ++ ++ ++ +-- +2.14.3 + + +From 9534442aae1da4e6cf2ce815e47dbcd82695c3d4 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 31 Jan 2018 08:40:11 +0100 +Subject: [PATCH 2/2] FTP: reject path components with control codes + +Refuse to operate when given path components featuring byte values lower +than 32. + +Previously, inserting a %00 sequence early in the directory part when +using the 'singlecwd' ftp method could make curl write a zero byte +outside of the allocated buffer. + +Test case 340 verifies. 
+ +CVE-2018-1000120 +Reported-by: Duy Phan Thanh +Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html + +Upstream-commit: 535432c0adb62fe167ec09621500470b6fa4eb0f +Signed-off-by: Kamil Dudka +--- + lib/ftp.c | 8 ++++---- + tests/data/Makefile.inc | 3 +++ + tests/data/test340 | 40 ++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 47 insertions(+), 4 deletions(-) + create mode 100644 tests/data/test340 + +diff --git a/lib/ftp.c b/lib/ftp.c +index fb3a716..268efdd 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -1470,7 +1470,7 @@ static CURLcode ftp_state_list(struct connectdata *conn) + slashPos = strrchr(inpath, '/'); + n = slashPos - inpath; + } +- result = Curl_urldecode(data, inpath, n, &lstArg, NULL, FALSE); ++ result = Curl_urldecode(data, inpath, n, &lstArg, NULL, TRUE); + if(result) + return result; + } +@@ -3183,7 +3183,7 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status, + + if(!result) + /* get the "raw" path */ +- result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE); ++ result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE); + if(result) { + /* We can limp along anyway (and should try to since we may already be in + * the error path) */ +@@ -4187,7 +4187,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) + result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/", + slash_pos ? 
dirlen : 1, + &ftpc->dirs[0], NULL, +- FALSE); ++ TRUE); + if(result) { + freedirs(ftpc); + return result; +@@ -4294,7 +4294,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) + size_t dlen; + char *path; + CURLcode result = +- Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE); ++ Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE); + if(result) { + freedirs(ftpc); + return result; +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index d95101b..af41634 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -57,6 +57,9 @@ test298 test299 test300 test301 test302 test303 test304 test305 test306 \ + test307 test308 test309 test310 test311 test312 test313 \ + test317 test318 test320 test321 test322 test323 test324 \ + test325 \ ++\ ++test340 \ ++\ + test350 test351 test352 test353 test354 \ + \ + test400 test401 test402 test403 test404 test405 test406 test407 test408 \ +diff --git a/tests/data/test340 b/tests/data/test340 +new file mode 100644 +index 0000000..d834d76 +--- /dev/null ++++ b/tests/data/test340 +@@ -0,0 +1,40 @@ ++ ++ ++ ++FTP ++PASV ++CWD ++--ftp-method ++singlecwd ++ ++ ++# ++# Server-side ++ ++ ++ ++# Client-side ++ ++ ++ftp ++ ++ ++FTP using %00 in path with singlecwd ++ ++ ++--ftp-method singlecwd ftp://%HOSTIP:%FTPPORT/%00first/second/third/340 ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++USER anonymous ++PASS ftp@example.com ++PWD ++ ++ ++3 ++ ++ ++ +-- +2.14.3 + diff --git a/0019-curl-7.55.1-CVE-2018-1000301.patch b/0019-curl-7.55.1-CVE-2018-1000301.patch new file mode 100644 index 0000000..f72401b --- /dev/null +++ b/0019-curl-7.55.1-CVE-2018-1000301.patch 
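Review bot: In `ftp_state_list` (lib/ftp.c, patch 1/2 of 0018-curl-7.55.1-CVE-2018-1000120.patch), `n = slashPos - inpath` becomes 0 when the only slash in `inpath` is its first character, and the other `Curl_urldecode` calls in this file pass 0 as the length to decode the whole string, so such a path would presumably be decoded in full instead of being cut at the directory. The removed code kept the slash (`*(slashPos+1) = '\0'`), while the new length drops it, which also changes what is sent for `dir/dir/file`. `n = (size_t)(slashPos - inpath) + 1;` keeps the earlier behaviour and can never be 0. Test 244 only covers a path that already ends in `/`, so neither case is exercised.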
@@ -0,0 +1,48 @@
+From 5815730864a2010872840bae24797983e892eb90 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sat, 24 Mar 2018 23:47:41 +0100
+Subject: [PATCH 1/2] http: restore buffer pointer when bad response-line is
+ parsed
+
+... leaving the k->str could lead to buffer over-reads later on.
+
+CVE: CVE-2018-1000301
+Assisted-by: Max Dymond
+
+Detected by OSS-Fuzz.
+Bug: https://curl.haxx.se/docs/adv_2018-b138.html
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
+
+Upstream-commit: 8c7b3737d29ed5c0575bf592063de8a51450812d
+Signed-off-by: Kamil Dudka
+---
+ lib/http.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 841f6cc..dc10f5f 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -2944,6 +2944,8 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+ {
+ CURLcode result;
+ struct SingleRequest *k = &data->req;
++ ssize_t onread = *nread;
++ char *ostr = k->str;
+
+ /* header line within buffer loop */
+ do {
+@@ -3008,7 +3010,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+ else {
+ /* this was all we read so it's all a bad header */
+ k->badheader = HEADER_ALLBAD;
+- *nread = (ssize_t)rest_length;
++ *nread = onread;
++ k->str = ostr;
++ return CURLE_OK;
+ }
+ break;
+ }
+--
+2.14.3
+
diff --git a/0020-curl-7.55.1-CVE-2018-1000300.patch b/0020-curl-7.55.1-CVE-2018-1000300.patch
new file mode 100644
index 0000000..0dc80c5
--- /dev/null
+++ b/0020-curl-7.55.1-CVE-2018-1000300.patch
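Review bot: The early `return CURLE_OK` added to the `HEADER_ALLBAD` branch of `Curl_http_readwrite_headers` (lib/http.c, 0019-curl-7.55.1-CVE-2018-1000301.patch) has no comment saying why the function now leaves from inside the header loop, and the names `onread` and `ostr` do not say that they hold the values on entry. A short comment on the branch would carry the reasoning from the commit message into the code, e.g. `/* hand the untouched buffer back: restore k->str and *nread to their values on entry */`. The snapshot is taken once before the `do` loop and the lines between the two hunks are not shown, so confirm that `k->str` cannot have been advanced over earlier, valid header lines by the time this branch runs, since the restore would then hand them back a second time.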
@@ -0,0 +1,39 @@
+From 9b757a9a431f6859807d9f6e697cc2d2a120098d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Fri, 23 Mar 2018 23:30:04 +0100
+Subject: [PATCH 2/2] pingpong: fix response cache memcpy overflow
+
+Response data for a handle with a large buffer might be cached and then
+used with the "closure" handle when it has a smaller buffer and then the
+larger cache will be copied and overflow the new smaller heap based
+buffer.
+
+Reported-by: Dario Weisser
+CVE: CVE-2018-1000300
+Bug: https://curl.haxx.se/docs/adv_2018-82c2.html
+
+Upstream-commit: 583b42cb3b809b1bf597af160468ccba728c2248
+Signed-off-by: Kamil Dudka
+---
+ lib/pingpong.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/pingpong.c b/lib/pingpong.c
+index 438856a..ad370ee 100644
+--- a/lib/pingpong.c
++++ b/lib/pingpong.c
+@@ -297,7 +297,10 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd,
+ * it would have been populated with something of size int to begin
+ * with, even though its datatype may be larger than an int.
+ */
+- DEBUGASSERT((ptr+pp->cache_size) <= (buf+data->set.buffer_size+1));
++ if((ptr + pp->cache_size) > (buf + data->set.buffer_size + 1)) {
++ failf(data, "cached response data too big to handle");
++ return CURLE_RECV_ERROR;
++ }
+ memcpy(ptr, pp->cache, pp->cache_size);
+ gotbytes = (ssize_t)pp->cache_size;
+ free(pp->cache); /* free the cache */
+--
+2.14.3
+
diff --git a/0021-curl-7.55.1-pkcs11.patch b/0021-curl-7.55.1-pkcs11.patch
new file mode 100644
index 0000000..1e00b6d
--- /dev/null
+++ b/0021-curl-7.55.1-pkcs11.patch
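Review bot: The new early return in `Curl_pp_readresp` (lib/pingpong.c, 0020-curl-7.55.1-CVE-2018-1000300.patch) leaves before `free(pp->cache)`, so on the error path `pp->cache` and `pp->cache_size` keep the oversized data. Whether that is released later depends on cleanup code outside this hunk; if the same `pp` can be read again, the check would fail on every call. Consider dropping the cache before returning, e.g. `free(pp->cache); pp->cache = NULL; pp->cache_size = 0;` ahead of the `failf` call. The function body starts and ends outside the hunk.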
@@ -0,0 +1,225 @@ +From 1b9c12b59b582d5366d9a11198631be54c94e440 Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Mon, 19 Feb 2018 14:31:06 +0100 +Subject: [PATCH] ssl: set engine implicitly when a PKCS#11 URI is provided + +This allows the use of PKCS#11 URI for certificates and keys without +setting the corresponding type as "ENG" and the engine as "pkcs11" +explicitly. If a PKCS#11 URI is provided for certificate, key, +proxy_certificate or proxy_key, the corresponding type is set as "ENG" +if not provided and the engine is set to "pkcs11" if not provided. + +Acked-by: Nikos Mavrogiannopoulos +Closes #2333 + +Upstream-commit: 298d2565e2a2f06a859b7f5a1cc24ba7c87a8ce2 +Signed-off-by: Kamil Dudka +--- + docs/cmdline-opts/cert.d | 7 ++++++ + docs/cmdline-opts/key.d | 7 ++++++ + lib/vtls/openssl.c | 38 ++++++++++++++++++++++++++++ + src/tool_getparam.c | 2 +- + src/tool_operate.c | 53 ++++++++++++++++++++++++++++++++++++++++ + tests/unit/unit1394.c | 3 +++ + 6 files changed, 109 insertions(+), 1 deletion(-) + +diff --git a/docs/cmdline-opts/cert.d b/docs/cmdline-opts/cert.d +index 0cd5d53..ae6fe2f 100644 +--- a/docs/cmdline-opts/cert.d ++++ b/docs/cmdline-opts/cert.d +@@ -23,6 +23,13 @@ nickname contains ":", it needs to be preceded by "\\" so that it is not + recognized as password delimiter. If the nickname contains "\\", it needs to + be escaped as "\\\\" so that it is not recognized as an escape character. + ++If curl is built against OpenSSL library, and the engine pkcs11 is available, ++then a PKCS#11 URI (RFC 7512) can be used to specify a certificate located in ++a PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a ++PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set ++as "pkcs11" if none was provided and the --cert-type option will be set as ++"ENG" if none was provided. 
++ + (iOS and macOS only) If curl is built against Secure Transport, then the + certificate string can either be the name of a certificate/private key in the + system or user keychain, or the path to a PKCS#12-encoded certificate and +diff --git a/docs/cmdline-opts/key.d b/docs/cmdline-opts/key.d +index fbf583a..4877b42 100644 +--- a/docs/cmdline-opts/key.d ++++ b/docs/cmdline-opts/key.d +@@ -7,4 +7,11 @@ Private key file name. Allows you to provide your private key in this separate + file. For SSH, if not specified, curl tries the following candidates in order: + '~/.ssh/id_rsa', '~/.ssh/id_dsa', './id_rsa', './id_dsa'. + ++If curl is built against OpenSSL library, and the engine pkcs11 is available, ++then a PKCS#11 URI (RFC 7512) can be used to specify a private key located in a ++PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a ++PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set ++as "pkcs11" if none was provided and the --key-type option will be set as ++"ENG" if none was provided. ++ + If this option is used several times, the last one will be used. 
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 8c1d5a8..82c3c86 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -380,8 +380,25 @@ static int ssl_ui_writer(UI *ui, UI_STRING *uis) + } + return (UI_method_get_writer(UI_OpenSSL()))(ui, uis); + } ++ ++/* ++ * Check if a given string is a PKCS#11 URI ++ */ ++static bool is_pkcs11_uri(const char *string) ++{ ++ if(strncasecompare(string, "pkcs11:", 7)) { ++ return TRUE; ++ } ++ else { ++ return FALSE; ++ } ++} ++ + #endif + ++CURLcode Curl_ossl_set_engine(struct Curl_easy *data, ++ const char *engine); ++ + static + int cert_stuff(struct connectdata *conn, + SSL_CTX* ctx, +@@ -443,6 +460,16 @@ int cert_stuff(struct connectdata *conn, + case SSL_FILETYPE_ENGINE: + #if defined(HAVE_OPENSSL_ENGINE_H) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME) + { ++ /* Implicitly use pkcs11 engine if none was provided and the ++ * cert_file is a PKCS#11 URI */ ++ if(!data->state.engine) { ++ if(is_pkcs11_uri(cert_file)) { ++ if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) { ++ return 0; ++ } ++ } ++ } ++ + if(data->state.engine) { + const char *cmd_name = "LOAD_CERT_CTRL"; + struct { +@@ -614,6 +641,17 @@ int cert_stuff(struct connectdata *conn, + #ifdef HAVE_OPENSSL_ENGINE_H + { /* XXXX still needs some work */ + EVP_PKEY *priv_key = NULL; ++ ++ /* Implicitly use pkcs11 engine if none was provided and the ++ * key_file is a PKCS#11 URI */ ++ if(!data->state.engine) { ++ if(is_pkcs11_uri(key_file)) { ++ if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) { ++ return 0; ++ } ++ } ++ } ++ + if(data->state.engine) { + UI_METHOD *ui_method = + UI_create_method((char *)"curl user interface"); +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index b7ee519..7399757 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -333,7 +333,7 @@ void parse_cert_parameter(const char *cert_parameter, + * looks like a RFC7512 PKCS#11 URI which can be used as-is. 
+ * Also if cert_parameter contains no colon nor backslash, this + * means no passphrase was given and no characters escaped */ +- if(!strncmp(cert_parameter, "pkcs11:", 7) || ++ if(curl_strnequal(cert_parameter, "pkcs11:", 7) || + !strpbrk(cert_parameter, ":\\")) { + *certname = strdup(cert_parameter); + return; +diff --git a/src/tool_operate.c b/src/tool_operate.c +index 1e8d007..f041427 100644 +--- a/src/tool_operate.c ++++ b/src/tool_operate.c +@@ -127,6 +127,19 @@ static bool is_fatal_error(CURLcode code) + return FALSE; + } + ++/* ++ * Check if a given string is a PKCS#11 URI ++ */ ++static bool is_pkcs11_uri(const char *string) ++{ ++ if(curl_strnequal(string, "pkcs11:", 7)) { ++ return TRUE; ++ } ++ else { ++ return FALSE; ++ } ++} ++ + #ifdef __VMS + /* + * get_vms_file_size does what it takes to get the real size of the file +@@ -1136,6 +1149,46 @@ static CURLcode operate_do(struct GlobalConfig *global, + my_setopt_str(curl, CURLOPT_PINNEDPUBLICKEY, config->pinnedpubkey); + + if(curlinfo->features & CURL_VERSION_SSL) { ++ /* Check if config->cert is a PKCS#11 URI and set the ++ * config->cert_type if necessary */ ++ if(config->cert) { ++ if(!config->cert_type) { ++ if(is_pkcs11_uri(config->cert)) { ++ config->cert_type = strdup("ENG"); ++ } ++ } ++ } ++ ++ /* Check if config->key is a PKCS#11 URI and set the ++ * config->key_type if necessary */ ++ if(config->key) { ++ if(!config->key_type) { ++ if(is_pkcs11_uri(config->key)) { ++ config->key_type = strdup("ENG"); ++ } ++ } ++ } ++ ++ /* Check if config->proxy_cert is a PKCS#11 URI and set the ++ * config->proxy_type if necessary */ ++ if(config->proxy_cert) { ++ if(!config->proxy_cert_type) { ++ if(is_pkcs11_uri(config->proxy_cert)) { ++ config->proxy_cert_type = strdup("ENG"); ++ } ++ } ++ } ++ ++ /* Check if config->proxy_key is a PKCS#11 URI and set the ++ * config->proxy_key_type if necessary */ ++ if(config->proxy_key) { ++ if(!config->proxy_key_type) { ++ if(is_pkcs11_uri(config->proxy_key)) { ++ 
config->proxy_key_type = strdup("ENG"); ++ } ++ } ++ } ++ + my_setopt_str(curl, CURLOPT_SSLCERT, config->cert); + my_setopt_str(curl, CURLOPT_PROXY_SSLCERT, config->proxy_cert); + my_setopt_str(curl, CURLOPT_SSLCERTTYPE, config->cert_type); +diff --git a/tests/unit/unit1394.c b/tests/unit/unit1394.c +index 667991d..010f052 100644 +--- a/tests/unit/unit1394.c ++++ b/tests/unit/unit1394.c +@@ -56,6 +56,9 @@ UNITTEST_START + "foo:bar\\\\", "foo", "bar\\\\", + "foo:bar:", "foo", "bar:", + "foo\\::bar\\:", "foo:", "bar\\:", ++ "pkcs11:foobar", "pkcs11:foobar", NULL, ++ "PKCS11:foobar", "PKCS11:foobar", NULL, ++ "PkCs11:foobar", "PkCs11:foobar", NULL, + #ifdef WIN32 + "c:\\foo:bar:baz", "c:\\foo", "bar:baz", + "c:\\foo\\:bar:baz", "c:\\foo:bar", "baz", +-- +2.17.1 + diff --git a/0022-curl-7.55.1-CVE-2018-14618.patch b/0022-curl-7.55.1-CVE-2018-14618.patch new file mode 100644 index 0000000..6e4907e --- /dev/null +++ b/0022-curl-7.55.1-CVE-2018-14618.patch 
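Review bot: In `operate_do` (src/tool_operate.c, 0021-curl-7.55.1-pkcs11.patch), the four `strdup("ENG")` results are stored without a check, so on allocation failure the type stays NULL and the `pkcs11:` string is passed on with no type set, presumably to be treated as a file name. Check each one, e.g. `if(!config->cert_type) return CURLE_OUT_OF_MEMORY;`, or route the failure through whatever cleanup path the function uses outside this hunk. The comment above the proxy certificate block names `config->proxy_type` where the code sets `config->proxy_cert_type`. In lib/vtls/openssl.c, `is_pkcs11_uri(key_file)` is called before any visible NULL test on `key_file`; confirm that the engine key branch cannot be reached without a key name.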
@@ -0,0 +1,144 @@ +From bde648303aea273a688e65a1caafdd94b7b0123e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 4 Nov 2017 16:42:21 +0100 +Subject: [PATCH 1/3] ntlm: avoid malloc(0) for zero length passwords + +It triggers an assert() when built with memdebug since malloc(0) may +return NULL *or* a valid pointer. + +Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4054 + +Assisted-by: Max Dymond +Closes #2054 + +Upstream-commit: 685ef130575cdcf63fe9547757d88a49a40ef281 +Signed-off-by: Kamil Dudka +--- + lib/curl_ntlm_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c +index eb44f97..1c7b7b0 100644 +--- a/lib/curl_ntlm_core.c ++++ b/lib/curl_ntlm_core.c +@@ -538,7 +538,7 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data, + unsigned char *ntbuffer /* 21 bytes */) + { + size_t len = strlen(password); +- unsigned char *pw = malloc(len * 2); ++ unsigned char *pw = len ? malloc(len * 2) : strdup(""); + CURLcode result; + if(!pw) + return CURLE_OUT_OF_MEMORY; +-- +2.17.1 + + +From 2a23557fe8ab3316c5f961f79e50a03ab54cb07f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 27 Nov 2017 10:40:31 +0100 +Subject: [PATCH 2/3] curl_ntlm_core.c: use the limits.h's SIZE_T_MAX if + provided + +Upstream-commit: 014887c50ab58bf35b1231dbfe11197fe41d59cc +Signed-off-by: Kamil Dudka +--- + lib/curl_ntlm_core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c +index 1c7b7b0..9fc3e8d 100644 +--- a/lib/curl_ntlm_core.c ++++ b/lib/curl_ntlm_core.c +@@ -622,11 +622,14 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen, + return CURLE_OK; + } + ++#ifndef SIZE_T_MAX ++/* some limits.h headers have this defined, some don't */ + #if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) + #define SIZE_T_MAX 18446744073709551615U + #else + #define SIZE_T_MAX 4294967295U + #endif ++#endif + + /* This 
creates the NTLMv2 hash by using NTLM hash as the key and Unicode + * (uppercase UserName + Domain) as the data +-- +2.17.1 + + +From 405a7e855f1dfcc03d01e441cc53db1980c4454d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 13 Aug 2018 10:35:52 +0200 +Subject: [PATCH 3/3] Curl_ntlm_core_mk_nt_hash: return error on too long + password + +... since it would cause an integer overflow if longer than (max size_t +/ 2). + +This is CVE-2018-14618 + +Bug: https://curl.haxx.se/docs/CVE-2018-14618.html +Closes #2756 +Reported-by: Zhaoyang Wu + +Upstream-commit: 57d299a499155d4b327e341c6024e293b0418243 +Signed-off-by: Kamil Dudka +--- + lib/curl_ntlm_core.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c +index 9fc3e8d..34d8b67 100644 +--- a/lib/curl_ntlm_core.c ++++ b/lib/curl_ntlm_core.c +@@ -124,6 +124,15 @@ + #define NTLMv2_BLOB_SIGNATURE "\x01\x01\x00\x00" + #define NTLMv2_BLOB_LEN (44 -16 + ntlm->target_info_len + 4) + ++#ifndef SIZE_T_MAX ++/* some limits.h headers have this defined, some don't */ ++#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) ++#define SIZE_T_MAX 18446744073709551615U ++#else ++#define SIZE_T_MAX 4294967295U ++#endif ++#endif ++ + /* + * Turns a 56-bit key into being 64-bit wide. + */ +@@ -538,8 +547,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data, + unsigned char *ntbuffer /* 21 bytes */) + { + size_t len = strlen(password); +- unsigned char *pw = len ? malloc(len * 2) : strdup(""); ++ unsigned char *pw; + CURLcode result; ++ if(len > SIZE_T_MAX/2) /* avoid integer overflow */ ++ return CURLE_OUT_OF_MEMORY; ++ pw = len ? 
malloc(len * 2) : strdup(""); + if(!pw) + return CURLE_OUT_OF_MEMORY; + +@@ -622,15 +634,6 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen, + return CURLE_OK; + } + +-#ifndef SIZE_T_MAX +-/* some limits.h headers have this defined, some don't */ +-#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) +-#define SIZE_T_MAX 18446744073709551615U +-#else +-#define SIZE_T_MAX 4294967295U +-#endif +-#endif +- + /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode + * (uppercase UserName + Domain) as the data + */ +-- +2.17.1 + diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index f7f66e6..dc23308 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,92 +1,86 @@ -From 6bb4e674cdc953f5c0048aa84172539900725166 Mon Sep 17 00:00:00 2001 -From: Jan Macku -Date: Tue, 16 Dec 2025 10:04:40 +0100 +From 2a4754a3a7cf60ecc36d83cbe50b8c337cb87632 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 12 Apr 2013 12:04:05 +0200 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- - curl-config.in | 23 +++++------------------ - docs/curl-config.md | 4 +++- - libcurl.pc.in | 1 + - 3 files changed, 9 insertions(+), 19 deletions(-) + curl-config.in | 21 +++------------------ + docs/curl-config.1 | 4 +++- + libcurl.pc.in | 1 + + 3 files changed, 7 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index a1c8185875..bb43ca8335 100644 +index 150004d..95d0759 100644 --- a/curl-config.in 
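Review bot: The overflow guard in `Curl_ntlm_core_mk_nt_hash` (lib/curl_ntlm_core.c, patch 3/3 of 0022-curl-7.55.1-CVE-2018-14618.patch) depends on the hand-written `SIZE_T_MAX` fallback, which selects the 32-bit value whenever `SIZEOF_SIZE_T` is not defined, whatever the real width of `size_t` is. That errs on the safe side, but the limit can be exact without any macro: `if(len > ((size_t)-1) / 2)`. Returning `CURLE_OUT_OF_MEMORY` for an over-long password also reports an allocation failure that never happened; a comment at the return saying the input was rejected for its length would help whoever reads the error later.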
+++ b/curl-config.in -@@ -74,7 +74,7 @@ while test "$#" -gt 0; do - ;; +@@ -75,7 +75,7 @@ while test $# -gt 0; do + ;; - --cc) -- echo '@CC@' -+ echo 'gcc' - ;; + --cc) +- echo "@CC@" ++ echo "gcc" + ;; - --prefix) -@@ -149,16 +149,7 @@ while test "$#" -gt 0; do - ;; + --prefix) +@@ -142,29 +142,14 @@ while test $# -gt 0; do + ;; - --libs) -- if test "@libdir@" != '/usr/lib' && test "@libdir@" != '/usr/lib64'; then -- curllibdir="-L@libdir@ " -- else -- curllibdir='' -- fi -- if test '@ENABLE_SHARED@' = 'no'; then -- echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" -- else -- echo "${curllibdir}-lcurl" -- fi -+ echo '-lcurl' - ;; + --libs) +- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then +- CURLLIBDIR="-L@libdir@ " +- else +- CURLLIBDIR="" +- fi +- if test "X@REQUIRE_LIB_DEPS@" = "Xyes"; then +- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@ +- else +- echo ${CURLLIBDIR}-lcurl +- fi ++ echo -lcurl + ;; - --ssl-backends) -@@ -166,16 +157,12 @@ while test "$#" -gt 0; do - ;; + --static-libs) +- if test "X@ENABLE_STATIC@" != "Xno" ; then +- echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@ +- else +- echo "curl was built with static libraries disabled" >&2 +- exit 1 +- fi + ;; - --static-libs) -- if test '@ENABLE_STATIC@' != 'no'; then -- echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@" -- else -- echo 'curl was built with static libraries disabled' >&2 -- exit 1 -- fi -+ echo 'curl was built with static libraries disabled' >&2 -+ exit 1 - ;; + --configure) +- echo @CONFIGURE_OPTIONS@ ++ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' + ;; - --configure) -- echo @CONFIGURE_OPTIONS@ -+ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' - ;; - - *) -diff --git a/docs/curl-config.md b/docs/curl-config.md -index 12ad245b79..fa0e03d273 100644 ---- a/docs/curl-config.md -+++ b/docs/curl-config.md -@@ -87,7 +87,9 @@ no, one or several names. 
If more than one name, they appear comma-separated. - ## `--static-libs` - - Shows the complete set of libs and other linker options you need in order to --link your application with libcurl statically. (Added in 7.17.1) -+link your application with libcurl statically. Note that Fedora/RHEL libcurl + *) +diff --git a/docs/curl-config.1 b/docs/curl-config.1 +index 14a9d2b..ffcc004 100644 +--- a/docs/curl-config.1 ++++ b/docs/curl-config.1 +@@ -66,7 +66,9 @@ be listed using uppercase and are separated by newlines. There may be none, + one, or several protocols in the list. (Added in 7.13.0) + .IP "--static-libs" + Shows the complete set of libs and other linker options you will need in order +-to link your application with libcurl statically. (Added in 7.17.1) ++to link your application with libcurl statically. Note that Fedora/RHEL libcurl +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) - - ## `--version` - + .IP "--version" + Outputs version information about the installed libcurl. + .IP "--vernum" diff --git a/libcurl.pc.in b/libcurl.pc.in -index c0ba5244a8..f3645e1748 100644 +index 2ba9c39..f8f8b00 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in -@@ -28,6 +28,7 @@ libdir=@libdir@ +@@ -29,6 +29,7 @@ libdir=@libdir@ includedir=@includedir@ supported_protocols="@SUPPORT_PROTOCOLS@" supported_features="@SUPPORT_FEATURES@" +configure_options=@CONFIGURE_OPTIONS@ Name: libcurl - URL: https://curl.se/ + URL: https://curl.haxx.se/ -- -2.52.0 +2.5.0 diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch new file mode 100644 index 0000000..c26a03a --- /dev/null +++ b/0102-curl-7.36.0-debug.patch 
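Review bot: In the updated `curl-config.in` patch the `--static-libs)` case is left with an empty body, so `curl-config --static-libs` prints nothing and, unless the script fails elsewhere, reports success, while the sentence added to `docs/curl-config.1` says the packages cannot be linked statically. The side being replaced kept `echo 'curl was built with static libraries disabled' >&2` followed by `exit 1` in that case; without them a build script that captures the output gets an empty linker line instead of an error. I would keep those two lines in the case body so the failure is explicit.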
@@ -0,0 +1,65 @@ +From 6710648c2b270c9ce68a7d9f1bba1222c7be8b58 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Wed, 31 Oct 2012 11:38:30 +0100 +Subject: [PATCH] prevent configure script from discarding -g in CFLAGS (#496778) + +--- + configure | 13 +++---------- + m4/curl-compilers.m4 | 13 +++---------- + 2 files changed, 6 insertions(+), 20 deletions(-) + +diff --git a/configure b/configure +index 8f079a3..53b4774 100755 +--- a/configure ++++ b/configure +@@ -17079,18 +17079,11 @@ $as_echo "yes" >&6; } + gccvhi=`echo $gccver | cut -d . -f1` + gccvlo=`echo $gccver | cut -d . -f2` + compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` +- flags_dbg_all="-g -g0 -g1 -g2 -g3" +- flags_dbg_all="$flags_dbg_all -ggdb" +- flags_dbg_all="$flags_dbg_all -gstabs" +- flags_dbg_all="$flags_dbg_all -gstabs+" +- flags_dbg_all="$flags_dbg_all -gcoff" +- flags_dbg_all="$flags_dbg_all -gxcoff" +- flags_dbg_all="$flags_dbg_all -gdwarf-2" +- flags_dbg_all="$flags_dbg_all -gvms" ++ flags_dbg_all="" + flags_dbg_yes="-g" + flags_dbg_off="" +- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast" +- flags_opt_yes="-O2" ++ flags_opt_all="" ++ flags_opt_yes="" + flags_opt_off="-O0" + + OLDCPPFLAGS=$CPPFLAGS +diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4 +index 0cbba7a..9175b5b 100644 +--- a/m4/curl-compilers.m4 ++++ b/m4/curl-compilers.m4 +@@ -157,18 +157,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [ + gccvhi=`echo $gccver | cut -d . -f1` + gccvlo=`echo $gccver | cut -d . 
-f2` + compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` +- flags_dbg_all="-g -g0 -g1 -g2 -g3" +- flags_dbg_all="$flags_dbg_all -ggdb" +- flags_dbg_all="$flags_dbg_all -gstabs" +- flags_dbg_all="$flags_dbg_all -gstabs+" +- flags_dbg_all="$flags_dbg_all -gcoff" +- flags_dbg_all="$flags_dbg_all -gxcoff" +- flags_dbg_all="$flags_dbg_all -gdwarf-2" +- flags_dbg_all="$flags_dbg_all -gvms" ++ flags_dbg_all="" + flags_dbg_yes="-g" + flags_dbg_off="" +- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast" +- flags_opt_yes="-O2" ++ flags_opt_all="" ++ flags_opt_yes="" + flags_opt_off="-O0" + CURL_CHECK_DEF([_WIN32], [], [silent]) + else +-- +1.7.1 + diff --git a/0103-curl-7.55.1-system-crypto-policy.patch b/0103-curl-7.55.1-system-crypto-policy.patch new file mode 100644 index 0000000..8dd670b --- /dev/null +++ b/0103-curl-7.55.1-system-crypto-policy.patch @@ -0,0 +1,27 @@ +From 7271547cb46a4dc28004febaea19e5edaa2250d2 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 22 Aug 2017 17:02:26 +0200 +Subject: [PATCH] openssl: utilize system wide crypto policies + +... unless explicitly overridden via libcurl API +--- + lib/vtls/openssl.h | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/lib/vtls/openssl.h b/lib/vtls/openssl.h +index b9648d5..48036e1 100644 +--- a/lib/vtls/openssl.h ++++ b/lib/vtls/openssl.h +@@ -119,8 +119,7 @@ bool Curl_ossl_cert_status_request(void); + #endif + #define curlssl_cert_status_request() Curl_ossl_cert_status_request() + +-#define DEFAULT_CIPHER_SELECTION \ +- "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH" ++#define DEFAULT_CIPHER_SELECTION "PROFILE=SYSTEM" + + #endif /* USE_OPENSSL */ + #endif /* HEADER_CURL_SSLUSE_H */ +-- +2.9.5 + diff --git a/0104-curl-7.19.7-localhost6.patch b/0104-curl-7.19.7-localhost6.patch new file mode 100644 index 0000000..4f664d3 --- /dev/null +++ b/0104-curl-7.19.7-localhost6.patch 
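Review bot: `#define DEFAULT_CIPHER_SELECTION "PROFILE=SYSTEM"` in `lib/vtls/openssl.h` has no comment saying that this keyword is only understood by an OpenSSL built with the distribution's crypto-policies support, nor that the exclusions spelled out in the removed string (`!aNULL`, `!EXPORT`, `!LOW`, `!RC4`) now depend entirely on the installed policy. I would add a comment above the define, for example `/* Fedora/RHEL: defer to the system-wide crypto policy; needs an OpenSSL that accepts PROFILE=SYSTEM */`. It is also worth confirming what happens when the cipher string is rejected; presumably the code that applies it fails the connection, which is the safe outcome, but that code is outside this hunk.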
@@ -0,0 +1,51 @@ +diff --git a/tests/data/test1083 b/tests/data/test1083 +index e441278..b0958b6 100644 +--- a/tests/data/test1083 ++++ b/tests/data/test1083 +@@ -33,13 +33,13 @@ ipv6 + http-ipv6 + + +-HTTP-IPv6 GET with ip6-localhost --interface ++HTTP-IPv6 GET with localhost6 --interface + + +--g "http://%HOST6IP:%HTTP6PORT/1083" --interface ip6-localhost ++-g "http://%HOST6IP:%HTTP6PORT/1083" --interface localhost6 + + +-perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test server host address';} else {exec './server/resolve --ipv6 ip6-localhost'; print 'Cannot run precheck resolve';}" ++perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test server host address';} else {exec './server/resolve --ipv6 localhost6'; print 'Cannot run precheck resolve';}" + + + +diff --git a/tests/data/test241 b/tests/data/test241 +index 46eae1f..4e1632c 100644 +--- a/tests/data/test241 ++++ b/tests/data/test241 +@@ -30,13 +30,13 @@ ipv6 + http-ipv6 + + +-HTTP-IPv6 GET (using ip6-localhost) ++HTTP-IPv6 GET (using localhost6) + + +--g "http://ip6-localhost:%HTTP6PORT/241" ++-g "http://localhost6:%HTTP6PORT/241" + + +-./server/resolve --ipv6 ip6-localhost ++./server/resolve --ipv6 localhost6 + + + +@@ -48,7 +48,7 @@ HTTP-IPv6 GET (using ip6-localhost) + + + GET /241 HTTP/1.1 +-Host: ip6-localhost:%HTTP6PORT ++Host: localhost6:%HTTP6PORT + Accept: */* + + diff --git a/ci.fmf b/ci.fmf deleted file mode 100644 index d3546e9..0000000 --- a/ci.fmf +++ /dev/null @@ -1,9 +0,0 @@ -discover: - how: fmf -prepare: - how: install - exclude: - - libcurl-minimal - - curl-minimal -execute: - how: tmt diff --git a/curl-7.55.1.tar.xz.asc b/curl-7.55.1.tar.xz.asc new file mode 100644 index 0000000..c6d2d29 --- /dev/null +++ b/curl-7.55.1.tar.xz.asc 
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlmRPboACgkQXMkI/bce
+EsIxOAf9GPx5uj4rzy5VW8UhHgZXJl97S9mEVt8I6DnwpLrlCsV7jf4CHpys0Ymt
+kaRoqudjCfjfm2BRtoTZq9ZmWv6vMwuwKrfGwQSmtyNiVFnCZ2hX4QEErMDP27pn
+yJnlxO0MQVXCpKAxvmx2yRQ/qoGX18dGENBGe5USBOzh3QWArIN8vIaGsINvCmcM
+StMzgzNs+x4MP75xt6Wf+MH2biMfyXoq4zFsVKRYDlwZyr495uT9Zms4HzxPLlap
+LPotKQTj1ZcmC0tVLGDWXEx/aE65tLhsJjyLrIlIx+VvkKPwxN8rBntAAC8jh6az
+5bhonUTL94v5XnKySk7srhNP7ds8qQ==
+=3zTB
+-----END PGP SIGNATURE-----
diff --git a/curl.rpmlintrc b/curl.rpmlintrc
deleted file mode 100644
index 022a98e..0000000
--- a/curl.rpmlintrc
+++ /dev/null
@@ -1,15 +0,0 @@
-# Intentional stuff we're not concerned about
-addFilter("unversioned-explicit-provides webclient")
-addFilter("package-with-huge-docs")
-addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4")
-
-# This is just plain wrong (%_configure redefinition)
-addFilter("configure-without-libdir-spec")
-
-# Technical term
-addFilter("E: spelling-error \('kerberos',")
-
-# Artefacts of RemovePathPostfixes: .minimal
-addFilter("W: dangling-relative-symlink /usr/lib/.build-id/.* ../../../../.*curl.*\.minimal")
-#addFilter("W: dangling-relative-symlink /usr/lib.*/libcurl.so.4 libcurl.so.4.*.minimal")
-#addFilter("E: invalid-ldconfig-symlink /usr/lib.*/libcurl.so.4.* libcurl.so.4.*.minimal")
diff --git a/curl.spec b/curl.spec
index c0ad4db..50130d9 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,177 +1,133 @@ -# OpenSSL ENGINE support -# This is deprecated by OpenSSL since OpenSSL 3.0 and by Fedora since Fedora 41 -# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine -# Change the bcond to 0 to turn off ENGINE support by default -%bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10] - -# HTTP/3 support -# This is using ngtcp2 with OpenSSL 3.5 QUIC support instead of curl's -# experimental native OpenSSL 3.5 support. -%bcond http3 %[0%{?fedora} >= 43] - Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 8.18.0 -Release: 1%{?dist} -License: curl -Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz -Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc -# The curl download page ( https://curl.se/download.html ) links -# to Daniel's address page https://daniel.haxx.se/address.html for the GPG Key, -# which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc -Source2: mykey.asc +Version: 7.55.1 +Release: 14%{?dist} +License: MIT +Group: Applications/Internet +Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz + +# make zsh completion work again +Patch1: 0001-curl-7.55.1-zsh-completion.patch + +# http: Don't wait on CONNECT when there is no proxy (#1485702) +Patch2: 0002-curl-7.55.1-proxy-connect.patch + +# http2: handle GOAWAY properly (#1585797) +Patch4: 0004-curl-7.59.0-http2-GOAWAY.patch + +# fix out of bounds read in FTP PWD response parser (CVE-2017-1000254) +Patch5: 0005-curl-7.55.1-CVE-2017-1000254.patch + +# fix buffer overflow while processing IMAP FETCH response (CVE-2017-1000257) +Patch6: 0006-curl-7.55.1-CVE-2017-1000257.patch + +# fix FTP wildcard out of bounds read (CVE-2017-8817) +Patch7: 0007-curl-7.55.1-CVE-2017-8817.patch + +# fix NTLM buffer overflow via integer overflow (CVE-2017-8816) +Patch8: 0008-curl-7.55.1-CVE-2017-8816.patch + +# http: prevent custom Authorization headers in 
redirects (CVE-2018-1000007) +Patch9: 0009-curl-7.55.1-CVE-2018-1000007.patch + +# http2: fix incorrect trailer buffer size (CVE-2018-1000005) +Patch10: 0010-curl-7.55.1-CVE-2018-1000005.patch + +# fix RTSP RTP buffer over-read (CVE-2018-1000122) +Patch16: 0016-curl-7.55.1-CVE-2018-1000122.patch + +# fix LDAP NULL pointer dereference (CVE-2018-1000121) +Patch17: 0017-curl-7.55.1-CVE-2018-1000121.patch + +# fix FTP path trickery leads to NIL byte out of bounds write (CVE-2018-1000120) +Patch18: 0018-curl-7.55.1-CVE-2018-1000120.patch + +# fix RTSP bad headers buffer over-read (CVE-2018-1000301) +Patch19: 0019-curl-7.55.1-CVE-2018-1000301.patch + +# fix FTP shutdown response buffer overflow (CVE-2018-1000300) +Patch20: 0020-curl-7.55.1-CVE-2018-1000300.patch + +# ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544) +Patch21: 0021-curl-7.55.1-pkcs11.patch + +# fix NTLM password overflow via integer overflow (CVE-2018-14618) +Patch22: 0022-curl-7.55.1-CVE-2018-14618.patch # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch +# prevent configure script from discarding -g in CFLAGS (#496778) +Patch102: 0102-curl-7.36.0-debug.patch + +# utilize system wide crypto policies for TLS (#1483972) +Patch103: 0103-curl-7.55.1-system-crypto-policy.patch + +# use localhost6 instead of ip6-localhost in the curl test-suite +Patch104: 0104-curl-7.19.7-localhost6.patch + Provides: curl-full = %{version}-%{release} -# do not fail when trying to install curl-minimal after drop -Provides: curl-minimal = %{version}-%{release} Provides: webclient -URL: https://curl.se/ - -%if 0%{?fedora} -# instead of bundled wcurl utility, recommend wcurl package -Recommends: wcurl -%endif - -# The reason for maintaining two separate packages for curl is no longer valid. -# The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal. 
-# For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=2262096 -Obsoletes: curl-minimal < 8.6.0-4 - +URL: https://curl.haxx.se/ +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: automake -BuildRequires: brotli-devel -BuildRequires: coreutils -BuildRequires: gcc BuildRequires: groff BuildRequires: krb5-devel BuildRequires: libidn2-devel +BuildRequires: libmetalink-devel BuildRequires: libnghttp2-devel -%if %{with http3} -BuildRequires: libnghttp3-devel -%endif BuildRequires: libpsl-devel -BuildRequires: libssh-devel -BuildRequires: libtool -BuildRequires: make -%if %{with http3} -BuildRequires: ngtcp2-crypto-ossl-devel -%endif +BuildRequires: libssh2-devel BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server -BuildRequires: openssl BuildRequires: openssl-devel -%if %{with openssl_engine_support} && 0%{?fedora} >= 41 -BuildRequires: openssl-devel-engine -%endif -BuildRequires: perl-interpreter BuildRequires: pkgconfig -BuildRequires: python-unversioned-command -BuildRequires: python3-devel -BuildRequires: sed +BuildRequires: python +BuildRequires: stunnel BuildRequires: zlib-devel -# For gpg verification of source tarball -BuildRequires: gnupg2 - -# needed to compress content of tool_hugehelp.c after changing curl.1 man page -BuildRequires: perl(IO::Compress::Gzip) - -# needed for generation of shell completions -BuildRequires: perl(Getopt::Long) -BuildRequires: perl(Pod::Usage) -BuildRequires: perl(strict) -BuildRequires: perl(warnings) - -# needed for test1560 to succeed -BuildRequires: glibc-langpack-en - # gnutls-serv is used by the upstream test-suite BuildRequires: gnutls-utils -# hostname(1) is used by the test-suite but it is missing in armv7hl buildroot -BuildRequires: hostname - # nghttpx (an HTTP/2 proxy) is used by the upstream test-suite BuildRequires: nghttp2 # perl modules used in the test suite -BuildRequires: perl(B) -BuildRequires: perl(base) -BuildRequires: 
perl(constant) BuildRequires: perl(Cwd) BuildRequires: perl(Digest::MD5) -BuildRequires: perl(Digest::SHA) BuildRequires: perl(Exporter) BuildRequires: perl(File::Basename) BuildRequires: perl(File::Copy) BuildRequires: perl(File::Spec) -BuildRequires: perl(I18N::Langinfo) BuildRequires: perl(IPC::Open2) -BuildRequires: perl(List::Util) -BuildRequires: perl(Memoize) BuildRequires: perl(MIME::Base64) -BuildRequires: perl(POSIX) -BuildRequires: perl(Storable) -BuildRequires: perl(Time::HiRes) +BuildRequires: perl(strict) BuildRequires: perl(Time::Local) +BuildRequires: perl(Time::HiRes) +BuildRequires: perl(warnings) BuildRequires: perl(vars) -%if 0%{?fedora} -# needed for upstream test 1451 -BuildRequires: python3-impacket -%endif - # The test-suite runs automatically through valgrind if valgrind is available # on the system. By not installing valgrind into mock's chroot, we disable # this feature for production builds on architectures where valgrind is known # to be less reliable, in order to avoid unnecessary build failures (see RHBZ # #810992, #816175, and #886891). Nevertheless developers are free to install # valgrind manually to improve test coverage on any architecture. 
-%ifarch x86_64 +%ifarch x86_64 %{ix86} BuildRequires: valgrind %endif -# stunnel is used by upstream tests but it does not seem to work reliably -# on aarch64/s390x and occasionally breaks some tests (mainly 1561 and 1562) -%ifnarch aarch64 s390x -BuildRequires: stunnel -%endif - # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION Requires: libcurl%{?_isa} >= %{version}-%{release} -# Define OPENSSL_NO_ENGINE to avoid inclusion of -%if %{without openssl_engine_support} -%global _preprocessor_defines %{?_preprocessor_defines} -DOPENSSL_NO_ENGINE -%endif - -# require at least the version of libnghttp2 that we were built against, -# to ensure that we have the necessary symbols available (#2144277) -%global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0) - -# require at least the version of libnghttp3 that we were built against, -# to ensure that we have the necessary symbols available -%global libnghttp3_version %(pkg-config --modversion libnghttp3 2>/dev/null || echo 0) - -# require at least the version of libpsl that we were built against, -# to ensure that we have the necessary symbols available (#1631804) -%global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0) - -# require at least the version of libssh that we were built against, +# require at least the version of libssh2 that we were built against, # to ensure that we have the necessary symbols available (#525002, #642796) -%global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0) - -# require at least the version of ngtcp2 that we were built against, -# to ensure that we have the necessary symbols available -%global ngtcp2_version %(pkg-config --modversion libngtcp2 2>/dev/null || echo 0) +%global libssh2_version %(pkg-config --modversion libssh2 2>/dev/null || echo 0) # require at least the version of openssl-libs that we were built against, # to ensure that we have the necessary symbols available (#1462184, 
#1462211) -# (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though) -%global openssl_version %({ pkg-config --modversion openssl 2>/dev/null || echo 0;} | sed 's|-|-0.|') +%global openssl_version %(pkg-config --modversion openssl 2>/dev/null || echo 0) %description curl is a command line tool for transferring data with URL syntax, supporting @@ -183,15 +139,8 @@ resume, proxy tunneling and a busload of other useful tricks. %package -n libcurl Summary: A library for getting files from web servers -Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} -%if %{with http3} -Requires: libnghttp3%{?_isa} >= %{libnghttp3_version} -%endif -Requires: libpsl%{?_isa} >= %{libpsl_version} -Requires: libssh%{?_isa} >= %{libssh_version} -%if %{with http3} -Requires: ngtcp2%{?_isa} >= %{ngtcp2_version} -%endif +Group: Development/Libraries +Requires: libssh2%{?_isa} >= %{libssh2_version} Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl-full = %{version}-%{release} Provides: libcurl-full%{?_isa} = %{version}-%{release} @@ -206,6 +155,7 @@ resume, http proxy tunneling and more. %package -n libcurl-devel Summary: Files needed for building applications with libcurl +Group: Development/Libraries Requires: libcurl%{?_isa} = %{version}-%{release} Provides: curl-devel = %{version}-%{release} 
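Review bot: The new preamble lists only `Source:` and drops `Source1`, `Source2` and `BuildRequires: gnupg2`, and the `%prep` hunk (`@@ -235,107 +197,87 @@`) replaces the `%{gpgverify}` call with a bare `%setup -q`, so the tarball is unpacked and built with no signature check even though `curl-7.55.1.tar.xz.asc` is committed next to the spec. Integrity then rests only on whatever pins the tarball outside this spec, which is not visible in this diff. I would list the detached signature and the upstream key as sources again (`Source1: %{name}-%{version}.tar.xz.asc`, plus the key file) and verify before unpacking with `%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'`, provided the target release's macros supply `%{gpgverify}`; otherwise an explicit `gpgv2` call in `%prep` would do the same job.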
@@ -217,16 +167,28 @@ The libcurl-devel package includes header files and libraries necessary for developing programs which use the libcurl library. It contains the API documentation of the library, too. +%package -n curl-minimal +Summary: Conservatively configured build of curl for minimal installations +Provides: curl = %{version}-%{release} +Conflicts: curl +RemovePathPostfixes: .minimal + +# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION +Requires: libcurl%{?_isa} >= %{version}-%{release} + +%description -n curl-minimal +This is a replacement of the 'curl' package for minimal installations. It +comes with a limited set of features compared to the 'curl' package. On the +other hand, the package is smaller and requires fewer run-time dependencies to +be installed. + %package -n libcurl-minimal Summary: Conservatively configured build of libcurl for minimal installations -Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl = %{version}-%{release} Provides: libcurl%{?_isa} = %{version}-%{release} -Conflicts: libcurl%{?_isa} +Conflicts: libcurl RemovePathPostfixes: .minimal -# needed for RemovePathPostfixes to work with shared libraries -%undefine __brp_ldconfig %description -n libcurl-minimal This is a replacement of the 'libcurl' package for minimal installations. It 
@@ -235,107 +197,87 @@ other hand, the package is smaller and requires fewer run-time dependencies to be installed. %prep -%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' -%autosetup -n %{name}-%{version_no_tilde} -p1 +%setup -q -# disable test 1801 +# upstream patches +%patch1 -p1 +%patch2 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 + +# Fedora patches +%patch101 -p1 +%patch102 -p1 +%patch103 -p1 +%patch104 -p1 + +# regenerate Makefile.in files +aclocal -I m4 +automake + +# disable test 1112 (#565305) and test 1801 # -printf "1801\n" >>tests/data/DISABLED +# and test 2033, which is a flaky test for HTTP/1 pipelining +printf "1112\n1801\n2033\n" >> tests/data/DISABLED -# test3026: avoid pthread_create() failure due to resource exhaustion on i386 -%ifarch %{ix86} -sed -e 's|NUM_THREADS 1000$|NUM_THREADS 256|' \ - -i tests/libtest/lib3026.c +# disable test 1319 on ppc64 (server times out) +%ifarch ppc64 +echo "1319" >> tests/data/DISABLED %endif -# adapt test 323 for updated OpenSSL -sed -e 's|^35$|35,52|' -i tests/data/test323 - -# use localhost6 instead of ip6-localhost in the curl test-suite -( - # avoid glob expansion in the trace output of `bash -x` - { set +x; } 2>/dev/null - cmd="sed -e 's|ip6-localhost|localhost6|' -i tests/data/test[0-9]*" - printf "+ %s\n" "$cmd" >&2 - eval "$cmd" -) - -# avoid unnecessary arch-dependent line in the processed file -sed -e '/# Used in @libdir@/d' \ - -i curl-config.in +# temporarily disable failing libidn2 test-cases +printf "1034\n1035\n2046\n2047\n" >> tests/data/DISABLED %build -# regenerate the configure script and Makefile.in files -autoreconf -fiv - mkdir build-{full,minimal} -export common_configure_opts=" \ - --cache-file=../config.cache \ - --disable-manual \ - --disable-static \ - --enable-hsts \ - --enable-ipv6 \ - 
--enable-symbol-hiding \ - --enable-threaded-resolver \ - --without-zstd \ - --with-gssapi \ - --with-libidn2 \ - --with-nghttp2 \ - --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \ - --with-zsh-functions-dir" +export common_configure_opts=" \ + --cache-file=../config.cache \ + --disable-static \ + --enable-symbol-hiding \ + --enable-ipv6 \ + --enable-threaded-resolver \ + --with-gssapi \ + --with-nghttp2 \ + --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" %global _configure ../configure # configure minimal build ( cd build-minimal - %configure $common_configure_opts \ - --disable-dict \ - --disable-gopher \ - --disable-imap \ - --disable-ldap \ - --disable-ldaps \ - --disable-mqtt \ - --disable-ntlm \ - --disable-pop3 \ - --disable-rtsp \ - --disable-smb \ - --disable-smtp \ - --disable-telnet \ - --disable-tftp \ - --disable-tls-srp \ - --disable-websockets \ - --without-brotli \ - --without-libpsl \ - --without-libssh + %configure $common_configure_opts \ + --disable-ldap \ + --disable-ldaps \ + --disable-manual \ + --without-libidn2 \ + --without-libmetalink \ + --without-libpsl \ + --without-libssh2 ) # configure full build ( cd build-full - %configure $common_configure_opts \ - --enable-dict \ - --enable-gopher \ - --enable-imap \ - --enable-ldap \ - --enable-ldaps \ - --enable-mqtt \ - --enable-ntlm \ - --enable-pop3 \ - --enable-rtsp \ - --enable-smb \ - --enable-smtp \ - --enable-telnet \ - --enable-tftp \ - --enable-tls-srp \ - --enable-websockets \ - --with-brotli \ - --with-libpsl \ - --with-libssh \ -%if %{with http3} - --with-nghttp3 \ - --with-ngtcp2 \ -%endif + %configure $common_configure_opts \ + --enable-ldap \ + --enable-ldaps \ + --enable-manual \ + --with-libidn2 \ + --with-libmetalink \ + --with-libpsl \ + --with-libssh2 ) # avoid using rpath 
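Review bot: The minimal `%configure` block now switches off only LDAP, the manual and four optional libraries, so `curl-minimal` and `libcurl-minimal` are built with every other protocol handler left at the configure default, where the replaced side passed `--disable-telnet`, `--disable-tftp`, `--disable-smb`, `--disable-ntlm` and others explicitly. That sits badly with the "Conservatively configured" summary of the minimal subpackages, and it keeps the NTLM code that Patch22 fixes for CVE-2018-14618 in the flavour meant for small installs. If the 7.55.1 configure script accepts those switches, I would keep the explicit `--disable-*` list for the minimal build and add a comment above it naming the protocols the minimal flavour is meant to support.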
@@ -343,91 +285,73 @@ sed -e 's/^runpath_var=.*/runpath_var=/' \ -e 's/^hardcode_libdir_flag_spec=".*"$/hardcode_libdir_flag_spec=""/' \ -i build-{full,minimal}/libtool -%make_build V=1 -C build-minimal -%make_build V=1 -C build-full +make %{?_smp_mflags} V=1 -C build-minimal +make %{?_smp_mflags} V=1 -C build-full %check +# we have to override LD_LIBRARY_PATH because we eliminated rpath +LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" +export LD_LIBRARY_PATH + # compile upstream test-cases -%make_build V=1 -C build-minimal/tests -%make_build V=1 -C build-full/tests - -# relax crypto policy for the test-suite to make it pass again (#1610888) -export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX -export OPENSSL_CONF= - -# make runtests.pl work for out-of-tree builds -export srcdir=../../tests - -# prevent valgrind from being extremely slow (#1662656) -# https://fedoraproject.org/wiki/Changes/DebuginfodByDefault -unset DEBUGINFOD_URLS - -# run the upstream test-suite for both curl-minimal and curl-full -for size in minimal full; do ( - cd build-${size} - - # we have to override LD_LIBRARY_PATH because we eliminated rpath - export LD_LIBRARY_PATH="${PWD}/lib/.libs" - - cd tests - perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky' -) -done +cd build-full/tests +make %{?_smp_mflags} V=1 +# run the upstream test-suite +srcdir=../../tests perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky' %install # install and rename the library that will be packaged as libcurl-minimal -%make_install -C build-minimal/lib +make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-minimal/lib rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.{la,so} for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do mv -v $i $i.minimal done +# install and rename the executable that will be packaged as curl-minimal +make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-minimal/src +mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal} + # install libcurl.m4 install -d 
$RPM_BUILD_ROOT%{_datadir}/aclocal install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal # install the executable and library that will be packaged as curl and libcurl cd build-full -%make_install +make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -# do not install /usr/share/fish/completions/curl.fish which is also installed -# by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict -rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish +# install zsh completion for curl +# (we have to override LD_LIBRARY_PATH because we eliminated rpath) +LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \ + make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C scripts rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la -# do not install bundled wcurl utility -# it is provided by the wcurl package -rm -f ${RPM_BUILD_ROOT}%{_bindir}/wcurl -rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* +%post -n libcurl -p /sbin/ldconfig -%ldconfig_scriptlets -n libcurl +%postun -n libcurl -p /sbin/ldconfig -%ldconfig_scriptlets -n libcurl-minimal +%post -n libcurl-minimal -p /sbin/ldconfig + +%postun -n libcurl-minimal -p /sbin/ldconfig %files -%doc CHANGES.md -%doc README -%doc docs/BUGS.md -%doc docs/DISTROS.md -%doc docs/FAQ.md -%doc docs/FEATURES.md -%doc docs/KNOWN_BUGS.md -%doc docs/TODO.md -%doc docs/TheArtOfHttpScripting.md +%doc CHANGES README* +%doc docs/BUGS docs/FAQ docs/FEATURES +%doc docs/MANUAL docs/RESOURCES +%doc docs/TheArtOfHttpScripting docs/TODO %{_bindir}/curl %{_mandir}/man1/curl.1* -%{_datadir}/zsh +%{_datadir}/zsh/site-functions %files -n libcurl %license COPYING -%{_libdir}/libcurl.so.4 -%{_libdir}/libcurl.so.4.[0-9].[0-9] +%{_libdir}/libcurl.so.[0-9] +%{_libdir}/libcurl.so.[0-9].[0-9].[0-9] %files -n libcurl-devel %doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md -%doc docs/CONTRIBUTE.md docs/libcurl/ABI.md +%doc docs/CONTRIBUTE.md docs/libcurl/ABI %{_bindir}/curl-config* %{_includedir}/curl %{_libdir}/*.so 
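Review bot: `LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH"` in `%check`, and again in `%install` before `make ... install -C scripts`, leaves a trailing `:` when the variable is unset, and the dynamic loader treats an empty entry as the current directory. The test suite and the zsh completion generator would then also search their working directory for shared objects. Appending only when the variable is set avoids that: `LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"`. Separately, the new `%check` builds and runs `runtests.pl` only under `build-full`, so the minimal binaries are packaged without having been run through the test suite.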
@@ -436,701 +360,47 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* %{_mandir}/man3/* %{_datadir}/aclocal/libcurl.m4 +%files -n curl-minimal +%{_bindir}/curl.minimal +%{_mandir}/man1/curl.1* + %files -n libcurl-minimal %license COPYING -%{_libdir}/libcurl.so.4.minimal -%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal +%{_libdir}/libcurl.so.[0-9].minimal +%{_libdir}/libcurl.so.[0-9].[0-9].[0-9].minimal %changelog -* Wed Jan 07 2026 Jan Macku - 8.18.0-1 -- new upstream release +* Wed Sep 05 2018 Kamil Dudka - 7.55.1-14 +- fix NTLM password overflow via integer overflow (CVE-2018-14618) -* Mon Jan 05 2026 Jan Macku - 8.18.0~rc3-1 -- new upstream release candidate - -* Tue Dec 16 2025 Jan Macku - 8.18.0~rc2-1 -- new upstream release candidate -- reenable valgrind on test 616 - -* Tue Dec 09 2025 Jan Macku - 8.18.0~rc1-1 -- new upstream release candidate -- drop upstreamed patches - -* Sun Dec 07 2025 Aleksei Bavshin - 8.17.0-5 -- Enable HTTP/3 support with ngtcp2 - -* Thu Dec 04 2025 Jan Macku - 8.17.0-4 -- apply upstream patches for valgrind issues in HTTP/3 (#2408809) - -* Thu Nov 13 2025 Jan Macku - 8.17.0-3 -- recommend wcurl package instead of bundled wcurl utility - -* Thu Nov 13 2025 Jan Macku - 8.17.0-2 -- remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead - -* Mon Nov 10 2025 Jan Macku - 8.17.0-1 -- new upstream release - -* Thu Oct 30 2025 Jan Macku - 8.17.0~rc3-1 -- new upstream release candidate - -* Tue Oct 21 2025 Jan Macku - 8.17.0~rc2-1 -- new upstream release candidate - -* Mon Oct 13 2025 Jan Macku - 8.17.0~rc1-1 -- new upstream release candidate - -* Wed Sep 10 2025 Jan Macku - 8.16.0-1 -- new upstream release - -* Wed Sep 03 2025 Jan Macku - 8.16.0~rc3-1 -- new upstream release candidate - -* Tue Aug 26 2025 Jan Macku - 8.16.0~rc2-1 -- new upstream release candidate - -* Wed Jul 23 2025 Fedora Release Engineering - 8.15.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild - -* Wed Jul 16 2025 Jan 
Macku - 8.15.0-1 -- new upstream release - -* Thu Jul 10 2025 Jan Macku - 8.15.0~rc3-1 -- new upstream release candidate - -* Mon Jun 30 2025 Jan Macku - 8.15.0~rc2-1 -- new upstream release candidate - -* Mon Jun 23 2025 Jan Macku - 8.15.0~rc1-1 -- new upstream release candidate - -* Wed Jun 04 2025 Jan Macku - 8.14.1-1 -- new upstream release -- drop: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch (no longer needed) - -* Wed May 28 2025 Jan Macku - 8.14.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2025-5025 - No QUIC certificate pinning with wolfSSL - CVE-2025-4947 - QUIC certificate check skip with wolfSSL -- fix regression: curl_multi_add_handle() returning OOM when using more than 400 handles - -* Fri May 02 2025 Jan Macku - 8.14.0~rc1-1 -- new upstream release candidate -- new utility: wcurl which lets you download URLs without having to remember any parameters - -* Wed Apr 02 2025 Jan Macku - 8.13.0-1 -- new upstream release -- add build time dependency on openssl (required by tests) - -* Wed Mar 26 2025 Jan Macku - 8.13.0~rc3-1 -- new upstream release candidate -- drop: 0102-curl-7.84.0-test3026.patch (no longer needed) - -* Tue Mar 18 2025 Jan Macku - 8.13.0~rc2-1 -- new upstream release candidate - -* Thu Mar 13 2025 Jan Macku - 8.13.0~rc1-2 -- fix --cert parameter (#2351531) - -* Mon Mar 10 2025 Jan Macku - 8.13.0~rc1-1 -- new upstream release candidate - -* Wed Feb 05 2025 Jan Macku - 8.12.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2025-0725 - gzip integer overflow - CVE-2025-0665 - eventfd double close - CVE-2025-0167 - netrc and default credential leak -- drop upstreamed patches - -* Fri Jan 31 2025 Jan Macku - 8.11.1-4 -- TLS: check connection for SSL use, not handler (#2324130#c7) - -* Thu Jan 16 2025 Fedora Release Engineering - 8.11.1-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild - -* Sun Dec 15 2024 Paul Howarth - 8.11.1-2 -- Fix crash with Unexpected 
error 9 on netlink descriptor 10 (rhbz#2332350) - - https://github.com/curl/curl/issues/15725 - - https://github.com/curl/curl/pull/15727 - -* Wed Dec 11 2024 Jan Macku - 8.11.1-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2024-11053 - netrc and redirect credential leak - -* Wed Nov 06 2024 Yaakov Selkowitz - 8.11.0-2 -- Disable engine support on RHEL 10+ - -* Wed Nov 06 2024 Jan Macku - 8.11.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2024-9681 - HSTS subdomain overwrites parent cache entry - -* Tue Sep 24 2024 Jan Macku - 8.10.1-2 -- Use tls-ca-bundle.pem instead of ca-bundle.crt (OpenSSL specific) (#2313564) - -* Wed Sep 18 2024 Jan Macku - 8.10.1-1 -- new upstream release - -* Wed Sep 11 2024 Jan Macku - 8.10.0-1 -- new upstream release - -* Wed Aug 21 2024 Jacek Migacz - 8.9.1-3 -- Retire deprecated ntlm-wb configure option - -* Mon Aug 5 2024 voidanix - 8.9.1-2 -- Apply SIGPIPE-related patch due to upstream regression - -* Wed Jul 24 2024 Jan Macku - 8.9.1-1 -- new upstream release - -* Wed Jul 24 2024 Jan Macku - 8.9.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2024-6874 - macidn punycode buffer overread - CVE-2024-6197 - freeing stack buffer in utf8asn1str -- drop upstreamed patches - -* Wed Jul 17 2024 Fedora Release Engineering - 8.8.0-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild - -* Fri Jul 12 2024 Paul Howarth - 8.8.0-2 -- adapt for https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine -- added build condition for openssl_engine_support, true by default so as to - not change the resulting built package (yet) -- with openssl_engine_support true, BR: openssl-devel-engine -- with openssl_engine_support false, build with -DOPENSSL_NO_ENGINE - -* Wed May 22 2024 Jan Macku - 8.8.0-1 -- new upstream release -- drop upstreamed patches - -* Wed Mar 27 2024 Jan Macku - 8.7.1-1 -- new upstream release, which fixes the following 
vulnerabilities - CVE-2024-2004 - Usage of disabled protocol - CVE-2024-2379 - QUIC certificate check bypass with wolfSSL - CVE-2024-2398 - HTTP/2 push headers memory-leak - CVE-2024-2466 - TLS certificate check bypass with mbedTLS -- drop upstreamed patches -- reenable test 0313 -- fix zsh completions, use --with-zsh-functions-dir -- apply upstream patches for 8.7.1 issues and regressions - -* Mon Feb 19 2024 Jan Macku - 8.6.0-7 -- Fix: Leftovers after chunking should not be part of the curl buffer output (#2264220) - -* Mon Feb 12 2024 Jan Macku - 8.6.0-6 -- revert "receive max buffer" + add test case -- temporarily disable test 0313 -- remove suggests of libcurl-minimal in curl-full - -* Mon Feb 12 2024 Jan Macku - 8.6.0-5 -- add Provides to curl-minimal - -* Wed Feb 07 2024 Jan Macku - 8.6.0-4 -- drop curl-minimal subpackage in favor of curl-full (#2262096) - -* Mon Feb 05 2024 Jan Macku - 8.6.0-3 -- ignore response body to HEAD requests - -* Fri Feb 02 2024 Jan Macku - 8.6.0-2 -- don't build manual for curl-full - use man 1 curl instead (#2262373) - -* Thu Feb 01 2024 Jan Macku - 8.6.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2024-0853 - OCSP verification bypass with TLS session reuse -- drop 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch (replaced by upstream fix) -- remove accidentally included mk-ca-bundle.1 man page (upstream bug #12843) - -* Fri Jan 19 2024 Fedora Release Engineering - 8.5.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Wed Dec 06 2023 Jan Macku - 8.5.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2023-46218 - cookie mixed case PSL bypass - CVE-2023-46219 - HSTS long file name clears contents - -* Wed Oct 11 2023 Jan Macku - 8.4.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2023-38545 - SOCKS5 heap buffer overflow - CVE-2023-38546 - cookie injection with none file - -* Wed Sep 13 2023 Jan Macku - 8.3.0-1 -- 
new upstream release, which fixes the following vulnerabilities - CVE-2023-38039 - HTTP headers eat all memory - -* Wed Aug 02 2023 Jan Macku - 8.2.1-2 -- enable websockets (#2224651) - -* Wed Jul 26 2023 Lukáš Zaoral - 8.2.1-1 -- new upstream release (rhbz#2226659) - -* Wed Jul 19 2023 Jan Macku - 8.2.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2023-32001 - fopen race condition - -* Tue May 30 2023 Jan Macku - 8.1.2-1 -- new upstream release, with small bugfixes and improvements - -* Tue May 23 2023 Jan Macku - 8.1.1-1 -- new upstream release, with small bugfixes and improvements - -* Wed May 17 2023 Kamil Dudka - 8.1.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2023-28321 - IDN wildcard match - CVE-2023-28322 - more POST-after-PUT confusion - -* Fri Apr 21 2023 Kamil Dudka - 8.0.1-3 -- tests: re-enable temporarily disabled test-cases -- tests: attempt to fix a conflict on port numbers -- apply patches automatically - -* Tue Mar 21 2023 Lukáš Zaoral - 8.0.1-2 -- migrated to SPDX license - -* Mon Mar 20 2023 Kamil Dudka - 8.0.1-1 -- new upstream release - -* Mon Mar 20 2023 Kamil Dudka - 8.0.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2023-27538 - SSH connection too eager reuse still - CVE-2023-27537 - HSTS double-free - CVE-2023-27536 - GSS delegation too eager connection re-use - CVE-2023-27535 - FTP too eager connection reuse - CVE-2023-27534 - SFTP path ~ resolving discrepancy - CVE-2023-27533 - TELNET option IAC injection - -* Mon Feb 20 2023 Kamil Dudka - 7.88.1-1 -- new upstream release - -* Fri Feb 17 2023 Kamil Dudka - 7.88.0-2 -- http2: set drain on stream end - -* Wed Feb 15 2023 Kamil Dudka - 7.88.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2023-23916 - HTTP multi-header compression denial of service - CVE-2023-23915 - HSTS amnesia with --parallel - CVE-2023-23914 - HSTS ignored on multiple requests - -* Fri Jan 20 2023 
Kamil Dudka - 7.87.0-4 -- fix regression in a public header file (#2162716) - -* Thu Jan 19 2023 Fedora Release Engineering - 7.87.0-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Wed Jan 11 2023 Kamil Dudka - 7.87.0-2 -- test3012: temporarily disable valgrind (#2143040) - -* Wed Dec 21 2022 Kamil Dudka - 7.87.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2022-43552 - HTTP Proxy deny use-after-free - CVE-2022-43551 - Another HSTS bypass via IDN - -* Tue Nov 29 2022 Kamil Dudka - 7.86.0-4 -- noproxy: tailmatch like in 7.85.0 and earlier (#2149224) - -* Thu Nov 24 2022 Kamil Dudka - 7.86.0-3 -- enforce versioned libnghttp2 dependency for libcurl (#2144277) - -* Mon Oct 31 2022 Kamil Dudka - 7.86.0-2 -- fix regression in noproxy matching - -* Wed Oct 26 2022 Kamil Dudka - 7.86.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2022-42916 - HSTS bypass via IDN - CVE-2022-42915 - HTTP proxy double-free - CVE-2022-35260 - .netrc parser out-of-bounds access - CVE-2022-32221 - POST following PUT confusion - -* Thu Sep 01 2022 Kamil Dudka - 7.85.0-1 -- new upstream release, which fixes the following vulnerability - CVE-2022-35252 - control code in cookie denial of service - -* Thu Aug 25 2022 Kamil Dudka - 7.84.0-3 -- tests: fix http2 tests to use CRLF headers to make it work with nghttp2-1.49.0 - -* Wed Jul 20 2022 Fedora Release Engineering - 7.84.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Mon Jun 27 2022 Kamil Dudka - 7.84.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2022-32207 - Unpreserved file permissions - CVE-2022-32205 - Set-Cookie denial of service - CVE-2022-32206 - HTTP compression denial of service - CVE-2022-32208 - FTP-KRB bad message verification - -* Wed May 11 2022 Kamil Dudka - 7.83.1-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2022-27782 - fix too eager reuse of TLS and SSH 
connections - CVE-2022-27779 - do not accept cookies for TLD with trailing dot - CVE-2022-27778 - do not remove wrong file on error - CVE-2022-30115 - hsts: ignore trailing dots when comparing hosts names - CVE-2022-27780 - reject percent-encoded path separator in URL host - -* Wed Apr 27 2022 Kamil Dudka - 7.83.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2022-27774 - curl credential leak on redirect - CVE-2022-27776 - curl auth/cookie leak on redirect - CVE-2022-27775 - curl bad local IPv6 connection reuse - CVE-2022-22576 - curl OAUTH2 bearer bypass in connection re-use - -* Tue Mar 15 2022 Kamil Dudka - 7.82.0-2 -- openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure - -* Sat Mar 05 2022 Kamil Dudka - 7.82.0-1 -- new upstream release - -* Thu Feb 24 2022 Kamil Dudka - 7.81.0-4 -- enable IDN support also in libcurl-minimal - -* Thu Feb 10 2022 Zbigniew Jędrzejewski-Szmek - 7.81.0-3 -- Suggest libcurl-minimal in curl-minimal - -* Thu Jan 20 2022 Fedora Release Engineering - 7.81.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Wed Jan 05 2022 Kamil Dudka - 7.81.0-1 -- new upstream release - -* Sun Nov 14 2021 Paul Howarth - 7.80.0-2 -- sshserver.pl (used in test suite) now requires the Digest::SHA perl module - -* Wed Nov 10 2021 Kamil Dudka - 7.80.0-1 -- new upstream release - -* Tue Oct 26 2021 Kamil Dudka - 7.79.1-3 -- re-enable HSTS in libcurl-minimal as a security feature (#2005874) - -* Mon Oct 04 2021 Kamil Dudka - 7.79.1-2 -- disable more protocols and features in libcurl-minimal (#2005874) - -* Wed Sep 22 2021 Kamil Dudka - 7.79.1-1 -- new upstream release - -* Thu Sep 16 2021 Kamil Dudka - 7.79.0-4 -- fix regression in http2 implementation introduced in the last release - -* Thu Sep 16 2021 Sahana Prasad - 7.79.0-3 -- Rebuilt with OpenSSL 3.0.0 - -* Thu Sep 16 2021 Kamil Dudka - 7.79.0-2 -- make SCP/SFTP tests work with openssh-8.7p1 - -* Wed Sep 15 2021 Kamil Dudka - 7.79.0-1 
-- new upstream release, which fixes the following vulnerabilities - CVE-2021-22947 - STARTTLS protocol injection via MITM - CVE-2021-22946 - protocol downgrade required TLS bypassed - CVE-2021-22945 - use-after-free and double-free in MQTT sending - -* Tue Sep 14 2021 Sahana Prasad - 7.78.0-4 -- Rebuilt with OpenSSL 3.0.0 - -* Fri Jul 23 2021 Kamil Dudka - 7.78.0-3 -- make explicit dependency on openssl work with alpha/beta builds of openssl - -* Wed Jul 21 2021 Fedora Release Engineering - 7.78.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Wed Jul 21 2021 Kamil Dudka - 7.78.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2021-22925 - TELNET stack contents disclosure again - CVE-2021-22924 - bad connection reuse due to flawed path name checks - CVE-2021-22923 - metalink download sends credentials - CVE-2021-22922 - wrong content via metalink not discarded - -* Wed Jun 02 2021 Kamil Dudka - 7.77.0-2 -- build the curl tool without metalink support (#1967213) - -* Wed May 26 2021 Kamil Dudka - 7.77.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2021-22901 - TLS session caching disaster - CVE-2021-22898 - TELNET stack contents disclosure - -* Mon May 03 2021 Kamil Dudka - 7.76.1-2 -- http2: fix resource leaks detected by Coverity - -* Wed Apr 14 2021 Kamil Dudka - 7.76.1-1 -- new upstream release - -* Wed Mar 31 2021 Kamil Dudka - 7.76.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2021-22890 - TLS 1.3 session ticket proxy host mixup - CVE-2021-22876 - Automatic referer leaks credentials - -* Wed Mar 24 2021 Kamil Dudka - 7.75.0-3 -- fix SIGSEGV upon disconnect of a ldaps:// transfer - -* Tue Feb 23 2021 Kamil Dudka - 7.75.0-2 -- build-require python3-impacket only on Fedora - -* Wed Feb 03 2021 Kamil Dudka - 7.75.0-1 -- new upstream release - -* Tue Jan 26 2021 Kamil Dudka - 7.74.0-4 -- do not use stunnel for tests on s390x builds to avoid spurious 
failures - -* Tue Jan 26 2021 Fedora Release Engineering - 7.74.0-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Wed Dec 09 2020 Kamil Dudka - 7.74.0-2 -- do not rewrite shebangs in test-suite to use python3 explicitly - -* Wed Dec 09 2020 Kamil Dudka - 7.74.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2020-8286 - curl: Inferior OCSP verification - CVE-2020-8285 - libcurl: FTP wildcard stack overflow - CVE-2020-8284 - curl: trusting FTP PASV responses - -* Wed Oct 14 2020 Kamil Dudka - 7.73.0-2 -- prevent upstream test 1451 from being skipped - -* Wed Oct 14 2020 Kamil Dudka - 7.73.0-1 -- new upstream release - -* Thu Sep 10 2020 Jinoh Kang - 7.72.0-2 -- fix multiarch conflicts in libcurl-minimal (#1877671) - -* Wed Aug 19 2020 Kamil Dudka - 7.72.0-1 -- new upstream release, which fixes the following vulnerability - CVE-2020-8231 - libcurl: wrong connect-only connection - -* Thu Aug 06 2020 Kamil Dudka - 7.71.1-5 -- setopt: unset NOBODY switches to GET if still HEAD - -* Mon Jul 27 2020 Fedora Release Engineering - 7.71.1-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Mon Jul 13 2020 Tom Stellard - 7.71.1-3 -- Use make macros -- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro - -* Fri Jul 03 2020 Kamil Dudka - 7.71.1-2 -- curl: make the --krb option work again (#1833193) - -* Wed Jul 01 2020 Kamil Dudka - 7.71.1-1 -- new upstream release - -* Wed Jun 24 2020 Kamil Dudka - 7.71.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2020-8169 - curl: Partial password leak over DNS on HTTP redirect - CVE-2020-8177 - curl: overwrite local file with -J - -* Wed Apr 29 2020 Kamil Dudka - 7.70.0-1 -- new upstream release - -* Mon Apr 20 2020 Kamil Dudka - 7.69.1-3 -- SSH: use new ECDSA key types to check known hosts (#1824926) - -* Fri Apr 17 2020 Tom Stellard - 7.69.1-2 -- Prevent discarding of -g when compiling with clang - -* Wed Mar 11 2020 
Kamil Dudka - 7.69.1-1 -- new upstream release - -* Mon Mar 09 2020 Kamil Dudka - 7.69.0-2 -- make Flatpak work again (#1810989) - -* Wed Mar 04 2020 Kamil Dudka - 7.69.0-1 -- new upstream release - -* Tue Jan 28 2020 Fedora Release Engineering - 7.68.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Wed Jan 08 2020 Kamil Dudka - 7.68.0-1 -- new upstream release - -* Thu Nov 14 2019 Kamil Dudka - 7.67.0-2 -- fix infinite loop on upload using a glob (#1771025) - -* Wed Nov 06 2019 Kamil Dudka - 7.67.0-1 -- new upstream release - -* Wed Sep 11 2019 Kamil Dudka - 7.66.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2019-5481 - double free due to subsequent call of realloc() - CVE-2019-5482 - heap buffer overflow in function tftp_receive_packet() - -* Tue Aug 27 2019 Kamil Dudka - 7.65.3-4 -- avoid reporting spurious error in the HTTP2 framing layer (#1690971) - -* Thu Aug 01 2019 Kamil Dudka - 7.65.3-3 -- improve handling of gss_init_sec_context() failures - -* Wed Jul 24 2019 Fedora Release Engineering - 7.65.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Sat Jul 20 2019 Paul Howarth - 7.65.3-1 -- new upstream release - -* Wed Jul 17 2019 Kamil Dudka - 7.65.2-1 -- new upstream release - -* Wed Jun 05 2019 Kamil Dudka - 7.65.1-1 -- new upstream release - -* Thu May 30 2019 Kamil Dudka - 7.65.0-2 -- fix spurious timeout events with speed-limit (#1714893) - -* Wed May 22 2019 Kamil Dudka - 7.65.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2019-5436 - TFTP receive buffer overflow - CVE-2019-5435 - integer overflows in curl_url_set() - -* Thu May 09 2019 Kamil Dudka - 7.64.1-2 -- do not treat failure of gss_init_sec_context() with --negotiate as fatal - -* Wed Mar 27 2019 Kamil Dudka - 7.64.1-1 -- new upstream release - -* Mon Mar 25 2019 Kamil Dudka - 7.64.0-6 -- remove verbose "Expire in" ... 
messages (#1690971) - -* Thu Mar 21 2019 Kamil Dudka - 7.64.0-5 -- avoid spurious "Could not resolve host: [host name]" error messages - -* Wed Feb 27 2019 Kamil Dudka - 7.64.0-4 -- fix NULL dereference if flushing cookies with no CookieInfo set (#1683676) - -* Mon Feb 25 2019 Kamil Dudka - 7.64.0-3 -- prevent NetworkManager from leaking file descriptors (#1680198) - -* Mon Feb 11 2019 Kamil Dudka - 7.64.0-2 -- make zsh completion work again - -* Wed Feb 06 2019 Kamil Dudka - 7.64.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2019-3823 - SMTP end-of-response out-of-bounds read - CVE-2019-3822 - NTLMv2 type-3 header stack buffer overflow - CVE-2018-16890 - NTLM type-2 out-of-bounds buffer read - -* Mon Feb 04 2019 Kamil Dudka - 7.63.0-7 -- prevent valgrind from reporting false positives on x86_64 - -* Thu Jan 31 2019 Fedora Release Engineering - 7.63.0-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Mon Jan 21 2019 Kamil Dudka - 7.63.0-5 -- xattr: strip credentials from any URL that is stored (CVE-2018-20483) - -* Fri Jan 04 2019 Kamil Dudka - 7.63.0-4 -- replace 0105-curl-7.63.0-libstubgss-ldadd.patch by upstream patch - -* Wed Dec 19 2018 Kamil Dudka - 7.63.0-3 -- curl -J: do not append to the destination file (#1658574) - -* Fri Dec 14 2018 Kamil Dudka - 7.63.0-2 -- revert an upstream commit that broke `fedpkg new-sources` (#1659329) - -* Wed Dec 12 2018 Kamil Dudka - 7.63.0-1 -- new upstream release - -* Wed Oct 31 2018 Kamil Dudka - 7.62.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2018-16839 - SASL password overflow via integer overflow - CVE-2018-16840 - use-after-free in handle close - CVE-2018-16842 - warning message out-of-buffer read - -* Thu Oct 11 2018 Kamil Dudka - 7.61.1-3 -- enable TLS 1.3 post-handshake auth in OpenSSL -- update the documentation of --tlsv1.0 in curl(1) man page - -* Thu Oct 04 2018 Kamil Dudka - 7.61.1-2 -- enforce versioned libpsl dependency 
for libcurl (#1631804) -- test320: update expected output for gnutls-3.6.4 -- drop 0105-curl-7.61.0-tests-ssh-keygen.patch no longer needed (#1622594) - -* Wed Sep 05 2018 Kamil Dudka - 7.61.1-1 -- new upstream release, which fixes the following vulnerability - CVE-2018-14618 - NTLM password overflow via integer overflow - -* Tue Sep 04 2018 Kamil Dudka - 7.61.0-8 -- make the --tls13-ciphers option work - -* Mon Aug 27 2018 Kamil Dudka - 7.61.0-7 -- tests: make ssh-keygen always produce PEM format (#1622594) - -* Wed Aug 15 2018 Kamil Dudka - 7.61.0-6 -- scp/sftp: fix infinite connect loop on invalid private key (#1595135) - -* Thu Aug 09 2018 Kamil Dudka - 7.61.0-5 +* Thu Aug 09 2018 Kamil Dudka - 7.55.1-13 - ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544) -* Tue Aug 07 2018 Kamil Dudka - 7.61.0-4 -- relax crypto policy for the test-suite to make it pass again (#1610888) +* Tue Jun 05 2018 Kamil Dudka - 7.55.1-12 +- http2: handle GOAWAY properly (#1585797) -* Tue Jul 31 2018 Kamil Dudka - 7.61.0-3 -- disable flaky test 1900, which covers deprecated HTTP pipelining -- adapt test 323 for updated OpenSSL +* Fri May 18 2018 Kamil Dudka - 7.55.1-11 +- fix FTP shutdown response buffer overflow (CVE-2018-1000300) +- fix RTSP bad headers buffer over-read (CVE-2018-1000301) -* Thu Jul 12 2018 Fedora Release Engineering - 7.61.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild +* Wed Mar 14 2018 Kamil Dudka - 7.55.1-10 +- fix FTP path trickery leads to NIL byte out of bounds write (CVE-2018-1000120) +- fix LDAP NULL pointer dereference (CVE-2018-1000121) +- fix RTSP RTP buffer over-read (CVE-2018-1000122) -* Wed Jul 11 2018 Kamil Dudka - 7.61.0-1 -- new upstream release, which fixes the following vulnerability - CVE-2018-0500 - SMTP send heap buffer overflow +* Wed Jan 24 2018 Kamil Dudka - 7.55.1-9 +- http2: fix incorrect trailer buffer size (CVE-2018-1000005) +- http: prevent custom Authorization headers in redirects 
(CVE-2018-1000007) -* Tue Jul 10 2018 Kamil Dudka - 7.60.0-3 -- enable support for brotli compression in libcurl-full +* Thu Nov 30 2017 Kamil Dudka - 7.55.1-8 +- fix NTLM buffer overflow via integer overflow (CVE-2017-8816) +- fix FTP wildcard out of bounds read (CVE-2017-8817) -* Wed Jul 04 2018 Kamil Dudka - 7.60.0-2 -- do not hard-wire path of the Python 3 interpreter +* Mon Oct 23 2017 Kamil Dudka - 7.55.1-7 +- fix buffer overflow while processing IMAP FETCH response (CVE-2017-1000257) -* Wed May 16 2018 Kamil Dudka - 7.60.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2018-1000300 - FTP shutdown response buffer overflow - CVE-2018-1000301 - RTSP bad headers buffer over-read - -* Thu Mar 15 2018 Kamil Dudka - 7.59.0-3 -- make the test-suite use Python 3 - -* Wed Mar 14 2018 Kamil Dudka - 7.59.0-2 -- ftp: fix typo in recursive callback detection for seeking - -* Wed Mar 14 2018 Kamil Dudka - 7.59.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2018-1000120 - FTP path trickery leads to NIL byte out of bounds write - CVE-2018-1000121 - LDAP NULL pointer dereference - CVE-2018-1000122 - RTSP RTP buffer over-read - -* Mon Mar 12 2018 Kamil Dudka - 7.58.0-8 -- http2: mark the connection for close on GOAWAY - -* Mon Feb 19 2018 Paul Howarth - 7.58.0-7 -- Add explicity-used build requirements -- Fix libcurl soname version number in %%files list to avoid accidental soname - bumps - -* Thu Feb 15 2018 Paul Howarth - 7.58.0-6 -- switch to %%ldconfig_scriptlets -- drop legacy BuildRoot: and Group: tags -- enforce versioned libssh dependency for libcurl - -* Tue Feb 13 2018 Kamil Dudka - 7.58.0-5 -- drop temporary workaround for #1540549 - -* Wed Feb 07 2018 Fedora Release Engineering - 7.58.0-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Wed Jan 31 2018 Kamil Dudka - 7.58.0-3 -- temporarily work around internal compiler error on x86_64 (#1540549) -- disable brp-ldconfig to make 
RemovePathPostfixes work with shared libs again - -* Wed Jan 24 2018 Andreas Schneider - 7.58.0-2 -- use libssh (instead of libssh2) to implement SCP/SFTP in libcurl (#1531483) - -* Wed Jan 24 2018 Kamil Dudka - 7.58.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2018-1000005 - curl: HTTP/2 trailer out-of-bounds read - CVE-2018-1000007 - curl: HTTP authentication leak in redirects - -* Wed Nov 29 2017 Kamil Dudka - 7.57.0-1 -- new upstream release, which fixes the following vulnerabilities - CVE-2017-8816 - curl: NTLM buffer overflow via integer overflow - CVE-2017-8817 - curl: FTP wildcard out of bounds read - CVE-2017-8818 - curl: SSL out of buffer access - -* Mon Oct 23 2017 Kamil Dudka - 7.56.1-1 -- new upstream release (fixes CVE-2017-1000257) - -* Wed Oct 04 2017 Kamil Dudka - 7.56.0-1 -- new upstream release (fixes CVE-2017-1000254) +* Wed Oct 04 2017 Kamil Dudka - 7.55.1-6 +- fix out of bounds read in FTP PWD response parser (CVE-2017-1000254) * Mon Aug 28 2017 Kamil Dudka - 7.55.1-5 - apply the patch for the previous commit and fix its name (#1485702) 
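Review bot: The `%files -n libcurl-minimal` entries on the new side match the library with `%{_libdir}/libcurl.so.[0-9].minimal` and `%{_libdir}/libcurl.so.[0-9].[0-9].[0-9].minimal`, so a build that produces a different soname would still be packaged and shipped to dependents without the file list failing. The removed lines pinned the major number (`%{_libdir}/libcurl.so.4.minimal`), and the removed 7.58.0-7 changelog entry gives the reason: to avoid accidental soname bumps. I would keep the major number literal here, `%{_libdir}/libcurl.so.4.minimal` and `%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal`, assuming this branch also builds soname 4, which is not visible in this hunk. The same glob is used for `%files -n libcurl` in the preceding hunk, which starts outside this view.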
@@ -1482,3 +752,881 @@ rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* * Wed Feb 06 2013 Kamil Dudka 7.29.0-1 - new upstream release (fixes CVE-2013-0249) + +* Tue Jan 15 2013 Kamil Dudka 7.28.1-3 +- require valgrind for build only on i386 and x86_64 (#886891) + +* Tue Jan 15 2013 Kamil Dudka 7.28.1-2 +- prevent NSS from crashing on client auth hook failure +- clear session cache if a client cert from file is used +- fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE + +* Tue Nov 20 2012 Kamil Dudka 7.28.1-1 +- new upstream release + +* Wed Oct 31 2012 Kamil Dudka 7.28.0-1 +- new upstream release + +* Mon Oct 01 2012 Kamil Dudka 7.27.0-3 +- use the upstream facility to disable problematic tests +- do not crash if MD5 fingerprint is not provided by libssh2 + +* Wed Aug 01 2012 Kamil Dudka 7.27.0-2 +- eliminate unnecessary inotify events on upload via file protocol (#844385) + +* Sat Jul 28 2012 Kamil Dudka 7.27.0-1 +- new upstream release + +* Mon Jul 23 2012 Kamil Dudka 7.26.0-6 +- print reason phrase from HTTP status line on error (#676596) + +* Wed Jul 18 2012 Fedora Release Engineering - 7.26.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Sat Jun 09 2012 Kamil Dudka 7.26.0-4 +- fix duplicated SSL handshake with multi interface and proxy (#788526) + +* Wed May 30 2012 Karsten Hopp 7.26.0-3 +- disable test 1319 on ppc64, server times out + +* Mon May 28 2012 Kamil Dudka 7.26.0-2 +- use human-readable error messages provided by NSS (upstream commit 72f4b534) + +* Fri May 25 2012 Kamil Dudka 7.26.0-1 +- new upstream release + +* Wed Apr 25 2012 Karsten Hopp 7.25.0-3 +- valgrind on ppc64 works fine, disable ppc32 only + +* Wed Apr 25 2012 Karsten Hopp 7.25.0-3 +- drop BR valgrind on PPC(64) until bugzilla #810992 gets fixed + +* Fri Apr 13 2012 Kamil Dudka 7.25.0-2 +- use NSS_InitContext() to initialize NSS if available (#738456) +- provide human-readable names for NSS errors (upstream commit a60edcc6) + +* Fri Mar 23 2012 Paul 
Howarth 7.25.0-1 +- new upstream release (#806264) +- fix character encoding of docs with a patch rather than just iconv +- update debug and multilib patches +- don't use macros for commands +- reduce size of %%prep output for readability + +* Tue Jan 24 2012 Kamil Dudka 7.24.0-1 +- new upstream release (fixes CVE-2012-0036) + +* Thu Jan 05 2012 Paul Howarth 7.23.0-6 +- rebuild for gcc 4.7 + +* Mon Jan 02 2012 Kamil Dudka 7.23.0-5 +- upstream patch that allows to run FTPS tests with nss-3.13 (#760060) + +* Tue Dec 27 2011 Kamil Dudka 7.23.0-4 +- allow to run FTPS tests with nss-3.13 (#760060) + +* Sun Dec 25 2011 Kamil Dudka 7.23.0-3 +- avoid unnecessary timeout event when waiting for 100-continue (#767490) + +* Mon Nov 21 2011 Kamil Dudka 7.23.0-2 +- curl -JO now uses -O name if no C-D header comes (upstream commit c532604) + +* Wed Nov 16 2011 Kamil Dudka 7.23.0-1 +- new upstream release (#754391) + +* Mon Sep 19 2011 Kamil Dudka 7.22.0-2 +- nss: select client certificates by DER (#733657) + +* Tue Sep 13 2011 Kamil Dudka 7.22.0-1 +- new upstream release +- curl-config now provides dummy --static-libs option (#733956) + +* Sun Aug 21 2011 Paul Howarth 7.21.7-4 +- actually fix SIGSEGV of curl -O -J given more than one URL (#723075) + +* Mon Aug 15 2011 Kamil Dudka 7.21.7-3 +- fix SIGSEGV of curl -O -J given more than one URL (#723075) +- introduce the --delegation option of curl (#730444) +- initialize NSS with no database if the selected database is broken (#728562) + +* Wed Aug 03 2011 Kamil Dudka 7.21.7-2 +- add a new option CURLOPT_GSSAPI_DELEGATION (#719939) + +* Thu Jun 23 2011 Kamil Dudka 7.21.7-1 +- new upstream release (fixes CVE-2011-2192) + +* Wed Jun 08 2011 Kamil Dudka 7.21.6-2 +- avoid an invalid timeout event on a reused handle (#679709) + +* Sat Apr 23 2011 Paul Howarth 7.21.6-1 +- new upstream release + +* Mon Apr 18 2011 Kamil Dudka 7.21.5-2 +- fix the output of curl-config --version (upstream commit 82ecc85) + +* Mon Apr 18 2011 Kamil Dudka 
7.21.5-1 +- new upstream release + +* Sat Apr 16 2011 Peter Robinson 7.21.4-4 +- no valgrind on ARMv5 arches + +* Sat Mar 05 2011 Dennis Gilmore 7.21.4-3 +- no valgrind on sparc arches + +* Tue Feb 22 2011 Kamil Dudka 7.21.4-2 +- do not ignore failure of SSL handshake (upstream commit 7aa2d10) + +* Fri Feb 18 2011 Kamil Dudka 7.21.4-1 +- new upstream release +- avoid memory leak on SSL connection failure (upstream commit a40f58d) +- work around valgrind bug (#678518) + +* Tue Feb 08 2011 Fedora Release Engineering - 7.21.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Jan 12 2011 Kamil Dudka 7.21.3-2 +- build libcurl with --enable-hidden-symbols + +* Thu Dec 16 2010 Paul Howarth 7.21.3-1 +- update to 7.21.3: + - added --noconfigure switch to testcurl.pl + - added --xattr option + - added CURLOPT_RESOLVE and --resolve + - added CURLAUTH_ONLY + - added version-check.pl to the examples dir + - check for libcurl features for some command line options + - Curl_setopt: disallow CURLOPT_USE_SSL without SSL support + - http_chunks: remove debug output + - URL-parsing: consider ? 
a divider + - SSH: avoid using the libssh2_ prefix + - SSH: use libssh2_session_handshake() to work on win64 + - ftp: prevent server from hanging on closed data connection when stopping + a transfer before the end of the full transfer (ranges) + - LDAP: detect non-binary attributes properly + - ftp: treat server's response 421 as CURLE_OPERATION_TIMEDOUT + - gnutls->handshake: improved timeout handling + - security: pass the right parameter to init + - krb5: use GSS_ERROR to check for error + - TFTP: resend the correct data + - configure: fix autoconf 2.68 warning: no AC_LANG_SOURCE call detected + - GnuTLS: now detects socket errors on Windows + - symbols-in-versions: updated en masse + - added a couple of examples that were missing from the tarball + - Curl_send/recv_plain: return errno on failure + - Curl_wait_for_resolv (for c-ares): correct timeout + - ossl_connect_common: detect connection re-use + - configure: prevent link errors with --librtmp + - openldap: use remote port in URL passed to ldap_init_fd() + - url: provide dead_connection flag in Curl_handler::disconnect + - lots of compiler warning fixes + - ssh: fix a download resume point calculation + - fix getinfo CURLINFO_LOCAL* for reused connections + - multi: the returned running handles counter could turn negative + - multi: only ever consider pipelining for connections doing HTTP(S) +- drop upstream patches now in tarball +- update bz650255 and disable-test1112 patches to apply against new codebase +- add workaround for false-positive glibc-detected buffer overflow in tftpd + test server with FORTIFY_SOURCE (similar to #515361) + +* Fri Nov 12 2010 Kamil Dudka 7.21.2-5 +- do not send QUIT to a dead FTP control connection (#650255) +- pull back glibc's implementation of str[n]casecmp(), #626470 appears fixed + +* Tue Nov 09 2010 Kamil Dudka 7.21.2-4 +- prevent FTP client from hanging on unrecognized ABOR response (#649347) +- return more appropriate error code in case FTP server session idle + 
timeout has exceeded (#650255) + +* Fri Oct 29 2010 Kamil Dudka 7.21.2-3 +- prevent FTP server from hanging on closed data connection (#643656) + +* Thu Oct 14 2010 Paul Howarth 7.21.2-2 +- enforce versioned libssh2 dependency for libcurl (#642796) + +* Wed Oct 13 2010 Kamil Dudka 7.21.2-1 +- new upstream release, drop applied patches +- make 0102-curl-7.21.2-debug.patch less intrusive + +* Wed Sep 29 2010 jkeating - 7.21.1-6 +- Rebuilt for gcc bug 634757 + +* Sat Sep 11 2010 Kamil Dudka 7.21.1-5 +- make it possible to run SCP/SFTP tests on x86_64 (#632914) + +* Tue Sep 07 2010 Kamil Dudka 7.21.1-4 +- work around glibc/valgrind problem on x86_64 (#631449) + +* Tue Aug 24 2010 Paul Howarth 7.21.1-3 +- fix up patches so there's no need to run autotools in the rpm build +- drop buildreq automake +- drop dependency on automake for devel package from F-14, where + %%{_datadir}/aclocal is included in the filesystem package +- drop dependency on pkgconfig for devel package from F-11, where + pkgconfig dependencies are auto-generated + +* Mon Aug 23 2010 Kamil Dudka 7.21.1-2 +- re-enable test575 on s390(x), already fixed (upstream commit d63bdba) +- modify system headers to work around gcc bug (#617757) +- curl -T now ignores file size of special files (#622520) +- fix kerberos proxy authentication for https (#625676) +- work around glibc/valgrind problem on x86_64 (#626470) + +* Thu Aug 12 2010 Kamil Dudka 7.21.1-1 +- new upstream release + +* Mon Jul 12 2010 Dan Horák 7.21.0-3 +- disable test 575 on s390(x) + +* Mon Jun 28 2010 Kamil Dudka 7.21.0-2 +- add support for NTLM authentication (#603783) + +* Wed Jun 16 2010 Kamil Dudka 7.21.0-1 +- new upstream release, drop applied patches +- update of %%description +- disable valgrind for certain test-cases (libssh2 problem) + +* Tue May 25 2010 Kamil Dudka 7.20.1-6 +- fix -J/--remote-header-name to strip CR-LF (upstream patch) + +* Wed Apr 28 2010 Kamil Dudka 7.20.1-5 +- CRL support now works again (#581926) +- make it 
possible to start a testing OpenSSH server when building with SELinux + in the enforcing mode (#521087) + +* Sat Apr 24 2010 Kamil Dudka 7.20.1-4 +- upstream patch preventing failure of test536 with threaded DNS resolver +- upstream patch preventing SSL handshake timeout underflow + +* Thu Apr 22 2010 Paul Howarth 7.20.1-3 +- replace Rawhide s390-sleep patch with a more targeted patch adding a + delay after tests 513 and 514 rather than after all tests + +* Wed Apr 21 2010 Kamil Dudka 7.20.1-2 +- experimentally enabled threaded DNS lookup +- make curl-config multilib ready again (#584107) + +* Mon Apr 19 2010 Kamil Dudka 7.20.1-1 +- new upstream release + +* Tue Mar 23 2010 Kamil Dudka 7.20.0-4 +- add missing quote in libcurl.m4 (#576252) + +* Fri Mar 19 2010 Kamil Dudka 7.20.0-3 +- throw CURLE_SSL_CERTPROBLEM in case peer rejects a certificate (#565972) +- valgrind temporarily disabled (#574889) +- kerberos installation prefix has been changed + +* Wed Feb 24 2010 Kamil Dudka 7.20.0-2 +- exclude test1112 from the test suite (#565305) + +* Thu Feb 11 2010 Kamil Dudka 7.20.0-1 +- new upstream release - added support for IMAP(S), POP3(S), SMTP(S) and RTSP +- dropped patches applied upstream +- dropped curl-7.16.0-privlibs.patch no longer useful +- a new patch forcing -lrt when linking the curl tool and test-cases + +* Fri Jan 29 2010 Kamil Dudka 7.19.7-11 +- upstream patch adding a new option -J/--remote-header-name +- dropped temporary workaround for #545779 + +* Thu Jan 14 2010 Chris Weyl 7.19.7-10 +- bump for libssh2 rebuild + +* Sun Dec 20 2009 Kamil Dudka 7.19.7-9 +- temporary workaround for #548269 + (restored behavior of 7.19.7-4) + +* Wed Dec 09 2009 Kamil Dudka 7.19.7-8 +- replace hard wired port numbers in the test suite + +* Wed Dec 09 2009 Kamil Dudka 7.19.7-7 +- use different port numbers for 32bit and 64bit builds +- temporary workaround for #545779 + +* Tue Dec 08 2009 Kamil Dudka 7.19.7-6 +- make it possible to run test241 +- re-enable SCP/SFTP tests 
(#539444) + +* Sat Dec 05 2009 Kamil Dudka 7.19.7-5 +- avoid use of uninitialized value in lib/nss.c +- suppress failure of test513 on s390 + +* Tue Dec 01 2009 Kamil Dudka 7.19.7-4 +- do not require valgrind on s390 and s390x +- temporarily disabled SCP/SFTP test-suite (#539444) + +* Thu Nov 12 2009 Kamil Dudka 7.19.7-3 +- fix crash on doubly closed NSPR descriptor, patch contributed + by Kevin Baughman (#534176) +- new version of patch for broken TLS servers (#525496, #527771) + +* Wed Nov 04 2009 Kamil Dudka 7.19.7-2 +- increased release number (CVS problem) + +* Wed Nov 04 2009 Kamil Dudka 7.19.7-1 +- new upstream release, dropped applied patches +- workaround for broken TLS servers (#525496, #527771) + +* Wed Oct 14 2009 Kamil Dudka 7.19.6-13 +- fix timeout issues and gcc warnings within lib/nss.c + +* Tue Oct 06 2009 Kamil Dudka 7.19.6-12 +- upstream patch for NSS support written by Guenter Knauf + +* Wed Sep 30 2009 Kamil Dudka 7.19.6-11 +- build libcurl with c-ares support (#514771) + +* Sun Sep 27 2009 Kamil Dudka 7.19.6-10 +- require libssh2>=1.2 properly (#525002) + +* Sat Sep 26 2009 Kamil Dudka 7.19.6-9 +- let curl test-suite use valgrind +- require libssh2>=1.2 (#525002) + +* Mon Sep 21 2009 Chris Weyl - 7.19.6-8 +- rebuild for libssh2 1.2 + +* Thu Sep 17 2009 Kamil Dudka 7.19.6-7 +- make curl test-suite more verbose + +* Wed Sep 16 2009 Kamil Dudka 7.19.6-6 +- update polling patch to the latest upstream version + +* Thu Sep 03 2009 Kamil Dudka 7.19.6-5 +- cover ssh and stunnel support by the test-suite + +* Wed Sep 02 2009 Kamil Dudka 7.19.6-4 +- use pkg-config to find nss and libssh2 if possible +- better patch (not only) for SCP/SFTP polling +- improve error message for not matching common name (#516056) + +* Fri Aug 21 2009 Kamil Dudka 7.19.6-3 +- avoid tight loop during a sftp upload +- http://permalink.gmane.org/gmane.comp.web.curl.library/24744 + +* Tue Aug 18 2009 Kamil Dudka 7.19.6-2 +- let curl package depend on the same version of libcurl + 
+* Fri Aug 14 2009 Kamil Dudka 7.19.6-1 +- new upstream release, dropped applied patches +- changed NSS code to not ignore the value of ssl.verifyhost and produce more + verbose error messages (#516056) + +* Wed Aug 12 2009 Ville Skyttä - 7.19.5-10 +- Use lzma compressed upstream tarball. + +* Fri Jul 24 2009 Fedora Release Engineering - 7.19.5-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Jul 22 2009 Kamil Dudka 7.19.5-8 +- do not pre-login to all PKCS11 slots, it causes problems with HW tokens +- try to select client certificate automatically when not specified, thanks + to Claes Jakobsson + +* Fri Jul 10 2009 Kamil Dudka 7.19.5-7 +- fix SIGSEGV when using NSS client certificates, thanks to Claes Jakobsson + +* Sun Jul 05 2009 Kamil Dudka 7.19.5-6 +- force test suite to use the just built libcurl, thanks to Paul Howarth + +* Thu Jul 02 2009 Kamil Dudka 7.19.5-5 +- run test suite after build +- enable built-in manual + +* Wed Jun 24 2009 Kamil Dudka 7.19.5-4 +- fix bug introduced by the last build (#504857) + +* Wed Jun 24 2009 Kamil Dudka 7.19.5-3 +- exclude curlbuild.h content from spec (#504857) + +* Wed Jun 10 2009 Kamil Dudka 7.19.5-2 +- avoid unguarded comparison in the spec file, thanks to R P Herrold (#504857) + +* Tue May 19 2009 Kamil Dudka 7.19.5-1 +- update to 7.19.5, dropped applied patches + +* Mon May 11 2009 Kamil Dudka 7.19.4-11 +- fix infinite loop while loading a private key, thanks to Michael Cronenworth + (#453612) + +* Mon Apr 27 2009 Kamil Dudka 7.19.4-10 +- fix curl/nss memory leaks while using client certificate (#453612, accepted + by upstream) + +* Wed Apr 22 2009 Kamil Dudka 7.19.4-9 +- add missing BuildRequire for autoconf + +* Wed Apr 22 2009 Kamil Dudka 7.19.4-8 +- fix configure.ac to not discard -g in CFLAGS (#496778) + +* Tue Apr 21 2009 Debarshi Ray 7.19.4-7 +- Fixed configure to respect the environment's CFLAGS and CPPFLAGS settings. 
+ +* Tue Apr 14 2009 Kamil Dudka 7.19.4-6 +- upstream patch fixing memory leak in lib/nss.c (#453612) +- remove redundant dependency of libcurl-devel on libssh2-devel + +* Wed Mar 18 2009 Kamil Dudka 7.19.4-5 +- enable 6 additional crypto algorithms by default (#436781, + accepted by upstream) + +* Thu Mar 12 2009 Kamil Dudka 7.19.4-4 +- fix memory leak in src/main.c (accepted by upstream) +- avoid using %%ifarch + +* Wed Mar 11 2009 Kamil Dudka 7.19.4-3 +- make libcurl-devel multilib-ready (bug #488922) + +* Fri Mar 06 2009 Jindrich Novy 7.19.4-2 +- drop .easy-leak patch, causes problems in pycurl (#488791) +- fix libcurl-devel dependencies (#488895) + +* Tue Mar 03 2009 Jindrich Novy 7.19.4-1 +- update to 7.19.4 (fixes CVE-2009-0037) +- fix leak in curl_easy* functions, thanks to Kamil Dudka +- drop nss-fix patch, applied upstream + +* Tue Feb 24 2009 Fedora Release Engineering - 7.19.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Tue Feb 17 2009 Kamil Dudka 7.19.3-1 +- update to 7.19.3, dropped applied nss patches +- add patch fixing 7.19.3 curl/nss bugs + +* Mon Dec 15 2008 Jindrich Novy 7.18.2-9 +- rebuild for f10/rawhide cvs tag clashes + +* Sat Dec 06 2008 Jindrich Novy 7.18.2-8 +- use improved NSS patch, thanks to Rob Crittenden (#472489) + +* Tue Sep 09 2008 Jindrich Novy 7.18.2-7 +- update the thread safety patch, thanks to Rob Crittenden (#462217) + +* Wed Sep 03 2008 Warren Togami 7.18.2-6 +- add thread safety to libcurl NSS cleanup() functions (#459297) + +* Fri Aug 22 2008 Tom "spot" Callaway 7.18.2-5 +- undo mini libcurl.so.3 + +* Mon Aug 11 2008 Tom "spot" Callaway 7.18.2-4 +- make miniature library for libcurl.so.3 + +* Fri Jul 4 2008 Jindrich Novy 7.18.2-3 +- enable support for libssh2 (#453958) + +* Wed Jun 18 2008 Jindrich Novy 7.18.2-2 +- fix curl_multi_perform() over a proxy (#450140), thanks to + Rob Crittenden + +* Wed Jun 4 2008 Jindrich Novy 7.18.2-1 +- update to 7.18.2 + +* Wed May 7 2008 Jindrich Novy 
7.18.1-2 +- spec cleanup, thanks to Paul Howarth (#225671) + - drop BR: libtool + - convert CHANGES and README to UTF-8 + - _GNU_SOURCE in CFLAGS is no more needed + - remove bogus rpath + +* Mon Mar 31 2008 Jindrich Novy 7.18.1-1 +- update to curl 7.18.1 (fixes #397911) +- add ABI docs for libcurl +- remove --static-libs from curl-config +- drop curl-config patch, obsoleted by @SSL_ENABLED@ autoconf + substitution (#432667) + +* Fri Feb 15 2008 Jindrich Novy 7.18.0-2 +- define _GNU_SOURCE so that NI_MAXHOST gets defined from glibc + +* Mon Jan 28 2008 Jindrich Novy 7.18.0-1 +- update to curl-7.18.0 +- drop sslgen patch -> applied upstream +- fix typo in description + +* Tue Jan 22 2008 Jindrich Novy 7.17.1-6 +- fix curl-devel obsoletes so that we don't break F8->F9 upgrade + path (#429612) + +* Tue Jan 8 2008 Jindrich Novy 7.17.1-5 +- do not attempt to close a bad socket (#427966), + thanks to Caolan McNamara + +* Tue Dec 4 2007 Jindrich Novy 7.17.1-4 +- rebuild because of the openldap soname bump +- remove old nsspem patch + +* Fri Nov 30 2007 Jindrich Novy 7.17.1-3 +- drop useless ldap library detection since curl doesn't + dlopen()s it but links to it -> BR: openldap-devel +- enable LDAPS support (#225671), thanks to Paul Howarth +- BR: krb5-devel to reenable GSSAPI support +- simplify build process +- update description + +* Wed Nov 21 2007 Jindrich Novy 7.17.1-2 +- update description to contain complete supported servers list (#393861) + +* Sat Nov 17 2007 Jindrich Novy 7.17.1-1 +- update to curl 7.17.1 +- include patch to enable SSL usage in NSS when a socket is opened + nonblocking, thanks to Rob Crittenden (rcritten@redhat.com) + +* Wed Oct 24 2007 Jindrich Novy 7.16.4-10 +- correctly provide/obsolete curl-devel (#130251) + +* Wed Oct 24 2007 Jindrich Novy 7.16.4-9 +- create libcurl and libcurl-devel subpackages (#130251) + +* Thu Oct 11 2007 Jindrich Novy 7.16.4-8 +- list features correctly when curl is compiled against NSS (#316191) + +* Mon Sep 17 2007 
Jindrich Novy 7.16.4-7 +- add zlib-devel BR to enable gzip compressed transfers in curl (#292211) + +* Mon Sep 10 2007 Jindrich Novy 7.16.4-6 +- provide webclient (#225671) + +* Thu Sep 6 2007 Jindrich Novy 7.16.4-5 +- add support for the NSS PKCS#11 pem reader so the command-line is the + same for both OpenSSL and NSS by Rob Crittenden (rcritten@redhat.com) +- switch to NSS again + +* Mon Sep 3 2007 Jindrich Novy 7.16.4-4 +- revert back to use OpenSSL (#266021) + +* Mon Aug 27 2007 Jindrich Novy 7.16.4-3 +- don't use openssl, use nss instead + +* Fri Aug 10 2007 Jindrich Novy 7.16.4-2 +- fix anonymous ftp login (#251570), thanks to David Cantrell + +* Wed Jul 11 2007 Jindrich Novy 7.16.4-1 +- update to 7.16.4 + +* Mon Jun 25 2007 Jindrich Novy 7.16.3-1 +- update to 7.16.3 +- drop .print patch, applied upstream +- next series of merge review fixes by Paul Howarth +- remove aclocal stuff, no more needed +- simplify makefile arguments +- don't reference standard library paths in libcurl.pc +- include docs/CONTRIBUTE + +* Mon Jun 18 2007 Jindrich Novy 7.16.2-5 +- don't print like crazy (#236981), backported from upstream CVS + +* Fri Jun 15 2007 Jindrich Novy 7.16.2-4 +- another series of review fixes (#225671), + thanks to Paul Howarth +- check version of ldap library automatically +- don't use %%makeinstall and preserve timestamps +- drop useless patches + +* Fri May 11 2007 Jindrich Novy 7.16.2-3 +- add automake BR to curl-devel to fix aclocal dir. 
ownership, + thanks to Patrice Dumas + +* Thu May 10 2007 Jindrich Novy 7.16.2-2 +- package libcurl.m4 in curl-devel (#239664), thanks to Quy Tonthat + +* Wed Apr 11 2007 Jindrich Novy 7.16.2-1 +- update to 7.16.2 + +* Mon Feb 19 2007 Jindrich Novy 7.16.1-3 +- don't create/ship static libraries (#225671) + +* Mon Feb 5 2007 Jindrich Novy 7.16.1-2 +- merge review related spec fixes (#225671) + +* Mon Jan 29 2007 Jindrich Novy 7.16.1-1 +- update to 7.16.1 + +* Tue Jan 16 2007 Jindrich Novy 7.16.0-5 +- don't package generated makefiles for docs/examples to avoid + multilib conflicts + +* Mon Dec 18 2006 Jindrich Novy 7.16.0-4 +- convert spec to UTF-8 +- don't delete BuildRoot in %%prep phase +- rpmlint fixes + +* Thu Nov 16 2006 Jindrich Novy -7.16.0-3 +- prevent curl from dlopen()ing missing ldap libraries so that + ldap:// requests work (#215928) + +* Tue Oct 31 2006 Jindrich Novy - 7.16.0-2 +- fix BuildRoot +- add Requires: pkgconfig for curl-devel +- move LDFLAGS and LIBS to Libs.private in libcurl.pc.in (#213278) + +* Mon Oct 30 2006 Jindrich Novy - 7.16.0-1 +- update to curl-7.16.0 + +* Thu Aug 24 2006 Jindrich Novy - 7.15.5-1.fc6 +- update to curl-7.15.5 +- use %%{?dist} + +* Fri Jun 30 2006 Ivana Varekova - 7.15.4-1 +- update to 7.15.4 + +* Mon Mar 20 2006 Ivana Varekova - 7.15.3-1 +- fix multilib problem using pkg-config +- update to 7.15.3 + +* Thu Feb 23 2006 Ivana Varekova - 7.15.1-2 +- fix multilib problem - #181290 - + curl-devel.i386 not installable together with curl-devel.x86-64 + +* Fri Feb 10 2006 Jesse Keating - 7.15.1-1.2.1 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 7.15.1-1.2 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Thu Dec 8 2005 Ivana Varekova 7.15.1-1 +- update to 7.15.1 (bug 175191) + +* Wed Nov 30 2005 Ivana Varekova 7.15.0-3 +- fix curl-config bug 174556 - missing vernum value + +* Wed Nov 9 2005 Ivana Varekova 7.15.0-2 +- rebuilt + +* Tue 
Oct 18 2005 Ivana Varekova 7.15.0-1 +- update to 7.15.0 + +* Thu Oct 13 2005 Ivana Varekova 7.14.1-1 +- update to 7.14.1 + +* Thu Jun 16 2005 Ivana Varekova 7.14.0-1 +- rebuild new version + +* Tue May 03 2005 Ivana Varekova 7.13.1-3 +- fix bug 150768 - curl-7.12.3-2 breaks basic authentication + used Daniel Stenberg patch + +* Mon Apr 25 2005 Joe Orton 7.13.1-2 +- update to use ca-bundle in /etc/pki +- mark License as MIT not MPL + +* Wed Mar 9 2005 Ivana Varekova 7.13.1-1 +- rebuilt (7.13.1) + +* Tue Mar 1 2005 Tomas Mraz 7.13.0-2 +- rebuild with openssl-0.9.7e + +* Sun Feb 13 2005 Florian La Roche +- 7.13.0 + +* Wed Feb 9 2005 Joe Orton 7.12.3-3 +- don't pass /usr to --with-libidn to remove "-L/usr/lib" from + 'curl-config --libs' output on x86_64. + +* Fri Jan 28 2005 Adrian Havill 7.12.3-1 +- Upgrade to 7.12.3, which uses poll() for FDSETSIZE limit (#134794) +- require libidn-devel for devel subpkg (#141341) +- remove proftpd kludge; included upstream + +* Wed Oct 06 2004 Adrian Havill 7.12.1-1 +- upgrade to 7.12.1 +- enable GSSAPI auth (#129353) +- enable I18N domain names (#134595) +- workaround for broken ProFTPD SSL auth (#134133). 
Thanks to + Aleksandar Milivojevic + +* Wed Sep 29 2004 Adrian Havill 7.12.0-4 +- move new docs position so defattr gets applied + +* Mon Sep 27 2004 Warren Togami 7.12.0-3 +- remove INSTALL, move libcurl docs to -devel + +* Mon Jul 26 2004 Jindrich Novy +- updated to 7.12.0 +- updated nousr patch + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Wed Apr 07 2004 Adrian Havill 7.11.1-1 +- upgraded; updated nousr patch +- added COPYING (#115956) +- + +* Tue Mar 02 2004 Elliot Lee +- rebuilt + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Sat Jan 31 2004 Florian La Roche +- update to 7.10.8 +- remove patch2, already upstream + +* Wed Oct 15 2003 Adrian Havill 7.10.6-7 +- aclocal before libtoolize +- move OpenLDAP license so it's present as a doc file, present in + both the source and binary as per conditions + +* Mon Oct 13 2003 Adrian Havill 7.10.6-6 +- add OpenLDAP copyright notice for usage of code, add OpenLDAP + license for this code + +* Tue Oct 07 2003 Adrian Havill 7.10.6-5 +- match serverAltName certs with SSL (#106168) + +* Tue Sep 16 2003 Adrian Havill 7.10.6-4.1 +- bump n-v-r for RHEL + +* Tue Sep 16 2003 Adrian Havill 7.10.6-4 +- restore ca cert bundle (#104400) +- require openssl, we want to use its ca-cert bundle + +* Sun Sep 7 2003 Joe Orton 7.10.6-3 +- rebuild + +* Fri Sep 5 2003 Joe Orton 7.10.6-2.2 +- fix to include libcurl.so + +* Mon Aug 25 2003 Adrian Havill 7.10.6-2.1 +- bump n-v-r for RHEL + +* Mon Aug 25 2003 Adrian Havill 7.10.6-2 +- devel subpkg needs openssl-devel as a Require (#102963) + +* Mon Jul 28 2003 Adrian Havill 7.10.6-1 +- bumped version + +* Tue Jul 01 2003 Adrian Havill 7.10.5-1 +- bumped version + +* Wed Jun 04 2003 Elliot Lee +- rebuilt + +* Sat Apr 12 2003 Florian La Roche +- update to 7.10.4 +- adapt nousr patch + +* Wed Jan 22 2003 Tim Powers +- rebuilt + +* Tue Jan 21 2003 Joe Orton 7.9.8-4 +- don't add -L/usr/lib to 'curl-config --libs' output + +* Tue Jan 7 2003 Nalin Dahyabhai 7.9.8-3 +- rebuild + +* Wed Nov 6 2002 Joe 
Orton 7.9.8-2 +- fix `curl-config --libs` output for libdir!=/usr/lib +- remove docs/LIBCURL from docs list; remove unpackaged libcurl.la +- libtoolize and reconf + +* Mon Jul 22 2002 Trond Eivind Glomsrød 7.9.8-1 +- 7.9.8 (# 69473) + +* Fri Jun 21 2002 Tim Powers +- automated rebuild + +* Sun May 26 2002 Tim Powers +- automated rebuild + +* Thu May 16 2002 Trond Eivind Glomsrød 7.9.7-1 +- 7.9.7 + +* Wed Apr 24 2002 Trond Eivind Glomsrød 7.9.6-1 +- 7.9.6 + +* Thu Mar 21 2002 Trond Eivind Glomsrød 7.9.5-2 +- Stop the curl-config script from printing -I/usr/include + and -L/usr/lib (#59497) + +* Fri Mar 8 2002 Trond Eivind Glomsrød 7.9.5-1 +- 7.9.5 + +* Tue Feb 26 2002 Trond Eivind Glomsrød 7.9.3-2 +- Rebuild + +* Wed Jan 23 2002 Nalin Dahyabhai 7.9.3-1 +- update to 7.9.3 + +* Wed Jan 09 2002 Tim Powers 7.9.2-2 +- automated rebuild + +* Wed Jan 9 2002 Trond Eivind Glomsrød 7.9.2-1 +- 7.9.2 + +* Fri Aug 17 2001 Nalin Dahyabhai +- include curl-config in curl-devel +- update to 7.8 to fix memory leak and strlcat() symbol pollution from libcurl + +* Wed Jul 18 2001 Crutcher Dunnavant +- added openssl-devel build req + +* Mon May 21 2001 Tim Powers +- built for the distro + +* Tue Apr 24 2001 Jeff Johnson +- upgrade to curl-7.7.2. +- enable IPv6. + +* Fri Mar 2 2001 Tim Powers +- rebuilt against openssl-0.9.6-1 + +* Thu Jan 4 2001 Tim Powers +- fixed mising ldconfigs +- updated to 7.5.2, bug fixes + +* Mon Dec 11 2000 Tim Powers +- updated to 7.5.1 + +* Mon Nov 6 2000 Tim Powers +- update to 7.4.1 to fix bug #20337, problems with curl -c +- not using patch anymore, it's included in the new source. 
Keeping + for reference + +* Fri Oct 20 2000 Nalin Dahyabhai +- fix bogus req in -devel package + +* Fri Oct 20 2000 Tim Powers +- devel package needed defattr so that root owns the files + +* Mon Oct 16 2000 Nalin Dahyabhai +- update to 7.3 +- apply vsprintf/vsnprintf patch from Colin Phipps via Debian + +* Mon Aug 21 2000 Nalin Dahyabhai +- enable SSL support +- fix packager tag +- move buildroot to %%{_tmppath} + +* Tue Aug 1 2000 Tim Powers +- fixed vendor tag for bug #15028 + +* Mon Jul 24 2000 Prospector +- rebuilt + +* Tue Jul 11 2000 Tim Powers +- workaround alpha build problems with optimizations + +* Mon Jul 10 2000 Tim Powers +- rebuilt + +* Mon Jun 5 2000 Tim Powers +- put man pages in correct place +- use %%makeinstall + +* Mon Apr 24 2000 Tim Powers +- updated to 6.5.2 + +* Wed Nov 3 1999 Tim Powers +- updated sources to 6.2 +- gzip man page + +* Mon Aug 30 1999 Tim Powers +- changed group + +* Thu Aug 26 1999 Tim Powers +- changelog started +- general cleanups, changed prefix to /usr, added manpage to files section +- including in Powertools diff --git a/mykey.asc b/mykey.asc deleted file mode 100644 index 0c77721..0000000 --- a/mykey.asc +++ /dev/null 
@@ -1,77 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v2 - -mQGiBD6tnnoRBACRPnFBVoapBrTpPrCNZ2rq3DcmW6n/soQJW47+zP+vcrcxQ1WJ -QiWSzLGO+QOIUZSYfnliR22r8HkFX9EUSW3IAcRMJMsaO3wMJ0a+78a9QqWLp6RV -0arcQkuuCvG79h+yJ6NnoAXe1geRt8vNGsaWtsS91CtYlTSs6JVtaRLnYwCg/Ly1 -EFgvNZ6SJRc/8I5rRv0lrz8D/0goih2kZ5z4SI+r2hgABNcN7g565YwGKaQDbIch -soh3OBzgETWc3wuAZqmCzQXPXMpMx+ziqX6XDzDKNiGL1CdrBJQd0II8UutWVDje -f9UxLfo02YQ8diGYeq0u9k1RezC13w4TVUmQfg0Uqn4xM6DNzO1O6yCK8rlNwsvL -gHNJA/9m1pfzjpvdxtmJNKRU3C4cRCjXhxNdM7laSEj0/wOGaR2QWWEge51orWwo -SLQUIe4BDPvtRStQHC+tI7qr7d12rMMEBXviJC5EkGBOzlgWr9virjM/u/pkGMc2 -m5r3pVuWH/JSsHsV952y2kWP64uP4zdLXOpVzX/xs0sYJ9nOPLQnRGFuaWVsIFN0 -ZW5iZXJnIChIYXh4KSA8ZGFuaWVsQGhheHguc2U+iF4EExECAB4CHgECF4AFAlQU -ki4FCwkIBwMFFQoJCAsFFgIDAQAACgkQeOEcayedXJEOOwCggCsNHdAQPAlPte3w -i2IZEekkM0YAoOXXPFAWjUwIHjZY41l7WgzACbANiFkEExECABkFAj6tnnoECwcD -AgMVAgMDFgIBAh4BAheAAAoJEHjhHGsnnVyRjngAoO1y3LoSOEgD8vR062cdYDmv -jLvVAJ0dmp1UiuQp+oMyq2VbWyw8LXN1XLkBDQQ+rZ59EAQAmYsA8gPjJ75gOIPb -XNg9Z31QzIz65qS9XdNsFNAdKxnY4b72nhc0oaS9/7Dcdf2Q+1mDa2p72DWk+9iz -7knmBL++csBP2z9eMe5h8oV53prqNOHDHyL3WLOa25ga9381gZnzWoQME74iSBBM -wDw8vbLEgIZ34JaQ7Oe+9N3+6n8AAwcD/Av+Ms+3gCc5pLp4nx36qqi36fodaG9+ -dwIcMbr9bivEtjmDHeuPsD6X1J9+Y/ikUBIDpMPv33lJxLoubOtpLhEuN2XN/ojT -rueVPDKA1f+GyfHnyfpf/78IgX1hGVqu/3RBWKPpXFwSZA4q8vFR+FaPC5WbU68t -FLJpYuC9ZO/LiEYEGBECAAYFAj6tnn0ACgkQeOEcayedXJGtPQCgxrbd59afemZ9 -OIadZD8kUGC29dUAoJ94aGUkWCwoEiPyEZRGXv9XRlfxmQENBFcGhyIBCAC79AIx -5hHixKmNtqbryuZTDwlt9XXkEn/QSrQD3pzgbsbBiWyqOV4hfscvtmoqA7koOw4h -zZ/b8pJPA36eNzqMFIbkWpIit/BwA5bTKRkKXeD2kBFkjIN+iDuXawwhv7eNKH9O -poAUe0K/esK/kvbMO721q24IgkOjB1Vtr/Y4Xkg7+VWVP0LFh7C/2Nwq6n2bktsA -Ey9uCDD1hl8BdckN/XxpuUqSfxbF85GvYzzON67zOxxo6jqRXXcJ2PdPq0o9Ak0d -6Fe7g9ZxOAeuYEbFTCZHBBccx84K0Bhn5tpqoq8Mq3f3mZfGBoe4J6wr17cxEDC8 -tTHUpDqk0CoLERUxABEBAAG0IERhbmllbCBTdGVuYmVyZyA8ZGFuaWVsQGhheHgu -c2U+iQE3BBMBCgAhBQJXBociAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJ -EPn+r/nTShvbHoAIAJDwb7dcAX4VGPa2oSuQqVnHsjDE7g8ATmcZq2IAzAG6bZg1 
-svuhNyPQnL7kNrsz6Ew+yE4vH8mOjDUbc3feY4MzmtEMaB6VS0Xlna6cdtWkv4Y+ -Us4TuYSdftPZuZgI3nN/sXLlxWJCZgCPJJaGM6dXgyTFatk2P1LE98Qif7+ZMqfv -+BA5L6cy2cAwJ5qbvLtuT25rTxooN54JETfwdhUD1NEIqTQxeC4E5lFvwedjAjLh -Gswau8WMCdM/HzGbuQ9Gp3/RafYoAvMV6r6sskvUrWubCHj0u+uNgOpUHvlrwcFg -rBirzQdElumCWqbJVCH0V5NcP/zSz1U1W8wSRqS5AQ0EVwaHIgEIALyCqpnax0cL -y7EK3UiU2Kkryb7LPsZkia9hTcIZjNg0B8XAdqDYpHiquYtX0cz5I1sSZMBJ/xJP -BF2ce/bmOTJtyW3GaF9a+M2zboZSzx9nlv9xx0o3bXBrBlL2vaG2TW+x2G53GA0/ -0chbj35PR+fvJx8ob/fHwCkfzGb1qCzwovhwGVUNHqI5bxK/xVwXfiycbllE3Hmf -09BGeXKR7gQtaal8byKKlqCtayteEaPNQt6czYxZkVAOvY4ZDQKSZJUNwGFog3bG -6rHr1J/0un6nAvX+wMuvRkUDiQxZZCel7e0Qcg3gPrYh+adlr0Tn7wyCP7/BULz8 -67fQfzc2ENkAEQEAAYkBHwQYAQoACQUCVwaHIgIbDAAKCRD5/q/500ob27KaB/9H -a+iDip6mxFdoqy7TAefBy7KgbMQxxT926IcFqf70aJDzeVQI3lGCqN9GW03d+wPr -LoyeQBQKNxxfQ9fEOvp1AXGWFIYYtEZIvQBpIqaSaA7W5IzqfDuO9xG89DNn8zKK -nh/mbYJov/fywhBU6JH7bqdFSHbqoG9TY64s0BkV6shIVOubXLSG5G7LxXhw+xrb -0zl4ie2wCeCBOLdbGHc+o2sKo1rBEz6UBK2DesPfkzxBO7lfa9HTcN03UJPHXmzb -2mCbeFV8yPsTAoaGv4qZH1+FX+9Lv374xTSXa4CjQzSxd0dkZGG+YQjocoPftgsC -OVsiqW0WhRVIEJ+hBAMUmQENBFcGiPEBCAC7sCnaZqWxfXNgBC7P28BSDUs9w4y/ -PEFsOv9bpgbgZagX1FnhG0eV71nm0p8v9T8Bft1eXaBd977Dq9pgk5qKO0xZo8fC -8prFqB5db7fMUvPZCuJTTb6lGMz4OdfT6aHqUvJ+LFF1mKn8Eqt1Q4snHGSL1PI3 -/+435qDRQsU15GdYrj1waNJKk79aes9oguaI2/OTQqzIcOFK5tJjlSOD1ryOIH1e -8vD+5MMpGvsRxv3sQHeTZkfZbkzSLFg/LKpoiQkyql1+BLNhBYq8oaE/jlvQrTEk -bAyKpMScdyHwmkWWKjyZtXTrAtlComnki4yC2lAV9MXINHHvNJBcIXvVABEBAAG0 -IERhbmllbCBTdGVuYmVyZyA8ZGFuaWVsQGhheHguc2U+iQE3BBMBCgAhBQJXBojx -AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEFzJCP23HhLCOKkH/1CyoKiN -2PCgTlWoYQspv/AAmsj+cFwZobI167KowA+o3zxQqxg0MV3ds8G+iig9OIuYurlQ -L5Jr3CbDltaiXdWtVteRh/VKp61EwyXq77vjJbx81hvOuaXWWLSlU0KB3w7Hj6aD -/mt16DpOcY9Aw90mKyvafRTqMF7TcT7J5HeGn2NL45dPkAhiMDEgEnw9yBTxK/x6 -UoQGPgiOWxSSN7Foj3mhUOflp8W0rnkLbJ4icpym6WuLKRMKAefDvk8GVlAWuXAb -9gloL1P6u3uNHllq/IODR2bZUBI0QNKhvt0iSj7WKsc/kaqscl+AE9jd/6kXd6vh -TNFWdzeco/2mGlaIRgQQEQoABgUCVwaJ/AAKCRB44RxrJ51ckWcaAKCJ6+arS/3k 
-IMcO14Jz8dVf2BH3OACgwTenVSsK66qi+VfGCoALpzpiLDO5AQ0EVwaI8QEIAOxQ
-AEvF3idxcn80tbUhJg1J98fAS7Hx3WhlFG74uAikZQl1KZrprBu70RWTb7Nm1tvZ
-eXW65IlY7kk42bhfYDs1JrIPWOWKvVwKWDxoEbYgW/yvy1TOuXH276zbxLl5OEE8
-sQuOfXZsFSX2IPF9hsgNGaNzor8Ke7Y5BuCQLcGZWW5dLFbbKRKjXG8CaWmsJVoI
-c2nyXCAss2q9oCJ13X/5z+Ei392rwi1d3NxAYkSiDQan+fkWkCvZH+dHmFjQ1AND
-KielxcW1VfilK1hu9ziBBDf8TCEud/q0woIAH7rvIft4i3CqjymonByE4/OjfH8j
-4EteQ8qoknMCjjwNVqkAEQEAAYkBHwQYAQoACQUCVwaI8QIbDAAKCRBcyQj9tx4S
-wupjB/9TV4anbZK58bN7QJ5qGnU3GNjlvWFZXMw1u1xVc7abDJyqmFeJcJ4qLUkv
-BA0OsvlVnMWmeCmzsXhlQVM4Bv6IWyr7JBWgkK5q2CWVB59V7v7znf5kWnMGFhDF
-PlLsGbxDWLMoZGH+Iy84whMJFgferwCJy1dND/bHXPztfhvFXi8NNlJUFJa8Xtmu
-gm78C+nwNHcFpVC70HPr3oa8U1ODXMp7L8W/dL3eLYXmRCNd0urHgYrzDt6V/zf5
-ymvPk5w4HBocn2oRCJj/FXKhFAUptmpTE3g1yvYULmuFcNGAnPAExmAmd6NqsCmb
-j/qx4ytjt5uxt6Jm6IXV9cry8i6x
-=Phs/
------END PGP PUBLIC KEY BLOCK-----
diff --git a/sources b/sources
index 002e494..1002b5a 100644
--- a/sources
+++ b/sources
@@ -1,2 +1 @@
-SHA512 (curl-8.18.0.tar.xz) = 50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c
-SHA512 (curl-8.18.0.tar.xz.asc) = 07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152
+SHA512 (curl-7.55.1.tar.xz) = 69f906655064b9cfef5b8763a893a658b25fcc4e595141ef122ac2b12158c5dc3b9535cb392f6f5af8346b6d495eb0609a08b5a6e638d4b10b82a15a0e8a7517
diff --git a/tests/non-root-user-download/main.fmf b/tests/non-root-user-download/main.fmf
deleted file mode 100644
index 2e3980f..0000000
--- a/tests/non-root-user-download/main.fmf
+++ /dev/null
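Review bot: The new `sources` entry records only the tarball hash: the `curl-8.18.0.tar.xz.asc` line is removed with no 7.55.1 counterpart, and the same diff deletes `mykey.asc`, so nothing visible here lets the build check the upstream signature on `curl-7.55.1.tar.xz`. The SHA512 pins the tarball to the bytes that were hashed when the entry was written, which says nothing about whether those bytes match what upstream signed. If the spec on this side is meant to verify its sources (the relevant spec lines are not visible in this chunk), keep the key file and add a line such as `SHA512 (curl-7.55.1.tar.xz.asc) = <sha512-of-upstream-signature>`; otherwise state in the commit description how the tarball was authenticated.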
@@ -1,18 +0,0 @@ -summary: various download methods with non-root user -description: '' -contact: Daniel Rusek -component: - - curl -require: - - findutils - - libselinux-utils - - openssh-clients - - openssh-server - - passwd -test: ./runtest.sh -framework: beakerlib -duration: 5m -enabled: true -tier: '1' -link: - - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1049921 diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh deleted file mode 100755 index 0d72276..0000000 --- a/tests/non-root-user-download/runtest.sh +++ /dev/null 
@@ -1,93 +0,0 @@ -#!/bin/bash -# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# runtest.sh of /CoreOS/curl/Sanity/non-root-user-download -# Description: various download methods with non-root user -# Author: Karel Srot -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2013 Red Hat, Inc. All rights reserved. -# -# This copyrighted material is made available to anyone wishing -# to use, modify, copy, or redistribute it subject to the terms -# and conditions of the GNU General Public License version 2. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public -# License along with this program; if not, write to the Free -# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301, USA. -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -# Include Beaker environment -. 
/usr/share/beakerlib/beakerlib.sh || exit 1 - -PACKAGE="curl" - -FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM -HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM -CONTENT=1bd6ab4798983c2fe4a210f9c4ca135fed453d6142ba852c1f8d5fba22e113ab -PASSWORD=pAssw0rd -OPTIONS="" -rlIsRHEL 7 && OPTIONS="--insecure" - -rlJournalStart - rlPhaseStartSetup - rlAssertRpm $PACKAGE - rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" - rlRun "pushd $TmpDir" - rlRun "useradd -m curltester" 0 "Adding the test user" - rlRun "echo $PASSWORD | passwd --stdin curltester" 0 "Setting the password for the test user" - rlRun "su - curltester -c 'echo $CONTENT > ~/testfile'" 0 "Creating ~curltester/testfile" - rlFileBackup --clean --missing-ok $HOME/.ssh /etc/hosts - rlRun "rm -f $HOME/.ssh/*" - [ -d $HOME/.ssh ] || ( mkdir $HOME/.ssh && restorecon HOME/.ssh ) - rlRun "rlServiceStart sshd" - rlRun "ssh-keyscan localhost >> $HOME/.ssh/known_hosts" - rlPhaseEnd - - rlPhaseStartTest "http download" - rlRun "su - curltester -c 'curl $HTTP_URL' &> http.log" - cat http.log - rlAssertGrep "$CONTENT" http.log - rlPhaseEnd - - rlPhaseStartTest "ftp download" - rlRun "su - curltester -c 'curl $FTP_URL' &> ftp.log" - cat ftp.log - rlAssertGrep "$CONTENT" ftp.log - rlPhaseEnd - -if ! 
rlIsRHEL 5; then -# scp sftp not supported on RHEL5 - - rlPhaseStartTest "scp download" - rlRun "curl -u curltester:$PASSWORD $OPTIONS scp://localhost/home/curltester/testfile &> scp.log" - cat scp.log - rlAssertGrep "$CONTENT" scp.log - rlPhaseEnd - - rlPhaseStartTest "sftp download" - rlRun "curl -u curltester:$PASSWORD $OPTIONS sftp://localhost/home/curltester/testfile &> sftp.log" - cat sftp.log - rlAssertGrep "$CONTENT" sftp.log - rlPhaseEnd - -fi - - rlPhaseStartCleanup - rlRun "rlServiceRestore" - rlFileRestore - rlRun "popd" - rlRun "rm -r $TmpDir" 0 "Removing tmp directory" - rlRun "userdel -r --force curltester" - rlPhaseEnd -rlJournalPrintText -rlJournalEnd diff --git a/tests/scp-and-sftp-download-test/main.fmf b/tests/scp-and-sftp-download-test/main.fmf deleted file mode 100644 index b69aff6..0000000 --- a/tests/scp-and-sftp-download-test/main.fmf +++ /dev/null @@ -1,20 +0,0 @@ -summary: downloads test file through scp and sftp -description: | - Test scenario: - - scp download - - sftp download - - scp upload - - sftp upload - - When PUBKEY_PARAM global variable is set to 'empty' or 'none', scenarios are executed - with empty --pubkey parameter (--pubkey "") or with the paramiter omitted -contact: Daniel Rusek -require: - - findutils -component: - - curl -test: ./runtest.sh -path: /tests/scp-and-sftp-download-test -framework: beakerlib -duration: 10m -enabled: true diff --git a/tests/scp-and-sftp-download-test/runtest.sh b/tests/scp-and-sftp-download-test/runtest.sh deleted file mode 100755 index 9cf9a2c..0000000 --- a/tests/scp-and-sftp-download-test/runtest.sh +++ /dev/null 
@@ -1,129 +0,0 @@ -#!/bin/bash -# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# runtest.sh of /CoreOS/curl/Sanity/scp-and-sftp-download-test -# Description: downloads test file through scp and sftp -# Author: Karel Srot -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2012 Red Hat, Inc. All rights reserved. -# -# This copyrighted material is made available to anyone wishing -# to use, modify, copy, or redistribute it subject to the terms -# and conditions of the GNU General Public License version 2. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public -# License along with this program; if not, write to the Free -# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301, USA. -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -# Include Beaker environment -. /usr/share/beakerlib/beakerlib.sh || exit 1 - -PACKAGE="curl" - -# GLOBAL/ENVIRONMENT VARIABLE: -# PUBKEY_PARAM - -if [ "$PUBKEY_PARAM" == 'none' ]; then - PUBKEY_PARAM="" -elif [ "$PUBKEY_PARAM" == 'empty' ]; then - PUBKEY_PARAM="--pubkey ''" -else - PUBKEY_PARAM='--pubkey /root/.ssh/id_rsa.pub' -fi - -FILESIZE=200 #MB -OPTIONS="" -rlIsRHEL 7 && OPTIONS="--insecure" - -rlJournalStart - rlPhaseStartSetup - rlAssertRpm $PACKAGE - rlFileBackup --clean /root/.ssh/known_hosts /root/.ssh - rlFileBackup --clean /etc/ssh/sshd_config - rlRun "useradd -m curltestuser" - - # In FIPS-140 we need to explicitly allow one of libssh2-implemented - # Kex algorithms (eg. DH14-SHA1). 
- rlRun "echo 'KexAlgorithms +diffie-hellman-group14-sha1' >> /etc/ssh/sshd_config" 0 - rlServiceStop "sshd" - rlRun "service sshd start && sleep 5" 0 - - # file for download test - rlRun "su - curltestuser -c 'dd if=/dev/zero of=testfile bs=1M count=200'" 0 "Creating $FILESIZE MB large test file" - SUM=`sha256sum /home/curltestuser/testfile | cut -d ' ' -f 1` - rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" - rlRun "pushd $TmpDir" - rlRun "rm -vf /root/.ssh/*" - rlRun "ssh-keygen -t rsa -f /root/.ssh/id_rsa -N ''" 0 "Generate ssh key" - rlRun "mkdir /home/curltestuser/.ssh && cat /root/.ssh/id_rsa.pub > /home/curltestuser/.ssh/authorized_keys && chown -R curltestuser.curltestuser /home/curltestuser/.ssh/" 0 "Save the key to .ssh/authorized_keys" - - # this is a workaround as libssh2 is not able to use newer hashes - #rlRun "ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/root/.ssh/known_hosts curltestuser@localhost 'exit'" 0 "First ssh login to add localhost to known_hosts" - rlRun "ssh-keyscan localhost >>/root/.ssh/known_hosts" - - # files for upload test - rlRun "dd if=/dev/zero of=uploadfile1 bs=1M count=50" 0 "Creating 50 MB large test file" - UPSUM1=`sha256sum uploadfile1 | cut -d ' ' -f 1` - rlRun "dd if=/dev/zero of=uploadfile2 bs=1M count=20" 0 "Creating 20 MB large test file" - UPSUM2=`sha256sum uploadfile2 | cut -d ' ' -f 1` - rlPhaseEnd - - rlPhaseStartTest "scp download test" - rlRun "curl -o ./scp_file -u curltestuser: --key /root/.ssh/id_rsa $PUBKEY_PARAM $OPTIONS scp://localhost/home/curltestuser/testfile" 0 "Initiate curl scp download" - rlAssertExists scp_file - SCPSUM=`sha256sum ./scp_file | cut -d ' ' -f 1` - rlAssertEquals "Checking that whole file was properly downloaded" $SUM $SCPSUM - rm -f ./scp_file - rlPhaseEnd - - rlPhaseStartTest "sftp download test" - rlRun "curl -o ./sftp_file -u curltestuser: --key /root/.ssh/id_rsa $PUBKEY_PARAM $OPTIONS sftp://localhost/home/curltestuser/testfile" 0 "Initiate curl scp download" - 
rlAssertExists sftp_file - SFTPSUM=`sha256sum ./sftp_file | cut -d ' ' -f 1` - rlAssertEquals "Checking that whole file was properly downloaded" $SUM $SFTPSUM - rm -f ./sftp_file - rlPhaseEnd - - rlPhaseStartTest "scp upload test" - rlRun "curl -T '{uploadfile1,uploadfile2}' scp://localhost/home/curltestuser/ -u curltestuser: --key /root/.ssh/id_rsa $PUBKEY_PARAM $OPTIONS" 0 "Initiate curl scp upload" - rlAssertExists /home/curltestuser/uploadfile1 - rlAssertExists /home/curltestuser/uploadfile2 - SCPUPSUM1=`sha256sum /home/curltestuser/uploadfile1 | cut -d ' ' -f 1` - SCPUPSUM2=`sha256sum /home/curltestuser/uploadfile2 | cut -d ' ' -f 1` - rlAssertEquals "Checking that 1st file was properly uploaded" ${UPSUM1} ${SCPUPSUM1} - rlAssertEquals "Checking that 2nd file was properly uploaded" ${UPSUM2} ${SCPUPSUM2} - rm -f /home/curltestuser/uploadfile1 /home/curltestuser/uploadfile2 - rlPhaseEnd - - rlPhaseStartTest "sftp upload test" - rlRun "curl -T '{uploadfile1,uploadfile2}' sftp://localhost/home/curltestuser/ -u curltestuser: --key /root/.ssh/id_rsa $PUBKEY_PARAM $OPTIONS" 0 "Initiate curl sftp upload" - rlAssertExists /home/curltestuser/uploadfile1 - rlAssertExists /home/curltestuser/uploadfile2 - SFTPUPSUM1=`sha256sum /home/curltestuser/uploadfile1 | cut -d ' ' -f 1` - SFTPUPSUM2=`sha256sum /home/curltestuser/uploadfile2 | cut -d ' ' -f 1` - rlAssertEquals "Checking that 1st file was properly uploaded" ${UPSUM1} ${SFTPUPSUM1} - rlAssertEquals "Checking that 2nd file was properly uploaded" ${UPSUM2} ${SFTPUPSUM2} - rm -f /home/curltestuser/uploadfile1 /home/curltestuser/uploadfile2 - rlPhaseEnd - - - rlPhaseStartCleanup - rlRun "userdel -r --force curltestuser" - rlRun "popd" - rlRun "rm -r $TmpDir" 0 "Removing tmp directory" - rlFileRestore - rlServiceRestore "sshd" - rlPhaseEnd -rlJournalPrintText -rlJournalEnd