diff --git a/.fmf/version b/.fmf/version
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/.fmf/version
@@ -0,0 +1 @@
+1
diff --git a/.gitignore b/.gitignore
index 7dcfd8f..9bb4285 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,6 @@
 /curl-[0-9.]*.tar.lzma
+/curl-[0-9.]*.tar.lzma.asc
 /curl-[0-9.]*.tar.xz
+/curl-[0-9.]*.tar.xz.asc
+/curl-[0-9]*.[0-9]*.[0-9]*/
+/*.src.rpm
diff --git a/0001-curl-7.55.1-zsh-completion.patch b/0001-curl-7.55.1-zsh-completion.patch
deleted file mode 100644
index 8a37cd4..0000000
--- a/0001-curl-7.55.1-zsh-completion.patch
+++ /dev/null
@@ -1,67 +0,0 @@ -From 918eb4c10b60a58ea6b14bea7b9fbfba4d29598c Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 14 Aug 2017 16:13:32 +0200 -Subject: [PATCH] zsh.pl: produce a working completion script again - -Commit curl-7_54_0-118-g8b2f22e changed the output format of curl --help -to use and instead of FILE and DIR, which caused zsh.pl to -produce a broken completion script: - -% curl -- -_curl:10: no such file or directory: seconds - -Closes #1779 - -Upstream-commit: ab2a7079cd2a1ec279b1e6b587ba48e50c155e91 -Signed-off-by: Kamil Dudka ---- - docs/cmdline-opts/cacert.d | 2 +- - scripts/zsh.pl | 5 +++-- - src/tool_help.c | 2 +- - 3 files changed, 5 insertions(+), 4 deletions(-) - -diff --git a/docs/cmdline-opts/cacert.d b/docs/cmdline-opts/cacert.d -index 04e1139..b2ecf90 100644 ---- a/docs/cmdline-opts/cacert.d -+++ b/docs/cmdline-opts/cacert.d -@@ -1,5 +1,5 @@ - Long: cacert --Arg: -+Arg: - Help: CA certificate to verify peer against - Protocols: TLS - --- -diff --git a/scripts/zsh.pl b/scripts/zsh.pl -index f0d8c19..82b4d9f 100755 ---- a/scripts/zsh.pl -+++ b/scripts/zsh.pl -@@ -54,10 +54,11 @@ sub parse_main_opts { - $option .= '}' if defined $short; - $option .= '\'[' . trim($desc) . ']\'' if defined $desc; - -- $option .= ":$arg" if defined $arg; -+ $option .= ":'$arg'" if defined $arg; - - $option .= ':_files' -- if defined $arg and ($arg eq 'FILE' || $arg eq 'DIR'); -+ if defined $arg and ($arg eq '' || $arg eq '' -+ || $arg eq ''); - - push @list, $option; - } -diff --git a/src/tool_help.c b/src/tool_help.c -index 42dc779..a5bfaba 100644 ---- a/src/tool_help.c -+++ b/src/tool_help.c -@@ -54,7 +54,7 @@ static const struct helptxt helptext[] = { - "Append to target file when uploading"}, - {" --basic", - "Use HTTP Basic Authentication"}, -- {" --cacert ", -+ {" --cacert ", - "CA certificate to verify peer against"}, - {" --capath ", - "CA directory to verify peer against"}, --- -2.9.5 - 
diff --git a/0002-curl-7.55.1-proxy-connect.patch b/0002-curl-7.55.1-proxy-connect.patch deleted file mode 100644 index a87e787..0000000 --- a/0002-curl-7.55.1-proxy-connect.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 74dac344b2feb2e0f4baddb70532dc8e45d2d817 Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" -Date: Fri, 18 Aug 2017 10:43:02 +0200 -Subject: [PATCH] http: Don't wait on CONNECT when there is no proxy - -Since curl 7.55.0, NetworkManager almost always failed its connectivity -check by timeout. I bisected this to 5113ad04 (http-proxy: do the HTTP -CONNECT process entirely non-blocking). - -This patch replaces !Curl_connect_complete with Curl_connect_ongoing, -which returns false if the CONNECT state was left uninitialized and lets -the connection continue. - -Closes #1803 -Fixes #1804 - -Also-fixed-by: Gergely Nagy - -Upstream-commit: 74dac344b2feb2e0f4baddb70532dc8e45d2d817 -Signed-off-by: Kamil Dudka ---- - lib/http.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/http.c b/lib/http.c -index 35c7c3d43..3e3313278 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -1371,7 +1371,7 @@ CURLcode Curl_http_connect(struct connectdata *conn, bool *done) - if(CONNECT_FIRSTSOCKET_PROXY_SSL()) - return CURLE_OK; /* wait for HTTPS proxy SSL initialization to complete */ - -- if(!Curl_connect_complete(conn)) -+ if(Curl_connect_ongoing(conn)) - /* nothing else to do except wait right now - we're not done here. */ - return CURLE_OK; - --- -2.13.5 - diff --git a/0004-curl-7.59.0-http2-GOAWAY.patch b/0004-curl-7.59.0-http2-GOAWAY.patch deleted file mode 100644 index 790c27b..0000000 --- a/0004-curl-7.59.0-http2-GOAWAY.patch +++ /dev/null 
@@ -1,344 +0,0 @@ -From 01f15fd3d66655872e10c36dd6a631f491fbbed0 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Sat, 10 Mar 2018 23:48:43 +0100 -Subject: [PATCH 1/2] http2: mark the connection for close on GOAWAY -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -... don't consider it an error! - -Assisted-by: Jay Satiro -Reported-by: Łukasz Domeradzki -Fixes #2365 -Closes #2375 - -Upstream-commit: 8b498a875c975294545581282289991bbcfeabf4 -Signed-off-by: Kamil Dudka ---- - lib/http.h | 5 ++--- - lib/http2.c | 33 +++++++++++++++++++++------------ - lib/multi.c | 9 +++------ - 3 files changed, 26 insertions(+), 21 deletions(-) - -diff --git a/lib/http.h b/lib/http.h -index a845f56..e8e41e3 100644 ---- a/lib/http.h -+++ b/lib/http.h -@@ -7,7 +7,7 @@ - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * -- * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. -+ * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. 
The terms -@@ -174,8 +174,6 @@ struct HTTP { - size_t pauselen; /* the number of bytes left in data */ - bool closed; /* TRUE on HTTP2 stream close */ - bool close_handled; /* TRUE if stream closure is handled by libcurl */ -- uint32_t error_code; /* HTTP/2 error code */ -- - char *mem; /* points to a buffer in memory to store received data */ - size_t len; /* size of the buffer 'mem' points to */ - size_t memlen; /* size of data copied to mem */ -@@ -228,6 +226,7 @@ struct http_conn { - /* list of settings that will be sent */ - nghttp2_settings_entry local_settings[3]; - size_t local_settings_num; -+ uint32_t error_code; /* HTTP/2 error code */ - #else - int unused; /* prevent a compiler warning */ - #endif -diff --git a/lib/http2.c b/lib/http2.c -index 0e55801..14ab0f7 100644 ---- a/lib/http2.c -+++ b/lib/http2.c -@@ -205,7 +205,6 @@ void Curl_http2_setup_req(struct Curl_easy *data) - http->status_code = -1; - http->pausedata = NULL; - http->pauselen = 0; -- http->error_code = NGHTTP2_NO_ERROR; - http->closed = FALSE; - http->close_handled = FALSE; - http->mem = data->state.buffer; -@@ -218,6 +217,7 @@ void Curl_http2_setup_conn(struct connectdata *conn) - { - conn->proto.httpc.settings.max_concurrent_streams = - DEFAULT_MAX_CONCURRENT_STREAMS; -+ conn->proto.httpc.error_code = NGHTTP2_NO_ERROR; - } - - /* -@@ -778,6 +778,7 @@ static int on_stream_close(nghttp2_session *session, int32_t stream_id, - (void)stream_id; - - if(stream_id) { -+ struct http_conn *httpc; - /* get the stream from the hash based on Stream ID, stream ID zero is for - connection-oriented stuff */ - data_s = nghttp2_session_get_stream_user_data(session, stream_id); -@@ -792,10 +793,11 @@ static int on_stream_close(nghttp2_session *session, int32_t stream_id, - if(!stream) - return NGHTTP2_ERR_CALLBACK_FAILURE; - -- stream->error_code = error_code; - stream->closed = TRUE; - data_s->state.drain++; -- conn->proto.httpc.drain_total++; -+ httpc = &conn->proto.httpc; -+ httpc->drain_total++; -+ 
httpc->error_code = error_code; - - /* remove the entry from the hash as the stream is now gone */ - nghttp2_session_set_stream_user_data(session, stream_id, 0); -@@ -1223,13 +1225,14 @@ static int h2_session_send(struct Curl_easy *data, - * This function returns 0 if it succeeds, or -1 and error code will - * be assigned to *err. - */ --static int h2_process_pending_input(struct Curl_easy *data, -+static int h2_process_pending_input(struct connectdata *conn, - struct http_conn *httpc, - CURLcode *err) - { - ssize_t nread; - char *inbuf; - ssize_t rv; -+ struct Curl_easy *data = conn->data; - - nread = httpc->inbuflen - httpc->nread_inbuf; - inbuf = httpc->inbuf + httpc->nread_inbuf; -@@ -1267,7 +1270,13 @@ static int h2_process_pending_input(struct Curl_easy *data, - if(should_close_session(httpc)) { - DEBUGF(infof(data, - "h2_process_pending_input: nothing to do in this session\n")); -- *err = CURLE_HTTP2; -+ if(httpc->error_code) -+ *err = CURLE_HTTP2; -+ else { -+ /* not an error per se, but should still close the connection */ -+ connclose(conn, "GOAWAY received"); -+ *err = CURLE_OK; -+ } - return -1; - } - -@@ -1298,7 +1307,7 @@ CURLcode Curl_http2_done_sending(struct connectdata *conn) - that it can signal EOF to nghttp2 */ - (void)nghttp2_session_resume_data(h2, stream->stream_id); - -- (void)h2_process_pending_input(conn->data, httpc, &result); -+ (void)h2_process_pending_input(conn, httpc, &result); - } - } - return result; -@@ -1322,7 +1331,7 @@ static ssize_t http2_handle_stream_close(struct connectdata *conn, - data->state.drain = 0; - - if(httpc->pause_stream_id == 0) { -- if(h2_process_pending_input(data, httpc, err) != 0) { -+ if(h2_process_pending_input(conn, httpc, err) != 0) { - return -1; - } - } -@@ -1331,10 +1340,10 @@ static ssize_t http2_handle_stream_close(struct connectdata *conn, - - /* Reset to FALSE to prevent infinite loop in readwrite_data function. 
*/ - stream->closed = FALSE; -- if(stream->error_code != NGHTTP2_NO_ERROR) { -+ if(httpc->error_code != NGHTTP2_NO_ERROR) { - failf(data, "HTTP/2 stream %u was not closed cleanly: %s (err %d)", -- stream->stream_id, Curl_http2_strerror(stream->error_code), -- stream->error_code); -+ stream->stream_id, Curl_http2_strerror(httpc->error_code), -+ httpc->error_code); - *err = CURLE_HTTP2_STREAM; - return -1; - } -@@ -1482,7 +1491,7 @@ static ssize_t http2_recv(struct connectdata *conn, int sockindex, - /* We have paused nghttp2, but we have no pause data (see - on_data_chunk_recv). */ - httpc->pause_stream_id = 0; -- if(h2_process_pending_input(data, httpc, &result) != 0) { -+ if(h2_process_pending_input(conn, httpc, &result) != 0) { - *err = result; - return -1; - } -@@ -1512,7 +1521,7 @@ static ssize_t http2_recv(struct connectdata *conn, int sockindex, - frames, then we have to call it again with 0-length data. - Without this, on_stream_close callback will not be called, - and stream could be hanged. */ -- if(h2_process_pending_input(data, httpc, &result) != 0) { -+ if(h2_process_pending_input(conn, httpc, &result) != 0) { - *err = result; - return -1; - } -diff --git a/lib/multi.c b/lib/multi.c -index d5bc532..7b9ba61 100644 ---- a/lib/multi.c -+++ b/lib/multi.c -@@ -5,7 +5,7 @@ - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * -- * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. -+ * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms -@@ -572,11 +572,8 @@ static CURLcode multi_done(struct connectdata **connp, - result = CURLE_ABORTED_BY_CALLBACK; - } - -- if(conn->send_pipe.size + conn->recv_pipe.size != 0 && -- !data->set.reuse_forbid && -- !conn->bits.close) { -- /* Stop if pipeline is not empty and we do not have to close -- connection. 
*/ -+ if(conn->send_pipe.size || conn->recv_pipe.size) { -+ /* Stop if pipeline is not empty . */ - data->easy_conn = NULL; - DEBUGF(infof(data, "Connection still in use, no more multi_done now!\n")); - return CURLE_OK; --- -2.14.4 - - -From 84ddda3994c1f12d79946780dee9111b3cf1c308 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 19 Apr 2018 20:03:30 +0200 -Subject: [PATCH 2/2] http2: handle GOAWAY properly - -When receiving REFUSED_STREAM, mark the connection for close and retry -streams accordingly on another/fresh connection. - -Reported-by: Terry Wu -Fixes #2416 -Fixes #1618 -Closes #2510 - -Upstream-commit: d122df5972fc01e39ae28e6bca705237d7e3318a -Signed-off-by: Kamil Dudka ---- - lib/http2.c | 17 ++++++++++++----- - lib/multi.c | 4 +++- - lib/transfer.c | 17 +++++++++++++++-- - lib/urldata.h | 2 +- - 4 files changed, 31 insertions(+), 9 deletions(-) - -diff --git a/lib/http2.c b/lib/http2.c -index b2c34e9..fba4d70 100644 ---- a/lib/http2.c -+++ b/lib/http2.c -@@ -1070,7 +1070,6 @@ void Curl_http2_done(struct connectdata *conn, bool premature) - struct http_conn *httpc = &conn->proto.httpc; - - if(http->header_recvbuf) { -- DEBUGF(infof(data, "free header_recvbuf!!\n")); - Curl_add_buffer_free(http->header_recvbuf); - http->header_recvbuf = NULL; /* clear the pointer */ - Curl_add_buffer_free(http->trailer_recvbuf); -@@ -1340,7 +1339,15 @@ static ssize_t http2_handle_stream_close(struct connectdata *conn, - - /* Reset to FALSE to prevent infinite loop in readwrite_data function. 
*/ - stream->closed = FALSE; -- if(httpc->error_code != NGHTTP2_NO_ERROR) { -+ if(httpc->error_code == NGHTTP2_REFUSED_STREAM) { -+ DEBUGF(infof(data, "REFUSED_STREAM (%d), try again on a new connection!\n", -+ stream->stream_id)); -+ connclose(conn, "REFUSED_STREAM"); /* don't use this anymore */ -+ data->state.refused_stream = TRUE; -+ *err = CURLE_RECV_ERROR; /* trigger Curl_retry_request() later */ -+ return -1; -+ } -+ else if(httpc->error_code != NGHTTP2_NO_ERROR) { - failf(data, "HTTP/2 stream %u was not closed cleanly: %s (err %d)", - stream->stream_id, Curl_http2_strerror(httpc->error_code), - httpc->error_code); -@@ -1568,9 +1575,9 @@ static ssize_t http2_recv(struct connectdata *conn, int sockindex, - } - - if(nread == 0) { -- failf(data, "Unexpected EOF"); -- *err = CURLE_RECV_ERROR; -- return -1; -+ DEBUGF(infof(data, "end of stream\n")); -+ *err = CURLE_OK; -+ return 0; - } - - DEBUGF(infof(data, "nread=%zd\n", nread)); -diff --git a/lib/multi.c b/lib/multi.c -index 98e5fca..d69e5f9 100644 ---- a/lib/multi.c -+++ b/lib/multi.c -@@ -575,7 +575,9 @@ static CURLcode multi_done(struct connectdata **connp, - if(conn->send_pipe.size || conn->recv_pipe.size) { - /* Stop if pipeline is not empty . 
*/ - data->easy_conn = NULL; -- DEBUGF(infof(data, "Connection still in use, no more multi_done now!\n")); -+ DEBUGF(infof(data, "Connection still in use %d/%d, " -+ "no more multi_done now!\n", -+ conn->send_pipe.size, conn->recv_pipe.size)); - return CURLE_OK; - } - -diff --git a/lib/transfer.c b/lib/transfer.c -index fd9af31..5c29cc9 100644 ---- a/lib/transfer.c -+++ b/lib/transfer.c -@@ -1896,7 +1896,7 @@ CURLcode Curl_retry_request(struct connectdata *conn, - char **url) - { - struct Curl_easy *data = conn->data; -- -+ bool retry = FALSE; - *url = NULL; - - /* if we're talking upload, we can't do the checks below, unless the protocol -@@ -1909,7 +1909,7 @@ CURLcode Curl_retry_request(struct connectdata *conn, - conn->bits.reuse && - (!data->set.opt_no_body - || (conn->handler->protocol & PROTO_FAMILY_HTTP)) && -- (data->set.rtspreq != RTSPREQ_RECEIVE)) { -+ (data->set.rtspreq != RTSPREQ_RECEIVE)) - /* We got no data, we attempted to re-use a connection. For HTTP this - can be a retry so we try again regardless if we expected a body. - For other protocols we only try again only if we expected a body. -@@ -1917,6 +1917,19 @@ CURLcode Curl_retry_request(struct connectdata *conn, - This might happen if the connection was left alive when we were - done using it before, but that was closed when we wanted to read from - it again. Bad luck. Retry the same request on a fresh connect! */ -+ retry = TRUE; -+ else if(data->state.refused_stream && -+ (data->req.bytecount + data->req.headerbytecount == 0) ) { -+ /* This was sent on a refused stream, safe to rerun. A refused stream -+ error can typically only happen on HTTP/2 level if the stream is safe -+ to issue again, but the nghttp2 API can deliver the message to other -+ streams as well, which is why this adds the check the data counters -+ too. 
*/ -+ infof(conn->data, "REFUSED_STREAM, retrying a fresh connect\n"); -+ data->state.refused_stream = FALSE; /* clear again */ -+ retry = TRUE; -+ } -+ if(retry) { - infof(conn->data, "Connection died, retrying a fresh connect\n"); - *url = strdup(conn->data->change.url); - if(!*url) -diff --git a/lib/urldata.h b/lib/urldata.h -index 3d7b9e5..6a36ee9 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -1391,7 +1391,7 @@ struct UrlState { - curl_off_t current_speed; /* the ProgressShow() function sets this, - bytes / second */ - bool this_is_a_follow; /* this is a followed Location: request */ -- -+ bool refused_stream; /* this was refused, try again */ - char *first_host; /* host name of the first (not followed) request. - if set, this should be the host name that we will - sent authorization to, no else. Used to make Location: --- -2.14.4 - diff --git a/0005-curl-7.55.1-CVE-2017-1000254.patch b/0005-curl-7.55.1-CVE-2017-1000254.patch deleted file mode 100644 index 6ee9bb9..0000000 --- a/0005-curl-7.55.1-CVE-2017-1000254.patch +++ /dev/null 
@@ -1,136 +0,0 @@ -From 1e6f9bb225047cb40232ac3e0aa5da161e49d465 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 25 Sep 2017 00:35:22 +0200 -Subject: [PATCH] FTP: zero terminate the entry path even on bad input - -... a single double quote could leave the entry path buffer without a zero -terminating byte. CVE-2017-1000254 - -Test 1152 added to verify. - -Reported-by: Max Dymond -Bug: https://curl.haxx.se/docs/adv_20171004.html - -Upstream-commit: 5ff2c5ff25750aba1a8f64fbcad8e5b891512584 -Signed-off-by: Kamil Dudka ---- - lib/ftp.c | 7 ++++-- - tests/data/Makefile.inc | 1 + - tests/data/test1152 | 61 +++++++++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 67 insertions(+), 2 deletions(-) - create mode 100644 tests/data/test1152 - -diff --git a/lib/ftp.c b/lib/ftp.c -index 6e86e53..bcba6bb 100644 ---- a/lib/ftp.c -+++ b/lib/ftp.c -@@ -2777,6 +2777,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) - const size_t buf_size = data->set.buffer_size; - char *dir; - char *store; -+ bool entry_extracted = FALSE; - - dir = malloc(nread + 1); - if(!dir) -@@ -2808,7 +2809,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) - } - else { - /* end of path */ -- *store = '\0'; /* zero terminate */ -+ entry_extracted = TRUE; - break; /* get out of this loop */ - } - } -@@ -2817,7 +2818,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) - store++; - ptr++; - } -- -+ *store = '\0'; /* zero terminate */ -+ } -+ if(entry_extracted) { - /* If the path name does not look like an absolute path (i.e.: it - does not start with a '/'), we probably need some server-dependent - adjustments. 
For example, this is the case when connecting to -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index 1657ac6..f8f6e41 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -121,6 +121,7 @@ test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \ - test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \ - test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \ - test1144 test1145 test1146 test1147 test1148 \ -+test1152 \ - test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ - test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \ - test1216 test1217 test1218 test1219 \ -diff --git a/tests/data/test1152 b/tests/data/test1152 -new file mode 100644 -index 0000000..aa8c0a7 ---- /dev/null -+++ b/tests/data/test1152 -@@ -0,0 +1,61 @@ -+ -+ -+ -+FTP -+PASV -+LIST -+ -+ -+# -+# Server-side -+ -+ -+REPLY PWD 257 "just one -+ -+ -+# When doing LIST, we get the default list output hard-coded in the test -+# FTP server -+ -+total 20 -+drwxr-xr-x 8 98 98 512 Oct 22 13:06 . -+drwxr-xr-x 8 98 98 512 Oct 22 13:06 .. -+drwxr-xr-x 2 98 98 512 May 2 1996 curl-releases -+-r--r--r-- 1 0 1 35 Jul 16 1996 README -+lrwxrwxrwx 1 0 1 7 Dec 9 1999 bin -> usr/bin -+dr-xr-xr-x 2 0 1 512 Oct 1 1997 dev -+drwxrwxrwx 2 98 98 512 May 29 16:04 download.html -+dr-xr-xr-x 2 0 1 512 Nov 30 1995 etc -+drwxrwxrwx 2 98 1 512 Oct 30 14:33 pub -+dr-xr-xr-x 5 0 1 512 Oct 1 1997 usr -+ -+ -+ -+# -+# Client-side -+ -+ -+ftp -+ -+ -+FTP with uneven quote in PWD response -+ -+ -+ftp://%HOSTIP:%FTPPORT/test-1152/ -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+USER anonymous -+PASS ftp@example.com -+PWD -+CWD test-1152 -+EPSV -+TYPE A -+LIST -+QUIT -+ -+ -+ --- -2.13.6 - diff --git a/0006-curl-7.55.1-CVE-2017-1000257.patch b/0006-curl-7.55.1-CVE-2017-1000257.patch deleted file mode 100644 index 01b2d6f..0000000 
--- a/0006-curl-7.55.1-CVE-2017-1000257.patch +++ /dev/null @@ -1,36 +0,0 @@ -From f8b7620e0578ef44e8fd958d32f348b535d1ab77 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Sat, 7 Oct 2017 00:11:31 +0200 -Subject: [PATCH] imap: if a FETCH response has no size, don't call write - callback - -CVE-2017-1000257 - -Reported-by: Brian Carpenter and 0xd34db347 -Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586 - -Upstream-commit: 13c9a9ded3ae744a1e11cbc14e9146d9fa427040 -Signed-off-by: Kamil Dudka ---- - lib/imap.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/lib/imap.c b/lib/imap.c -index 48af290..4deba88 100644 ---- a/lib/imap.c -+++ b/lib/imap.c -@@ -1091,6 +1091,11 @@ static CURLcode imap_state_fetch_resp(struct connectdata *conn, int imapcode, - /* The conversion from curl_off_t to size_t is always fine here */ - chunk = (size_t)size; - -+ if(!chunk) { -+ /* no size, we're done with the data */ -+ state(conn, IMAP_STOP); -+ return CURLE_OK; -+ } - result = Curl_client_write(conn, CLIENTWRITE_BODY, pp->cache, chunk); - if(result) - return result; --- -2.13.6 - diff --git a/0007-curl-7.55.1-CVE-2017-8817.patch b/0007-curl-7.55.1-CVE-2017-8817.patch deleted file mode 100644 index 99453ce..0000000 --- a/0007-curl-7.55.1-CVE-2017-8817.patch +++ /dev/null 
@@ -1,132 +0,0 @@ -From d288bcc0635f154fa2167bb0ac1de554bde971b6 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Fri, 10 Nov 2017 08:52:45 +0100 -Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset - -The code would previous read beyond the end of the pattern string if the -match pattern ends with an open bracket when the default pattern -matching function is used. - -Detected by OSS-Fuzz: -https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161 - -CVE-2017-8817 - -Bug: https://curl.haxx.se/docs/adv_2017-ae72.html - -Upstream-commit: 0b664ba968437715819bfe4c7ada5679d16ebbc3 -Signed-off-by: Kamil Dudka ---- - lib/curl_fnmatch.c | 9 +++------ - tests/data/Makefile.inc | 1 + - tests/data/test1163 | 52 +++++++++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 56 insertions(+), 6 deletions(-) - create mode 100644 tests/data/test1163 - -diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c -index 46d3ada..5dd5323 100644 ---- a/lib/curl_fnmatch.c -+++ b/lib/curl_fnmatch.c -@@ -133,6 +133,9 @@ static int setcharset(unsigned char **p, unsigned char *charset) - unsigned char c; - for(;;) { - c = **p; -+ if(!c) -+ return SETCHARSET_FAIL; -+ - switch(state) { - case CURLFNM_SCHS_DEFAULT: - if(ISALNUM(c)) { /* ASCII value */ -@@ -196,9 +199,6 @@ static int setcharset(unsigned char **p, unsigned char *charset) - else - return SETCHARSET_FAIL; - } -- else if(c == '\0') { -- return SETCHARSET_FAIL; -- } - else { - charset[c] = 1; - (*p)++; -@@ -277,9 +277,6 @@ static int setcharset(unsigned char **p, unsigned char *charset) - else if(c == ']') { - return SETCHARSET_OK; - } -- else if(c == '\0') { -- return SETCHARSET_FAIL; -- } - else if(ISPRINT(c)) { - charset[c] = 1; - (*p)++; -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index f8f6e41..6e2f402 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -122,6 +122,7 @@ test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \ - test1136 
test1137 test1138 test1139 test1140 test1141 test1142 test1143 \ - test1144 test1145 test1146 test1147 test1148 \ - test1152 \ -+test1163 \ - test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ - test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \ - test1216 test1217 test1218 test1219 \ -diff --git a/tests/data/test1163 b/tests/data/test1163 -new file mode 100644 -index 0000000..a109b51 ---- /dev/null -+++ b/tests/data/test1163 -@@ -0,0 +1,52 @@ -+ -+ -+ -+FTP -+RETR -+LIST -+wildcardmatch -+ftplistparser -+flaky -+ -+ -+ -+# -+# Server-side -+ -+ -+ -+ -+ -+# Client-side -+ -+ -+ftp -+ -+ -+lib576 -+ -+ -+FTP wildcard with pattern ending with an open-bracket -+ -+ -+"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[][" -+ -+ -+ -+ -+USER anonymous -+PASS ftp@example.com -+PWD -+CWD fully_simulated -+CWD DOS -+EPSV -+TYPE A -+LIST -+QUIT -+ -+# 78 == CURLE_REMOTE_FILE_NOT_FOUND -+ -+78 -+ -+ -+ --- -2.13.6 - diff --git a/0008-curl-7.55.1-CVE-2017-8816.patch b/0008-curl-7.55.1-CVE-2017-8816.patch deleted file mode 100644 index 374d79d..0000000 --- a/0008-curl-7.55.1-CVE-2017-8816.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 300d6e1b2598dc34004e4608e6718f1c0c206110 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 6 Nov 2017 23:51:52 +0100 -Subject: [PATCH] ntlm: avoid integer overflow for malloc size - -Reported-by: Alex Nichols -Assisted-by: Kamil Dudka and Max Dymond - -CVE-2017-8816 - -Bug: https://curl.haxx.se/docs/adv_2017-11e7.html - -Upstream-commit: 7f2a1df6f5fc598750b2c6f34465c8d924db28cc -Signed-off-by: Kamil Dudka ---- - lib/curl_ntlm_core.c | 20 ++++++++++++++++++-- - 1 file changed, 18 insertions(+), 2 deletions(-) - -diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c -index aea5452..eb44f97 100644 ---- a/lib/curl_ntlm_core.c -+++ b/lib/curl_ntlm_core.c -@@ -622,6 +622,12 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen, - return CURLE_OK; - } - -+#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) -+#define SIZE_T_MAX 18446744073709551615U -+#else -+#define SIZE_T_MAX 4294967295U -+#endif -+ - /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode - * (uppercase UserName + Domain) as the data - */ -@@ -631,10 +637,20 @@ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen, - unsigned char *ntlmv2hash) - { - /* Unicode representation */ -- size_t identity_len = (userlen + domlen) * 2; -- unsigned char *identity = malloc(identity_len); -+ size_t identity_len; -+ unsigned char *identity; - CURLcode result = CURLE_OK; - -+ /* we do the length checks below separately to avoid integer overflow risk -+ on extreme data lengths */ -+ if((userlen > SIZE_T_MAX/2) || -+ (domlen > SIZE_T_MAX/2) || -+ ((userlen + domlen) > SIZE_T_MAX/2)) -+ return CURLE_OUT_OF_MEMORY; -+ -+ identity_len = (userlen + domlen) * 2; -+ identity = malloc(identity_len); -+ - if(!identity) - return CURLE_OUT_OF_MEMORY; - --- -2.13.6 - diff --git a/0009-curl-7.55.1-CVE-2018-1000007.patch b/0009-curl-7.55.1-CVE-2018-1000007.patch deleted file mode 100644 index 0720745..0000000 
--- a/0009-curl-7.55.1-CVE-2018-1000007.patch +++ /dev/null 
@@ -1,330 +0,0 @@ -From e6968d1d220891230bcca5340bfd364183ceaa31 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Fri, 19 Jan 2018 13:19:25 +0100 -Subject: [PATCH] http: prevent custom Authorization headers in redirects - -... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how -curl already handles Authorization headers created internally. - -Note: this changes behavior slightly, for the sake of reducing mistakes. - -Added test 317 and 318 to verify. - -Reported-by: Craig de Stigter -Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html - -Upstream-commit: af32cd3859336ab963591ca0df9b1e33a7ee066b -Signed-off-by: Kamil Dudka ---- - docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 12 ++++- - lib/http.c | 10 +++- - lib/url.c | 2 +- - lib/urldata.h | 2 +- - tests/data/Makefile.inc | 2 +- - tests/data/test317 | 94 +++++++++++++++++++++++++++++++++ - tests/data/test318 | 95 ++++++++++++++++++++++++++++++++++ - 7 files changed, 212 insertions(+), 5 deletions(-) - create mode 100644 tests/data/test317 - create mode 100644 tests/data/test318 - -diff --git a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 -index 6aeec22..781e570 100644 ---- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 -+++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 -@@ -5,7 +5,7 @@ - .\" * | (__| |_| | _ <| |___ - .\" * \___|\___/|_| \_\_____| - .\" * --.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, , et al. -+.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. - .\" * - .\" * This software is licensed as described in the file COPYING, which - .\" * you should have received as part of this distribution. The terms -@@ -78,6 +78,16 @@ the headers. They may be private or otherwise sensitive to leak. - - Use \fICURLOPT_HEADEROPT(3)\fP to make the headers only get sent to where you - intend them to get sent. 
-+ -+Custom headers are sent in all requests done by the easy handles, which -+implies that if you tell libcurl to follow redirects -+(\fICURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent -+in the subsequent request. Redirects can of course go to other hosts and thus -+those servers will get all the contents of your custom headers too. -+ -+Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers -+from being sent to other hosts than the first used one, unless specifically -+permitted with the \fICURLOPT_UNRESTRICTED_AUTH(3)\fP option. - .SH DEFAULT - NULL - .SH PROTOCOLS -diff --git a/lib/http.c b/lib/http.c -index b73e58c..c15208d 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -732,7 +732,7 @@ Curl_http_output_auth(struct connectdata *conn, - if(!data->state.this_is_a_follow || - conn->bits.netrc || - !data->state.first_host || -- data->set.http_disable_hostname_check_before_authentication || -+ data->set.allow_auth_to_other_hosts || - strcasecompare(data->state.first_host, conn->host.name)) { - result = output_auth_headers(conn, authhost, request, path, FALSE); - } -@@ -1651,6 +1651,14 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn, - checkprefix("Transfer-Encoding:", headers->data)) - /* HTTP/2 doesn't support chunked requests */ - ; -+ else if(checkprefix("Authorization:", headers->data) && -+ /* be careful of sending this potentially sensitive header to -+ other hosts */ -+ (data->state.this_is_a_follow && -+ data->state.first_host && -+ !data->set.allow_auth_to_other_hosts && -+ !strcasecompare(data->state.first_host, conn->host.name))) -+ ; - else { - CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n", - headers->data); -diff --git a/lib/url.c b/lib/url.c -index 71d4d8b..ba53131 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -1008,7 +1008,7 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, - * Send authentication (user+password) when following locations, even when - * hostname 
changed. - */ -- data->set.http_disable_hostname_check_before_authentication = -+ data->set.allow_auth_to_other_hosts = - (0 != va_arg(param, long)) ? TRUE : FALSE; - break; - -diff --git a/lib/urldata.h b/lib/urldata.h -index b4f18e7..1dd62ae 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -1757,7 +1757,7 @@ struct UserDefined { - bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */ - bool http_follow_location; /* follow HTTP redirects */ - bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */ -- bool http_disable_hostname_check_before_authentication; -+ bool allow_auth_to_other_hosts; - bool include_header; /* include received protocol headers in data output */ - bool http_set_referer; /* is a custom referer used */ - bool http_auto_referer; /* set "correct" referer when following location: */ -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index 6e2f402..870d0da 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -55,7 +55,7 @@ test280 test281 test282 test283 test284 test285 test286 test287 test288 \ - test289 test290 test291 test292 test293 test294 test295 test296 test297 \ - test298 test299 test300 test301 test302 test303 test304 test305 test306 \ - test307 test308 test309 test310 test311 test312 test313 \ -- test320 test321 test322 test323 test324 \ -+ test317 test318 test320 test321 test322 test323 test324 \ - test325 \ - test350 test351 test352 test353 test354 \ - \ -diff --git a/tests/data/test317 b/tests/data/test317 -new file mode 100644 -index 0000000..c6d8697 ---- /dev/null -+++ b/tests/data/test317 -@@ -0,0 +1,94 @@ -+ -+ -+ -+HTTP -+HTTP proxy -+HTTP Basic auth -+HTTP proxy Basic auth -+followlocation -+ -+ -+# -+# Server-side -+ -+ -+HTTP/1.1 302 OK -+Date: Thu, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake swsclose -+Content-Type: text/html -+Funny-head: yesyes -+Location: http://goto.second.host.now/3170002 -+Content-Length: 8 -+Connection: close -+ -+contents 
-+ -+ -+HTTP/1.1 200 OK -+Date: Thu, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake swsclose -+Content-Type: text/html -+Funny-head: yesyes -+Content-Length: 9 -+ -+contents -+ -+ -+ -+HTTP/1.1 302 OK -+Date: Thu, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake swsclose -+Content-Type: text/html -+Funny-head: yesyes -+Location: http://goto.second.host.now/3170002 -+Content-Length: 8 -+Connection: close -+ -+HTTP/1.1 200 OK -+Date: Thu, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake swsclose -+Content-Type: text/html -+Funny-head: yesyes -+Content-Length: 9 -+ -+contents -+ -+ -+ -+# -+# Client-side -+ -+ -+http -+ -+ -+HTTP with custom Authorization: and redirect to new host -+ -+ -+http://first.host.it.is/we/want/that/page/317 -x %HOSTIP:%HTTPPORT -H "Authorization: s3cr3t" --proxy-user testing:this --location -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+^User-Agent:.* -+ -+ -+GET http://first.host.it.is/we/want/that/page/317 HTTP/1.1 -+Host: first.host.it.is -+Proxy-Authorization: Basic dGVzdGluZzp0aGlz -+Accept: */* -+Proxy-Connection: Keep-Alive -+Authorization: s3cr3t -+ -+GET http://goto.second.host.now/3170002 HTTP/1.1 -+Host: goto.second.host.now -+Proxy-Authorization: Basic dGVzdGluZzp0aGlz -+Accept: */* -+Proxy-Connection: Keep-Alive -+ -+ -+ -+ -diff --git a/tests/data/test318 b/tests/data/test318 -new file mode 100644 -index 0000000..838d1ba ---- /dev/null -+++ b/tests/data/test318 -@@ -0,0 +1,95 @@ -+ -+ -+ -+HTTP -+HTTP proxy -+HTTP Basic auth -+HTTP proxy Basic auth -+followlocation -+ -+ -+# -+# Server-side -+ -+ -+HTTP/1.1 302 OK -+Date: Thu, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake swsclose -+Content-Type: text/html -+Funny-head: yesyes -+Location: http://goto.second.host.now/3180002 -+Content-Length: 8 -+Connection: close -+ -+contents -+ -+ -+HTTP/1.1 200 OK -+Date: Thu, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake swsclose -+Content-Type: text/html -+Funny-head: yesyes -+Content-Length: 9 
-+ -+contents -+ -+ -+ -+HTTP/1.1 302 OK -+Date: Thu, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake swsclose -+Content-Type: text/html -+Funny-head: yesyes -+Location: http://goto.second.host.now/3180002 -+Content-Length: 8 -+Connection: close -+ -+HTTP/1.1 200 OK -+Date: Thu, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake swsclose -+Content-Type: text/html -+Funny-head: yesyes -+Content-Length: 9 -+ -+contents -+ -+ -+ -+# -+# Client-side -+ -+ -+http -+ -+ -+HTTP with custom Authorization: and redirect to new host -+ -+ -+http://first.host.it.is/we/want/that/page/318 -x %HOSTIP:%HTTPPORT -H "Authorization: s3cr3t" --proxy-user testing:this --location-trusted -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+^User-Agent:.* -+ -+ -+GET http://first.host.it.is/we/want/that/page/318 HTTP/1.1 -+Host: first.host.it.is -+Proxy-Authorization: Basic dGVzdGluZzp0aGlz -+Accept: */* -+Proxy-Connection: Keep-Alive -+Authorization: s3cr3t -+ -+GET http://goto.second.host.now/3180002 HTTP/1.1 -+Host: goto.second.host.now -+Proxy-Authorization: Basic dGVzdGluZzp0aGlz -+Accept: */* -+Proxy-Connection: Keep-Alive -+Authorization: s3cr3t -+ -+ -+ -+ --- -2.13.6 - diff --git a/0010-curl-7.55.1-CVE-2018-1000005.patch b/0010-curl-7.55.1-CVE-2018-1000005.patch deleted file mode 100644 index 9b8bdf6..0000000 --- a/0010-curl-7.55.1-CVE-2018-1000005.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From cbe5cf0d95a0227739bd2126d5fa411d084e1af2 Mon Sep 17 00:00:00 2001 -From: Zhouyihai Ding -Date: Wed, 10 Jan 2018 10:12:18 -0800 -Subject: [PATCH] http2: fix incorrect trailer buffer size - -Prior to this change the stored byte count of each trailer was -miscalculated and 1 less than required. It appears any trailer -after the first that was passed to Curl_client_write would be truncated -or corrupted as well as the size. Potentially the size of some -subsequent trailer could be erroneously extracted from the contents of -that trailer, and since that size is used by client write an -out-of-bounds read could occur and cause a crash or be otherwise -processed by client write. - -The bug appears to have been born in 0761a51 (precedes 7.49.0). - -Closes https://github.com/curl/curl/pull/2231 - -Upstream-commit: fa3dbb9a147488a2943bda809c66fc497efe06cb -Signed-off-by: Kamil Dudka ---- - lib/http2.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/lib/http2.c b/lib/http2.c -index 0e55801..3d7610d 100644 ---- a/lib/http2.c -+++ b/lib/http2.c -@@ -926,8 +926,8 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame, - - if(stream->bodystarted) { - /* This is trailer fields. */ -- /* 3 is for ":" and "\r\n". */ -- uint32_t n = (uint32_t)(namelen + valuelen + 3); -+ /* 4 is for ": " and "\r\n". */ -+ uint32_t n = (uint32_t)(namelen + valuelen + 4); - - DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen, - value)); --- -2.13.6 - diff --git a/0016-curl-7.55.1-CVE-2018-1000122.patch b/0016-curl-7.55.1-CVE-2018-1000122.patch deleted file mode 100644 index 14ac23f..0000000 --- a/0016-curl-7.55.1-CVE-2018-1000122.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From fffbdcf516a527482095eac30baa27b78c2dbaa2 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 8 Mar 2018 10:33:16 +0100 -Subject: [PATCH] readwrite: make sure excess reads don't go beyond buffer end - -CVE-2018-1000122 -Bug: https://curl.haxx.se/docs/adv_2018-b047.html - -Detected by OSS-fuzz - -Upstream-commit: d52dc4760f6d9ca1937eefa2093058a952465128 -Signed-off-by: Kamil Dudka ---- - lib/transfer.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/lib/transfer.c b/lib/transfer.c -index 3537b58..bc3b39b 100644 ---- a/lib/transfer.c -+++ b/lib/transfer.c -@@ -788,10 +788,15 @@ static CURLcode readwrite_data(struct Curl_easy *data, - - } /* if(!header and data to read) */ - -- if(conn->handler->readwrite && -- (excess > 0 && !conn->bits.stream_was_rewound)) { -+ if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) { - /* Parse the excess data */ - k->str += nread; -+ -+ if(&k->str[excess] > &k->buf[data->set.buffer_size]) { -+ /* the excess amount was too excessive(!), make sure -+ it doesn't read out of buffer */ -+ excess = &k->buf[data->set.buffer_size] - k->str; -+ } - nread = (ssize_t)excess; - - result = conn->handler->readwrite(data, conn, &nread, &readmore); --- -2.14.3 - diff --git a/0017-curl-7.55.1-CVE-2018-1000121.patch b/0017-curl-7.55.1-CVE-2018-1000121.patch deleted file mode 100644 index aa84a7b..0000000 --- a/0017-curl-7.55.1-CVE-2018-1000121.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From 1d7bcc866591aba5788dc6c701ef8b564d09e329 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 6 Mar 2018 23:02:16 +0100 -Subject: [PATCH] openldap: check ldap_get_attribute_ber() results for NULL - before using - -CVE-2018-1000121 -Reported-by: Dario Weisser -Bug: https://curl.haxx.se/docs/adv_2018-97a2.html - -Upstream-commit: 9889db043393092e9d4b5a42720bba0b3d58deba -Signed-off-by: Kamil Dudka ---- - lib/openldap.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/lib/openldap.c b/lib/openldap.c -index 369309c..d71946d 100644 ---- a/lib/openldap.c -+++ b/lib/openldap.c -@@ -445,7 +445,7 @@ static ssize_t ldap_recv(struct connectdata *conn, int sockindex, char *buf, - - for(ent = ldap_first_message(li->ld, msg); ent; - ent = ldap_next_message(li->ld, ent)) { -- struct berval bv, *bvals, **bvp = &bvals; -+ struct berval bv, *bvals; - int binary = 0, msgtype; - CURLcode writeerr; - -@@ -507,9 +507,9 @@ static ssize_t ldap_recv(struct connectdata *conn, int sockindex, char *buf, - } - data->req.bytecount += bv.bv_len + 5; - -- for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp); -- rc == LDAP_SUCCESS; -- rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, bvp)) { -+ for(rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals); -+ (rc == LDAP_SUCCESS) && bvals; -+ rc = ldap_get_attribute_ber(li->ld, ent, ber, &bv, &bvals)) { - int i; - - if(bv.bv_val == NULL) break; --- -2.14.3 - diff --git a/0018-curl-7.55.1-CVE-2018-1000120.patch b/0018-curl-7.55.1-CVE-2018-1000120.patch deleted file mode 100644 index 3e55578..0000000 --- a/0018-curl-7.55.1-CVE-2018-1000120.patch +++ /dev/null 
@@ -1,302 +0,0 @@ -From 5452fdc5ae93f3571074c591fdf28cdf630796a0 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 12 Sep 2017 09:29:01 +0200 -Subject: [PATCH 1/2] FTP: URL decode path for dir listing in nocwd mode - -Reported-by: Zenju on github - -Test 244 added to verify -Fixes #1974 -Closes #1976 - -Upstream-commit: ecf21c551fa3426579463abe34b623111b8d487c -Signed-off-by: Kamil Dudka ---- - lib/ftp.c | 29 ++++++++++++-------------- - tests/data/Makefile.inc | 2 +- - tests/data/test244 | 54 +++++++++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 68 insertions(+), 17 deletions(-) - create mode 100644 tests/data/test244 - -diff --git a/lib/ftp.c b/lib/ftp.c -index bcba6bb..fb3a716 100644 ---- a/lib/ftp.c -+++ b/lib/ftp.c -@@ -975,7 +975,7 @@ static CURLcode ftp_state_use_port(struct connectdata *conn, - char *port_start = NULL; - char *port_sep = NULL; - -- addr = calloc(addrlen+1, 1); -+ addr = calloc(addrlen + 1, 1); - if(!addr) - return CURLE_OUT_OF_MEMORY; - -@@ -1018,7 +1018,7 @@ static CURLcode ftp_state_use_port(struct connectdata *conn, - if(ip_end != NULL) { - port_start = strchr(ip_end, ':'); - if(port_start) { -- port_min = curlx_ultous(strtoul(port_start+1, NULL, 10)); -+ port_min = curlx_ultous(strtoul(port_start + 1, NULL, 10)); - port_sep = strchr(port_start, '-'); - if(port_sep) { - port_max = curlx_ultous(strtoul(port_sep + 1, NULL, 10)); -@@ -1457,25 +1457,22 @@ static CURLcode ftp_state_list(struct connectdata *conn) - then just do LIST (in that case: nothing to do here) - */ - char *cmd, *lstArg, *slashPos; -+ const char *inpath = data->state.path; - - lstArg = NULL; - if((data->set.ftp_filemethod == FTPFILE_NOCWD) && -- data->state.path && -- data->state.path[0] && -- strchr(data->state.path, '/')) { -- -- lstArg = strdup(data->state.path); -- if(!lstArg) -- return CURLE_OUT_OF_MEMORY; -+ inpath && inpath[0] && strchr(inpath, '/')) { -+ size_t n = strlen(inpath); - - /* Check if path does not end with /, as then we cut 
off the file part */ -- if(lstArg[strlen(lstArg) - 1] != '/') { -- -+ if(inpath[n - 1] != '/') { - /* chop off the file part if format is dir/dir/file */ -- slashPos = strrchr(lstArg, '/'); -- if(slashPos) -- *(slashPos+1) = '\0'; -+ slashPos = strrchr(inpath, '/'); -+ n = slashPos - inpath; - } -+ result = Curl_urldecode(data, inpath, n, &lstArg, NULL, FALSE); -+ if(result) -+ return result; - } - - cmd = aprintf("%s%s%s", -@@ -3497,7 +3494,7 @@ static CURLcode ftp_range(struct connectdata *conn) - } - else { - /* X-Y */ -- data->req.maxdownload = (to-from)+1; /* include last byte */ -+ data->req.maxdownload = (to - from) + 1; /* include last byte */ - data->state.resume_from = from; - DEBUGF(infof(conn->data, "FTP RANGE from %" CURL_FORMAT_CURL_OFF_T - " getting %" CURL_FORMAT_CURL_OFF_T " bytes\n", -@@ -4196,7 +4193,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) - return result; - } - ftpc->dirdepth = 1; /* we consider it to be a single dir */ -- filename = slash_pos ? slash_pos+1 : cur_pos; /* rest is file name */ -+ filename = slash_pos ? 
slash_pos + 1 : cur_pos; /* rest is file name */ - } - else - filename = cur_pos; /* this is a file name only */ -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index 870d0da..d95101b 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -47,7 +47,7 @@ test208 test209 test210 test211 test212 test213 test214 test215 test216 \ - test217 test218 test219 test220 test221 test222 test223 test224 test225 \ - test226 test227 test228 test229 test231 test233 test234 \ - test235 test236 test237 test238 test239 test240 test241 test242 test243 \ -- test245 test246 test247 test248 test249 test250 test251 test252 \ -+test244 test245 test246 test247 test248 test249 test250 test251 test252 \ - test253 test254 test255 test256 test257 test258 test259 test260 test261 \ - test262 test263 test264 test265 test266 test267 test268 test269 test270 \ - test271 test272 test273 test274 test275 test276 test277 test278 test279 \ -diff --git a/tests/data/test244 b/tests/data/test244 -new file mode 100644 -index 0000000..8ce4b63 ---- /dev/null -+++ b/tests/data/test244 -@@ -0,0 +1,54 @@ -+ -+ -+ -+FTP -+PASV -+CWD -+--ftp-method -+nocwd -+ -+ -+# -+# Server-side -+ -+ -+total 20 -+drwxr-xr-x 8 98 98 512 Oct 22 13:06 . -+drwxr-xr-x 8 98 98 512 Oct 22 13:06 .. 
-+drwxr-xr-x 2 98 98 512 May 2 1996 .NeXT -+-r--r--r-- 1 0 1 35 Jul 16 1996 README -+lrwxrwxrwx 1 0 1 7 Dec 9 1999 bin -> usr/bin -+dr-xr-xr-x 2 0 1 512 Oct 1 1997 dev -+drwxrwxrwx 2 98 98 512 May 29 16:04 download.html -+dr-xr-xr-x 2 0 1 512 Nov 30 1995 etc -+drwxrwxrwx 2 98 1 512 Oct 30 14:33 pub -+dr-xr-xr-x 5 0 1 512 Oct 1 1997 usr -+ -+ -+ -+# Client-side -+ -+ -+ftp -+ -+ -+FTP dir listing with nocwd and URL encoded path -+ -+ -+--ftp-method nocwd ftp://%HOSTIP:%FTPPORT/fir%23t/th%69rd/244/ -+ -+ -+ -+# Verify data after the test has been "shot" -+ -+ -+USER anonymous -+PASS ftp@example.com -+PWD -+EPSV -+TYPE A -+LIST fir#t/third/244/ -+QUIT -+ -+ -+ --- -2.14.3 - - -From 9534442aae1da4e6cf2ce815e47dbcd82695c3d4 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Wed, 31 Jan 2018 08:40:11 +0100 -Subject: [PATCH 2/2] FTP: reject path components with control codes - -Refuse to operate when given path components featuring byte values lower -than 32. - -Previously, inserting a %00 sequence early in the directory part when -using the 'singlecwd' ftp method could make curl write a zero byte -outside of the allocated buffer. - -Test case 340 verifies. 
- -CVE-2018-1000120 -Reported-by: Duy Phan Thanh -Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html - -Upstream-commit: 535432c0adb62fe167ec09621500470b6fa4eb0f -Signed-off-by: Kamil Dudka ---- - lib/ftp.c | 8 ++++---- - tests/data/Makefile.inc | 3 +++ - tests/data/test340 | 40 ++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 47 insertions(+), 4 deletions(-) - create mode 100644 tests/data/test340 - -diff --git a/lib/ftp.c b/lib/ftp.c -index fb3a716..268efdd 100644 ---- a/lib/ftp.c -+++ b/lib/ftp.c -@@ -1470,7 +1470,7 @@ static CURLcode ftp_state_list(struct connectdata *conn) - slashPos = strrchr(inpath, '/'); - n = slashPos - inpath; - } -- result = Curl_urldecode(data, inpath, n, &lstArg, NULL, FALSE); -+ result = Curl_urldecode(data, inpath, n, &lstArg, NULL, TRUE); - if(result) - return result; - } -@@ -3183,7 +3183,7 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status, - - if(!result) - /* get the "raw" path */ -- result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE); -+ result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE); - if(result) { - /* We can limp along anyway (and should try to since we may already be in - * the error path) */ -@@ -4187,7 +4187,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) - result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/", - slash_pos ? 
dirlen : 1, - &ftpc->dirs[0], NULL, -- FALSE); -+ TRUE); - if(result) { - freedirs(ftpc); - return result; -@@ -4294,7 +4294,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) - size_t dlen; - char *path; - CURLcode result = -- Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE); -+ Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE); - if(result) { - freedirs(ftpc); - return result; -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index d95101b..af41634 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -57,6 +57,9 @@ test298 test299 test300 test301 test302 test303 test304 test305 test306 \ - test307 test308 test309 test310 test311 test312 test313 \ - test317 test318 test320 test321 test322 test323 test324 \ - test325 \ -+\ -+test340 \ -+\ - test350 test351 test352 test353 test354 \ - \ - test400 test401 test402 test403 test404 test405 test406 test407 test408 \ -diff --git a/tests/data/test340 b/tests/data/test340 -new file mode 100644 -index 0000000..d834d76 ---- /dev/null -+++ b/tests/data/test340 -@@ -0,0 +1,40 @@ -+ -+ -+ -+FTP -+PASV -+CWD -+--ftp-method -+singlecwd -+ -+ -+# -+# Server-side -+ -+ -+ -+# Client-side -+ -+ -+ftp -+ -+ -+FTP using %00 in path with singlecwd -+ -+ -+--ftp-method singlecwd ftp://%HOSTIP:%FTPPORT/%00first/second/third/340 -+ -+ -+ -+# Verify data after the test has been "shot" -+ -+ -+USER anonymous -+PASS ftp@example.com -+PWD -+ -+ -+3 -+ -+ -+ --- -2.14.3 - diff --git a/0019-curl-7.55.1-CVE-2018-1000301.patch b/0019-curl-7.55.1-CVE-2018-1000301.patch deleted file mode 100644 index f72401b..0000000 --- a/0019-curl-7.55.1-CVE-2018-1000301.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 5815730864a2010872840bae24797983e892eb90 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Sat, 24 Mar 2018 23:47:41 +0100 -Subject: [PATCH 1/2] http: restore buffer pointer when bad response-line is - parsed - -... leaving the k->str could lead to buffer over-reads later on. - -CVE: CVE-2018-1000301 -Assisted-by: Max Dymond - -Detected by OSS-Fuzz. -Bug: https://curl.haxx.se/docs/adv_2018-b138.html -Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105 - -Upstream-commit: 8c7b3737d29ed5c0575bf592063de8a51450812d -Signed-off-by: Kamil Dudka ---- - lib/http.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/lib/http.c b/lib/http.c -index 841f6cc..dc10f5f 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -2944,6 +2944,8 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, - { - CURLcode result; - struct SingleRequest *k = &data->req; -+ ssize_t onread = *nread; -+ char *ostr = k->str; - - /* header line within buffer loop */ - do { -@@ -3008,7 +3010,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, - else { - /* this was all we read so it's all a bad header */ - k->badheader = HEADER_ALLBAD; -- *nread = (ssize_t)rest_length; -+ *nread = onread; -+ k->str = ostr; -+ return CURLE_OK; - } - break; - } --- -2.14.3 - diff --git a/0020-curl-7.55.1-CVE-2018-1000300.patch b/0020-curl-7.55.1-CVE-2018-1000300.patch deleted file mode 100644 index 0dc80c5..0000000 --- a/0020-curl-7.55.1-CVE-2018-1000300.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 9b757a9a431f6859807d9f6e697cc2d2a120098d Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Fri, 23 Mar 2018 23:30:04 +0100 -Subject: [PATCH 2/2] pingpong: fix response cache memcpy overflow - -Response data for a handle with a large buffer might be cached and then -used with the "closure" handle when it has a smaller buffer and then the -larger cache will be copied and overflow the new smaller heap based -buffer. - -Reported-by: Dario Weisser -CVE: CVE-2018-1000300 -Bug: https://curl.haxx.se/docs/adv_2018-82c2.html - -Upstream-commit: 583b42cb3b809b1bf597af160468ccba728c2248 -Signed-off-by: Kamil Dudka ---- - lib/pingpong.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/lib/pingpong.c b/lib/pingpong.c -index 438856a..ad370ee 100644 ---- a/lib/pingpong.c -+++ b/lib/pingpong.c -@@ -297,7 +297,10 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd, - * it would have been populated with something of size int to begin - * with, even though its datatype may be larger than an int. - */ -- DEBUGASSERT((ptr+pp->cache_size) <= (buf+data->set.buffer_size+1)); -+ if((ptr + pp->cache_size) > (buf + data->set.buffer_size + 1)) { -+ failf(data, "cached response data too big to handle"); -+ return CURLE_RECV_ERROR; -+ } - memcpy(ptr, pp->cache, pp->cache_size); - gotbytes = (ssize_t)pp->cache_size; - free(pp->cache); /* free the cache */ --- -2.14.3 - diff --git a/0021-curl-7.55.1-pkcs11.patch b/0021-curl-7.55.1-pkcs11.patch deleted file mode 100644 index 1e00b6d..0000000 --- a/0021-curl-7.55.1-pkcs11.patch +++ /dev/null 
@@ -1,225 +0,0 @@ -From 1b9c12b59b582d5366d9a11198631be54c94e440 Mon Sep 17 00:00:00 2001 -From: Anderson Toshiyuki Sasaki -Date: Mon, 19 Feb 2018 14:31:06 +0100 -Subject: [PATCH] ssl: set engine implicitly when a PKCS#11 URI is provided - -This allows the use of PKCS#11 URI for certificates and keys without -setting the corresponding type as "ENG" and the engine as "pkcs11" -explicitly. If a PKCS#11 URI is provided for certificate, key, -proxy_certificate or proxy_key, the corresponding type is set as "ENG" -if not provided and the engine is set to "pkcs11" if not provided. - -Acked-by: Nikos Mavrogiannopoulos -Closes #2333 - -Upstream-commit: 298d2565e2a2f06a859b7f5a1cc24ba7c87a8ce2 -Signed-off-by: Kamil Dudka ---- - docs/cmdline-opts/cert.d | 7 ++++++ - docs/cmdline-opts/key.d | 7 ++++++ - lib/vtls/openssl.c | 38 ++++++++++++++++++++++++++++ - src/tool_getparam.c | 2 +- - src/tool_operate.c | 53 ++++++++++++++++++++++++++++++++++++++++ - tests/unit/unit1394.c | 3 +++ - 6 files changed, 109 insertions(+), 1 deletion(-) - -diff --git a/docs/cmdline-opts/cert.d b/docs/cmdline-opts/cert.d -index 0cd5d53..ae6fe2f 100644 ---- a/docs/cmdline-opts/cert.d -+++ b/docs/cmdline-opts/cert.d -@@ -23,6 +23,13 @@ nickname contains ":", it needs to be preceded by "\\" so that it is not - recognized as password delimiter. If the nickname contains "\\", it needs to - be escaped as "\\\\" so that it is not recognized as an escape character. - -+If curl is built against OpenSSL library, and the engine pkcs11 is available, -+then a PKCS#11 URI (RFC 7512) can be used to specify a certificate located in -+a PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a -+PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set -+as "pkcs11" if none was provided and the --cert-type option will be set as -+"ENG" if none was provided. 
-+ - (iOS and macOS only) If curl is built against Secure Transport, then the - certificate string can either be the name of a certificate/private key in the - system or user keychain, or the path to a PKCS#12-encoded certificate and -diff --git a/docs/cmdline-opts/key.d b/docs/cmdline-opts/key.d -index fbf583a..4877b42 100644 ---- a/docs/cmdline-opts/key.d -+++ b/docs/cmdline-opts/key.d -@@ -7,4 +7,11 @@ Private key file name. Allows you to provide your private key in this separate - file. For SSH, if not specified, curl tries the following candidates in order: - '~/.ssh/id_rsa', '~/.ssh/id_dsa', './id_rsa', './id_dsa'. - -+If curl is built against OpenSSL library, and the engine pkcs11 is available, -+then a PKCS#11 URI (RFC 7512) can be used to specify a private key located in a -+PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a -+PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set -+as "pkcs11" if none was provided and the --key-type option will be set as -+"ENG" if none was provided. -+ - If this option is used several times, the last one will be used. 
-diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c -index 8c1d5a8..82c3c86 100644 ---- a/lib/vtls/openssl.c -+++ b/lib/vtls/openssl.c -@@ -380,8 +380,25 @@ static int ssl_ui_writer(UI *ui, UI_STRING *uis) - } - return (UI_method_get_writer(UI_OpenSSL()))(ui, uis); - } -+ -+/* -+ * Check if a given string is a PKCS#11 URI -+ */ -+static bool is_pkcs11_uri(const char *string) -+{ -+ if(strncasecompare(string, "pkcs11:", 7)) { -+ return TRUE; -+ } -+ else { -+ return FALSE; -+ } -+} -+ - #endif - -+CURLcode Curl_ossl_set_engine(struct Curl_easy *data, -+ const char *engine); -+ - static - int cert_stuff(struct connectdata *conn, - SSL_CTX* ctx, -@@ -443,6 +460,16 @@ int cert_stuff(struct connectdata *conn, - case SSL_FILETYPE_ENGINE: - #if defined(HAVE_OPENSSL_ENGINE_H) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME) - { -+ /* Implicitly use pkcs11 engine if none was provided and the -+ * cert_file is a PKCS#11 URI */ -+ if(!data->state.engine) { -+ if(is_pkcs11_uri(cert_file)) { -+ if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) { -+ return 0; -+ } -+ } -+ } -+ - if(data->state.engine) { - const char *cmd_name = "LOAD_CERT_CTRL"; - struct { -@@ -614,6 +641,17 @@ int cert_stuff(struct connectdata *conn, - #ifdef HAVE_OPENSSL_ENGINE_H - { /* XXXX still needs some work */ - EVP_PKEY *priv_key = NULL; -+ -+ /* Implicitly use pkcs11 engine if none was provided and the -+ * key_file is a PKCS#11 URI */ -+ if(!data->state.engine) { -+ if(is_pkcs11_uri(key_file)) { -+ if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) { -+ return 0; -+ } -+ } -+ } -+ - if(data->state.engine) { - UI_METHOD *ui_method = - UI_create_method((char *)"curl user interface"); -diff --git a/src/tool_getparam.c b/src/tool_getparam.c -index b7ee519..7399757 100644 ---- a/src/tool_getparam.c -+++ b/src/tool_getparam.c -@@ -333,7 +333,7 @@ void parse_cert_parameter(const char *cert_parameter, - * looks like a RFC7512 PKCS#11 URI which can be used as-is. 
- * Also if cert_parameter contains no colon nor backslash, this - * means no passphrase was given and no characters escaped */ -- if(!strncmp(cert_parameter, "pkcs11:", 7) || -+ if(curl_strnequal(cert_parameter, "pkcs11:", 7) || - !strpbrk(cert_parameter, ":\\")) { - *certname = strdup(cert_parameter); - return; -diff --git a/src/tool_operate.c b/src/tool_operate.c -index 1e8d007..f041427 100644 ---- a/src/tool_operate.c -+++ b/src/tool_operate.c -@@ -127,6 +127,19 @@ static bool is_fatal_error(CURLcode code) - return FALSE; - } - -+/* -+ * Check if a given string is a PKCS#11 URI -+ */ -+static bool is_pkcs11_uri(const char *string) -+{ -+ if(curl_strnequal(string, "pkcs11:", 7)) { -+ return TRUE; -+ } -+ else { -+ return FALSE; -+ } -+} -+ - #ifdef __VMS - /* - * get_vms_file_size does what it takes to get the real size of the file -@@ -1136,6 +1149,46 @@ static CURLcode operate_do(struct GlobalConfig *global, - my_setopt_str(curl, CURLOPT_PINNEDPUBLICKEY, config->pinnedpubkey); - - if(curlinfo->features & CURL_VERSION_SSL) { -+ /* Check if config->cert is a PKCS#11 URI and set the -+ * config->cert_type if necessary */ -+ if(config->cert) { -+ if(!config->cert_type) { -+ if(is_pkcs11_uri(config->cert)) { -+ config->cert_type = strdup("ENG"); -+ } -+ } -+ } -+ -+ /* Check if config->key is a PKCS#11 URI and set the -+ * config->key_type if necessary */ -+ if(config->key) { -+ if(!config->key_type) { -+ if(is_pkcs11_uri(config->key)) { -+ config->key_type = strdup("ENG"); -+ } -+ } -+ } -+ -+ /* Check if config->proxy_cert is a PKCS#11 URI and set the -+ * config->proxy_type if necessary */ -+ if(config->proxy_cert) { -+ if(!config->proxy_cert_type) { -+ if(is_pkcs11_uri(config->proxy_cert)) { -+ config->proxy_cert_type = strdup("ENG"); -+ } -+ } -+ } -+ -+ /* Check if config->proxy_key is a PKCS#11 URI and set the -+ * config->proxy_key_type if necessary */ -+ if(config->proxy_key) { -+ if(!config->proxy_key_type) { -+ if(is_pkcs11_uri(config->proxy_key)) { -+ 
config->proxy_key_type = strdup("ENG"); -+ } -+ } -+ } -+ - my_setopt_str(curl, CURLOPT_SSLCERT, config->cert); - my_setopt_str(curl, CURLOPT_PROXY_SSLCERT, config->proxy_cert); - my_setopt_str(curl, CURLOPT_SSLCERTTYPE, config->cert_type); -diff --git a/tests/unit/unit1394.c b/tests/unit/unit1394.c -index 667991d..010f052 100644 ---- a/tests/unit/unit1394.c -+++ b/tests/unit/unit1394.c -@@ -56,6 +56,9 @@ UNITTEST_START - "foo:bar\\\\", "foo", "bar\\\\", - "foo:bar:", "foo", "bar:", - "foo\\::bar\\:", "foo:", "bar\\:", -+ "pkcs11:foobar", "pkcs11:foobar", NULL, -+ "PKCS11:foobar", "PKCS11:foobar", NULL, -+ "PkCs11:foobar", "PkCs11:foobar", NULL, - #ifdef WIN32 - "c:\\foo:bar:baz", "c:\\foo", "bar:baz", - "c:\\foo\\:bar:baz", "c:\\foo:bar", "baz", --- -2.17.1 - diff --git a/0022-curl-7.55.1-CVE-2018-14618.patch b/0022-curl-7.55.1-CVE-2018-14618.patch deleted file mode 100644 index 6e4907e..0000000 --- a/0022-curl-7.55.1-CVE-2018-14618.patch +++ /dev/null 
@@ -1,144 +0,0 @@ -From bde648303aea273a688e65a1caafdd94b7b0123e Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Sat, 4 Nov 2017 16:42:21 +0100 -Subject: [PATCH 1/3] ntlm: avoid malloc(0) for zero length passwords - -It triggers an assert() when built with memdebug since malloc(0) may -return NULL *or* a valid pointer. - -Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4054 - -Assisted-by: Max Dymond -Closes #2054 - -Upstream-commit: 685ef130575cdcf63fe9547757d88a49a40ef281 -Signed-off-by: Kamil Dudka ---- - lib/curl_ntlm_core.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c -index eb44f97..1c7b7b0 100644 ---- a/lib/curl_ntlm_core.c -+++ b/lib/curl_ntlm_core.c -@@ -538,7 +538,7 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data, - unsigned char *ntbuffer /* 21 bytes */) - { - size_t len = strlen(password); -- unsigned char *pw = malloc(len * 2); -+ unsigned char *pw = len ? malloc(len * 2) : strdup(""); - CURLcode result; - if(!pw) - return CURLE_OUT_OF_MEMORY; --- -2.17.1 - - -From 2a23557fe8ab3316c5f961f79e50a03ab54cb07f Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 27 Nov 2017 10:40:31 +0100 -Subject: [PATCH 2/3] curl_ntlm_core.c: use the limits.h's SIZE_T_MAX if - provided - -Upstream-commit: 014887c50ab58bf35b1231dbfe11197fe41d59cc -Signed-off-by: Kamil Dudka ---- - lib/curl_ntlm_core.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c -index 1c7b7b0..9fc3e8d 100644 ---- a/lib/curl_ntlm_core.c -+++ b/lib/curl_ntlm_core.c -@@ -622,11 +622,14 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen, - return CURLE_OK; - } - -+#ifndef SIZE_T_MAX -+/* some limits.h headers have this defined, some don't */ - #if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) - #define SIZE_T_MAX 18446744073709551615U - #else - #define SIZE_T_MAX 4294967295U - #endif -+#endif - - /* This 
creates the NTLMv2 hash by using NTLM hash as the key and Unicode - * (uppercase UserName + Domain) as the data --- -2.17.1 - - -From 405a7e855f1dfcc03d01e441cc53db1980c4454d Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 13 Aug 2018 10:35:52 +0200 -Subject: [PATCH 3/3] Curl_ntlm_core_mk_nt_hash: return error on too long - password - -... since it would cause an integer overflow if longer than (max size_t -/ 2). - -This is CVE-2018-14618 - -Bug: https://curl.haxx.se/docs/CVE-2018-14618.html -Closes #2756 -Reported-by: Zhaoyang Wu - -Upstream-commit: 57d299a499155d4b327e341c6024e293b0418243 -Signed-off-by: Kamil Dudka ---- - lib/curl_ntlm_core.c | 23 +++++++++++++---------- - 1 file changed, 13 insertions(+), 10 deletions(-) - -diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c -index 9fc3e8d..34d8b67 100644 ---- a/lib/curl_ntlm_core.c -+++ b/lib/curl_ntlm_core.c -@@ -124,6 +124,15 @@ - #define NTLMv2_BLOB_SIGNATURE "\x01\x01\x00\x00" - #define NTLMv2_BLOB_LEN (44 -16 + ntlm->target_info_len + 4) - -+#ifndef SIZE_T_MAX -+/* some limits.h headers have this defined, some don't */ -+#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) -+#define SIZE_T_MAX 18446744073709551615U -+#else -+#define SIZE_T_MAX 4294967295U -+#endif -+#endif -+ - /* - * Turns a 56-bit key into being 64-bit wide. - */ -@@ -538,8 +547,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data, - unsigned char *ntbuffer /* 21 bytes */) - { - size_t len = strlen(password); -- unsigned char *pw = len ? malloc(len * 2) : strdup(""); -+ unsigned char *pw; - CURLcode result; -+ if(len > SIZE_T_MAX/2) /* avoid integer overflow */ -+ return CURLE_OUT_OF_MEMORY; -+ pw = len ? 
malloc(len * 2) : strdup(""); - if(!pw) - return CURLE_OUT_OF_MEMORY; - -@@ -622,15 +634,6 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen, - return CURLE_OK; - } - --#ifndef SIZE_T_MAX --/* some limits.h headers have this defined, some don't */ --#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) --#define SIZE_T_MAX 18446744073709551615U --#else --#define SIZE_T_MAX 4294967295U --#endif --#endif -- - /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode - * (uppercase UserName + Domain) as the data - */ --- -2.17.1 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index dc23308..f7f66e6 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,86 +1,92 @@ -From 2a4754a3a7cf60ecc36d83cbe50b8c337cb87632 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Fri, 12 Apr 2013 12:04:05 +0200 +From 6bb4e674cdc953f5c0048aa84172539900725166 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Tue, 16 Dec 2025 10:04:40 +0100 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- - curl-config.in | 21 +++------------------ - docs/curl-config.1 | 4 +++- - libcurl.pc.in | 1 + - 3 files changed, 7 insertions(+), 19 deletions(-) + curl-config.in | 23 +++++------------------ + docs/curl-config.md | 4 +++- + libcurl.pc.in | 1 + + 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 150004d..95d0759 100644 +index a1c8185875..bb43ca8335 100644 --- a/curl-config.in 
+++ b/curl-config.in -@@ -75,7 +75,7 @@ while test $# -gt 0; do - ;; +@@ -74,7 +74,7 @@ while test "$#" -gt 0; do + ;; - --cc) -- echo "@CC@" -+ echo "gcc" - ;; + --cc) +- echo '@CC@' ++ echo 'gcc' + ;; - --prefix) -@@ -142,29 +142,14 @@ while test $# -gt 0; do - ;; + --prefix) +@@ -149,16 +149,7 @@ while test "$#" -gt 0; do + ;; - --libs) -- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then -- CURLLIBDIR="-L@libdir@ " -- else -- CURLLIBDIR="" -- fi -- if test "X@REQUIRE_LIB_DEPS@" = "Xyes"; then -- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@ -- else -- echo ${CURLLIBDIR}-lcurl -- fi -+ echo -lcurl - ;; + --libs) +- if test "@libdir@" != '/usr/lib' && test "@libdir@" != '/usr/lib64'; then +- curllibdir="-L@libdir@ " +- else +- curllibdir='' +- fi +- if test '@ENABLE_SHARED@' = 'no'; then +- echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" +- else +- echo "${curllibdir}-lcurl" +- fi ++ echo '-lcurl' + ;; - --static-libs) -- if test "X@ENABLE_STATIC@" != "Xno" ; then -- echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@ -- else -- echo "curl was built with static libraries disabled" >&2 -- exit 1 -- fi - ;; + --ssl-backends) +@@ -166,16 +157,12 @@ while test "$#" -gt 0; do + ;; - --configure) -- echo @CONFIGURE_OPTIONS@ -+ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' - ;; + --static-libs) +- if test '@ENABLE_STATIC@' != 'no'; then +- echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@" +- else +- echo 'curl was built with static libraries disabled' >&2 +- exit 1 +- fi ++ echo 'curl was built with static libraries disabled' >&2 ++ exit 1 + ;; - *) -diff --git a/docs/curl-config.1 b/docs/curl-config.1 -index 14a9d2b..ffcc004 100644 ---- a/docs/curl-config.1 -+++ b/docs/curl-config.1 -@@ -66,7 +66,9 @@ be listed using uppercase and are separated by newlines. There may be none, - one, or several protocols in the list. 
(Added in 7.13.0) - .IP "--static-libs" - Shows the complete set of libs and other linker options you will need in order --to link your application with libcurl statically. (Added in 7.17.1) -+to link your application with libcurl statically. Note that Fedora/RHEL libcurl + --configure) +- echo @CONFIGURE_OPTIONS@ ++ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' + ;; + + *) +diff --git a/docs/curl-config.md b/docs/curl-config.md +index 12ad245b79..fa0e03d273 100644 +--- a/docs/curl-config.md ++++ b/docs/curl-config.md +@@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. + ## `--static-libs` + + Shows the complete set of libs and other linker options you need in order to +-link your application with libcurl statically. (Added in 7.17.1) ++link your application with libcurl statically. Note that Fedora/RHEL libcurl +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) - .IP "--version" - Outputs version information about the installed libcurl. - .IP "--vernum" + + ## `--version` + diff --git a/libcurl.pc.in b/libcurl.pc.in -index 2ba9c39..f8f8b00 100644 +index c0ba5244a8..f3645e1748 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in -@@ -29,6 +29,7 @@ libdir=@libdir@ +@@ -28,6 +28,7 @@ libdir=@libdir@ includedir=@includedir@ supported_protocols="@SUPPORT_PROTOCOLS@" supported_features="@SUPPORT_FEATURES@" +configure_options=@CONFIGURE_OPTIONS@ Name: libcurl - URL: https://curl.haxx.se/ + URL: https://curl.se/ -- -2.5.0 +2.52.0 diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch deleted file mode 100644 index c26a03a..0000000 --- a/0102-curl-7.36.0-debug.patch +++ /dev/null 
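Review bot: In the `--configure)` branch of curl-config.in, the `pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//'` pipeline returns sed's exit status, so a missing pkg-config or libcurl.pc makes `curl-config --configure` print nothing and still exit 0. The result also depends on the caller's PATH and PKG_CONFIG_PATH, so it may describe a different libcurl than the one this script was installed with. Capturing the output first would surface the failure, e.g. `opts=$(pkg-config libcurl --variable=configure_options) || exit 1` followed by `echo "$opts" | sed 's/^"//;s/"$//'`. The `--static-libs` branch in the same hunk already uses `exit 1` for its error path, so this keeps the script consistent.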
@@ -1,65 +0,0 @@ -From 6710648c2b270c9ce68a7d9f1bba1222c7be8b58 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 31 Oct 2012 11:38:30 +0100 -Subject: [PATCH] prevent configure script from discarding -g in CFLAGS (#496778) - ---- - configure | 13 +++---------- - m4/curl-compilers.m4 | 13 +++---------- - 2 files changed, 6 insertions(+), 20 deletions(-) - -diff --git a/configure b/configure -index 8f079a3..53b4774 100755 ---- a/configure -+++ b/configure -@@ -17079,18 +17079,11 @@ $as_echo "yes" >&6; } - gccvhi=`echo $gccver | cut -d . -f1` - gccvlo=`echo $gccver | cut -d . -f2` - compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` -- flags_dbg_all="-g -g0 -g1 -g2 -g3" -- flags_dbg_all="$flags_dbg_all -ggdb" -- flags_dbg_all="$flags_dbg_all -gstabs" -- flags_dbg_all="$flags_dbg_all -gstabs+" -- flags_dbg_all="$flags_dbg_all -gcoff" -- flags_dbg_all="$flags_dbg_all -gxcoff" -- flags_dbg_all="$flags_dbg_all -gdwarf-2" -- flags_dbg_all="$flags_dbg_all -gvms" -+ flags_dbg_all="" - flags_dbg_yes="-g" - flags_dbg_off="" -- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast" -- flags_opt_yes="-O2" -+ flags_opt_all="" -+ flags_opt_yes="" - flags_opt_off="-O0" - - OLDCPPFLAGS=$CPPFLAGS -diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4 -index 0cbba7a..9175b5b 100644 ---- a/m4/curl-compilers.m4 -+++ b/m4/curl-compilers.m4 -@@ -157,18 +157,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [ - gccvhi=`echo $gccver | cut -d . -f1` - gccvlo=`echo $gccver | cut -d . 
-f2` - compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` -- flags_dbg_all="-g -g0 -g1 -g2 -g3" -- flags_dbg_all="$flags_dbg_all -ggdb" -- flags_dbg_all="$flags_dbg_all -gstabs" -- flags_dbg_all="$flags_dbg_all -gstabs+" -- flags_dbg_all="$flags_dbg_all -gcoff" -- flags_dbg_all="$flags_dbg_all -gxcoff" -- flags_dbg_all="$flags_dbg_all -gdwarf-2" -- flags_dbg_all="$flags_dbg_all -gvms" -+ flags_dbg_all="" - flags_dbg_yes="-g" - flags_dbg_off="" -- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast" -- flags_opt_yes="-O2" -+ flags_opt_all="" -+ flags_opt_yes="" - flags_opt_off="-O0" - CURL_CHECK_DEF([_WIN32], [], [silent]) - else --- -1.7.1 - diff --git a/0103-curl-7.55.1-system-crypto-policy.patch b/0103-curl-7.55.1-system-crypto-policy.patch deleted file mode 100644 index 8dd670b..0000000 --- a/0103-curl-7.55.1-system-crypto-policy.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 7271547cb46a4dc28004febaea19e5edaa2250d2 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Tue, 22 Aug 2017 17:02:26 +0200 -Subject: [PATCH] openssl: utilize system wide crypto policies - -... unless explicitly overridden via libcurl API ---- - lib/vtls/openssl.h | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/lib/vtls/openssl.h b/lib/vtls/openssl.h -index b9648d5..48036e1 100644 ---- a/lib/vtls/openssl.h -+++ b/lib/vtls/openssl.h -@@ -119,8 +119,7 @@ bool Curl_ossl_cert_status_request(void); - #endif - #define curlssl_cert_status_request() Curl_ossl_cert_status_request() - --#define DEFAULT_CIPHER_SELECTION \ -- "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH" -+#define DEFAULT_CIPHER_SELECTION "PROFILE=SYSTEM" - - #endif /* USE_OPENSSL */ - #endif /* HEADER_CURL_SSLUSE_H */ --- -2.9.5 - diff --git a/0104-curl-7.19.7-localhost6.patch b/0104-curl-7.19.7-localhost6.patch deleted file mode 100644 index 4f664d3..0000000 --- a/0104-curl-7.19.7-localhost6.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -diff --git a/tests/data/test1083 b/tests/data/test1083 -index e441278..b0958b6 100644 ---- a/tests/data/test1083 -+++ b/tests/data/test1083 -@@ -33,13 +33,13 @@ ipv6 - http-ipv6 - - --HTTP-IPv6 GET with ip6-localhost --interface -+HTTP-IPv6 GET with localhost6 --interface - - ---g "http://%HOST6IP:%HTTP6PORT/1083" --interface ip6-localhost -+-g "http://%HOST6IP:%HTTP6PORT/1083" --interface localhost6 - - --perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test server host address';} else {exec './server/resolve --ipv6 ip6-localhost'; print 'Cannot run precheck resolve';}" -+perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test server host address';} else {exec './server/resolve --ipv6 localhost6'; print 'Cannot run precheck resolve';}" - - - -diff --git a/tests/data/test241 b/tests/data/test241 -index 46eae1f..4e1632c 100644 ---- a/tests/data/test241 -+++ b/tests/data/test241 -@@ -30,13 +30,13 @@ ipv6 - http-ipv6 - - --HTTP-IPv6 GET (using ip6-localhost) -+HTTP-IPv6 GET (using localhost6) - - ---g "http://ip6-localhost:%HTTP6PORT/241" -+-g "http://localhost6:%HTTP6PORT/241" - - --./server/resolve --ipv6 ip6-localhost -+./server/resolve --ipv6 localhost6 - - - -@@ -48,7 +48,7 @@ HTTP-IPv6 GET (using ip6-localhost) - - - GET /241 HTTP/1.1 --Host: ip6-localhost:%HTTP6PORT -+Host: localhost6:%HTTP6PORT - Accept: */* - - diff --git a/ci.fmf b/ci.fmf new file mode 100644 index 0000000..d3546e9 --- /dev/null +++ b/ci.fmf @@ -0,0 +1,9 @@ +discover: + how: fmf +prepare: + how: install + exclude: + - libcurl-minimal + - curl-minimal +execute: + how: tmt diff --git a/curl-7.55.1.tar.xz.asc b/curl-7.55.1.tar.xz.asc deleted file mode 100644 index c6d2d29..0000000 --- a/curl-7.55.1.tar.xz.asc +++ /dev/null 
@@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlmRPboACgkQXMkI/bce -EsIxOAf9GPx5uj4rzy5VW8UhHgZXJl97S9mEVt8I6DnwpLrlCsV7jf4CHpys0Ymt -kaRoqudjCfjfm2BRtoTZq9ZmWv6vMwuwKrfGwQSmtyNiVFnCZ2hX4QEErMDP27pn -yJnlxO0MQVXCpKAxvmx2yRQ/qoGX18dGENBGe5USBOzh3QWArIN8vIaGsINvCmcM -StMzgzNs+x4MP75xt6Wf+MH2biMfyXoq4zFsVKRYDlwZyr495uT9Zms4HzxPLlap -LPotKQTj1ZcmC0tVLGDWXEx/aE65tLhsJjyLrIlIx+VvkKPwxN8rBntAAC8jh6az -5bhonUTL94v5XnKySk7srhNP7ds8qQ== -=3zTB ------END PGP SIGNATURE----- diff --git a/curl.rpmlintrc b/curl.rpmlintrc new file mode 100644 index 0000000..022a98e --- /dev/null +++ b/curl.rpmlintrc @@ -0,0 +1,15 @@ +# Intentional stuff we're not concerned about +addFilter("unversioned-explicit-provides webclient") +addFilter("package-with-huge-docs") +addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4") + +# This is just plain wrong (%_configure redefinition) +addFilter("configure-without-libdir-spec") + +# Technical term +addFilter("E: spelling-error \('kerberos',") + +# Artefacts of RemovePathPostfixes: .minimal +addFilter("W: dangling-relative-symlink /usr/lib/.build-id/.* ../../../../.*curl.*\.minimal") +#addFilter("W: dangling-relative-symlink /usr/lib.*/libcurl.so.4 libcurl.so.4.*.minimal") +#addFilter("E: invalid-ldconfig-symlink /usr/lib.*/libcurl.so.4.* libcurl.so.4.*.minimal") diff --git a/curl.spec b/curl.spec index 50130d9..c0ad4db 100644 --- a/curl.spec +++ b/curl.spec 
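Review bot: The `crypto-policy-non-compliance-openssl` filter in curl.rpmlintrc sits under the generic heading "Intentional stuff we're not concerned about", which does not tell a later reader why a crypto-policy lint on libcurl.so.4 is safe to silence. The same commit deletes 0103-curl-7.55.1-system-crypto-policy.patch, so the reason the warning is acceptable is worth stating next to the filter. A dedicated comment above that line would do, for example `# libcurl only sets a cipher list when the application asks for one; defaults follow the system policy (TODO confirm)`. That rationale is inferred and not visible in this diff, so the packager should word it from the actual reason.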
@@ -1,133 +1,177 @@ +# OpenSSL ENGINE support +# This is deprecated by OpenSSL since OpenSSL 3.0 and by Fedora since Fedora 41 +# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine +# Change the bcond to 0 to turn off ENGINE support by default +%bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10] + +# HTTP/3 support +# This is using ngtcp2 with OpenSSL 3.5 QUIC support instead of curl's +# experimental native OpenSSL 3.5 support. +%bcond http3 %[0%{?fedora} >= 43] + Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.55.1 -Release: 14%{?dist} -License: MIT -Group: Applications/Internet -Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz - -# make zsh completion work again -Patch1: 0001-curl-7.55.1-zsh-completion.patch - -# http: Don't wait on CONNECT when there is no proxy (#1485702) -Patch2: 0002-curl-7.55.1-proxy-connect.patch - -# http2: handle GOAWAY properly (#1585797) -Patch4: 0004-curl-7.59.0-http2-GOAWAY.patch - -# fix out of bounds read in FTP PWD response parser (CVE-2017-1000254) -Patch5: 0005-curl-7.55.1-CVE-2017-1000254.patch - -# fix buffer overflow while processing IMAP FETCH response (CVE-2017-1000257) -Patch6: 0006-curl-7.55.1-CVE-2017-1000257.patch - -# fix FTP wildcard out of bounds read (CVE-2017-8817) -Patch7: 0007-curl-7.55.1-CVE-2017-8817.patch - -# fix NTLM buffer overflow via integer overflow (CVE-2017-8816) -Patch8: 0008-curl-7.55.1-CVE-2017-8816.patch - -# http: prevent custom Authorization headers in redirects (CVE-2018-1000007) -Patch9: 0009-curl-7.55.1-CVE-2018-1000007.patch - -# http2: fix incorrect trailer buffer size (CVE-2018-1000005) -Patch10: 0010-curl-7.55.1-CVE-2018-1000005.patch - -# fix RTSP RTP buffer over-read (CVE-2018-1000122) -Patch16: 0016-curl-7.55.1-CVE-2018-1000122.patch - -# fix LDAP NULL pointer dereference (CVE-2018-1000121) -Patch17: 0017-curl-7.55.1-CVE-2018-1000121.patch - -# fix FTP path trickery leads to NIL byte out 
of bounds write (CVE-2018-1000120) -Patch18: 0018-curl-7.55.1-CVE-2018-1000120.patch - -# fix RTSP bad headers buffer over-read (CVE-2018-1000301) -Patch19: 0019-curl-7.55.1-CVE-2018-1000301.patch - -# fix FTP shutdown response buffer overflow (CVE-2018-1000300) -Patch20: 0020-curl-7.55.1-CVE-2018-1000300.patch - -# ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544) -Patch21: 0021-curl-7.55.1-pkcs11.patch - -# fix NTLM password overflow via integer overflow (CVE-2018-14618) -Patch22: 0022-curl-7.55.1-CVE-2018-14618.patch +Version: 8.18.0 +Release: 1%{?dist} +License: curl +Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz +Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc +# The curl download page ( https://curl.se/download.html ) links +# to Daniel's address page https://daniel.haxx.se/address.html for the GPG Key, +# which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc +Source2: mykey.asc # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch -# prevent configure script from discarding -g in CFLAGS (#496778) -Patch102: 0102-curl-7.36.0-debug.patch - -# utilize system wide crypto policies for TLS (#1483972) -Patch103: 0103-curl-7.55.1-system-crypto-policy.patch - -# use localhost6 instead of ip6-localhost in the curl test-suite -Patch104: 0104-curl-7.19.7-localhost6.patch - Provides: curl-full = %{version}-%{release} +# do not fail when trying to install curl-minimal after drop +Provides: curl-minimal = %{version}-%{release} Provides: webclient -URL: https://curl.haxx.se/ -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) +URL: https://curl.se/ + +%if 0%{?fedora} +# instead of bundled wcurl utility, recommend wcurl package +Recommends: wcurl +%endif + +# The reason for maintaining two separate packages for curl is no longer valid. +# The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal. 
+# For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=2262096 +Obsoletes: curl-minimal < 8.6.0-4 + BuildRequires: automake +BuildRequires: brotli-devel +BuildRequires: coreutils +BuildRequires: gcc BuildRequires: groff BuildRequires: krb5-devel BuildRequires: libidn2-devel -BuildRequires: libmetalink-devel BuildRequires: libnghttp2-devel +%if %{with http3} +BuildRequires: libnghttp3-devel +%endif BuildRequires: libpsl-devel -BuildRequires: libssh2-devel +BuildRequires: libssh-devel +BuildRequires: libtool +BuildRequires: make +%if %{with http3} +BuildRequires: ngtcp2-crypto-ossl-devel +%endif BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server +BuildRequires: openssl BuildRequires: openssl-devel +%if %{with openssl_engine_support} && 0%{?fedora} >= 41 +BuildRequires: openssl-devel-engine +%endif +BuildRequires: perl-interpreter BuildRequires: pkgconfig -BuildRequires: python -BuildRequires: stunnel +BuildRequires: python-unversioned-command +BuildRequires: python3-devel +BuildRequires: sed BuildRequires: zlib-devel +# For gpg verification of source tarball +BuildRequires: gnupg2 + +# needed to compress content of tool_hugehelp.c after changing curl.1 man page +BuildRequires: perl(IO::Compress::Gzip) + +# needed for generation of shell completions +BuildRequires: perl(Getopt::Long) +BuildRequires: perl(Pod::Usage) +BuildRequires: perl(strict) +BuildRequires: perl(warnings) + +# needed for test1560 to succeed +BuildRequires: glibc-langpack-en + # gnutls-serv is used by the upstream test-suite BuildRequires: gnutls-utils +# hostname(1) is used by the test-suite but it is missing in armv7hl buildroot +BuildRequires: hostname + # nghttpx (an HTTP/2 proxy) is used by the upstream test-suite BuildRequires: nghttp2 # perl modules used in the test suite +BuildRequires: perl(B) +BuildRequires: perl(base) +BuildRequires: perl(constant) BuildRequires: perl(Cwd) BuildRequires: perl(Digest::MD5) +BuildRequires: 
perl(Digest::SHA) BuildRequires: perl(Exporter) BuildRequires: perl(File::Basename) BuildRequires: perl(File::Copy) BuildRequires: perl(File::Spec) +BuildRequires: perl(I18N::Langinfo) BuildRequires: perl(IPC::Open2) +BuildRequires: perl(List::Util) +BuildRequires: perl(Memoize) BuildRequires: perl(MIME::Base64) -BuildRequires: perl(strict) -BuildRequires: perl(Time::Local) +BuildRequires: perl(POSIX) +BuildRequires: perl(Storable) BuildRequires: perl(Time::HiRes) -BuildRequires: perl(warnings) +BuildRequires: perl(Time::Local) BuildRequires: perl(vars) +%if 0%{?fedora} +# needed for upstream test 1451 +BuildRequires: python3-impacket +%endif + # The test-suite runs automatically through valgrind if valgrind is available # on the system. By not installing valgrind into mock's chroot, we disable # this feature for production builds on architectures where valgrind is known # to be less reliable, in order to avoid unnecessary build failures (see RHBZ # #810992, #816175, and #886891). Nevertheless developers are free to install # valgrind manually to improve test coverage on any architecture. 
-%ifarch x86_64 %{ix86} +%ifarch x86_64 BuildRequires: valgrind %endif +# stunnel is used by upstream tests but it does not seem to work reliably +# on aarch64/s390x and occasionally breaks some tests (mainly 1561 and 1562) +%ifnarch aarch64 s390x +BuildRequires: stunnel +%endif + # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION Requires: libcurl%{?_isa} >= %{version}-%{release} -# require at least the version of libssh2 that we were built against, +# Define OPENSSL_NO_ENGINE to avoid inclusion of +%if %{without openssl_engine_support} +%global _preprocessor_defines %{?_preprocessor_defines} -DOPENSSL_NO_ENGINE +%endif + +# require at least the version of libnghttp2 that we were built against, +# to ensure that we have the necessary symbols available (#2144277) +%global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0) + +# require at least the version of libnghttp3 that we were built against, +# to ensure that we have the necessary symbols available +%global libnghttp3_version %(pkg-config --modversion libnghttp3 2>/dev/null || echo 0) + +# require at least the version of libpsl that we were built against, +# to ensure that we have the necessary symbols available (#1631804) +%global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0) + +# require at least the version of libssh that we were built against, # to ensure that we have the necessary symbols available (#525002, #642796) -%global libssh2_version %(pkg-config --modversion libssh2 2>/dev/null || echo 0) +%global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0) + +# require at least the version of ngtcp2 that we were built against, +# to ensure that we have the necessary symbols available +%global ngtcp2_version %(pkg-config --modversion libngtcp2 2>/dev/null || echo 0) # require at least the version of openssl-libs that we were built against, # to ensure that we have the necessary symbols available (#1462184, 
#1462211) -%global openssl_version %(pkg-config --modversion openssl 2>/dev/null || echo 0) +# (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though) +%global openssl_version %({ pkg-config --modversion openssl 2>/dev/null || echo 0;} | sed 's|-|-0.|') %description curl is a command line tool for transferring data with URL syntax, supporting @@ -139,8 +183,15 @@ resume, proxy tunneling and a busload of other useful tricks. %package -n libcurl Summary: A library for getting files from web servers -Group: Development/Libraries -Requires: libssh2%{?_isa} >= %{libssh2_version} +Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} +%if %{with http3} +Requires: libnghttp3%{?_isa} >= %{libnghttp3_version} +%endif +Requires: libpsl%{?_isa} >= %{libpsl_version} +Requires: libssh%{?_isa} >= %{libssh_version} +%if %{with http3} +Requires: ngtcp2%{?_isa} >= %{ngtcp2_version} +%endif Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl-full = %{version}-%{release} Provides: libcurl-full%{?_isa} = %{version}-%{release} @@ -155,7 +206,6 @@ resume, http proxy tunneling and more. %package -n libcurl-devel Summary: Files needed for building applications with libcurl -Group: Development/Libraries Requires: libcurl%{?_isa} = %{version}-%{release} Provides: curl-devel = %{version}-%{release} 
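Review bot: The comment above `Source2: mykey.asc` records where the key was fetched from and when, but not which key it is, so the tarball signature check is only as strong as whatever file is committed under that name. Adding the fingerprint next to it, e.g. `# expected key fingerprint: <FINGERPRINT-PLACEHOLDER>`, would make a later replacement of mykey.asc visible in review. The `%{gpgverify}` call that consumes SOURCE2 is in the %prep hunk further down, outside this hunk.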
@@ -167,28 +217,16 @@ The libcurl-devel package includes header files and libraries necessary for developing programs which use the libcurl library. It contains the API documentation of the library, too. -%package -n curl-minimal -Summary: Conservatively configured build of curl for minimal installations -Provides: curl = %{version}-%{release} -Conflicts: curl -RemovePathPostfixes: .minimal - -# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION -Requires: libcurl%{?_isa} >= %{version}-%{release} - -%description -n curl-minimal -This is a replacement of the 'curl' package for minimal installations. It -comes with a limited set of features compared to the 'curl' package. On the -other hand, the package is smaller and requires fewer run-time dependencies to -be installed. - %package -n libcurl-minimal Summary: Conservatively configured build of libcurl for minimal installations +Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl = %{version}-%{release} Provides: libcurl%{?_isa} = %{version}-%{release} -Conflicts: libcurl +Conflicts: libcurl%{?_isa} RemovePathPostfixes: .minimal +# needed for RemovePathPostfixes to work with shared libraries +%undefine __brp_ldconfig %description -n libcurl-minimal This is a replacement of the 'libcurl' package for minimal installations. It 
@@ -197,87 +235,107 @@ other hand, the package is smaller and requires fewer run-time dependencies to be installed. %prep -%setup -q +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' +%autosetup -n %{name}-%{version_no_tilde} -p1 -# upstream patches -%patch1 -p1 -%patch2 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch16 -p1 -%patch17 -p1 -%patch18 -p1 -%patch19 -p1 -%patch20 -p1 -%patch21 -p1 -%patch22 -p1 - -# Fedora patches -%patch101 -p1 -%patch102 -p1 -%patch103 -p1 -%patch104 -p1 - -# regenerate Makefile.in files -aclocal -I m4 -automake - -# disable test 1112 (#565305) and test 1801 +# disable test 1801 # -# and test 2033, which is a flaky test for HTTP/1 pipelining -printf "1112\n1801\n2033\n" >> tests/data/DISABLED +printf "1801\n" >>tests/data/DISABLED -# disable test 1319 on ppc64 (server times out) -%ifarch ppc64 -echo "1319" >> tests/data/DISABLED +# test3026: avoid pthread_create() failure due to resource exhaustion on i386 +%ifarch %{ix86} +sed -e 's|NUM_THREADS 1000$|NUM_THREADS 256|' \ + -i tests/libtest/lib3026.c %endif -# temporarily disable failing libidn2 test-cases -printf "1034\n1035\n2046\n2047\n" >> tests/data/DISABLED +# adapt test 323 for updated OpenSSL +sed -e 's|^35$|35,52|' -i tests/data/test323 + +# use localhost6 instead of ip6-localhost in the curl test-suite +( + # avoid glob expansion in the trace output of `bash -x` + { set +x; } 2>/dev/null + cmd="sed -e 's|ip6-localhost|localhost6|' -i tests/data/test[0-9]*" + printf "+ %s\n" "$cmd" >&2 + eval "$cmd" +) + +# avoid unnecessary arch-dependent line in the processed file +sed -e '/# Used in @libdir@/d' \ + -i curl-config.in %build +# regenerate the configure script and Makefile.in files +autoreconf -fiv + mkdir build-{full,minimal} -export common_configure_opts=" \ - --cache-file=../config.cache \ - --disable-static \ - --enable-symbol-hiding \ - --enable-ipv6 \ - --enable-threaded-resolver \ - 
--with-gssapi \ - --with-nghttp2 \ - --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" +export common_configure_opts=" \ + --cache-file=../config.cache \ + --disable-manual \ + --disable-static \ + --enable-hsts \ + --enable-ipv6 \ + --enable-symbol-hiding \ + --enable-threaded-resolver \ + --without-zstd \ + --with-gssapi \ + --with-libidn2 \ + --with-nghttp2 \ + --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \ + --with-zsh-functions-dir" %global _configure ../configure # configure minimal build ( cd build-minimal - %configure $common_configure_opts \ - --disable-ldap \ - --disable-ldaps \ - --disable-manual \ - --without-libidn2 \ - --without-libmetalink \ - --without-libpsl \ - --without-libssh2 + %configure $common_configure_opts \ + --disable-dict \ + --disable-gopher \ + --disable-imap \ + --disable-ldap \ + --disable-ldaps \ + --disable-mqtt \ + --disable-ntlm \ + --disable-pop3 \ + --disable-rtsp \ + --disable-smb \ + --disable-smtp \ + --disable-telnet \ + --disable-tftp \ + --disable-tls-srp \ + --disable-websockets \ + --without-brotli \ + --without-libpsl \ + --without-libssh ) # configure full build ( cd build-full - %configure $common_configure_opts \ - --enable-ldap \ - --enable-ldaps \ - --enable-manual \ - --with-libidn2 \ - --with-libmetalink \ - --with-libpsl \ - --with-libssh2 + %configure $common_configure_opts \ + --enable-dict \ + --enable-gopher \ + --enable-imap \ + --enable-ldap \ + --enable-ldaps \ + --enable-mqtt \ + --enable-ntlm \ + --enable-pop3 \ + --enable-rtsp \ + --enable-smb \ + --enable-smtp \ + --enable-telnet \ + --enable-tftp \ + --enable-tls-srp \ + --enable-websockets \ + --with-brotli \ + --with-libpsl \ + --with-libssh \ +%if %{with http3} + --with-nghttp3 \ + --with-ngtcp2 \ +%endif ) # avoid using rpath 
@@ -285,73 +343,91 @@ sed -e 's/^runpath_var=.*/runpath_var=/' \ -e 's/^hardcode_libdir_flag_spec=".*"$/hardcode_libdir_flag_spec=""/' \ -i build-{full,minimal}/libtool -make %{?_smp_mflags} V=1 -C build-minimal -make %{?_smp_mflags} V=1 -C build-full +%make_build V=1 -C build-minimal +%make_build V=1 -C build-full %check -# we have to override LD_LIBRARY_PATH because we eliminated rpath -LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" -export LD_LIBRARY_PATH - # compile upstream test-cases -cd build-full/tests -make %{?_smp_mflags} V=1 +%make_build V=1 -C build-minimal/tests +%make_build V=1 -C build-full/tests + +# relax crypto policy for the test-suite to make it pass again (#1610888) +export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX +export OPENSSL_CONF= + +# make runtests.pl work for out-of-tree builds +export srcdir=../../tests + +# prevent valgrind from being extremely slow (#1662656) +# https://fedoraproject.org/wiki/Changes/DebuginfodByDefault +unset DEBUGINFOD_URLS + +# run the upstream test-suite for both curl-minimal and curl-full +for size in minimal full; do ( + cd build-${size} + + # we have to override LD_LIBRARY_PATH because we eliminated rpath + export LD_LIBRARY_PATH="${PWD}/lib/.libs" + + cd tests + perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky' +) +done -# run the upstream test-suite -srcdir=../../tests perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky' %install # install and rename the library that will be packaged as libcurl-minimal -make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-minimal/lib +%make_install -C build-minimal/lib rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.{la,so} for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do mv -v $i $i.minimal done -# install and rename the executable that will be packaged as curl-minimal -make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-minimal/src -mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal} - # install libcurl.m4 install -d 
$RPM_BUILD_ROOT%{_datadir}/aclocal install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal # install the executable and library that will be packaged as curl and libcurl cd build-full -make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install +%make_install -# install zsh completion for curl -# (we have to override LD_LIBRARY_PATH because we eliminated rpath) -LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \ - make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C scripts +# do not install /usr/share/fish/completions/curl.fish which is also installed +# by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict +rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la -%post -n libcurl -p /sbin/ldconfig +# do not install bundled wcurl utility +# it is provided by the wcurl package +rm -f ${RPM_BUILD_ROOT}%{_bindir}/wcurl +rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* -%postun -n libcurl -p /sbin/ldconfig +%ldconfig_scriptlets -n libcurl -%post -n libcurl-minimal -p /sbin/ldconfig - -%postun -n libcurl-minimal -p /sbin/ldconfig +%ldconfig_scriptlets -n libcurl-minimal %files -%doc CHANGES README* -%doc docs/BUGS docs/FAQ docs/FEATURES -%doc docs/MANUAL docs/RESOURCES -%doc docs/TheArtOfHttpScripting docs/TODO +%doc CHANGES.md +%doc README +%doc docs/BUGS.md +%doc docs/DISTROS.md +%doc docs/FAQ.md +%doc docs/FEATURES.md +%doc docs/KNOWN_BUGS.md +%doc docs/TODO.md +%doc docs/TheArtOfHttpScripting.md %{_bindir}/curl %{_mandir}/man1/curl.1* -%{_datadir}/zsh/site-functions +%{_datadir}/zsh %files -n libcurl %license COPYING -%{_libdir}/libcurl.so.[0-9] -%{_libdir}/libcurl.so.[0-9].[0-9].[0-9] +%{_libdir}/libcurl.so.4 +%{_libdir}/libcurl.so.4.[0-9].[0-9] %files -n libcurl-devel %doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md -%doc docs/CONTRIBUTE.md docs/libcurl/ABI +%doc docs/CONTRIBUTE.md docs/libcurl/ABI.md %{_bindir}/curl-config* %{_includedir}/curl %{_libdir}/*.so 
@@ -360,47 +436,701 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/* %{_datadir}/aclocal/libcurl.m4 -%files -n curl-minimal -%{_bindir}/curl.minimal -%{_mandir}/man1/curl.1* - %files -n libcurl-minimal %license COPYING -%{_libdir}/libcurl.so.[0-9].minimal -%{_libdir}/libcurl.so.[0-9].[0-9].[0-9].minimal +%{_libdir}/libcurl.so.4.minimal +%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -* Wed Sep 05 2018 Kamil Dudka - 7.55.1-14 -- fix NTLM password overflow via integer overflow (CVE-2018-14618) +* Wed Jan 07 2026 Jan Macku - 8.18.0-1 +- new upstream release -* Thu Aug 09 2018 Kamil Dudka - 7.55.1-13 +* Mon Jan 05 2026 Jan Macku - 8.18.0~rc3-1 +- new upstream release candidate + +* Tue Dec 16 2025 Jan Macku - 8.18.0~rc2-1 +- new upstream release candidate +- reenable valgrind on test 616 + +* Tue Dec 09 2025 Jan Macku - 8.18.0~rc1-1 +- new upstream release candidate +- drop upstreamed patches + +* Sun Dec 07 2025 Aleksei Bavshin - 8.17.0-5 +- Enable HTTP/3 support with ngtcp2 + +* Thu Dec 04 2025 Jan Macku - 8.17.0-4 +- apply upstream patches for valgrind issues in HTTP/3 (#2408809) + +* Thu Nov 13 2025 Jan Macku - 8.17.0-3 +- recommend wcurl package instead of bundled wcurl utility + +* Thu Nov 13 2025 Jan Macku - 8.17.0-2 +- remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead + +* Mon Nov 10 2025 Jan Macku - 8.17.0-1 +- new upstream release + +* Thu Oct 30 2025 Jan Macku - 8.17.0~rc3-1 +- new upstream release candidate + +* Tue Oct 21 2025 Jan Macku - 8.17.0~rc2-1 +- new upstream release candidate + +* Mon Oct 13 2025 Jan Macku - 8.17.0~rc1-1 +- new upstream release candidate + +* Wed Sep 10 2025 Jan Macku - 8.16.0-1 +- new upstream release + +* Wed Sep 03 2025 Jan Macku - 8.16.0~rc3-1 +- new upstream release candidate + +* Tue Aug 26 2025 Jan Macku - 8.16.0~rc2-1 +- new upstream release candidate + +* Wed Jul 23 2025 Fedora Release Engineering - 8.15.0-2 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
+* Wed Jul 16 2025 Jan Macku - 8.15.0-1
+- new upstream release
+
+* Thu Jul 10 2025 Jan Macku - 8.15.0~rc3-1
+- new upstream release candidate
+
+* Mon Jun 30 2025 Jan Macku - 8.15.0~rc2-1
+- new upstream release candidate
+
+* Mon Jun 23 2025 Jan Macku - 8.15.0~rc1-1
+- new upstream release candidate
+
+* Wed Jun 04 2025 Jan Macku - 8.14.1-1
+- new upstream release
+- drop: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch (no longer needed)
+
+* Wed May 28 2025 Jan Macku - 8.14.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2025-5025 - No QUIC certificate pinning with wolfSSL
+ CVE-2025-4947 - QUIC certificate check skip with wolfSSL
+- fix regression: curl_multi_add_handle() returning OOM when using more than 400 handles
+
+* Fri May 02 2025 Jan Macku - 8.14.0~rc1-1
+- new upstream release candidate
+- new utility: wcurl which lets you download URLs without having to remember any parameters
+
+* Wed Apr 02 2025 Jan Macku - 8.13.0-1
+- new upstream release
+- add build time dependency on openssl (required by tests)
+
+* Wed Mar 26 2025 Jan Macku - 8.13.0~rc3-1
+- new upstream release candidate
+- drop: 0102-curl-7.84.0-test3026.patch (no longer needed)
+
+* Tue Mar 18 2025 Jan Macku - 8.13.0~rc2-1
+- new upstream release candidate
+
+* Thu Mar 13 2025 Jan Macku - 8.13.0~rc1-2
+- fix --cert parameter (#2351531)
+
+* Mon Mar 10 2025 Jan Macku - 8.13.0~rc1-1
+- new upstream release candidate
+
+* Wed Feb 05 2025 Jan Macku - 8.12.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2025-0725 - gzip integer overflow
+ CVE-2025-0665 - eventfd double close
+ CVE-2025-0167 - netrc and default credential leak
+- drop upstreamed patches
+
+* Fri Jan 31 2025 Jan Macku - 8.11.1-4
+- TLS: check connection for SSL use, not handler (#2324130#c7)
+
+* Thu Jan 16 2025 Fedora Release Engineering - 8.11.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
+* Sun Dec 15 2024 Paul Howarth - 8.11.1-2
+- Fix crash with Unexpected error 9 on netlink descriptor 10 (rhbz#2332350)
+ - https://github.com/curl/curl/issues/15725
+ - https://github.com/curl/curl/pull/15727
+
+* Wed Dec 11 2024 Jan Macku - 8.11.1-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2024-11053 - netrc and redirect credential leak
+
+* Wed Nov 06 2024 Yaakov Selkowitz - 8.11.0-2
+- Disable engine support on RHEL 10+
+
+* Wed Nov 06 2024 Jan Macku - 8.11.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2024-9681 - HSTS subdomain overwrites parent cache entry
+
+* Tue Sep 24 2024 Jan Macku - 8.10.1-2
+- Use tls-ca-bundle.pem instead of ca-bundle.crt (OpenSSL specific) (#2313564)
+
+* Wed Sep 18 2024 Jan Macku - 8.10.1-1
+- new upstream release
+
+* Wed Sep 11 2024 Jan Macku - 8.10.0-1
+- new upstream release
+
+* Wed Aug 21 2024 Jacek Migacz - 8.9.1-3
+- Retire deprecated ntlm-wb configure option
+
+* Mon Aug 5 2024 voidanix - 8.9.1-2
+- Apply SIGPIPE-related patch due to upstream regression
+
+* Wed Jul 24 2024 Jan Macku - 8.9.1-1
+- new upstream release
+
+* Wed Jul 24 2024 Jan Macku - 8.9.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2024-6874 - macidn punycode buffer overread
+ CVE-2024-6197 - freeing stack buffer in utf8asn1str
+- drop upstreamed patches
+
+* Wed Jul 17 2024 Fedora Release Engineering - 8.8.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Fri Jul 12 2024 Paul Howarth - 8.8.0-2
+- adapt for https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
+- added build condition for openssl_engine_support, true by default so as to
+ not change the resulting built package (yet)
+- with openssl_engine_support true, BR: openssl-devel-engine
+- with openssl_engine_support false, build with -DOPENSSL_NO_ENGINE
+
+* Wed May 22 2024 Jan Macku - 8.8.0-1
+- new upstream release
+- drop upstreamed patches + +* Wed Mar 27 2024 Jan Macku - 8.7.1-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-2004 - Usage of disabled protocol + CVE-2024-2379 - QUIC certificate check bypass with wolfSSL + CVE-2024-2398 - HTTP/2 push headers memory-leak + CVE-2024-2466 - TLS certificate check bypass with mbedTLS +- drop upstreamed patches +- reenable test 0313 +- fix zsh completions, use --with-zsh-functions-dir +- apply upstream patches for 8.7.1 issues and regressions + +* Mon Feb 19 2024 Jan Macku - 8.6.0-7 +- Fix: Leftovers after chunking should not be part of the curl buffer output (#2264220) + +* Mon Feb 12 2024 Jan Macku - 8.6.0-6 +- revert "receive max buffer" + add test case +- temporarily disable test 0313 +- remove suggests of libcurl-minimal in curl-full + +* Mon Feb 12 2024 Jan Macku - 8.6.0-5 +- add Provides to curl-minimal + +* Wed Feb 07 2024 Jan Macku - 8.6.0-4 +- drop curl-minimal subpackage in favor of curl-full (#2262096) + +* Mon Feb 05 2024 Jan Macku - 8.6.0-3 +- ignore response body to HEAD requests + +* Fri Feb 02 2024 Jan Macku - 8.6.0-2 +- don't build manual for curl-full - use man 1 curl instead (#2262373) + +* Thu Feb 01 2024 Jan Macku - 8.6.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-0853 - OCSP verification bypass with TLS session reuse +- drop 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch (replaced by upstream fix) +- remove accidentally included mk-ca-bundle.1 man page (upstream bug #12843) + +* Fri Jan 19 2024 Fedora Release Engineering - 8.5.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Wed Dec 06 2023 Jan Macku - 8.5.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-46218 - cookie mixed case PSL bypass + CVE-2023-46219 - HSTS long file name clears contents + +* Wed Oct 11 2023 Jan Macku - 8.4.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-38545 - 
SOCKS5 heap buffer overflow
+ CVE-2023-38546 - cookie injection with none file
+
+* Wed Sep 13 2023 Jan Macku - 8.3.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2023-38039 - HTTP headers eat all memory
+
+* Wed Aug 02 2023 Jan Macku - 8.2.1-2
+- enable websockets (#2224651)
+
+* Wed Jul 26 2023 Lukáš Zaoral - 8.2.1-1
+- new upstream release (rhbz#2226659)
+
+* Wed Jul 19 2023 Jan Macku - 8.2.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2023-32001 - fopen race condition
+
+* Tue May 30 2023 Jan Macku - 8.1.2-1
+- new upstream release, with small bugfixes and improvements
+
+* Tue May 23 2023 Jan Macku - 8.1.1-1
+- new upstream release, with small bugfixes and improvements
+
+* Wed May 17 2023 Kamil Dudka - 8.1.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2023-28321 - IDN wildcard match
+ CVE-2023-28322 - more POST-after-PUT confusion
+
+* Fri Apr 21 2023 Kamil Dudka - 8.0.1-3
+- tests: re-enable temporarily disabled test-cases
+- tests: attempt to fix a conflict on port numbers
+- apply patches automatically
+
+* Tue Mar 21 2023 Lukáš Zaoral - 8.0.1-2
+- migrated to SPDX license
+
+* Mon Mar 20 2023 Kamil Dudka - 8.0.1-1
+- new upstream release
+
+* Mon Mar 20 2023 Kamil Dudka - 8.0.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2023-27538 - SSH connection too eager reuse still
+ CVE-2023-27537 - HSTS double-free
+ CVE-2023-27536 - GSS delegation too eager connection re-use
+ CVE-2023-27535 - FTP too eager connection reuse
+ CVE-2023-27534 - SFTP path ~ resolving discrepancy
+ CVE-2023-27533 - TELNET option IAC injection
+
+* Mon Feb 20 2023 Kamil Dudka - 7.88.1-1
+- new upstream release
+
+* Fri Feb 17 2023 Kamil Dudka - 7.88.0-2
+- http2: set drain on stream end
+
+* Wed Feb 15 2023 Kamil Dudka - 7.88.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2023-23916 - HTTP multi-header compression denial of service
+ CVE-2023-23915 - HSTS amnesia with --parallel
+ CVE-2023-23914 - HSTS ignored on multiple requests
+
+* Fri Jan 20 2023 Kamil Dudka - 7.87.0-4
+- fix regression in a public header file (#2162716)
+
+* Thu Jan 19 2023 Fedora Release Engineering - 7.87.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Wed Jan 11 2023 Kamil Dudka - 7.87.0-2
+- test3012: temporarily disable valgrind (#2143040)
+
+* Wed Dec 21 2022 Kamil Dudka - 7.87.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2022-43552 - HTTP Proxy deny use-after-free
+ CVE-2022-43551 - Another HSTS bypass via IDN
+
+* Tue Nov 29 2022 Kamil Dudka - 7.86.0-4
+- noproxy: tailmatch like in 7.85.0 and earlier (#2149224)
+
+* Thu Nov 24 2022 Kamil Dudka - 7.86.0-3
+- enforce versioned libnghttp2 dependency for libcurl (#2144277)
+
+* Mon Oct 31 2022 Kamil Dudka - 7.86.0-2
+- fix regression in noproxy matching
+
+* Wed Oct 26 2022 Kamil Dudka - 7.86.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2022-42916 - HSTS bypass via IDN
+ CVE-2022-42915 - HTTP proxy double-free
+ CVE-2022-35260 - .netrc parser out-of-bounds access
+ CVE-2022-32221 - POST following PUT confusion
+
+* Thu Sep 01 2022 Kamil Dudka - 7.85.0-1
+- new upstream release, which fixes the following vulnerability
+ CVE-2022-35252 - control code in cookie denial of service
+
+* Thu Aug 25 2022 Kamil Dudka - 7.84.0-3
+- tests: fix http2 tests to use CRLF headers to make it work with nghttp2-1.49.0
+
+* Wed Jul 20 2022 Fedora Release Engineering - 7.84.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Mon Jun 27 2022 Kamil Dudka - 7.84.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2022-32207 - Unpreserved file permissions
+ CVE-2022-32205 - Set-Cookie denial of service
+ CVE-2022-32206 - HTTP compression denial of service
+ CVE-2022-32208 - FTP-KRB bad message verification
+
+* Wed May 11 2022 Kamil Dudka - 7.83.1-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2022-27782 - fix too eager reuse of TLS and SSH connections
+ CVE-2022-27779 - do not accept cookies for TLD with trailing dot
+ CVE-2022-27778 - do not remove wrong file on error
+ CVE-2022-30115 - hsts: ignore trailing dots when comparing hosts names
+ CVE-2022-27780 - reject percent-encoded path separator in URL host
+
+* Wed Apr 27 2022 Kamil Dudka - 7.83.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2022-27774 - curl credential leak on redirect
+ CVE-2022-27776 - curl auth/cookie leak on redirect
+ CVE-2022-27775 - curl bad local IPv6 connection reuse
+ CVE-2022-22576 - curl OAUTH2 bearer bypass in connection re-use
+
+* Tue Mar 15 2022 Kamil Dudka - 7.82.0-2
+- openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure
+
+* Sat Mar 05 2022 Kamil Dudka - 7.82.0-1
+- new upstream release
+
+* Thu Feb 24 2022 Kamil Dudka - 7.81.0-4
+- enable IDN support also in libcurl-minimal
+
+* Thu Feb 10 2022 Zbigniew Jędrzejewski-Szmek - 7.81.0-3
+- Suggest libcurl-minimal in curl-minimal
+
+* Thu Jan 20 2022 Fedora Release Engineering - 7.81.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Wed Jan 05 2022 Kamil Dudka - 7.81.0-1
+- new upstream release
+
+* Sun Nov 14 2021 Paul Howarth - 7.80.0-2
+- sshserver.pl (used in test suite) now requires the Digest::SHA perl module
+
+* Wed Nov 10 2021 Kamil Dudka - 7.80.0-1
+- new upstream release
+
+* Tue Oct 26 2021 Kamil Dudka - 7.79.1-3
+- re-enable HSTS in libcurl-minimal as a security feature (#2005874)
+
+* Mon Oct 04 2021 Kamil Dudka - 7.79.1-2
+- disable more protocols and features in libcurl-minimal (#2005874)
+
+* Wed Sep 22 2021 Kamil Dudka - 7.79.1-1
+- new upstream release
+
+* Thu Sep 16 2021 Kamil Dudka - 7.79.0-4
+- fix regression in http2 implementation introduced in the last release
+
+* Thu Sep 16 2021 Sahana Prasad - 7.79.0-3
+- Rebuilt with OpenSSL 3.0.0
+
+* Thu Sep 16 2021 Kamil Dudka - 7.79.0-2
+- make SCP/SFTP tests work with openssh-8.7p1
+
+* Wed Sep 15 2021 Kamil Dudka - 7.79.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2021-22947 - STARTTLS protocol injection via MITM
+ CVE-2021-22946 - protocol downgrade required TLS bypassed
+ CVE-2021-22945 - use-after-free and double-free in MQTT sending
+
+* Tue Sep 14 2021 Sahana Prasad - 7.78.0-4
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Jul 23 2021 Kamil Dudka - 7.78.0-3
+- make explicit dependency on openssl work with alpha/beta builds of openssl
+
+* Wed Jul 21 2021 Fedora Release Engineering - 7.78.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Wed Jul 21 2021 Kamil Dudka - 7.78.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2021-22925 - TELNET stack contents disclosure again
+ CVE-2021-22924 - bad connection reuse due to flawed path name checks
+ CVE-2021-22923 - metalink download sends credentials
+ CVE-2021-22922 - wrong content via metalink not discarded
+
+* Wed Jun 02 2021 Kamil Dudka - 7.77.0-2
+- build the curl tool without metalink support (#1967213)
+
+* Wed May 26 2021 Kamil Dudka - 7.77.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2021-22901 - TLS session caching disaster
+ CVE-2021-22898 - TELNET stack contents disclosure
+
+* Mon May 03 2021 Kamil Dudka - 7.76.1-2
+- http2: fix resource leaks detected by Coverity
+
+* Wed Apr 14 2021 Kamil Dudka - 7.76.1-1
+- new upstream release
+
+* Wed Mar 31 2021 Kamil Dudka - 7.76.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2021-22890 - TLS 1.3 session ticket proxy host mixup
+ CVE-2021-22876 - Automatic referer leaks credentials
+
+* Wed Mar 24 2021 Kamil Dudka - 7.75.0-3
+- fix SIGSEGV upon disconnect of a ldaps:// transfer
+
+* Tue Feb 23 2021 Kamil Dudka - 7.75.0-2
+- build-require python3-impacket only on Fedora
+
+* Wed Feb 03 2021 Kamil Dudka - 7.75.0-1
+- new upstream release
+
+* Tue Jan 26 2021 Kamil Dudka - 7.74.0-4
+- do not use stunnel for tests on s390x builds to avoid spurious failures
+
+* Tue Jan 26 2021 Fedora Release Engineering - 7.74.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Dec 09 2020 Kamil Dudka - 7.74.0-2
+- do not rewrite shebangs in test-suite to use python3 explicitly
+
+* Wed Dec 09 2020 Kamil Dudka - 7.74.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2020-8286 - curl: Inferior OCSP verification
+ CVE-2020-8285 - libcurl: FTP wildcard stack overflow
+ CVE-2020-8284 - curl: trusting FTP PASV responses
+
+* Wed Oct 14 2020 Kamil Dudka - 7.73.0-2
+- prevent upstream test 1451 from being skipped
+
+* Wed Oct 14 2020 Kamil Dudka - 7.73.0-1
+- new upstream release
+
+* Thu Sep 10 2020 Jinoh Kang - 7.72.0-2
+- fix multiarch conflicts in libcurl-minimal (#1877671)
+
+* Wed Aug 19 2020 Kamil Dudka - 7.72.0-1
+- new upstream release, which fixes the following vulnerability
+ CVE-2020-8231 - libcurl: wrong connect-only connection
+
+* Thu Aug 06 2020 Kamil Dudka - 7.71.1-5
+- setopt: unset NOBODY switches to GET if still HEAD
+
+* Mon Jul 27 2020 Fedora Release Engineering - 7.71.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jul 13 2020 Tom Stellard - 7.71.1-3
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Fri Jul 03 2020 Kamil Dudka - 7.71.1-2
+- curl: make the --krb option work again (#1833193)
+
+* Wed Jul 01 2020 Kamil Dudka - 7.71.1-1
+- new upstream release
+
+* Wed Jun 24 2020 Kamil Dudka - 7.71.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2020-8169 - curl: Partial password leak over DNS on HTTP redirect
+ CVE-2020-8177 - curl: overwrite local file with -J
+
+* Wed Apr 29 2020 Kamil Dudka - 7.70.0-1
+- new upstream release
+
+* Mon Apr 20 2020 Kamil Dudka - 7.69.1-3
+- SSH: use new ECDSA key types to check known hosts (#1824926)
+
+* Fri Apr 17 2020 Tom Stellard - 7.69.1-2
+- Prevent discarding of -g when compiling with clang
+
+* Wed Mar 11 2020 Kamil Dudka - 7.69.1-1
+- new upstream release
+
+* Mon Mar 09 2020 Kamil Dudka - 7.69.0-2
+- make Flatpak work again (#1810989)
+
+* Wed Mar 04 2020 Kamil Dudka - 7.69.0-1
+- new upstream release
+
+* Tue Jan 28 2020 Fedora Release Engineering - 7.68.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Jan 08 2020 Kamil Dudka - 7.68.0-1
+- new upstream release
+
+* Thu Nov 14 2019 Kamil Dudka - 7.67.0-2
+- fix infinite loop on upload using a glob (#1771025)
+
+* Wed Nov 06 2019 Kamil Dudka - 7.67.0-1
+- new upstream release
+
+* Wed Sep 11 2019 Kamil Dudka - 7.66.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2019-5481 - double free due to subsequent call of realloc()
+ CVE-2019-5482 - heap buffer overflow in function tftp_receive_packet()
+
+* Tue Aug 27 2019 Kamil Dudka - 7.65.3-4
+- avoid reporting spurious error in the HTTP2 framing layer (#1690971)
+
+* Thu Aug 01 2019 Kamil Dudka - 7.65.3-3
+- improve handling of gss_init_sec_context() failures
+
+* Wed Jul 24 2019 Fedora Release Engineering - 7.65.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sat Jul 20 2019 Paul Howarth - 7.65.3-1
+- new upstream release
+
+* Wed Jul 17 2019 Kamil Dudka - 7.65.2-1
+- new upstream release
+
+* Wed Jun 05 2019 Kamil Dudka - 7.65.1-1
+- new upstream release
+
+* Thu May 30 2019 Kamil Dudka - 7.65.0-2
+- fix spurious timeout events with speed-limit (#1714893)
+
+* Wed May 22 2019 Kamil Dudka - 7.65.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2019-5436 - TFTP receive buffer overflow
+ CVE-2019-5435 - integer overflows in curl_url_set()
+
+* Thu May 09 2019 Kamil Dudka - 7.64.1-2
+- do not treat failure of gss_init_sec_context() with --negotiate as fatal
+
+* Wed Mar 27 2019 Kamil Dudka - 7.64.1-1
+- new upstream release
+
+* Mon Mar 25 2019 Kamil Dudka - 7.64.0-6
+- remove verbose "Expire in" ... messages (#1690971)
+
+* Thu Mar 21 2019 Kamil Dudka - 7.64.0-5
+- avoid spurious "Could not resolve host: [host name]" error messages
+
+* Wed Feb 27 2019 Kamil Dudka - 7.64.0-4
+- fix NULL dereference if flushing cookies with no CookieInfo set (#1683676)
+
+* Mon Feb 25 2019 Kamil Dudka - 7.64.0-3
+- prevent NetworkManager from leaking file descriptors (#1680198)
+
+* Mon Feb 11 2019 Kamil Dudka - 7.64.0-2
+- make zsh completion work again
+
+* Wed Feb 06 2019 Kamil Dudka - 7.64.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2019-3823 - SMTP end-of-response out-of-bounds read
+ CVE-2019-3822 - NTLMv2 type-3 header stack buffer overflow
+ CVE-2018-16890 - NTLM type-2 out-of-bounds buffer read
+
+* Mon Feb 04 2019 Kamil Dudka - 7.63.0-7
+- prevent valgrind from reporting false positives on x86_64
+
+* Thu Jan 31 2019 Fedora Release Engineering - 7.63.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Jan 21 2019 Kamil Dudka - 7.63.0-5
+- xattr: strip credentials from any URL that is stored (CVE-2018-20483)
+
+* Fri Jan 04 2019 Kamil Dudka - 7.63.0-4
+- replace 0105-curl-7.63.0-libstubgss-ldadd.patch by upstream patch
+
+* Wed Dec 19 2018 Kamil Dudka - 7.63.0-3
+- curl -J: do not append to the destination file (#1658574)
+
+* Fri Dec 14 2018 Kamil Dudka - 7.63.0-2
+- revert an upstream commit that broke `fedpkg new-sources` (#1659329)
+
+* Wed Dec 12 2018 Kamil Dudka - 7.63.0-1
+- new upstream release
+
+* Wed Oct 31 2018 Kamil Dudka - 7.62.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2018-16839 - SASL password overflow via integer overflow
+ CVE-2018-16840 - use-after-free in handle close
+ CVE-2018-16842 - warning message out-of-buffer read
+
+* Thu Oct 11 2018 Kamil Dudka - 7.61.1-3
+- enable TLS 1.3 post-handshake auth in OpenSSL
+- update the documentation of --tlsv1.0 in curl(1) man page
+
+* Thu
Oct 04 2018 Kamil Dudka - 7.61.1-2 +- enforce versioned libpsl dependency for libcurl (#1631804) +- test320: update expected output for gnutls-3.6.4 +- drop 0105-curl-7.61.0-tests-ssh-keygen.patch no longer needed (#1622594) + +* Wed Sep 05 2018 Kamil Dudka - 7.61.1-1 +- new upstream release, which fixes the following vulnerability + CVE-2018-14618 - NTLM password overflow via integer overflow + +* Tue Sep 04 2018 Kamil Dudka - 7.61.0-8 +- make the --tls13-ciphers option work + +* Mon Aug 27 2018 Kamil Dudka - 7.61.0-7 +- tests: make ssh-keygen always produce PEM format (#1622594) + +* Wed Aug 15 2018 Kamil Dudka - 7.61.0-6 +- scp/sftp: fix infinite connect loop on invalid private key (#1595135) + +* Thu Aug 09 2018 Kamil Dudka - 7.61.0-5 - ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544) -* Tue Jun 05 2018 Kamil Dudka - 7.55.1-12 -- http2: handle GOAWAY properly (#1585797) +* Tue Aug 07 2018 Kamil Dudka - 7.61.0-4 +- relax crypto policy for the test-suite to make it pass again (#1610888) -* Fri May 18 2018 Kamil Dudka - 7.55.1-11 -- fix FTP shutdown response buffer overflow (CVE-2018-1000300) -- fix RTSP bad headers buffer over-read (CVE-2018-1000301) +* Tue Jul 31 2018 Kamil Dudka - 7.61.0-3 +- disable flaky test 1900, which covers deprecated HTTP pipelining +- adapt test 323 for updated OpenSSL -* Wed Mar 14 2018 Kamil Dudka - 7.55.1-10 -- fix FTP path trickery leads to NIL byte out of bounds write (CVE-2018-1000120) -- fix LDAP NULL pointer dereference (CVE-2018-1000121) -- fix RTSP RTP buffer over-read (CVE-2018-1000122) +* Thu Jul 12 2018 Fedora Release Engineering - 7.61.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild -* Wed Jan 24 2018 Kamil Dudka - 7.55.1-9 -- http2: fix incorrect trailer buffer size (CVE-2018-1000005) -- http: prevent custom Authorization headers in redirects (CVE-2018-1000007) +* Wed Jul 11 2018 Kamil Dudka - 7.61.0-1 +- new upstream release, which fixes the following vulnerability + 
CVE-2018-0500 - SMTP send heap buffer overflow -* Thu Nov 30 2017 Kamil Dudka - 7.55.1-8 -- fix NTLM buffer overflow via integer overflow (CVE-2017-8816) -- fix FTP wildcard out of bounds read (CVE-2017-8817) +* Tue Jul 10 2018 Kamil Dudka - 7.60.0-3 +- enable support for brotli compression in libcurl-full -* Mon Oct 23 2017 Kamil Dudka - 7.55.1-7 -- fix buffer overflow while processing IMAP FETCH response (CVE-2017-1000257) +* Wed Jul 04 2018 Kamil Dudka - 7.60.0-2 +- do not hard-wire path of the Python 3 interpreter -* Wed Oct 04 2017 Kamil Dudka - 7.55.1-6 -- fix out of bounds read in FTP PWD response parser (CVE-2017-1000254) +* Wed May 16 2018 Kamil Dudka - 7.60.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2018-1000300 - FTP shutdown response buffer overflow + CVE-2018-1000301 - RTSP bad headers buffer over-read + +* Thu Mar 15 2018 Kamil Dudka - 7.59.0-3 +- make the test-suite use Python 3 + +* Wed Mar 14 2018 Kamil Dudka - 7.59.0-2 +- ftp: fix typo in recursive callback detection for seeking + +* Wed Mar 14 2018 Kamil Dudka - 7.59.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2018-1000120 - FTP path trickery leads to NIL byte out of bounds write + CVE-2018-1000121 - LDAP NULL pointer dereference + CVE-2018-1000122 - RTSP RTP buffer over-read + +* Mon Mar 12 2018 Kamil Dudka - 7.58.0-8 +- http2: mark the connection for close on GOAWAY + +* Mon Feb 19 2018 Paul Howarth - 7.58.0-7 +- Add explicity-used build requirements +- Fix libcurl soname version number in %%files list to avoid accidental soname + bumps + +* Thu Feb 15 2018 Paul Howarth - 7.58.0-6 +- switch to %%ldconfig_scriptlets +- drop legacy BuildRoot: and Group: tags +- enforce versioned libssh dependency for libcurl + +* Tue Feb 13 2018 Kamil Dudka - 7.58.0-5 +- drop temporary workaround for #1540549 + +* Wed Feb 07 2018 Fedora Release Engineering - 7.58.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Jan 
31 2018 Kamil Dudka - 7.58.0-3 +- temporarily work around internal compiler error on x86_64 (#1540549) +- disable brp-ldconfig to make RemovePathPostfixes work with shared libs again + +* Wed Jan 24 2018 Andreas Schneider - 7.58.0-2 +- use libssh (instead of libssh2) to implement SCP/SFTP in libcurl (#1531483) + +* Wed Jan 24 2018 Kamil Dudka - 7.58.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2018-1000005 - curl: HTTP/2 trailer out-of-bounds read + CVE-2018-1000007 - curl: HTTP authentication leak in redirects + +* Wed Nov 29 2017 Kamil Dudka - 7.57.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2017-8816 - curl: NTLM buffer overflow via integer overflow + CVE-2017-8817 - curl: FTP wildcard out of bounds read + CVE-2017-8818 - curl: SSL out of buffer access + +* Mon Oct 23 2017 Kamil Dudka - 7.56.1-1 +- new upstream release (fixes CVE-2017-1000257) + +* Wed Oct 04 2017 Kamil Dudka - 7.56.0-1 +- new upstream release (fixes CVE-2017-1000254) * Mon Aug 28 2017 Kamil Dudka - 7.55.1-5 - apply the patch for the previous commit and fix its name (#1485702) 
@@ -752,881 +1482,3 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la * Wed Feb 06 2013 Kamil Dudka 7.29.0-1 - new upstream release (fixes CVE-2013-0249) - -* Tue Jan 15 2013 Kamil Dudka 7.28.1-3 -- require valgrind for build only on i386 and x86_64 (#886891) - -* Tue Jan 15 2013 Kamil Dudka 7.28.1-2 -- prevent NSS from crashing on client auth hook failure -- clear session cache if a client cert from file is used -- fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE - -* Tue Nov 20 2012 Kamil Dudka 7.28.1-1 -- new upstream release - -* Wed Oct 31 2012 Kamil Dudka 7.28.0-1 -- new upstream release - -* Mon Oct 01 2012 Kamil Dudka 7.27.0-3 -- use the upstream facility to disable problematic tests -- do not crash if MD5 fingerprint is not provided by libssh2 - -* Wed Aug 01 2012 Kamil Dudka 7.27.0-2 -- eliminate unnecessary inotify events on upload via file protocol (#844385) - -* Sat Jul 28 2012 Kamil Dudka 7.27.0-1 -- new upstream release - -* Mon Jul 23 2012 Kamil Dudka 7.26.0-6 -- print reason phrase from HTTP status line on error (#676596) - -* Wed Jul 18 2012 Fedora Release Engineering - 7.26.0-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Sat Jun 09 2012 Kamil Dudka 7.26.0-4 -- fix duplicated SSL handshake with multi interface and proxy (#788526) - -* Wed May 30 2012 Karsten Hopp 7.26.0-3 -- disable test 1319 on ppc64, server times out - -* Mon May 28 2012 Kamil Dudka 7.26.0-2 -- use human-readable error messages provided by NSS (upstream commit 72f4b534) - -* Fri May 25 2012 Kamil Dudka 7.26.0-1 -- new upstream release - -* Wed Apr 25 2012 Karsten Hopp 7.25.0-3 -- valgrind on ppc64 works fine, disable ppc32 only - -* Wed Apr 25 2012 Karsten Hopp 7.25.0-3 -- drop BR valgrind on PPC(64) until bugzilla #810992 gets fixed - -* Fri Apr 13 2012 Kamil Dudka 7.25.0-2 -- use NSS_InitContext() to initialize NSS if available (#738456) -- provide human-readable names for NSS errors (upstream commit a60edcc6) - -* Fri Mar 23 2012 Paul Howarth 
7.25.0-1 -- new upstream release (#806264) -- fix character encoding of docs with a patch rather than just iconv -- update debug and multilib patches -- don't use macros for commands -- reduce size of %%prep output for readability - -* Tue Jan 24 2012 Kamil Dudka 7.24.0-1 -- new upstream release (fixes CVE-2012-0036) - -* Thu Jan 05 2012 Paul Howarth 7.23.0-6 -- rebuild for gcc 4.7 - -* Mon Jan 02 2012 Kamil Dudka 7.23.0-5 -- upstream patch that allows to run FTPS tests with nss-3.13 (#760060) - -* Tue Dec 27 2011 Kamil Dudka 7.23.0-4 -- allow to run FTPS tests with nss-3.13 (#760060) - -* Sun Dec 25 2011 Kamil Dudka 7.23.0-3 -- avoid unnecessary timeout event when waiting for 100-continue (#767490) - -* Mon Nov 21 2011 Kamil Dudka 7.23.0-2 -- curl -JO now uses -O name if no C-D header comes (upstream commit c532604) - -* Wed Nov 16 2011 Kamil Dudka 7.23.0-1 -- new upstream release (#754391) - -* Mon Sep 19 2011 Kamil Dudka 7.22.0-2 -- nss: select client certificates by DER (#733657) - -* Tue Sep 13 2011 Kamil Dudka 7.22.0-1 -- new upstream release -- curl-config now provides dummy --static-libs option (#733956) - -* Sun Aug 21 2011 Paul Howarth 7.21.7-4 -- actually fix SIGSEGV of curl -O -J given more than one URL (#723075) - -* Mon Aug 15 2011 Kamil Dudka 7.21.7-3 -- fix SIGSEGV of curl -O -J given more than one URL (#723075) -- introduce the --delegation option of curl (#730444) -- initialize NSS with no database if the selected database is broken (#728562) - -* Wed Aug 03 2011 Kamil Dudka 7.21.7-2 -- add a new option CURLOPT_GSSAPI_DELEGATION (#719939) - -* Thu Jun 23 2011 Kamil Dudka 7.21.7-1 -- new upstream release (fixes CVE-2011-2192) - -* Wed Jun 08 2011 Kamil Dudka 7.21.6-2 -- avoid an invalid timeout event on a reused handle (#679709) - -* Sat Apr 23 2011 Paul Howarth 7.21.6-1 -- new upstream release - -* Mon Apr 18 2011 Kamil Dudka 7.21.5-2 -- fix the output of curl-config --version (upstream commit 82ecc85) - -* Mon Apr 18 2011 Kamil Dudka 7.21.5-1 -- 
new upstream release - -* Sat Apr 16 2011 Peter Robinson 7.21.4-4 -- no valgrind on ARMv5 arches - -* Sat Mar 05 2011 Dennis Gilmore 7.21.4-3 -- no valgrind on sparc arches - -* Tue Feb 22 2011 Kamil Dudka 7.21.4-2 -- do not ignore failure of SSL handshake (upstream commit 7aa2d10) - -* Fri Feb 18 2011 Kamil Dudka 7.21.4-1 -- new upstream release -- avoid memory leak on SSL connection failure (upstream commit a40f58d) -- work around valgrind bug (#678518) - -* Tue Feb 08 2011 Fedora Release Engineering - 7.21.3-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild - -* Wed Jan 12 2011 Kamil Dudka 7.21.3-2 -- build libcurl with --enable-hidden-symbols - -* Thu Dec 16 2010 Paul Howarth 7.21.3-1 -- update to 7.21.3: - - added --noconfigure switch to testcurl.pl - - added --xattr option - - added CURLOPT_RESOLVE and --resolve - - added CURLAUTH_ONLY - - added version-check.pl to the examples dir - - check for libcurl features for some command line options - - Curl_setopt: disallow CURLOPT_USE_SSL without SSL support - - http_chunks: remove debug output - - URL-parsing: consider ? 
a divider - - SSH: avoid using the libssh2_ prefix - - SSH: use libssh2_session_handshake() to work on win64 - - ftp: prevent server from hanging on closed data connection when stopping - a transfer before the end of the full transfer (ranges) - - LDAP: detect non-binary attributes properly - - ftp: treat server's response 421 as CURLE_OPERATION_TIMEDOUT - - gnutls->handshake: improved timeout handling - - security: pass the right parameter to init - - krb5: use GSS_ERROR to check for error - - TFTP: resend the correct data - - configure: fix autoconf 2.68 warning: no AC_LANG_SOURCE call detected - - GnuTLS: now detects socket errors on Windows - - symbols-in-versions: updated en masse - - added a couple of examples that were missing from the tarball - - Curl_send/recv_plain: return errno on failure - - Curl_wait_for_resolv (for c-ares): correct timeout - - ossl_connect_common: detect connection re-use - - configure: prevent link errors with --librtmp - - openldap: use remote port in URL passed to ldap_init_fd() - - url: provide dead_connection flag in Curl_handler::disconnect - - lots of compiler warning fixes - - ssh: fix a download resume point calculation - - fix getinfo CURLINFO_LOCAL* for reused connections - - multi: the returned running handles counter could turn negative - - multi: only ever consider pipelining for connections doing HTTP(S) -- drop upstream patches now in tarball -- update bz650255 and disable-test1112 patches to apply against new codebase -- add workaround for false-positive glibc-detected buffer overflow in tftpd - test server with FORTIFY_SOURCE (similar to #515361) - -* Fri Nov 12 2010 Kamil Dudka 7.21.2-5 -- do not send QUIT to a dead FTP control connection (#650255) -- pull back glibc's implementation of str[n]casecmp(), #626470 appears fixed - -* Tue Nov 09 2010 Kamil Dudka 7.21.2-4 -- prevent FTP client from hanging on unrecognized ABOR response (#649347) -- return more appropriate error code in case FTP server session idle - 
timeout has exceeded (#650255) - -* Fri Oct 29 2010 Kamil Dudka 7.21.2-3 -- prevent FTP server from hanging on closed data connection (#643656) - -* Thu Oct 14 2010 Paul Howarth 7.21.2-2 -- enforce versioned libssh2 dependency for libcurl (#642796) - -* Wed Oct 13 2010 Kamil Dudka 7.21.2-1 -- new upstream release, drop applied patches -- make 0102-curl-7.21.2-debug.patch less intrusive - -* Wed Sep 29 2010 jkeating - 7.21.1-6 -- Rebuilt for gcc bug 634757 - -* Sat Sep 11 2010 Kamil Dudka 7.21.1-5 -- make it possible to run SCP/SFTP tests on x86_64 (#632914) - -* Tue Sep 07 2010 Kamil Dudka 7.21.1-4 -- work around glibc/valgrind problem on x86_64 (#631449) - -* Tue Aug 24 2010 Paul Howarth 7.21.1-3 -- fix up patches so there's no need to run autotools in the rpm build -- drop buildreq automake -- drop dependency on automake for devel package from F-14, where - %%{_datadir}/aclocal is included in the filesystem package -- drop dependency on pkgconfig for devel package from F-11, where - pkgconfig dependencies are auto-generated - -* Mon Aug 23 2010 Kamil Dudka 7.21.1-2 -- re-enable test575 on s390(x), already fixed (upstream commit d63bdba) -- modify system headers to work around gcc bug (#617757) -- curl -T now ignores file size of special files (#622520) -- fix kerberos proxy authentication for https (#625676) -- work around glibc/valgrind problem on x86_64 (#626470) - -* Thu Aug 12 2010 Kamil Dudka 7.21.1-1 -- new upstream release - -* Mon Jul 12 2010 Dan Horák 7.21.0-3 -- disable test 575 on s390(x) - -* Mon Jun 28 2010 Kamil Dudka 7.21.0-2 -- add support for NTLM authentication (#603783) - -* Wed Jun 16 2010 Kamil Dudka 7.21.0-1 -- new upstream release, drop applied patches -- update of %%description -- disable valgrind for certain test-cases (libssh2 problem) - -* Tue May 25 2010 Kamil Dudka 7.20.1-6 -- fix -J/--remote-header-name to strip CR-LF (upstream patch) - -* Wed Apr 28 2010 Kamil Dudka 7.20.1-5 -- CRL support now works again (#581926) -- make it 
possible to start a testing OpenSSH server when building with SELinux - in the enforcing mode (#521087) - -* Sat Apr 24 2010 Kamil Dudka 7.20.1-4 -- upstream patch preventing failure of test536 with threaded DNS resolver -- upstream patch preventing SSL handshake timeout underflow - -* Thu Apr 22 2010 Paul Howarth 7.20.1-3 -- replace Rawhide s390-sleep patch with a more targeted patch adding a - delay after tests 513 and 514 rather than after all tests - -* Wed Apr 21 2010 Kamil Dudka 7.20.1-2 -- experimentally enabled threaded DNS lookup -- make curl-config multilib ready again (#584107) - -* Mon Apr 19 2010 Kamil Dudka 7.20.1-1 -- new upstream release - -* Tue Mar 23 2010 Kamil Dudka 7.20.0-4 -- add missing quote in libcurl.m4 (#576252) - -* Fri Mar 19 2010 Kamil Dudka 7.20.0-3 -- throw CURLE_SSL_CERTPROBLEM in case peer rejects a certificate (#565972) -- valgrind temporarily disabled (#574889) -- kerberos installation prefix has been changed - -* Wed Feb 24 2010 Kamil Dudka 7.20.0-2 -- exclude test1112 from the test suite (#565305) - -* Thu Feb 11 2010 Kamil Dudka 7.20.0-1 -- new upstream release - added support for IMAP(S), POP3(S), SMTP(S) and RTSP -- dropped patches applied upstream -- dropped curl-7.16.0-privlibs.patch no longer useful -- a new patch forcing -lrt when linking the curl tool and test-cases - -* Fri Jan 29 2010 Kamil Dudka 7.19.7-11 -- upstream patch adding a new option -J/--remote-header-name -- dropped temporary workaround for #545779 - -* Thu Jan 14 2010 Chris Weyl 7.19.7-10 -- bump for libssh2 rebuild - -* Sun Dec 20 2009 Kamil Dudka 7.19.7-9 -- temporary workaround for #548269 - (restored behavior of 7.19.7-4) - -* Wed Dec 09 2009 Kamil Dudka 7.19.7-8 -- replace hard wired port numbers in the test suite - -* Wed Dec 09 2009 Kamil Dudka 7.19.7-7 -- use different port numbers for 32bit and 64bit builds -- temporary workaround for #545779 - -* Tue Dec 08 2009 Kamil Dudka 7.19.7-6 -- make it possible to run test241 -- re-enable SCP/SFTP tests 
(#539444) - -* Sat Dec 05 2009 Kamil Dudka 7.19.7-5 -- avoid use of uninitialized value in lib/nss.c -- suppress failure of test513 on s390 - -* Tue Dec 01 2009 Kamil Dudka 7.19.7-4 -- do not require valgrind on s390 and s390x -- temporarily disabled SCP/SFTP test-suite (#539444) - -* Thu Nov 12 2009 Kamil Dudka 7.19.7-3 -- fix crash on doubly closed NSPR descriptor, patch contributed - by Kevin Baughman (#534176) -- new version of patch for broken TLS servers (#525496, #527771) - -* Wed Nov 04 2009 Kamil Dudka 7.19.7-2 -- increased release number (CVS problem) - -* Wed Nov 04 2009 Kamil Dudka 7.19.7-1 -- new upstream release, dropped applied patches -- workaround for broken TLS servers (#525496, #527771) - -* Wed Oct 14 2009 Kamil Dudka 7.19.6-13 -- fix timeout issues and gcc warnings within lib/nss.c - -* Tue Oct 06 2009 Kamil Dudka 7.19.6-12 -- upstream patch for NSS support written by Guenter Knauf - -* Wed Sep 30 2009 Kamil Dudka 7.19.6-11 -- build libcurl with c-ares support (#514771) - -* Sun Sep 27 2009 Kamil Dudka 7.19.6-10 -- require libssh2>=1.2 properly (#525002) - -* Sat Sep 26 2009 Kamil Dudka 7.19.6-9 -- let curl test-suite use valgrind -- require libssh2>=1.2 (#525002) - -* Mon Sep 21 2009 Chris Weyl - 7.19.6-8 -- rebuild for libssh2 1.2 - -* Thu Sep 17 2009 Kamil Dudka 7.19.6-7 -- make curl test-suite more verbose - -* Wed Sep 16 2009 Kamil Dudka 7.19.6-6 -- update polling patch to the latest upstream version - -* Thu Sep 03 2009 Kamil Dudka 7.19.6-5 -- cover ssh and stunnel support by the test-suite - -* Wed Sep 02 2009 Kamil Dudka 7.19.6-4 -- use pkg-config to find nss and libssh2 if possible -- better patch (not only) for SCP/SFTP polling -- improve error message for not matching common name (#516056) - -* Fri Aug 21 2009 Kamil Dudka 7.19.6-3 -- avoid tight loop during a sftp upload -- http://permalink.gmane.org/gmane.comp.web.curl.library/24744 - -* Tue Aug 18 2009 Kamil Dudka 7.19.6-2 -- let curl package depend on the same version of libcurl - 
-* Fri Aug 14 2009 Kamil Dudka 7.19.6-1 -- new upstream release, dropped applied patches -- changed NSS code to not ignore the value of ssl.verifyhost and produce more - verbose error messages (#516056) - -* Wed Aug 12 2009 Ville Skyttä - 7.19.5-10 -- Use lzma compressed upstream tarball. - -* Fri Jul 24 2009 Fedora Release Engineering - 7.19.5-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Wed Jul 22 2009 Kamil Dudka 7.19.5-8 -- do not pre-login to all PKCS11 slots, it causes problems with HW tokens -- try to select client certificate automatically when not specified, thanks - to Claes Jakobsson - -* Fri Jul 10 2009 Kamil Dudka 7.19.5-7 -- fix SIGSEGV when using NSS client certificates, thanks to Claes Jakobsson - -* Sun Jul 05 2009 Kamil Dudka 7.19.5-6 -- force test suite to use the just built libcurl, thanks to Paul Howarth - -* Thu Jul 02 2009 Kamil Dudka 7.19.5-5 -- run test suite after build -- enable built-in manual - -* Wed Jun 24 2009 Kamil Dudka 7.19.5-4 -- fix bug introduced by the last build (#504857) - -* Wed Jun 24 2009 Kamil Dudka 7.19.5-3 -- exclude curlbuild.h content from spec (#504857) - -* Wed Jun 10 2009 Kamil Dudka 7.19.5-2 -- avoid unguarded comparison in the spec file, thanks to R P Herrold (#504857) - -* Tue May 19 2009 Kamil Dudka 7.19.5-1 -- update to 7.19.5, dropped applied patches - -* Mon May 11 2009 Kamil Dudka 7.19.4-11 -- fix infinite loop while loading a private key, thanks to Michael Cronenworth - (#453612) - -* Mon Apr 27 2009 Kamil Dudka 7.19.4-10 -- fix curl/nss memory leaks while using client certificate (#453612, accepted - by upstream) - -* Wed Apr 22 2009 Kamil Dudka 7.19.4-9 -- add missing BuildRequire for autoconf - -* Wed Apr 22 2009 Kamil Dudka 7.19.4-8 -- fix configure.ac to not discard -g in CFLAGS (#496778) - -* Tue Apr 21 2009 Debarshi Ray 7.19.4-7 -- Fixed configure to respect the environment's CFLAGS and CPPFLAGS settings. 
- -* Tue Apr 14 2009 Kamil Dudka 7.19.4-6 -- upstream patch fixing memory leak in lib/nss.c (#453612) -- remove redundant dependency of libcurl-devel on libssh2-devel - -* Wed Mar 18 2009 Kamil Dudka 7.19.4-5 -- enable 6 additional crypto algorithms by default (#436781, - accepted by upstream) - -* Thu Mar 12 2009 Kamil Dudka 7.19.4-4 -- fix memory leak in src/main.c (accepted by upstream) -- avoid using %%ifarch - -* Wed Mar 11 2009 Kamil Dudka 7.19.4-3 -- make libcurl-devel multilib-ready (bug #488922) - -* Fri Mar 06 2009 Jindrich Novy 7.19.4-2 -- drop .easy-leak patch, causes problems in pycurl (#488791) -- fix libcurl-devel dependencies (#488895) - -* Tue Mar 03 2009 Jindrich Novy 7.19.4-1 -- update to 7.19.4 (fixes CVE-2009-0037) -- fix leak in curl_easy* functions, thanks to Kamil Dudka -- drop nss-fix patch, applied upstream - -* Tue Feb 24 2009 Fedora Release Engineering - 7.19.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - -* Tue Feb 17 2009 Kamil Dudka 7.19.3-1 -- update to 7.19.3, dropped applied nss patches -- add patch fixing 7.19.3 curl/nss bugs - -* Mon Dec 15 2008 Jindrich Novy 7.18.2-9 -- rebuild for f10/rawhide cvs tag clashes - -* Sat Dec 06 2008 Jindrich Novy 7.18.2-8 -- use improved NSS patch, thanks to Rob Crittenden (#472489) - -* Tue Sep 09 2008 Jindrich Novy 7.18.2-7 -- update the thread safety patch, thanks to Rob Crittenden (#462217) - -* Wed Sep 03 2008 Warren Togami 7.18.2-6 -- add thread safety to libcurl NSS cleanup() functions (#459297) - -* Fri Aug 22 2008 Tom "spot" Callaway 7.18.2-5 -- undo mini libcurl.so.3 - -* Mon Aug 11 2008 Tom "spot" Callaway 7.18.2-4 -- make miniature library for libcurl.so.3 - -* Fri Jul 4 2008 Jindrich Novy 7.18.2-3 -- enable support for libssh2 (#453958) - -* Wed Jun 18 2008 Jindrich Novy 7.18.2-2 -- fix curl_multi_perform() over a proxy (#450140), thanks to - Rob Crittenden - -* Wed Jun 4 2008 Jindrich Novy 7.18.2-1 -- update to 7.18.2 - -* Wed May 7 2008 Jindrich Novy 
7.18.1-2 -- spec cleanup, thanks to Paul Howarth (#225671) - - drop BR: libtool - - convert CHANGES and README to UTF-8 - - _GNU_SOURCE in CFLAGS is no more needed - - remove bogus rpath - -* Mon Mar 31 2008 Jindrich Novy 7.18.1-1 -- update to curl 7.18.1 (fixes #397911) -- add ABI docs for libcurl -- remove --static-libs from curl-config -- drop curl-config patch, obsoleted by @SSL_ENABLED@ autoconf - substitution (#432667) - -* Fri Feb 15 2008 Jindrich Novy 7.18.0-2 -- define _GNU_SOURCE so that NI_MAXHOST gets defined from glibc - -* Mon Jan 28 2008 Jindrich Novy 7.18.0-1 -- update to curl-7.18.0 -- drop sslgen patch -> applied upstream -- fix typo in description - -* Tue Jan 22 2008 Jindrich Novy 7.17.1-6 -- fix curl-devel obsoletes so that we don't break F8->F9 upgrade - path (#429612) - -* Tue Jan 8 2008 Jindrich Novy 7.17.1-5 -- do not attempt to close a bad socket (#427966), - thanks to Caolan McNamara - -* Tue Dec 4 2007 Jindrich Novy 7.17.1-4 -- rebuild because of the openldap soname bump -- remove old nsspem patch - -* Fri Nov 30 2007 Jindrich Novy 7.17.1-3 -- drop useless ldap library detection since curl doesn't - dlopen()s it but links to it -> BR: openldap-devel -- enable LDAPS support (#225671), thanks to Paul Howarth -- BR: krb5-devel to reenable GSSAPI support -- simplify build process -- update description - -* Wed Nov 21 2007 Jindrich Novy 7.17.1-2 -- update description to contain complete supported servers list (#393861) - -* Sat Nov 17 2007 Jindrich Novy 7.17.1-1 -- update to curl 7.17.1 -- include patch to enable SSL usage in NSS when a socket is opened - nonblocking, thanks to Rob Crittenden (rcritten@redhat.com) - -* Wed Oct 24 2007 Jindrich Novy 7.16.4-10 -- correctly provide/obsolete curl-devel (#130251) - -* Wed Oct 24 2007 Jindrich Novy 7.16.4-9 -- create libcurl and libcurl-devel subpackages (#130251) - -* Thu Oct 11 2007 Jindrich Novy 7.16.4-8 -- list features correctly when curl is compiled against NSS (#316191) - -* Mon Sep 17 2007 
Jindrich Novy 7.16.4-7 -- add zlib-devel BR to enable gzip compressed transfers in curl (#292211) - -* Mon Sep 10 2007 Jindrich Novy 7.16.4-6 -- provide webclient (#225671) - -* Thu Sep 6 2007 Jindrich Novy 7.16.4-5 -- add support for the NSS PKCS#11 pem reader so the command-line is the - same for both OpenSSL and NSS by Rob Crittenden (rcritten@redhat.com) -- switch to NSS again - -* Mon Sep 3 2007 Jindrich Novy 7.16.4-4 -- revert back to use OpenSSL (#266021) - -* Mon Aug 27 2007 Jindrich Novy 7.16.4-3 -- don't use openssl, use nss instead - -* Fri Aug 10 2007 Jindrich Novy 7.16.4-2 -- fix anonymous ftp login (#251570), thanks to David Cantrell - -* Wed Jul 11 2007 Jindrich Novy 7.16.4-1 -- update to 7.16.4 - -* Mon Jun 25 2007 Jindrich Novy 7.16.3-1 -- update to 7.16.3 -- drop .print patch, applied upstream -- next series of merge review fixes by Paul Howarth -- remove aclocal stuff, no more needed -- simplify makefile arguments -- don't reference standard library paths in libcurl.pc -- include docs/CONTRIBUTE - -* Mon Jun 18 2007 Jindrich Novy 7.16.2-5 -- don't print like crazy (#236981), backported from upstream CVS - -* Fri Jun 15 2007 Jindrich Novy 7.16.2-4 -- another series of review fixes (#225671), - thanks to Paul Howarth -- check version of ldap library automatically -- don't use %%makeinstall and preserve timestamps -- drop useless patches - -* Fri May 11 2007 Jindrich Novy 7.16.2-3 -- add automake BR to curl-devel to fix aclocal dir. 
ownership, - thanks to Patrice Dumas - -* Thu May 10 2007 Jindrich Novy 7.16.2-2 -- package libcurl.m4 in curl-devel (#239664), thanks to Quy Tonthat - -* Wed Apr 11 2007 Jindrich Novy 7.16.2-1 -- update to 7.16.2 - -* Mon Feb 19 2007 Jindrich Novy 7.16.1-3 -- don't create/ship static libraries (#225671) - -* Mon Feb 5 2007 Jindrich Novy 7.16.1-2 -- merge review related spec fixes (#225671) - -* Mon Jan 29 2007 Jindrich Novy 7.16.1-1 -- update to 7.16.1 - -* Tue Jan 16 2007 Jindrich Novy 7.16.0-5 -- don't package generated makefiles for docs/examples to avoid - multilib conflicts - -* Mon Dec 18 2006 Jindrich Novy 7.16.0-4 -- convert spec to UTF-8 -- don't delete BuildRoot in %%prep phase -- rpmlint fixes - -* Thu Nov 16 2006 Jindrich Novy -7.16.0-3 -- prevent curl from dlopen()ing missing ldap libraries so that - ldap:// requests work (#215928) - -* Tue Oct 31 2006 Jindrich Novy - 7.16.0-2 -- fix BuildRoot -- add Requires: pkgconfig for curl-devel -- move LDFLAGS and LIBS to Libs.private in libcurl.pc.in (#213278) - -* Mon Oct 30 2006 Jindrich Novy - 7.16.0-1 -- update to curl-7.16.0 - -* Thu Aug 24 2006 Jindrich Novy - 7.15.5-1.fc6 -- update to curl-7.15.5 -- use %%{?dist} - -* Fri Jun 30 2006 Ivana Varekova - 7.15.4-1 -- update to 7.15.4 - -* Mon Mar 20 2006 Ivana Varekova - 7.15.3-1 -- fix multilib problem using pkg-config -- update to 7.15.3 - -* Thu Feb 23 2006 Ivana Varekova - 7.15.1-2 -- fix multilib problem - #181290 - - curl-devel.i386 not installable together with curl-devel.x86-64 - -* Fri Feb 10 2006 Jesse Keating - 7.15.1-1.2.1 -- bump again for double-long bug on ppc(64) - -* Tue Feb 07 2006 Jesse Keating - 7.15.1-1.2 -- rebuilt for new gcc4.1 snapshot and glibc changes - -* Fri Dec 09 2005 Jesse Keating -- rebuilt - -* Thu Dec 8 2005 Ivana Varekova 7.15.1-1 -- update to 7.15.1 (bug 175191) - -* Wed Nov 30 2005 Ivana Varekova 7.15.0-3 -- fix curl-config bug 174556 - missing vernum value - -* Wed Nov 9 2005 Ivana Varekova 7.15.0-2 -- rebuilt - -* Tue 
Oct 18 2005 Ivana Varekova 7.15.0-1 -- update to 7.15.0 - -* Thu Oct 13 2005 Ivana Varekova 7.14.1-1 -- update to 7.14.1 - -* Thu Jun 16 2005 Ivana Varekova 7.14.0-1 -- rebuild new version - -* Tue May 03 2005 Ivana Varekova 7.13.1-3 -- fix bug 150768 - curl-7.12.3-2 breaks basic authentication - used Daniel Stenberg patch - -* Mon Apr 25 2005 Joe Orton 7.13.1-2 -- update to use ca-bundle in /etc/pki -- mark License as MIT not MPL - -* Wed Mar 9 2005 Ivana Varekova 7.13.1-1 -- rebuilt (7.13.1) - -* Tue Mar 1 2005 Tomas Mraz 7.13.0-2 -- rebuild with openssl-0.9.7e - -* Sun Feb 13 2005 Florian La Roche -- 7.13.0 - -* Wed Feb 9 2005 Joe Orton 7.12.3-3 -- don't pass /usr to --with-libidn to remove "-L/usr/lib" from - 'curl-config --libs' output on x86_64. - -* Fri Jan 28 2005 Adrian Havill 7.12.3-1 -- Upgrade to 7.12.3, which uses poll() for FDSETSIZE limit (#134794) -- require libidn-devel for devel subpkg (#141341) -- remove proftpd kludge; included upstream - -* Wed Oct 06 2004 Adrian Havill 7.12.1-1 -- upgrade to 7.12.1 -- enable GSSAPI auth (#129353) -- enable I18N domain names (#134595) -- workaround for broken ProFTPD SSL auth (#134133). 
Thanks to - Aleksandar Milivojevic - -* Wed Sep 29 2004 Adrian Havill 7.12.0-4 -- move new docs position so defattr gets applied - -* Mon Sep 27 2004 Warren Togami 7.12.0-3 -- remove INSTALL, move libcurl docs to -devel - -* Mon Jul 26 2004 Jindrich Novy -- updated to 7.12.0 -- updated nousr patch - -* Tue Jun 15 2004 Elliot Lee -- rebuilt - -* Wed Apr 07 2004 Adrian Havill 7.11.1-1 -- upgraded; updated nousr patch -- added COPYING (#115956) -- - -* Tue Mar 02 2004 Elliot Lee -- rebuilt - -* Fri Feb 13 2004 Elliot Lee -- rebuilt - -* Sat Jan 31 2004 Florian La Roche -- update to 7.10.8 -- remove patch2, already upstream - -* Wed Oct 15 2003 Adrian Havill 7.10.6-7 -- aclocal before libtoolize -- move OpenLDAP license so it's present as a doc file, present in - both the source and binary as per conditions - -* Mon Oct 13 2003 Adrian Havill 7.10.6-6 -- add OpenLDAP copyright notice for usage of code, add OpenLDAP - license for this code - -* Tue Oct 07 2003 Adrian Havill 7.10.6-5 -- match serverAltName certs with SSL (#106168) - -* Tue Sep 16 2003 Adrian Havill 7.10.6-4.1 -- bump n-v-r for RHEL - -* Tue Sep 16 2003 Adrian Havill 7.10.6-4 -- restore ca cert bundle (#104400) -- require openssl, we want to use its ca-cert bundle - -* Sun Sep 7 2003 Joe Orton 7.10.6-3 -- rebuild - -* Fri Sep 5 2003 Joe Orton 7.10.6-2.2 -- fix to include libcurl.so - -* Mon Aug 25 2003 Adrian Havill 7.10.6-2.1 -- bump n-v-r for RHEL - -* Mon Aug 25 2003 Adrian Havill 7.10.6-2 -- devel subpkg needs openssl-devel as a Require (#102963) - -* Mon Jul 28 2003 Adrian Havill 7.10.6-1 -- bumped version - -* Tue Jul 01 2003 Adrian Havill 7.10.5-1 -- bumped version - -* Wed Jun 04 2003 Elliot Lee -- rebuilt - -* Sat Apr 12 2003 Florian La Roche -- update to 7.10.4 -- adapt nousr patch - -* Wed Jan 22 2003 Tim Powers -- rebuilt - -* Tue Jan 21 2003 Joe Orton 7.9.8-4 -- don't add -L/usr/lib to 'curl-config --libs' output - -* Tue Jan 7 2003 Nalin Dahyabhai 7.9.8-3 -- rebuild - -* Wed Nov 6 2002 Joe 
Orton 7.9.8-2 -- fix `curl-config --libs` output for libdir!=/usr/lib -- remove docs/LIBCURL from docs list; remove unpackaged libcurl.la -- libtoolize and reconf - -* Mon Jul 22 2002 Trond Eivind Glomsrød 7.9.8-1 -- 7.9.8 (# 69473) - -* Fri Jun 21 2002 Tim Powers -- automated rebuild - -* Sun May 26 2002 Tim Powers -- automated rebuild - -* Thu May 16 2002 Trond Eivind Glomsrød 7.9.7-1 -- 7.9.7 - -* Wed Apr 24 2002 Trond Eivind Glomsrød 7.9.6-1 -- 7.9.6 - -* Thu Mar 21 2002 Trond Eivind Glomsrød 7.9.5-2 -- Stop the curl-config script from printing -I/usr/include - and -L/usr/lib (#59497) - -* Fri Mar 8 2002 Trond Eivind Glomsrød 7.9.5-1 -- 7.9.5 - -* Tue Feb 26 2002 Trond Eivind Glomsrød 7.9.3-2 -- Rebuild - -* Wed Jan 23 2002 Nalin Dahyabhai 7.9.3-1 -- update to 7.9.3 - -* Wed Jan 09 2002 Tim Powers 7.9.2-2 -- automated rebuild - -* Wed Jan 9 2002 Trond Eivind Glomsrød 7.9.2-1 -- 7.9.2 - -* Fri Aug 17 2001 Nalin Dahyabhai -- include curl-config in curl-devel -- update to 7.8 to fix memory leak and strlcat() symbol pollution from libcurl - -* Wed Jul 18 2001 Crutcher Dunnavant -- added openssl-devel build req - -* Mon May 21 2001 Tim Powers -- built for the distro - -* Tue Apr 24 2001 Jeff Johnson -- upgrade to curl-7.7.2. -- enable IPv6. - -* Fri Mar 2 2001 Tim Powers -- rebuilt against openssl-0.9.6-1 - -* Thu Jan 4 2001 Tim Powers -- fixed mising ldconfigs -- updated to 7.5.2, bug fixes - -* Mon Dec 11 2000 Tim Powers -- updated to 7.5.1 - -* Mon Nov 6 2000 Tim Powers -- update to 7.4.1 to fix bug #20337, problems with curl -c -- not using patch anymore, it's included in the new source. 
Keeping - for reference - -* Fri Oct 20 2000 Nalin Dahyabhai -- fix bogus req in -devel package - -* Fri Oct 20 2000 Tim Powers -- devel package needed defattr so that root owns the files - -* Mon Oct 16 2000 Nalin Dahyabhai -- update to 7.3 -- apply vsprintf/vsnprintf patch from Colin Phipps via Debian - -* Mon Aug 21 2000 Nalin Dahyabhai -- enable SSL support -- fix packager tag -- move buildroot to %%{_tmppath} - -* Tue Aug 1 2000 Tim Powers -- fixed vendor tag for bug #15028 - -* Mon Jul 24 2000 Prospector -- rebuilt - -* Tue Jul 11 2000 Tim Powers -- workaround alpha build problems with optimizations - -* Mon Jul 10 2000 Tim Powers -- rebuilt - -* Mon Jun 5 2000 Tim Powers -- put man pages in correct place -- use %%makeinstall - -* Mon Apr 24 2000 Tim Powers -- updated to 6.5.2 - -* Wed Nov 3 1999 Tim Powers -- updated sources to 6.2 -- gzip man page - -* Mon Aug 30 1999 Tim Powers -- changed group - -* Thu Aug 26 1999 Tim Powers -- changelog started -- general cleanups, changed prefix to /usr, added manpage to files section -- including in Powertools diff --git a/mykey.asc b/mykey.asc new file mode 100644 index 0000000..0c77721 --- /dev/null +++ b/mykey.asc 
@@ -0,0 +1,77 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQGiBD6tnnoRBACRPnFBVoapBrTpPrCNZ2rq3DcmW6n/soQJW47+zP+vcrcxQ1WJ
+QiWSzLGO+QOIUZSYfnliR22r8HkFX9EUSW3IAcRMJMsaO3wMJ0a+78a9QqWLp6RV
+0arcQkuuCvG79h+yJ6NnoAXe1geRt8vNGsaWtsS91CtYlTSs6JVtaRLnYwCg/Ly1
+EFgvNZ6SJRc/8I5rRv0lrz8D/0goih2kZ5z4SI+r2hgABNcN7g565YwGKaQDbIch
+soh3OBzgETWc3wuAZqmCzQXPXMpMx+ziqX6XDzDKNiGL1CdrBJQd0II8UutWVDje
+f9UxLfo02YQ8diGYeq0u9k1RezC13w4TVUmQfg0Uqn4xM6DNzO1O6yCK8rlNwsvL
+gHNJA/9m1pfzjpvdxtmJNKRU3C4cRCjXhxNdM7laSEj0/wOGaR2QWWEge51orWwo
+SLQUIe4BDPvtRStQHC+tI7qr7d12rMMEBXviJC5EkGBOzlgWr9virjM/u/pkGMc2
+m5r3pVuWH/JSsHsV952y2kWP64uP4zdLXOpVzX/xs0sYJ9nOPLQnRGFuaWVsIFN0
+ZW5iZXJnIChIYXh4KSA8ZGFuaWVsQGhheHguc2U+iF4EExECAB4CHgECF4AFAlQU
+ki4FCwkIBwMFFQoJCAsFFgIDAQAACgkQeOEcayedXJEOOwCggCsNHdAQPAlPte3w
+i2IZEekkM0YAoOXXPFAWjUwIHjZY41l7WgzACbANiFkEExECABkFAj6tnnoECwcD
+AgMVAgMDFgIBAh4BAheAAAoJEHjhHGsnnVyRjngAoO1y3LoSOEgD8vR062cdYDmv
+jLvVAJ0dmp1UiuQp+oMyq2VbWyw8LXN1XLkBDQQ+rZ59EAQAmYsA8gPjJ75gOIPb
+XNg9Z31QzIz65qS9XdNsFNAdKxnY4b72nhc0oaS9/7Dcdf2Q+1mDa2p72DWk+9iz
+7knmBL++csBP2z9eMe5h8oV53prqNOHDHyL3WLOa25ga9381gZnzWoQME74iSBBM
+wDw8vbLEgIZ34JaQ7Oe+9N3+6n8AAwcD/Av+Ms+3gCc5pLp4nx36qqi36fodaG9+
+dwIcMbr9bivEtjmDHeuPsD6X1J9+Y/ikUBIDpMPv33lJxLoubOtpLhEuN2XN/ojT
+rueVPDKA1f+GyfHnyfpf/78IgX1hGVqu/3RBWKPpXFwSZA4q8vFR+FaPC5WbU68t
+FLJpYuC9ZO/LiEYEGBECAAYFAj6tnn0ACgkQeOEcayedXJGtPQCgxrbd59afemZ9
+OIadZD8kUGC29dUAoJ94aGUkWCwoEiPyEZRGXv9XRlfxmQENBFcGhyIBCAC79AIx
+5hHixKmNtqbryuZTDwlt9XXkEn/QSrQD3pzgbsbBiWyqOV4hfscvtmoqA7koOw4h
+zZ/b8pJPA36eNzqMFIbkWpIit/BwA5bTKRkKXeD2kBFkjIN+iDuXawwhv7eNKH9O
+poAUe0K/esK/kvbMO721q24IgkOjB1Vtr/Y4Xkg7+VWVP0LFh7C/2Nwq6n2bktsA
+Ey9uCDD1hl8BdckN/XxpuUqSfxbF85GvYzzON67zOxxo6jqRXXcJ2PdPq0o9Ak0d
+6Fe7g9ZxOAeuYEbFTCZHBBccx84K0Bhn5tpqoq8Mq3f3mZfGBoe4J6wr17cxEDC8
+tTHUpDqk0CoLERUxABEBAAG0IERhbmllbCBTdGVuYmVyZyA8ZGFuaWVsQGhheHgu
+c2U+iQE3BBMBCgAhBQJXBociAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJ
+EPn+r/nTShvbHoAIAJDwb7dcAX4VGPa2oSuQqVnHsjDE7g8ATmcZq2IAzAG6bZg1
+svuhNyPQnL7kNrsz6Ew+yE4vH8mOjDUbc3feY4MzmtEMaB6VS0Xlna6cdtWkv4Y+
+Us4TuYSdftPZuZgI3nN/sXLlxWJCZgCPJJaGM6dXgyTFatk2P1LE98Qif7+ZMqfv
++BA5L6cy2cAwJ5qbvLtuT25rTxooN54JETfwdhUD1NEIqTQxeC4E5lFvwedjAjLh
+Gswau8WMCdM/HzGbuQ9Gp3/RafYoAvMV6r6sskvUrWubCHj0u+uNgOpUHvlrwcFg
+rBirzQdElumCWqbJVCH0V5NcP/zSz1U1W8wSRqS5AQ0EVwaHIgEIALyCqpnax0cL
+y7EK3UiU2Kkryb7LPsZkia9hTcIZjNg0B8XAdqDYpHiquYtX0cz5I1sSZMBJ/xJP
+BF2ce/bmOTJtyW3GaF9a+M2zboZSzx9nlv9xx0o3bXBrBlL2vaG2TW+x2G53GA0/
+0chbj35PR+fvJx8ob/fHwCkfzGb1qCzwovhwGVUNHqI5bxK/xVwXfiycbllE3Hmf
+09BGeXKR7gQtaal8byKKlqCtayteEaPNQt6czYxZkVAOvY4ZDQKSZJUNwGFog3bG
+6rHr1J/0un6nAvX+wMuvRkUDiQxZZCel7e0Qcg3gPrYh+adlr0Tn7wyCP7/BULz8
+67fQfzc2ENkAEQEAAYkBHwQYAQoACQUCVwaHIgIbDAAKCRD5/q/500ob27KaB/9H
+a+iDip6mxFdoqy7TAefBy7KgbMQxxT926IcFqf70aJDzeVQI3lGCqN9GW03d+wPr
+LoyeQBQKNxxfQ9fEOvp1AXGWFIYYtEZIvQBpIqaSaA7W5IzqfDuO9xG89DNn8zKK
+nh/mbYJov/fywhBU6JH7bqdFSHbqoG9TY64s0BkV6shIVOubXLSG5G7LxXhw+xrb
+0zl4ie2wCeCBOLdbGHc+o2sKo1rBEz6UBK2DesPfkzxBO7lfa9HTcN03UJPHXmzb
+2mCbeFV8yPsTAoaGv4qZH1+FX+9Lv374xTSXa4CjQzSxd0dkZGG+YQjocoPftgsC
+OVsiqW0WhRVIEJ+hBAMUmQENBFcGiPEBCAC7sCnaZqWxfXNgBC7P28BSDUs9w4y/
+PEFsOv9bpgbgZagX1FnhG0eV71nm0p8v9T8Bft1eXaBd977Dq9pgk5qKO0xZo8fC
+8prFqB5db7fMUvPZCuJTTb6lGMz4OdfT6aHqUvJ+LFF1mKn8Eqt1Q4snHGSL1PI3
+/+435qDRQsU15GdYrj1waNJKk79aes9oguaI2/OTQqzIcOFK5tJjlSOD1ryOIH1e
+8vD+5MMpGvsRxv3sQHeTZkfZbkzSLFg/LKpoiQkyql1+BLNhBYq8oaE/jlvQrTEk
+bAyKpMScdyHwmkWWKjyZtXTrAtlComnki4yC2lAV9MXINHHvNJBcIXvVABEBAAG0
+IERhbmllbCBTdGVuYmVyZyA8ZGFuaWVsQGhheHguc2U+iQE3BBMBCgAhBQJXBojx
+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEFzJCP23HhLCOKkH/1CyoKiN
+2PCgTlWoYQspv/AAmsj+cFwZobI167KowA+o3zxQqxg0MV3ds8G+iig9OIuYurlQ
+L5Jr3CbDltaiXdWtVteRh/VKp61EwyXq77vjJbx81hvOuaXWWLSlU0KB3w7Hj6aD
+/mt16DpOcY9Aw90mKyvafRTqMF7TcT7J5HeGn2NL45dPkAhiMDEgEnw9yBTxK/x6
+UoQGPgiOWxSSN7Foj3mhUOflp8W0rnkLbJ4icpym6WuLKRMKAefDvk8GVlAWuXAb
+9gloL1P6u3uNHllq/IODR2bZUBI0QNKhvt0iSj7WKsc/kaqscl+AE9jd/6kXd6vh
+TNFWdzeco/2mGlaIRgQQEQoABgUCVwaJ/AAKCRB44RxrJ51ckWcaAKCJ6+arS/3k
+IMcO14Jz8dVf2BH3OACgwTenVSsK66qi+VfGCoALpzpiLDO5AQ0EVwaI8QEIAOxQ
+AEvF3idxcn80tbUhJg1J98fAS7Hx3WhlFG74uAikZQl1KZrprBu70RWTb7Nm1tvZ
+eXW65IlY7kk42bhfYDs1JrIPWOWKvVwKWDxoEbYgW/yvy1TOuXH276zbxLl5OEE8
+sQuOfXZsFSX2IPF9hsgNGaNzor8Ke7Y5BuCQLcGZWW5dLFbbKRKjXG8CaWmsJVoI
+c2nyXCAss2q9oCJ13X/5z+Ei392rwi1d3NxAYkSiDQan+fkWkCvZH+dHmFjQ1AND
+KielxcW1VfilK1hu9ziBBDf8TCEud/q0woIAH7rvIft4i3CqjymonByE4/OjfH8j
+4EteQ8qoknMCjjwNVqkAEQEAAYkBHwQYAQoACQUCVwaI8QIbDAAKCRBcyQj9tx4S
+wupjB/9TV4anbZK58bN7QJ5qGnU3GNjlvWFZXMw1u1xVc7abDJyqmFeJcJ4qLUkv
+BA0OsvlVnMWmeCmzsXhlQVM4Bv6IWyr7JBWgkK5q2CWVB59V7v7znf5kWnMGFhDF
+PlLsGbxDWLMoZGH+Iy84whMJFgferwCJy1dND/bHXPztfhvFXi8NNlJUFJa8Xtmu
+gm78C+nwNHcFpVC70HPr3oa8U1ODXMp7L8W/dL3eLYXmRCNd0urHgYrzDt6V/zf5
+ymvPk5w4HBocn2oRCJj/FXKhFAUptmpTE3g1yvYULmuFcNGAnPAExmAmd6NqsCmb
+j/qx4ytjt5uxt6Jm6IXV9cry8i6x
+=Phs/
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/sources b/sources
index 1002b5a..002e494 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
-SHA512 (curl-7.55.1.tar.xz) = 69f906655064b9cfef5b8763a893a658b25fcc4e595141ef122ac2b12158c5dc3b9535cb392f6f5af8346b6d495eb0609a08b5a6e638d4b10b82a15a0e8a7517
+SHA512 (curl-8.18.0.tar.xz) = 50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c
+SHA512 (curl-8.18.0.tar.xz.asc) = 07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152
diff --git a/tests/non-root-user-download/main.fmf b/tests/non-root-user-download/main.fmf
new file mode 100644
index 0000000..2e3980f
--- /dev/null
+++ b/tests/non-root-user-download/main.fmf
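Review bot: The keyring added as mykey.asc holds three public keys, and the first packet (`mQGiBD6tnnoR…`) decodes as a 1024-bit DSA key created in 2003, next to two 2048-bit RSA keys. If the spec checks the tarball's `.asc` against this whole file (the verification step is outside this hunk, so that is an assumption), a signature made with the old, weak key is accepted just like one from the current release key. Consider committing only the key upstream signs releases with, for example the output of `gpg --armor --export-options export-minimal --export <RELEASE_KEY_FINGERPRINT>`, and recording that full fingerprint and the place the key was fetched from in a comment next to the spec's source entry. The name `mykey.asc` also does not say whose key this is; an owner-specific name such as `curl-release-key.asc` (constructed example) would make later key rotations easier to review.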
@@ -0,0 +1,18 @@ +summary: various download methods with non-root user +description: '' +contact: Daniel Rusek +component: + - curl +require: + - findutils + - libselinux-utils + - openssh-clients + - openssh-server + - passwd +test: ./runtest.sh +framework: beakerlib +duration: 5m +enabled: true +tier: '1' +link: + - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1049921 diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh new file mode 100755 index 0000000..0d72276 --- /dev/null +++ b/tests/non-root-user-download/runtest.sh 
@@ -0,0 +1,93 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/curl/Sanity/non-root-user-download
+# Description: various download methods with non-root user
+# Author: Karel Srot
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="curl"
+
+FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM
+HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM
+CONTENT=1bd6ab4798983c2fe4a210f9c4ca135fed453d6142ba852c1f8d5fba22e113ab
+PASSWORD=pAssw0rd
+OPTIONS=""
+rlIsRHEL 7 && OPTIONS="--insecure"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlRun "useradd -m curltester" 0 "Adding the test user"
+ rlRun "echo $PASSWORD | passwd --stdin curltester" 0 "Setting the password for the test user"
+ rlRun "su - curltester -c 'echo $CONTENT > ~/testfile'" 0 "Creating ~curltester/testfile"
+ rlFileBackup --clean --missing-ok $HOME/.ssh /etc/hosts
+ rlRun "rm -f $HOME/.ssh/*"
+ [ -d $HOME/.ssh ] || ( mkdir $HOME/.ssh && restorecon HOME/.ssh )
+ rlRun "rlServiceStart sshd"
+ rlRun "ssh-keyscan localhost >> $HOME/.ssh/known_hosts"
+ rlPhaseEnd
+
+ rlPhaseStartTest "http download"
+ rlRun "su - curltester -c 'curl $HTTP_URL' &> http.log"
+ cat http.log
+ rlAssertGrep "$CONTENT" http.log
+ rlPhaseEnd
+
+ rlPhaseStartTest "ftp download"
+ rlRun "su - curltester -c 'curl $FTP_URL' &> ftp.log"
+ cat ftp.log
+ rlAssertGrep "$CONTENT" ftp.log
+ rlPhaseEnd
+
+if ! rlIsRHEL 5; then
+# scp sftp not supported on RHEL5
+
+ rlPhaseStartTest "scp download"
+ rlRun "curl -u curltester:$PASSWORD $OPTIONS scp://localhost/home/curltester/testfile &> scp.log"
+ cat scp.log
+ rlAssertGrep "$CONTENT" scp.log
+ rlPhaseEnd
+
+ rlPhaseStartTest "sftp download"
+ rlRun "curl -u curltester:$PASSWORD $OPTIONS sftp://localhost/home/curltester/testfile &> sftp.log"
+ cat sftp.log
+ rlAssertGrep "$CONTENT" sftp.log
+ rlPhaseEnd
+
+fi
+
+ rlPhaseStartCleanup
+ rlRun "rlServiceRestore"
+ rlFileRestore
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlRun "userdel -r --force curltester"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
diff --git a/tests/scp-and-sftp-download-test/main.fmf b/tests/scp-and-sftp-download-test/main.fmf
new file mode 100644
index 0000000..b69aff6
--- /dev/null
+++ b/tests/scp-and-sftp-download-test/main.fmf
@@ -0,0 +1,20 @@
+summary: downloads test file through scp and sftp
+description: |
+ Test scenario:
+ - scp download
+ - sftp download
+ - scp upload
+ - sftp upload
+
+ When PUBKEY_PARAM global variable is set to 'empty' or 'none', scenarios are executed
+ with empty --pubkey parameter (--pubkey "") or with the paramiter omitted
+contact: Daniel Rusek
+require:
+ - findutils
+component:
+ - curl
+test: ./runtest.sh
+path: /tests/scp-and-sftp-download-test
+framework: beakerlib
+duration: 10m
+enabled: true
diff --git a/tests/scp-and-sftp-download-test/runtest.sh b/tests/scp-and-sftp-download-test/runtest.sh
new file mode 100755
index 0000000..9cf9a2c
--- /dev/null
+++ b/tests/scp-and-sftp-download-test/runtest.sh
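Review bot: In tests/non-root-user-download/runtest.sh the setup line `[ -d $HOME/.ssh ] || ( mkdir $HOME/.ssh && restorecon HOME/.ssh )` hands restorecon the literal relative path `HOME/.ssh`, so a freshly created directory presumably keeps whatever SELinux label mkdir gave it. Because the line is not wrapped in rlRun, the failure never reaches the journal either. The call should read `restorecon $HOME/.ssh`. The same setup phase sets the fixed password from `PASSWORD=pAssw0rd` on `curltester` and then starts sshd, so a run that aborts before the cleanup phase leaves a login account with a publicly known password on the test host; a per-run random value in `PASSWORD` would avoid that.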
@@ -0,0 +1,129 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/curl/Sanity/scp-and-sftp-download-test
+# Description: downloads test file through scp and sftp
+# Author: Karel Srot
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2012 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="curl"
+
+# GLOBAL/ENVIRONMENT VARIABLE:
+# PUBKEY_PARAM
+
+if [ "$PUBKEY_PARAM" == 'none' ]; then
+ PUBKEY_PARAM=""
+elif [ "$PUBKEY_PARAM" == 'empty' ]; then
+ PUBKEY_PARAM="--pubkey ''"
+else
+ PUBKEY_PARAM='--pubkey /root/.ssh/id_rsa.pub'
+fi
+
+FILESIZE=200 #MB
+OPTIONS=""
+rlIsRHEL 7 && OPTIONS="--insecure"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ rlFileBackup --clean /root/.ssh/known_hosts /root/.ssh
+ rlFileBackup --clean /etc/ssh/sshd_config
+ rlRun "useradd -m curltestuser"
+
+ # In FIPS-140 we need to explicitly allow one of libssh2-implemented
+ # Kex algorithms (eg. DH14-SHA1).
+ rlRun "echo 'KexAlgorithms +diffie-hellman-group14-sha1' >> /etc/ssh/sshd_config" 0
+ rlServiceStop "sshd"
+ rlRun "service sshd start && sleep 5" 0
+
+ # file for download test
+ rlRun "su - curltestuser -c 'dd if=/dev/zero of=testfile bs=1M count=200'" 0 "Creating $FILESIZE MB large test file"
+ SUM=`sha256sum /home/curltestuser/testfile | cut -d ' ' -f 1`
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlRun "rm -vf /root/.ssh/*"
+ rlRun "ssh-keygen -t rsa -f /root/.ssh/id_rsa -N ''" 0 "Generate ssh key"
+ rlRun "mkdir /home/curltestuser/.ssh && cat /root/.ssh/id_rsa.pub > /home/curltestuser/.ssh/authorized_keys && chown -R curltestuser.curltestuser /home/curltestuser/.ssh/" 0 "Save the key to .ssh/authorized_keys"
+
+ # this is a workaround as libssh2 is not able to use newer hashes
+ #rlRun "ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/root/.ssh/known_hosts curltestuser@localhost 'exit'" 0 "First ssh login to add localhost to known_hosts"
+ rlRun "ssh-keyscan localhost >>/root/.ssh/known_hosts"
+
+ # files for upload test
+ rlRun "dd if=/dev/zero of=uploadfile1 bs=1M count=50" 0 "Creating 50 MB large test file"
+ UPSUM1=`sha256sum uploadfile1 | cut -d ' ' -f 1`
+ rlRun "dd if=/dev/zero of=uploadfile2 bs=1M count=20" 0 "Creating 20 MB large test file"
+ UPSUM2=`sha256sum uploadfile2 | cut -d ' ' -f 1`
+ rlPhaseEnd
+
+ rlPhaseStartTest "scp download test"
+ rlRun "curl -o ./scp_file -u curltestuser: --key /root/.ssh/id_rsa $PUBKEY_PARAM $OPTIONS scp://localhost/home/curltestuser/testfile" 0 "Initiate curl scp download"
+ rlAssertExists scp_file
+ SCPSUM=`sha256sum ./scp_file | cut -d ' ' -f 1`
+ rlAssertEquals "Checking that whole file was properly downloaded" $SUM $SCPSUM
+ rm -f ./scp_file
+ rlPhaseEnd
+
+ rlPhaseStartTest "sftp download test"
+ rlRun "curl -o ./sftp_file -u curltestuser: --key /root/.ssh/id_rsa $PUBKEY_PARAM $OPTIONS sftp://localhost/home/curltestuser/testfile" 0 "Initiate curl scp download"
+ rlAssertExists sftp_file
+ SFTPSUM=`sha256sum ./sftp_file | cut -d ' ' -f 1`
+ rlAssertEquals "Checking that whole file was properly downloaded" $SUM $SFTPSUM
+ rm -f ./sftp_file
+ rlPhaseEnd
+
+ rlPhaseStartTest "scp upload test"
+ rlRun "curl -T '{uploadfile1,uploadfile2}' scp://localhost/home/curltestuser/ -u curltestuser: --key /root/.ssh/id_rsa $PUBKEY_PARAM $OPTIONS" 0 "Initiate curl scp upload"
+ rlAssertExists /home/curltestuser/uploadfile1
+ rlAssertExists /home/curltestuser/uploadfile2
+ SCPUPSUM1=`sha256sum /home/curltestuser/uploadfile1 | cut -d ' ' -f 1`
+ SCPUPSUM2=`sha256sum /home/curltestuser/uploadfile2 | cut -d ' ' -f 1`
+ rlAssertEquals "Checking that 1st file was properly uploaded" ${UPSUM1} ${SCPUPSUM1}
+ rlAssertEquals "Checking that 2nd file was properly uploaded" ${UPSUM2} ${SCPUPSUM2}
+ rm -f /home/curltestuser/uploadfile1 /home/curltestuser/uploadfile2
+ rlPhaseEnd
+
+ rlPhaseStartTest "sftp upload test"
+ rlRun "curl -T '{uploadfile1,uploadfile2}' sftp://localhost/home/curltestuser/ -u curltestuser: --key /root/.ssh/id_rsa $PUBKEY_PARAM $OPTIONS" 0 "Initiate curl sftp upload"
+ rlAssertExists /home/curltestuser/uploadfile1
+ rlAssertExists /home/curltestuser/uploadfile2
+ SFTPUPSUM1=`sha256sum /home/curltestuser/uploadfile1 | cut -d ' ' -f 1`
+ SFTPUPSUM2=`sha256sum /home/curltestuser/uploadfile2 | cut -d ' ' -f 1`
+ rlAssertEquals "Checking that 1st file was properly uploaded" ${UPSUM1} ${SFTPUPSUM1}
+ rlAssertEquals "Checking that 2nd file was properly uploaded" ${UPSUM2} ${SFTPUPSUM2}
+ rm -f /home/curltestuser/uploadfile1 /home/curltestuser/uploadfile2
+ rlPhaseEnd
+
+
+ rlPhaseStartCleanup
+ rlRun "userdel -r --force curltestuser"
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlFileRestore
+ rlServiceRestore "sshd"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
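Review bot: The setup phase of tests/scp-and-sftp-download-test/runtest.sh appends `KexAlgorithms +diffie-hellman-group14-sha1` to /etc/ssh/sshd_config on every host, although the comment above it says the SHA-1 key exchange is only needed under FIPS-140. Appending at the end of the file is also fragile: sshd uses the first value it obtains for a keyword, so an existing `KexAlgorithms` line would make the addition a no-op, and a trailing `Match` block would scope it to that block. Guarding the rlRun on FIPS mode would keep the weaker algorithm off hosts that do not need it, for example a preceding `[ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = 1 ] &&`. A comment should also state that `rlFileRestore` in the cleanup phase is what removes the setting again. Minor: the sftp download phase reuses the message "Initiate curl scp download".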