diff --git a/.gitignore b/.gitignore
index 7dcfd8f..9bb4285 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,6 @@
 /curl-[0-9.]*.tar.lzma
+/curl-[0-9.]*.tar.lzma.asc
 /curl-[0-9.]*.tar.xz
+/curl-[0-9.]*.tar.xz.asc
+/curl-[0-9]*.[0-9]*.[0-9]*/
+/*.src.rpm
diff --git a/0001-curl-7.76.1-resource-leaks.patch b/0001-curl-7.76.1-resource-leaks.patch
deleted file mode 100644
index 3fd4f40..0000000
--- a/0001-curl-7.76.1-resource-leaks.patch
+++ /dev/null
@@ -1,133 +0,0 @@
-From 2281afef6757ed66c9e8a9a737aa91cb9e2950ef Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Fri, 30 Apr 2021 18:14:45 +0200
-Subject: [PATCH 1/2] http2: fix resource leaks in set_transfer_url()
-
-... detected by Coverity:
-
-Error: RESOURCE_LEAK (CWE-772):
-lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
-lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
-lib/http2.c:486: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
-lib/http2.c:488: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
-
-Error: RESOURCE_LEAK (CWE-772):
-lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
-lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
-lib/http2.c:493: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
-lib/http2.c:495: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
-
-Error: RESOURCE_LEAK (CWE-772):
-lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
-lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
-lib/http2.c:500: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
-lib/http2.c:502: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
-
-Error: RESOURCE_LEAK (CWE-772):
-lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
-lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
-lib/http2.c:505: noescape: Resource "u" is not freed or pointed-to in "curl_url_get". [Note: The source code implementation of the function has been overridden by a builtin model.]
-lib/http2.c:507: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
-
-Closes #6986
-
-Upstream-commit: 31931704707324af4b4edb24cc877829f7e9949e
-Signed-off-by: Kamil Dudka
----
- lib/http2.c | 24 +++++++++++++++++-------
- 1 file changed, 17 insertions(+), 7 deletions(-)
-
-diff --git a/lib/http2.c b/lib/http2.c
-index ce9a0d3..d5ba89b 100644
---- a/lib/http2.c
-+++ b/lib/http2.c
-@@ -500,32 +500,42 @@ static int set_transfer_url(struct Curl_easy *data,
- CURLU *u = curl_url();
- CURLUcode uc;
- char *url;
-+ int rc = 0;
-
- v = curl_pushheader_byname(hp, ":scheme");
- if(v) {
- uc = curl_url_set(u, CURLUPART_SCHEME, v, 0);
-- if(uc)
-- return 1;
-+ if(uc) {
-+ rc = 1;
-+ goto fail;
-+ }
- }
-
- v = curl_pushheader_byname(hp, ":authority");
- if(v) {
- uc = curl_url_set(u, CURLUPART_HOST, v, 0);
-- if(uc)
-- return 2;
-+ if(uc) {
-+ rc = 2;
-+ goto fail;
-+ }
- }
-
- v = curl_pushheader_byname(hp, ":path");
- if(v) {
- uc = curl_url_set(u, CURLUPART_PATH, v, 0);
-- if(uc)
-- return 3;
-+ if(uc) {
-+ rc = 3;
-+ goto fail;
-+ }
- }
-
- uc = curl_url_get(u, CURLUPART_URL, &url, 0);
- if(uc)
-- return 4;
-+ rc = 4;
-+ fail:
- curl_url_cleanup(u);
-+ if(rc)
-+ return rc;
-
- if(data->state.url_alloc)
- free(data->state.url);
---
-2.30.2
-
-
-From 92ad72983f8462be1d5a5228672657ddf4d7ed72 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Fri, 30 Apr 2021 18:18:02 +0200
-Subject: [PATCH 2/2] http2: fix a resource leak in push_promise()
-
-...
detected by Coverity:
-
-Error: RESOURCE_LEAK (CWE-772):
-lib/http2.c:532: alloc_fn: Storage is returned from allocation function "duphandle".
-lib/http2.c:532: var_assign: Assigning: "newhandle" = storage returned from "duphandle(data)".
-lib/http2.c:552: noescape: Resource "newhandle" is not freed or pointed-to in "set_transfer_url".
-lib/http2.c:555: leaked_storage: Variable "newhandle" going out of scope leaks the storage it points to.
-
-Closes #6986
-
-Upstream-commit: 3a6058cb976981ec1db870f9657c73c9a1162822
-Signed-off-by: Kamil Dudka
----
- lib/http2.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/lib/http2.c b/lib/http2.c
-index d5ba89b..d0f69ea 100644
---- a/lib/http2.c
-+++ b/lib/http2.c
-@@ -581,6 +581,7 @@ static int push_promise(struct Curl_easy *data,
-
- rv = set_transfer_url(newhandle, &heads);
- if(rv) {
-+ (void)Curl_close(&newhandle);
- rv = CURL_PUSH_DENY;
- goto fail;
- }
---
-2.30.2
-
diff --git a/0002-curl-7.76.1-CVE-2021-22898.patch b/0002-curl-7.76.1-CVE-2021-22898.patch
deleted file mode 100644
index 691850b..0000000
--- a/0002-curl-7.76.1-CVE-2021-22898.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 886f7458bbf005299f3f8224103d1903cd6fa7a4 Mon Sep 17 00:00:00 2001
-From: Harry Sintonen
-Date: Fri, 7 May 2021 13:09:57 +0200
-Subject: [PATCH] telnet: check sscanf() for correct number of matches
-
-CVE-2021-22898
-
-Bug: https://curl.se/docs/CVE-2021-22898.html
-
-Upstream-commit: 39ce47f219b09c380b81f89fe54ac586c8db6bde
-Signed-off-by: Kamil Dudka
----
- lib/telnet.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/telnet.c b/lib/telnet.c
-index f96a4cb..4551435 100644
---- a/lib/telnet.c
-+++ b/lib/telnet.c
-@@ -921,7 +921,7 @@ static void suboption(struct Curl_easy *data)
- size_t tmplen = (strlen(v->data) + 1);
- /* Add the variable only if it fits */
- if(len + tmplen < (int)sizeof(temp)-6) {
-- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) {
-+ if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
- msnprintf((char *)&temp[len], sizeof(temp) - len,
- "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
- CURL_NEW_ENV_VALUE, varval);
---
-2.31.1
-
diff --git a/0003-curl-7.76.1-CVE-2021-22901.patch b/0003-curl-7.76.1-CVE-2021-22901.patch
deleted file mode 100644
index 1af7204..0000000
--- a/0003-curl-7.76.1-CVE-2021-22901.patch
+++ /dev/null
@@ -1,1012 +0,0 @@
-From c8210a16e8b61704da7bbf4bb0992ecbb1c7746d Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Mon, 17 May 2021 08:54:00 +0200
-Subject: [PATCH 1/3] conn: add 'attach' to protocol handler, make libssh2 use
- it
-
-The libssh2 backend has SSH session associated with the connection but
-the callback context is the easy handle, so when a connection gets
-attached to a transfer, the protocol handler now allows for a custom
-function to get used to set things up correctly.
-
-Reported-by: Michael O'Farrell
-Fixes #6898
-Closes #7078
-
-Upstream-commit: 0c55fbab45bedb761766109d41c3da49c4bc66c6
-Signed-off-by: Kamil Dudka
----
- lib/curl_rtmp.c | 6 ++++++
- lib/dict.c | 1 +
- lib/file.c | 1 +
- lib/ftp.c | 2 ++
- lib/gopher.c | 2 ++
- lib/http.c | 2 ++
- lib/http2.c | 2 ++
- lib/imap.c | 2 ++
- lib/ldap.c | 2 ++
- lib/mqtt.c | 1 +
- lib/multi.c | 2 ++
- lib/openldap.c | 2 ++
- lib/pop3.c | 2 ++
- lib/rtsp.c | 1 +
- lib/smb.c | 2 ++
- lib/smtp.c | 2 ++
- lib/telnet.c | 1 +
- lib/tftp.c | 1 +
- lib/url.c | 1 +
- lib/urldata.h | 4 ++++
- lib/vssh/libssh.c | 2 ++
- lib/vssh/libssh2.c | 20 ++++++++++++++++++++
- lib/vssh/ssh.h | 3 +++
- lib/vssh/wolfssh.c | 2 ++
- 24 files changed, 66 insertions(+)
-
-diff --git a/lib/curl_rtmp.c b/lib/curl_rtmp.c
-index 1360f33..2fa0267 100644
---- a/lib/curl_rtmp.c
-+++ b/lib/curl_rtmp.c
-@@ -79,6 +79,7 @@ const struct Curl_handler Curl_handler_rtmp = {
- rtmp_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_RTMP, /* defport */
- CURLPROTO_RTMP, /* protocol */
- CURLPROTO_RTMP, /* family */
-@@ -101,6 +102,7 @@ const struct Curl_handler Curl_handler_rtmpt = {
- rtmp_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_RTMPT, /* defport */
- CURLPROTO_RTMPT, /* protocol */
- CURLPROTO_RTMPT, /* family */
-@@ -123,6 +125,7 @@ const struct
Curl_handler Curl_handler_rtmpe = {
- rtmp_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_RTMP, /* defport */
- CURLPROTO_RTMPE, /* protocol */
- CURLPROTO_RTMPE, /* family */
-@@ -145,6 +148,7 @@ const struct Curl_handler Curl_handler_rtmpte = {
- rtmp_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_RTMPT, /* defport */
- CURLPROTO_RTMPTE, /* protocol */
- CURLPROTO_RTMPTE, /* family */
-@@ -167,6 +171,7 @@ const struct Curl_handler Curl_handler_rtmps = {
- rtmp_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_RTMPS, /* defport */
- CURLPROTO_RTMPS, /* protocol */
- CURLPROTO_RTMP, /* family */
-@@ -189,6 +194,7 @@ const struct Curl_handler Curl_handler_rtmpts = {
- rtmp_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_RTMPS, /* defport */
- CURLPROTO_RTMPTS, /* protocol */
- CURLPROTO_RTMPT, /* family */
-diff --git a/lib/dict.c b/lib/dict.c
-index 4319dad..7b27f79 100644
---- a/lib/dict.c
-+++ b/lib/dict.c
-@@ -89,6 +89,7 @@ const struct Curl_handler Curl_handler_dict = {
- ZERO_NULL, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_DICT, /* defport */
- CURLPROTO_DICT, /* protocol */
- CURLPROTO_DICT, /* family */
-diff --git a/lib/file.c b/lib/file.c
-index 1d174e5..10d8f05 100644
---- a/lib/file.c
-+++ b/lib/file.c
-@@ -111,6 +111,7 @@ const struct Curl_handler Curl_handler_file = {
- file_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- 0, /* defport */
- CURLPROTO_FILE, /* protocol */
- CURLPROTO_FILE, /* family */
-diff --git a/lib/ftp.c
b/lib/ftp.c
-index 5bf44f1..5ef1e2e 100644
---- a/lib/ftp.c
-+++ b/lib/ftp.c
-@@ -175,6 +175,7 @@ const struct Curl_handler Curl_handler_ftp = {
- ftp_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_FTP, /* defport */
- CURLPROTO_FTP, /* protocol */
- CURLPROTO_FTP, /* family */
-@@ -205,6 +206,7 @@ const struct Curl_handler Curl_handler_ftps = {
- ftp_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_FTPS, /* defport */
- CURLPROTO_FTPS, /* protocol */
- CURLPROTO_FTP, /* family */
-diff --git a/lib/gopher.c b/lib/gopher.c
-index a39cc7e..f61232f 100644
---- a/lib/gopher.c
-+++ b/lib/gopher.c
-@@ -74,6 +74,7 @@ const struct Curl_handler Curl_handler_gopher = {
- ZERO_NULL, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_GOPHER, /* defport */
- CURLPROTO_GOPHER, /* protocol */
- CURLPROTO_GOPHER, /* family */
-@@ -97,6 +98,7 @@ const struct Curl_handler Curl_handler_gophers = {
- ZERO_NULL, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_GOPHER, /* defport */
- CURLPROTO_GOPHERS, /* protocol */
- CURLPROTO_GOPHER, /* family */
-diff --git a/lib/http.c b/lib/http.c
-index 02c81c4..91da200 100644
---- a/lib/http.c
-+++ b/lib/http.c
-@@ -133,6 +133,7 @@ const struct Curl_handler Curl_handler_http = {
- ZERO_NULL, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_HTTP, /* defport */
- CURLPROTO_HTTP, /* protocol */
- CURLPROTO_HTTP, /* family */
-@@ -160,6 +161,7 @@ const struct Curl_handler Curl_handler_https = {
- ZERO_NULL, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_HTTPS, /*
defport */
- CURLPROTO_HTTPS, /* protocol */
- CURLPROTO_HTTP, /* family */
-diff --git a/lib/http2.c b/lib/http2.c
-index d0f69ea..1eb4e89 100644
---- a/lib/http2.c
-+++ b/lib/http2.c
-@@ -319,6 +319,7 @@ static const struct Curl_handler Curl_handler_http2 = {
- http2_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- http2_conncheck, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_HTTP, /* defport */
- CURLPROTO_HTTP, /* protocol */
- CURLPROTO_HTTP, /* family */
-@@ -341,6 +342,7 @@ static const struct Curl_handler Curl_handler_http2_ssl = {
- http2_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- http2_conncheck, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_HTTP, /* defport */
- CURLPROTO_HTTPS, /* protocol */
- CURLPROTO_HTTP, /* family */
-diff --git a/lib/imap.c b/lib/imap.c
-index e887357..e50d7fd 100644
---- a/lib/imap.c
-+++ b/lib/imap.c
-@@ -136,6 +136,7 @@ const struct Curl_handler Curl_handler_imap = {
- imap_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_IMAP, /* defport */
- CURLPROTO_IMAP, /* protocol */
- CURLPROTO_IMAP, /* family */
-@@ -164,6 +165,7 @@ const struct Curl_handler Curl_handler_imaps = {
- imap_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_IMAPS, /* defport */
- CURLPROTO_IMAPS, /* protocol */
- CURLPROTO_IMAP, /* family */
-diff --git a/lib/ldap.c b/lib/ldap.c
-index 860a4a8..d632a7e 100644
---- a/lib/ldap.c
-+++ b/lib/ldap.c
-@@ -149,6 +149,7 @@ const struct Curl_handler Curl_handler_ldap = {
- ZERO_NULL, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_LDAP, /* defport */
- CURLPROTO_LDAP, /* protocol */
- CURLPROTO_LDAP, /* family */
-@@ -176,6 +177,7 @@ const struct Curl_handler Curl_handler_ldaps = {
-
ZERO_NULL, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_LDAPS, /* defport */
- CURLPROTO_LDAPS, /* protocol */
- CURLPROTO_LDAP, /* family */
-diff --git a/lib/mqtt.c b/lib/mqtt.c
-index 2134409..d88fa73 100644
---- a/lib/mqtt.c
-+++ b/lib/mqtt.c
-@@ -86,6 +86,7 @@ const struct Curl_handler Curl_handler_mqtt = {
- ZERO_NULL, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_MQTT, /* defport */
- CURLPROTO_MQTT, /* protocol */
- CURLPROTO_MQTT, /* family */
-diff --git a/lib/multi.c b/lib/multi.c
-index be3e41f..e624bc3 100644
---- a/lib/multi.c
-+++ b/lib/multi.c
-@@ -890,6 +890,8 @@ void Curl_attach_connnection(struct Curl_easy *data,
- data->conn = conn;
- Curl_llist_insert_next(&conn->easyq, conn->easyq.tail, data,
- &data->conn_queue);
-+ if(conn->handler->attach)
-+ conn->handler->attach(data, conn);
- }
-
- static int waitconnect_getsock(struct connectdata *conn,
-diff --git a/lib/openldap.c b/lib/openldap.c
-index b6980c5..b515554 100644
---- a/lib/openldap.c
-+++ b/lib/openldap.c
-@@ -107,6 +107,7 @@ const struct Curl_handler Curl_handler_ldap = {
- ldap_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_LDAP, /* defport */
- CURLPROTO_LDAP, /* protocol */
- CURLPROTO_LDAP, /* family */
-@@ -134,6 +135,7 @@ const struct Curl_handler Curl_handler_ldaps = {
- ldap_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_LDAPS, /* defport */
- CURLPROTO_LDAPS, /* protocol */
- CURLPROTO_LDAP, /* family */
-diff --git a/lib/pop3.c b/lib/pop3.c
-index ccfebd0..6168b12 100644
---- a/lib/pop3.c
-+++ b/lib/pop3.c
-@@ -131,6 +131,7 @@ const struct Curl_handler Curl_handler_pop3 = {
- pop3_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite
*/
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_POP3, /* defport */
- CURLPROTO_POP3, /* protocol */
- CURLPROTO_POP3, /* family */
-@@ -159,6 +160,7 @@ const struct Curl_handler Curl_handler_pop3s = {
- pop3_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_POP3S, /* defport */
- CURLPROTO_POP3S, /* protocol */
- CURLPROTO_POP3, /* family */
-diff --git a/lib/rtsp.c b/lib/rtsp.c
-index 3029ff5..cdd49dc 100644
---- a/lib/rtsp.c
-+++ b/lib/rtsp.c
-@@ -109,6 +109,7 @@ const struct Curl_handler Curl_handler_rtsp = {
- rtsp_disconnect, /* disconnect */
- rtsp_rtp_readwrite, /* readwrite */
- rtsp_conncheck, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_RTSP, /* defport */
- CURLPROTO_RTSP, /* protocol */
- CURLPROTO_RTSP, /* family */
-diff --git a/lib/smb.c b/lib/smb.c
-index 183bc12..9f65cfd 100644
---- a/lib/smb.c
-+++ b/lib/smb.c
-@@ -88,6 +88,7 @@ const struct Curl_handler Curl_handler_smb = {
- smb_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_SMB, /* defport */
- CURLPROTO_SMB, /* protocol */
- CURLPROTO_SMB, /* family */
-@@ -114,6 +115,7 @@ const struct Curl_handler Curl_handler_smbs = {
- smb_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_SMBS, /* defport */
- CURLPROTO_SMBS, /* protocol */
- CURLPROTO_SMB, /* family */
-diff --git a/lib/smtp.c b/lib/smtp.c
-index be4cd67..1defb25 100644
---- a/lib/smtp.c
-+++ b/lib/smtp.c
-@@ -136,6 +136,7 @@ const struct Curl_handler Curl_handler_smtp = {
- smtp_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_SMTP, /* defport */
- CURLPROTO_SMTP, /* protocol */
- CURLPROTO_SMTP, /* family */
-@@ -164,6 +165,7
@@ const struct Curl_handler Curl_handler_smtps = {
- smtp_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_SMTPS, /* defport */
- CURLPROTO_SMTPS, /* protocol */
- CURLPROTO_SMTP, /* family */
-diff --git a/lib/telnet.c b/lib/telnet.c
-index 4551435..fdd137f 100644
---- a/lib/telnet.c
-+++ b/lib/telnet.c
-@@ -185,6 +185,7 @@ const struct Curl_handler Curl_handler_telnet = {
- ZERO_NULL, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_TELNET, /* defport */
- CURLPROTO_TELNET, /* protocol */
- CURLPROTO_TELNET, /* family */
-diff --git a/lib/tftp.c b/lib/tftp.c
-index 76d3ff4..bf499f3 100644
---- a/lib/tftp.c
-+++ b/lib/tftp.c
-@@ -182,6 +182,7 @@ const struct Curl_handler Curl_handler_tftp = {
- tftp_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_TFTP, /* defport */
- CURLPROTO_TFTP, /* protocol */
- CURLPROTO_TFTP, /* family */
-diff --git a/lib/url.c b/lib/url.c
-index 19fcfb8..9f2c9f2 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -292,6 +292,7 @@ static const struct Curl_handler Curl_handler_dummy = {
- ZERO_NULL, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- 0, /* defport */
- 0, /* protocol */
- 0, /* family */
-diff --git a/lib/urldata.h b/lib/urldata.h
-index fec8756..2bb7d81 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -791,12 +791,16 @@ struct Curl_handler {
- struct connectdata *conn,
- unsigned int checks_to_perform);
-
-+ /* attach() attaches this transfer to this connection */
-+ void (*attach)(struct Curl_easy *data, struct connectdata *conn);
-+
- int defport; /* Default port.
*/
- unsigned int protocol; /* See CURLPROTO_* - this needs to be the single
- specific protocol bit */
- unsigned int family; /* single bit for protocol family; basically the
- non-TLS name of the protocol this is */
- unsigned int flags; /* Extra particular characteristics, see PROTOPT_* */
-+
- };
-
- #define PROTOPT_NONE 0 /* nothing extra */
-diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
-index 4644f4c..450ab28 100644
---- a/lib/vssh/libssh.c
-+++ b/lib/vssh/libssh.c
-@@ -159,6 +159,7 @@ const struct Curl_handler Curl_handler_scp = {
- scp_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_SSH, /* defport */
- CURLPROTO_SCP, /* protocol */
- CURLPROTO_SCP, /* family */
-@@ -185,6 +186,7 @@ const struct Curl_handler Curl_handler_sftp = {
- sftp_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_SSH, /* defport */
- CURLPROTO_SFTP, /* protocol */
- CURLPROTO_SFTP, /* family */
-diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c
-index 9d188d0..0a468dd 100644
---- a/lib/vssh/libssh2.c
-+++ b/lib/vssh/libssh2.c
-@@ -121,6 +121,7 @@ static int ssh_getsock(struct Curl_easy *data, struct connectdata *conn,
- curl_socket_t *sock);
- static CURLcode ssh_setup_connection(struct Curl_easy *data,
- struct connectdata *conn);
-+static void ssh_attach(struct Curl_easy *data, struct connectdata *conn);
-
- /*
- * SCP protocol handler.
-@@ -142,6 +143,7 @@ const struct Curl_handler Curl_handler_scp = {
- scp_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ssh_attach,
- PORT_SSH, /* defport */
- CURLPROTO_SCP, /* protocol */
- CURLPROTO_SCP, /* family */
-@@ -170,6 +172,7 @@ const struct Curl_handler Curl_handler_sftp = {
- sftp_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ssh_attach,
- PORT_SSH, /* defport */
- CURLPROTO_SFTP, /* protocol */
- CURLPROTO_SFTP, /* family */
-@@ -3607,4 +3610,21 @@ size_t Curl_ssh_version(char *buffer, size_t buflen)
- return msnprintf(buffer, buflen, "libssh2/%s", LIBSSH2_VERSION);
- }
-
-+/* The SSH session is associated with the *CONNECTION* but the callback user
-+ * pointer is an easy handle pointer. This function allows us to reassign the
-+ * user pointer to the *CURRENT* (new) easy handle.
-+ */
-+static void ssh_attach(struct Curl_easy *data, struct connectdata *conn)
-+{
-+ DEBUGASSERT(data);
-+ DEBUGASSERT(conn);
-+ if(conn->handler->protocol & PROTO_FAMILY_SSH) {
-+ struct ssh_conn *sshc = &conn->proto.sshc;
-+ if(sshc->ssh_session) {
-+ /* only re-attach if the session already exists */
-+ void **abstract = libssh2_session_abstract(sshc->ssh_session);
-+ *abstract = data;
-+ }
-+ }
-+}
- #endif /* USE_LIBSSH2 */
-diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
-index 52e1ee6..505b078 100644
---- a/lib/vssh/ssh.h
-+++ b/lib/vssh/ssh.h
-@@ -263,9 +263,12 @@ extern const struct Curl_handler Curl_handler_sftp;
- CURLcode Curl_ssh_init(void);
- void Curl_ssh_cleanup(void);
- size_t Curl_ssh_version(char *buffer, size_t buflen);
-+void Curl_ssh_attach(struct Curl_easy *data,
-+ struct connectdata *conn);
- #else
- /* for non-SSH builds */
- #define Curl_ssh_cleanup()
-+#define Curl_ssh_attach(x,y)
- #endif
-
- #endif /* HEADER_CURL_SSH_H */
-diff --git a/lib/vtls/wolfssh.c b/lib/vtls/wolfssh.c
-index de0b1c7..8aa8067 100644
---- a/lib/vssh/wolfssh.c
-+++
b/lib/vssh/wolfssh.c
-@@ -91,6 +91,7 @@ const struct Curl_handler Curl_handler_scp = {
- wscp_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_SSH, /* defport */
- CURLPROTO_SCP, /* protocol */
- PROTOPT_DIRLOCK | PROTOPT_CLOSEACTION
-@@ -119,6 +120,7 @@ const struct Curl_handler Curl_handler_sftp = {
- wsftp_disconnect, /* disconnect */
- ZERO_NULL, /* readwrite */
- ZERO_NULL, /* connection_check */
-+ ZERO_NULL, /* attach connection */
- PORT_SSH, /* defport */
- CURLPROTO_SFTP, /* protocol */
- CURLPROTO_SFTP, /* family */
---
-2.31.1
-
-
-From b5971f4854aab00fcd7810aa9a425c0a6790e050 Mon Sep 17 00:00:00 2001
-From: Harry Sintonen
-Date: Wed, 5 May 2021 13:42:26 +0200
-Subject: [PATCH 2/3] openssl: associate/detach the transfer from connection
-
-CVE-2021-22901
-
-Bug: https://curl.se/docs/CVE-2021-22901.html
-
-Upstream-commit: 7f4a9a9b2a49547eae24d2e19bc5c346e9026479
-Signed-off-by: Kamil Dudka
----
- lib/multi.c | 5 +-
- lib/vtls/gskit.c | 4 +-
- lib/vtls/gtls.c | 4 +-
- lib/vtls/mbedtls.c | 4 +-
- lib/vtls/mesalink.c | 4 +-
- lib/vtls/nss.c | 4 +-
- lib/vtls/openssl.c | 146 +++++++++++++++++++++++++++++++------------
- lib/vtls/rustls.c | 4 +-
- lib/vtls/schannel.c | 4 +-
- lib/vtls/sectransp.c | 2 +
- lib/vtls/vtls.c | 23 ++++++-
- lib/vtls/vtls.h | 12 ++++
- lib/vtls/wolfssl.c | 4 +-
- 13 files changed, 171 insertions(+), 49 deletions(-)
-
-diff --git a/lib/multi.c b/lib/multi.c
-index e624bc3..2228264 100644
---- a/lib/multi.c
-+++ b/lib/multi.c
-@@ -872,8 +872,10 @@ bool Curl_multiplex_wanted(const struct Curl_multi *multi)
- void Curl_detach_connnection(struct Curl_easy *data)
- {
- struct connectdata *conn = data->conn;
-- if(conn)
-+ if(conn) {
- Curl_llist_remove(&conn->easyq, &data->conn_queue, NULL);
-+ Curl_ssl_detach_conn(data, conn);
-+ }
- data->conn = NULL;
- }
-
-@@ -892,6 +894,7 @@ void Curl_attach_connnection(struct Curl_easy *data,
-
&data->conn_queue);
- if(conn->handler->attach)
- conn->handler->attach(data, conn);
-+ Curl_ssl_associate_conn(data, conn);
- }
-
- static int waitconnect_getsock(struct connectdata *conn,
-diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
-index b0c7343..3fe54c1 100644
---- a/lib/vtls/gskit.c
-+++ b/lib/vtls/gskit.c
-@@ -1281,7 +1281,9 @@ const struct Curl_ssl Curl_ssl_gskit = {
- Curl_none_set_engine_default, /* set_engine_default */
- Curl_none_engines_list, /* engines_list */
- Curl_none_false_start, /* false_start */
-- NULL /* sha256sum */
-+ NULL, /* sha256sum */
-+ NULL, /* associate_connection */
-+ NULL /* disassociate_connection */
- };
-
- #endif /* USE_GSKIT */
-diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
-index e3fad7f..ea54fe3 100644
---- a/lib/vtls/gtls.c
-+++ b/lib/vtls/gtls.c
-@@ -1645,7 +1645,9 @@ const struct Curl_ssl Curl_ssl_gnutls = {
- Curl_none_set_engine_default, /* set_engine_default */
- Curl_none_engines_list, /* engines_list */
- Curl_none_false_start, /* false_start */
-- gtls_sha256sum /* sha256sum */
-+ gtls_sha256sum, /* sha256sum */
-+ NULL, /* associate_connection */
-+ NULL /* disassociate_connection */
- };
-
- #endif /* USE_GNUTLS */
-diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
-index 4b36f2d..0a9f7b4 100644
---- a/lib/vtls/mbedtls.c
-+++ b/lib/vtls/mbedtls.c
-@@ -1113,7 +1113,9 @@ const struct Curl_ssl Curl_ssl_mbedtls = {
- Curl_none_set_engine_default, /* set_engine_default */
- Curl_none_engines_list, /* engines_list */
- Curl_none_false_start, /* false_start */
-- mbedtls_sha256sum /* sha256sum */
-+ mbedtls_sha256sum, /* sha256sum */
-+ NULL, /* associate_connection */
-+ NULL /* disassociate_connection */
- };
-
- #endif /* USE_MBEDTLS */
-diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c
-index 5d6a149..0a41dd3 100644
---- a/lib/vtls/mesalink.c
-+++ b/lib/vtls/mesalink.c
-@@ -667,7 +667,9 @@ const struct Curl_ssl Curl_ssl_mesalink = {
- Curl_none_set_engine_default, /* set_engine_default */
-
Curl_none_engines_list, /* engines_list */
- Curl_none_false_start, /* false_start */
-- NULL /* sha256sum */
-+ NULL, /* sha256sum */
-+ NULL, /* associate_connection */
-+ NULL /* disassociate_connection */
- };
-
- #endif
-diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
-index a9f6959..ae3945c 100644
---- a/lib/vtls/nss.c
-+++ b/lib/vtls/nss.c
-@@ -2442,7 +2442,9 @@ const struct Curl_ssl Curl_ssl_nss = {
- Curl_none_set_engine_default, /* set_engine_default */
- Curl_none_engines_list, /* engines_list */
- nss_false_start, /* false_start */
-- nss_sha256sum /* sha256sum */
-+ nss_sha256sum, /* sha256sum */
-+ NULL, /* associate_connection */
-+ NULL /* disassociate_connection */
- };
-
- #endif /* USE_NSS */
-diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
-index 6583300..2404393 100644
---- a/lib/vtls/openssl.c
-+++ b/lib/vtls/openssl.c
-@@ -246,6 +246,10 @@ struct ssl_backend_data {
- #endif
- };
-
-+static void ossl_associate_connection(struct Curl_easy *data,
-+ struct connectdata *conn,
-+ int sockindex);
-+
- /*
- * Number of bytes to read from the random number seed file. This must be
- * a finite value (because some entropy "files" like /dev/urandom have
-@@ -2528,6 +2532,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
- curl_socket_t sockfd = conn->sock[sockindex];
- struct ssl_connect_data *connssl = &conn->ssl[sockindex];
- ctx_option_t ctx_options = 0;
-+ void *ssl_sessionid = NULL;
-
- #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
- bool sni;
-@@ -3209,46 +3214,23 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
- }
- #endif
-
-- /* Check if there's a cached ID we can/should use here!
*/
-- if(SSL_SET_OPTION(primary.sessionid)) {
-- void *ssl_sessionid = NULL;
-- int data_idx = ossl_get_ssl_data_index();
-- int connectdata_idx = ossl_get_ssl_conn_index();
-- int sockindex_idx = ossl_get_ssl_sockindex_index();
-- int proxy_idx = ossl_get_proxy_index();
--
-- if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 &&
-- proxy_idx >= 0) {
-- /* Store the data needed for the "new session" callback.
-- * The sockindex is stored as a pointer to an array element. */
-- SSL_set_ex_data(backend->handle, data_idx, data);
-- SSL_set_ex_data(backend->handle, connectdata_idx, conn);
-- SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
--#ifndef CURL_DISABLE_PROXY
-- SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
-- NULL);
--#else
-- SSL_set_ex_data(backend->handle, proxy_idx, NULL);
--#endif
--
-- }
-+ ossl_associate_connection(data, conn, sockindex);
-
-- Curl_ssl_sessionid_lock(data);
-- if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
-- &ssl_sessionid, NULL, sockindex)) {
-- /* we got a session id, use it! */
-- if(!SSL_set_session(backend->handle, ssl_sessionid)) {
-- Curl_ssl_sessionid_unlock(data);
-- failf(data, "SSL: SSL_set_session failed: %s",
-- ossl_strerror(ERR_get_error(), error_buffer,
-- sizeof(error_buffer)));
-- return CURLE_SSL_CONNECT_ERROR;
-- }
-- /* Informational message */
-- infof(data, "SSL re-using session ID\n");
-+ Curl_ssl_sessionid_lock(data);
-+ if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
-+ &ssl_sessionid, NULL, sockindex)) {
-+ /* we got a session id, use it!
*/
-+ if(!SSL_set_session(backend->handle, ssl_sessionid)) {
-+ Curl_ssl_sessionid_unlock(data);
-+ failf(data, "SSL: SSL_set_session failed: %s",
-+ ossl_strerror(ERR_get_error(), error_buffer,
-+ sizeof(error_buffer)));
-+ return CURLE_SSL_CONNECT_ERROR;
- }
-- Curl_ssl_sessionid_unlock(data);
-+ /* Informational message */
-+ infof(data, "SSL re-using session ID\n");
- }
-+ Curl_ssl_sessionid_unlock(data);
-
- #ifndef CURL_DISABLE_PROXY
- if(conn->proxy_ssl[sockindex].use) {
-@@ -4474,6 +4456,90 @@ static void *ossl_get_internals(struct ssl_connect_data *connssl,
- (void *)backend->ctx : (void *)backend->handle;
- }
-
-+static void ossl_associate_connection(struct Curl_easy *data,
-+ struct connectdata *conn,
-+ int sockindex)
-+{
-+ struct ssl_connect_data *connssl = &conn->ssl[sockindex];
-+ struct ssl_backend_data *backend = connssl->backend;
-+
-+ /* If we don't have SSL context, do nothing. */
-+ if(!backend->handle)
-+ return;
-+
-+ if(SSL_SET_OPTION(primary.sessionid)) {
-+ int data_idx = ossl_get_ssl_data_index();
-+ int connectdata_idx = ossl_get_ssl_conn_index();
-+ int sockindex_idx = ossl_get_ssl_sockindex_index();
-+ int proxy_idx = ossl_get_proxy_index();
-+
-+ if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 &&
-+ proxy_idx >= 0) {
-+ /* Store the data needed for the "new session" callback.
-+ * The sockindex is stored as a pointer to an array element. */
-+ SSL_set_ex_data(backend->handle, data_idx, data);
-+ SSL_set_ex_data(backend->handle, connectdata_idx, conn);
-+ SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
-+#ifndef CURL_DISABLE_PROXY
-+ SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
-+ NULL);
-+#else
-+ SSL_set_ex_data(backend->handle, proxy_idx, NULL);
-+#endif
-+ }
-+ }
-+}
-+
-+/*
-+ * Starting with TLS 1.3, the ossl_new_session_cb callback gets called after
-+ * the handshake.
If the transfer that sets up the callback gets killed before -+ * this callback arrives, we must make sure to properly clear the data to -+ * avoid UAF problems. A future optimization could be to instead store another -+ * transfer that might still be using the same connection. -+ */ -+ -+static void ossl_disassociate_connection(struct Curl_easy *data, -+ int sockindex) -+{ -+ struct connectdata *conn = data->conn; -+ struct ssl_connect_data *connssl = &conn->ssl[sockindex]; -+ struct ssl_backend_data *backend = connssl->backend; -+ -+ /* If we don't have SSL context, do nothing. */ -+ if(!backend->handle) -+ return; -+ -+ if(SSL_SET_OPTION(primary.sessionid)) { -+ bool isproxy = FALSE; -+ bool incache; -+ void *old_ssl_sessionid = NULL; -+ int data_idx = ossl_get_ssl_data_index(); -+ int connectdata_idx = ossl_get_ssl_conn_index(); -+ int sockindex_idx = ossl_get_ssl_sockindex_index(); -+ int proxy_idx = ossl_get_proxy_index(); -+ -+ if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 && -+ proxy_idx >= 0) { -+ /* Invalidate the session cache entry, if any */ -+ isproxy = SSL_get_ex_data(backend->handle, proxy_idx) ? TRUE : FALSE; -+ -+ /* Disable references to data in "new session" callback to avoid -+ * accessing a stale pointer. 
*/ -+ SSL_set_ex_data(backend->handle, data_idx, NULL); -+ SSL_set_ex_data(backend->handle, connectdata_idx, NULL); -+ SSL_set_ex_data(backend->handle, sockindex_idx, NULL); -+ SSL_set_ex_data(backend->handle, proxy_idx, NULL); -+ } -+ -+ Curl_ssl_sessionid_lock(data); -+ incache = !(Curl_ssl_getsessionid(data, conn, isproxy, -+ &old_ssl_sessionid, NULL, sockindex)); -+ if(incache) -+ Curl_ssl_delsessionid(data, old_ssl_sessionid); -+ Curl_ssl_sessionid_unlock(data); -+ } -+} -+ - const struct Curl_ssl Curl_ssl_openssl = { - { CURLSSLBACKEND_OPENSSL, "openssl" }, /* info */ - -@@ -4508,10 +4574,12 @@ const struct Curl_ssl Curl_ssl_openssl = { - ossl_engines_list, /* engines_list */ - Curl_none_false_start, /* false_start */ - #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256) -- ossl_sha256sum /* sha256sum */ -+ ossl_sha256sum, /* sha256sum */ - #else -- NULL /* sha256sum */ -+ NULL, /* sha256sum */ - #endif -+ ossl_associate_connection, /* associate_connection */ -+ ossl_disassociate_connection /* disassociate_connection */ - }; - - #endif /* USE_OPENSSL */ -diff --git a/lib/vtls/rustls.c b/lib/vtls/rustls.c -index e4f589d..fb8d634 100644 ---- a/lib/vtls/rustls.c -+++ b/lib/vtls/rustls.c -@@ -554,7 +554,9 @@ const struct Curl_ssl Curl_ssl_rustls = { - Curl_none_set_engine_default, /* set_engine_default */ - Curl_none_engines_list, /* engines_list */ - Curl_none_false_start, /* false_start */ -- NULL /* sha256sum */ -+ NULL, /* sha256sum */ -+ NULL, /* associate_connection */ -+ NULL /* disassociate_connection */ - }; - - #endif /* USE_RUSTLS */ -diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c -index 961a71f..a80eb50 100644 ---- a/lib/vtls/schannel.c -+++ b/lib/vtls/schannel.c -@@ -2429,7 +2429,9 @@ const struct Curl_ssl Curl_ssl_schannel = { - Curl_none_set_engine_default, /* set_engine_default */ - Curl_none_engines_list, /* engines_list */ - Curl_none_false_start, /* false_start */ -- schannel_sha256sum /* sha256sum */ -+ 
schannel_sha256sum, /* sha256sum */ -+ NULL, /* associate_connection */ -+ NULL /* disassociate_connection */ - }; - - #endif /* USE_SCHANNEL */ -diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c -index 9d637da..b24b489 100644 ---- a/lib/vtls/sectransp.c -+++ b/lib/vtls/sectransp.c -@@ -3314,6 +3314,8 @@ const struct Curl_ssl Curl_ssl_sectransp = { - Curl_none_engines_list, /* engines_list */ - sectransp_false_start, /* false_start */ - sectransp_sha256sum /* sha256sum */ -+ NULL, /* associate_connection */ -+ NULL /* disassociate_connection */ - }; - - #ifdef __clang__ -diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c -index 2e07df0..22cfb88 100644 ---- a/lib/vtls/vtls.c -+++ b/lib/vtls/vtls.c -@@ -579,6 +579,25 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, - return CURLE_OK; - } - -+void Curl_ssl_associate_conn(struct Curl_easy *data, -+ struct connectdata *conn) -+{ -+ if(Curl_ssl->associate_connection) { -+ Curl_ssl->associate_connection(data, conn, FIRSTSOCKET); -+ if(conn->sock[SECONDARYSOCKET] && conn->bits.sock_accepted) -+ Curl_ssl->associate_connection(data, conn, SECONDARYSOCKET); -+ } -+} -+ -+void Curl_ssl_detach_conn(struct Curl_easy *data, -+ struct connectdata *conn) -+{ -+ if(Curl_ssl->disassociate_connection) { -+ Curl_ssl->disassociate_connection(data, FIRSTSOCKET); -+ if(conn->sock[SECONDARYSOCKET] && conn->bits.sock_accepted) -+ Curl_ssl->disassociate_connection(data, SECONDARYSOCKET); -+ } -+} - - void Curl_ssl_close_all(struct Curl_easy *data) - { -@@ -1207,7 +1226,9 @@ static const struct Curl_ssl Curl_ssl_multi = { - Curl_none_set_engine_default, /* set_engine_default */ - Curl_none_engines_list, /* engines_list */ - Curl_none_false_start, /* false_start */ -- NULL /* sha256sum */ -+ NULL, /* sha256sum */ -+ NULL, /* associate_connection */ -+ NULL /* disassociate_connection */ - }; - - const struct Curl_ssl *Curl_ssl = -diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h -index 2b43e77..78d1003 100644 ---- a/lib/vtls/vtls.h 
-+++ b/lib/vtls/vtls.h -@@ -83,6 +83,11 @@ struct Curl_ssl { - bool (*false_start)(void); - CURLcode (*sha256sum)(const unsigned char *input, size_t inputlen, - unsigned char *sha256sum, size_t sha256sumlen); -+ -+ void (*associate_connection)(struct Curl_easy *data, -+ struct connectdata *conn, -+ int sockindex); -+ void (*disassociate_connection)(struct Curl_easy *data, int sockindex); - }; - - #ifdef USE_SSL -@@ -277,6 +282,11 @@ bool Curl_ssl_cert_status_request(void); - - bool Curl_ssl_false_start(void); - -+void Curl_ssl_associate_conn(struct Curl_easy *data, -+ struct connectdata *conn); -+void Curl_ssl_detach_conn(struct Curl_easy *data, -+ struct connectdata *conn); -+ - #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */ - - #else /* if not USE_SSL */ -@@ -303,6 +313,8 @@ bool Curl_ssl_false_start(void); - #define Curl_ssl_cert_status_request() FALSE - #define Curl_ssl_false_start() FALSE - #define Curl_ssl_tls13_ciphersuites() FALSE -+#define Curl_ssl_associate_conn(a,b) Curl_nop_stmt -+#define Curl_ssl_detach_conn(a,b) Curl_nop_stmt - #endif - - #endif /* HEADER_CURL_VTLS_H */ -diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c -index c6f4280..9c1598b 100644 ---- a/lib/vtls/wolfssl.c -+++ b/lib/vtls/wolfssl.c -@@ -1164,7 +1164,9 @@ const struct Curl_ssl Curl_ssl_wolfssl = { - Curl_none_set_engine_default, /* set_engine_default */ - Curl_none_engines_list, /* engines_list */ - Curl_none_false_start, /* false_start */ -- wolfssl_sha256sum /* sha256sum */ -+ wolfssl_sha256sum, /* sha256sum */ -+ NULL, /* associate_connection */ -+ NULL /* disassociate_connection */ - }; - - #endif --- -2.31.1 - - -From dd657bd43c0dc406a0be442a3b6546b3f97bb13f Mon Sep 17 00:00:00 2001 -From: Koichi Shiraishi -Date: Mon, 24 May 2021 20:26:44 +0900 -Subject: [PATCH 3/3] sectransp: fix 7f4a9a9b2a49 commit about missing comma - -Follow-up to 7f4a9a9b2a495 - -Closes #7119 - -Upstream-commit: 98770344b2d6527c5b504fa740d7bbddbee1728e -Signed-off-by: Kamil Dudka ---- - 
lib/vtls/sectransp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
-index b24b489..f2d7835 100644
---- a/lib/vtls/sectransp.c
-+++ b/lib/vtls/sectransp.c
-@@ -3313,7 +3313,7 @@ const struct Curl_ssl Curl_ssl_sectransp = {
- Curl_none_set_engine_default, /* set_engine_default */
- Curl_none_engines_list, /* engines_list */
- sectransp_false_start, /* false_start */
-- sectransp_sha256sum /* sha256sum */
-+ sectransp_sha256sum, /* sha256sum */
- NULL, /* associate_connection */
- NULL /* disassociate_connection */
- };
---
-2.31.1
-
diff --git a/0004-curl-7.76.1-ldaps-segv.patch b/0004-curl-7.76.1-ldaps-segv.patch
deleted file mode 100644
index 23f77b1..0000000
--- a/0004-curl-7.76.1-ldaps-segv.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 39b68b3f82535d06e50443db4c191dbaa00df4eb Mon Sep 17 00:00:00 2001
-From: Patrick Monnerat
-Date: Fri, 23 Apr 2021 00:33:46 +0200
-Subject: [PATCH] vtls: reset ssl use flag upon negotiation failure
-
-Fixes the segfault in ldaps disconnect.
-
-Reported-by: Illarion Taev
-Fixes #6934
-Closes #6937
-
-Upstream-commit: a4554b2c5e7c5788c8198001598818599c60ff7d
-Signed-off-by: Kamil Dudka
----
- lib/vtls/vtls.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
-index 22cfb88..fa8a6fa 100644
---- a/lib/vtls/vtls.c
-+++ b/lib/vtls/vtls.c
-@@ -315,6 +315,8 @@ Curl_ssl_connect(struct Curl_easy *data, struct connectdata *conn,
-
- if(!result)
- Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */
-+ else
-+ conn->ssl[sockindex].use = FALSE;
-
- return result;
- }
-@@ -338,7 +340,9 @@ Curl_ssl_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn,
- /* mark this is being ssl requested from here on. */
- conn->ssl[sockindex].use = TRUE;
- result = Curl_ssl->connect_nonblocking(data, conn, sockindex, done);
-- if(!result && *done)
-+ if(result)
-+ conn->ssl[sockindex].use = FALSE;
-+ else if(*done)
- Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */
- return result;
- }
---
-2.31.1
-
diff --git a/0005-curl-7.76.1-CVE-2021-22924.patch b/0005-curl-7.76.1-CVE-2021-22924.patch
deleted file mode 100644
index 3160b8f..0000000
--- a/0005-curl-7.76.1-CVE-2021-22924.patch
+++ /dev/null
@@ -1,279 +0,0 @@ -From 30c7b4dd01734b6ba20bfc7790b9fe8bc0500214 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Sat, 19 Jun 2021 00:42:28 +0200 -Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and case - sensitivity - -CVE-2021-22924 - -Reported-by: Harry Sintonen -Bug: https://curl.se/docs/CVE-2021-22924.html - -Upstream-commit: 5ea3145850ebff1dc2b13d17440300a01ca38161 -Signed-off-by: Kamil Dudka ---- - lib/url.c | 10 ++++++---- - lib/urldata.h | 4 ++-- - lib/vtls/gtls.c | 10 +++++----- - lib/vtls/nss.c | 4 ++-- - lib/vtls/openssl.c | 18 +++++++++--------- - lib/vtls/vtls.c | 26 +++++++++++++++++++++----- - 6 files changed, 45 insertions(+), 27 deletions(-) - -diff --git a/lib/url.c b/lib/url.c -index 9f2c9f2..bdcb095 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -3723,6 +3723,8 @@ static CURLcode create_conn(struct Curl_easy *data, - */ - data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH]; - data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE]; -+ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT]; -+ data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT]; - data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE]; - data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET]; - data->set.ssl.primary.cipher_list = -@@ -3747,8 +3749,11 @@ static CURLcode create_conn(struct Curl_easy *data, - data->set.proxy_ssl.primary.pinned_key = - data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]; - data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY]; -+ data->set.proxy_ssl.primary.issuercert = -+ data->set.str[STRING_SSL_ISSUERCERT_PROXY]; -+ data->set.proxy_ssl.primary.issuercert_blob = -+ data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY]; - data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; -- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY]; - data->set.proxy_ssl.cert_type = 
data->set.str[STRING_CERT_TYPE_PROXY]; - data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY]; - data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY]; -@@ -3757,7 +3762,6 @@ static CURLcode create_conn(struct Curl_easy *data, - data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY]; - #endif - data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; -- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT]; - data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; - data->set.ssl.key = data->set.str[STRING_KEY]; - data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE]; -@@ -3771,9 +3775,7 @@ static CURLcode create_conn(struct Curl_easy *data, - data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; - #endif - #endif -- - data->set.ssl.key_blob = data->set.blobs[BLOB_KEY]; -- data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT]; - - if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary, - &conn->ssl_config)) { -diff --git a/lib/urldata.h b/lib/urldata.h -index 2bb7d81..7cf63d0 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -246,6 +246,7 @@ struct ssl_primary_config { - long version_max; /* max supported version the client wants to use*/ - char *CApath; /* certificate dir (doesn't work on windows) */ - char *CAfile; /* certificate to verify peer against */ -+ char *issuercert; /* optional issuer certificate filename */ - char *clientcert; - char *random_file; /* path to file containing "random" data */ - char *egdsocket; /* path to file containing the EGD daemon socket */ -@@ -253,6 +254,7 @@ struct ssl_primary_config { - char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ - char *pinned_key; - struct curl_blob *cert_blob; -+ struct curl_blob *issuercert_blob; - char *curves; /* list of curves to use */ - BIT(verifypeer); /* set TRUE if this is desired */ - BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ -@@ -264,8 +266,6 @@ struct ssl_config_data { - 
struct ssl_primary_config primary; - long certverifyresult; /* result from the certificate verification */ - char *CRLfile; /* CRL to check certificate revocation */ -- char *issuercert;/* optional issuer certificate filename */ -- struct curl_blob *issuercert_blob; - curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ - void *fsslctxp; /* parameter for call back */ - char *cert_type; /* format for certificate (default: PEM)*/ -diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c -index ea54fe3..ccc5ce8 100644 ---- a/lib/vtls/gtls.c -+++ b/lib/vtls/gtls.c -@@ -849,7 +849,7 @@ gtls_connect_step3(struct Curl_easy *data, - if(!chainp) { - if(SSL_CONN_CONFIG(verifypeer) || - SSL_CONN_CONFIG(verifyhost) || -- SSL_SET_OPTION(issuercert)) { -+ SSL_CONN_CONFIG(issuercert)) { - #ifdef HAVE_GNUTLS_SRP - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP - && SSL_SET_OPTION(username) != NULL -@@ -1033,21 +1033,21 @@ gtls_connect_step3(struct Curl_easy *data, - gnutls_x509_crt_t format */ - gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER); - -- if(SSL_SET_OPTION(issuercert)) { -+ if(SSL_CONN_CONFIG(issuercert)) { - gnutls_x509_crt_init(&x509_issuer); -- issuerp = load_file(SSL_SET_OPTION(issuercert)); -+ issuerp = load_file(SSL_CONN_CONFIG(issuercert)); - gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM); - rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer); - gnutls_x509_crt_deinit(x509_issuer); - unload_file(issuerp); - if(rc <= 0) { - failf(data, "server certificate issuer check failed (IssuerCert: %s)", -- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none"); -+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); - gnutls_x509_crt_deinit(x509_cert); - return CURLE_SSL_ISSUER_ERROR; - } - infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n", -- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none"); -+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); - } - - size = 
sizeof(certname); -diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c -index ae3945c..b0b1e8c 100644 ---- a/lib/vtls/nss.c -+++ b/lib/vtls/nss.c -@@ -2156,9 +2156,9 @@ static CURLcode nss_do_connect(struct Curl_easy *data, - if(result) - goto error; - -- if(SSL_SET_OPTION(issuercert)) { -+ if(SSL_CONN_CONFIG(issuercert)) { - SECStatus ret = SECFailure; -- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert)); -+ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert)); - if(nickname) { - /* we support only nicknames in case of issuercert for now */ - ret = check_issuer_cert(backend->handle, nickname); -diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c -index 2404393..be7b811 100644 ---- a/lib/vtls/openssl.c -+++ b/lib/vtls/openssl.c -@@ -3872,10 +3872,10 @@ static CURLcode servercert(struct Curl_easy *data, - deallocating the certificate. */ - - /* e.g. match issuer name with provided issuer certificate */ -- if(SSL_SET_OPTION(issuercert) || SSL_SET_OPTION(issuercert_blob)) { -- if(SSL_SET_OPTION(issuercert_blob)) -- fp = BIO_new_mem_buf(SSL_SET_OPTION(issuercert_blob)->data, -- (int)SSL_SET_OPTION(issuercert_blob)->len); -+ if(SSL_CONN_CONFIG(issuercert) || SSL_CONN_CONFIG(issuercert_blob)) { -+ if(SSL_CONN_CONFIG(issuercert_blob)) -+ fp = BIO_new_mem_buf(SSL_CONN_CONFIG(issuercert_blob)->data, -+ (int)SSL_CONN_CONFIG(issuercert_blob)->len); - else { - fp = BIO_new(BIO_s_file()); - if(fp == NULL) { -@@ -3889,10 +3889,10 @@ static CURLcode servercert(struct Curl_easy *data, - return CURLE_OUT_OF_MEMORY; - } - -- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) { -+ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) { - if(strict) - failf(data, "SSL: Unable to open issuer cert (%s)", -- SSL_SET_OPTION(issuercert)); -+ SSL_CONN_CONFIG(issuercert)); - BIO_free(fp); - X509_free(backend->server_cert); - backend->server_cert = NULL; -@@ -3904,7 +3904,7 @@ static CURLcode servercert(struct Curl_easy *data, - if(!issuer) { - if(strict) - 
failf(data, "SSL: Unable to read issuer cert (%s)", -- SSL_SET_OPTION(issuercert)); -+ SSL_CONN_CONFIG(issuercert)); - BIO_free(fp); - X509_free(issuer); - X509_free(backend->server_cert); -@@ -3915,7 +3915,7 @@ static CURLcode servercert(struct Curl_easy *data, - if(X509_check_issued(issuer, backend->server_cert) != X509_V_OK) { - if(strict) - failf(data, "SSL: Certificate issuer check failed (%s)", -- SSL_SET_OPTION(issuercert)); -+ SSL_CONN_CONFIG(issuercert)); - BIO_free(fp); - X509_free(issuer); - X509_free(backend->server_cert); -@@ -3924,7 +3924,7 @@ static CURLcode servercert(struct Curl_easy *data, - } - - infof(data, " SSL certificate issuer check ok (%s)\n", -- SSL_SET_OPTION(issuercert)); -+ SSL_CONN_CONFIG(issuercert)); - BIO_free(fp); - X509_free(issuer); - } -diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c -index fa8a6fa..1aa6fc8 100644 ---- a/lib/vtls/vtls.c -+++ b/lib/vtls/vtls.c -@@ -125,6 +125,16 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second) - return !memcmp(first->data, second->data, first->len); /* same data */ - } - -+static bool safecmp(char *a, char *b) -+{ -+ if(a && b) -+ return !strcmp(a, b); -+ else if(!a && !b) -+ return TRUE; /* match */ -+ return FALSE; /* no match */ -+} -+ -+ - bool - Curl_ssl_config_matches(struct ssl_primary_config *data, - struct ssl_primary_config *needle) -@@ -135,11 +145,13 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, - (data->verifyhost == needle->verifyhost) && - (data->verifystatus == needle->verifystatus) && - blobcmp(data->cert_blob, needle->cert_blob) && -- Curl_safe_strcasecompare(data->CApath, needle->CApath) && -- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) && -- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) && -- Curl_safe_strcasecompare(data->random_file, needle->random_file) && -- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) && -+ blobcmp(data->issuercert_blob, needle->issuercert_blob) && -+ safecmp(data->CApath, 
needle->CApath) && -+ safecmp(data->CAfile, needle->CAfile) && -+ safecmp(data->issuercert, needle->issuercert) && -+ safecmp(data->clientcert, needle->clientcert) && -+ safecmp(data->random_file, needle->random_file) && -+ safecmp(data->egdsocket, needle->egdsocket) && - Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && - Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && - Curl_safe_strcasecompare(data->curves, needle->curves) && -@@ -161,8 +173,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, - dest->sessionid = source->sessionid; - - CLONE_BLOB(cert_blob); -+ CLONE_BLOB(issuercert_blob); - CLONE_STRING(CApath); - CLONE_STRING(CAfile); -+ CLONE_STRING(issuercert); - CLONE_STRING(clientcert); - CLONE_STRING(random_file); - CLONE_STRING(egdsocket); -@@ -178,6 +192,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) - { - Curl_safefree(sslc->CApath); - Curl_safefree(sslc->CAfile); -+ Curl_safefree(sslc->issuercert); - Curl_safefree(sslc->clientcert); - Curl_safefree(sslc->random_file); - Curl_safefree(sslc->egdsocket); -@@ -185,6 +200,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) - Curl_safefree(sslc->cipher_list13); - Curl_safefree(sslc->pinned_key); - Curl_safefree(sslc->cert_blob); -+ Curl_safefree(sslc->issuercert_blob); - Curl_safefree(sslc->curves); - } - --- -2.31.1 - diff --git a/0006-curl-7.76.1-CVE-2021-22925.patch b/0006-curl-7.76.1-CVE-2021-22925.patch deleted file mode 100644 index 769f74c..0000000 --- a/0006-curl-7.76.1-CVE-2021-22925.patch +++ /dev/null 
@@ -1,47 +0,0 @@
-From 3dbac7fb8b39a4f9aa871401d9d2790f0583ba01 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Sat, 12 Jun 2021 18:25:15 +0200
-Subject: [PATCH] telnet: fix option parser to not send uninitialized contents
-
-CVE-2021-22925
-
-Reported-by: Red Hat Product Security
-Bug: https://curl.se/docs/CVE-2021-22925.html
-
-Upstream-commit: 894f6ec730597eb243618d33cc84d71add8d6a8a
-Signed-off-by: Kamil Dudka
----
- lib/telnet.c | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/lib/telnet.c b/lib/telnet.c
-index fdd137f..567c22c 100644
---- a/lib/telnet.c
-+++ b/lib/telnet.c
-@@ -922,12 +922,17 @@ static void suboption(struct Curl_easy *data)
- size_t tmplen = (strlen(v->data) + 1);
- /* Add the variable only if it fits */
- if(len + tmplen < (int)sizeof(temp)-6) {
-- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
-- msnprintf((char *)&temp[len], sizeof(temp) - len,
-- "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
-- CURL_NEW_ENV_VALUE, varval);
-- len += tmplen;
-- }
-+ int rv;
-+ char sep[2] = "";
-+ varval[0] = 0;
-+ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
-+ if(rv == 1)
-+ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
-+ "%c%s", CURL_NEW_ENV_VAR, varname);
-+ else if(rv >= 2)
-+ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
-+ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
-+ CURL_NEW_ENV_VALUE, varval);
- }
- }
- msnprintf((char *)&temp[len], sizeof(temp) - len,
---
-2.31.1
-
diff --git a/0007-curl-7.76.1-CVE-2021-22945.patch b/0007-curl-7.76.1-CVE-2021-22945.patch
deleted file mode 100644
index 4d301fc..0000000
--- a/0007-curl-7.76.1-CVE-2021-22945.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From bb7619897e53ed424e0712ca5a4c93d5fae99715 Mon Sep 17 00:00:00 2001
-From: z2_ on hackerone <>
-Date: Tue, 24 Aug 2021 09:50:33 +0200
-Subject: [PATCH] mqtt: clear the leftovers pointer when sending succeeds
-
-CVE-2021-22945
-
-Bug: https://curl.se/docs/CVE-2021-22945.html
-
-Upstream-commit: 43157490a5054bd24256fe12876931e8abc9df49
-Signed-off-by: Kamil Dudka
----
- lib/mqtt.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/lib/mqtt.c b/lib/mqtt.c
-index d88fa73..f3fc045 100644
---- a/lib/mqtt.c
-+++ b/lib/mqtt.c
-@@ -128,6 +128,10 @@ static CURLcode mqtt_send(struct Curl_easy *data,
- mq->sendleftovers = sendleftovers;
- mq->nsend = nsend;
- }
-+ else {
-+ mq->sendleftovers = NULL;
-+ mq->nsend = 0;
-+ }
- return result;
- }
-
---
-2.31.1
-
diff --git a/0008-curl-7.76.1-CVE-2021-22946.patch b/0008-curl-7.76.1-CVE-2021-22946.patch
deleted file mode 100644
index 54a5957..0000000
--- a/0008-curl-7.76.1-CVE-2021-22946.patch
+++ /dev/null
@@ -1,331 +0,0 @@ -From 64f8bdbf7da9e6b65716ce0d020c6c01d0aba77d Mon Sep 17 00:00:00 2001 -From: Patrick Monnerat -Date: Wed, 8 Sep 2021 11:56:22 +0200 -Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd - -In imap and pop3, check if TLS is required even when capabilities -request has failed. - -In ftp, ignore preauthentication (230 status of server greeting) if TLS -is required. - -Bug: https://curl.se/docs/CVE-2021-22946.html - -CVE-2021-22946 - -Upstream-commit: 364f174724ef115c63d5e5dc1d3342c8a43b1cca -Signed-off-by: Kamil Dudka ---- - lib/ftp.c | 9 ++++--- - lib/imap.c | 24 ++++++++---------- - lib/pop3.c | 33 +++++++++++------------- - tests/data/Makefile.inc | 2 ++ - tests/data/test984 | 56 +++++++++++++++++++++++++++++++++++++++++ - tests/data/test985 | 54 +++++++++++++++++++++++++++++++++++++++ - tests/data/test986 | 53 ++++++++++++++++++++++++++++++++++++++ - 7 files changed, 195 insertions(+), 36 deletions(-) - create mode 100644 tests/data/test984 - create mode 100644 tests/data/test985 - create mode 100644 tests/data/test986 - -diff --git a/lib/ftp.c b/lib/ftp.c -index 5ef1e2e..71f998e 100644 ---- a/lib/ftp.c -+++ b/lib/ftp.c -@@ -2678,9 +2678,12 @@ static CURLcode ftp_statemachine(struct Curl_easy *data, - /* we have now received a full FTP server response */ - switch(ftpc->state) { - case FTP_WAIT220: -- if(ftpcode == 230) -- /* 230 User logged in - already! */ -- return ftp_state_user_resp(data, ftpcode, ftpc->state); -+ if(ftpcode == 230) { -+ /* 230 User logged in - already! Take as 220 if TLS required. 
*/ -+ if(data->set.use_ssl <= CURLUSESSL_TRY || -+ conn->bits.ftp_use_control_ssl) -+ return ftp_state_user_resp(data, ftpcode, ftpc->state); -+ } - else if(ftpcode != 220) { - failf(data, "Got a %03d ftp-server response when 220 was expected", - ftpcode); -diff --git a/lib/imap.c b/lib/imap.c -index e50d7fd..feb7445 100644 ---- a/lib/imap.c -+++ b/lib/imap.c -@@ -935,22 +935,18 @@ static CURLcode imap_state_capability_resp(struct Curl_easy *data, - line += wordlen; - } - } -- else if(imapcode == IMAP_RESP_OK) { -- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { -- /* We don't have a SSL/TLS connection yet, but SSL is requested */ -- if(imapc->tls_supported) -- /* Switch to TLS connection now */ -- result = imap_perform_starttls(data, conn); -- else if(data->set.use_ssl == CURLUSESSL_TRY) -- /* Fallback and carry on with authentication */ -- result = imap_perform_authentication(data, conn); -- else { -- failf(data, "STARTTLS not supported."); -- result = CURLE_USE_SSL_FAILED; -- } -+ else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { -+ /* PREAUTH is not compatible with STARTTLS. 
*/ -+ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) { -+ /* Switch to TLS connection now */ -+ result = imap_perform_starttls(data, conn); - } -- else -+ else if(data->set.use_ssl <= CURLUSESSL_TRY) - result = imap_perform_authentication(data, conn); -+ else { -+ failf(data, "STARTTLS not available."); -+ result = CURLE_USE_SSL_FAILED; -+ } - } - else - result = imap_perform_authentication(data, conn); -diff --git a/lib/pop3.c b/lib/pop3.c -index 6168b12..7698d1c 100644 ---- a/lib/pop3.c -+++ b/lib/pop3.c -@@ -740,28 +740,23 @@ static CURLcode pop3_state_capa_resp(struct Curl_easy *data, int pop3code, - } - } - } -- else if(pop3code == '+') { -- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { -- /* We don't have a SSL/TLS connection yet, but SSL is requested */ -- if(pop3c->tls_supported) -- /* Switch to TLS connection now */ -- result = pop3_perform_starttls(data, conn); -- else if(data->set.use_ssl == CURLUSESSL_TRY) -- /* Fallback and carry on with authentication */ -- result = pop3_perform_authentication(data, conn); -- else { -- failf(data, "STLS not supported."); -- result = CURLE_USE_SSL_FAILED; -- } -- } -- else -- result = pop3_perform_authentication(data, conn); -- } - else { - /* Clear text is supported when CAPA isn't recognised */ -- pop3c->authtypes |= POP3_TYPE_CLEARTEXT; -+ if(pop3code != '+') -+ pop3c->authtypes |= POP3_TYPE_CLEARTEXT; - -- result = pop3_perform_authentication(data, conn); -+ if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use) -+ result = pop3_perform_authentication(data, conn); -+ else if(pop3code == '+' && pop3c->tls_supported) -+ /* Switch to TLS connection now */ -+ result = pop3_perform_starttls(data, conn); -+ else if(data->set.use_ssl <= CURLUSESSL_TRY) -+ /* Fallback and carry on with authentication */ -+ result = pop3_perform_authentication(data, conn); -+ else { -+ failf(data, "STLS not supported."); -+ result = CURLE_USE_SSL_FAILED; -+ } - } - - return result; -diff --git 
a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index d083baf..163ce59 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -117,6 +117,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \ - test954 test955 test956 test957 test958 test959 test960 test961 test962 \ - test963 test964 test965 test966 test967 test968 test969 test970 test971 \ - \ -+test984 test985 test986 \ -+\ - test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ - test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \ - test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \ -diff --git a/tests/data/test984 b/tests/data/test984 -new file mode 100644 -index 0000000..e573f23 ---- /dev/null -+++ b/tests/data/test984 -@@ -0,0 +1,56 @@ -+ -+ -+ -+IMAP -+STARTTLS -+ -+ -+ -+# -+# Server-side -+ -+ -+REPLY CAPABILITY A001 BAD Not implemented -+ -+ -+ -+# -+# Client-side -+ -+ -+SSL -+ -+ -+imap -+ -+ -+IMAP require STARTTLS with failing capabilities -+ -+ -+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd -+ -+ -+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST) -+From: Fred Foobar -+Subject: afternoon meeting -+To: joe@example.com -+Message-Id: -+MIME-Version: 1.0 -+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII -+ -+Hello Joe, do you think we can meet at 3:30 tomorrow? 
-+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+# 64 is CURLE_USE_SSL_FAILED -+ -+64 -+ -+ -+A001 CAPABILITY -+ -+ -+ -diff --git a/tests/data/test985 b/tests/data/test985 -new file mode 100644 -index 0000000..d0db4aa ---- /dev/null -+++ b/tests/data/test985 -@@ -0,0 +1,54 @@ -+ -+ -+ -+POP3 -+STARTTLS -+ -+ -+ -+# -+# Server-side -+ -+ -+REPLY CAPA -ERR Not implemented -+ -+ -+From: me@somewhere -+To: fake@nowhere -+ -+body -+ -+-- -+ yours sincerely -+ -+ -+ -+# -+# Client-side -+ -+ -+SSL -+ -+ -+pop3 -+ -+ -+POP3 require STARTTLS with failing capabilities -+ -+ -+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+# 64 is CURLE_USE_SSL_FAILED -+ -+64 -+ -+ -+CAPA -+ -+ -+ -diff --git a/tests/data/test986 b/tests/data/test986 -new file mode 100644 -index 0000000..a709437 ---- /dev/null -+++ b/tests/data/test986 -@@ -0,0 +1,53 @@ -+ -+ -+ -+FTP -+STARTTLS -+ -+ -+ -+# -+# Server-side -+ -+ -+REPLY welcome 230 Welcome -+REPLY AUTH 500 unknown command -+ -+ -+ -+# Client-side -+ -+ -+SSL -+ -+ -+ftp -+ -+ -+FTP require STARTTLS while preauthenticated -+ -+ -+data -+ to -+ see -+that FTPS -+works -+ so does it? -+ -+ -+--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -+ -+ -+ -+# Verify data after the test has been "shot" -+ -+# 64 is CURLE_USE_SSL_FAILED -+ -+64 -+ -+ -+AUTH SSL -+AUTH TLS -+ -+ -+ --- -2.31.1 - diff --git a/0009-curl-7.76.1-CVE-2021-22947.patch b/0009-curl-7.76.1-CVE-2021-22947.patch deleted file mode 100644 index 6c4cab1..0000000 --- a/0009-curl-7.76.1-CVE-2021-22947.patch +++ /dev/null 
@@ -1,354 +0,0 @@ -From a1ec463c8207bde97b3575d12e396e999a55a8d0 Mon Sep 17 00:00:00 2001 -From: Patrick Monnerat -Date: Tue, 7 Sep 2021 13:26:42 +0200 -Subject: [PATCH] ftp,imap,pop3,smtp: reject STARTTLS server response - pipelining - -If a server pipelines future responses within the STARTTLS response, the -former are preserved in the pingpong cache across TLS negotiation and -used as responses to the encrypted commands. - -This fix detects pipelined STARTTLS responses and rejects them with an -error. - -CVE-2021-22947 - -Bug: https://curl.se/docs/CVE-2021-22947.html - -Upstream-commit: 8ef147c43646e91fdaad5d0e7b60351f842e5c68 -Signed-off-by: Kamil Dudka ---- - lib/ftp.c | 3 +++ - lib/imap.c | 4 +++ - lib/pop3.c | 4 +++ - lib/smtp.c | 4 +++ - tests/data/Makefile.inc | 2 +- - tests/data/test980 | 52 ++++++++++++++++++++++++++++++++++++ - tests/data/test981 | 59 +++++++++++++++++++++++++++++++++++++++++ - tests/data/test982 | 57 +++++++++++++++++++++++++++++++++++++++ - tests/data/test983 | 52 ++++++++++++++++++++++++++++++++++++ - 9 files changed, 236 insertions(+), 1 deletion(-) - create mode 100644 tests/data/test980 - create mode 100644 tests/data/test981 - create mode 100644 tests/data/test982 - create mode 100644 tests/data/test983 - -diff --git a/lib/ftp.c b/lib/ftp.c -index 71f998e..e920138 100644 ---- a/lib/ftp.c -+++ b/lib/ftp.c -@@ -2740,6 +2740,9 @@ static CURLcode ftp_statemachine(struct Curl_easy *data, - case FTP_AUTH: - /* we have gotten the response to a previous AUTH command */ - -+ if(pp->cache_size) -+ return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. 
*/ -+ - /* RFC2228 (page 5) says: - * - * If the server is willing to accept the named security mechanism, -diff --git a/lib/imap.c b/lib/imap.c -index feb7445..09bc5d6 100644 ---- a/lib/imap.c -+++ b/lib/imap.c -@@ -964,6 +964,10 @@ static CURLcode imap_state_starttls_resp(struct Curl_easy *data, - - (void)instate; /* no use for this yet */ - -+ /* Pipelining in response is forbidden. */ -+ if(data->conn->proto.imapc.pp.cache_size) -+ return CURLE_WEIRD_SERVER_REPLY; -+ - if(imapcode != IMAP_RESP_OK) { - if(data->set.use_ssl != CURLUSESSL_TRY) { - failf(data, "STARTTLS denied"); -diff --git a/lib/pop3.c b/lib/pop3.c -index 7698d1c..dccfced 100644 ---- a/lib/pop3.c -+++ b/lib/pop3.c -@@ -771,6 +771,10 @@ static CURLcode pop3_state_starttls_resp(struct Curl_easy *data, - CURLcode result = CURLE_OK; - (void)instate; /* no use for this yet */ - -+ /* Pipelining in response is forbidden. */ -+ if(data->conn->proto.pop3c.pp.cache_size) -+ return CURLE_WEIRD_SERVER_REPLY; -+ - if(pop3code != '+') { - if(data->set.use_ssl != CURLUSESSL_TRY) { - failf(data, "STARTTLS denied"); -diff --git a/lib/smtp.c b/lib/smtp.c -index 1defb25..1f89777 100644 ---- a/lib/smtp.c -+++ b/lib/smtp.c -@@ -834,6 +834,10 @@ static CURLcode smtp_state_starttls_resp(struct Curl_easy *data, - CURLcode result = CURLE_OK; - (void)instate; /* no use for this yet */ - -+ /* Pipelining in response is forbidden. 
*/ -+ if(data->conn->proto.smtpc.pp.cache_size) -+ return CURLE_WEIRD_SERVER_REPLY; -+ - if(smtpcode != 220) { - if(data->set.use_ssl != CURLUSESSL_TRY) { - failf(data, "STARTTLS denied, code %d", smtpcode); -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index 163ce59..42b0569 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -117,7 +117,7 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \ - test954 test955 test956 test957 test958 test959 test960 test961 test962 \ - test963 test964 test965 test966 test967 test968 test969 test970 test971 \ - \ --test984 test985 test986 \ -+test980 test981 test982 test983 test984 test985 test986 \ - \ - test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ - test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \ -diff --git a/tests/data/test980 b/tests/data/test980 -new file mode 100644 -index 0000000..97567f8 ---- /dev/null -+++ b/tests/data/test980 -@@ -0,0 +1,52 @@ -+ -+ -+ -+SMTP -+STARTTLS -+ -+ -+ -+# -+# Server-side -+ -+ -+CAPA STARTTLS -+AUTH PLAIN -+REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted -+REPLY AUTH 535 5.7.8 Authentication credentials invalid -+ -+ -+ -+# -+# Client-side -+ -+ -+SSL -+ -+ -+smtp -+ -+ -+SMTP STARTTLS pipelined server response -+ -+ -+mail body -+ -+ -+smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T - -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+# 8 is CURLE_WEIRD_SERVER_REPLY -+ -+8 -+ -+ -+EHLO %TESTNUMBER -+STARTTLS -+ -+ -+ -diff --git a/tests/data/test981 b/tests/data/test981 -new file mode 100644 -index 0000000..2b98ce4 ---- /dev/null -+++ b/tests/data/test981 -@@ -0,0 +1,59 @@ -+ -+ -+ -+IMAP -+STARTTLS -+ -+ -+ -+# -+# Server-side -+ -+ -+CAPA STARTTLS -+REPLY STARTTLS A002 BAD 
currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted -+REPLY LOGIN A003 BAD Authentication credentials invalid -+ -+ -+ -+# -+# Client-side -+ -+ -+SSL -+ -+ -+imap -+ -+ -+IMAP STARTTLS pipelined server response -+ -+ -+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl -+ -+ -+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST) -+From: Fred Foobar -+Subject: afternoon meeting -+To: joe@example.com -+Message-Id: -+MIME-Version: 1.0 -+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII -+ -+Hello Joe, do you think we can meet at 3:30 tomorrow? -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+# 8 is CURLE_WEIRD_SERVER_REPLY -+ -+8 -+ -+ -+A001 CAPABILITY -+A002 STARTTLS -+ -+ -+ -diff --git a/tests/data/test982 b/tests/data/test982 -new file mode 100644 -index 0000000..9e07cc0 ---- /dev/null -+++ b/tests/data/test982 -@@ -0,0 +1,57 @@ -+ -+ -+ -+POP3 -+STARTTLS -+ -+ -+ -+# -+# Server-side -+ -+ -+CAPA STLS USER -+REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated -+REPLY PASS -ERR Authentication credentials invalid -+ -+ -+From: me@somewhere -+To: fake@nowhere -+ -+body -+ -+-- -+ yours sincerely -+ -+ -+ -+# -+# Client-side -+ -+ -+SSL -+ -+ -+pop3 -+ -+ -+POP3 STARTTLS pipelined server response -+ -+ -+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+# 8 is CURLE_WEIRD_SERVER_REPLY -+ -+8 -+ -+ -+CAPA -+STLS -+ -+ -+ -diff --git a/tests/data/test983 b/tests/data/test983 -new file mode 100644 -index 0000000..300ec45 ---- /dev/null -+++ b/tests/data/test983 -@@ -0,0 +1,52 @@ -+ -+ -+ -+FTP -+STARTTLS -+ -+ -+ -+# -+# Server-side -+ -+ -+REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete -+REPLY PASS 530 Login incorrect -+ -+ -+ -+# Client-side -+ -+ -+SSL -+ -+ -+ftp -+ -+ -+FTP STARTTLS pipelined server 
response -+ -+ -+data -+ to -+ see -+that FTPS -+works -+ so does it? -+ -+ -+--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP -+ -+ -+ -+# Verify data after the test has been "shot" -+ -+# 8 is CURLE_WEIRD_SERVER_REPLY -+ -+8 -+ -+ -+AUTH SSL -+ -+ -+ --- -2.31.1 - diff --git a/0010-curl-7.76.1-CVE-2022-22576.patch b/0010-curl-7.76.1-CVE-2022-22576.patch deleted file mode 100644 index 90c94c7..0000000 --- a/0010-curl-7.76.1-CVE-2022-22576.patch +++ /dev/null 
@@ -1,148 +0,0 @@ -From 85d1103c2fc0c9b1bdfae470dbafd45758e1c2f0 Mon Sep 17 00:00:00 2001 -From: Patrick Monnerat -Date: Mon, 25 Apr 2022 11:44:05 +0200 -Subject: [PATCH] url: check sasl additional parameters for connection reuse. - -Also move static function safecmp() as non-static Curl_safecmp() since -its purpose is needed at several places. - -Bug: https://curl.se/docs/CVE-2022-22576.html - -CVE-2022-22576 - -Closes #8746 - -Upstream-commit: 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425 -Signed-off-by: Kamil Dudka ---- - lib/strcase.c | 10 ++++++++++ - lib/strcase.h | 2 ++ - lib/url.c | 13 ++++++++++++- - lib/urldata.h | 1 + - lib/vtls/vtls.c | 21 ++++++--------------- - 5 files changed, 31 insertions(+), 16 deletions(-) - -diff --git a/lib/strcase.c b/lib/strcase.c -index dd46ca1..692a3f1 100644 ---- a/lib/strcase.c -+++ b/lib/strcase.c -@@ -251,6 +251,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n) - } while(*src++ && --n); - } - -+/* Compare case-sensitive NUL-terminated strings, taking care of possible -+ * null pointers. Return true if arguments match. 
-+ */ -+bool Curl_safecmp(char *a, char *b) -+{ -+ if(a && b) -+ return !strcmp(a, b); -+ return !a && !b; -+} -+ - /* --- public functions --- */ - - int curl_strequal(const char *first, const char *second) -diff --git a/lib/strcase.h b/lib/strcase.h -index b628656..382b80a 100644 ---- a/lib/strcase.h -+++ b/lib/strcase.h -@@ -48,4 +48,6 @@ char Curl_raw_toupper(char in); - void Curl_strntoupper(char *dest, const char *src, size_t n); - void Curl_strntolower(char *dest, const char *src, size_t n); - -+bool Curl_safecmp(char *a, char *b); -+ - #endif /* HEADER_CURL_STRCASE_H */ -diff --git a/lib/url.c b/lib/url.c -index adef2cd..94e3406 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -768,6 +768,7 @@ static void conn_free(struct connectdata *conn) - Curl_safefree(conn->passwd); - Curl_safefree(conn->sasl_authzid); - Curl_safefree(conn->options); -+ Curl_safefree(conn->oauth_bearer); - Curl_dyn_free(&conn->trailer); - Curl_safefree(conn->host.rawalloc); /* host name buffer */ - Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */ -@@ -1310,7 +1311,9 @@ ConnectionExists(struct Curl_easy *data, - /* This protocol requires credentials per connection, - so verify that we're using the same name and password as well */ - if(strcmp(needle->user, check->user) || -- strcmp(needle->passwd, check->passwd)) { -+ strcmp(needle->passwd, check->passwd) || -+ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || -+ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { - /* one of them was different */ - continue; - } -@@ -3554,6 +3557,14 @@ static CURLcode create_conn(struct Curl_easy *data, - } - } - -+ if(data->set.str[STRING_BEARER]) { -+ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]); -+ if(!conn->oauth_bearer) { -+ result = CURLE_OUT_OF_MEMORY; -+ goto out; -+ } -+ } -+ - #ifdef USE_UNIX_SOCKETS - if(data->set.str[STRING_UNIX_SOCKET_PATH]) { - conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]); -diff --git 
a/lib/urldata.h b/lib/urldata.h -index cc8a600..03da59a 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -991,6 +991,7 @@ struct connectdata { - char *passwd; /* password string, allocated */ - char *options; /* options string, allocated */ - char *sasl_authzid; /* authorisation identity string, allocated */ -+ char *oauth_bearer; /* OAUTH2 bearer, allocated */ - unsigned char httpversion; /* the HTTP version*10 reported by the server */ - struct curltime now; /* "current" time */ - struct curltime created; /* creation time */ -diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c -index 03b85ba..a40ac06 100644 ---- a/lib/vtls/vtls.c -+++ b/lib/vtls/vtls.c -@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second) - return !memcmp(first->data, second->data, first->len); /* same data */ - } - --static bool safecmp(char *a, char *b) --{ -- if(a && b) -- return !strcmp(a, b); -- else if(!a && !b) -- return TRUE; /* match */ -- return FALSE; /* no match */ --} -- - - bool - Curl_ssl_config_matches(struct ssl_primary_config *data, -@@ -146,12 +137,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, - (data->verifystatus == needle->verifystatus) && - blobcmp(data->cert_blob, needle->cert_blob) && - blobcmp(data->issuercert_blob, needle->issuercert_blob) && -- safecmp(data->CApath, needle->CApath) && -- safecmp(data->CAfile, needle->CAfile) && -- safecmp(data->issuercert, needle->issuercert) && -- safecmp(data->clientcert, needle->clientcert) && -- safecmp(data->random_file, needle->random_file) && -- safecmp(data->egdsocket, needle->egdsocket) && -+ Curl_safecmp(data->CApath, needle->CApath) && -+ Curl_safecmp(data->CAfile, needle->CAfile) && -+ Curl_safecmp(data->issuercert, needle->issuercert) && -+ Curl_safecmp(data->clientcert, needle->clientcert) && -+ Curl_safecmp(data->random_file, needle->random_file) && -+ Curl_safecmp(data->egdsocket, needle->egdsocket) && - Curl_safe_strcasecompare(data->cipher_list, 
needle->cipher_list) && - Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && - Curl_safe_strcasecompare(data->curves, needle->curves) && --- -2.34.1 - diff --git a/0011-curl-7.76.1-CVE-2022-27775.patch b/0011-curl-7.76.1-CVE-2022-27775.patch deleted file mode 100644 index 769a0fd..0000000 --- a/0011-curl-7.76.1-CVE-2022-27775.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 187d0795030ccb4f410eb6089e265ac3571e56dd Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 25 Apr 2022 11:48:00 +0200 -Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey - -Make connections to two separate IPv6 zone ids create separate -connections. - -Reported-by: Harry Sintonen -Bug: https://curl.se/docs/CVE-2022-27775.html -Closes #8747 - -Upstream-commit: 058f98dc3fe595f21dc26a5b9b1699e519ba5705 -Signed-off-by: Kamil Dudka ---- - lib/conncache.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/lib/conncache.c b/lib/conncache.c -index cd5756a..9b9f683 100644 ---- a/lib/conncache.c -+++ b/lib/conncache.c -@@ -159,8 +159,12 @@ static void hashkey(struct connectdata *conn, char *buf, - /* report back which name we used */ - *hostp = hostname; - -- /* put the number first so that the hostname gets cut off if too long */ -- msnprintf(buf, len, "%ld%s", port, hostname); -+ /* put the numbers first so that the hostname gets cut off if too long */ -+#ifdef ENABLE_IPV6 -+ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname); -+#else -+ msnprintf(buf, len, "%ld/%s", port, hostname); -+#endif - } - - /* Returns number of connections currently held in the connection cache. --- -2.34.1 - diff --git a/0012-curl-7.76.1-CVE-2022-27776.patch b/0012-curl-7.76.1-CVE-2022-27776.patch deleted file mode 100644 index 7dd5fdf..0000000 --- a/0012-curl-7.76.1-CVE-2022-27776.patch +++ /dev/null 
@@ -1,243 +0,0 @@ -From 2be87227d4b4024c91ff6c856520cac9c9619555 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 25 Apr 2022 13:05:40 +0200 -Subject: [PATCH 1/2] http: avoid auth/cookie on redirects same host diff port - -CVE-2022-27776 - -Reported-by: Harry Sintonen -Bug: https://curl.se/docs/CVE-2022-27776.html -Closes #8749 - -Upstream-commit: 6e659993952aa5f90f48864be84a1bbb047fc258 -Signed-off-by: Kamil Dudka ---- - lib/http.c | 33 +++++++++++++++++++++------------ - lib/urldata.h | 16 +++++++++------- - 2 files changed, 30 insertions(+), 19 deletions(-) - -diff --git a/lib/http.c b/lib/http.c -index 799d4fb..0791dcf 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data, - return CURLE_OK; - } - -+/* -+ * allow_auth_to_host() tells if autentication, cookies or other "sensitive -+ * data" can (still) be sent to this host. -+ */ -+static bool allow_auth_to_host(struct Curl_easy *data) -+{ -+ struct connectdata *conn = data->conn; -+ return (!data->state.this_is_a_follow || -+ data->set.allow_auth_to_other_hosts || -+ (data->state.first_host && -+ strcasecompare(data->state.first_host, conn->host.name) && -+ (data->state.first_remote_port == conn->remote_port) && -+ (data->state.first_remote_protocol == conn->handler->protocol))); -+} -+ - /** - * Curl_http_output_auth() setups the authentication headers for the - * host/proxy and the correct authentication -@@ -847,15 +862,11 @@ Curl_http_output_auth(struct Curl_easy *data, - with it */ - authproxy->done = TRUE; - -- /* To prevent the user+password to get sent to other than the original -- host due to a location-follow, we do some weirdo checks here */ -- if(!data->state.this_is_a_follow || -- conn->bits.netrc || -- !data->state.first_host || -- data->set.allow_auth_to_other_hosts || -- strcasecompare(data->state.first_host, conn->host.name)) { -+ /* To prevent the user+password to get sent to other than the original host -+ due to a 
location-follow */ -+ if(allow_auth_to_host(data) -+ || conn->bits.netrc) - result = output_auth_headers(data, conn, authhost, request, path, FALSE); -- } - else - authhost->done = TRUE; - -@@ -1906,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, - checkprefix("Cookie:", compare)) && - /* be careful of sending this potentially sensitive header to - other hosts */ -- (data->state.this_is_a_follow && -- data->state.first_host && -- !data->set.allow_auth_to_other_hosts && -- !strcasecompare(data->state.first_host, conn->host.name))) -+ !allow_auth_to_host(data)) - ; - else { - #ifdef USE_HYPER -@@ -2081,6 +2089,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn) - return CURLE_OUT_OF_MEMORY; - - data->state.first_remote_port = conn->remote_port; -+ data->state.first_remote_protocol = conn->handler->protocol; - } - Curl_safefree(data->state.aptr.host); - -diff --git a/lib/urldata.h b/lib/urldata.h -index 03da59a..f92052a 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -1336,14 +1336,16 @@ struct UrlState { - char *ulbuf; /* allocated upload buffer or NULL */ - curl_off_t current_speed; /* the ProgressShow() function sets this, - bytes / second */ -- char *first_host; /* host name of the first (not followed) request. -- if set, this should be the host name that we will -- sent authorization to, no else. Used to make Location: -- following not keep sending user+password... This is -- strdup() data. -- */ -+ -+ /* host name, port number and protocol of the first (not followed) request. -+ if set, this should be the host name that we will sent authorization to, -+ no else. Used to make Location: following not keep sending user+password. -+ This is strdup()ed data. 
*/ -+ char *first_host; -+ int first_remote_port; -+ unsigned int first_remote_protocol; -+ - int retrycount; /* number of retries on a new connection */ -- int first_remote_port; /* remote port of the first (not followed) request */ - struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */ - long sessionage; /* number of the most recent session */ - struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */ --- -2.34.1 - - -From c0d12f1634785596746e5d461319dcb95b5b6ae8 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 25 Apr 2022 13:05:47 +0200 -Subject: [PATCH 2/2] test898: verify the fix for CVE-2022-27776 - -Do not pass on Authorization headers on redirects to another port - -Upstream-commit: afe752e0504ab60bf63787ede0b992cbe1065f78 -Signed-off-by: Kamil Dudka ---- - tests/data/Makefile.inc | 2 +- - tests/data/test898 | 90 +++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 91 insertions(+), 1 deletion(-) - create mode 100644 tests/data/test898 - -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index 59d46bc..7ae2cf8 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -106,7 +106,7 @@ test854 test855 test856 test857 test858 test859 test860 test861 test862 \ - test863 test864 test865 test866 test867 test868 test869 test870 test871 \ - test872 test873 test874 test875 test876 test877 test878 test879 test880 \ - test881 test882 test883 test884 test885 test886 test887 test888 test889 \ --test890 test891 test892 test893 test894 test895 test896 \ -+test890 test891 test892 test893 test894 test895 test896 test898 \ - \ - test900 test901 test902 test903 test904 test905 test906 test907 test908 \ - test909 test910 test911 test912 test913 test914 test915 test916 test917 \ -diff --git a/tests/data/test898 b/tests/data/test898 -new file mode 100644 -index 0000000..5cbb7d8 ---- /dev/null -+++ b/tests/data/test898 -@@ -0,0 +1,90 @@ -+ -+ -+ -+HTTP -+--location -+Authorization -+Cookie -+ -+ -+ -+# -+# 
Server-side -+ -+ -+HTTP/1.1 301 redirect -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Content-Length: 0 -+Connection: close -+Content-Type: text/html -+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 -+ -+ -+ -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Content-Length: 4 -+Connection: close -+Content-Type: text/html -+ -+hey -+ -+ -+ -+HTTP/1.1 301 redirect -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Content-Length: 0 -+Connection: close -+Content-Type: text/html -+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 -+ -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Content-Length: 4 -+Connection: close -+Content-Type: text/html -+ -+hey -+ -+ -+ -+ -+# -+# Client-side -+ -+ -+http -+ -+ -+HTTP with custom auth and cookies redirected to HTTP on a diff port -+ -+ -+-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -H "Authorization: Basic am9lOnNlY3JldA==" -H "Cookie: userpwd=am9lOnNlY3JldA==" -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+GET http://firsthost.com/ HTTP/1.1 -+Host: firsthost.com -+User-Agent: curl/%VERSION -+Accept: */* -+Proxy-Connection: Keep-Alive -+Authorization: Basic am9lOnNlY3JldA== -+Cookie: userpwd=am9lOnNlY3JldA== -+ -+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1 -+Host: firsthost.com:9999 -+User-Agent: curl/%VERSION -+Accept: */* -+Proxy-Connection: Keep-Alive -+ -+ -+ -+ --- -2.34.1 - diff --git a/0013-curl-7.76.1-CVE-2022-27774.patch b/0013-curl-7.76.1-CVE-2022-27774.patch deleted file mode 100644 index a911611..0000000 --- a/0013-curl-7.76.1-CVE-2022-27774.patch +++ /dev/null 
@@ -1,635 +0,0 @@ -From ecee0926868d138312e9608531b232f697e50cad Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 25 Apr 2022 16:24:33 +0200 -Subject: [PATCH 1/4] connect: store "conn_remote_port" in the info struct - -To make it available after the connection ended. - -Upstream-commit: 08b8ef4e726ba10f45081ecda5b3cea788d3c839 -Signed-off-by: Kamil Dudka ---- - lib/connect.c | 1 + - lib/urldata.h | 6 +++++- - 2 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/lib/connect.c b/lib/connect.c -index 64f9511..7518807 100644 ---- a/lib/connect.c -+++ b/lib/connect.c -@@ -619,6 +619,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn, - data->info.conn_scheme = conn->handler->scheme; - data->info.conn_protocol = conn->handler->protocol; - data->info.conn_primary_port = conn->port; -+ data->info.conn_remote_port = conn->remote_port; - data->info.conn_local_port = local_port; - } - -diff --git a/lib/urldata.h b/lib/urldata.h -index f92052a..5218f76 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -1167,7 +1167,11 @@ struct PureInfo { - reused, in the connection cache. */ - - char conn_primary_ip[MAX_IPADR_LEN]; -- int conn_primary_port; -+ int conn_primary_port; /* this is the destination port to the connection, -+ which might have been a proxy */ -+ int conn_remote_port; /* this is the "remote port", which is the port -+ number of the used URL, independent of proxy or -+ not */ - char conn_local_ip[MAX_IPADR_LEN]; - int conn_local_port; - const char *conn_scheme; --- -2.34.1 - - -From 12c129f8d0b165d83ed954f68717d88ffc1cfc5f Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 25 Apr 2022 16:24:33 +0200 -Subject: [PATCH 2/4] transfer: redirects to other protocols or ports clear - auth - -... unless explicitly permitted. 
- -Bug: https://curl.se/docs/CVE-2022-27774.html -Reported-by: Harry Sintonen -Closes #8748 - -Upstream-commit: 620ea21410030a9977396b4661806bc187231b79 -Signed-off-by: Kamil Dudka ---- - lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 48 insertions(+), 1 deletion(-) - -diff --git a/lib/transfer.c b/lib/transfer.c -index 1f8019b..752fe14 100644 ---- a/lib/transfer.c -+++ b/lib/transfer.c -@@ -1641,10 +1641,57 @@ CURLcode Curl_follow(struct Curl_easy *data, - return CURLE_OUT_OF_MEMORY; - } - else { -- - uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0); - if(uc) - return Curl_uc_to_curlcode(uc); -+ -+ /* Clear auth if this redirects to a different port number or protocol, -+ unless permitted */ -+ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) { -+ char *portnum; -+ int port; -+ bool clear = FALSE; -+ -+ if(data->set.use_port && data->state.allow_port) -+ /* a custom port is used */ -+ port = (int)data->set.use_port; -+ else { -+ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum, -+ CURLU_DEFAULT_PORT); -+ if(uc) { -+ free(newurl); -+ return Curl_uc_to_curlcode(uc); -+ } -+ port = atoi(portnum); -+ free(portnum); -+ } -+ if(port != data->info.conn_remote_port) { -+ infof(data, "Clear auth, redirects to port from %u to %u", -+ data->info.conn_remote_port, port); -+ clear = TRUE; -+ } -+ else { -+ char *scheme; -+ const struct Curl_handler *p; -+ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0); -+ if(uc) { -+ free(newurl); -+ return Curl_uc_to_curlcode(uc); -+ } -+ -+ p = Curl_builtin_scheme(scheme); -+ if(p && (p->protocol != data->info.conn_protocol)) { -+ infof(data, "Clear auth, redirects scheme from %s to %s", -+ data->info.conn_scheme, scheme); -+ clear = TRUE; -+ } -+ free(scheme); -+ } -+ if(clear) { -+ Curl_safefree(data->state.aptr.user); -+ Curl_safefree(data->state.aptr.passwd); -+ } -+ } - } - - if(type == FOLLOW_FAKE) { --- -2.34.1 - - -From 
83bf4314d88cc16469afeaaefd6686a50371d1b7 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 25 Apr 2022 16:24:33 +0200 -Subject: [PATCH 3/4] tests: verify the fix for CVE-2022-27774 - - - Test 973 redirects from HTTP to FTP, clear auth - - Test 974 redirects from HTTP to HTTP different port, clear auth - - Test 975 redirects from HTTP to FTP, permitted to keep auth - - Test 976 redirects from HTTP to HTTP different port, permitted to keep - auth - -Upstream-commit: 5295e8d64ac6949ecb3f9e564317a608f51b90d8 -Signed-off-by: Kamil Dudka ---- - tests/data/Makefile.inc | 1 + - tests/data/test973 | 88 +++++++++++++++++++++++++++++++++++++++++ - tests/data/test974 | 87 ++++++++++++++++++++++++++++++++++++++++ - tests/data/test975 | 88 +++++++++++++++++++++++++++++++++++++++++ - tests/data/test976 | 88 +++++++++++++++++++++++++++++++++++++++++ - 5 files changed, 352 insertions(+) - create mode 100644 tests/data/test973 - create mode 100644 tests/data/test974 - create mode 100644 tests/data/test975 - create mode 100644 tests/data/test976 - -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index 7ae2cf8..175fc43 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -116,6 +116,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \ - test945 test946 test947 test948 test949 test950 test951 test952 test953 \ - test954 test955 test956 test957 test958 test959 test960 test961 test962 \ - test963 test964 test965 test966 test967 test968 test969 test970 test971 \ -+test973 test974 test975 test976 \ - \ - test980 test981 test982 test983 test984 test985 test986 \ - \ -diff --git a/tests/data/test973 b/tests/data/test973 -new file mode 100644 -index 0000000..6ced107 ---- /dev/null -+++ b/tests/data/test973 -@@ -0,0 +1,88 @@ -+ -+ -+ -+HTTP -+FTP -+--location -+ -+ -+ -+# -+# Server-side -+ -+ -+HTTP/1.1 301 redirect -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Content-Length: 0 -+Connection: close 
-+Content-Type: text/html -+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 -+ -+ -+ -+data -+ to -+ see -+that FTP -+works -+ so does it? -+ -+ -+ -+HTTP/1.1 301 redirect -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Content-Length: 0 -+Connection: close -+Content-Type: text/html -+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 -+ -+data -+ to -+ see -+that FTP -+works -+ so does it? -+ -+ -+ -+ -+# -+# Client-side -+ -+ -+http -+ftp -+ -+ -+HTTP with auth redirected to FTP w/o auth -+ -+ -+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -L -u joe:secret -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+GET /%TESTNUMBER HTTP/1.1 -+Host: %HOSTIP:%HTTPPORT -+Authorization: Basic am9lOnNlY3JldA== -+User-Agent: curl/%VERSION -+Accept: */* -+ -+USER anonymous -+PASS ftp@example.com -+PWD -+CWD a -+CWD path -+EPSV -+TYPE I -+SIZE %TESTNUMBER0002 -+RETR %TESTNUMBER0002 -+QUIT -+ -+ -+ -diff --git a/tests/data/test974 b/tests/data/test974 -new file mode 100644 -index 0000000..ac4e641 ---- /dev/null -+++ b/tests/data/test974 -@@ -0,0 +1,87 @@ -+ -+ -+ -+HTTP -+--location -+ -+ -+ -+# -+# Server-side -+ -+ -+HTTP/1.1 301 redirect -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Content-Length: 0 -+Connection: close -+Content-Type: text/html -+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 -+ -+ -+ -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Content-Length: 4 -+Connection: close -+Content-Type: text/html -+ -+hey -+ -+ -+ -+HTTP/1.1 301 redirect -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Content-Length: 0 -+Connection: close -+Content-Type: text/html -+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 -+ -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Content-Length: 4 -+Connection: close -+Content-Type: text/html -+ -+hey -+ -+ -+ -+ -+# -+# Client-side -+ -+ -+http -+ -+ -+HTTP with auth 
redirected to HTTP on a diff port w/o auth -+ -+ -+-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -u joe:secret -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+GET http://firsthost.com/ HTTP/1.1 -+Host: firsthost.com -+Authorization: Basic am9lOnNlY3JldA== -+User-Agent: curl/%VERSION -+Accept: */* -+Proxy-Connection: Keep-Alive -+ -+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1 -+Host: firsthost.com:9999 -+User-Agent: curl/%VERSION -+Accept: */* -+Proxy-Connection: Keep-Alive -+ -+ -+ -+ -diff --git a/tests/data/test975 b/tests/data/test975 -new file mode 100644 -index 0000000..85e03e4 ---- /dev/null -+++ b/tests/data/test975 -@@ -0,0 +1,88 @@ -+ -+ -+ -+HTTP -+FTP -+--location-trusted -+ -+ -+ -+# -+# Server-side -+ -+ -+HTTP/1.1 301 redirect -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Content-Length: 0 -+Connection: close -+Content-Type: text/html -+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 -+ -+ -+ -+data -+ to -+ see -+that FTP -+works -+ so does it? -+ -+ -+ -+HTTP/1.1 301 redirect -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Content-Length: 0 -+Connection: close -+Content-Type: text/html -+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 -+ -+data -+ to -+ see -+that FTP -+works -+ so does it? 
-+ -+ -+ -+ -+# -+# Client-side -+ -+ -+http -+ftp -+ -+ -+HTTP with auth redirected to FTP allowing auth to continue -+ -+ -+http://%HOSTIP:%HTTPPORT/%TESTNUMBER --location-trusted -u joe:secret -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+GET /%TESTNUMBER HTTP/1.1 -+Host: %HOSTIP:%HTTPPORT -+Authorization: Basic am9lOnNlY3JldA== -+User-Agent: curl/%VERSION -+Accept: */* -+ -+USER joe -+PASS secret -+PWD -+CWD a -+CWD path -+EPSV -+TYPE I -+SIZE %TESTNUMBER0002 -+RETR %TESTNUMBER0002 -+QUIT -+ -+ -+ -diff --git a/tests/data/test976 b/tests/data/test976 -new file mode 100644 -index 0000000..c4dd61e ---- /dev/null -+++ b/tests/data/test976 -@@ -0,0 +1,88 @@ -+ -+ -+ -+HTTP -+--location-trusted -+ -+ -+ -+# -+# Server-side -+ -+ -+HTTP/1.1 301 redirect -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Content-Length: 0 -+Connection: close -+Content-Type: text/html -+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 -+ -+ -+ -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Content-Length: 4 -+Connection: close -+Content-Type: text/html -+ -+hey -+ -+ -+ -+HTTP/1.1 301 redirect -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Content-Length: 0 -+Connection: close -+Content-Type: text/html -+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 -+ -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Content-Length: 4 -+Connection: close -+Content-Type: text/html -+ -+hey -+ -+ -+ -+ -+# -+# Client-side -+ -+ -+http -+ -+ -+HTTP with auth redirected to HTTP on a diff port --location-trusted -+ -+ -+-x http://%HOSTIP:%HTTPPORT http://firsthost.com --location-trusted -u joe:secret -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+GET http://firsthost.com/ HTTP/1.1 -+Host: firsthost.com -+Authorization: Basic am9lOnNlY3JldA== -+User-Agent: curl/%VERSION -+Accept: */* -+Proxy-Connection: Keep-Alive -+ -+GET 
http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1 -+Host: firsthost.com:9999 -+Authorization: Basic am9lOnNlY3JldA== -+User-Agent: curl/%VERSION -+Accept: */* -+Proxy-Connection: Keep-Alive -+ -+ -+ -+ --- -2.34.1 - - -From 443ce415aa60caaf8b1c9b0b71fff8d26263daca Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 25 Apr 2022 17:59:15 +0200 -Subject: [PATCH 4/4] openssl: don't leak the SRP credentials in redirects - either - -Follow-up to 620ea21410030 - -Reported-by: Harry Sintonen -Closes #8751 - -Upstream-commit: 139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08 -Signed-off-by: Kamil Dudka ---- - lib/http.c | 10 +++++----- - lib/http.h | 6 ++++++ - lib/vtls/openssl.c | 3 ++- - 3 files changed, 13 insertions(+), 6 deletions(-) - -diff --git a/lib/http.c b/lib/http.c -index 0791dcf..4433824 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data, - } - - /* -- * allow_auth_to_host() tells if autentication, cookies or other "sensitive -- * data" can (still) be sent to this host. -+ * Curl_allow_auth_to_host() tells if authentication, cookies or other -+ * "sensitive data" can (still) be sent to this host. 
- */ --static bool allow_auth_to_host(struct Curl_easy *data) -+bool Curl_allow_auth_to_host(struct Curl_easy *data) - { - struct connectdata *conn = data->conn; - return (!data->state.this_is_a_follow || -@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data, - - /* To prevent the user+password to get sent to other than the original host - due to a location-follow */ -- if(allow_auth_to_host(data) -+ if(Curl_allow_auth_to_host(data) - || conn->bits.netrc) - result = output_auth_headers(data, conn, authhost, request, path, FALSE); - else -@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, - checkprefix("Cookie:", compare)) && - /* be careful of sending this potentially sensitive header to - other hosts */ -- !allow_auth_to_host(data)) -+ !Curl_allow_auth_to_host(data)) - ; - else { - #ifdef USE_HYPER -diff --git a/lib/http.h b/lib/http.h -index 07e963d..9000bae 100644 ---- a/lib/http.h -+++ b/lib/http.h -@@ -317,4 +317,10 @@ Curl_http_output_auth(struct Curl_easy *data, - bool proxytunnel); /* TRUE if this is the request setting - up the proxy tunnel */ - -+/* -+ * Curl_allow_auth_to_host() tells if authentication, cookies or other -+ * "sensitive data" can (still) be sent to this host. -+ */ -+bool Curl_allow_auth_to_host(struct Curl_easy *data); -+ - #endif /* HEADER_CURL_HTTP_H */ -diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c -index 1bafe96..97c5666 100644 ---- a/lib/vtls/openssl.c -+++ b/lib/vtls/openssl.c -@@ -2857,7 +2857,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, - #endif - - #ifdef USE_OPENSSL_SRP -- if(ssl_authtype == CURL_TLSAUTH_SRP) { -+ if((ssl_authtype == CURL_TLSAUTH_SRP) && -+ Curl_allow_auth_to_host(data)) { - char * const ssl_username = SSL_SET_OPTION(username); - - infof(data, "Using TLS-SRP username: %s\n", ssl_username); --- -2.34.1 - diff --git a/0014-curl-7.76.1-CVE-2022-27782.patch b/0014-curl-7.76.1-CVE-2022-27782.patch deleted file mode 100644 index 515ebd3..0000000 
--- a/0014-curl-7.76.1-CVE-2022-27782.patch +++ /dev/null 
@@ -1,461 +0,0 @@ -From 50481ac42b4beae6ea85345e37b051124ac00f11 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Fri, 28 Jan 2022 16:48:38 +0100 -Subject: [PATCH 1/3] setopt: fix the TLSAUTH #ifdefs for proxy-disabled builds - -Closes #8350 - -Upstream-commit: 96629ba2c212cda2bd1b7b04e2a9fc01ef70b75d -Signed-off-by: Kamil Dudka ---- - lib/setopt.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/lib/setopt.c b/lib/setopt.c -index 08827d1..9eaa187 100644 ---- a/lib/setopt.c -+++ b/lib/setopt.c -@@ -5,7 +5,7 @@ - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * -- * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al. -+ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms -@@ -2699,30 +2699,30 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) - if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) - data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ - break; -+#ifndef CURL_DISABLE_PROXY - case CURLOPT_PROXY_TLSAUTH_USERNAME: - result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], - va_arg(param, char *)); --#ifndef CURL_DISABLE_PROXY - if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && - !data->set.proxy_ssl.authtype) - data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ --#endif - break; -+#endif - case CURLOPT_TLSAUTH_PASSWORD: - result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD], - va_arg(param, char *)); - if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) - data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ - break; -+#ifndef CURL_DISABLE_PROXY - case CURLOPT_PROXY_TLSAUTH_PASSWORD: - result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], - va_arg(param, char *)); --#ifndef CURL_DISABLE_PROXY - 
if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && - !data->set.proxy_ssl.authtype) - data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ --#endif - break; -+#endif - case CURLOPT_TLSAUTH_TYPE: - argptr = va_arg(param, char *); - if(!argptr || --- -2.34.1 - - -From 931fbabcae0b5d1a91657e6bb85f4f23fce7ac3d Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 9 May 2022 23:13:53 +0200 -Subject: [PATCH 2/3] tls: check more TLS details for connection reuse - -CVE-2022-27782 - -Reported-by: Harry Sintonen -Bug: https://curl.se/docs/CVE-2022-27782.html -Closes #8825 - -Upstream-commit: f18af4f874cecab82a9797e8c7541e0990c7a64c -Signed-off-by: Kamil Dudka ---- - lib/setopt.c | 29 +++++++++++++++++------------ - lib/url.c | 23 ++++++++++++++++------- - lib/urldata.h | 13 +++++++------ - lib/vtls/openssl.c | 10 +++++----- - lib/vtls/vtls.c | 21 +++++++++++++++++++++ - 5 files changed, 66 insertions(+), 30 deletions(-) - -diff --git a/lib/setopt.c b/lib/setopt.c -index 8e1bf12..7aa6fdb 100644 ---- a/lib/setopt.c -+++ b/lib/setopt.c -@@ -2268,6 +2268,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) - - case CURLOPT_SSL_OPTIONS: - arg = va_arg(param, long); -+ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff); - data->set.ssl.enable_beast = - (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE); - data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); -@@ -2281,6 +2282,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) - #ifndef CURL_DISABLE_PROXY - case CURLOPT_PROXY_SSL_OPTIONS: - arg = va_arg(param, long); -+ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff); - data->set.proxy_ssl.enable_beast = - (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? 
TRUE : FALSE); - data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); -@@ -2696,49 +2698,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) - case CURLOPT_TLSAUTH_USERNAME: - result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME], - va_arg(param, char *)); -- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) -- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ -+ if(data->set.str[STRING_TLSAUTH_USERNAME] && -+ !data->set.ssl.primary.authtype) -+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ - break; - #ifndef CURL_DISABLE_PROXY - case CURLOPT_PROXY_TLSAUTH_USERNAME: - result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], - va_arg(param, char *)); - if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && -- !data->set.proxy_ssl.authtype) -- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ -+ !data->set.proxy_ssl.primary.authtype) -+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to -+ SRP */ - break; - #endif - case CURLOPT_TLSAUTH_PASSWORD: - result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD], - va_arg(param, char *)); -- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) -- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ -+ if(data->set.str[STRING_TLSAUTH_USERNAME] && -+ !data->set.ssl.primary.authtype) -+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ - break; - #ifndef CURL_DISABLE_PROXY - case CURLOPT_PROXY_TLSAUTH_PASSWORD: - result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], - va_arg(param, char *)); - if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && -- !data->set.proxy_ssl.authtype) -- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ -+ !data->set.proxy_ssl.primary.authtype) -+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ - break; - #endif - case 
CURLOPT_TLSAUTH_TYPE: - argptr = va_arg(param, char *); - if(!argptr || - strncasecompare(argptr, "SRP", strlen("SRP"))) -- data->set.ssl.authtype = CURL_TLSAUTH_SRP; -+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; - else -- data->set.ssl.authtype = CURL_TLSAUTH_NONE; -+ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE; - break; - #ifndef CURL_DISABLE_PROXY - case CURLOPT_PROXY_TLSAUTH_TYPE: - argptr = va_arg(param, char *); - if(!argptr || - strncasecompare(argptr, "SRP", strlen("SRP"))) -- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; -+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; - else -- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE; -+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE; - break; - #endif - #endif -diff --git a/lib/url.c b/lib/url.c -index 94e3406..5ebf5e2 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) - set->ssl.primary.verifypeer = TRUE; - set->ssl.primary.verifyhost = TRUE; - #ifdef USE_TLS_SRP -- set->ssl.authtype = CURL_TLSAUTH_NONE; -+ set->ssl.primary.authtype = CURL_TLSAUTH_NONE; - #endif - set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth - type */ -@@ -1719,11 +1719,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) - conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus; - conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer; - conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost; -+ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options; -+#ifdef USE_TLS_SRP -+#endif - #ifndef CURL_DISABLE_PROXY - conn->proxy_ssl_config.verifystatus = - data->set.proxy_ssl.primary.verifystatus; - conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer; - conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost; -+ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options; -+#ifdef USE_TLS_SRP -+#endif - #endif - 
conn->ip_version = data->set.ipver; - conn->bits.connect_only = data->set.connect_only; -@@ -3764,7 +3770,8 @@ static CURLcode create_conn(struct Curl_easy *data, - data->set.str[STRING_SSL_ISSUERCERT_PROXY]; - data->set.proxy_ssl.primary.issuercert_blob = - data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY]; -- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; -+ data->set.proxy_ssl.primary.CRLfile = -+ data->set.str[STRING_SSL_CRLFILE_PROXY]; - data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY]; - data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY]; - data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY]; -@@ -3772,18 +3779,20 @@ static CURLcode create_conn(struct Curl_easy *data, - data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY]; - data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY]; - #endif -- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; -+ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE]; - data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; - data->set.ssl.key = data->set.str[STRING_KEY]; - data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE]; - data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD]; - data->set.ssl.primary.clientcert = data->set.str[STRING_CERT]; - #ifdef USE_TLS_SRP -- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME]; -- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD]; -+ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME]; -+ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD]; - #ifndef CURL_DISABLE_PROXY -- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; -- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; -+ data->set.proxy_ssl.primary.username = -+ data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; -+ data->set.proxy_ssl.primary.password = -+ 
data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; - #endif - #endif - data->set.ssl.key_blob = data->set.blobs[BLOB_KEY]; -diff --git a/lib/urldata.h b/lib/urldata.h -index 5218f76..e006495 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -253,9 +253,16 @@ struct ssl_primary_config { - char *cipher_list; /* list of ciphers to use */ - char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ - char *pinned_key; -+ char *CRLfile; /* CRL to check certificate revocation */ - struct curl_blob *cert_blob; - struct curl_blob *issuercert_blob; -+#ifdef USE_TLS_SRP -+ char *username; /* TLS username (for, e.g., SRP) */ -+ char *password; /* TLS password (for, e.g., SRP) */ -+ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ -+#endif - char *curves; /* list of curves to use */ -+ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */ - BIT(verifypeer); /* set TRUE if this is desired */ - BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ - BIT(verifystatus); /* set TRUE if certificate status must be checked */ -@@ -265,7 +272,6 @@ struct ssl_primary_config { - struct ssl_config_data { - struct ssl_primary_config primary; - long certverifyresult; /* result from the certificate verification */ -- char *CRLfile; /* CRL to check certificate revocation */ - curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ - void *fsslctxp; /* parameter for call back */ - char *cert_type; /* format for certificate (default: PEM)*/ -@@ -273,11 +279,6 @@ struct ssl_config_data { - struct curl_blob *key_blob; - char *key_type; /* format for private key (default: PEM) */ - char *key_passwd; /* plain text private key password */ --#ifdef USE_TLS_SRP -- char *username; /* TLS username (for, e.g., SRP) */ -- char *password; /* TLS password (for, e.g., SRP) */ -- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ --#endif - BIT(certinfo); /* gather lots of certificate info */ - BIT(falsestart); - BIT(enable_beast); 
/* allow this flaw for interoperability's sake*/ -diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c -index 97c5666..a4ef9d1 100644 ---- a/lib/vtls/openssl.c -+++ b/lib/vtls/openssl.c -@@ -2546,7 +2546,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, - #endif - const long int ssl_version = SSL_CONN_CONFIG(version); - #ifdef USE_OPENSSL_SRP -- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype); -+ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); - #endif - char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); - const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); -@@ -2554,7 +2554,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, - const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile); - const char * const ssl_capath = SSL_CONN_CONFIG(CApath); - const bool verifypeer = SSL_CONN_CONFIG(verifypeer); -- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); -+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); - char error_buffer[256]; - struct ssl_backend_data *backend = connssl->backend; - bool imported_native_ca = false; -@@ -2859,15 +2859,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, - #ifdef USE_OPENSSL_SRP - if((ssl_authtype == CURL_TLSAUTH_SRP) && - Curl_allow_auth_to_host(data)) { -- char * const ssl_username = SSL_SET_OPTION(username); -- -+ char * const ssl_username = SSL_SET_OPTION(primary.username); -+ char * const ssl_password = SSL_SET_OPTION(primary.password); - infof(data, "Using TLS-SRP username: %s\n", ssl_username); - - if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) { - failf(data, "Unable to set SRP user name"); - return CURLE_BAD_FUNCTION_ARGUMENT; - } -- if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) { -+ if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) { - failf(data, "failed setting SRP password"); - return CURLE_BAD_FUNCTION_ARGUMENT; - } -diff --git a/lib/vtls/vtls.c 
b/lib/vtls/vtls.c -index a40ac06..e2d3438 100644 ---- a/lib/vtls/vtls.c -+++ b/lib/vtls/vtls.c -@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, - { - if((data->version == needle->version) && - (data->version_max == needle->version_max) && -+ (data->ssl_options == needle->ssl_options) && - (data->verifypeer == needle->verifypeer) && - (data->verifyhost == needle->verifyhost) && - (data->verifystatus == needle->verifystatus) && -@@ -143,9 +144,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, - Curl_safecmp(data->clientcert, needle->clientcert) && - Curl_safecmp(data->random_file, needle->random_file) && - Curl_safecmp(data->egdsocket, needle->egdsocket) && -+#ifdef USE_TLS_SRP -+ Curl_safecmp(data->username, needle->username) && -+ Curl_safecmp(data->password, needle->password) && -+ (data->authtype == needle->authtype) && -+#endif - Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && - Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && - Curl_safe_strcasecompare(data->curves, needle->curves) && -+ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && - Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) - return TRUE; - -@@ -162,6 +169,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, - dest->verifyhost = source->verifyhost; - dest->verifystatus = source->verifystatus; - dest->sessionid = source->sessionid; -+ dest->ssl_options = source->ssl_options; -+#ifdef USE_TLS_SRP -+ dest->authtype = source->authtype; -+#endif - - CLONE_BLOB(cert_blob); - CLONE_BLOB(issuercert_blob); -@@ -175,6 +186,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, - CLONE_STRING(cipher_list13); - CLONE_STRING(pinned_key); - CLONE_STRING(curves); -+ CLONE_STRING(CRLfile); -+#ifdef USE_TLS_SRP -+ CLONE_STRING(username); -+ CLONE_STRING(password); -+#endif - - return TRUE; - } -@@ -193,6 +209,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config 
*sslc) - Curl_safefree(sslc->cert_blob); - Curl_safefree(sslc->issuercert_blob); - Curl_safefree(sslc->curves); -+ Curl_safefree(sslc->CRLfile); -+#ifdef USE_TLS_SRP -+ Curl_safefree(sslc->username); -+ Curl_safefree(sslc->password); -+#endif - } - - #ifdef USE_SSL --- -2.34.1 - - -From 5e9832048b30492e02dd222cd8bfe997e03cffa1 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 9 May 2022 23:13:53 +0200 -Subject: [PATCH 3/3] url: check SSH config match on connection reuse - -CVE-2022-27782 - -Reported-by: Harry Sintonen -Bug: https://curl.se/docs/CVE-2022-27782.html -Closes #8825 - -Upstream-commit: 1645e9b44505abd5cbaf65da5282c3f33b5924a5 -Signed-off-by: Kamil Dudka ---- - lib/url.c | 11 +++++++++++ - lib/vssh/ssh.h | 6 +++--- - 2 files changed, 14 insertions(+), 3 deletions(-) - -diff --git a/lib/url.c b/lib/url.c -index 5ebf5e2..c713e54 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -1073,6 +1073,12 @@ static void prune_dead_connections(struct Curl_easy *data) - } - } - -+static bool ssh_config_matches(struct connectdata *one, -+ struct connectdata *two) -+{ -+ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) && -+ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub)); -+} - /* - * Given one filled in connection struct (named needle), this function should - * detect if there already is one that has all the significant details -@@ -1319,6 +1325,11 @@ ConnectionExists(struct Curl_easy *data, - } - } - -+ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { -+ if(!ssh_config_matches(needle, check)) -+ continue; -+ } -+ - if((needle->handler->flags&PROTOPT_SSL) - #ifndef CURL_DISABLE_PROXY - || !needle->bits.httpproxy || needle->bits.tunnel_proxy -diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h -index 7972081..30d82e5 100644 ---- a/lib/vssh/ssh.h -+++ b/lib/vssh/ssh.h -@@ -7,7 +7,7 @@ - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * -- * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al. 
-+ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms -@@ -131,8 +131,8 @@ struct ssh_conn { - - /* common */ - const char *passphrase; /* pass-phrase to use */ -- char *rsa_pub; /* path name */ -- char *rsa; /* path name */ -+ char *rsa_pub; /* strdup'ed public key file */ -+ char *rsa; /* strdup'ed private key file */ - bool authed; /* the connection has been authenticated fine */ - bool acceptfail; /* used by the SFTP_QUOTE (continue if - quote command fails) */ --- -2.34.1 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 46c8986..f7f66e6 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,84 +1,85 @@ -From 2a4754a3a7cf60ecc36d83cbe50b8c337cb87632 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Fri, 12 Apr 2013 12:04:05 +0200 +From 6bb4e674cdc953f5c0048aa84172539900725166 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Tue, 16 Dec 2025 10:04:40 +0100 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- - curl-config.in | 23 +++++------------------ - docs/curl-config.1 | 4 +++- - libcurl.pc.in | 1 + + curl-config.in | 23 +++++------------------ + docs/curl-config.md | 4 +++- + libcurl.pc.in | 1 + 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 150004d..95d0759 100644 +index a1c8185875..bb43ca8335 100644 --- a/curl-config.in 
+++ b/curl-config.in -@@ -76,7 +76,7 @@ while test $# -gt 0; do - ;; +@@ -74,7 +74,7 @@ while test "$#" -gt 0; do + ;; - --cc) -- echo "@CC@" -+ echo "gcc" - ;; + --cc) +- echo '@CC@' ++ echo 'gcc' + ;; - --prefix) -@@ -155,32 +155,19 @@ while test $# -gt 0; do - ;; + --prefix) +@@ -149,16 +149,7 @@ while test "$#" -gt 0; do + ;; - --libs) -- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then -- CURLLIBDIR="-L@libdir@ " -- else -- CURLLIBDIR="" -- fi -- if test "X@ENABLE_SHARED@" = "Xno"; then -- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@ -- else -- echo ${CURLLIBDIR}-lcurl -- fi -+ echo -lcurl - ;; - --ssl-backends) - echo "@SSL_BACKENDS@" - ;; + --libs) +- if test "@libdir@" != '/usr/lib' && test "@libdir@" != '/usr/lib64'; then +- curllibdir="-L@libdir@ " +- else +- curllibdir='' +- fi +- if test '@ENABLE_SHARED@' = 'no'; then +- echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" +- else +- echo "${curllibdir}-lcurl" +- fi ++ echo '-lcurl' + ;; - --static-libs) -- if test "X@ENABLE_STATIC@" != "Xno" ; then -- echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@ -- else -- echo "curl was built with static libraries disabled" >&2 -- exit 1 -- fi -+ echo "curl was built with static libraries disabled" >&2 -+ exit 1 - ;; + --ssl-backends) +@@ -166,16 +157,12 @@ while test "$#" -gt 0; do + ;; - --configure) -- echo @CONFIGURE_OPTIONS@ -+ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' - ;; + --static-libs) +- if test '@ENABLE_STATIC@' != 'no'; then +- echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@" +- else +- echo 'curl was built with static libraries disabled' >&2 +- exit 1 +- fi ++ echo 'curl was built with static libraries disabled' >&2 ++ exit 1 + ;; - *) -diff --git a/docs/curl-config.1 b/docs/curl-config.1 -index 14a9d2b..ffcc004 100644 ---- a/docs/curl-config.1 -+++ b/docs/curl-config.1 -@@ -70,7 +70,9 @@ no, one or several names. 
If more than one name, they will appear - comma-separated. (Added in 7.58.0) - .IP "--static-libs" - Shows the complete set of libs and other linker options you will need in order --to link your application with libcurl statically. (Added in 7.17.1) -+to link your application with libcurl statically. Note that Fedora/RHEL libcurl + --configure) +- echo @CONFIGURE_OPTIONS@ ++ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' + ;; + + *) +diff --git a/docs/curl-config.md b/docs/curl-config.md +index 12ad245b79..fa0e03d273 100644 +--- a/docs/curl-config.md ++++ b/docs/curl-config.md +@@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. + ## `--static-libs` + + Shows the complete set of libs and other linker options you need in order to +-link your application with libcurl statically. (Added in 7.17.1) ++link your application with libcurl statically. Note that Fedora/RHEL libcurl +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) - .IP "--version" - Outputs version information about the installed libcurl. - .IP "--vernum" + + ## `--version` + diff --git a/libcurl.pc.in b/libcurl.pc.in -index 2ba9c39..f8f8b00 100644 +index c0ba5244a8..f3645e1748 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in -@@ -29,6 +29,7 @@ libdir=@libdir@ +@@ -28,6 +28,7 @@ libdir=@libdir@ includedir=@includedir@ supported_protocols="@SUPPORT_PROTOCOLS@" supported_features="@SUPPORT_FEATURES@" @@ -87,5 +88,5 @@ index 2ba9c39..f8f8b00 100644 Name: libcurl URL: https://curl.se/ -- -2.26.2 +2.52.0 diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch deleted file mode 100644 index c096d67..0000000 --- a/0102-curl-7.36.0-debug.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 3602ee9dcc74683f91fe4f9ca228aa17a6474403 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 31 Oct 2012 11:38:30 +0100 -Subject: [PATCH] prevent configure script from discarding -g in CFLAGS - (#496778) - ---- - m4/curl-compilers.m4 | 26 ++++++-------------------- - 1 file changed, 6 insertions(+), 20 deletions(-) - -diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4 -index c64db4bc6..d115a4aed 100644 ---- a/m4/curl-compilers.m4 -+++ b/m4/curl-compilers.m4 -@@ -106,18 +106,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_CLANG], [ - clangvhi=`echo $clangver | cut -d . -f1` - clangvlo=`echo $clangver | cut -d . -f2` - compiler_num=`(expr $clangvhi "*" 100 + $clangvlo) 2>/dev/null` -- flags_dbg_all="-g -g0 -g1 -g2 -g3" -- flags_dbg_all="$flags_dbg_all -ggdb" -- flags_dbg_all="$flags_dbg_all -gstabs" -- flags_dbg_all="$flags_dbg_all -gstabs+" -- flags_dbg_all="$flags_dbg_all -gcoff" -- flags_dbg_all="$flags_dbg_all -gxcoff" -- flags_dbg_all="$flags_dbg_all -gdwarf-2" -- flags_dbg_all="$flags_dbg_all -gvms" -+ flags_dbg_all="" - flags_dbg_yes="-g" - flags_dbg_off="" -- flags_opt_all="-O -O0 -O1 -O2 -Os -O3 -O4" -- flags_opt_yes="-Os" -+ flags_opt_all="" -+ flags_opt_yes="" - flags_opt_off="-O0" - else - AC_MSG_RESULT([no]) -@@ -175,18 +168,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [ - gccvhi=`echo $gccver | cut -d . -f1` - gccvlo=`echo $gccver | cut -d . 
-f2` - compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` -- flags_dbg_all="-g -g0 -g1 -g2 -g3" -- flags_dbg_all="$flags_dbg_all -ggdb" -- flags_dbg_all="$flags_dbg_all -gstabs" -- flags_dbg_all="$flags_dbg_all -gstabs+" -- flags_dbg_all="$flags_dbg_all -gcoff" -- flags_dbg_all="$flags_dbg_all -gxcoff" -- flags_dbg_all="$flags_dbg_all -gdwarf-2" -- flags_dbg_all="$flags_dbg_all -gvms" -+ flags_dbg_all="" - flags_dbg_yes="-g" - flags_dbg_off="" -- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast" -- flags_opt_yes="-O2" -+ flags_opt_all="" -+ flags_opt_yes="" - flags_opt_off="-O0" - CURL_CHECK_DEF([_WIN32], [], [silent]) - else --- -1.7.1 - diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch deleted file mode 100644 index f492ac5..0000000 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From f55cca0e86f59ec11ffafd5c0503c39ca3723e2e Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 4 Feb 2019 17:32:56 +0100 -Subject: [PATCH] libtest: compile lib1560.c with -fno-builtin-strcmp - -... to prevent valgrind from reporting false positives on x86_64: - -Conditional jump or move depends on uninitialised value(s) - at 0x10BCAA: part2id (lib1560.c:489) - by 0x10BCAA: updateurl (lib1560.c:521) - by 0x10BCAA: set_parts (lib1560.c:630) - by 0x10BCAA: test (lib1560.c:802) - by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so) - -Conditional jump or move depends on uninitialised value(s) - at 0x10BCC3: part2id (lib1560.c:491) - by 0x10BCC3: updateurl (lib1560.c:521) - by 0x10BCC3: set_parts (lib1560.c:630) - by 0x10BCC3: test (lib1560.c:802) - by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so) ---- - tests/libtest/Makefile.inc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc -index 080421b..ea3b806 100644 ---- a/tests/libtest/Makefile.inc -+++ b/tests/libtest/Makefile.inc -@@ -592,6 +592,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) - lib1559_LDADD = $(TESTUTIL_LIBS) - - lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) -+lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp - lib1560_LDADD = $(TESTUTIL_LIBS) - - lib1564_SOURCES = lib1564.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) --- -2.17.2 - diff --git a/curl-7.76.1.tar.xz.asc b/curl-7.76.1.tar.xz.asc deleted file mode 100644 index c66be4f..0000000 --- a/curl-7.76.1.tar.xz.asc +++ /dev/null 
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmB2hJEACgkQXMkI/bce
-EsJN2Qf9GFcide66cPmOPEVW9Lu9dYmg5R6g6KanvxCO02CrdlCzD1Z49M7YjJdp
-dU6sP71/BWqI0+IoUd+94O39BR96ARqPgL3TjPf1Fux8x5PeaUP0oD0TaSGq635m
-da930dB1RABlvf5/0L9A5+x+Mkgjk/u+RCeoX1nh6WF0HLZ9RSQmBSBxuInzZgHe
-Q5bAj1DSOrDizHQ2yvNqymmDqUZVeiusIc3QIzTIwsFSg0PbBqG9sYUCSMdeVSjm
-jGcyp5EjyzCyBq7YIzA7VpSRvNTGFr7Q+QP+Sm68kZ6AMCCn/a83jiFUfMyy7H5/
-PEKUqdkKrPScu7DKFWAyqL5DWXt7cA==
-=GTGl
------END PGP SIGNATURE-----
diff --git a/curl.rpmlintrc b/curl.rpmlintrc
new file mode 100644
index 0000000..022a98e
--- /dev/null
+++ b/curl.rpmlintrc
@@ -0,0 +1,15 @@
+# Intentional stuff we're not concerned about
+addFilter("unversioned-explicit-provides webclient")
+addFilter("package-with-huge-docs")
+addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4")
+
+# This is just plain wrong (%_configure redefinition)
+addFilter("configure-without-libdir-spec")
+
+# Technical term
+addFilter("E: spelling-error \('kerberos',")
+
+# Artefacts of RemovePathPostfixes: .minimal
+addFilter("W: dangling-relative-symlink /usr/lib/.build-id/.* ../../../../.*curl.*\.minimal")
+#addFilter("W: dangling-relative-symlink /usr/lib.*/libcurl.so.4 libcurl.so.4.*.minimal")
+#addFilter("E: invalid-ldconfig-symlink /usr/lib.*/libcurl.so.4.* libcurl.so.4.*.minimal")
diff --git a/curl.spec b/curl.spec
index 93d26a2..c0ad4db 100644
--- a/curl.spec
+++ b/curl.spec
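Review bot: The filter `addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4")` silences a security-relevant rpmlint check under the generic heading "Intentional stuff we're not concerned about", with nothing recorded about why libcurl is exempt; a later maintainer cannot tell whether the library is known to honour the system crypto policy or whether the warning was simply inconvenient. Give that filter its own comment carrying the rationale and a reference, e.g. `# crypto-policy exemption: <REASON-PLACEHOLDER>, tracked in <TICKET-PLACEHOLDER>`. The two commented-out `#addFilter(...)` lines at the end are dead configuration in a brand-new file; either drop them or say in the comment above why they are kept for later.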
@@ -1,64 +1,45 @@ +# OpenSSL ENGINE support +# This is deprecated by OpenSSL since OpenSSL 3.0 and by Fedora since Fedora 41 +# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine +# Change the bcond to 0 to turn off ENGINE support by default +%bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10] + +# HTTP/3 support +# This is using ngtcp2 with OpenSSL 3.5 QUIC support instead of curl's +# experimental native OpenSSL 3.5 support. +%bcond http3 %[0%{?fedora} >= 43] + Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.76.1 -Release: 16%{?dist} -License: MIT -Source: https://curl.se/download/%{name}-%{version}.tar.xz - -# http2: fix resource leaks detected by Coverity -Patch1: 0001-curl-7.76.1-resource-leaks.patch - -# fix TELNET stack contents disclosure (CVE-2021-22898) -Patch2: 0002-curl-7.76.1-CVE-2021-22898.patch - -# fix TLS session caching disaster (CVE-2021-22901) -Patch3: 0003-curl-7.76.1-CVE-2021-22901.patch - -# fix SIGSEGV upon disconnect of a ldaps:// transfer (#1941925) -Patch4: 0004-curl-7.76.1-ldaps-segv.patch - -# fix bad connection reuse due to flawed path name checks (CVE-2021-22924) -Patch5: 0005-curl-7.76.1-CVE-2021-22924.patch - -# fix TELNET stack contents disclosure again (CVE-2021-22925) -Patch6: 0006-curl-7.76.1-CVE-2021-22925.patch - -# fix use-after-free and double-free in MQTT sending (CVE-2021-22945) -Patch7: 0007-curl-7.76.1-CVE-2021-22945.patch - -# fix protocol downgrade required TLS bypass (CVE-2021-22946) -Patch8: 0008-curl-7.76.1-CVE-2021-22946.patch - -# fix STARTTLS protocol injection via MITM (CVE-2021-22947) -Patch9: 0009-curl-7.76.1-CVE-2021-22947.patch - -# fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576) -Patch10: 0010-curl-7.76.1-CVE-2022-22576.patch - -# fix bad local IPv6 connection reuse (CVE-2022-27775) -Patch11: 0011-curl-7.76.1-CVE-2022-27775.patch - -# fix auth/cookie leak on redirect (CVE-2022-27776) -Patch12: 
0012-curl-7.76.1-CVE-2022-27776.patch - -# fix credential leak on redirect (CVE-2022-27774) -Patch13: 0013-curl-7.76.1-CVE-2022-27774.patch - -# fix too eager reuse of TLS and SSH connections (CVE-2022-27782) -Patch14: 0014-curl-7.76.1-CVE-2022-27782.patch +Version: 8.18.0 +Release: 1%{?dist} +License: curl +Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz +Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc +# The curl download page ( https://curl.se/download.html ) links +# to Daniel's address page https://daniel.haxx.se/address.html for the GPG Key, +# which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc +Source2: mykey.asc # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch -# prevent configure script from discarding -g in CFLAGS (#496778) -Patch102: 0102-curl-7.36.0-debug.patch - -# prevent valgrind from reporting false positives on x86_64 -Patch105: 0105-curl-7.63.0-lib1560-valgrind.patch - Provides: curl-full = %{version}-%{release} +# do not fail when trying to install curl-minimal after drop +Provides: curl-minimal = %{version}-%{release} Provides: webclient URL: https://curl.se/ + +%if 0%{?fedora} +# instead of bundled wcurl utility, recommend wcurl package +Recommends: wcurl +%endif + +# The reason for maintaining two separate packages for curl is no longer valid. +# The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal. +# For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=2262096 +Obsoletes: curl-minimal < 8.6.0-4 + BuildRequires: automake BuildRequires: brotli-devel BuildRequires: coreutils 
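Review bot: `Source2: mykey.asc` is the trust anchor for the `%{gpgverify}` call in `%prep`, but its comment records only where the key was fetched and a 2016 date, not which key it is, so a future replacement of `mykey.asc` cannot be judged from the spec alone. Record the expected identity next to it, e.g. `# Fingerprint: <KEY_FINGERPRINT - copy from the published key>`, so that any change to the keyring file is reviewable against the published value. Separately, the `%bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10]` default evaluates to enabled when neither `fedora` nor `rhel` is defined (`0 < 10` is true), which may be intended but is worth one line of comment given that the ENGINE API is described as deprecated right above it.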
@@ -67,14 +48,24 @@ BuildRequires: groff BuildRequires: krb5-devel BuildRequires: libidn2-devel BuildRequires: libnghttp2-devel +%if %{with http3} +BuildRequires: libnghttp3-devel +%endif BuildRequires: libpsl-devel BuildRequires: libssh-devel BuildRequires: libtool BuildRequires: make +%if %{with http3} +BuildRequires: ngtcp2-crypto-ossl-devel +%endif BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server +BuildRequires: openssl BuildRequires: openssl-devel +%if %{with openssl_engine_support} && 0%{?fedora} >= 41 +BuildRequires: openssl-devel-engine +%endif BuildRequires: perl-interpreter BuildRequires: pkgconfig BuildRequires: python-unversioned-command @@ -82,6 +73,9 @@ BuildRequires: python3-devel BuildRequires: sed BuildRequires: zlib-devel +# For gpg verification of source tarball +BuildRequires: gnupg2 + # needed to compress content of tool_hugehelp.c after changing curl.1 man page BuildRequires: perl(IO::Compress::Gzip) @@ -91,6 +85,9 @@ BuildRequires: perl(Pod::Usage) BuildRequires: perl(strict) BuildRequires: perl(warnings) +# needed for test1560 to succeed +BuildRequires: glibc-langpack-en + # gnutls-serv is used by the upstream test-suite BuildRequires: gnutls-utils 
@@ -101,16 +98,25 @@ BuildRequires: hostname BuildRequires: nghttp2 # perl modules used in the test suite +BuildRequires: perl(B) +BuildRequires: perl(base) +BuildRequires: perl(constant) BuildRequires: perl(Cwd) BuildRequires: perl(Digest::MD5) +BuildRequires: perl(Digest::SHA) BuildRequires: perl(Exporter) BuildRequires: perl(File::Basename) BuildRequires: perl(File::Copy) BuildRequires: perl(File::Spec) +BuildRequires: perl(I18N::Langinfo) BuildRequires: perl(IPC::Open2) +BuildRequires: perl(List::Util) +BuildRequires: perl(Memoize) BuildRequires: perl(MIME::Base64) -BuildRequires: perl(Time::Local) +BuildRequires: perl(POSIX) +BuildRequires: perl(Storable) BuildRequires: perl(Time::HiRes) +BuildRequires: perl(Time::Local) BuildRequires: perl(vars) %if 0%{?fedora} 
@@ -129,14 +135,27 @@ BuildRequires: valgrind %endif # stunnel is used by upstream tests but it does not seem to work reliably -# on s390x and occasionally breaks some tests (mainly 1561 and 1562) -%ifnarch s390x +# on aarch64/s390x and occasionally breaks some tests (mainly 1561 and 1562) +%ifnarch aarch64 s390x BuildRequires: stunnel %endif # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION Requires: libcurl%{?_isa} >= %{version}-%{release} +# Define OPENSSL_NO_ENGINE to avoid inclusion of +%if %{without openssl_engine_support} +%global _preprocessor_defines %{?_preprocessor_defines} -DOPENSSL_NO_ENGINE +%endif + +# require at least the version of libnghttp2 that we were built against, +# to ensure that we have the necessary symbols available (#2144277) +%global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0) + +# require at least the version of libnghttp3 that we were built against, +# to ensure that we have the necessary symbols available +%global libnghttp3_version %(pkg-config --modversion libnghttp3 2>/dev/null || echo 0) + # require at least the version of libpsl that we were built against, # to ensure that we have the necessary symbols available (#1631804) %global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0) 
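Review bot: The new comment `# Define OPENSSL_NO_ENGINE to avoid inclusion of` trails off mid-sentence, leaving the `%global _preprocessor_defines ... -DOPENSSL_NO_ENGINE` line below it without a stated purpose. Complete it from the rationale already given at the top of the spec, e.g. `# Define OPENSSL_NO_ENGINE so the build does not touch the deprecated OpenSSL ENGINE API when engine support is disabled`. The new `libnghttp3_version` probe follows the existing `|| echo 0` pattern, which is harmless when HTTP/3 is off, but when `%{with http3}` is set a missing .pc file silently lowers the versioned `Requires:` floor (in the following hunk) to `>= 0` instead of failing the build; consider guarding the fallback with `%{with http3}` or noting the trade-off in the comment.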
@@ -145,9 +164,14 @@ Requires: libcurl%{?_isa} >= %{version}-%{release} # to ensure that we have the necessary symbols available (#525002, #642796) %global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0) +# require at least the version of ngtcp2 that we were built against, +# to ensure that we have the necessary symbols available +%global ngtcp2_version %(pkg-config --modversion libngtcp2 2>/dev/null || echo 0) + # require at least the version of openssl-libs that we were built against, # to ensure that we have the necessary symbols available (#1462184, #1462211) -%global openssl_version %(pkg-config --modversion openssl 2>/dev/null || echo 0) +# (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though) +%global openssl_version %({ pkg-config --modversion openssl 2>/dev/null || echo 0;} | sed 's|-|-0.|') %description curl is a command line tool for transferring data with URL syntax, supporting @@ -159,8 +183,15 @@ resume, proxy tunneling and a busload of other useful tricks. %package -n libcurl Summary: A library for getting files from web servers +Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} +%if %{with http3} +Requires: libnghttp3%{?_isa} >= %{libnghttp3_version} +%endif Requires: libpsl%{?_isa} >= %{libpsl_version} Requires: libssh%{?_isa} >= %{libssh_version} +%if %{with http3} +Requires: ngtcp2%{?_isa} >= %{ngtcp2_version} +%endif Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl-full = %{version}-%{release} Provides: libcurl-full%{?_isa} = %{version}-%{release} 
@@ -186,23 +217,9 @@ The libcurl-devel package includes header files and libraries necessary for developing programs which use the libcurl library. It contains the API documentation of the library, too. -%package -n curl-minimal -Summary: Conservatively configured build of curl for minimal installations -Provides: curl = %{version}-%{release} -Conflicts: curl -RemovePathPostfixes: .minimal - -# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION -Requires: libcurl%{?_isa} >= %{version}-%{release} - -%description -n curl-minimal -This is a replacement of the 'curl' package for minimal installations. It -comes with a limited set of features compared to the 'curl' package. On the -other hand, the package is smaller and requires fewer run-time dependencies to -be installed. - %package -n libcurl-minimal Summary: Conservatively configured build of libcurl for minimal installations +Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl = %{version}-%{release} Provides: libcurl%{?_isa} = %{version}-%{release} 
@@ -218,47 +235,17 @@ other hand, the package is smaller and requires fewer run-time dependencies to be installed. %prep -%setup -q +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' +%autosetup -n %{name}-%{version_no_tilde} -p1 -# upstream patches -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 - -# Fedora patches -%patch101 -p1 -%patch102 -p1 -%patch105 -p1 - -# disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed -# with errno 98: Address already in use' in Koji environment), and test 1801 +# disable test 1801 # -printf "1112\n1455\n1801\n" >> tests/data/DISABLED +printf "1801\n" >>tests/data/DISABLED -# disable test 1319 on ppc64 (server times out) -%ifarch ppc64 -echo "1319" >> tests/data/DISABLED -%endif - -# temporarily disable test 582 on s390x (client times out) -%ifarch s390x -echo "582" >> tests/data/DISABLED -%endif - -# temporarily disable tests 702 703 716 on armv7hl (#1829180) -%ifarch armv7hl -printf "702\n703\n716\n" >> tests/data/DISABLED +# test3026: avoid pthread_create() failure due to resource exhaustion on i386 +%ifarch %{ix86} +sed -e 's|NUM_THREADS 1000$|NUM_THREADS 256|' \ + -i tests/libtest/lib3026.c %endif # adapt test 323 for updated OpenSSL 
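Review bot: `printf "1801\n" >>tests/data/DISABLED` is now introduced only by `# disable test 1801` followed by a bare `#` line, so the rewritten comment gives no reason at all for skipping the test, while the old one at least named reasons for the others. Record why it is disabled and what would allow re-enabling it, e.g. `# disable test 1801 (<reason / tracking bug>)`. The i386-only `sed -e 's|NUM_THREADS 1000$|NUM_THREADS 256|' -i tests/libtest/lib3026.c` rewrites a test source in place and matches nothing if upstream changes the constant, so the workaround would silently stop applying; a preceding `grep -q 'NUM_THREADS 1000$' tests/libtest/lib3026.c` makes that failure loud.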
@@ -273,48 +260,82 @@ sed -e 's|^35$|35,52|' -i tests/data/test323 eval "$cmd" ) +# avoid unnecessary arch-dependent line in the processed file +sed -e '/# Used in @libdir@/d' \ + -i curl-config.in + +%build # regenerate the configure script and Makefile.in files autoreconf -fiv -%build mkdir build-{full,minimal} -export common_configure_opts=" \ - --cache-file=../config.cache \ - --disable-static \ - --enable-symbol-hiding \ - --enable-ipv6 \ - --enable-threaded-resolver \ - --without-libmetalink \ - --with-gssapi \ - --with-nghttp2 \ - --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" +export common_configure_opts=" \ + --cache-file=../config.cache \ + --disable-manual \ + --disable-static \ + --enable-hsts \ + --enable-ipv6 \ + --enable-symbol-hiding \ + --enable-threaded-resolver \ + --without-zstd \ + --with-gssapi \ + --with-libidn2 \ + --with-nghttp2 \ + --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \ + --with-zsh-functions-dir" %global _configure ../configure # configure minimal build ( cd build-minimal - %configure $common_configure_opts \ - --disable-ldap \ - --disable-ldaps \ - --disable-manual \ - --without-brotli \ - --without-libidn2 \ - --without-libpsl \ + %configure $common_configure_opts \ + --disable-dict \ + --disable-gopher \ + --disable-imap \ + --disable-ldap \ + --disable-ldaps \ + --disable-mqtt \ + --disable-ntlm \ + --disable-pop3 \ + --disable-rtsp \ + --disable-smb \ + --disable-smtp \ + --disable-telnet \ + --disable-tftp \ + --disable-tls-srp \ + --disable-websockets \ + --without-brotli \ + --without-libpsl \ --without-libssh ) # configure full build ( cd build-full - %configure $common_configure_opts \ - --enable-ldap \ - --enable-ldaps \ - --enable-manual \ - --with-brotli \ - --with-libidn2 \ - --with-libpsl \ - --with-libssh + %configure $common_configure_opts \ + --enable-dict \ + --enable-gopher \ + --enable-imap \ + --enable-ldap \ + --enable-ldaps \ + 
--enable-mqtt \ + --enable-ntlm \ + --enable-pop3 \ + --enable-rtsp \ + --enable-smb \ + --enable-smtp \ + --enable-telnet \ + --enable-tftp \ + --enable-tls-srp \ + --enable-websockets \ + --with-brotli \ + --with-libpsl \ + --with-libssh \ +%if %{with http3} + --with-nghttp3 \ + --with-ngtcp2 \ +%endif ) # avoid using rpath @@ -326,20 +347,33 @@ sed -e 's/^runpath_var=.*/runpath_var=/' \ %make_build V=1 -C build-full %check -# we have to override LD_LIBRARY_PATH because we eliminated rpath -LD_LIBRARY_PATH="${PWD}/build-full/lib/.libs" -export LD_LIBRARY_PATH - # compile upstream test-cases -cd build-full/tests -%make_build V=1 +%make_build V=1 -C build-minimal/tests +%make_build V=1 -C build-full/tests # relax crypto policy for the test-suite to make it pass again (#1610888) export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX export OPENSSL_CONF= -# run the upstream test-suite -srcdir=../../tests perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky' +# make runtests.pl work for out-of-tree builds +export srcdir=../../tests + +# prevent valgrind from being extremely slow (#1662656) +# https://fedoraproject.org/wiki/Changes/DebuginfodByDefault +unset DEBUGINFOD_URLS + +# run the upstream test-suite for both curl-minimal and curl-full +for size in minimal full; do ( + cd build-${size} + + # we have to override LD_LIBRARY_PATH because we eliminated rpath + export LD_LIBRARY_PATH="${PWD}/lib/.libs" + + cd tests + perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky' +) +done + %install # install and rename the library that will be packaged as libcurl-minimal @@ -349,10 +383,6 @@ for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do mv -v $i $i.minimal done -# install and rename the executable that will be packaged as curl-minimal -%make_install -C build-minimal/src -mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal} - # install libcurl.m4 install -d $RPM_BUILD_ROOT%{_datadir}/aclocal install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal 
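Review bot: In the full-build `%configure` block the last unconditional option, `--with-libssh \`, keeps a trailing backslash so that the `%if %{with http3}` lines can follow it; after rpm strips the `%if`/`%endif` lines the continuation joins the subshell's closing `)` onto the command line in both configurations, which works today but is fragile and easy to break when the option list is edited. A clearer form is to collect the conditional options first, `%if %{with http3}` / `http3_opts="--with-nghttp3 --with-ngtcp2"` / `%endif`, and pass `$http3_opts` as an ordinary final argument without a trailing backslash. The enclosing `%build` section continues past this hunk.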
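Review bot: The `for size in minimal full; do ( ... ) done` loop only propagates a failed `runtests.pl` run if the section is executed with `set -e`; without it the loop's status is that of the last iteration, so a failure in `build-minimal` would be masked by a passing `build-full` run. rpmbuild normally runs `%check` with `-e`, so this is fine today, but making the intent explicit costs one token: `) || exit 1` in place of the bare `)`. A short comment that `export srcdir=../../tests` is relative to the `tests` directory entered inside each subshell, not to the directory where it is exported, would also save the next reader a moment.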
@@ -361,28 +391,30 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal cd build-full %make_install -# install zsh completion for curl -# (we have to override LD_LIBRARY_PATH because we eliminated rpath) -LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \ - %make_install -C scripts - # do not install /usr/share/fish/completions/curl.fish which is also installed # by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la +# do not install bundled wcurl utility +# it is provided by the wcurl package +rm -f ${RPM_BUILD_ROOT}%{_bindir}/wcurl +rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* + %ldconfig_scriptlets -n libcurl %ldconfig_scriptlets -n libcurl-minimal %files -%doc CHANGES +%doc CHANGES.md %doc README %doc docs/BUGS.md -%doc docs/FAQ +%doc docs/DISTROS.md +%doc docs/FAQ.md %doc docs/FEATURES.md -%doc docs/TODO +%doc docs/KNOWN_BUGS.md +%doc docs/TODO.md %doc docs/TheArtOfHttpScripting.md %{_bindir}/curl %{_mandir}/man1/curl.1* 
@@ -404,51 +436,412 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/* %{_datadir}/aclocal/libcurl.m4 -%files -n curl-minimal -%{_bindir}/curl.minimal -%{_mandir}/man1/curl.1* - %files -n libcurl-minimal %license COPYING %{_libdir}/libcurl.so.4.minimal %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -* Wed May 11 2022 Kamil Dudka - 7.76.1-16 -- fix too eager reuse of TLS and SSH connections (CVE-2022-27782) +* Wed Jan 07 2026 Jan Macku - 8.18.0-1 +- new upstream release -* Mon May 02 2022 Kamil Dudka - 7.76.1-15 -- fix leak of SRP credentials in redirects (CVE-2022-27774) +* Mon Jan 05 2026 Jan Macku - 8.18.0~rc3-1 +- new upstream release candidate -* Fri Apr 29 2022 Kamil Dudka - 7.76.1-14 -- add missing tests to Makefile +* Tue Dec 16 2025 Jan Macku - 8.18.0~rc2-1 +- new upstream release candidate +- reenable valgrind on test 616 -* Thu Apr 28 2022 Kamil Dudka - 7.76.1-13 -- fix credential leak on redirect (CVE-2022-27774) -- fix auth/cookie leak on redirect (CVE-2022-27776) -- fix bad local IPv6 connection reuse (CVE-2022-27775) -- fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576) +* Tue Dec 09 2025 Jan Macku - 8.18.0~rc1-1 +- new upstream release candidate +- drop upstreamed patches -* Fri Sep 17 2021 Kamil Dudka - 7.76.1-12 -- fix STARTTLS protocol injection via MITM (CVE-2021-22947) -- fix protocol downgrade required TLS bypass (CVE-2021-22946) -- fix use-after-free and double-free in MQTT sending (CVE-2021-22945) +* Sun Dec 07 2025 Aleksei Bavshin - 8.17.0-5 +- Enable HTTP/3 support with ngtcp2 -* Wed Jul 21 2021 Kamil Dudka - 7.76.1-7 -- fix TELNET stack contents disclosure again (CVE-2021-22925) -- fix bad connection reuse due to flawed path name checks (CVE-2021-22924) +* Thu Dec 04 2025 Jan Macku - 8.17.0-4 +- apply upstream patches for valgrind issues in HTTP/3 (#2408809) -* Wed Jul 21 2021 Kamil Dudka - 7.76.1-5 -- disable metalink support to fix the following vulnerabilities +* Thu Nov 13 2025 Jan Macku - 8.17.0-3 +- 
recommend wcurl package instead of bundled wcurl utility + +* Thu Nov 13 2025 Jan Macku - 8.17.0-2 +- remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead + +* Mon Nov 10 2025 Jan Macku - 8.17.0-1 +- new upstream release + +* Thu Oct 30 2025 Jan Macku - 8.17.0~rc3-1 +- new upstream release candidate + +* Tue Oct 21 2025 Jan Macku - 8.17.0~rc2-1 +- new upstream release candidate + +* Mon Oct 13 2025 Jan Macku - 8.17.0~rc1-1 +- new upstream release candidate + +* Wed Sep 10 2025 Jan Macku - 8.16.0-1 +- new upstream release + +* Wed Sep 03 2025 Jan Macku - 8.16.0~rc3-1 +- new upstream release candidate + +* Tue Aug 26 2025 Jan Macku - 8.16.0~rc2-1 +- new upstream release candidate + +* Wed Jul 23 2025 Fedora Release Engineering - 8.15.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + +* Wed Jul 16 2025 Jan Macku - 8.15.0-1 +- new upstream release + +* Thu Jul 10 2025 Jan Macku - 8.15.0~rc3-1 +- new upstream release candidate + +* Mon Jun 30 2025 Jan Macku - 8.15.0~rc2-1 +- new upstream release candidate + +* Mon Jun 23 2025 Jan Macku - 8.15.0~rc1-1 +- new upstream release candidate + +* Wed Jun 04 2025 Jan Macku - 8.14.1-1 +- new upstream release +- drop: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch (no longer needed) + +* Wed May 28 2025 Jan Macku - 8.14.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2025-5025 - No QUIC certificate pinning with wolfSSL + CVE-2025-4947 - QUIC certificate check skip with wolfSSL +- fix regression: curl_multi_add_handle() returning OOM when using more than 400 handles + +* Fri May 02 2025 Jan Macku - 8.14.0~rc1-1 +- new upstream release candidate +- new utility: wcurl which lets you download URLs without having to remember any parameters + +* Wed Apr 02 2025 Jan Macku - 8.13.0-1 +- new upstream release +- add build time dependency on openssl (required by tests) + +* Wed Mar 26 2025 Jan Macku - 8.13.0~rc3-1 +- new upstream release candidate +- 
drop: 0102-curl-7.84.0-test3026.patch (no longer needed) + +* Tue Mar 18 2025 Jan Macku - 8.13.0~rc2-1 +- new upstream release candidate + +* Thu Mar 13 2025 Jan Macku - 8.13.0~rc1-2 +- fix --cert parameter (#2351531) + +* Mon Mar 10 2025 Jan Macku - 8.13.0~rc1-1 +- new upstream release candidate + +* Wed Feb 05 2025 Jan Macku - 8.12.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2025-0725 - gzip integer overflow + CVE-2025-0665 - eventfd double close + CVE-2025-0167 - netrc and default credential leak +- drop upstreamed patches + +* Fri Jan 31 2025 Jan Macku - 8.11.1-4 +- TLS: check connection for SSL use, not handler (#2324130#c7) + +* Thu Jan 16 2025 Fedora Release Engineering - 8.11.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + +* Sun Dec 15 2024 Paul Howarth - 8.11.1-2 +- Fix crash with Unexpected error 9 on netlink descriptor 10 (rhbz#2332350) + - https://github.com/curl/curl/issues/15725 + - https://github.com/curl/curl/pull/15727 + +* Wed Dec 11 2024 Jan Macku - 8.11.1-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-11053 - netrc and redirect credential leak + +* Wed Nov 06 2024 Yaakov Selkowitz - 8.11.0-2 +- Disable engine support on RHEL 10+ + +* Wed Nov 06 2024 Jan Macku - 8.11.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-9681 - HSTS subdomain overwrites parent cache entry + +* Tue Sep 24 2024 Jan Macku - 8.10.1-2 +- Use tls-ca-bundle.pem instead of ca-bundle.crt (OpenSSL specific) (#2313564) + +* Wed Sep 18 2024 Jan Macku - 8.10.1-1 +- new upstream release + +* Wed Sep 11 2024 Jan Macku - 8.10.0-1 +- new upstream release + +* Wed Aug 21 2024 Jacek Migacz - 8.9.1-3 +- Retire deprecated ntlm-wb configure option + +* Mon Aug 5 2024 voidanix - 8.9.1-2 +- Apply SIGPIPE-related patch due to upstream regression + +* Wed Jul 24 2024 Jan Macku - 8.9.1-1 +- new upstream release + +* Wed Jul 24 2024 Jan Macku - 8.9.0-1 +- new upstream 
release, which fixes the following vulnerabilities + CVE-2024-6874 - macidn punycode buffer overread + CVE-2024-6197 - freeing stack buffer in utf8asn1str +- drop upstreamed patches + +* Wed Jul 17 2024 Fedora Release Engineering - 8.8.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Fri Jul 12 2024 Paul Howarth - 8.8.0-2 +- adapt for https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine +- added build condition for openssl_engine_support, true by default so as to + not change the resulting built package (yet) +- with openssl_engine_support true, BR: openssl-devel-engine +- with openssl_engine_support false, build with -DOPENSSL_NO_ENGINE + +* Wed May 22 2024 Jan Macku - 8.8.0-1 +- new upstream release +- drop upstreamed patches + +* Wed Mar 27 2024 Jan Macku - 8.7.1-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-2004 - Usage of disabled protocol + CVE-2024-2379 - QUIC certificate check bypass with wolfSSL + CVE-2024-2398 - HTTP/2 push headers memory-leak + CVE-2024-2466 - TLS certificate check bypass with mbedTLS +- drop upstreamed patches +- reenable test 0313 +- fix zsh completions, use --with-zsh-functions-dir +- apply upstream patches for 8.7.1 issues and regressions + +* Mon Feb 19 2024 Jan Macku - 8.6.0-7 +- Fix: Leftovers after chunking should not be part of the curl buffer output (#2264220) + +* Mon Feb 12 2024 Jan Macku - 8.6.0-6 +- revert "receive max buffer" + add test case +- temporarily disable test 0313 +- remove suggests of libcurl-minimal in curl-full + +* Mon Feb 12 2024 Jan Macku - 8.6.0-5 +- add Provides to curl-minimal + +* Wed Feb 07 2024 Jan Macku - 8.6.0-4 +- drop curl-minimal subpackage in favor of curl-full (#2262096) + +* Mon Feb 05 2024 Jan Macku - 8.6.0-3 +- ignore response body to HEAD requests + +* Fri Feb 02 2024 Jan Macku - 8.6.0-2 +- don't build manual for curl-full - use man 1 curl instead (#2262373) + +* Thu Feb 01 2024 Jan Macku - 8.6.0-1 +- new upstream 
release, which fixes the following vulnerabilities + CVE-2024-0853 - OCSP verification bypass with TLS session reuse +- drop 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch (replaced by upstream fix) +- remove accidentally included mk-ca-bundle.1 man page (upstream bug #12843) + +* Fri Jan 19 2024 Fedora Release Engineering - 8.5.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Wed Dec 06 2023 Jan Macku - 8.5.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-46218 - cookie mixed case PSL bypass + CVE-2023-46219 - HSTS long file name clears contents + +* Wed Oct 11 2023 Jan Macku - 8.4.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-38545 - SOCKS5 heap buffer overflow + CVE-2023-38546 - cookie injection with none file + +* Wed Sep 13 2023 Jan Macku - 8.3.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-38039 - HTTP headers eat all memory + +* Wed Aug 02 2023 Jan Macku - 8.2.1-2 +- enable websockets (#2224651) + +* Wed Jul 26 2023 Lukáš Zaoral - 8.2.1-1 +- new upstream release (rhbz#2226659) + +* Wed Jul 19 2023 Jan Macku - 8.2.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-32001 - fopen race condition + +* Tue May 30 2023 Jan Macku - 8.1.2-1 +- new upstream release, with small bugfixes and improvements + +* Tue May 23 2023 Jan Macku - 8.1.1-1 +- new upstream release, with small bugfixes and improvements + +* Wed May 17 2023 Kamil Dudka - 8.1.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-28321 - IDN wildcard match + CVE-2023-28322 - more POST-after-PUT confusion + +* Fri Apr 21 2023 Kamil Dudka - 8.0.1-3 +- tests: re-enable temporarily disabled test-cases +- tests: attempt to fix a conflict on port numbers +- apply patches automatically + +* Tue Mar 21 2023 Lukáš Zaoral - 8.0.1-2 +- migrated to SPDX license + +* Mon Mar 20 2023 Kamil Dudka - 8.0.1-1 +- new upstream 
release + +* Mon Mar 20 2023 Kamil Dudka - 8.0.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-27538 - SSH connection too eager reuse still + CVE-2023-27537 - HSTS double-free + CVE-2023-27536 - GSS delegation too eager connection re-use + CVE-2023-27535 - FTP too eager connection reuse + CVE-2023-27534 - SFTP path ~ resolving discrepancy + CVE-2023-27533 - TELNET option IAC injection + +* Mon Feb 20 2023 Kamil Dudka - 7.88.1-1 +- new upstream release + +* Fri Feb 17 2023 Kamil Dudka - 7.88.0-2 +- http2: set drain on stream end + +* Wed Feb 15 2023 Kamil Dudka - 7.88.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-23916 - HTTP multi-header compression denial of service + CVE-2023-23915 - HSTS amnesia with --parallel + CVE-2023-23914 - HSTS ignored on multiple requests + +* Fri Jan 20 2023 Kamil Dudka - 7.87.0-4 +- fix regression in a public header file (#2162716) + +* Thu Jan 19 2023 Fedora Release Engineering - 7.87.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Wed Jan 11 2023 Kamil Dudka - 7.87.0-2 +- test3012: temporarily disable valgrind (#2143040) + +* Wed Dec 21 2022 Kamil Dudka - 7.87.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-43552 - HTTP Proxy deny use-after-free + CVE-2022-43551 - Another HSTS bypass via IDN + +* Tue Nov 29 2022 Kamil Dudka - 7.86.0-4 +- noproxy: tailmatch like in 7.85.0 and earlier (#2149224) + +* Thu Nov 24 2022 Kamil Dudka - 7.86.0-3 +- enforce versioned libnghttp2 dependency for libcurl (#2144277) + +* Mon Oct 31 2022 Kamil Dudka - 7.86.0-2 +- fix regression in noproxy matching + +* Wed Oct 26 2022 Kamil Dudka - 7.86.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-42916 - HSTS bypass via IDN + CVE-2022-42915 - HTTP proxy double-free + CVE-2022-35260 - .netrc parser out-of-bounds access + CVE-2022-32221 - POST following PUT confusion + +* Thu Sep 01 2022 Kamil Dudka 
- 7.85.0-1 +- new upstream release, which fixes the following vulnerability + CVE-2022-35252 - control code in cookie denial of service + +* Thu Aug 25 2022 Kamil Dudka - 7.84.0-3 +- tests: fix http2 tests to use CRLF headers to make it work with nghttp2-1.49.0 + +* Wed Jul 20 2022 Fedora Release Engineering - 7.84.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Mon Jun 27 2022 Kamil Dudka - 7.84.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-32207 - Unpreserved file permissions + CVE-2022-32205 - Set-Cookie denial of service + CVE-2022-32206 - HTTP compression denial of service + CVE-2022-32208 - FTP-KRB bad message verification + +* Wed May 11 2022 Kamil Dudka - 7.83.1-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-27782 - fix too eager reuse of TLS and SSH connections + CVE-2022-27779 - do not accept cookies for TLD with trailing dot + CVE-2022-27778 - do not remove wrong file on error + CVE-2022-30115 - hsts: ignore trailing dots when comparing hosts names + CVE-2022-27780 - reject percent-encoded path separator in URL host + +* Wed Apr 27 2022 Kamil Dudka - 7.83.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-27774 - curl credential leak on redirect + CVE-2022-27776 - curl auth/cookie leak on redirect + CVE-2022-27775 - curl bad local IPv6 connection reuse + CVE-2022-22576 - curl OAUTH2 bearer bypass in connection re-use + +* Tue Mar 15 2022 Kamil Dudka - 7.82.0-2 +- openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure + +* Sat Mar 05 2022 Kamil Dudka - 7.82.0-1 +- new upstream release + +* Thu Feb 24 2022 Kamil Dudka - 7.81.0-4 +- enable IDN support also in libcurl-minimal + +* Thu Feb 10 2022 Zbigniew Jędrzejewski-Szmek - 7.81.0-3 +- Suggest libcurl-minimal in curl-minimal + +* Thu Jan 20 2022 Fedora Release Engineering - 7.81.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Wed Jan 
05 2022 Kamil Dudka - 7.81.0-1 +- new upstream release + +* Sun Nov 14 2021 Paul Howarth - 7.80.0-2 +- sshserver.pl (used in test suite) now requires the Digest::SHA perl module + +* Wed Nov 10 2021 Kamil Dudka - 7.80.0-1 +- new upstream release + +* Tue Oct 26 2021 Kamil Dudka - 7.79.1-3 +- re-enable HSTS in libcurl-minimal as a security feature (#2005874) + +* Mon Oct 04 2021 Kamil Dudka - 7.79.1-2 +- disable more protocols and features in libcurl-minimal (#2005874) + +* Wed Sep 22 2021 Kamil Dudka - 7.79.1-1 +- new upstream release + +* Thu Sep 16 2021 Kamil Dudka - 7.79.0-4 +- fix regression in http2 implementation introduced in the last release + +* Thu Sep 16 2021 Sahana Prasad - 7.79.0-3 +- Rebuilt with OpenSSL 3.0.0 + +* Thu Sep 16 2021 Kamil Dudka - 7.79.0-2 +- make SCP/SFTP tests work with openssh-8.7p1 + +* Wed Sep 15 2021 Kamil Dudka - 7.79.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2021-22947 - STARTTLS protocol injection via MITM + CVE-2021-22946 - protocol downgrade required TLS bypassed + CVE-2021-22945 - use-after-free and double-free in MQTT sending + +* Tue Sep 14 2021 Sahana Prasad - 7.78.0-4 +- Rebuilt with OpenSSL 3.0.0 + +* Fri Jul 23 2021 Kamil Dudka - 7.78.0-3 +- make explicit dependency on openssl work with alpha/beta builds of openssl + +* Wed Jul 21 2021 Fedora Release Engineering - 7.78.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Wed Jul 21 2021 Kamil Dudka - 7.78.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2021-22925 - TELNET stack contents disclosure again + CVE-2021-22924 - bad connection reuse due to flawed path name checks CVE-2021-22923 - metalink download sends credentials CVE-2021-22922 - wrong content via metalink not discarded -* Wed Jun 02 2021 Kamil Dudka - 7.76.1-4 -- fix SIGSEGV upon disconnect of a ldaps:// transfer (#1941925) +* Wed Jun 02 2021 Kamil Dudka - 7.77.0-2 +- build the curl tool without metalink support 
(#1967213) -* Wed May 26 2021 Kamil Dudka - 7.76.1-3 -- fix TLS session caching disaster (CVE-2021-22901) -- fix TELNET stack contents disclosure (CVE-2021-22898) +* Wed May 26 2021 Kamil Dudka - 7.77.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2021-22901 - TLS session caching disaster + CVE-2021-22898 - TELNET stack contents disclosure * Mon May 03 2021 Kamil Dudka - 7.76.1-2 - http2: fix resource leaks detected by Coverity 
@@ -1089,881 +1482,3 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la * Wed Feb 06 2013 Kamil Dudka 7.29.0-1 - new upstream release (fixes CVE-2013-0249) - -* Tue Jan 15 2013 Kamil Dudka 7.28.1-3 -- require valgrind for build only on i386 and x86_64 (#886891) - -* Tue Jan 15 2013 Kamil Dudka 7.28.1-2 -- prevent NSS from crashing on client auth hook failure -- clear session cache if a client cert from file is used -- fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE - -* Tue Nov 20 2012 Kamil Dudka 7.28.1-1 -- new upstream release - -* Wed Oct 31 2012 Kamil Dudka 7.28.0-1 -- new upstream release - -* Mon Oct 01 2012 Kamil Dudka 7.27.0-3 -- use the upstream facility to disable problematic tests -- do not crash if MD5 fingerprint is not provided by libssh2 - -* Wed Aug 01 2012 Kamil Dudka 7.27.0-2 -- eliminate unnecessary inotify events on upload via file protocol (#844385) - -* Sat Jul 28 2012 Kamil Dudka 7.27.0-1 -- new upstream release - -* Mon Jul 23 2012 Kamil Dudka 7.26.0-6 -- print reason phrase from HTTP status line on error (#676596) - -* Wed Jul 18 2012 Fedora Release Engineering - 7.26.0-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Sat Jun 09 2012 Kamil Dudka 7.26.0-4 -- fix duplicated SSL handshake with multi interface and proxy (#788526) - -* Wed May 30 2012 Karsten Hopp 7.26.0-3 -- disable test 1319 on ppc64, server times out - -* Mon May 28 2012 Kamil Dudka 7.26.0-2 -- use human-readable error messages provided by NSS (upstream commit 72f4b534) - -* Fri May 25 2012 Kamil Dudka 7.26.0-1 -- new upstream release - -* Wed Apr 25 2012 Karsten Hopp 7.25.0-3 -- valgrind on ppc64 works fine, disable ppc32 only - -* Wed Apr 25 2012 Karsten Hopp 7.25.0-3 -- drop BR valgrind on PPC(64) until bugzilla #810992 gets fixed - -* Fri Apr 13 2012 Kamil Dudka 7.25.0-2 -- use NSS_InitContext() to initialize NSS if available (#738456) -- provide human-readable names for NSS errors (upstream commit a60edcc6) - -* Fri Mar 23 2012 Paul Howarth 
7.25.0-1 -- new upstream release (#806264) -- fix character encoding of docs with a patch rather than just iconv -- update debug and multilib patches -- don't use macros for commands -- reduce size of %%prep output for readability - -* Tue Jan 24 2012 Kamil Dudka 7.24.0-1 -- new upstream release (fixes CVE-2012-0036) - -* Thu Jan 05 2012 Paul Howarth 7.23.0-6 -- rebuild for gcc 4.7 - -* Mon Jan 02 2012 Kamil Dudka 7.23.0-5 -- upstream patch that allows to run FTPS tests with nss-3.13 (#760060) - -* Tue Dec 27 2011 Kamil Dudka 7.23.0-4 -- allow to run FTPS tests with nss-3.13 (#760060) - -* Sun Dec 25 2011 Kamil Dudka 7.23.0-3 -- avoid unnecessary timeout event when waiting for 100-continue (#767490) - -* Mon Nov 21 2011 Kamil Dudka 7.23.0-2 -- curl -JO now uses -O name if no C-D header comes (upstream commit c532604) - -* Wed Nov 16 2011 Kamil Dudka 7.23.0-1 -- new upstream release (#754391) - -* Mon Sep 19 2011 Kamil Dudka 7.22.0-2 -- nss: select client certificates by DER (#733657) - -* Tue Sep 13 2011 Kamil Dudka 7.22.0-1 -- new upstream release -- curl-config now provides dummy --static-libs option (#733956) - -* Sun Aug 21 2011 Paul Howarth 7.21.7-4 -- actually fix SIGSEGV of curl -O -J given more than one URL (#723075) - -* Mon Aug 15 2011 Kamil Dudka 7.21.7-3 -- fix SIGSEGV of curl -O -J given more than one URL (#723075) -- introduce the --delegation option of curl (#730444) -- initialize NSS with no database if the selected database is broken (#728562) - -* Wed Aug 03 2011 Kamil Dudka 7.21.7-2 -- add a new option CURLOPT_GSSAPI_DELEGATION (#719939) - -* Thu Jun 23 2011 Kamil Dudka 7.21.7-1 -- new upstream release (fixes CVE-2011-2192) - -* Wed Jun 08 2011 Kamil Dudka 7.21.6-2 -- avoid an invalid timeout event on a reused handle (#679709) - -* Sat Apr 23 2011 Paul Howarth 7.21.6-1 -- new upstream release - -* Mon Apr 18 2011 Kamil Dudka 7.21.5-2 -- fix the output of curl-config --version (upstream commit 82ecc85) - -* Mon Apr 18 2011 Kamil Dudka 7.21.5-1 -- 
new upstream release - -* Sat Apr 16 2011 Peter Robinson 7.21.4-4 -- no valgrind on ARMv5 arches - -* Sat Mar 05 2011 Dennis Gilmore 7.21.4-3 -- no valgrind on sparc arches - -* Tue Feb 22 2011 Kamil Dudka 7.21.4-2 -- do not ignore failure of SSL handshake (upstream commit 7aa2d10) - -* Fri Feb 18 2011 Kamil Dudka 7.21.4-1 -- new upstream release -- avoid memory leak on SSL connection failure (upstream commit a40f58d) -- work around valgrind bug (#678518) - -* Tue Feb 08 2011 Fedora Release Engineering - 7.21.3-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild - -* Wed Jan 12 2011 Kamil Dudka 7.21.3-2 -- build libcurl with --enable-hidden-symbols - -* Thu Dec 16 2010 Paul Howarth 7.21.3-1 -- update to 7.21.3: - - added --noconfigure switch to testcurl.pl - - added --xattr option - - added CURLOPT_RESOLVE and --resolve - - added CURLAUTH_ONLY - - added version-check.pl to the examples dir - - check for libcurl features for some command line options - - Curl_setopt: disallow CURLOPT_USE_SSL without SSL support - - http_chunks: remove debug output - - URL-parsing: consider ? 
a divider - - SSH: avoid using the libssh2_ prefix - - SSH: use libssh2_session_handshake() to work on win64 - - ftp: prevent server from hanging on closed data connection when stopping - a transfer before the end of the full transfer (ranges) - - LDAP: detect non-binary attributes properly - - ftp: treat server's response 421 as CURLE_OPERATION_TIMEDOUT - - gnutls->handshake: improved timeout handling - - security: pass the right parameter to init - - krb5: use GSS_ERROR to check for error - - TFTP: resend the correct data - - configure: fix autoconf 2.68 warning: no AC_LANG_SOURCE call detected - - GnuTLS: now detects socket errors on Windows - - symbols-in-versions: updated en masse - - added a couple of examples that were missing from the tarball - - Curl_send/recv_plain: return errno on failure - - Curl_wait_for_resolv (for c-ares): correct timeout - - ossl_connect_common: detect connection re-use - - configure: prevent link errors with --librtmp - - openldap: use remote port in URL passed to ldap_init_fd() - - url: provide dead_connection flag in Curl_handler::disconnect - - lots of compiler warning fixes - - ssh: fix a download resume point calculation - - fix getinfo CURLINFO_LOCAL* for reused connections - - multi: the returned running handles counter could turn negative - - multi: only ever consider pipelining for connections doing HTTP(S) -- drop upstream patches now in tarball -- update bz650255 and disable-test1112 patches to apply against new codebase -- add workaround for false-positive glibc-detected buffer overflow in tftpd - test server with FORTIFY_SOURCE (similar to #515361) - -* Fri Nov 12 2010 Kamil Dudka 7.21.2-5 -- do not send QUIT to a dead FTP control connection (#650255) -- pull back glibc's implementation of str[n]casecmp(), #626470 appears fixed - -* Tue Nov 09 2010 Kamil Dudka 7.21.2-4 -- prevent FTP client from hanging on unrecognized ABOR response (#649347) -- return more appropriate error code in case FTP server session idle - 
timeout has exceeded (#650255) - -* Fri Oct 29 2010 Kamil Dudka 7.21.2-3 -- prevent FTP server from hanging on closed data connection (#643656) - -* Thu Oct 14 2010 Paul Howarth 7.21.2-2 -- enforce versioned libssh2 dependency for libcurl (#642796) - -* Wed Oct 13 2010 Kamil Dudka 7.21.2-1 -- new upstream release, drop applied patches -- make 0102-curl-7.21.2-debug.patch less intrusive - -* Wed Sep 29 2010 jkeating - 7.21.1-6 -- Rebuilt for gcc bug 634757 - -* Sat Sep 11 2010 Kamil Dudka 7.21.1-5 -- make it possible to run SCP/SFTP tests on x86_64 (#632914) - -* Tue Sep 07 2010 Kamil Dudka 7.21.1-4 -- work around glibc/valgrind problem on x86_64 (#631449) - -* Tue Aug 24 2010 Paul Howarth 7.21.1-3 -- fix up patches so there's no need to run autotools in the rpm build -- drop buildreq automake -- drop dependency on automake for devel package from F-14, where - %%{_datadir}/aclocal is included in the filesystem package -- drop dependency on pkgconfig for devel package from F-11, where - pkgconfig dependencies are auto-generated - -* Mon Aug 23 2010 Kamil Dudka 7.21.1-2 -- re-enable test575 on s390(x), already fixed (upstream commit d63bdba) -- modify system headers to work around gcc bug (#617757) -- curl -T now ignores file size of special files (#622520) -- fix kerberos proxy authentication for https (#625676) -- work around glibc/valgrind problem on x86_64 (#626470) - -* Thu Aug 12 2010 Kamil Dudka 7.21.1-1 -- new upstream release - -* Mon Jul 12 2010 Dan Horák 7.21.0-3 -- disable test 575 on s390(x) - -* Mon Jun 28 2010 Kamil Dudka 7.21.0-2 -- add support for NTLM authentication (#603783) - -* Wed Jun 16 2010 Kamil Dudka 7.21.0-1 -- new upstream release, drop applied patches -- update of %%description -- disable valgrind for certain test-cases (libssh2 problem) - -* Tue May 25 2010 Kamil Dudka 7.20.1-6 -- fix -J/--remote-header-name to strip CR-LF (upstream patch) - -* Wed Apr 28 2010 Kamil Dudka 7.20.1-5 -- CRL support now works again (#581926) -- make it 
possible to start a testing OpenSSH server when building with SELinux - in the enforcing mode (#521087) - -* Sat Apr 24 2010 Kamil Dudka 7.20.1-4 -- upstream patch preventing failure of test536 with threaded DNS resolver -- upstream patch preventing SSL handshake timeout underflow - -* Thu Apr 22 2010 Paul Howarth 7.20.1-3 -- replace Rawhide s390-sleep patch with a more targeted patch adding a - delay after tests 513 and 514 rather than after all tests - -* Wed Apr 21 2010 Kamil Dudka 7.20.1-2 -- experimentally enabled threaded DNS lookup -- make curl-config multilib ready again (#584107) - -* Mon Apr 19 2010 Kamil Dudka 7.20.1-1 -- new upstream release - -* Tue Mar 23 2010 Kamil Dudka 7.20.0-4 -- add missing quote in libcurl.m4 (#576252) - -* Fri Mar 19 2010 Kamil Dudka 7.20.0-3 -- throw CURLE_SSL_CERTPROBLEM in case peer rejects a certificate (#565972) -- valgrind temporarily disabled (#574889) -- kerberos installation prefix has been changed - -* Wed Feb 24 2010 Kamil Dudka 7.20.0-2 -- exclude test1112 from the test suite (#565305) - -* Thu Feb 11 2010 Kamil Dudka 7.20.0-1 -- new upstream release - added support for IMAP(S), POP3(S), SMTP(S) and RTSP -- dropped patches applied upstream -- dropped curl-7.16.0-privlibs.patch no longer useful -- a new patch forcing -lrt when linking the curl tool and test-cases - -* Fri Jan 29 2010 Kamil Dudka 7.19.7-11 -- upstream patch adding a new option -J/--remote-header-name -- dropped temporary workaround for #545779 - -* Thu Jan 14 2010 Chris Weyl 7.19.7-10 -- bump for libssh2 rebuild - -* Sun Dec 20 2009 Kamil Dudka 7.19.7-9 -- temporary workaround for #548269 - (restored behavior of 7.19.7-4) - -* Wed Dec 09 2009 Kamil Dudka 7.19.7-8 -- replace hard wired port numbers in the test suite - -* Wed Dec 09 2009 Kamil Dudka 7.19.7-7 -- use different port numbers for 32bit and 64bit builds -- temporary workaround for #545779 - -* Tue Dec 08 2009 Kamil Dudka 7.19.7-6 -- make it possible to run test241 -- re-enable SCP/SFTP tests 
(#539444) - -* Sat Dec 05 2009 Kamil Dudka 7.19.7-5 -- avoid use of uninitialized value in lib/nss.c -- suppress failure of test513 on s390 - -* Tue Dec 01 2009 Kamil Dudka 7.19.7-4 -- do not require valgrind on s390 and s390x -- temporarily disabled SCP/SFTP test-suite (#539444) - -* Thu Nov 12 2009 Kamil Dudka 7.19.7-3 -- fix crash on doubly closed NSPR descriptor, patch contributed - by Kevin Baughman (#534176) -- new version of patch for broken TLS servers (#525496, #527771) - -* Wed Nov 04 2009 Kamil Dudka 7.19.7-2 -- increased release number (CVS problem) - -* Wed Nov 04 2009 Kamil Dudka 7.19.7-1 -- new upstream release, dropped applied patches -- workaround for broken TLS servers (#525496, #527771) - -* Wed Oct 14 2009 Kamil Dudka 7.19.6-13 -- fix timeout issues and gcc warnings within lib/nss.c - -* Tue Oct 06 2009 Kamil Dudka 7.19.6-12 -- upstream patch for NSS support written by Guenter Knauf - -* Wed Sep 30 2009 Kamil Dudka 7.19.6-11 -- build libcurl with c-ares support (#514771) - -* Sun Sep 27 2009 Kamil Dudka 7.19.6-10 -- require libssh2>=1.2 properly (#525002) - -* Sat Sep 26 2009 Kamil Dudka 7.19.6-9 -- let curl test-suite use valgrind -- require libssh2>=1.2 (#525002) - -* Mon Sep 21 2009 Chris Weyl - 7.19.6-8 -- rebuild for libssh2 1.2 - -* Thu Sep 17 2009 Kamil Dudka 7.19.6-7 -- make curl test-suite more verbose - -* Wed Sep 16 2009 Kamil Dudka 7.19.6-6 -- update polling patch to the latest upstream version - -* Thu Sep 03 2009 Kamil Dudka 7.19.6-5 -- cover ssh and stunnel support by the test-suite - -* Wed Sep 02 2009 Kamil Dudka 7.19.6-4 -- use pkg-config to find nss and libssh2 if possible -- better patch (not only) for SCP/SFTP polling -- improve error message for not matching common name (#516056) - -* Fri Aug 21 2009 Kamil Dudka 7.19.6-3 -- avoid tight loop during a sftp upload -- http://permalink.gmane.org/gmane.comp.web.curl.library/24744 - -* Tue Aug 18 2009 Kamil Dudka 7.19.6-2 -- let curl package depend on the same version of libcurl - 
-* Fri Aug 14 2009 Kamil Dudka 7.19.6-1 -- new upstream release, dropped applied patches -- changed NSS code to not ignore the value of ssl.verifyhost and produce more - verbose error messages (#516056) - -* Wed Aug 12 2009 Ville Skyttä - 7.19.5-10 -- Use lzma compressed upstream tarball. - -* Fri Jul 24 2009 Fedora Release Engineering - 7.19.5-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Wed Jul 22 2009 Kamil Dudka 7.19.5-8 -- do not pre-login to all PKCS11 slots, it causes problems with HW tokens -- try to select client certificate automatically when not specified, thanks - to Claes Jakobsson - -* Fri Jul 10 2009 Kamil Dudka 7.19.5-7 -- fix SIGSEGV when using NSS client certificates, thanks to Claes Jakobsson - -* Sun Jul 05 2009 Kamil Dudka 7.19.5-6 -- force test suite to use the just built libcurl, thanks to Paul Howarth - -* Thu Jul 02 2009 Kamil Dudka 7.19.5-5 -- run test suite after build -- enable built-in manual - -* Wed Jun 24 2009 Kamil Dudka 7.19.5-4 -- fix bug introduced by the last build (#504857) - -* Wed Jun 24 2009 Kamil Dudka 7.19.5-3 -- exclude curlbuild.h content from spec (#504857) - -* Wed Jun 10 2009 Kamil Dudka 7.19.5-2 -- avoid unguarded comparison in the spec file, thanks to R P Herrold (#504857) - -* Tue May 19 2009 Kamil Dudka 7.19.5-1 -- update to 7.19.5, dropped applied patches - -* Mon May 11 2009 Kamil Dudka 7.19.4-11 -- fix infinite loop while loading a private key, thanks to Michael Cronenworth - (#453612) - -* Mon Apr 27 2009 Kamil Dudka 7.19.4-10 -- fix curl/nss memory leaks while using client certificate (#453612, accepted - by upstream) - -* Wed Apr 22 2009 Kamil Dudka 7.19.4-9 -- add missing BuildRequire for autoconf - -* Wed Apr 22 2009 Kamil Dudka 7.19.4-8 -- fix configure.ac to not discard -g in CFLAGS (#496778) - -* Tue Apr 21 2009 Debarshi Ray 7.19.4-7 -- Fixed configure to respect the environment's CFLAGS and CPPFLAGS settings. 
- -* Tue Apr 14 2009 Kamil Dudka 7.19.4-6 -- upstream patch fixing memory leak in lib/nss.c (#453612) -- remove redundant dependency of libcurl-devel on libssh2-devel - -* Wed Mar 18 2009 Kamil Dudka 7.19.4-5 -- enable 6 additional crypto algorithms by default (#436781, - accepted by upstream) - -* Thu Mar 12 2009 Kamil Dudka 7.19.4-4 -- fix memory leak in src/main.c (accepted by upstream) -- avoid using %%ifarch - -* Wed Mar 11 2009 Kamil Dudka 7.19.4-3 -- make libcurl-devel multilib-ready (bug #488922) - -* Fri Mar 06 2009 Jindrich Novy 7.19.4-2 -- drop .easy-leak patch, causes problems in pycurl (#488791) -- fix libcurl-devel dependencies (#488895) - -* Tue Mar 03 2009 Jindrich Novy 7.19.4-1 -- update to 7.19.4 (fixes CVE-2009-0037) -- fix leak in curl_easy* functions, thanks to Kamil Dudka -- drop nss-fix patch, applied upstream - -* Tue Feb 24 2009 Fedora Release Engineering - 7.19.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - -* Tue Feb 17 2009 Kamil Dudka 7.19.3-1 -- update to 7.19.3, dropped applied nss patches -- add patch fixing 7.19.3 curl/nss bugs - -* Mon Dec 15 2008 Jindrich Novy 7.18.2-9 -- rebuild for f10/rawhide cvs tag clashes - -* Sat Dec 06 2008 Jindrich Novy 7.18.2-8 -- use improved NSS patch, thanks to Rob Crittenden (#472489) - -* Tue Sep 09 2008 Jindrich Novy 7.18.2-7 -- update the thread safety patch, thanks to Rob Crittenden (#462217) - -* Wed Sep 03 2008 Warren Togami 7.18.2-6 -- add thread safety to libcurl NSS cleanup() functions (#459297) - -* Fri Aug 22 2008 Tom "spot" Callaway 7.18.2-5 -- undo mini libcurl.so.3 - -* Mon Aug 11 2008 Tom "spot" Callaway 7.18.2-4 -- make miniature library for libcurl.so.3 - -* Fri Jul 4 2008 Jindrich Novy 7.18.2-3 -- enable support for libssh2 (#453958) - -* Wed Jun 18 2008 Jindrich Novy 7.18.2-2 -- fix curl_multi_perform() over a proxy (#450140), thanks to - Rob Crittenden - -* Wed Jun 4 2008 Jindrich Novy 7.18.2-1 -- update to 7.18.2 - -* Wed May 7 2008 Jindrich Novy 
7.18.1-2 -- spec cleanup, thanks to Paul Howarth (#225671) - - drop BR: libtool - - convert CHANGES and README to UTF-8 - - _GNU_SOURCE in CFLAGS is no more needed - - remove bogus rpath - -* Mon Mar 31 2008 Jindrich Novy 7.18.1-1 -- update to curl 7.18.1 (fixes #397911) -- add ABI docs for libcurl -- remove --static-libs from curl-config -- drop curl-config patch, obsoleted by @SSL_ENABLED@ autoconf - substitution (#432667) - -* Fri Feb 15 2008 Jindrich Novy 7.18.0-2 -- define _GNU_SOURCE so that NI_MAXHOST gets defined from glibc - -* Mon Jan 28 2008 Jindrich Novy 7.18.0-1 -- update to curl-7.18.0 -- drop sslgen patch -> applied upstream -- fix typo in description - -* Tue Jan 22 2008 Jindrich Novy 7.17.1-6 -- fix curl-devel obsoletes so that we don't break F8->F9 upgrade - path (#429612) - -* Tue Jan 8 2008 Jindrich Novy 7.17.1-5 -- do not attempt to close a bad socket (#427966), - thanks to Caolan McNamara - -* Tue Dec 4 2007 Jindrich Novy 7.17.1-4 -- rebuild because of the openldap soname bump -- remove old nsspem patch - -* Fri Nov 30 2007 Jindrich Novy 7.17.1-3 -- drop useless ldap library detection since curl doesn't - dlopen()s it but links to it -> BR: openldap-devel -- enable LDAPS support (#225671), thanks to Paul Howarth -- BR: krb5-devel to reenable GSSAPI support -- simplify build process -- update description - -* Wed Nov 21 2007 Jindrich Novy 7.17.1-2 -- update description to contain complete supported servers list (#393861) - -* Sat Nov 17 2007 Jindrich Novy 7.17.1-1 -- update to curl 7.17.1 -- include patch to enable SSL usage in NSS when a socket is opened - nonblocking, thanks to Rob Crittenden (rcritten@redhat.com) - -* Wed Oct 24 2007 Jindrich Novy 7.16.4-10 -- correctly provide/obsolete curl-devel (#130251) - -* Wed Oct 24 2007 Jindrich Novy 7.16.4-9 -- create libcurl and libcurl-devel subpackages (#130251) - -* Thu Oct 11 2007 Jindrich Novy 7.16.4-8 -- list features correctly when curl is compiled against NSS (#316191) - -* Mon Sep 17 2007 
Jindrich Novy 7.16.4-7 -- add zlib-devel BR to enable gzip compressed transfers in curl (#292211) - -* Mon Sep 10 2007 Jindrich Novy 7.16.4-6 -- provide webclient (#225671) - -* Thu Sep 6 2007 Jindrich Novy 7.16.4-5 -- add support for the NSS PKCS#11 pem reader so the command-line is the - same for both OpenSSL and NSS by Rob Crittenden (rcritten@redhat.com) -- switch to NSS again - -* Mon Sep 3 2007 Jindrich Novy 7.16.4-4 -- revert back to use OpenSSL (#266021) - -* Mon Aug 27 2007 Jindrich Novy 7.16.4-3 -- don't use openssl, use nss instead - -* Fri Aug 10 2007 Jindrich Novy 7.16.4-2 -- fix anonymous ftp login (#251570), thanks to David Cantrell - -* Wed Jul 11 2007 Jindrich Novy 7.16.4-1 -- update to 7.16.4 - -* Mon Jun 25 2007 Jindrich Novy 7.16.3-1 -- update to 7.16.3 -- drop .print patch, applied upstream -- next series of merge review fixes by Paul Howarth -- remove aclocal stuff, no more needed -- simplify makefile arguments -- don't reference standard library paths in libcurl.pc -- include docs/CONTRIBUTE - -* Mon Jun 18 2007 Jindrich Novy 7.16.2-5 -- don't print like crazy (#236981), backported from upstream CVS - -* Fri Jun 15 2007 Jindrich Novy 7.16.2-4 -- another series of review fixes (#225671), - thanks to Paul Howarth -- check version of ldap library automatically -- don't use %%makeinstall and preserve timestamps -- drop useless patches - -* Fri May 11 2007 Jindrich Novy 7.16.2-3 -- add automake BR to curl-devel to fix aclocal dir. 
ownership, - thanks to Patrice Dumas - -* Thu May 10 2007 Jindrich Novy 7.16.2-2 -- package libcurl.m4 in curl-devel (#239664), thanks to Quy Tonthat - -* Wed Apr 11 2007 Jindrich Novy 7.16.2-1 -- update to 7.16.2 - -* Mon Feb 19 2007 Jindrich Novy 7.16.1-3 -- don't create/ship static libraries (#225671) - -* Mon Feb 5 2007 Jindrich Novy 7.16.1-2 -- merge review related spec fixes (#225671) - -* Mon Jan 29 2007 Jindrich Novy 7.16.1-1 -- update to 7.16.1 - -* Tue Jan 16 2007 Jindrich Novy 7.16.0-5 -- don't package generated makefiles for docs/examples to avoid - multilib conflicts - -* Mon Dec 18 2006 Jindrich Novy 7.16.0-4 -- convert spec to UTF-8 -- don't delete BuildRoot in %%prep phase -- rpmlint fixes - -* Thu Nov 16 2006 Jindrich Novy -7.16.0-3 -- prevent curl from dlopen()ing missing ldap libraries so that - ldap:// requests work (#215928) - -* Tue Oct 31 2006 Jindrich Novy - 7.16.0-2 -- fix BuildRoot -- add Requires: pkgconfig for curl-devel -- move LDFLAGS and LIBS to Libs.private in libcurl.pc.in (#213278) - -* Mon Oct 30 2006 Jindrich Novy - 7.16.0-1 -- update to curl-7.16.0 - -* Thu Aug 24 2006 Jindrich Novy - 7.15.5-1.fc6 -- update to curl-7.15.5 -- use %%{?dist} - -* Fri Jun 30 2006 Ivana Varekova - 7.15.4-1 -- update to 7.15.4 - -* Mon Mar 20 2006 Ivana Varekova - 7.15.3-1 -- fix multilib problem using pkg-config -- update to 7.15.3 - -* Thu Feb 23 2006 Ivana Varekova - 7.15.1-2 -- fix multilib problem - #181290 - - curl-devel.i386 not installable together with curl-devel.x86-64 - -* Fri Feb 10 2006 Jesse Keating - 7.15.1-1.2.1 -- bump again for double-long bug on ppc(64) - -* Tue Feb 07 2006 Jesse Keating - 7.15.1-1.2 -- rebuilt for new gcc4.1 snapshot and glibc changes - -* Fri Dec 09 2005 Jesse Keating -- rebuilt - -* Thu Dec 8 2005 Ivana Varekova 7.15.1-1 -- update to 7.15.1 (bug 175191) - -* Wed Nov 30 2005 Ivana Varekova 7.15.0-3 -- fix curl-config bug 174556 - missing vernum value - -* Wed Nov 9 2005 Ivana Varekova 7.15.0-2 -- rebuilt - -* Tue 
Oct 18 2005 Ivana Varekova 7.15.0-1 -- update to 7.15.0 - -* Thu Oct 13 2005 Ivana Varekova 7.14.1-1 -- update to 7.14.1 - -* Thu Jun 16 2005 Ivana Varekova 7.14.0-1 -- rebuild new version - -* Tue May 03 2005 Ivana Varekova 7.13.1-3 -- fix bug 150768 - curl-7.12.3-2 breaks basic authentication - used Daniel Stenberg patch - -* Mon Apr 25 2005 Joe Orton 7.13.1-2 -- update to use ca-bundle in /etc/pki -- mark License as MIT not MPL - -* Wed Mar 9 2005 Ivana Varekova 7.13.1-1 -- rebuilt (7.13.1) - -* Tue Mar 1 2005 Tomas Mraz 7.13.0-2 -- rebuild with openssl-0.9.7e - -* Sun Feb 13 2005 Florian La Roche -- 7.13.0 - -* Wed Feb 9 2005 Joe Orton 7.12.3-3 -- don't pass /usr to --with-libidn to remove "-L/usr/lib" from - 'curl-config --libs' output on x86_64. - -* Fri Jan 28 2005 Adrian Havill 7.12.3-1 -- Upgrade to 7.12.3, which uses poll() for FDSETSIZE limit (#134794) -- require libidn-devel for devel subpkg (#141341) -- remove proftpd kludge; included upstream - -* Wed Oct 06 2004 Adrian Havill 7.12.1-1 -- upgrade to 7.12.1 -- enable GSSAPI auth (#129353) -- enable I18N domain names (#134595) -- workaround for broken ProFTPD SSL auth (#134133). 
Thanks to - Aleksandar Milivojevic - -* Wed Sep 29 2004 Adrian Havill 7.12.0-4 -- move new docs position so defattr gets applied - -* Mon Sep 27 2004 Warren Togami 7.12.0-3 -- remove INSTALL, move libcurl docs to -devel - -* Mon Jul 26 2004 Jindrich Novy -- updated to 7.12.0 -- updated nousr patch - -* Tue Jun 15 2004 Elliot Lee -- rebuilt - -* Wed Apr 07 2004 Adrian Havill 7.11.1-1 -- upgraded; updated nousr patch -- added COPYING (#115956) -- - -* Tue Mar 02 2004 Elliot Lee -- rebuilt - -* Fri Feb 13 2004 Elliot Lee -- rebuilt - -* Sat Jan 31 2004 Florian La Roche -- update to 7.10.8 -- remove patch2, already upstream - -* Wed Oct 15 2003 Adrian Havill 7.10.6-7 -- aclocal before libtoolize -- move OpenLDAP license so it's present as a doc file, present in - both the source and binary as per conditions - -* Mon Oct 13 2003 Adrian Havill 7.10.6-6 -- add OpenLDAP copyright notice for usage of code, add OpenLDAP - license for this code - -* Tue Oct 07 2003 Adrian Havill 7.10.6-5 -- match serverAltName certs with SSL (#106168) - -* Tue Sep 16 2003 Adrian Havill 7.10.6-4.1 -- bump n-v-r for RHEL - -* Tue Sep 16 2003 Adrian Havill 7.10.6-4 -- restore ca cert bundle (#104400) -- require openssl, we want to use its ca-cert bundle - -* Sun Sep 7 2003 Joe Orton 7.10.6-3 -- rebuild - -* Fri Sep 5 2003 Joe Orton 7.10.6-2.2 -- fix to include libcurl.so - -* Mon Aug 25 2003 Adrian Havill 7.10.6-2.1 -- bump n-v-r for RHEL - -* Mon Aug 25 2003 Adrian Havill 7.10.6-2 -- devel subpkg needs openssl-devel as a Require (#102963) - -* Mon Jul 28 2003 Adrian Havill 7.10.6-1 -- bumped version - -* Tue Jul 01 2003 Adrian Havill 7.10.5-1 -- bumped version - -* Wed Jun 04 2003 Elliot Lee -- rebuilt - -* Sat Apr 12 2003 Florian La Roche -- update to 7.10.4 -- adapt nousr patch - -* Wed Jan 22 2003 Tim Powers -- rebuilt - -* Tue Jan 21 2003 Joe Orton 7.9.8-4 -- don't add -L/usr/lib to 'curl-config --libs' output - -* Tue Jan 7 2003 Nalin Dahyabhai 7.9.8-3 -- rebuild - -* Wed Nov 6 2002 Joe 
Orton 7.9.8-2 -- fix `curl-config --libs` output for libdir!=/usr/lib -- remove docs/LIBCURL from docs list; remove unpackaged libcurl.la -- libtoolize and reconf - -* Mon Jul 22 2002 Trond Eivind Glomsrød 7.9.8-1 -- 7.9.8 (# 69473) - -* Fri Jun 21 2002 Tim Powers -- automated rebuild - -* Sun May 26 2002 Tim Powers -- automated rebuild - -* Thu May 16 2002 Trond Eivind Glomsrød 7.9.7-1 -- 7.9.7 - -* Wed Apr 24 2002 Trond Eivind Glomsrød 7.9.6-1 -- 7.9.6 - -* Thu Mar 21 2002 Trond Eivind Glomsrød 7.9.5-2 -- Stop the curl-config script from printing -I/usr/include - and -L/usr/lib (#59497) - -* Fri Mar 8 2002 Trond Eivind Glomsrød 7.9.5-1 -- 7.9.5 - -* Tue Feb 26 2002 Trond Eivind Glomsrød 7.9.3-2 -- Rebuild - -* Wed Jan 23 2002 Nalin Dahyabhai 7.9.3-1 -- update to 7.9.3 - -* Wed Jan 09 2002 Tim Powers 7.9.2-2 -- automated rebuild - -* Wed Jan 9 2002 Trond Eivind Glomsrød 7.9.2-1 -- 7.9.2 - -* Fri Aug 17 2001 Nalin Dahyabhai -- include curl-config in curl-devel -- update to 7.8 to fix memory leak and strlcat() symbol pollution from libcurl - -* Wed Jul 18 2001 Crutcher Dunnavant -- added openssl-devel build req - -* Mon May 21 2001 Tim Powers -- built for the distro - -* Tue Apr 24 2001 Jeff Johnson -- upgrade to curl-7.7.2. -- enable IPv6. - -* Fri Mar 2 2001 Tim Powers -- rebuilt against openssl-0.9.6-1 - -* Thu Jan 4 2001 Tim Powers -- fixed mising ldconfigs -- updated to 7.5.2, bug fixes - -* Mon Dec 11 2000 Tim Powers -- updated to 7.5.1 - -* Mon Nov 6 2000 Tim Powers -- update to 7.4.1 to fix bug #20337, problems with curl -c -- not using patch anymore, it's included in the new source. 
Keeping - for reference - -* Fri Oct 20 2000 Nalin Dahyabhai -- fix bogus req in -devel package - -* Fri Oct 20 2000 Tim Powers -- devel package needed defattr so that root owns the files - -* Mon Oct 16 2000 Nalin Dahyabhai -- update to 7.3 -- apply vsprintf/vsnprintf patch from Colin Phipps via Debian - -* Mon Aug 21 2000 Nalin Dahyabhai -- enable SSL support -- fix packager tag -- move buildroot to %%{_tmppath} - -* Tue Aug 1 2000 Tim Powers -- fixed vendor tag for bug #15028 - -* Mon Jul 24 2000 Prospector -- rebuilt - -* Tue Jul 11 2000 Tim Powers -- workaround alpha build problems with optimizations - -* Mon Jul 10 2000 Tim Powers -- rebuilt - -* Mon Jun 5 2000 Tim Powers -- put man pages in correct place -- use %%makeinstall - -* Mon Apr 24 2000 Tim Powers -- updated to 6.5.2 - -* Wed Nov 3 1999 Tim Powers -- updated sources to 6.2 -- gzip man page - -* Mon Aug 30 1999 Tim Powers -- changed group - -* Thu Aug 26 1999 Tim Powers -- changelog started -- general cleanups, changed prefix to /usr, added manpage to files section -- including in Powertools diff --git a/mykey.asc b/mykey.asc new file mode 100644 index 0000000..0c77721 --- /dev/null +++ b/mykey.asc 
@@ -0,0 +1,77 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2 + +mQGiBD6tnnoRBACRPnFBVoapBrTpPrCNZ2rq3DcmW6n/soQJW47+zP+vcrcxQ1WJ +QiWSzLGO+QOIUZSYfnliR22r8HkFX9EUSW3IAcRMJMsaO3wMJ0a+78a9QqWLp6RV +0arcQkuuCvG79h+yJ6NnoAXe1geRt8vNGsaWtsS91CtYlTSs6JVtaRLnYwCg/Ly1 +EFgvNZ6SJRc/8I5rRv0lrz8D/0goih2kZ5z4SI+r2hgABNcN7g565YwGKaQDbIch +soh3OBzgETWc3wuAZqmCzQXPXMpMx+ziqX6XDzDKNiGL1CdrBJQd0II8UutWVDje +f9UxLfo02YQ8diGYeq0u9k1RezC13w4TVUmQfg0Uqn4xM6DNzO1O6yCK8rlNwsvL +gHNJA/9m1pfzjpvdxtmJNKRU3C4cRCjXhxNdM7laSEj0/wOGaR2QWWEge51orWwo +SLQUIe4BDPvtRStQHC+tI7qr7d12rMMEBXviJC5EkGBOzlgWr9virjM/u/pkGMc2 +m5r3pVuWH/JSsHsV952y2kWP64uP4zdLXOpVzX/xs0sYJ9nOPLQnRGFuaWVsIFN0 +ZW5iZXJnIChIYXh4KSA8ZGFuaWVsQGhheHguc2U+iF4EExECAB4CHgECF4AFAlQU +ki4FCwkIBwMFFQoJCAsFFgIDAQAACgkQeOEcayedXJEOOwCggCsNHdAQPAlPte3w +i2IZEekkM0YAoOXXPFAWjUwIHjZY41l7WgzACbANiFkEExECABkFAj6tnnoECwcD +AgMVAgMDFgIBAh4BAheAAAoJEHjhHGsnnVyRjngAoO1y3LoSOEgD8vR062cdYDmv +jLvVAJ0dmp1UiuQp+oMyq2VbWyw8LXN1XLkBDQQ+rZ59EAQAmYsA8gPjJ75gOIPb +XNg9Z31QzIz65qS9XdNsFNAdKxnY4b72nhc0oaS9/7Dcdf2Q+1mDa2p72DWk+9iz +7knmBL++csBP2z9eMe5h8oV53prqNOHDHyL3WLOa25ga9381gZnzWoQME74iSBBM +wDw8vbLEgIZ34JaQ7Oe+9N3+6n8AAwcD/Av+Ms+3gCc5pLp4nx36qqi36fodaG9+ +dwIcMbr9bivEtjmDHeuPsD6X1J9+Y/ikUBIDpMPv33lJxLoubOtpLhEuN2XN/ojT +rueVPDKA1f+GyfHnyfpf/78IgX1hGVqu/3RBWKPpXFwSZA4q8vFR+FaPC5WbU68t +FLJpYuC9ZO/LiEYEGBECAAYFAj6tnn0ACgkQeOEcayedXJGtPQCgxrbd59afemZ9 +OIadZD8kUGC29dUAoJ94aGUkWCwoEiPyEZRGXv9XRlfxmQENBFcGhyIBCAC79AIx +5hHixKmNtqbryuZTDwlt9XXkEn/QSrQD3pzgbsbBiWyqOV4hfscvtmoqA7koOw4h +zZ/b8pJPA36eNzqMFIbkWpIit/BwA5bTKRkKXeD2kBFkjIN+iDuXawwhv7eNKH9O +poAUe0K/esK/kvbMO721q24IgkOjB1Vtr/Y4Xkg7+VWVP0LFh7C/2Nwq6n2bktsA +Ey9uCDD1hl8BdckN/XxpuUqSfxbF85GvYzzON67zOxxo6jqRXXcJ2PdPq0o9Ak0d +6Fe7g9ZxOAeuYEbFTCZHBBccx84K0Bhn5tpqoq8Mq3f3mZfGBoe4J6wr17cxEDC8 +tTHUpDqk0CoLERUxABEBAAG0IERhbmllbCBTdGVuYmVyZyA8ZGFuaWVsQGhheHgu +c2U+iQE3BBMBCgAhBQJXBociAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJ +EPn+r/nTShvbHoAIAJDwb7dcAX4VGPa2oSuQqVnHsjDE7g8ATmcZq2IAzAG6bZg1 
+svuhNyPQnL7kNrsz6Ew+yE4vH8mOjDUbc3feY4MzmtEMaB6VS0Xlna6cdtWkv4Y+ +Us4TuYSdftPZuZgI3nN/sXLlxWJCZgCPJJaGM6dXgyTFatk2P1LE98Qif7+ZMqfv ++BA5L6cy2cAwJ5qbvLtuT25rTxooN54JETfwdhUD1NEIqTQxeC4E5lFvwedjAjLh +Gswau8WMCdM/HzGbuQ9Gp3/RafYoAvMV6r6sskvUrWubCHj0u+uNgOpUHvlrwcFg +rBirzQdElumCWqbJVCH0V5NcP/zSz1U1W8wSRqS5AQ0EVwaHIgEIALyCqpnax0cL +y7EK3UiU2Kkryb7LPsZkia9hTcIZjNg0B8XAdqDYpHiquYtX0cz5I1sSZMBJ/xJP +BF2ce/bmOTJtyW3GaF9a+M2zboZSzx9nlv9xx0o3bXBrBlL2vaG2TW+x2G53GA0/ +0chbj35PR+fvJx8ob/fHwCkfzGb1qCzwovhwGVUNHqI5bxK/xVwXfiycbllE3Hmf +09BGeXKR7gQtaal8byKKlqCtayteEaPNQt6czYxZkVAOvY4ZDQKSZJUNwGFog3bG +6rHr1J/0un6nAvX+wMuvRkUDiQxZZCel7e0Qcg3gPrYh+adlr0Tn7wyCP7/BULz8 +67fQfzc2ENkAEQEAAYkBHwQYAQoACQUCVwaHIgIbDAAKCRD5/q/500ob27KaB/9H +a+iDip6mxFdoqy7TAefBy7KgbMQxxT926IcFqf70aJDzeVQI3lGCqN9GW03d+wPr +LoyeQBQKNxxfQ9fEOvp1AXGWFIYYtEZIvQBpIqaSaA7W5IzqfDuO9xG89DNn8zKK +nh/mbYJov/fywhBU6JH7bqdFSHbqoG9TY64s0BkV6shIVOubXLSG5G7LxXhw+xrb +0zl4ie2wCeCBOLdbGHc+o2sKo1rBEz6UBK2DesPfkzxBO7lfa9HTcN03UJPHXmzb +2mCbeFV8yPsTAoaGv4qZH1+FX+9Lv374xTSXa4CjQzSxd0dkZGG+YQjocoPftgsC +OVsiqW0WhRVIEJ+hBAMUmQENBFcGiPEBCAC7sCnaZqWxfXNgBC7P28BSDUs9w4y/ +PEFsOv9bpgbgZagX1FnhG0eV71nm0p8v9T8Bft1eXaBd977Dq9pgk5qKO0xZo8fC +8prFqB5db7fMUvPZCuJTTb6lGMz4OdfT6aHqUvJ+LFF1mKn8Eqt1Q4snHGSL1PI3 +/+435qDRQsU15GdYrj1waNJKk79aes9oguaI2/OTQqzIcOFK5tJjlSOD1ryOIH1e +8vD+5MMpGvsRxv3sQHeTZkfZbkzSLFg/LKpoiQkyql1+BLNhBYq8oaE/jlvQrTEk +bAyKpMScdyHwmkWWKjyZtXTrAtlComnki4yC2lAV9MXINHHvNJBcIXvVABEBAAG0 +IERhbmllbCBTdGVuYmVyZyA8ZGFuaWVsQGhheHguc2U+iQE3BBMBCgAhBQJXBojx +AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEFzJCP23HhLCOKkH/1CyoKiN +2PCgTlWoYQspv/AAmsj+cFwZobI167KowA+o3zxQqxg0MV3ds8G+iig9OIuYurlQ +L5Jr3CbDltaiXdWtVteRh/VKp61EwyXq77vjJbx81hvOuaXWWLSlU0KB3w7Hj6aD +/mt16DpOcY9Aw90mKyvafRTqMF7TcT7J5HeGn2NL45dPkAhiMDEgEnw9yBTxK/x6 +UoQGPgiOWxSSN7Foj3mhUOflp8W0rnkLbJ4icpym6WuLKRMKAefDvk8GVlAWuXAb +9gloL1P6u3uNHllq/IODR2bZUBI0QNKhvt0iSj7WKsc/kaqscl+AE9jd/6kXd6vh +TNFWdzeco/2mGlaIRgQQEQoABgUCVwaJ/AAKCRB44RxrJ51ckWcaAKCJ6+arS/3k 
+IMcO14Jz8dVf2BH3OACgwTenVSsK66qi+VfGCoALpzpiLDO5AQ0EVwaI8QEIAOxQ +AEvF3idxcn80tbUhJg1J98fAS7Hx3WhlFG74uAikZQl1KZrprBu70RWTb7Nm1tvZ +eXW65IlY7kk42bhfYDs1JrIPWOWKvVwKWDxoEbYgW/yvy1TOuXH276zbxLl5OEE8 +sQuOfXZsFSX2IPF9hsgNGaNzor8Ke7Y5BuCQLcGZWW5dLFbbKRKjXG8CaWmsJVoI +c2nyXCAss2q9oCJ13X/5z+Ei392rwi1d3NxAYkSiDQan+fkWkCvZH+dHmFjQ1AND +KielxcW1VfilK1hu9ziBBDf8TCEud/q0woIAH7rvIft4i3CqjymonByE4/OjfH8j +4EteQ8qoknMCjjwNVqkAEQEAAYkBHwQYAQoACQUCVwaI8QIbDAAKCRBcyQj9tx4S +wupjB/9TV4anbZK58bN7QJ5qGnU3GNjlvWFZXMw1u1xVc7abDJyqmFeJcJ4qLUkv +BA0OsvlVnMWmeCmzsXhlQVM4Bv6IWyr7JBWgkK5q2CWVB59V7v7znf5kWnMGFhDF +PlLsGbxDWLMoZGH+Iy84whMJFgferwCJy1dND/bHXPztfhvFXi8NNlJUFJa8Xtmu +gm78C+nwNHcFpVC70HPr3oa8U1ODXMp7L8W/dL3eLYXmRCNd0urHgYrzDt6V/zf5 +ymvPk5w4HBocn2oRCJj/FXKhFAUptmpTE3g1yvYULmuFcNGAnPAExmAmd6NqsCmb +j/qx4ytjt5uxt6Jm6IXV9cry8i6x +=Phs/ +-----END PGP PUBLIC KEY BLOCK----- diff --git a/sources b/sources index 01a34cd..002e494 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ -SHA512 (curl-7.76.1.tar.xz) = 5fe85d2e776789aa8117c57fe7648e375b7fa92d5ead5d69855f19ca9a2624d77a1f9ab91766ecb72bbc17e82862248cd07e48917884d6fd856b93fb00d83e28 +SHA512 (curl-8.18.0.tar.xz) = 50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c +SHA512 (curl-8.18.0.tar.xz.asc) = 07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152 diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh index 0529a12..0d72276 100755 --- a/tests/non-root-user-download/runtest.sh +++ b/tests/non-root-user-download/runtest.sh 
@@ -31,9 +31,9 @@ PACKAGE="curl"
-FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM
-HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM
-CONTENT=85cb450443d68d513b41e57b0bd818a740279dac5dfc09c68e681ff8a3006404
+FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM
+HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM
+CONTENT=1bd6ab4798983c2fe4a210f9c4ca135fed453d6142ba852c1f8d5fba22e113ab
 PASSWORD=pAssw0rd
 OPTIONS=""
 rlIsRHEL 7 && OPTIONS="--insecure"
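Review bot: The Fedora release and compose numbers are spelled out twice in each of the new FTP_URL and HTTP_URL lines, and CONTENT has to be bumped in lock-step with them, so the next update has to touch five places consistently; deriving both URLs from one pair of variables removes that hazard. CONTENT is a bare hex string with nothing saying what it is — presumably the SHA256 entry from the CHECKSUM file that the test body (outside this hunk) compares the download against — so a short comment naming its origin and the need to re-verify it against the upstream file on each bump would make the update less error-prone. Since the FTP mirror is fetched over plain ftp:// and the HTTPS mirror with `--insecure` on RHEL 7 (pre-existing context, not part of this change), the comparison against CONTENT is presumably the only integrity check these downloads get, which is one more reason to document what the value is. The proposed restructuring is shown below; everything after OPTIONS is unchanged.
```shell
# Compose coordinates; bump these and CONTENT together.
FEDORA_RELEASE=42
FEDORA_COMPOSE=1.1
CHECKSUM_FILE="Fedora-Everything-${FEDORA_RELEASE}-${FEDORA_COMPOSE}-x86_64-CHECKSUM"
FTP_URL="ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/${FEDORA_RELEASE}/Everything/x86_64/iso/${CHECKSUM_FILE}"
HTTP_URL="https://archives.fedoraproject.org/pub/fedora/linux/releases/${FEDORA_RELEASE}/Everything/x86_64/iso/${CHECKSUM_FILE}"
# Expected value taken from ${CHECKSUM_FILE}; re-verify against the upstream file whenever the release is bumped.
# NOTE(review): how the test uses CONTENT is defined below this hunk — confirm it still matches after the bump.
CONTENT=1bd6ab4798983c2fe4a210f9c4ca135fed453d6142ba852c1f8d5fba22e113ab
# … unchanged: PASSWORD, OPTIONS, rlIsRHEL …
```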