Hello community, here is the log from the commit of package curl for openSUSE:Factory checked in at 2015-04-25 16:45:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/curl (Old) and /work/SRC/openSUSE:Factory/.curl.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "curl" Changes: -------- --- /work/SRC/openSUSE:Factory/curl/curl.changes 2015-04-03 14:32:00.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.curl.new/curl.changes 2015-04-25 16:45:42.000000000 +0200 @@ -1,0 +2,15 @@ +Wed Apr 22 08:03:02 UTC 2015 - [email protected] + +- update to 7.42.0 + * refresh libcurl-ocloexec.patch +- fixes security vulnerabilities: + * CVE-2015-3143 (bnc#927556) + - Re-using authenticated connection when unauthenticated + * CVE-2015-3144 (bnc#927608) + - host name out of boundary memory access + * CVE-2015-3145 (bnc#927607) + - cookie parser out of boundary memory access + * CVE-2015-3148 (bnc#927746) + - Negotiate not treated as connection-oriented + +------------------------------------------------------------------- Old: ---- curl-7.41.0.tar.lzma curl-7.41.0.tar.lzma.asc New: ---- curl-7.42.0.tar.lzma curl-7.42.0.tar.lzma.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ curl.spec ++++++ --- /var/tmp/diff_new_pack.b7Z6in/_old 2015-04-25 16:45:43.000000000 +0200 +++ /var/tmp/diff_new_pack.b7Z6in/_new 2015-04-25 16:45:43.000000000 +0200 @@ -20,7 +20,7 @@ %bcond_with mozilla_nss %bcond_without testsuite Name: curl -Version: 7.41.0 +Version: 7.42.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: BSD-3-Clause and MIT ++++++ libcurl-ocloexec.patch ++++++ --- /var/tmp/diff_new_pack.b7Z6in/_old 2015-04-25 16:45:43.000000000 +0200 +++ /var/tmp/diff_new_pack.b7Z6in/_new 2015-04-25 16:45:43.000000000 +0200 @@ -9,9 +9,9 @@ Index: lib/cookie.c =================================================================== ---- lib/cookie.c.orig 2014-12-10 00:01:02.000000000 +0100 -+++ lib/cookie.c 2015-01-08 11:33:25.855588512 +0100 -@@ -932,7 +932,7 @@ struct CookieInfo *Curl_cookie_init(stru +--- lib/cookie.c.orig 2015-04-22 10:05:04.652863265 +0200 ++++ lib/cookie.c 2015-04-22 10:05:08.225915413 +0200 +@@ -914,7 +914,7 @@ struct CookieInfo *Curl_cookie_init(stru fp = NULL; } else @@ -20,7 +20,7 @@ c->newsession = newsession; /* new session? */ -@@ -1281,7 +1281,7 @@ static int cookie_output(struct CookieIn +@@ -1262,7 +1262,7 @@ static int cookie_output(struct CookieIn use_stdout=TRUE; } else { @@ -31,9 +31,9 @@ } Index: lib/file.c =================================================================== ---- lib/file.c.orig 2014-11-20 18:42:17.000000000 +0100 -+++ lib/file.c 2015-01-08 11:33:25.855588512 +0100 -@@ -240,7 +240,7 @@ static CURLcode file_connect(struct conn +--- lib/file.c.orig 2015-04-22 10:05:04.652863265 +0200 ++++ lib/file.c 2015-04-22 10:05:08.226915427 +0200 +@@ -238,7 +238,7 @@ static CURLcode file_connect(struct conn /* binary zeroes indicate foul play */ return CURLE_URL_MALFORMAT; @@ -42,7 +42,7 @@ file->path = real_path; #endif file->freepath = real_path; /* free this when done */ -@@ -338,7 +338,7 @@ static CURLcode file_upload(struct conne +@@ -336,7 +336,7 @@ static CURLcode file_upload(struct conne else mode = MODE_DEFAULT|O_TRUNC; @@ -53,9 +53,9 @@ return CURLE_WRITE_ERROR; Index: lib/formdata.c =================================================================== ---- lib/formdata.c.orig 2014-11-20 18:42:17.000000000 +0100 -+++ lib/formdata.c 2015-01-08 11:33:25.856588523 +0100 -@@ -1261,7 +1261,7 @@ CURLcode Curl_getformdata(struct Session +--- lib/formdata.c.orig 2015-04-22 10:05:04.652863265 +0200 ++++ lib/formdata.c 2015-04-22 10:05:08.226915427 +0200 +@@ -1256,7 +1256,7 @@ CURLcode Curl_getformdata(struct Session FILE *fileread; fileread = strequal("-", file->contents)? @@ -64,7 +64,7 @@ /* * VMS: This only allows for stream files on VMS. Stream files are -@@ -1420,7 +1420,7 @@ static size_t readfromfile(struct Form * +@@ -1415,7 +1415,7 @@ static size_t readfromfile(struct Form * else { if(!form->fp) { /* this file hasn't yet been opened */ @@ -75,8 +75,8 @@ } Index: lib/hostip6.c =================================================================== ---- lib/hostip6.c.orig 2014-12-28 14:36:05.000000000 +0100 -+++ lib/hostip6.c 2015-01-08 11:33:25.856588523 +0100 +--- lib/hostip6.c.orig 2015-04-22 10:05:04.652863265 +0200 ++++ lib/hostip6.c 2015-04-22 10:05:08.226915427 +0200 @@ -39,7 +39,7 @@ #ifdef HAVE_PROCESS_H #include <process.h> @@ -86,7 +86,7 @@ #include "urldata.h" #include "sendf.h" #include "hostip.h" -@@ -107,7 +107,7 @@ bool Curl_ipv6works(void) +@@ -104,7 +104,7 @@ bool Curl_ipv6works(void) static int ipv6_works = -1; if(-1 == ipv6_works) { /* probe to see if we have a working IPv6 stack */ @@ -97,9 +97,9 @@ ipv6_works = 0; Index: lib/if2ip.c =================================================================== ---- lib/if2ip.c.orig 2014-12-28 14:36:05.000000000 +0100 -+++ lib/if2ip.c 2015-01-08 11:33:25.856588523 +0100 -@@ -224,7 +224,7 @@ if2ip_result_t Curl_if2ip(int af, unsign +--- lib/if2ip.c.orig 2015-04-22 10:05:04.652863265 +0200 ++++ lib/if2ip.c 2015-04-22 10:05:08.227915442 +0200 +@@ -222,7 +222,7 @@ if2ip_result_t Curl_if2ip(int af, unsign if(len >= sizeof(req.ifr_name)) return IF2IP_NOT_FOUND; @@ -110,22 +110,22 @@ Index: lib/netrc.c =================================================================== ---- lib/netrc.c.orig 2014-11-04 13:51:16.000000000 +0100 -+++ lib/netrc.c 2015-01-08 11:33:25.856588523 +0100 -@@ -111,7 +111,7 @@ int Curl_parsenetrc(const char *host, +--- lib/netrc.c.orig 2015-04-22 10:05:04.652863265 +0200 ++++ lib/netrc.c 2015-04-22 10:05:08.227915442 +0200 +@@ -109,7 +109,7 @@ int Curl_parsenetrc(const char *host, netrc_alloc = TRUE; } - file = fopen(netrcfile, "r"); + file = fopen(netrcfile, "re"); if(netrc_alloc) - Curl_safefree(netrcfile); + free(netrcfile); if(file) { Index: lib/connect.c =================================================================== ---- lib/connect.c.orig 2014-12-28 14:36:05.000000000 +0100 -+++ lib/connect.c 2015-01-08 11:33:25.856588523 +0100 -@@ -1314,7 +1314,7 @@ CURLcode Curl_socket(struct connectdata +--- lib/connect.c.orig 2015-04-22 10:05:04.652863265 +0200 ++++ lib/connect.c 2015-04-22 10:05:08.227915442 +0200 +@@ -1334,7 +1334,7 @@ CURLcode Curl_socket(struct connectdata (struct curl_sockaddr *)addr); else /* opensocket callback not set, so simply create the socket now */ @@ -136,8 +136,8 @@ /* no socket, no connection */ Index: configure.ac =================================================================== ---- configure.ac.orig 2014-12-28 14:36:05.000000000 +0100 -+++ configure.ac 2015-01-08 11:33:55.103922543 +0100 +--- configure.ac.orig 2015-04-22 10:05:04.652863265 +0200 ++++ configure.ac 2015-04-22 10:05:08.228915457 +0200 @@ -182,6 +182,7 @@ AC_CANONICAL_HOST dnl Get system canonical name AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-machine-OS])
