#6618: curl-7.43.0
-------------------------+--------------------------
 Reporter:  fo           |       Owner:  blfs-book@…
     Type:  enhancement  |      Status:  new
 Priority:  high         |   Milestone:  7.8
Component:  BOOK         |     Version:  SVN
 Severity:  normal       |  Resolution:
 Keywords:               |
-------------------------+--------------------------
Description changed by fo:

Old description:

> [http://curl.haxx.se/download/curl-7.43.0.tar.lzma]
>
> [http://curl.haxx.se/download/curl-7.43.0.tar.lzma.asc]
>
> [http://curl.haxx.se/docs/adv_20150617A.html] (CVE-2015-3236)
>
> [http://curl.haxx.se/docs/adv_20150617B.html] (CVE-2015-3237)
>
> [http://curl.haxx.se/changes.html#7_43_0]
>
> {{{
>  Fixed in 7.43.0 - June 17 2015
>
> Changes:
>
>    • Added CURLOPT_PROXY_SERVICE_NAME
>    • Added CURLOPT_SERVICE_NAME
>    • New curl option: --proxy-service-name
>    • New curl option: --service-name
>    • New curl option: --data-raw
>    • Added CURLOPT_PIPEWAIT
>    • Added support for multiplexing transfers using HTTP/2, enable this
>      with the new CURLPIPE_MULTIPLEX bit for CURLMOPT_PIPELINING
>    • HTTP/2: requires nghttp2 1.0.0 or later
>    • scripts: add zsh.pl for generating zsh completion
>    • curl.h: add CURL_HTTP_VERSION_2
>
> Bugfixes:
>
>    • CVE-2015-3236: lingering HTTP credentials in connection re-use
>    • CVE-2015-3237: SMB send off unrelated memory contents
>    • nss: fix compilation failure with old versions of NSS
>    • curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
>    • schannel.c: Fix possible SEC_E_BUFFER_TOO_SMALL error
>    • Curl_ossl_init: load builtin modules
>    • configure: follow-up fix for krb5-config
>    • sasl_sspi: Populate domain from the realm in the challenge
>    • netrc: support 'default' token
>    • README: convert to UTF-8
>    • cyassl: Implement public key pinning
>    • nss: implement public key pinning for NSS backend
>    • mingw build: add arch -m32/-m64 to LDFLAGS
>    • schannel: Fix out of bounds array
>    • configure: remove autogenerated files by autoconf
>    • configure: remove --automake from libtoolize call
>    • acinclude.m4: fix shell test for default CA cert bundle/path
>    • schannel: fix regression in schannel_recv
>    • openssl: skip trace outputs for ssl_ver == 0
>    • gnutls: properly retrieve certificate status
>    • netrc: Read in text mode when cygwin
>    • winbuild: Document the option used to statically link the CRT
>    • FTP: Make EPSV use the control IP address rather than the original
>      host
>    • FTP: fix dangling conn->ip_addr dereference on verbose EPSV
>    • conncache: keep bundles on host+port bases, not only host names
>    • runtests.pl: use 'h2c' now, no -14 anymore
>    • curlver: introducing new version number (checking) macros
>    • openssl: boringssl build breakage, use SSL_CTX_set_msg_callback
>    • CURLOPT_POSTFIELDS.3: correct variable names
>    • curl_easy_unescape.3: update RFC reference
>    • gnutls: don't fail on non-fatal alerts during handshake
>    • testcurl.pl: allow source to be in an arbitrary directory
>    • CURLOPT_HTTPPROXYTUNNEL.3: only works with a HTTP proxy
>    • SSPI-error: Change SEC_E_ILLEGAL_MESSAGE description
>    • parse_proxy: switch off tunneling if non-HTTP proxy
>    • share_init: fix OOM crash
>    • perl: remove subdir, not touched in 9 years
>    • CURLOPT_COOKIELIST.3: Add example
>    • CURLOPT_COOKIE.3: Explain that the cookies won't be modified
>    • CURLOPT_COOKIELIST.3: Explain Set-Cookie without a domain
>    • FAQ: How do I port libcurl to my OS?
>    • openssl: Use TLS_client_method for OpenSSL 1.1.0+
>    • HTTP-NTLM: fail auth on connection close instead of looping
>    • curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT
>    • curl_getdate.3: update RFC reference
>    • curl_multi_info_read.3: added example
>    • curl_multi_perform.3: added example
>    • curl_multi_timeout.3: added example
>    • cookie: Stop exporting any-domain cookies
>    • openssl: remove dummy callback use from SSL_CTX_set_verify()
>    • openssl: remove SSL_get_session()-using code
>    • openssl: removed USERDATA_IN_PWD_CALLBACK kludge
>    • openssl: removed error string #ifdef
>    • openssl: Fix verification of server-sent legacy intermediates
>    • docs: man page indentation and syntax fixes
>    • docs: Spelling fixes
>    • fopen.c: fix a few compiler warnings
>    • CURLOPT_OPENSOCKETFUNCTION: return error at once
>    • schannel: Add support for optional client certificates
>    • build: Properly detect OpenSSL 1.0.2 when using configure
>    • urldata: store POST size in state.infilesize too
>    • security:choose_mech remove dead code
>    • rtsp_do: remove dead code
>    • docs: many HTTP URIs changed to HTTPS
>    • schannel: schannel_recv overhaul
> }}}

New description:

 [http://curl.haxx.se/download/curl-7.43.0.tar.lzma]

 [http://curl.haxx.se/download/curl-7.43.0.tar.lzma.asc]

 [http://curl.haxx.se/docs/adv_20150617A.html] (CVE-2015-3236)

 [http://curl.haxx.se/docs/adv_20150617B.html] (CVE-2015-3237)

 [http://curl.haxx.se/mail/archive-2015-06/0031.html]

 or

 [http://curl.haxx.se/changes.html#7_43_0]

 {{{
  Fixed in 7.43.0 - June 17 2015

 Changes:

    • Added CURLOPT_PROXY_SERVICE_NAME
    • Added CURLOPT_SERVICE_NAME
    • New curl option: --proxy-service-name
    • New curl option: --service-name
    • New curl option: --data-raw
    • Added CURLOPT_PIPEWAIT
    • Added support for multiplexing transfers using HTTP/2, enable this
      with the new CURLPIPE_MULTIPLEX bit for CURLMOPT_PIPELINING
    • HTTP/2: requires nghttp2 1.0.0 or later
    • scripts: add zsh.pl for generating zsh completion
    • curl.h: add CURL_HTTP_VERSION_2

 Bugfixes:

    • CVE-2015-3236: lingering HTTP credentials in connection re-use
    • CVE-2015-3237: SMB send off unrelated memory contents
    • nss: fix compilation failure with old versions of NSS
    • curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
    • schannel.c: Fix possible SEC_E_BUFFER_TOO_SMALL error
    • Curl_ossl_init: load builtin modules
    • configure: follow-up fix for krb5-config
    • sasl_sspi: Populate domain from the realm in the challenge
    • netrc: support 'default' token
    • README: convert to UTF-8
    • cyassl: Implement public key pinning
    • nss: implement public key pinning for NSS backend
    • mingw build: add arch -m32/-m64 to LDFLAGS
    • schannel: Fix out of bounds array
    • configure: remove autogenerated files by autoconf
    • configure: remove --automake from libtoolize call
    • acinclude.m4: fix shell test for default CA cert bundle/path
    • schannel: fix regression in schannel_recv
    • openssl: skip trace outputs for ssl_ver == 0
    • gnutls: properly retrieve certificate status
    • netrc: Read in text mode when cygwin
    • winbuild: Document the option used to statically link the CRT
    • FTP: Make EPSV use the control IP address rather than the original
      host
    • FTP: fix dangling conn->ip_addr dereference on verbose EPSV
    • conncache: keep bundles on host+port bases, not only host names
    • runtests.pl: use 'h2c' now, no -14 anymore
    • curlver: introducing new version number (checking) macros
    • openssl: boringssl build breakage, use SSL_CTX_set_msg_callback
    • CURLOPT_POSTFIELDS.3: correct variable names
    • curl_easy_unescape.3: update RFC reference
    • gnutls: don't fail on non-fatal alerts during handshake
    • testcurl.pl: allow source to be in an arbitrary directory
    • CURLOPT_HTTPPROXYTUNNEL.3: only works with a HTTP proxy
    • SSPI-error: Change SEC_E_ILLEGAL_MESSAGE description
    • parse_proxy: switch off tunneling if non-HTTP proxy
    • share_init: fix OOM crash
    • perl: remove subdir, not touched in 9 years
    • CURLOPT_COOKIELIST.3: Add example
    • CURLOPT_COOKIE.3: Explain that the cookies won't be modified
    • CURLOPT_COOKIELIST.3: Explain Set-Cookie without a domain
    • FAQ: How do I port libcurl to my OS?
    • openssl: Use TLS_client_method for OpenSSL 1.1.0+
    • HTTP-NTLM: fail auth on connection close instead of looping
    • curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT
    • curl_getdate.3: update RFC reference
    • curl_multi_info_read.3: added example
    • curl_multi_perform.3: added example
    • curl_multi_timeout.3: added example
    • cookie: Stop exporting any-domain cookies
    • openssl: remove dummy callback use from SSL_CTX_set_verify()
    • openssl: remove SSL_get_session()-using code
    • openssl: removed USERDATA_IN_PWD_CALLBACK kludge
    • openssl: removed error string #ifdef
    • openssl: Fix verification of server-sent legacy intermediates
    • docs: man page indentation and syntax fixes
    • docs: Spelling fixes
    • fopen.c: fix a few compiler warnings
    • CURLOPT_OPENSOCKETFUNCTION: return error at once
    • schannel: Add support for optional client certificates
    • build: Properly detect OpenSSL 1.0.2 when using configure
    • urldata: store POST size in state.infilesize too
    • security:choose_mech remove dead code
    • rtsp_do: remove dead code
    • docs: many HTTP URIs changed to HTTPS
    • schannel: schannel_recv overhaul
 }}}

--

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/6618#comment:2>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
