Hello community,

here is the log from the commit of package curl for openSUSE:Factory checked in at 2017-10-20 16:11:07
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/curl (Old)
 and      /work/SRC/openSUSE:Factory/.curl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "curl" Fri Oct 20 16:11:07 2017 rev:127 rq:532979 version:7.56.0 Changes: -------- --- /work/SRC/openSUSE:Factory/curl/curl-mini.changes 2017-09-04 12:20:35.700186389 +0200 +++ /work/SRC/openSUSE:Factory/.curl.new/curl-mini.changes 2017-10-20 16:11:09.220947285 +0200 
@@ -1,0 +2,98 @@ +Thu Oct 5 16:15:04 UTC 2017 - [email protected] + +- Update to 7.56.0 [bsc#1061876, CVE-2017-1000254] + Changes: + * curl: enable compression for SCP/SFTP with --compressed-ssh + * libcurl: enable compression for SCP/SFTP with CURLOPT_SSH_COMPRESSION + * vtls: added dynamic changing SSL backend with curl_global_sslset() + * new MIME API, curl_mime_init() and friends + * openssl: initial SSLKEYLOGFILE implementation + Security fixes: + * CVE-2017-1000254 FTP PWD response parser out of bounds read + Bugfixes: + * FTP: zero terminate the entry path even on bad input + * examples/ftpuploadresume.c: use portable code + * runtests: match keywords case insensitively + * strtoofft: reduce integer overflow risks globally + * zsh.pl: produce a working completion script again + * cmake: remove dead code for CURL_DISABLE_RTMP + * progress: Track total times following redirects + * configure: fix --disable-threaded-resolver + * configure: fix clang version detection + * darwinssi: fix error: variable length array used + * configure: check for __builtin_available() availability + * http_proxy: fix build error for CURL_DOES_CONVERSIONS + * examples/ftpuploadresume: checksrc compliance + * ftp: fix CWD when doing multicwd then nocwd on same connection + * system.h: remove all CURL_SIZEOF_* defines + * http: Don't wait on CONNECT when there is no proxy + * system.h: check for __ppc__ as well + * http2_recv: return error better on fatal h2 errors + * tftp: fix memory leak on too long filename + * system.h: fix build for hppa + * cmake: enable picky compiler options with clang and gcc + * makefile.m32: add support for libidn2 + * curl: shorten and clean up CA cert verification error message + * imap: support PREAUTH + * CURLOPT_USERPWD.3: see also CURLOPT_PROXYUSERPWD + * examples/threaded-ssl: mention that this is for openssl before 1.1 + * tests: Make sure libtests & unittests call curl_global_cleanup() + * system.h: include sys/poll.h for AIX + * darwinssl: 
handle long strings in TLS certs + * strtooff: fix build for systems with long long but no strtoll + * asyn-thread: Improved cleanup after OOM situations + * curl.h: CURLSSLBACKEND_WOLFSSL used wrong value + * unit1301: fix error message on first test + * ossfuzz: moving towards the ideal integration + * http: fix a memory leakage in checkrtspprefix() + * examples/post-callback: stop returning one byte at a time + * schannel: return CURLE_SSL_CACERT on failed verification + * http-proxy: treat all 2xx as CONNECT success + * openssl: use OpenSSL's default ciphers by default + * runtests.pl: support attribute "nonewline" in part verify/upload + * configure: remove --enable-soname-bump and SONAME_BUMP + * vtls: fix WolfSSL 3.12 build problems + * http-proxy: when not doing CONNECT, that phase is done immediately + * configure: fix curl_off_t check's include order + * configure: use -Wno-varargs on clang 3.9[.X] debug builds + * rtsp: do not call fwrite() with NULL pointer FILE * + * mbedtls: enable CA path processing + * checksrc: verify more code style rules + * HTTP proxy: on connection re-use, still use the new remote port + * tests: add initial gssapi test using stub implementation + * rtsp: Segfault when using WRITEDATA + * docs: clarify the CURLOPT_INTERLEAVE* options behavior + * non-ascii: use iconv() with 'char **' argument + * server/getpart: provide dummy function to build conversion enabled + * conversions: fix several compiler warnings + * openssl: add missing includes + * schannel: Support partial send for when data is too large + * socks: fix incorrect port number in SOCKS4 error message + * curl: fix integer overflow in timeout options + * cookies: reject oversized cookies instead of truncating + * cookies: use lock when using CURLINFO_COOKIELIST + * curl: check fseek() return code and bail on error + * examples/post-callback: use long for CURLOPT_POSTFIELDSIZE + * openssl: only verify RSA private key if supported + * tests: make the imap server not 
verify user+password + * imap: quote atoms properly when escaping characters + * tests: fix a compiler warning in test 643 + * file_range: avoid integer overflow when figuring out byte range + * reuse_conn: don't copy flags that are known to be equal + * http: fix adding custom empty headers to repeated requests + * docs: link CURLOPT_CONNECTTIMEOUT and CURLOPT_CONNECTTIMEOUT_MS + * connect: fix race condition with happy eyeballs timeout + * cookie: fix memory leak if path was set twice in header + * vtls: compare and clone ssl configs properly + * proxy: read the "no_proxy" variable only if necessary + +- Refreshed patches: + * libcurl-ocloexec.patch + +- Removed patches fixed upstream: + * curl-man3.patch + * ppc-build.patch + * curl-http-Don-t-wait-on-CONNECT-when-there-is-no-proxy.patch + * curl-disable-test1427-i586.patch + +------------------------------------------------------------------- curl.changes: same change Old: ---- curl-7.55.0.tar.gz curl-7.55.0.tar.gz.asc curl-disable-test1427-i586.patch curl-http-Don-t-wait-on-CONNECT-when-there-is-no-proxy.patch curl-man3.patch ppc-build.patch New: ---- curl-7.56.0.tar.gz curl-7.56.0.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ curl-mini.spec ++++++ --- /var/tmp/diff_new_pack.gqzVw6/_old 2017-10-20 16:11:10.280897770 +0200 +++ /var/tmp/diff_new_pack.gqzVw6/_new 2017-10-20 16:11:10.284897584 +0200 @@ -32,7 +32,7 @@ %endif Name: curl-mini -Version: 7.55.0 +Version: 7.56.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl 
@@ -45,14 +45,6 @@ Patch0: libcurl-ocloexec.patch Patch1: dont-mess-with-rpmoptflags.diff Patch2: curl-secure-getenv.patch -# PATCH-FIX-OPENSUSE curl-disable-test1427-i586.patch - Disabled test1425 that fails in i586 architecture -Patch3: curl-disable-test1427-i586.patch -# PATCH-FIX-UPSTREAM curl-man3.patch - Fix to build libcurl man3 pages -Patch4: curl-man3.patch -# PATCH-FIX-UPSTREAM ppc-build.patch - Fix build for powerpc -Patch5: ppc-build.patch -# PATCH-FIX-UPSTREAM curl-http-Don-t-wait-on-CONNECT-when-there-is-no-proxy.patch -- Fix NetworkManagers connectivity test -Patch6: curl-http-Don-t-wait-on-CONNECT-when-there-is-no-proxy.patch BuildRequires: libtool BuildRequires: pkgconfig %if !0%{?bootstrap} @@ -133,10 +125,6 @@ %patch0 %patch1 %patch2 -%patch3 -p1 -R -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 %build # curl complains if macro definition is contained in CFLAGS ++++++ curl.spec ++++++ --- /var/tmp/diff_new_pack.gqzVw6/_old 2017-10-20 16:11:10.304896649 +0200 +++ /var/tmp/diff_new_pack.gqzVw6/_new 2017-10-20 16:11:10.308896462 +0200 @@ -30,7 +30,7 @@ %endif Name: curl -Version: 7.55.0 +Version: 7.56.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl @@ -43,14 +43,6 @@ Patch0: libcurl-ocloexec.patch Patch1: dont-mess-with-rpmoptflags.diff Patch2: curl-secure-getenv.patch -# PATCH-FIX-OPENSUSE curl-disable-test1427-i586.patch - Disabled test1425 that fails in i586 architecture -Patch3: curl-disable-test1427-i586.patch -# PATCH-FIX-UPSTREAM curl-man3.patch - Fix to build libcurl man3 pages -Patch4: curl-man3.patch -# PATCH-FIX-UPSTREAM ppc-build.patch - Fix build for powerpc -Patch5: ppc-build.patch -# PATCH-FIX-UPSTREAM curl-http-Don-t-wait-on-CONNECT-when-there-is-no-proxy.patch -- Fix NetworkManagers connectivity test -Patch6: curl-http-Don-t-wait-on-CONNECT-when-there-is-no-proxy.patch BuildRequires: libtool BuildRequires: pkgconfig %if !0%{?bootstrap} 
@@ -131,10 +123,6 @@ %patch0 %patch1 %patch2 -%patch3 -p1 -R -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 %build # curl complains if macro definition is contained in CFLAGS ++++++ curl-7.55.0.tar.gz -> curl-7.56.0.tar.gz ++++++ ++++ 85270 lines of diff (skipped) ++++++ libcurl-ocloexec.patch ++++++ --- /var/tmp/diff_new_pack.gqzVw6/_old 2017-10-20 16:11:11.392845827 +0200 +++ /var/tmp/diff_new_pack.gqzVw6/_new 2017-10-20 16:11:11.392845827 +0200 @@ -11,7 +11,7 @@ =================================================================== --- lib/file.c.orig +++ lib/file.c -@@ -242,7 +242,7 @@ static CURLcode file_connect(struct conn +@@ -248,7 +248,7 @@ static CURLcode file_connect(struct conn return CURLE_URL_MALFORMAT; } @@ -20,7 +20,7 @@ file->path = real_path; #endif file->freepath = real_path; /* free this when done */ -@@ -338,7 +338,7 @@ static CURLcode file_upload(struct conne +@@ -343,7 +343,7 @@ static CURLcode file_upload(struct conne else mode = MODE_DEFAULT|O_TRUNC; 
@@ -29,28 +29,6 @@ if(fd < 0) { failf(data, "Can't open %s for writing", file->path); return CURLE_WRITE_ERROR; -Index: lib/formdata.c -=================================================================== ---- lib/formdata.c.orig -+++ lib/formdata.c -@@ -1306,7 +1306,7 @@ CURLcode Curl_getformdata(struct Curl_ea - FILE *fileread; - - fileread = !strcmp("-", file->contents)? -- stdin:fopen(file->contents, "rb"); /* binary read for win32 */ -+ stdin:fopen(file->contents, "rbe"); /* binary read for win32 */ - - /* - * VMS: This only allows for stream files on VMS. Stream files are -@@ -1466,7 +1466,7 @@ static size_t readfromfile(struct Form * - else { - if(!form->fp) { - /* this file hasn't yet been opened */ -- form->fp = fopen_read(form->data->line, "rb"); /* b is for binary */ -+ form->fp = fopen_read(form->data->line, "rbe"); /* b is for binary */ - if(!form->fp) - return (size_t)-1; /* failure */ - } Index: lib/hostip6.c =================================================================== --- lib/hostip6.c.orig @@ -77,7 +55,7 @@ =================================================================== --- lib/if2ip.c.orig +++ lib/if2ip.c -@@ -223,7 +223,7 @@ if2ip_result_t Curl_if2ip(int af, unsign +@@ -225,7 +225,7 @@ if2ip_result_t Curl_if2ip(int af, unsign if(len >= sizeof(req.ifr_name)) return IF2IP_NOT_FOUND; @@ -90,7 +68,7 @@ =================================================================== --- lib/connect.c.orig +++ lib/connect.c -@@ -1351,7 +1351,7 @@ CURLcode Curl_socket(struct connectdata +@@ -1355,7 +1355,7 @@ CURLcode Curl_socket(struct connectdata (struct curl_sockaddr *)addr); else /* opensocket callback not set, so simply create the socket now */ 
@@ -103,19 +81,11 @@ =================================================================== --- configure.ac.orig +++ configure.ac -@@ -185,6 +185,7 @@ AC_CANONICAL_HOST +@@ -182,6 +182,7 @@ AC_CANONICAL_HOST dnl Get system canonical name AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-machine-OS]) +AC_USE_SYSTEM_EXTENSIONS dnl Checks for programs. - dnl Our curl_off_t internal and external configure settings -@@ -197,6 +198,7 @@ dnl Our configure and build reentrant se - CURL_CONFIGURE_THREAD_SAFE - CURL_CONFIGURE_REENTRANT - -+ - dnl check for how to do large files - AC_SYS_LARGEFILE - + dnl This defines _ALL_SOURCE for AIX
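Review bot: In the curl-mini.changes entry, "Removed patches fixed upstream" lists curl-disable-test1427-i586.patch next to three PATCH-FIX-UPSTREAM patches, but the spec carried that one as PATCH-FIX-OPENSUSE and applied it with "%patch3 -p1 -R", so "fixed upstream" does not by itself explain why it can be dropped. Suggest a separate changelog line saying why the i586 test workaround is no longer needed. Minor: "darwinssi:" in the Bugfixes list looks like a typo for "darwinssl:", the spelling used further down the same list.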
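Review bot: The refreshed libcurl-ocloexec.patch no longer contains the two lib/formdata.c hunks that changed the fopen modes from "rb" to "rbe" (in Curl_getformdata and readfromfile), and the changelog records this only as "Refreshed patches". If those file opens moved elsewhere in 7.56.0, for example with the new MIME API listed under Changes, the new location needs the same close-on-exec mode; otherwise descriptors for form-upload files are inherited by child processes again. Please state in curl.changes whether the hunks were dropped on purpose or carried over to the new code.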
