Hello community,

here is the log from the commit of package curl for openSUSE:Factory checked in at 2018-03-19 23:31:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/curl (Old)
 and      /work/SRC/openSUSE:Factory/.curl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "curl" Mon Mar 19 23:31:34 2018 rev:133 rq:587006 version:7.59.0 Changes: -------- --- /work/SRC/openSUSE:Factory/curl/curl-mini.changes 2018-02-25 12:19:01.826789479 +0100 +++ /work/SRC/openSUSE:Factory/.curl.new/curl-mini.changes 2018-03-19 23:31:36.180018084 +0100 
@@ -1,0 +2,94 @@ +Wed Mar 14 14:23:22 UTC 2018 - pmonrealgonza...@suse.com + +- Added message about protocol redirection not supported or + disabled to the function findprotocol() [bsc#1076446] + * Added curl-disabled-redirect-protocol-message.patch + +------------------------------------------------------------------- +Wed Mar 14 13:08:33 UTC 2018 - pmonrealgonza...@suse.com + +- Update to version 7.59.0 + [bsc#1084521, CVE-2018-1000120][bsc#1084524, CVE-2018-1000121] + [bsc#1084532, CVE-2018-1000122] + Changes: + * curl: add --proxy-pinnedpubkey + * added: CURLOPT_TIMEVALUE_LARGE and CURLINFO_FILETIME_T + * CURLOPT_RESOLVE: Add support for multiple IP addresses per entry + * Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS + * Add new tool option --happy-eyeballs-timeout-ms + * Add CURLOPT_RESOLVER_START_FUNCTION and CURLOPT_RESOLVER_START_DATA + Bugfixes: + * openldap: check ldap_get_attribute_ber() results for NULL before using + * FTP: reject path components with control codes + * readwrite: make sure excess reads don't go beyond buffer end + * lib555: drop text conversion and encode data as ascii codes + * lib517: make variable static to avoid compiler warning + * lib544: sync ascii code data with textual data + * GSKit: restore pinnedpubkey functionality + * darwinssl: Don't import client certificates into Keychain on macOS + * parsedate: fix date parsing for systems with 32 bit long + * openssl: fix pinned public key build error in FIPS mode + * SChannel/WinSSL: Implement public key pinning + * cookies: remove verbose "cookie size:" output + * progress-bar: don't use stderr explicitly, use bar->out + * build: open VC15 projects with VS 2017 + * curl_ctype: private is*() type macros and functions + * configure: set PATH_SEPARATOR to colon for PATH w/o separator + * curl_easy_reset: clear digest auth state + * curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6 + * range: commonize FTP and FILE range handling + * progress-bar docs: update to match 
implementation + * fnmatch: do not match the empty string with a character set + * fnmatch: accept an alphanum to be followed by a non-alphanum in char set + * build: fix termios issue on android cross-compile + * getdate: return -1 for out of range + * formdata: use the mime-content type function + * openssl: Don't add verify locations when verifypeer==0 + * fnmatch: optimize processing of consecutive *s and ?s pattern characters + * schannel: fix compiler warnings + * content_encoding: Add "none" alias to "identity" + * get_posix_time: only check for overflows if they can happen + * http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING + * README: language fix + * sha256: build with OpenSSL < 0.9.8 + * smtp: fix processing of initial dot in data + * --tlsauthtype: works only if libcurl is built with TLS-SRP support + * tests: new tests for http raw mode + * libcurl-security.3: man page discussion security concerns when using libcurl + * curl_gssapi: make sure this file too uses our *printf() + * BINDINGS: fix curb link (and remove ruby-curl-multi) + * nss: use PK11_CreateManagedGenericObject() if available + * travis: add build with iconv enabled + * ssh: add two missing state names + * CURLOPT_HEADERFUNCTION.3: mention folded headers + * http: fix the max header length detection logic + * header callback: don't chop headers into smaller pieces + * CURLOPT_HEADER.3: clarify problems with different data sizes + * curl --version: show PSL if the run-time lib has it enabled + * examples/sftpuploadresume: resume upload via CURLOPT_APPEND + * Return error if called recursively from within callbacks + * sasl: prefer PLAIN mechanism over LOGIN + * winbuild: Use CALL to run batch scripts + * curl_share_setopt.3: connection cache is shared within multi handles + * projects/README: remove reference to dead IDN link/package + * lib655: silence compiler warning + * configure: Fix version check for OpenSSL 1.1.1 + * docs/MANUAL: formfind.pl is not 
accessible on the site anymore + * unit1307: proper cleanup on OOM to fix torture tests + * curl_ctype: fix macro redefinition warnings + * build: get CFLAGS (including -werror) used for examples and tests + * NO_PROXY: fix for IPv6 numericals in the URL + * krb5: use nondeprecated functions + * http2: mark the connection for close on GOAWAY + * limit-rate: kick in even before "limit" data has been received + * HTTP: allow "header;" to replace an internal header with a blank one + * http2: verbose output new MAX_CONCURRENT_STREAMS values + * SECURITY: distros' max embargo time is 14 days + * curl tool: accept --compressed also if Brotli is enabled and zlib is not + * WolfSSL: adding TLSv1.3 + * checksrc.pl: add -i and -m options + * CURLOPT_COOKIEFILE.3: "-" as file name means stdin + +- Refreshed patch libcurl-ocloexec.patch + +------------------------------------------------------------------- curl.changes: same change Old: ---- curl-7.58.0.tar.gz curl-7.58.0.tar.gz.asc New: ---- curl-7.59.0.tar.gz curl-7.59.0.tar.gz.asc curl-disabled-redirect-protocol-message.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ curl-mini.spec ++++++ --- /var/tmp/diff_new_pack.0rZx90/_old 2018-03-19 23:31:37.831958490 +0100 +++ /var/tmp/diff_new_pack.0rZx90/_new 2018-03-19 23:31:37.835958347 +0100 @@ -29,7 +29,7 @@ # need ssl always for python-pycurl %bcond_without openssl Name: curl-mini -Version: 7.58.0 +Version: 7.59.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl @@ -43,6 +43,8 @@ Patch1: dont-mess-with-rpmoptflags.diff Patch2: curl-secure-getenv.patch Patch3: ignore_runtests_failure.patch +# PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled +Patch4: curl-disabled-redirect-protocol-message.patch BuildRequires: libtool BuildRequires: pkgconfig Requires: libcurl4%{?mini} = %{version} 
@@ -121,6 +123,7 @@ %ifarch ppc ppc64 ppc64le %patch3 -p1 %endif +%patch4 -p1 %build # curl complains if macro definition is contained in CFLAGS ++++++ curl.spec ++++++ --- /var/tmp/diff_new_pack.0rZx90/_old 2018-03-19 23:31:37.871957048 +0100 +++ /var/tmp/diff_new_pack.0rZx90/_new 2018-03-19 23:31:37.875956903 +0100 @@ -27,7 +27,7 @@ # need ssl always for python-pycurl %bcond_without openssl Name: curl -Version: 7.58.0 +Version: 7.59.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl @@ -41,6 +41,8 @@ Patch1: dont-mess-with-rpmoptflags.diff Patch2: curl-secure-getenv.patch Patch3: ignore_runtests_failure.patch +# PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled +Patch4: curl-disabled-redirect-protocol-message.patch BuildRequires: libtool BuildRequires: pkgconfig Requires: libcurl4%{?mini} = %{version} @@ -119,6 +121,7 @@ %ifarch ppc ppc64 ppc64le %patch3 -p1 %endif +%patch4 -p1 %build # curl complains if macro definition is contained in CFLAGS ++++++ curl-7.58.0.tar.gz -> curl-7.59.0.tar.gz ++++++ ++++ 43989 lines of diff (skipped) ++++++ curl-disabled-redirect-protocol-message.patch ++++++ --- a/lib/url.c +++ a/lib/url.c @@ -1955,9 +1955,13 @@ static CURLcode findprotocol(struct Curl_easy *data, /* it is allowed for "normal" request, now do an extra check if this is the result of a redirect */ if(data->state.this_is_a_follow && - !(data->set.redir_protocols & p->protocol)) + !(data->set.redir_protocols & p->protocol)) { /* nope, get out */ - break; + failf(data, "Redirect to protocol \"%s\" not supported or disabled in " LIBCURL_NAME, + protostr); + + return CURLE_UNSUPPORTED_PROTOCOL; + } /* Perform setup complement if some. */ conn->handler = conn->given = p; ++++++ libcurl-ocloexec.patch ++++++ --- /var/tmp/diff_new_pack.0rZx90/_old 2018-03-19 23:31:39.463899618 +0100 +++ /var/tmp/diff_new_pack.0rZx90/_new 2018-03-19 23:31:39.467899475 +0100 
@@ -11,7 +11,7 @@ =================================================================== --- lib/file.c.orig +++ lib/file.c -@@ -248,7 +248,7 @@ static CURLcode file_connect(struct conn +@@ -190,7 +190,7 @@ static CURLcode file_connect(struct conn return CURLE_URL_MALFORMAT; } @@ -20,7 +20,7 @@ file->path = real_path; #endif file->freepath = real_path; /* free this when done */ -@@ -343,7 +343,7 @@ static CURLcode file_upload(struct conne +@@ -285,7 +285,7 @@ static CURLcode file_upload(struct conne else mode = MODE_DEFAULT|O_TRUNC; @@ -33,7 +33,7 @@ =================================================================== --- lib/hostip6.c.orig +++ lib/hostip6.c -@@ -39,7 +39,7 @@ +@@ -44,7 +44,7 @@ #ifdef HAVE_PROCESS_H #include <process.h> #endif @@ -68,8 +68,8 @@ =================================================================== --- lib/connect.c.orig +++ lib/connect.c -@@ -1355,7 +1355,7 @@ CURLcode Curl_socket(struct connectdata - (struct curl_sockaddr *)addr); +@@ -1389,7 +1389,7 @@ CURLcode Curl_socket(struct connectdata + } else /* opensocket callback not set, so simply create the socket now */ - *sockfd = socket(addr->family, addr->socktype, addr->protocol); @@ -81,7 +81,7 @@ =================================================================== --- configure.ac.orig +++ configure.ac -@@ -182,6 +182,7 @@ AC_CANONICAL_HOST +@@ -188,6 +188,7 @@ AC_CANONICAL_HOST dnl Get system canonical name AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-machine-OS])
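
Review bot: In the curl-mini.changes hunk, the 7.59.0 entry cites CVE-2018-1000120, CVE-2018-1000121 and CVE-2018-1000122 in its header, but none of the Bugfixes bullets says which CVE it addresses. Tagging the relevant bullets with their CVE id (or listing the three fixes first, ahead of the general bugfixes) would let someone auditing the package find the security-relevant changes among the roughly seventy bullets without consulting the bug tracker.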
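
Review bot: In the curl.spec and curl-mini.spec hunks, Patch4 is tagged PATCH-FIX-OPENSUSE with only bsc#1076446 as reference, yet it changes a user-visible error string and the return path in lib/url.c rather than anything distribution-specific. The comment should say whether the change was submitted upstream, since a distribution-only patch to findprotocol() has to be re-checked by hand on every version bump, the way libcurl-ocloexec.patch needed refreshing in this same commit.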
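
Review bot: In the findprotocol() hunk of curl-disabled-redirect-protocol-message.patch, the added failf() call formats protostr with %s on the redirect path (this_is_a_follow), so the scheme text placed in the error message comes from the redirect target rather than from the caller; applications that copy the error buffer into logs or user-facing output should treat it as remote-supplied text. Two style points on the same lines: the line starting with failf(data, "Redirect to protocol ... runs far past 80 columns and should be wrapped after the first argument, and the empty added line before return CURLE_UNSUPPORTED_PROTOCOL; can be dropped. The file headers also read --- a/lib/url.c and +++ a/lib/url.c; this applies with -p1 as the spec does, but a/ and b/ would match the usual convention.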