Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package curl for openSUSE:Factory checked in at 2023-02-28 12:47:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/curl (Old) and /work/SRC/openSUSE:Factory/.curl.new.31432 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "curl" Tue Feb 28 12:47:41 2023 rev:182 rq:1066797 version:7.88.1 Changes: -------- --- /work/SRC/openSUSE:Factory/curl/curl.changes 2022-12-23 10:20:43.831215941 +0100 +++ /work/SRC/openSUSE:Factory/.curl.new.31432/curl.changes 2023-02-28 12:47:42.780118268 +0100 @@ -1,0 +2,83 @@ +Mon Feb 20 10:35:11 UTC 2023 - Guillaume GARDET <guillaume.gar...@opensuse.org> + +- Update to 7.88.1: + * Bugfix release +- Drop upstreamed patch: + * curl-fix-uninitialized-value-in-tests.patch + +------------------------------------------------------------------- +Wed Feb 15 08:39:24 UTC 2023 - Pedro Monreal <pmonr...@suse.com> + +- Update to 7.88.0: [bsc#1207990, CVE-2023-23914] + [bsc#1207991, CVE-2023-23915] [bsc#1207992, CVE-2023-23916] + * Security fixes: + - CVE-2023-23914: HSTS ignored on multiple requests + - CVE-2023-23915: HSTS amnesia with --parallel + - CVE-2023-23916: HTTP multi-header compression denial of service + * Changes: + - curl.h: add CURL_HTTP_VERSION_3ONLY + - share: add sharing of HSTS cache among handles + - src: add --http3-only + - tool_operate: share HSTS between handles + - urlapi: add CURLU_PUNYCODE + - writeout: add %{certs} and %{num_certs} + * Bugfixes: + - cf-socket: keep sockaddr local in the socket filters + - cfilters:Curl_conn_get_select_socks: use the first non-connected filter + - curl.h: allow up to 10M buffer size + - curl.h: mark CURLSSLBACKEND_MESALINK as deprecated + - curl/websockets.h: extend the websocket frame struct + - curl: output warning at --verbose output for debug-enabled version + - curl_free.3: fix return type of `curl_free` + - curl_log: for failf/infof and debug logging implementations + - dict: URL decode the entire path always + - docs/DEPRECATE.md: deprecate gskit + - easyoptions: fix header printing in generation script + - haxproxy: send before TLS handhshake + - hsts.d: explain hsts more + - hsts: handle adding the same host name again + - HTTP/[23]: continue upload when state.drain is set + - http: decode transfer encoding first + - http_aws_sigv4: remove typecasts from HMAC_SHA256 macro + - http_proxy: do not assign data->req.p.http use local copy + - lib: connect/h2/h3 refactor + - libssh2: try sha2 algos for hostkey methods + - md4: fix build with GnuTLS + OpenSSL v1 + - ngtcp2: replace removed define and stop using removed function + - noproxy: support for space-separated names is deprecated + - nss: implement data_pending method + - openldap: fix missing sasl symbols at build in specific configs + - openssl: adapt to boringssl's error code type + - openssl: don't ignore CA paths when using Windows CA store (redux) + - openssl: don't log raw record headers + - openssl: make the BIO_METHOD a local variable in the connection filter + - openssl: only use CA_BLOB if verifying peer + - openssl: remove attached easy handles from SSL instances + - openssl: store the CA after first send (ClientHello) + - setopt: use >, not >=, when checking if uarg is larger than uint-max + - smb: return error on upload without size + - socketpair: allow localhost MITM sniffers + - strdup: name it Curl_strdup + - tool_getparam: fix hiding of command line secrets + - tool_operate: fix error codes on bad URL & OOM + - tool_operate: repair --rate + - transfer: break the read loop when RECV is cleared + - typecheck: accept expressions for option/info parameters + - urlapi: avoid Curl_dyn_addf() for hex outputs + - urlapi: skip path checks if path is just "/" + - urlapi: skip the extra dedotdot alloc if no dot in path + - urldata: cease storing TLS auth type + - urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP + - urldata: make set.http200aliases conditional on HTTP being present + - urldata: move the cookefilelist to the 'set' struct + - urldata: remove unused struct fields, made more conditional + - vquic: stabilization and improvements + - vtls: fix hostname handling in filters + - vtls: manage current easy handle in nested cfilter calls + - vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used + * Rebase libcurl-ocloexec.patch + * Fix regression tests: f1d09231adfc695d15995b9ef2c8c6e568c28091 + - runtests: fix "uninitialized value $port" + - Add curl-fix-uninitialized-value-in-tests.patch + +------------------------------------------------------------------- Old: ---- curl-7.87.0.tar.xz curl-7.87.0.tar.xz.asc New: ---- curl-7.88.1.tar.xz curl-7.88.1.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ curl.spec ++++++ --- /var/tmp/diff_new_pack.iCPPdC/_old 2023-02-28 12:47:43.792124841 +0100 +++ /var/tmp/diff_new_pack.iCPPdC/_new 2023-02-28 12:47:43.796124868 +0100 @@ -1,7 +1,7 @@ # # spec file for package curl # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -21,7 +21,7 @@ # need ssl always for python-pycurl %bcond_without openssl Name: curl -Version: 7.87.0 +Version: 7.88.1 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl ++++++ curl-7.87.0.tar.xz -> curl-7.88.1.tar.xz ++++++ ++++ 92894 lines of diff (skipped) ++++++ libcurl-ocloexec.patch ++++++ --- /var/tmp/diff_new_pack.iCPPdC/_old 2023-02-28 12:47:45.240134249 +0100 +++ /var/tmp/diff_new_pack.iCPPdC/_new 2023-02-28 12:47:45.240134249 +0100 @@ -7,10 +7,10 @@ compile time is not enough. -Index: curl-7.87.0/lib/file.c +Index: curl-7.88.0/lib/file.c =================================================================== ---- curl-7.87.0.orig/lib/file.c -+++ curl-7.87.0/lib/file.c +--- curl-7.88.0.orig/lib/file.c ++++ curl-7.88.0/lib/file.c @@ -232,7 +232,7 @@ static CURLcode file_connect(struct Curl } } @@ -29,10 +29,10 @@ if(fd < 0) { failf(data, "Can't open %s for writing", file->path); return CURLE_WRITE_ERROR; -Index: curl-7.87.0/lib/if2ip.c +Index: curl-7.88.0/lib/if2ip.c =================================================================== ---- curl-7.87.0.orig/lib/if2ip.c -+++ curl-7.87.0/lib/if2ip.c +--- curl-7.88.0.orig/lib/if2ip.c ++++ curl-7.88.0/lib/if2ip.c @@ -206,7 +206,7 @@ if2ip_result_t Curl_if2ip(int af, if(len >= sizeof(req.ifr_name)) return IF2IP_NOT_FOUND; @@ -42,26 +42,11 @@ if(CURL_SOCKET_BAD == dummy) return IF2IP_NOT_FOUND; -Index: curl-7.87.0/lib/connect.c +Index: curl-7.88.0/configure.ac =================================================================== ---- curl-7.87.0.orig/lib/connect.c -+++ curl-7.87.0/lib/connect.c -@@ -1559,7 +1559,9 @@ CURLcode Curl_socket(struct Curl_easy *d - } - else - /* opensocket callback not set, so simply create the socket now */ -- *sockfd = socket(addr->family, addr->socktype, addr->protocol); -+ *sockfd = socket(addr->family, -+ addr->socktype|SOCK_CLOEXEC, -+ addr->protocol); - - if(*sockfd == CURL_SOCKET_BAD) - /* no socket, no connection */ -Index: curl-7.87.0/configure.ac -=================================================================== ---- curl-7.87.0.orig/configure.ac -+++ curl-7.87.0/configure.ac -@@ -347,6 +347,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m +--- curl-7.88.0.orig/configure.ac ++++ curl-7.88.0/configure.ac +@@ -420,6 +420,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m # Silence warning: ar: 'u' modifier ignored since 'D' is the default AC_SUBST(AR_FLAGS, [cr]) @@ -70,10 +55,10 @@ dnl This defines _ALL_SOURCE for AIX CURL_CHECK_AIX_ALL_SOURCE -Index: curl-7.87.0/lib/hostip.c +Index: curl-7.88.0/lib/hostip.c =================================================================== ---- curl-7.87.0.orig/lib/hostip.c -+++ curl-7.87.0/lib/hostip.c +--- curl-7.88.0.orig/lib/hostip.c ++++ curl-7.88.0/lib/hostip.c @@ -48,6 +48,7 @@ #include <signal.h> #endif @@ -91,4 +76,19 @@ if(s == CURL_SOCKET_BAD) /* an IPv6 address was requested but we can't get/use one */ ipv6_works = 0; +Index: curl-7.88.0/lib/cf-socket.c +=================================================================== +--- curl-7.88.0.orig/lib/cf-socket.c ++++ curl-7.88.0/lib/cf-socket.c +@@ -252,7 +252,9 @@ static CURLcode socket_open(struct Curl_ + } + else { + /* opensocket callback not set, so simply create the socket now */ +- *sockfd = socket(addr->family, addr->socktype, addr->protocol); ++ *sockfd = socket(addr->family, ++ addr->socktype|SOCK_CLOEXEC, ++ addr->protocol); + if(!*sockfd && addr->socktype == SOCK_DGRAM) { + /* This is icky and seems, at least, to happen on macOS: + * we get sockfd == 0 and if called again, we get a valid one > 0.