Hello community,

here is the log from the commit of package curl for openSUSE:Factory checked in 
at 2023-02-28 12:47:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/curl (Old)
 and      /work/SRC/openSUSE:Factory/.curl.new.31432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "curl"

Tue Feb 28 12:47:41 2023 rev:182 rq:1066797 version:7.88.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/curl/curl.changes        2022-12-23 
10:20:43.831215941 +0100
+++ /work/SRC/openSUSE:Factory/.curl.new.31432/curl.changes     2023-02-28 
12:47:42.780118268 +0100
@@ -1,0 +2,83 @@
+Mon Feb 20 10:35:11 UTC 2023 - Guillaume GARDET <guillaume.gar...@opensuse.org>
+
+- Update to 7.88.1:
+  * Bugfix release
+- Drop upstreamed patch:
+  * curl-fix-uninitialized-value-in-tests.patch
+
+-------------------------------------------------------------------
+Wed Feb 15 08:39:24 UTC 2023 - Pedro Monreal <pmonr...@suse.com>
+
+- Update to 7.88.0: [bsc#1207990, CVE-2023-23914]
+  [bsc#1207991, CVE-2023-23915] [bsc#1207992, CVE-2023-23916]
+  * Security fixes:
+    - CVE-2023-23914: HSTS ignored on multiple requests
+    - CVE-2023-23915: HSTS amnesia with --parallel
+    - CVE-2023-23916: HTTP multi-header compression denial of service
+  * Changes:
+    - curl.h: add CURL_HTTP_VERSION_3ONLY
+    - share: add sharing of HSTS cache among handles
+    - src: add --http3-only
+    - tool_operate: share HSTS between handles
+    - urlapi: add CURLU_PUNYCODE
+    - writeout: add %{certs} and %{num_certs}
+  * Bugfixes:
+    - cf-socket: keep sockaddr local in the socket filters
+    - cfilters:Curl_conn_get_select_socks: use the first non-connected filter
+    - curl.h: allow up to 10M buffer size
+    - curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
+    - curl/websockets.h: extend the websocket frame struct
+    - curl: output warning at --verbose output for debug-enabled version
+    - curl_free.3: fix return type of `curl_free`
+    - curl_log: for failf/infof and debug logging implementations
+    - dict: URL decode the entire path always
+    - docs/DEPRECATE.md: deprecate gskit
+    - easyoptions: fix header printing in generation script
+    - haxproxy: send before TLS handhshake
+    - hsts.d: explain hsts more
+    - hsts: handle adding the same host name again
+    - HTTP/[23]: continue upload when state.drain is set
+    - http: decode transfer encoding first
+    - http_aws_sigv4: remove typecasts from HMAC_SHA256 macro
+    - http_proxy: do not assign data->req.p.http use local copy
+    - lib: connect/h2/h3 refactor
+    - libssh2: try sha2 algos for hostkey methods
+    - md4: fix build with GnuTLS + OpenSSL v1
+    - ngtcp2: replace removed define and stop using removed function
+    - noproxy: support for space-separated names is deprecated
+    - nss: implement data_pending method
+    - openldap: fix missing sasl symbols at build in specific configs
+    - openssl: adapt to boringssl's error code type
+    - openssl: don't ignore CA paths when using Windows CA store (redux)
+    - openssl: don't log raw record headers
+    - openssl: make the BIO_METHOD a local variable in the connection filter
+    - openssl: only use CA_BLOB if verifying peer
+    - openssl: remove attached easy handles from SSL instances
+    - openssl: store the CA after first send (ClientHello)
+    - setopt: use >, not >=, when checking if uarg is larger than uint-max
+    - smb: return error on upload without size
+    - socketpair: allow localhost MITM sniffers
+    - strdup: name it Curl_strdup
+    - tool_getparam: fix hiding of command line secrets
+    - tool_operate: fix error codes on bad URL & OOM
+    - tool_operate: repair --rate
+    - transfer: break the read loop when RECV is cleared
+    - typecheck: accept expressions for option/info parameters
+    - urlapi: avoid Curl_dyn_addf() for hex outputs
+    - urlapi: skip path checks if path is just "/"
+    - urlapi: skip the extra dedotdot alloc if no dot in path
+    - urldata: cease storing TLS auth type
+    - urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP
+    - urldata: make set.http200aliases conditional on HTTP being present
+    - urldata: move the cookefilelist to the 'set' struct
+    - urldata: remove unused struct fields, made more conditional
+    - vquic: stabilization and improvements
+    - vtls: fix hostname handling in filters
+    - vtls: manage current easy handle in nested cfilter calls
+    - vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used
+  * Rebase libcurl-ocloexec.patch
+  * Fix regression tests: f1d09231adfc695d15995b9ef2c8c6e568c28091
+    - runtests: fix "uninitialized value $port"
+    - Add curl-fix-uninitialized-value-in-tests.patch
+
+-------------------------------------------------------------------
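Review bot: the 7.88.1 entry at the top of this hunk records only "Bugfix release", so the changelog does not say which fixes separate 7.88.1 from 7.88.0; list them the way the 7.88.0 entry does. In the 7.88.0 entry, "Fix regression tests: f1d09231adfc695d15995b9ef2c8c6e568c28091" cites a bare commit hash with no repository or URL, and curl-fix-uninitialized-value-in-tests.patch is added there and dropped again in the 7.88.1 entry, so it would help to state where that commit lives and that the patch carries it.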

Old:
----
  curl-7.87.0.tar.xz
  curl-7.87.0.tar.xz.asc

New:
----
  curl-7.88.1.tar.xz
  curl-7.88.1.tar.xz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ curl.spec ++++++
--- /var/tmp/diff_new_pack.iCPPdC/_old  2023-02-28 12:47:43.792124841 +0100
+++ /var/tmp/diff_new_pack.iCPPdC/_new  2023-02-28 12:47:43.796124868 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package curl
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,7 +21,7 @@
 # need ssl always for python-pycurl
 %bcond_without openssl
 Name:           curl
-Version:        7.87.0
+Version:        7.88.1
 Release:        0
 Summary:        A Tool for Transferring Data from URLs
 License:        curl

++++++ curl-7.87.0.tar.xz -> curl-7.88.1.tar.xz ++++++
++++ 92894 lines of diff (skipped)


++++++ libcurl-ocloexec.patch ++++++
--- /var/tmp/diff_new_pack.iCPPdC/_old  2023-02-28 12:47:45.240134249 +0100
+++ /var/tmp/diff_new_pack.iCPPdC/_new  2023-02-28 12:47:45.240134249 +0100
@@ -7,10 +7,10 @@
 compile time is not enough.
 
 
-Index: curl-7.87.0/lib/file.c
+Index: curl-7.88.0/lib/file.c
 ===================================================================
---- curl-7.87.0.orig/lib/file.c
-+++ curl-7.87.0/lib/file.c
+--- curl-7.88.0.orig/lib/file.c
++++ curl-7.88.0/lib/file.c
 @@ -232,7 +232,7 @@ static CURLcode file_connect(struct Curl
      }
    }
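Review bot: the rebased paths in this hunk read curl-7.88.0 ("Index: curl-7.88.0/lib/file.c") while curl.spec now sets Version: 7.88.1 and the package ships curl-7.88.1.tar.xz; refresh the patch against the 7.88.1 tree so its Index and ---/+++ headers match the packaged version.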
@@ -29,10 +29,10 @@
    if(fd < 0) {
      failf(data, "Can't open %s for writing", file->path);
      return CURLE_WRITE_ERROR;
-Index: curl-7.87.0/lib/if2ip.c
+Index: curl-7.88.0/lib/if2ip.c
 ===================================================================
---- curl-7.87.0.orig/lib/if2ip.c
-+++ curl-7.87.0/lib/if2ip.c
+--- curl-7.88.0.orig/lib/if2ip.c
++++ curl-7.88.0/lib/if2ip.c
 @@ -206,7 +206,7 @@ if2ip_result_t Curl_if2ip(int af,
    if(len >= sizeof(req.ifr_name))
      return IF2IP_NOT_FOUND;
@@ -42,26 +42,11 @@
    if(CURL_SOCKET_BAD == dummy)
      return IF2IP_NOT_FOUND;
  
-Index: curl-7.87.0/lib/connect.c
+Index: curl-7.88.0/configure.ac
 ===================================================================
---- curl-7.87.0.orig/lib/connect.c
-+++ curl-7.87.0/lib/connect.c
-@@ -1559,7 +1559,9 @@ CURLcode Curl_socket(struct Curl_easy *d
-   }
-   else
-     /* opensocket callback not set, so simply create the socket now */
--    *sockfd = socket(addr->family, addr->socktype, addr->protocol);
-+    *sockfd = socket(addr->family,
-+                     addr->socktype|SOCK_CLOEXEC,
-+                     addr->protocol);
- 
-   if(*sockfd == CURL_SOCKET_BAD)
-     /* no socket, no connection */
-Index: curl-7.87.0/configure.ac
-===================================================================
---- curl-7.87.0.orig/configure.ac
-+++ curl-7.87.0/configure.ac
-@@ -347,6 +347,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m
+--- curl-7.88.0.orig/configure.ac
++++ curl-7.88.0/configure.ac
+@@ -420,6 +420,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m
  # Silence warning: ar: 'u' modifier ignored since 'D' is the default
  AC_SUBST(AR_FLAGS, [cr])
  
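Review bot: the lib/connect.c section that added SOCK_CLOEXEC to the socket() call in Curl_socket is dropped in this hunk, and curl.changes records the change only as "Rebase libcurl-ocloexec.patch". Note in the changelog or the patch header that the socket() change moved to socket_open in lib/cf-socket.c, so a later rebase does not lose the close-on-exec behaviour without anyone noticing.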
@@ -70,10 +55,10 @@
  dnl This defines _ALL_SOURCE for AIX
  CURL_CHECK_AIX_ALL_SOURCE
  
-Index: curl-7.87.0/lib/hostip.c
+Index: curl-7.88.0/lib/hostip.c
 ===================================================================
---- curl-7.87.0.orig/lib/hostip.c
-+++ curl-7.87.0/lib/hostip.c
+--- curl-7.88.0.orig/lib/hostip.c
++++ curl-7.88.0/lib/hostip.c
 @@ -48,6 +48,7 @@
  #include <signal.h>
  #endif
@@ -91,4 +76,19 @@
      if(s == CURL_SOCKET_BAD)
        /* an IPv6 address was requested but we can't get/use one */
        ipv6_works = 0;
+Index: curl-7.88.0/lib/cf-socket.c
+===================================================================
+--- curl-7.88.0.orig/lib/cf-socket.c
++++ curl-7.88.0/lib/cf-socket.c
+@@ -252,7 +252,9 @@ static CURLcode socket_open(struct Curl_
+   }
+   else {
+     /* opensocket callback not set, so simply create the socket now */
+-    *sockfd = socket(addr->family, addr->socktype, addr->protocol);
++    *sockfd = socket(addr->family,
++                     addr->socktype|SOCK_CLOEXEC,
++                     addr->protocol);
+     if(!*sockfd && addr->socktype == SOCK_DGRAM) {
+       /* This is icky and seems, at least, to happen on macOS:
+        * we get sockfd == 0 and if called again, we get a valid one > 0.
 
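Review bot: only the first socket() call in socket_open gets SOCK_CLOEXEC here, yet the context that follows ("if(!*sockfd && addr->socktype == SOCK_DGRAM)") describes a case where socket() is called again. That second call is outside the visible lines, so confirm it also passes addr->socktype|SOCK_CLOEXEC; otherwise the retried descriptor is inherited across exec. The flag is also used without any guard, so a short comment stating that the patch assumes a platform that defines SOCK_CLOEXEC would document the intent.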
