Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package curl for openSUSE:Factory checked in at 2023-03-24 15:15:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/curl (Old) and /work/SRC/openSUSE:Factory/.curl.new.31432 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "curl" Fri Mar 24 15:15:50 2023 rev:183 rq:1073492 version:8.0.1 Changes: --------
--- /work/SRC/openSUSE:Factory/curl/curl.changes 2023-02-28 12:47:42.780118268 +0100
+++ /work/SRC/openSUSE:Factory/.curl.new.31432/curl.changes 2023-03-24 15:15:52.877452792 +0100
@@ -1,0 +2,45 @@
+Tue Mar 21 08:44:52 UTC 2023 - Pedro Monreal <pmonr...@suse.com>
+
+- Update to 8.0.1:
+ * Bugfixes:
+ - fix crash in curl_easy_cleanup
+
+-------------------------------------------------------------------
+Mon Mar 20 07:19:32 UTC 2023 - Pedro Monreal <pmonr...@suse.com>
+
+- Update to 8.0.0:
+ * Security fixes:
+ - TELNET option IAC injection [bsc#1209209, CVE-2023-27533]
+ - SFTP path ~ resolving discrepancy [bsc#1209210, CVE-2023-27534]
+ - FTP too eager connection reuse [bsc#1209211, CVE-2023-27535]
+ - GSS delegation too eager connection re-use [bsc#1209212, CVE-2023-27536]
+ - HSTS double-free [bsc#1209213, CVE-2023-27537]
+ - SSH connection too eager reuse still [bsc#1209214, CVE-2023-27538]
+ * Changes:
+ - build: remove support for curl_off_t < 8 bytes
+ * Bugfixes:
+ - aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3
+ - BINDINGS: add Fortran binding
+ - cf-socket: use port 80 when resolving name for local bind
+ - cookie: don't load cookies again when flushing
+ - curl_path: create the new path with dynbuf
+ - CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe
+ - DYNBUF.md: note Curl_dyn_add* calls Curl_dyn_free on failure
+ - ftp: active mode with SSL, add the filter
+ - hostip: avoid sscanf and extra buffer copies
+ - http2: fix for http2-prior-knowledge when reusing connections
+ - http2: fix handling of RST and GOAWAY to recognize partial transfers
+ - http: don't send 100-continue for short PUT requests
+ - http: fix unix domain socket use in https connects
+ - libssh: use dynbuf instead of realloc
+ - ngtcp2-gnutls.yml: bump to gnutls 3.8.0
+ - sectransp: make read_cert() use a dynbuf when loading
+ - telnet: only accept option arguments in ascii
+ - telnet: parse telnet options without sscanf
+ - url: fix the SSH connection reuse check
+ - url: only reuse connections with same GSS delegation
+ - urlapi: '%' is illegal in host names
+ - ws: keep the socket non-blocking
+ * Rebase libcurl-ocloexec.patch
+
+------------------------------------------------------------------- Old: ---- curl-7.88.1.tar.xz curl-7.88.1.tar.xz.asc New: ---- curl-8.0.1.tar.xz curl-8.0.1.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ curl.spec ++++++ --- /var/tmp/diff_new_pack.bL1aKe/_old 2023-03-24 15:15:53.573456507 +0100 +++ /var/tmp/diff_new_pack.bL1aKe/_new 2023-03-24 15:15:53.573456507 +0100 @@ -21,7 +21,7 @@ # need ssl always for python-pycurl %bcond_without openssl Name: curl -Version: 7.88.1 +Version: 8.0.1 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl ++++++ curl-7.88.1.tar.xz -> curl-8.0.1.tar.xz ++++++ ++++ 67453 lines of diff (skipped) ++++++ libcurl-ocloexec.patch ++++++ --- /var/tmp/diff_new_pack.bL1aKe/_old 2023-03-24 15:15:54.913463660 +0100 +++ /var/tmp/diff_new_pack.bL1aKe/_new 2023-03-24 15:15:54.917463682 +0100 @@ -7,10 +7,10 @@ compile time is not enough. -Index: curl-7.88.0/lib/file.c +Index: curl-8.0.0/lib/file.c =================================================================== ---- curl-7.88.0.orig/lib/file.c -+++ curl-7.88.0/lib/file.c +--- curl-8.0.0.orig/lib/file.c ++++ curl-8.0.0/lib/file.c @@ -232,7 +232,7 @@ static CURLcode file_connect(struct Curl } } @@ -29,10 +29,10 @@ if(fd < 0) { failf(data, "Can't open %s for writing", file->path); return CURLE_WRITE_ERROR; -Index: curl-7.88.0/lib/if2ip.c +Index: curl-8.0.0/lib/if2ip.c =================================================================== ---- curl-7.88.0.orig/lib/if2ip.c -+++ curl-7.88.0/lib/if2ip.c +--- curl-8.0.0.orig/lib/if2ip.c ++++ curl-8.0.0/lib/if2ip.c @@ -206,7 +206,7 @@ if2ip_result_t Curl_if2ip(int af, if(len >= sizeof(req.ifr_name)) return IF2IP_NOT_FOUND; 
@@ -42,10 +42,10 @@ if(CURL_SOCKET_BAD == dummy) return IF2IP_NOT_FOUND; -Index: curl-7.88.0/configure.ac +Index: curl-8.0.0/configure.ac =================================================================== ---- curl-7.88.0.orig/configure.ac -+++ curl-7.88.0/configure.ac +--- curl-8.0.0.orig/configure.ac ++++ curl-8.0.0/configure.ac @@ -420,6 +420,8 @@ AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-m # Silence warning: ar: 'u' modifier ignored since 'D' is the default AC_SUBST(AR_FLAGS, [cr]) @@ -55,10 +55,10 @@ dnl This defines _ALL_SOURCE for AIX CURL_CHECK_AIX_ALL_SOURCE -Index: curl-7.88.0/lib/hostip.c +Index: curl-8.0.0/lib/hostip.c =================================================================== ---- curl-7.88.0.orig/lib/hostip.c -+++ curl-7.88.0/lib/hostip.c +--- curl-8.0.0.orig/lib/hostip.c ++++ curl-8.0.0/lib/hostip.c @@ -48,6 +48,7 @@ #include <signal.h> #endif @@ -67,7 +67,7 @@ #include "urldata.h" #include "sendf.h" #include "hostip.h" -@@ -576,7 +577,7 @@ bool Curl_ipv6works(struct Curl_easy *da +@@ -582,7 +583,7 @@ bool Curl_ipv6works(struct Curl_easy *da else { int ipv6_works = -1; /* probe to see if we have a working IPv6 stack */ @@ -76,19 +76,19 @@ if(s == CURL_SOCKET_BAD) /* an IPv6 address was requested but we can't get/use one */ ipv6_works = 0; -Index: curl-7.88.0/lib/cf-socket.c +Index: curl-8.0.0/lib/cf-socket.c =================================================================== ---- curl-7.88.0.orig/lib/cf-socket.c -+++ curl-7.88.0/lib/cf-socket.c +--- curl-8.0.0.orig/lib/cf-socket.c ++++ curl-8.0.0/lib/cf-socket.c 
@@ -252,7 +252,9 @@ static CURLcode socket_open(struct Curl_ } else { /* opensocket callback not set, so simply create the socket now */ - *sockfd = socket(addr->family, addr->socktype, addr->protocol); + *sockfd = socket(addr->family, -+ addr->socktype|SOCK_CLOEXEC, -+ addr->protocol); - if(!*sockfd && addr->socktype == SOCK_DGRAM) { - /* This is icky and seems, at least, to happen on macOS: - * we get sockfd == 0 and if called again, we get a valid one > 0. ++ addr->socktype|SOCK_CLOEXEC, ++ addr->protocol); + } + + if(*sockfd == CURL_SOCKET_BAD)
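Review bot: The rebased lib/cf-socket.c hunk adds `SOCK_CLOEXEC` only on the `else` branch of `socket_open` ("opensocket callback not set"), so a socket handed back by an application's opensocket callback is not covered and can still be inherited by child processes across exec unless the application marks it itself. The patch header would be more useful if it said so, for example `Sockets created through an opensocket callback are not changed by this patch; the callback has to set FD_CLOEXEC.` The flag is also OR-ed into `addr->socktype` with no fallback visible here, so on a kernel that rejects `SOCK_CLOEXEC` the call presumably fails and falls into the new `if(*sockfd == CURL_SOCKET_BAD)` check; the header fragment "compile time is not enough" appears to acknowledge that limit. `socket_open` starts and ends outside the hunk.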