Hello community, here is the log from the commit of package curl for openSUSE:Factory checked in at 2016-11-03 12:56:25 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/curl (Old) and /work/SRC/openSUSE:Factory/.curl.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "curl" Changes: --------
--- /work/SRC/openSUSE:Factory/curl/curl.changes 2016-09-17 14:32:33.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.curl.new/curl.changes 2016-11-03 12:56:26.000000000 +0100
@@ -1,0 +2,71 @@
+Wed Nov 2 07:15:44 UTC 2016 - idon...@suse.com
+
+- Update to 7.51.0
+ Changes:
+ * nss: additional cipher suites are now accepted by
+ CURLOPT_SSL_CIPHER_LIST
+ * New option: CURLOPT_KEEP_SENDING_ON_ERROR
+ Bugfixes:
+ * CVE-2016-8615: cookie injection for other servers
+ * CVE-2016-8616: case insensitive password comparison
+ * CVE-2016-8617: OOB write via unchecked multiplication
+ * CVE-2016-8618: double-free in curl_maprintf
+ * CVE-2016-8619: double-free in krb5 code
+ * CVE-2016-8620: glob parser write/read out of bounds
+ * CVE-2016-8621: curl_getdate read out of bounds
+ * CVE-2016-8622: URL unescape heap overflow via integer truncation
+ * CVE-2016-8623: Use-after-free via shared cookies
+ * CVE-2016-8624: invalid URL parsing with '#'
+ * CVE-2016-8625: IDNA 2003 makes curl use wrong host
+ * openssl: fix per-thread memory leak using 1.0.1 or 1.0.2
+ * http: accept "Transfer-Encoding: chunked" for HTTP/2 as well
+ * LICENSE-MIXING.md: update with mbedTLS dual licensing
+ * examples/imap-append: Set size of data to be uploaded
+ * test2048: fix url
+ * darwinssl: disable RC4 cipher-suite support
+ * CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting
+ * openssl: don’t call CRYTPO_cleanup_all_ex_data
+ * libressl: fix version output
+ * easy: Reset all statistical session info in curl_easy_reset
+ * curl_global_cleanup.3: don't unload the lib with sub threads running
+ * dist: add CurlSymbolHiding.cmake to the tarball
+ * docs: Remove that --proto is just used for initial retrieval
+ * configure: Fixed builds with libssh2 in a custom location
+ * curl.1: --trace supports % for sending to stderr!
+ * cookies: same domain handling changed to match browser behavior
+ * formpost: trying to attach a directory no longer crashes
+ * CURLOPT_DEBUGFUNCTION.3: fixed unused argument warning
+ * formpost: avoid silent snprintf() truncation
+ * ftp: fix Curl_ftpsendf
+ * mprintf: return error on too many arguments
+ * smb: properly check incoming packet boundaries
+ * GIT-INFO: remove the Mac 10.1-specific details
+ * resolve: add error message when resolving using SIGALRM
+ * cmake: add nghttp2 support
+ * dist: remove PDF and HTML converted docs from the releases
+ * configure: disable poll() in macOS builds
+ * vtls: only re-use session-ids using the same scheme
+ * pipelining: skip to-be-closed connections when pipelining
+ * win: fix Universal Windows Platform build
+ * curl: do not set CURLOPT_SSLENGINE to DEFAULT automatically
+ * maketgz: make it support "only" generating version info
+ * Curl_socket_check: add extra check to avoid integer overflow
+ * gopher: properly return error for poll failures
+ * curl: set INTERLEAVEDATA too
+ * polarssl: clear thread array at init
+ * polarssl: fix unaligned SSL session-id lock
+ * polarssl: reduce #ifdef madness with a macro
+ * curl_multi_add_handle: set timeouts in closure handles
+ * configure: set min version flags for builds on mac
+ * INSTALL: converted to markdown => INSTALL.md
+ * curl_multi_remove_handle: fix a double-free
+ * multi: fix inifinte loop in curl_multi_cleanup()
+ * nss: fix tight loop in non-blocking TLS handhsake over proxy
+ * mk-ca-bundle: Change URL retrieval to HTTPS-only by default
+ * mbedtls: stop using deprecated include file
+ * docs: fix req->data in multi-uv example
+ * configure: Fix test syntax for monotonic clock_gettime
+ * CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2
+- Refresh libcurl-ocloexec.patch
+
+-------------------------------------------------------------------
Old: ---- curl-7.50.3.tar.lzma curl-7.50.3.tar.lzma.asc New: ---- curl-7.51.0.tar.lzma
curl-7.51.0.tar.lzma.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ curl.spec ++++++ --- /var/tmp/diff_new_pack.Afyekr/_old 2016-11-03 12:56:27.000000000 +0100 +++ /var/tmp/diff_new_pack.Afyekr/_new 2016-11-03 12:56:27.000000000 +0100 @@ -20,7 +20,7 @@ %bcond_with mozilla_nss %bcond_without testsuite Name: curl -Version: 7.50.3 +Version: 7.51.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: BSD-3-Clause and MIT ++++++ libcurl-ocloexec.patch ++++++ --- /var/tmp/diff_new_pack.Afyekr/_old 2016-11-03 12:56:27.000000000 +0100 +++ /var/tmp/diff_new_pack.Afyekr/_new 2016-11-03 12:56:27.000000000 +0100 @@ -9,9 +9,9 @@ Index: lib/file.c =================================================================== ---- lib/file.c.orig 2016-07-21 00:31:36.000000000 +0200 -+++ lib/file.c 2016-07-21 11:39:54.121170539 +0200 -@@ -241,7 +241,7 @@ static CURLcode file_connect(struct conn +--- lib/file.c.orig ++++ lib/file.c +@@ -242,7 +242,7 @@ static CURLcode file_connect(struct conn return CURLE_URL_MALFORMAT; } @@ -20,7 +20,7 @@ file->path = real_path; #endif file->freepath = real_path; /* free this when done */ -@@ -337,7 +337,7 @@ static CURLcode file_upload(struct conne +@@ -338,7 +338,7 @@ static CURLcode file_upload(struct conne else mode = MODE_DEFAULT|O_TRUNC; 
@@ -31,18 +31,18 @@ return CURLE_WRITE_ERROR; Index: lib/formdata.c =================================================================== ---- lib/formdata.c.orig 2016-07-21 00:31:36.000000000 +0200 -+++ lib/formdata.c 2016-07-21 11:39:54.121170539 +0200 -@@ -1290,7 +1290,7 @@ CURLcode Curl_getformdata(struct Curl_ea +--- lib/formdata.c.orig ++++ lib/formdata.c +@@ -1306,7 +1306,7 @@ CURLcode Curl_getformdata(struct Curl_ea FILE *fileread; - fileread = strequal("-", file->contents)? + fileread = !strcmp("-", file->contents)? - stdin:fopen(file->contents, "rb"); /* binary read for win32 */ + stdin:fopen(file->contents, "rbe"); /* binary read for win32 */ /* * VMS: This only allows for stream files on VMS. Stream files are -@@ -1450,7 +1450,7 @@ static size_t readfromfile(struct Form * +@@ -1466,7 +1466,7 @@ static size_t readfromfile(struct Form * else { if(!form->fp) { /* this file hasn't yet been opened */ @@ -53,8 +53,8 @@ } Index: lib/hostip6.c =================================================================== ---- lib/hostip6.c.orig 2016-07-21 00:31:36.000000000 +0200 -+++ lib/hostip6.c 2016-07-21 11:39:54.121170539 +0200 +--- lib/hostip6.c.orig ++++ lib/hostip6.c @@ -39,7 +39,7 @@ #ifdef HAVE_PROCESS_H #include <process.h> @@ -75,8 +75,8 @@ ipv6_works = 0; Index: lib/if2ip.c =================================================================== ---- lib/if2ip.c.orig 2016-06-27 16:11:14.000000000 +0200 -+++ lib/if2ip.c 2016-07-21 11:39:54.121170539 +0200 +--- lib/if2ip.c.orig ++++ lib/if2ip.c @@ -223,7 +223,7 @@ if2ip_result_t Curl_if2ip(int af, unsign if(len >= sizeof(req.ifr_name)) return IF2IP_NOT_FOUND; @@ -88,8 +88,8 @@ Index: lib/connect.c =================================================================== ---- lib/connect.c.orig 2016-07-21 00:31:36.000000000 +0200 -+++ lib/connect.c 2016-07-21 11:39:54.121170539 +0200 +--- lib/connect.c.orig ++++ lib/connect.c @@ -1351,7 +1351,7 @@ CURLcode Curl_socket(struct connectdata (struct curl_sockaddr *)addr); else 
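Review bot: In the lib/formdata.c part of the refreshed libcurl-ocloexec.patch (the `@@ -31,18 +31,18 @@` hunk), the patched line still carries the upstream comment `/* binary read for win32 */` next to the new mode string `"rbe"`, so nothing at the call site explains the extra `e`. That flag is a glibc extension that opens the stream with O_CLOEXEC, which keeps the file's descriptor from being inherited by any child process the application later spawns. I would have the patched line read `stdin:fopen(file->contents, "rbe"); /* binary read; 'e' = close-on-exec (glibc) */`. The body of Curl_getformdata lies outside the hunk, and the changed line of the readfromfile hunk is not visible here, so I cannot tell whether it needs the same comment.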
@@ -101,8 +101,8 @@ /* no socket, no connection */ Index: configure.ac =================================================================== ---- configure.ac.orig 2016-07-21 00:31:36.000000000 +0200 -+++ configure.ac 2016-07-21 11:39:54.125170603 +0200 +--- configure.ac.orig ++++ configure.ac @@ -185,6 +185,7 @@ AC_CANONICAL_HOST dnl Get system canonical name AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-machine-OS])