Hello community,

here is the log from the commit of package curl for openSUSE:Factory checked in at 2018-05-29 16:45:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/curl (Old)
 and /work/SRC/openSUSE:Factory/.curl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "curl" Tue May 29 16:45:48 2018 rev:134 rq:610352 version:7.60.0 Changes: -------- --- /work/SRC/openSUSE:Factory/curl/curl-mini.changes 2018-03-19 23:31:36.180018084 +0100 +++ /work/SRC/openSUSE:Factory/.curl.new/curl-mini.changes 2018-05-29 16:45:51.753976155 +0200 
@@ -1,0 +2,128 @@ +Fri May 18 11:47:00 UTC 2018 - [email protected] + +- Use OPENSSL_config instead of CONF_modules_load_file() to avoid + crashes due to openssl engines conflicts (bsc#1086367) + * add curl-use_OPENSSL_config.patch + +------------------------------------------------------------------- +Wed May 16 08:41:48 UTC 2018 - [email protected] + +- Update to version 7.60.0 + [bsc#1092094, CVE-2018-1000300][bsc#1092098, CVE-2018-1000301] + Changes: + * Add CURLOPT_HAPROXYPROTOCOL, support for the HAProxy PROXY protocol + * Add --haproxy-protocol for the command line tool + * Add CURLOPT_DNS_SHUFFLE_ADDRESSES, shuffle returned IP addresses + Bugfixes: + * FTP: shutdown response buffer overflow CVE-2018-1000300 + * RTSP: bad headers buffer over-read CVE-2018-1000301 + * FTP: fix typo in recursive callback detection for seeking + * test1208: marked flaky + * HTTP: make header-less responses still count correct body size + * user-agent.d:: mention --proxy-header as well + * http2: fixes typo + * cleanup: misc typos in strings and comments + * rate-limit: use three second window to better handle high speeds + * examples/hiperfifo.c: improved + * pause: when changing pause state, update socket state + * multi: improved pending transfers handling => improved performance + * curl_version_info.3: fix ssl_version description + * add_handle/easy_perform: clear errorbuffer on start if set + * cmake: add support for brotli + * parsedate: support UT timezone + * vauth/ntlm.h: fix the #ifdef header guard + * lib/curl_path.h: added #ifdef header guard + * vauth/cleartext: fix integer overflow check + * CURLINFO_COOKIELIST.3: made the example not leak memory + * cookie.d: mention that "-" as filename means stdin + * CURLINFO_SSL_VERIFYRESULT.3: fixed the example + * http2: read pending frames (including GOAWAY) in connection-check + * timeval: remove compilation warning by casting + * cmake: avoid warn-as-error during config checks + * travis-ci: enable -Werror for CMake 
builds + * openldap: fix for NULL return from ldap_get_attribute_ber() + * threaded resolver: track resolver time and set suitable timeout values + * cmake: Add advapi32 as explicit link library for win32 + * docs: fix CURLINFO_*_T examples use of CURL_FORMAT_CURL_OFF_T + * test1148: set a fixed locale for the test + * cookies: when reading from a file, only remove_expired once + * cookie: store cookies per top-level-domain-specific hash table + * openssl: fix build with LibreSSL 2.7 + * tls: fix mbedTLS 2.7.0 build + handle sha256 failures + * openssl: RESTORED verify locations when verifypeer==0 + * file: restore old behavior for file:////foo/bar URLs + * FTP: allow PASV on IPv6 connections when a proxy is being used + * build-openssl.bat: allow custom paths for VS and perl + * winbuild: make the clean target work without build-type + * build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15 + * curl: retry on FTP 4xx, ignore other protocols + * configure: detect (and use) sa_family_t + * examples/sftpuploadresume: Fix Windows large file seek + * build: cleanup to fix clang warnings/errors + * winbuild: updated the documentation + * lib: silence null-dereference warnings + * travis: bump to clang 6 and gcc 7 + * travis: build libpsl and make builds use it + * proxy: show getenv proxy use in verbose output + * duphandle: make sure CURLOPT_RESOLVE is duplicated + * all: Refactor malloc+memset to use calloc + * checksrc: Fix typo + * system.h: Add sparcv8plus to oracle/sunpro 32-bit detection + * vauth: Fix typo + * ssh: show libSSH2 error code when closing fails + * test1148: tolerate progress updates better + * urldata: make service names unconditional + * configure: keep LD_LIBRARY_PATH changes local + * ntlm_sspi: fix authentication using Credential Manager + * schannel: add client certificate authentication + * winbuild: Support custom devel paths for each dependency + * schannel: add support for CURLOPT_CAINFO + * http2: handle on_begin_headers() called 
more than once + * openssl: support OpenSSL 1.1.1 verbose-mode trace messages + * openssl: fix subjectAltName check on non-ASCII platforms + * http2: avoid strstr() on data not zero terminated + * http2: clear the "drain counter" when a stream is closed + * http2: handle GOAWAY properly + * tool_help: clarify --max-time unit of time is seconds + * curl.1: clarify that options and URLs can be mixed + * http2: convert an assert to run-time check + * curl_global_sslset: always provide available backends + * ftplistparser: keep state between invokes + * Curl_memchr: zero length input can't match + * examples/sftpuploadresume: typecast fseek argument to long + * examples/http2-upload: expand buffer to avoid silly warning + * ctype: restore character classification for non-ASCII platforms + * mime: avoid NULL pointer dereference risk + * cookies: ensure that we have cookies before writing jar + * os400.c: fix checksrc warnings + * configure: provide --with-wolfssl as an alias for --with-cyassl + * cyassl: adapt to libraries without TLS 1.0 support built-in + * http2: get rid of another strstr + * checksrc: force indentation of lines after an else + * cookies: remove unused macro + * CURLINFO_PROTOCOL.3: mention the existing defined names + * tests: provide 'manual' as a feature to optionally require + * travis: enable libssh2 on both macos and Linux + * CURLOPT_URL.3: added ENCODING section + * wolfssl: Fix non-blocking connect + * vtls: don't define MD5_DIGEST_LENGTH for wolfssl + * docs: remove extraneous commas in man pages + * URL: fix ASCII dependency in strcpy_url and strlen_url + * ssh-libssh.c: fix left shift compiler warning + * configure: only check for CA bundle for file-using SSL backends + * travis: add an mbedtls build + * http: don't set the "rewind" flag when not uploading anything + * configure: put CURLDEBUG and DEBUGBUILD in lib/curl_config.h + * transfer: don't unset writesockfd on setup of multiplexed conns + * vtls: use unified "supports" bitfield 
member in backends + * URLs: fix one more http url + * travis: add a build using WolfSSL + * openssl: change FILE ops to BIO ops + * travis: add build using NSS + * smb: reject negative file sizes + * cookies: accept parameter names as cookie name + * http2: getsock fix for uploads + * all over: fixed format specifiers + * http2: use the correct function pointer typedef + +------------------------------------------------------------------- curl.changes: same change Old: ---- curl-7.59.0.tar.gz curl-7.59.0.tar.gz.asc New: ---- curl-7.60.0.tar.gz curl-7.60.0.tar.gz.asc curl-use_OPENSSL_config.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ curl-mini.spec ++++++ --- /var/tmp/diff_new_pack.6jpZRR/_old 2018-05-29 16:45:53.801900782 +0200 +++ /var/tmp/diff_new_pack.6jpZRR/_new 2018-05-29 16:45:53.801900782 +0200 @@ -29,7 +29,7 @@ # need ssl always for python-pycurl %bcond_without openssl Name: curl-mini -Version: 7.59.0 +Version: 7.60.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl ++++++ curl.spec ++++++ --- /var/tmp/diff_new_pack.6jpZRR/_old 2018-05-29 16:45:53.829899752 +0200 +++ /var/tmp/diff_new_pack.6jpZRR/_new 2018-05-29 16:45:53.833899605 +0200 @@ -27,7 +27,7 @@ # need ssl always for python-pycurl %bcond_without openssl Name: curl -Version: 7.59.0 +Version: 7.60.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl @@ -43,6 +43,7 @@ Patch3: ignore_runtests_failure.patch # PATCH-FIX-OPENSUSE bsc#1076446 protocol redirection not supported or disabled Patch4: curl-disabled-redirect-protocol-message.patch +Patch5: curl-use_OPENSSL_config.patch BuildRequires: libtool BuildRequires: pkgconfig Requires: libcurl4%{?mini} = %{version} 
@@ -122,6 +123,7 @@ %patch3 -p1 %endif %patch4 -p1 +%patch5 -p1 %build # curl complains if macro definition is contained in CFLAGS ++++++ curl-7.59.0.tar.gz -> curl-7.60.0.tar.gz ++++++ ++++ 47717 lines of diff (skipped) ++++++ curl-use_OPENSSL_config.patch ++++++ This basically reverts https://github.com/curl/curl/commit/7d2f61f66ab4e047fc9aefc2effc1ac6d340a66a diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 80e9bf940..ba227891f 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -925,26 +925,12 @@ static int Curl_ossl_init(void) ENGINE_load_builtin_engines(); #endif - /* OPENSSL_config(NULL); is "strongly recommended" to use but unfortunately - that function makes an exit() call on wrongly formatted config files - which makes it hard to use in some situations. OPENSSL_config() itself - calls CONF_modules_load_file() and we use that instead and we ignore - its return code! */ - - /* CONF_MFLAGS_DEFAULT_SECTION introduced some time between 0.9.8b and - 0.9.8e */ -#ifndef CONF_MFLAGS_DEFAULT_SECTION -#define CONF_MFLAGS_DEFAULT_SECTION 0x0 -#endif - - CONF_modules_load_file(NULL, NULL, - CONF_MFLAGS_DEFAULT_SECTION| - CONF_MFLAGS_IGNORE_MISSING_FILE); - #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ !defined(LIBRESSL_VERSION_NUMBER) - /* OpenSSL 1.1.0+ takes care of initialization itself */ + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); #else + OPENSSL_config(NULL); + /* Lets get nice error messages */ SSL_load_error_strings();
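Review bot: in the curl.spec hunk at @@ -43,6 +43,7 @@, the new "Patch5: curl-use_OPENSSL_config.patch" line has no comment above it, while Patch4 directly before it carries a "# PATCH-FIX-OPENSUSE bsc#1076446 ..." line. Add a tag comment in the same style that cites bsc#1086367, the bug the changelog entry gives as the reason for this patch, so the spec file itself records why the patch is carried.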
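Review bot: in lib/vtls/openssl.c at @@ -925,26 +925,12 @@, the added "OPENSSL_config(NULL);" in the #else branch brings back the behaviour that the deleted comment warns about: that function makes an exit() call on a wrongly formatted config file, so on builds that take this branch a malformed OpenSSL config ends the process that is initializing libcurl. The patch description only says it "basically reverts" the upstream commit; it should state this trade-off and reference bsc#1086367. In the OpenSSL 1.1.0+ branch the return value of "OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);" is discarded; either check it or add a comment saying that ignoring a failed config load is intended, as the removed code did for CONF_modules_load_file().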
