rpms/curl
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

new upstream release - 7.61.1

Browse Source 
Resolves: CVE-2018-14618 - NTLM password overflow via integer overflow
This commit is contained in:
Kamil Dudka 2018-09-05 09:57:41 +02:00
parent e7b6b91818
commit 20b63790e4
9 changed files with 20 additions and 531 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

272
0001-curl-7.61.0-pkcs11.patch
View File

@ -1,272 +0,0 @@
From a9a65ae9f6516faf042b36eca2450db7d34bff47 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Mon, 19 Feb 2018 14:31:06 +0100
Subject: [PATCH 1/2] ssl: set engine implicitly when a PKCS#11 URI is provided
This allows the use of PKCS#11 URI for certificates and keys without
setting the corresponding type as "ENG" and the engine as "pkcs11"
explicitly. If a PKCS#11 URI is provided for certificate, key,
proxy_certificate or proxy_key, the corresponding type is set as "ENG"
if not provided and the engine is set to "pkcs11" if not provided.
Acked-by: Nikos Mavrogiannopoulos
Closes #2333
Upstream-commit: 298d2565e2a2f06a859b7f5a1cc24ba7c87a8ce2
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
docs/cmdline-opts/cert.d | 7 ++++++
docs/cmdline-opts/key.d | 7 ++++++
lib/vtls/openssl.c | 38 ++++++++++++++++++++++++++++
src/tool_getparam.c | 2 +-
src/tool_operate.c | 53 ++++++++++++++++++++++++++++++++++++++++
tests/unit/unit1394.c | 3 +++
6 files changed, 109 insertions(+), 1 deletion(-)
diff --git a/docs/cmdline-opts/cert.d b/docs/cmdline-opts/cert.d
index adf62fc..510b833 100644
--- a/docs/cmdline-opts/cert.d
+++ b/docs/cmdline-opts/cert.d
@@ -23,6 +23,13 @@ nickname contains ":", it needs to be preceded by "\\" so that it is not
recognized as password delimiter. If the nickname contains "\\", it needs to
be escaped as "\\\\" so that it is not recognized as an escape character.
+If curl is built against OpenSSL library, and the engine pkcs11 is available,
+then a PKCS#11 URI (RFC 7512) can be used to specify a certificate located in
+a PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a
+PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set
+as "pkcs11" if none was provided and the --cert-type option will be set as
+"ENG" if none was provided.
+
(iOS and macOS only) If curl is built against Secure Transport, then the
certificate string can either be the name of a certificate/private key in the
system or user keychain, or the path to a PKCS#12-encoded certificate and
diff --git a/docs/cmdline-opts/key.d b/docs/cmdline-opts/key.d
index fbf583a..4877b42 100644
--- a/docs/cmdline-opts/key.d
+++ b/docs/cmdline-opts/key.d
@@ -7,4 +7,11 @@ Private key file name. Allows you to provide your private key in this separate
file. For SSH, if not specified, curl tries the following candidates in order:
'~/.ssh/id_rsa', '~/.ssh/id_dsa', './id_rsa', './id_dsa'.
+If curl is built against OpenSSL library, and the engine pkcs11 is available,
+then a PKCS#11 URI (RFC 7512) can be used to specify a private key located in a
+PKCS#11 device. A string beginning with "pkcs11:" will be interpreted as a
+PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set
+as "pkcs11" if none was provided and the --key-type option will be set as
+"ENG" if none was provided.
+
If this option is used several times, the last one will be used.
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 0b1929b..bc46eca 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -558,8 +558,25 @@ static int ssl_ui_writer(UI *ui, UI_STRING *uis)
}
return (UI_method_get_writer(UI_OpenSSL()))(ui, uis);
}
+
+/*
+ * Check if a given string is a PKCS#11 URI
+ */
+static bool is_pkcs11_uri(const char *string)
+{
+ if(strncasecompare(string, "pkcs11:", 7)) {
+ return TRUE;
+ }
+ else {
+ return FALSE;
+ }
+}
+
#endif
+static CURLcode Curl_ossl_set_engine(struct Curl_easy *data,
+ const char *engine);
+
static
int cert_stuff(struct connectdata *conn,
SSL_CTX* ctx,
@@ -622,6 +639,16 @@ int cert_stuff(struct connectdata *conn,
case SSL_FILETYPE_ENGINE:
#if defined(USE_OPENSSL_ENGINE) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME)
{
+ /* Implicitly use pkcs11 engine if none was provided and the
+ * cert_file is a PKCS#11 URI */
+ if(!data->state.engine) {
+ if(is_pkcs11_uri(cert_file)) {
+ if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) {
+ return 0;
+ }
+ }
+ }
+
if(data->state.engine) {
const char *cmd_name = "LOAD_CERT_CTRL";
struct {
@@ -798,6 +825,17 @@ int cert_stuff(struct connectdata *conn,
#ifdef USE_OPENSSL_ENGINE
{ /* XXXX still needs some work */
EVP_PKEY *priv_key = NULL;
+
+ /* Implicitly use pkcs11 engine if none was provided and the
+ * key_file is a PKCS#11 URI */
+ if(!data->state.engine) {
+ if(is_pkcs11_uri(key_file)) {
+ if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) {
+ return 0;
+ }
+ }
+ }
+
if(data->state.engine) {
UI_METHOD *ui_method =
UI_create_method((char *)"curl user interface");
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index cc3fcf3..a7bb7f9 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -342,7 +342,7 @@ void parse_cert_parameter(const char *cert_parameter,
* looks like a RFC7512 PKCS#11 URI which can be used as-is.
* Also if cert_parameter contains no colon nor backslash, this
* means no passphrase was given and no characters escaped */
- if(!strncmp(cert_parameter, "pkcs11:", 7) ||
+ if(curl_strnequal(cert_parameter, "pkcs11:", 7) ||
!strpbrk(cert_parameter, ":\\")) {
*certname = strdup(cert_parameter);
return;
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 26fc251..25d450c 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -113,6 +113,19 @@ static bool is_fatal_error(CURLcode code)
return FALSE;
}
+/*
+ * Check if a given string is a PKCS#11 URI
+ */
+static bool is_pkcs11_uri(const char *string)
+{
+ if(curl_strnequal(string, "pkcs11:", 7)) {
+ return TRUE;
+ }
+ else {
+ return FALSE;
+ }
+}
+
#ifdef __VMS
/*
* get_vms_file_size does what it takes to get the real size of the file
@@ -1073,6 +1086,46 @@ static CURLcode operate_do(struct GlobalConfig *global,
my_setopt_str(curl, CURLOPT_PINNEDPUBLICKEY, config->pinnedpubkey);
if(curlinfo->features & CURL_VERSION_SSL) {
+ /* Check if config->cert is a PKCS#11 URI and set the
+ * config->cert_type if necessary */
+ if(config->cert) {
+ if(!config->cert_type) {
+ if(is_pkcs11_uri(config->cert)) {
+ config->cert_type = strdup("ENG");
+ }
+ }
+ }
+
+ /* Check if config->key is a PKCS#11 URI and set the
+ * config->key_type if necessary */
+ if(config->key) {
+ if(!config->key_type) {
+ if(is_pkcs11_uri(config->key)) {
+ config->key_type = strdup("ENG");
+ }
+ }
+ }
+
+ /* Check if config->proxy_cert is a PKCS#11 URI and set the
+ * config->proxy_type if necessary */
+ if(config->proxy_cert) {
+ if(!config->proxy_cert_type) {
+ if(is_pkcs11_uri(config->proxy_cert)) {
+ config->proxy_cert_type = strdup("ENG");
+ }
+ }
+ }
+
+ /* Check if config->proxy_key is a PKCS#11 URI and set the
+ * config->proxy_key_type if necessary */
+ if(config->proxy_key) {
+ if(!config->proxy_key_type) {
+ if(is_pkcs11_uri(config->proxy_key)) {
+ config->proxy_key_type = strdup("ENG");
+ }
+ }
+ }
+
my_setopt_str(curl, CURLOPT_SSLCERT, config->cert);
my_setopt_str(curl, CURLOPT_PROXY_SSLCERT, config->proxy_cert);
my_setopt_str(curl, CURLOPT_SSLCERTTYPE, config->cert_type);
diff --git a/tests/unit/unit1394.c b/tests/unit/unit1394.c
index 667991d..010f052 100644
--- a/tests/unit/unit1394.c
+++ b/tests/unit/unit1394.c
@@ -56,6 +56,9 @@ UNITTEST_START
"foo:bar\\\\", "foo", "bar\\\\",
"foo:bar:", "foo", "bar:",
"foo\\::bar\\:", "foo:", "bar\\:",
+ "pkcs11:foobar", "pkcs11:foobar", NULL,
+ "PKCS11:foobar", "PKCS11:foobar", NULL,
+ "PkCs11:foobar", "PkCs11:foobar", NULL,
#ifdef WIN32
"c:\\foo:bar:baz", "c:\\foo", "bar:baz",
"c:\\foo\\:bar:baz", "c:\\foo:bar", "baz",
--
2.17.1
From 2be42ac65f4c345ed3ddc97917c8ef54e13fcbfd Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 9 Aug 2018 15:34:22 +0200
Subject: [PATCH 2/2] docs: add files needed to regenerate curl.1 man page
Bug: https://github.com/curl/curl/pull/2856
---
docs/cmdline-opts/disallow-username-in-url.d | 7 +++++++
docs/cmdline-opts/haproxy-protocol.d | 11 +++++++++++
2 files changed, 18 insertions(+)
create mode 100644 docs/cmdline-opts/disallow-username-in-url.d
create mode 100644 docs/cmdline-opts/haproxy-protocol.d
diff --git a/docs/cmdline-opts/disallow-username-in-url.d b/docs/cmdline-opts/disallow-username-in-url.d
new file mode 100644
index 0000000..a7f46ea
--- /dev/null
+++ b/docs/cmdline-opts/disallow-username-in-url.d
@@ -0,0 +1,7 @@
+Long: disallow-username-in-url
+Help: Disallow username in url
+Protocols: HTTP
+Added: 7.61.0
+See-also: proto
+---
+This tells curl to exit if passed a url containing a username.
diff --git a/docs/cmdline-opts/haproxy-protocol.d b/docs/cmdline-opts/haproxy-protocol.d
new file mode 100644
index 0000000..cc41c9c
--- /dev/null
+++ b/docs/cmdline-opts/haproxy-protocol.d
@@ -0,0 +1,11 @@
+Long: haproxy-protocol
+Help: Send HAProxy PROXY protocol v1 header
+Protocols: HTTP
+Added: 7.60.0
+---
+Send a HAProxy PROXY protocol v1 header at the beginning of the connection. This
+is used by some load balancers and reverse proxies to indicate the client's
+true IP address and port.
+
+This option is primarily useful when sending test requests to a service that
+expects this header.
--
2.17.1

130
0002-curl-7.61.0-libssh.patch
View File

@ -1,130 +0,0 @@
From 155d4ffb7d40daf2afa0102f91f810675220ab6e Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Tue, 14 Aug 2018 13:14:49 +0200
Subject: [PATCH] ssh-libssh: reduce excessive verbose output about pubkey auth
The verbose message "Authentication using SSH public key file" was
printed each time the ssh_userauth_publickey_auto() was called, which
meant each time a packet was transferred over network because the API
operates in non-blocking mode.
This patch makes sure that the verbose message is printed just once
(when the authentication state is entered by the SSH state machine).
Upstream-commit: 1e843a31a49484aeddf8f358e71392205f5fd6b1
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/ssh-libssh.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c
index cecf477ac..f40f074b9 100644
--- a/lib/ssh-libssh.c
+++ b/lib/ssh-libssh.c
@@ -618,6 +618,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block)
sshc->auth_methods = ssh_userauth_list(sshc->ssh_session, NULL);
if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) {
state(conn, SSH_AUTH_PKEY_INIT);
+ infof(data, "Authentication using SSH public key file\n");
}
else if(sshc->auth_methods & SSH_AUTH_METHOD_GSSAPI_MIC) {
state(conn, SSH_AUTH_GSSAPI);
@@ -670,8 +671,6 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block)
}
else {
- infof(data, "Authentication using SSH public key file\n");
-
rc = ssh_userauth_publickey_auto(sshc->ssh_session, NULL,
data->set.ssl.key_passwd);
if(rc == SSH_AUTH_AGAIN) {
--
2.17.1
From 4b445519694ab620bd6376066844a7076e8ce4ab Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Tue, 14 Aug 2018 12:47:18 +0200
Subject: [PATCH] ssh-libssh: fix infinite connect loop on invalid private key
Added test 656 (based on test 604) to verify the fix.
Bug: https://bugzilla.redhat.com/1595135
Closes #2879
Upstream-commit: a4c7911a48dadb4f68ba6b38bb1bf3f061b747f6
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/ssh-libssh.c | 1 +
tests/data/Makefile.inc | 2 +-
tests/data/test656 | 33 +++++++++++++++++++++++++++++++++
3 files changed, 35 insertions(+), 1 deletion(-)
create mode 100644 tests/data/test656
diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c
index f40f074b9..12d618cfe 100644
--- a/lib/ssh-libssh.c
+++ b/lib/ssh-libssh.c
@@ -663,6 +663,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block)
if(rc != SSH_OK) {
failf(data, "Could not load private key file %s",
data->set.str[STRING_SSH_PRIVATE_KEY]);
+ MOVE_TO_ERROR_STATE(CURLE_LOGIN_DENIED);
break;
}
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 20274b37c..518a5a543 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -83,7 +83,7 @@ test617 test618 test619 test620 test621 test622 test623 test624 test625 \
test626 test627 test628 test629 test630 test631 test632 test633 test634 \
test635 test636 test637 test638 test639 test640 test641 test642 \
test643 test644 test645 test646 test647 test648 test649 test650 test651 \
-test652 test653 test654 test655 \
+test652 test653 test654 test655 test656 \
\
test700 test701 test702 test703 test704 test705 test706 test707 test708 \
test709 test710 test711 test712 test713 test714 test715 \
diff --git a/tests/data/test656 b/tests/data/test656
new file mode 100644
index 000000000..4107d3d17
--- /dev/null
+++ b/tests/data/test656
@@ -0,0 +1,33 @@
+<testcase>
+<info>
+<keywords>
+SFTP
+FAILURE
+</keywords>
+</info>
+
+#
+# Client-side
+<client>
+<server>
+sftp
+</server>
+ <name>
+SFTP retrieval with nonexistent private key file
+ </name>
+ <command>
+--key DOES_NOT_EXIST --pubkey curl_client_key.pub -u %USER: sftp://%HOSTIP:%SSHPORT%PWD/not-a-valid-file-moooo --insecure --connect-timeout 8
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<valgrind>
+disable
+</valgrind>
+<errorcode>
+67
+</errorcode>
+</verify>
+</testcase>
--
2.17.1

101
0003-curl-7.61.0-tls13-ciphers.patch
View File

@ -1,101 +0,0 @@
From 426b00d0587797d79806f9682b058d5c90a0ab79 Mon Sep 17 00:00:00 2001
From: Jay Satiro <raysatiro@yahoo.com>
Date: Fri, 31 Aug 2018 19:46:29 -0400
Subject: [PATCH 1/2] openssl: Fix setting TLS 1.3 cipher suites
The flag indicating TLS 1.3 cipher support in the OpenSSL backend was
missing.
Bug: https://github.com/curl/curl/pull/2607#issuecomment-417283187
Reported-by: Kamil Dudka
Closes #2926
Upstream-commit: 978574b502294ae06eb97d4f590b54ed5d24cd7f
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/vtls/openssl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index bc46eca..fad4287 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3804,6 +3804,9 @@ const struct Curl_ssl Curl_ssl_openssl = {
SSLSUPP_CERTINFO |
SSLSUPP_PINNEDPUBKEY |
SSLSUPP_SSL_CTX |
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
+ SSLSUPP_TLS13_CIPHERSUITES |
+#endif
SSLSUPP_HTTPS_PROXY,
sizeof(struct ssl_backend_data),
--
2.17.1
From 081afa4e2eb5e853833bd87ca43f48ab550fe657 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Mon, 3 Sep 2018 13:04:00 +0200
Subject: [PATCH 2/2] url, vtls: make CURLOPT{,_PROXY}_TLS13_CIPHERS work
This is a follow-up to PR #2607 and PR #2926.
Closes #2936
Upstream-commit: 52c13d6328ff56b2d2e8313e88cfdfc78acda365
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/url.c | 4 ++++
lib/vtls/vtls.c | 5 ++++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/url.c b/lib/url.c
index 27b2c1e..46898c4 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -4356,6 +4356,10 @@ static CURLcode create_conn(struct Curl_easy *data,
data->set.str[STRING_SSL_CIPHER_LIST_ORIG];
data->set.proxy_ssl.primary.cipher_list =
data->set.str[STRING_SSL_CIPHER_LIST_PROXY];
+ data->set.ssl.primary.cipher_list13 =
+ data->set.str[STRING_SSL_CIPHER13_LIST_ORIG];
+ data->set.proxy_ssl.primary.cipher_list13 =
+ data->set.str[STRING_SSL_CIPHER13_LIST_PROXY];
data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index bf96518..b61c640 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -96,7 +96,8 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
- Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list))
+ Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+ Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13))
return TRUE;
return FALSE;
@@ -119,6 +120,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
CLONE_STRING(random_file);
CLONE_STRING(egdsocket);
CLONE_STRING(cipher_list);
+ CLONE_STRING(cipher_list13);
return TRUE;
}
@@ -131,6 +133,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc)
Curl_safefree(sslc->random_file);
Curl_safefree(sslc->egdsocket);
Curl_safefree(sslc->cipher_list);
+ Curl_safefree(sslc->cipher_list13);
}
#ifdef USE_SSL
--
2.17.1

2
0102-curl-7.36.0-debug.patch
View File

@ -12,7 +12,7 @@ diff --git a/configure b/configure
index 8f079a3..53b4774 100755 index 8f079a3..53b4774 100755
--- a/configure --- a/configure
+++ b/configure +++ b/configure
@@ -16409,18 +16409,11 @@ $as_echo "yes" >&6; } @@ -16414,18 +16414,11 @@ $as_echo "yes" >&6; }
gccvhi=`echo $gccver | cut -d . -f1` gccvhi=`echo $gccver | cut -d . -f1`
gccvlo=`echo $gccver | cut -d . -f2` gccvlo=`echo $gccver | cut -d . -f2`
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`

2
0103-curl-7.59.0-python3.patch
View File

@ -32,7 +32,7 @@ diff --git a/tests/runtests.pl b/tests/runtests.pl
index d6aa5ca..4d395ef 100755 index d6aa5ca..4d395ef 100755
--- a/tests/runtests.pl --- a/tests/runtests.pl
+++ b/tests/runtests.pl +++ b/tests/runtests.pl
@@ -1438,7 +1438,7 @@ sub runhttpserver { @@ -1439,7 +1439,7 @@ sub runhttpserver {
elsif($alt eq "pipe") { elsif($alt eq "pipe") {
# basically the same, but another ID # basically the same, but another ID
$idnum = 3; $idnum = 3;

11
curl-7.61.0.tar.xz.asc
View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAltFnUIACgkQXMkI/bce
EsJSSggAo2pO9DacErY/wVqYm2KA76s8HDMyGkvb7HXPWe3w1Nj6nwCY8Knbp2C6
s6LZ73gqKfe3K+kFsFE6bFy9l2MKNs64cBG19dNUGcoYek6zt1BBXC6LT8/eOWc4
l6HKift+CBh6ErtInB2CzmoG7dvNoZA00sERJbj9w+QZK4CTBZPWjz9BRHo7V31q
VnciTRgJ39HjL0kupdDIZgpCL741aWlkbOZu5wsRfe7nxWeiCdyOVluXluDi9t2i
s1mTPMpkMWDIEh723QL5jOlct9/hTLXAS2yZeR6qJafcicyIboXh0ZwGQGonHADi
aBs922AWx3v8x18thsCMQZwJSHiYEw==
=7p0n
-----END PGP SIGNATURE-----

11
curl-7.61.1.tar.xz.asc Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAluPblgACgkQXMkI/bce
EsJynAgArST/gB9eVYIQTTAdXxCOSnArBK/Ne/UNW83QIgOawj0HvEpj9+1SNfTi
EwC5YSwymyMuKGTDLNswTnJ0MripRKylekfu1QGGzmIOkqovTiHz60xiFuWYI3vy
fYuAAse5MJz64GCVFwOM4me8SgEjtb/hIbhiCLqilOyXnqtocDm4FPCMAYQ1mTFy
RJBbwgDLwtktfBDCQyMXTeETGuk3bTrtvSwRv8+Rq8qehOt5s58Fqeztv8EVNi+B
Qzsi5NXMulgl3C0P3dN/cC81+OL75ehuE91AFXUmbNOnlYNTOxHR2dioaXaEyhKb
51KLH2D0G75wlfMbgMhX/rguuXT2rg==
=vM6i
-----END PGP SIGNATURE-----

20
curl.spec
View File

@ -1,19 +1,10 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl Name: curl
Version: 7.61.0 Version: 7.61.1
Release: 8%{?dist} Release: 1%{?dist}
License: MIT License: MIT
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
# ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544)
Patch1: 0001-curl-7.61.0-pkcs11.patch
# scp/sftp: fix infinite connect loop on invalid private key (#1595135)
Patch2: 0002-curl-7.61.0-libssh.patch
# make the --tls13-ciphers option work
Patch3: 0003-curl-7.61.0-tls13-ciphers.patch
# patch making libcurl multilib ready # patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch Patch101: 0101-curl-7.32.0-multilib.patch
@ -167,9 +158,6 @@ be installed.
%setup -q %setup -q
# upstream patches # upstream patches
%patch1 -p1
%patch2 -p1
%patch3 -p1
# Fedora patches # Fedora patches
%patch101 -p1 %patch101 -p1
@ -337,6 +325,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog %changelog
* Wed Sep 05 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-1
- new upstream release, which fixes the following vulnerability
CVE-2018-14618 - NTLM password overflow via integer overflow
* Tue Sep 04 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-8 * Tue Sep 04 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-8
- make the --tls13-ciphers option work - make the --tls13-ciphers option work

2
sources
View File

@ -1 +1 @@
SHA512 (curl-7.61.0.tar.xz) = 1b450bbd794460fea12374a49739a49a43c3651038dc092c277769bab09a62627f8eedfa94b5c1610503bf20eeaf60643a1e32fdcf1bcf8d4085090c4a598b13 SHA512 (curl-7.61.1.tar.xz) = e6f82a7292c70841162480c8880d25046bcfa64058f4ff76f7d398c85da569af1c244442c9c58a3478d59264365ff8e39eed2fb564cb137118588f7862e64e9a