new upstream release - 7.56.0 (fixes CVE-2017-1000254)

This commit is contained in:
Kamil Dudka 2017-10-04 09:31:13 +02:00
parent c7e4ac606d
commit 46c8abb050
8 changed files with 18 additions and 161 deletions

View File

@ -1,67 +0,0 @@
From 918eb4c10b60a58ea6b14bea7b9fbfba4d29598c Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Mon, 14 Aug 2017 16:13:32 +0200
Subject: [PATCH] zsh.pl: produce a working completion script again
Commit curl-7_54_0-118-g8b2f22e changed the output format of curl --help
to use <file> and <dir> instead of FILE and DIR, which caused zsh.pl to
produce a broken completion script:
% curl --<TAB>
_curl:10: no such file or directory: seconds
Closes #1779
Upstream-commit: ab2a7079cd2a1ec279b1e6b587ba48e50c155e91
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
docs/cmdline-opts/cacert.d | 2 +-
scripts/zsh.pl | 5 +++--
src/tool_help.c | 2 +-
3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/docs/cmdline-opts/cacert.d b/docs/cmdline-opts/cacert.d
index 04e1139..b2ecf90 100644
--- a/docs/cmdline-opts/cacert.d
+++ b/docs/cmdline-opts/cacert.d
@@ -1,5 +1,5 @@
Long: cacert
-Arg: <CA certificate>
+Arg: <file>
Help: CA certificate to verify peer against
Protocols: TLS
---
diff --git a/scripts/zsh.pl b/scripts/zsh.pl
index f0d8c19..82b4d9f 100755
--- a/scripts/zsh.pl
+++ b/scripts/zsh.pl
@@ -54,10 +54,11 @@ sub parse_main_opts {
$option .= '}' if defined $short;
$option .= '\'[' . trim($desc) . ']\'' if defined $desc;
- $option .= ":$arg" if defined $arg;
+ $option .= ":'$arg'" if defined $arg;
$option .= ':_files'
- if defined $arg and ($arg eq 'FILE' || $arg eq 'DIR');
+ if defined $arg and ($arg eq '<file>' || $arg eq '<filename>'
+ || $arg eq '<dir>');
push @list, $option;
}
diff --git a/src/tool_help.c b/src/tool_help.c
index 42dc779..a5bfaba 100644
--- a/src/tool_help.c
+++ b/src/tool_help.c
@@ -54,7 +54,7 @@ static const struct helptxt helptext[] = {
"Append to target file when uploading"},
{" --basic",
"Use HTTP Basic Authentication"},
- {" --cacert <CA certificate>",
+ {" --cacert <file>",
"CA certificate to verify peer against"},
{" --capath <dir>",
"CA directory to verify peer against"},
--
2.9.5

View File

@ -1,40 +0,0 @@
From 74dac344b2feb2e0f4baddb70532dc8e45d2d817 Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
Date: Fri, 18 Aug 2017 10:43:02 +0200
Subject: [PATCH] http: Don't wait on CONNECT when there is no proxy
Since curl 7.55.0, NetworkManager almost always failed its connectivity
check by timeout. I bisected this to 5113ad04 (http-proxy: do the HTTP
CONNECT process entirely non-blocking).
This patch replaces !Curl_connect_complete with Curl_connect_ongoing,
which returns false if the CONNECT state was left uninitialized and lets
the connection continue.
Closes #1803
Fixes #1804
Also-fixed-by: Gergely Nagy
Upstream-commit: 74dac344b2feb2e0f4baddb70532dc8e45d2d817
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/http.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/http.c b/lib/http.c
index 35c7c3d43..3e3313278 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -1371,7 +1371,7 @@ CURLcode Curl_http_connect(struct connectdata *conn, bool *done)
if(CONNECT_FIRSTSOCKET_PROXY_SSL())
return CURLE_OK; /* wait for HTTPS proxy SSL initialization to complete */
- if(!Curl_connect_complete(conn))
+ if(Curl_connect_ongoing(conn))
/* nothing else to do except wait right now - we're not done here. */
return CURLE_OK;
--
2.13.5

View File

@ -12,7 +12,7 @@ diff --git a/configure b/configure
index 8f079a3..53b4774 100755 index 8f079a3..53b4774 100755
--- a/configure --- a/configure
+++ b/configure +++ b/configure
@@ -17079,18 +17079,11 @@ $as_echo "yes" >&6; } @@ -20351,18 +20351,11 @@ $as_echo "yes" >&6; }
gccvhi=`echo $gccver | cut -d . -f1` gccvhi=`echo $gccver | cut -d . -f1`
gccvlo=`echo $gccver | cut -d . -f2` gccvlo=`echo $gccver | cut -d . -f2`
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`

View File

@ -1,27 +0,0 @@
From 7271547cb46a4dc28004febaea19e5edaa2250d2 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Tue, 22 Aug 2017 17:02:26 +0200
Subject: [PATCH] openssl: utilize system wide crypto policies
... unless explicitly overridden via libcurl API
---
lib/vtls/openssl.h | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/vtls/openssl.h b/lib/vtls/openssl.h
index b9648d5..48036e1 100644
--- a/lib/vtls/openssl.h
+++ b/lib/vtls/openssl.h
@@ -119,8 +119,7 @@ bool Curl_ossl_cert_status_request(void);
#endif
#define curlssl_cert_status_request() Curl_ossl_cert_status_request()
-#define DEFAULT_CIPHER_SELECTION \
- "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH"
+#define DEFAULT_CIPHER_SELECTION "PROFILE=SYSTEM"
#endif /* USE_OPENSSL */
#endif /* HEADER_CURL_SSLUSE_H */
--
2.9.5

View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlmRPboACgkQXMkI/bce
EsIxOAf9GPx5uj4rzy5VW8UhHgZXJl97S9mEVt8I6DnwpLrlCsV7jf4CHpys0Ymt
kaRoqudjCfjfm2BRtoTZq9ZmWv6vMwuwKrfGwQSmtyNiVFnCZ2hX4QEErMDP27pn
yJnlxO0MQVXCpKAxvmx2yRQ/qoGX18dGENBGe5USBOzh3QWArIN8vIaGsINvCmcM
StMzgzNs+x4MP75xt6Wf+MH2biMfyXoq4zFsVKRYDlwZyr495uT9Zms4HzxPLlap
LPotKQTj1ZcmC0tVLGDWXEx/aE65tLhsJjyLrIlIx+VvkKPwxN8rBntAAC8jh6az
5bhonUTL94v5XnKySk7srhNP7ds8qQ==
=3zTB
-----END PGP SIGNATURE-----

11
curl-7.56.0.tar.xz.asc Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlnUd8QACgkQXMkI/bce
EsLXpgf/RNe897KrWq4s9H/ycobJXt4UEHXMbpjxQwEggNO4n0EwZ7Mt7WZ1aYR9
q0ELx4mYS0/Lr9u1v5RxtMiG9L91B9nSdhFzL3/hhiTubTyhxgleGJMc94iTFMQY
FjZYWZKHtBQlS8rjzTy2f7ESBIAs7zDPgWCfUlm0iuawSPx/Rw8ZrxC4yULvRubV
2wZgjOZeVnhTt6CyNihY9+xrNgEOLAd2b0zjDJSoS0iQmZ5QYZKP+XeD9imQvLLF
O0yhlE9PgCJTGCfjoehQop9rR7CtzDTT65A+syab5mQY+YbphL+8MfjKtoeWA78I
JzW//7fC4iCORd3D/HJ1lOa442cfCA==
=qKHn
-----END PGP SIGNATURE-----

View File

@ -1,26 +1,17 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl Name: curl
Version: 7.55.1 Version: 7.56.0
Release: 5%{?dist} Release: 1%{?dist}
License: MIT License: MIT
Group: Applications/Internet Group: Applications/Internet
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
# make zsh completion work again
Patch1: 0001-curl-7.55.1-zsh-completion.patch
# http: Don't wait on CONNECT when there is no proxy (#1485702)
Patch2: 0002-curl-7.55.1-proxy-connect.patch
# patch making libcurl multilib ready # patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch Patch101: 0101-curl-7.32.0-multilib.patch
# prevent configure script from discarding -g in CFLAGS (#496778) # prevent configure script from discarding -g in CFLAGS (#496778)
Patch102: 0102-curl-7.36.0-debug.patch Patch102: 0102-curl-7.36.0-debug.patch
# utilize system wide crypto policies for TLS (#1483972)
Patch103: 0103-curl-7.55.1-system-crypto-policy.patch
# use localhost6 instead of ip6-localhost in the curl test-suite # use localhost6 instead of ip6-localhost in the curl test-suite
Patch104: 0104-curl-7.19.7-localhost6.patch Patch104: 0104-curl-7.19.7-localhost6.patch
@ -158,13 +149,10 @@ be installed.
%setup -q %setup -q
# upstream patches # upstream patches
%patch1 -p1
%patch2 -p1
# Fedora patches # Fedora patches
%patch101 -p1 %patch101 -p1
%patch102 -p1 %patch102 -p1
%patch103 -p1
%patch104 -p1 %patch104 -p1
# regenerate Makefile.in files # regenerate Makefile.in files
@ -314,6 +302,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.[0-9].[0-9].[0-9].minimal %{_libdir}/libcurl.so.[0-9].[0-9].[0-9].minimal
%changelog %changelog
* Wed Oct 04 2017 Kamil Dudka <kdudka@redhat.com> - 7.56.0-1
- new upstream release (fixes CVE-2017-1000254)
* Mon Aug 28 2017 Kamil Dudka <kdudka@redhat.com> - 7.55.1-5 * Mon Aug 28 2017 Kamil Dudka <kdudka@redhat.com> - 7.55.1-5
- apply the patch for the previous commit and fix its name (#1485702) - apply the patch for the previous commit and fix its name (#1485702)

View File

@ -1 +1 @@
SHA512 (curl-7.55.1.tar.xz) = 69f906655064b9cfef5b8763a893a658b25fcc4e595141ef122ac2b12158c5dc3b9535cb392f6f5af8346b6d495eb0609a08b5a6e638d4b10b82a15a0e8a7517 SHA512 (curl-7.56.0.tar.xz) = a6bd5c56cd3a939a31b755bee3733df6670eec3d65b81b6c3e32ef9df110e3e748adc2cee81b1eb29f81cdf344230314c7ac1a2ed8f329f41c8352f920de3bfe