new upstream release - 7.51.0
Resolves: CVE-2016-8615 - Cookie injection for other servers Resolves: CVE-2016-8616 - Case insensitive password comparison Resolves: CVE-2016-8617 - Out-of-bounds write via unchecked multiplication Resolves: CVE-2016-8618 - Double-free in curl_maprintf Resolves: CVE-2016-8619 - Double-free in krb5 code Resolves: CVE-2016-8620 - Glob parser write/read out of bounds Resolves: CVE-2016-8621 - curl_getdate out-of-bounds read Resolves: CVE-2016-8622 - URL unescape heap overflow via integer truncation Resolves: CVE-2016-8623 - Use-after-free via shared cookies Resolves: CVE-2016-8624 - Invalid URL parsing with '#' Resolves: CVE-2016-8625 - IDNA 2003 makes curl use wrong host
This commit is contained in:
Kamil Dudka
parent
837f1f0f4e
commit
5169cd3899
|
|
@ -1,26 +0,0 @@
|
|||
From d6c42a5bf66d4d458b20836573d6989e53f7d423 Mon Sep 17 00:00:00 2001
|
||||
From: Kamil Dudka <kdudka@redhat.com>
|
||||
Date: Fri, 18 Feb 2011 17:49:59 +0100
|
||||
Subject: [PATCH] curl: work around valgrind bug (RHBZ#678518)
|
||||
|
||||
https://bugs.kde.org/show_bug.cgi?id=264936
|
||||
---
|
||||
tests/data/test165 | 3 +++
|
||||
1 files changed, 3 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/tests/data/test165 b/tests/data/test165
|
||||
index ddfe1e9..b2cbc4f 100644
|
||||
--- a/tests/data/test165
|
||||
+++ b/tests/data/test165
|
||||
@@ -54,5 +54,8 @@ Accept: */*
|
||||
Proxy-Connection: Keep-Alive
|
||||
|
||||
</protocol>
|
||||
+<valgrind>
|
||||
+disable
|
||||
+</valgrind>
|
||||
</verify>
|
||||
</testcase>
|
||||
--
|
||||
1.7.4
|
||||
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQEcBAABCgAGBQJX2OcWAAoJEFzJCP23HhLCOUkH/A+cGespPSg0Z8DH8P+VGBf2
|
||||
r4kKlx+BktOFmD9v35EGTUpLAmJ7rH573kOXXTuu4uBLN5P05Vy2Y6Pb3RJkutJA
|
||||
uXPg0tvIyopGWKSEPEsffk83YkunKr0DaCfILM2XyMZpAEvS6hUf+RZmSTOqNn8Y
|
||||
Yn6zO1FnhG/407w1T63eFovbfbjo4Qwh+CYkfLhzj9niGEEinocUqkni4F1AH1vj
|
||||
W1iCLCEa13bcBU1lw1AuPPYz8S5hAeOmZB2PQUj/Qa9rQq5iAfwfCuVAU8u/mVo1
|
||||
0LFzwh7/iV0a73GXL1KaCJ1MkiDgZwoSdtjLm+k0hcpOJR0NwU4TjLC7EyXEBrI=
|
||||
=s7H5
|
||||
-----END PGP SIGNATURE-----
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQEcBAABCgAGBQJYGY4MAAoJEFzJCP23HhLCNkQH/0AjH+fRd4vuv9/AoO2CjZGf
|
||||
JEXOPF2ZfKeBKc14dPfxhNj/klX3JvmLG9Z1jZLySWYl1/be0CM0LSoxh11rtioO
|
||||
FiScVNNdUOUnJ6b8m0qVoX1wx9lCn3pjVKGzkfCx4pZ3eZDhtSRBbKNe+92fSOTk
|
||||
nnMEDDj9q9C++yO8EMifDBfyX2u+JCpvnUu3EFa/znRjZB88Uyrc9Li+fl4aBfo1
|
||||
IyH8EGmM0QkYBuGZhQBGg6mYg8LkG0JROHpk+j3lh9hZNA2An7tIEhbqoktaLW2i
|
||||
Ude6R2g2/AdqfZrifY3fBXHc4d0XO4T7GIGREmo4TKDHTLDthKSNTTHt2a9dpiI=
|
||||
=v+YR
|
||||
-----END PGP SIGNATURE-----
|
||||
26
curl.spec
26
curl.spec
|
|
@ -1,7 +1,7 @@
|
|||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||
Name: curl
|
||||
Version: 7.50.3
|
||||
Release: 2%{?dist}
|
||||
Version: 7.51.0
|
||||
Release: 1%{?dist}
|
||||
License: MIT
|
||||
Group: Applications/Internet
|
||||
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
|
||||
|
|
@ -15,15 +15,12 @@ Patch102: 0102-curl-7.36.0-debug.patch
|
|||
# use localhost6 instead of ip6-localhost in the curl test-suite
|
||||
Patch104: 0104-curl-7.19.7-localhost6.patch
|
||||
|
||||
# work around valgrind bug (#678518)
|
||||
Patch107: 0107-curl-7.21.4-libidn-valgrind.patch
|
||||
|
||||
Provides: webclient
|
||||
URL: http://curl.haxx.se/
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
|
||||
BuildRequires: groff
|
||||
BuildRequires: krb5-devel
|
||||
BuildRequires: libidn-devel
|
||||
BuildRequires: libidn2-devel
|
||||
BuildRequires: libmetalink-devel
|
||||
BuildRequires: libnghttp2-devel
|
||||
BuildRequires: libpsl-devel
|
||||
|
|
@ -130,7 +127,6 @@ documentation of the library, too.
|
|||
%patch101 -p1
|
||||
%patch102 -p1
|
||||
%patch104 -p1
|
||||
%patch107 -p1
|
||||
|
||||
# disable test 1112 (#565305) and test 1801
|
||||
# <https://github.com/bagder/curl/commit/21e82bd6#commitcomment-12226582>
|
||||
|
|
@ -151,7 +147,7 @@ echo "1319" >> tests/data/DISABLED
|
|||
--enable-threaded-resolver \
|
||||
--with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \
|
||||
--with-gssapi${KRB5_PREFIX} \
|
||||
--with-libidn \
|
||||
--with-libidn2 \
|
||||
--with-libmetalink \
|
||||
--with-libpsl \
|
||||
--with-libssh2 \
|
||||
|
|
@ -230,6 +226,20 @@ rm -rf $RPM_BUILD_ROOT
|
|||
%{_datadir}/aclocal/libcurl.m4
|
||||
|
||||
%changelog
|
||||
* Wed Nov 02 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-1
|
||||
- new upstream release, which fixes the following vulnerabilities
|
||||
CVE-2016-8615 - Cookie injection for other servers
|
||||
CVE-2016-8616 - Case insensitive password comparison
|
||||
CVE-2016-8617 - Out-of-bounds write via unchecked multiplication
|
||||
CVE-2016-8618 - Double-free in curl_maprintf
|
||||
CVE-2016-8619 - Double-free in krb5 code
|
||||
CVE-2016-8620 - Glob parser write/read out of bounds
|
||||
CVE-2016-8621 - curl_getdate out-of-bounds read
|
||||
CVE-2016-8622 - URL unescape heap overflow via integer truncation
|
||||
CVE-2016-8623 - Use-after-free via shared cookies
|
||||
CVE-2016-8624 - Invalid URL parsing with '#'
|
||||
CVE-2016-8625 - IDNA 2003 makes curl use wrong host
|
||||
|
||||
* Thu Oct 20 2016 Kamil Dudka <kdudka@redhat.com> 7.50.3-3
|
||||
- drop 0103-curl-7.50.0-stunnel.patch no longer needed
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue