From 5169cd38995965933c5ac9b73f4054a1ae20653e Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 2 Nov 2016 10:26:24 +0100 Subject: [PATCH] new upstream release - 7.51.0 Resolves: CVE-2016-8615 - Cookie injection for other servers Resolves: CVE-2016-8616 - Case insensitive password comparison Resolves: CVE-2016-8617 - Out-of-bounds write via unchecked multiplication Resolves: CVE-2016-8618 - Double-free in curl_maprintf Resolves: CVE-2016-8619 - Double-free in krb5 code Resolves: CVE-2016-8620 - Glob parser write/read out of bounds Resolves: CVE-2016-8621 - curl_getdate out-of-bounds read Resolves: CVE-2016-8622 - URL unescape heap overflow via integer truncation Resolves: CVE-2016-8623 - Use-after-free via shared cookies Resolves: CVE-2016-8624 - Invalid URL parsing with '#' Resolves: CVE-2016-8625 - IDNA 2003 makes curl use wrong host --- 0107-curl-7.21.4-libidn-valgrind.patch | 26 -------------------------- curl-7.50.3.tar.lzma.asc | 10 ---------- curl-7.51.0.tar.lzma.asc | 10 ++++++++++ curl.spec | 26 ++++++++++++++++++-------- sources | 2 +- 5 files changed, 29 insertions(+), 45 deletions(-) delete mode 100644 0107-curl-7.21.4-libidn-valgrind.patch delete mode 100644 curl-7.50.3.tar.lzma.asc create mode 100644 curl-7.51.0.tar.lzma.asc diff --git a/0107-curl-7.21.4-libidn-valgrind.patch b/0107-curl-7.21.4-libidn-valgrind.patch deleted file mode 100644 index 719b3a6..0000000 --- a/0107-curl-7.21.4-libidn-valgrind.patch +++ /dev/null @@ -1,26 +0,0 @@ -From d6c42a5bf66d4d458b20836573d6989e53f7d423 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Fri, 18 Feb 2011 17:49:59 +0100 -Subject: [PATCH] curl: work around valgrind bug (RHBZ#678518) - -https://bugs.kde.org/show_bug.cgi?id=264936 ---- - tests/data/test165 | 3 +++ - 1 files changed, 3 insertions(+), 0 deletions(-) - -diff --git a/tests/data/test165 b/tests/data/test165 -index ddfe1e9..b2cbc4f 100644 ---- a/tests/data/test165 -+++ b/tests/data/test165 -@@ -54,5 +54,8 @@ Accept: */* - Proxy-Connection: Keep-Alive - - -+ -+disable -+ - - --- -1.7.4 - diff --git a/curl-7.50.3.tar.lzma.asc b/curl-7.50.3.tar.lzma.asc deleted file mode 100644 index f51fcc1..0000000 --- a/curl-7.50.3.tar.lzma.asc +++ /dev/null @@ -1,10 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEcBAABCgAGBQJX2OcWAAoJEFzJCP23HhLCOUkH/A+cGespPSg0Z8DH8P+VGBf2 -r4kKlx+BktOFmD9v35EGTUpLAmJ7rH573kOXXTuu4uBLN5P05Vy2Y6Pb3RJkutJA -uXPg0tvIyopGWKSEPEsffk83YkunKr0DaCfILM2XyMZpAEvS6hUf+RZmSTOqNn8Y -Yn6zO1FnhG/407w1T63eFovbfbjo4Qwh+CYkfLhzj9niGEEinocUqkni4F1AH1vj -W1iCLCEa13bcBU1lw1AuPPYz8S5hAeOmZB2PQUj/Qa9rQq5iAfwfCuVAU8u/mVo1 -0LFzwh7/iV0a73GXL1KaCJ1MkiDgZwoSdtjLm+k0hcpOJR0NwU4TjLC7EyXEBrI= -=s7H5 ------END PGP SIGNATURE----- diff --git a/curl-7.51.0.tar.lzma.asc b/curl-7.51.0.tar.lzma.asc new file mode 100644 index 0000000..e52e6c9 --- /dev/null +++ b/curl-7.51.0.tar.lzma.asc @@ -0,0 +1,10 @@ +-----BEGIN PGP SIGNATURE----- + +iQEcBAABCgAGBQJYGY4MAAoJEFzJCP23HhLCNkQH/0AjH+fRd4vuv9/AoO2CjZGf +JEXOPF2ZfKeBKc14dPfxhNj/klX3JvmLG9Z1jZLySWYl1/be0CM0LSoxh11rtioO +FiScVNNdUOUnJ6b8m0qVoX1wx9lCn3pjVKGzkfCx4pZ3eZDhtSRBbKNe+92fSOTk +nnMEDDj9q9C++yO8EMifDBfyX2u+JCpvnUu3EFa/znRjZB88Uyrc9Li+fl4aBfo1 +IyH8EGmM0QkYBuGZhQBGg6mYg8LkG0JROHpk+j3lh9hZNA2An7tIEhbqoktaLW2i +Ude6R2g2/AdqfZrifY3fBXHc4d0XO4T7GIGREmo4TKDHTLDthKSNTTHt2a9dpiI= +=v+YR +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 46e9bd7..c2f821b 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.50.3 -Release: 2%{?dist} +Version: 7.51.0 +Release: 1%{?dist} License: MIT Group: Applications/Internet Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma @@ -15,15 +15,12 @@ Patch102: 0102-curl-7.36.0-debug.patch # use localhost6 instead of ip6-localhost in the curl test-suite Patch104: 0104-curl-7.19.7-localhost6.patch -# work around valgrind bug (#678518) -Patch107: 0107-curl-7.21.4-libidn-valgrind.patch - Provides: webclient URL: http://curl.haxx.se/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: groff BuildRequires: krb5-devel -BuildRequires: libidn-devel +BuildRequires: libidn2-devel BuildRequires: libmetalink-devel BuildRequires: libnghttp2-devel BuildRequires: libpsl-devel @@ -130,7 +127,6 @@ documentation of the library, too. %patch101 -p1 %patch102 -p1 %patch104 -p1 -%patch107 -p1 # disable test 1112 (#565305) and test 1801 # @@ -151,7 +147,7 @@ echo "1319" >> tests/data/DISABLED --enable-threaded-resolver \ --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \ --with-gssapi${KRB5_PREFIX} \ - --with-libidn \ + --with-libidn2 \ --with-libmetalink \ --with-libpsl \ --with-libssh2 \ @@ -230,6 +226,20 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/libcurl.m4 %changelog +* Wed Nov 02 2016 Kamil Dudka 7.51.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2016-8615 - Cookie injection for other servers + CVE-2016-8616 - Case insensitive password comparison + CVE-2016-8617 - Out-of-bounds write via unchecked multiplication + CVE-2016-8618 - Double-free in curl_maprintf + CVE-2016-8619 - Double-free in krb5 code + CVE-2016-8620 - Glob parser write/read out of bounds + CVE-2016-8621 - curl_getdate out-of-bounds read + CVE-2016-8622 - URL unescape heap overflow via integer truncation + CVE-2016-8623 - Use-after-free via shared cookies + CVE-2016-8624 - Invalid URL parsing with '#' + CVE-2016-8625 - IDNA 2003 makes curl use wrong host + * Thu Oct 20 2016 Kamil Dudka 7.50.3-3 - drop 0103-curl-7.50.0-stunnel.patch no longer needed diff --git a/sources b/sources index 55ec8da..a427d2d 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -6080c1eb3e72d5da6c892ba72a074ad2 curl-7.50.3.tar.lzma +0f876ef6d5776d96b08510461d57db1b curl-7.51.0.tar.lzma