new upstream release - 7.58.0

Resolves: CVE-2018-1000005 - curl: HTTP/2 trailer out-of-bounds read Resolves: CVE-2018-1000007 - curl: HTTP authentication leak in redirects
2018-01-24 11:36:50 +01:00 · 2018-01-24 11:36:50 +01:00 · 93c55561d3
commit 93c55561d3
parent ed352e927e
6 changed files with 26 additions and 18 deletions
--- a/0101-curl-7.32.0-multilib.patch
+++ b/0101-curl-7.32.0-multilib.patch
@ -13,7 +13,7 @@ diff --git a/curl-config.in b/curl-config.in
 index 150004d..95d0759 100644
 --- a/curl-config.in
 +++ b/curl-config.in
-@@ -75,7 +75,7 @@ while test $# -gt 0; do
+@@ -76,7 +76,7 @@ while test $# -gt 0; do
         ;;
 
     --cc)
@ -22,7 +22,7 @@ index 150004d..95d0759 100644
         ;;
 
     --prefix)
-@@ -142,29 +142,14 @@ while test $# -gt 0; do
+@@ -143,32 +143,17 @@ while test $# -gt 0; do
         ;;
 
     --libs)
@ -38,6 +38,9 @@ index 150004d..95d0759 100644
 -        fi
 +        echo -lcurl
         ;;
+     --ssl-backends)
+         echo "@SSL_BACKENDS@"
+         ;;
 
     --static-libs)
 -        if test "X@ENABLE_STATIC@" != "Xno" ; then
@ -58,8 +61,8 @@ diff --git a/docs/curl-config.1 b/docs/curl-config.1
 index 14a9d2b..ffcc004 100644
 --- a/docs/curl-config.1
 +++ b/docs/curl-config.1
-@@ -66,7 +66,9 @@ be listed using uppercase and are separated by newlines. There may be none,
- one, or several protocols in the list. (Added in 7.13.0)
+@@ -70,7 +70,9 @@ no, one or several names. If more than one name, they will appear
+ comma-separated. (Added in 7.58.0)
 .IP "--static-libs"
 Shows the complete set of libs and other linker options you will need in order
 -to link your application with libcurl statically. (Added in 7.17.1)
--- a/0102-curl-7.36.0-debug.patch
+++ b/0102-curl-7.36.0-debug.patch
@ -12,7 +12,7 @@ diff --git a/configure b/configure
 index 8f079a3..53b4774 100755
 --- a/configure
 +++ b/configure
-@@ -16508,18 +16508,11 @@ $as_echo "yes" >&6; }
+@@ -16523,18 +16523,11 @@ $as_echo "yes" >&6; }
     gccvhi=`echo $gccver | cut -d . -f1`
     gccvlo=`echo $gccver | cut -d . -f2`
     compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
--- a/curl-7.57.0.tar.xz.asc
+++ b/curl-7.57.0.tar.xz.asc
@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAloefhsACgkQXMkI/bce
-EsJ5Wwf/W2iMekYTk+zF2iCvCSlTT93gRl1RXIi5v3lMO3H13Xv66304ny5/XEI8
-Mf0dfif/+ADV4Cm9Gsfs5Gx3d6IDtzRW66gpoNnEt/u6xLKlJWPAKHBEAOW7bDZU
-78qgEAmH1CVbzD+yc1vkSTZWc3ilfezjMfwUa5E5RkTtcoD6mTWzeMLm5doFxc3s
-NvPu40IlJ2Ss3jqRoKgvkGeUuOiQYUb7DDDCaSF6jZjB88J1HFYWU+i7zjVoAdD3
-jRVan6R5RJbJqvo9yKT0YWxbR2RKoQIydg8Xa7ocKTM6205vc94AXSHLSkjHMr+H
-5UgyAJvkk2FaoJIwLJUSTYE3RDlqog==
-=Kzqh
-----END PGP SIGNATURE-----
--- a/curl-7.58.0.tar.xz.asc
+++ b/curl-7.58.0.tar.xz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlpoMGsACgkQXMkI/bce
+EsIxtwgAnazhBf4KjF3bw1XNxgjkWVUwqLlLwEElg4tD6g/uYw9VeZQyy2wQGmgc
+yKx2WrfqLDmE1gAqKgvGLdS6qvMtv0x/3gNjOy4/LVYBlVqP+k5p0XZhV3jcg929
+Hkv/Fgp1yvtks98CGEIp6xJSjlnL3x5VEsMslXO7dpfq+6gvnbBVBP7QUOb/CYDg
+LHHAIZFSQuTeLKAvvl1koZAZnZ5zD3dtwL8rK4CVD0ugwJplJvGbvoIMNu9uagUZ
+CpBV0Pyv0AUsMTohszyOovi/RizHWl8xTynreJh+sx++NZEX2KjsnISpZAxmD6r5
+dtt21mdhrRSsAXmHD8q5LnbrKosbvQ==
+=ZqfQ
+-----END PGP SIGNATURE-----
--- a/curl.spec
+++ b/curl.spec
@ -1,6 +1,6 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.57.0
+Version: 7.58.0
 Release: 1%{?dist}
 License: MIT
 Group: Applications/Internet
@ -298,6 +298,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.[0-9].[0-9].[0-9].minimal

 %changelog
+* Wed Jan 24 2018 Kamil Dudka <kdudka@redhat.com> - 7.58.0-1
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2018-1000005 - curl: HTTP/2 trailer out-of-bounds read
+    CVE-2018-1000007 - curl: HTTP authentication leak in redirects
+
 * Wed Nov 29 2017 Kamil Dudka <kdudka@redhat.com> - 7.57.0-1
 - new upstream release, which fixes the following vulnerabilities
    CVE-2017-8816 - curl: NTLM buffer overflow via integer overflow
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (curl-7.57.0.tar.xz) = 200076753e3d7b9f3edd381937cb72710f4051b2f041102b49626e4e82c3f50d2bf4917b9ddb957fde37753e9457c81087c792528077916ae5c04875944a6b8d
+SHA512 (curl-7.58.0.tar.xz) = 965affc74ab8f8c94d1b79ebb8012ca4c1a482c7a3282f2661f6382163e47e3ea657398c1a4202008d0c683a3d2266a05a64a26bd514a64a08e4fe83929dcae5