new upstream release - 7.72.0
Resolves: CVE-2020-8231 - libcurl: wrong connect-only connection
parent
840be82e6f
commit
e7a12a6b7b
@ -1,65 +0,0 @@
|
||||
From a58654cbc5bea608b9c8729703a6d866ffaae8d8 Mon Sep 17 00:00:00 2001
|
||||
From: Kamil Dudka <kdudka@redhat.com>
|
||||
Date: Thu, 2 Jul 2020 17:41:37 +0200
|
||||
Subject: [PATCH 1/2] tool_getparam: make --krb option work again
|
||||
|
||||
It was disabled by mistake in commit curl-7_37_1-23-ge38ba4301.
|
||||
|
||||
Bug: https://bugzilla.redhat.com/1833193
|
||||
Closes #5640
|
||||
|
||||
Upstream-commit: d2fd845c35922ca73b89c617597dd5c59772e16a
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
src/tool_getparam.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
|
||||
index 3409621..9c6bc8a 100644
|
||||
--- a/src/tool_getparam.c
|
||||
+++ b/src/tool_getparam.c
|
||||
@@ -813,7 +813,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
|
||||
break;
|
||||
case 'x': /* --krb */
|
||||
/* kerberos level string */
|
||||
- if(curlinfo->features & CURL_VERSION_KERBEROS4)
|
||||
+ if(curlinfo->features & CURL_VERSION_SPNEGO)
|
||||
GetStr(&config->krblevel, nextarg);
|
||||
else
|
||||
return PARAM_LIBCURL_DOESNT_SUPPORT;
|
||||
--
|
||||
2.21.3
|
||||
|
||||
|
||||
From 0be44560dfe3597a12b21b95798f69714ff0459a Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Thu, 2 Jul 2020 23:46:40 +0200
|
||||
Subject: [PATCH 2/2] curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated
|
||||
|
||||
This came up in #5640. It make sense to clarify this in the docs!
|
||||
|
||||
Reminded-by: Kamil Dudka
|
||||
Closes #5642
|
||||
|
||||
Upstream-commit: 54f21be2e3a64b9e57130cf6d1eb4f17c44d7967
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
docs/libcurl/curl_version_info.3 | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/docs/libcurl/curl_version_info.3 b/docs/libcurl/curl_version_info.3
|
||||
index 2d21dfb..0d26e87 100644
|
||||
--- a/docs/libcurl/curl_version_info.3
|
||||
+++ b/docs/libcurl/curl_version_info.3
|
||||
@@ -151,7 +151,7 @@ letters. (Added in 7.12.0)
|
||||
.IP CURL_VERSION_IPV6
|
||||
supports IPv6
|
||||
.IP CURL_VERSION_KERBEROS4
|
||||
-supports Kerberos V4 (when using FTP)
|
||||
+supports Kerberos V4 (when using FTP). Legacy bit. Deprecated since 7.33.0.
|
||||
.IP CURL_VERSION_KERBEROS5
|
||||
supports Kerberos V5 authentication for FTP, IMAP, POP3, SMTP and SOCKSv5 proxy
|
||||
(Added in 7.40.0)
|
||||
--
|
||||
2.21.3
|
||||
|
@ -1,148 +0,0 @@
|
||||
From 750188fc8eb239f51255d6f3510f544377e78ecd Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Mon, 27 Jul 2020 11:44:01 +0200
|
||||
Subject: [PATCH 1/3] setopt: unset NOBODY switches to GET if still HEAD
|
||||
|
||||
Unsetting CURLOPT_NOBODY with 0L when doing HTTP has no documented
|
||||
action but before 7.71.0 that used to switch back to GET and with this
|
||||
change (assuming the method is still set to HEAD) this behavior is
|
||||
brought back.
|
||||
|
||||
Reported-by: causal-agent on github
|
||||
Fixes #5725
|
||||
Closes #5728
|
||||
|
||||
Upstream-commit: 91cb16b21faa556d4467399781379ad3abafd3fe
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/setopt.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/lib/setopt.c b/lib/setopt.c
|
||||
index 90edf6a..d621335 100644
|
||||
--- a/lib/setopt.c
|
||||
+++ b/lib/setopt.c
|
||||
@@ -274,6 +274,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||
if(data->set.opt_no_body)
|
||||
/* in HTTP lingo, no body means using the HEAD request... */
|
||||
data->set.method = HTTPREQ_HEAD;
|
||||
+ else if(data->set.method == HTTPREQ_HEAD)
|
||||
+ data->set.method = HTTPREQ_GET;
|
||||
break;
|
||||
case CURLOPT_FAILONERROR:
|
||||
/*
|
||||
--
|
||||
2.25.4
|
||||
|
||||
|
||||
From 44add6f66c7ddec9f002fb52ce8e893a8ca9165d Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Mon, 27 Jul 2020 11:54:29 +0200
|
||||
Subject: [PATCH 2/3] CURLOPT_NOBODY.3: clarify what setting to 0 means
|
||||
|
||||
... and mention that HTTP with other methods than HEAD might get a body and
|
||||
there's no option available to stop that.
|
||||
|
||||
Closes #5729
|
||||
|
||||
Upstream-commit: e1bac81cc815f3fe968e009eb69b8e0236dcd82c
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
docs/libcurl/opts/CURLOPT_NOBODY.3 | 22 ++++++++++++++++------
|
||||
1 file changed, 16 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/docs/libcurl/opts/CURLOPT_NOBODY.3 b/docs/libcurl/opts/CURLOPT_NOBODY.3
|
||||
index f720f49..3674dde 100644
|
||||
--- a/docs/libcurl/opts/CURLOPT_NOBODY.3
|
||||
+++ b/docs/libcurl/opts/CURLOPT_NOBODY.3
|
||||
@@ -5,7 +5,7 @@
|
||||
.\" * | (__| |_| | _ <| |___
|
||||
.\" * \___|\___/|_| \_\_____|
|
||||
.\" *
|
||||
-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
.\" *
|
||||
.\" * This software is licensed as described in the file COPYING, which
|
||||
.\" * you should have received as part of this distribution. The terms
|
||||
@@ -34,7 +34,17 @@ output when doing what would otherwise be a download. For HTTP(S), this makes
|
||||
libcurl do a HEAD request. For most other protocols it means just not asking
|
||||
to transfer the body data.
|
||||
|
||||
-Enabling this option means asking for a download but without a body.
|
||||
+For HTTP operations when \fBCURLOPT_NOBODY(3)\fP has been set, unsetting the
|
||||
+option (with 0) will make it a GET again - only if the method is still set to
|
||||
+be HEAD. The proper way to get back to a GET request is to set
|
||||
+\fBCURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD
|
||||
+options.
|
||||
+
|
||||
+Enabling \fBCURLOPT_NOBODY(3)\fP means asking for a download without a body.
|
||||
+
|
||||
+If you do a transfer with HTTP that involves a method other than HEAD, you
|
||||
+will get a body (unless the resource and server sends a zero byte body for the
|
||||
+specific URL you request).
|
||||
.SH DEFAULT
|
||||
0, the body is transferred
|
||||
.SH PROTOCOLS
|
||||
@@ -43,9 +53,9 @@ Most
|
||||
.nf
|
||||
curl = curl_easy_init();
|
||||
if(curl) {
|
||||
- curl_easy_setopt(curl, CURLOPT_URL, "http://example.com");
|
||||
+ curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
|
||||
|
||||
- /* get us the resource without a body! */
|
||||
+ /* get us the resource without a body - use HEAD! */
|
||||
curl_easy_setopt(curl, CURLOPT_NOBODY, 1L);
|
||||
|
||||
/* Perform the request */
|
||||
@@ -57,5 +67,5 @@ Always
|
||||
.SH RETURN VALUE
|
||||
Returns CURLE_OK
|
||||
.SH "SEE ALSO"
|
||||
-.BR CURLOPT_HTTPGET "(3), " CURLOPT_POST "(3), "
|
||||
-.BR CURLOPT_REQUEST_TARGET "(3), "
|
||||
+.BR CURLOPT_HTTPGET "(3), " CURLOPT_POSTFIELDS "(3), " CURLOPT_UPLOAD "(3), "
|
||||
+.BR CURLOPT_REQUEST_TARGET "(3), " CURLOPT_MIMEPOST "(3), "
|
||||
--
|
||||
2.25.4
|
||||
|
||||
|
||||
From cc8e488c83254013a0ad1149a77565723aee870b Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Mon, 27 Jul 2020 23:59:00 +0200
|
||||
Subject: [PATCH 3/3] CURLOPT_NOBODY.3: fix the syntax for referring to options
|
||||
|
||||
As test 1140 fails otherwise!
|
||||
|
||||
Follow-up to e1bac81cc815
|
||||
|
||||
Upstream-commit: 34e5ad21d2cb98475acdbf7a3a6ea973d8c12249
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
docs/libcurl/opts/CURLOPT_NOBODY.3 | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/docs/libcurl/opts/CURLOPT_NOBODY.3 b/docs/libcurl/opts/CURLOPT_NOBODY.3
|
||||
index 3674dde..112fb1a 100644
|
||||
--- a/docs/libcurl/opts/CURLOPT_NOBODY.3
|
||||
+++ b/docs/libcurl/opts/CURLOPT_NOBODY.3
|
||||
@@ -34,13 +34,13 @@ output when doing what would otherwise be a download. For HTTP(S), this makes
|
||||
libcurl do a HEAD request. For most other protocols it means just not asking
|
||||
to transfer the body data.
|
||||
|
||||
-For HTTP operations when \fBCURLOPT_NOBODY(3)\fP has been set, unsetting the
|
||||
+For HTTP operations when \fICURLOPT_NOBODY(3)\fP has been set, unsetting the
|
||||
option (with 0) will make it a GET again - only if the method is still set to
|
||||
be HEAD. The proper way to get back to a GET request is to set
|
||||
-\fBCURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD
|
||||
+\fICURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD
|
||||
options.
|
||||
|
||||
-Enabling \fBCURLOPT_NOBODY(3)\fP means asking for a download without a body.
|
||||
+Enabling \fICURLOPT_NOBODY(3)\fP means asking for a download without a body.
|
||||
|
||||
If you do a transfer with HTTP that involves a method other than HEAD, you
|
||||
will get a body (unless the resource and server sends a zero byte body for the
|
||||
--
|
||||
2.25.4
|
||||
|
@ -31,7 +31,7 @@ index 150004d..95d0759 100644
|
||||
- else
|
||||
- CURLLIBDIR=""
|
||||
- fi
|
||||
- if test "X@ENABLE_SHARED@" = "Xno" -o "X@REQUIRE_LIB_DEPS@" = "Xyes"; then
|
||||
- if test "X@ENABLE_SHARED@" = "Xno"; then
|
||||
- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@
|
||||
- else
|
||||
- echo ${CURLLIBDIR}-lcurl
|
||||
|
@ -26,7 +26,7 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
|
||||
index 080421b..ea3b806 100644
|
||||
--- a/tests/libtest/Makefile.inc
|
||||
+++ b/tests/libtest/Makefile.inc
|
||||
@@ -590,6 +590,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||
@@ -594,6 +594,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||
lib1559_LDADD = $(TESTUTIL_LIBS)
|
||||
|
||||
lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||
|
@ -1,11 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl78MUgACgkQXMkI/bce
|
||||
EsJkEgf/ZDR7QKw9aPQoT2dOyqoCTKip1fLCtJBEOmctjS86zF+1caPABYLV1kq6
|
||||
9baz7L2qWOmDdHkxF4poTpPH9CkcG3Krq6lHFjbFQ0GxMC+MEnnFYKfDVrRopaKq
|
||||
ioBUnZrRSIytgwbiwxB+uxxa4ItzV6tZNVKIiIZOuuVSAZ9azA/swpezet8x2kxg
|
||||
yp1Y3oe0R1VCYiCJ2EOB/rMs0ndPHSRuWiCCIBK7uPXA0jJsL4rjhmY5l2qAadfy
|
||||
6iDpk85CJvQcGcC8nZMmpbivniOjIjEefjeXviLvg5dZi7f3M028QyGpkkUVzf27
|
||||
FiWCDZuZkp9ed2eLIBGWo/wy70f2pw==
|
||||
=0YwO
|
||||
-----END PGP SIGNATURE-----
|
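--- a/curl-7.72.0.tar.xz.asc
+++ b/curl-7.72.0.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl881xgACgkQXMkI/bce
+EsIjuwgAj6aeQgnWkubxxXAQ2kbckLh6QUKZWJQxPjb91kz98cGRcrdGRP292JFN
+qQprls4rFTWWOIVVMP/kdheeNI9LqDvQAfZMCaLFAWUdw1L2pbId7VbV+NuTAce8
+V/ENqh+Xj2q2LsMnj02k0Uc1e6Nh1K4al2hwFiozarI/ltb3q7jZN2P2fAmDX89y
+f3VsVfNZgv7VIwlX2d3b1RvMdppMFrDC3ZsAXlg2GQZ5sE7yfa2Qq+J5RzaNvEDh
+p3pMbPiNgk1ZuGQrzoiYq9tqK/o7pD2t4h2GsftppALxC3SsoneNrdnly910IfKh
+8qczoMpszBs8F7jts6KnfXszyhyyhQ==
+=sC+U
+-----END PGP SIGNATURE-----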
16
curl.spec
16
curl.spec
@ -1,16 +1,10 @@
|
||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||
Name: curl
|
||||
Version: 7.71.1
|
||||
Release: 5%{?dist}
|
||||
Version: 7.72.0
|
||||
Release: 1%{?dist}
|
||||
License: MIT
|
||||
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
|
||||
|
||||
# curl: make the --krb option work again (#1833193)
|
||||
Patch1: 0001-curl-7.71.1-tool-krb-opt.patch
|
||||
|
||||
# setopt: unset NOBODY switches to GET if still HEAD
|
||||
Patch2: 0002-curl-7.71.1-unset-nobody.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
@ -178,8 +172,6 @@ be installed.
|
||||
%setup -q
|
||||
|
||||
# upstream patches
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch101 -p1
|
||||
@ -358,6 +350,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||
|
||||
%changelog
|
||||
* Wed Aug 19 2020 Kamil Dudka <kdudka@redhat.com> - 7.72.0-1
|
||||
- new upstream release, which fixes the following vulnerability
|
||||
CVE-2020-8231 - libcurl: wrong connect-only connection
|
||||
|
||||
* Thu Aug 06 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-5
|
||||
- setopt: unset NOBODY switches to GET if still HEAD
|
||||
|
||||
|
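Review bot: The detached signature for the new tarball is committed alongside the spec, but nothing in the visible hunks uses it: the first hunk lists only `Source:` between `License:` and the patch list, and the `%prep` hunk starts at `%setup -q` with no verification step in view. As shown, the integrity of the 7.72.0 tarball rests on the SHA512 in `sources` alone, which is recorded by whoever uploads the tarball rather than by upstream. Consider adding `Source1: %{name}-%{version}.tar.xz.asc` plus a keyring source, and running `%{gpgverify --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'}` ahead of `%setup -q` (with `BuildRequires: gnupg2`). The spec lines between the hunks are not shown, so confirm this is not already done there.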
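--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (curl-7.71.1.tar.xz) = 631e0ee8562e5029fe022bfab4222836a3e6d666e82e2bfbd78311fe5985105218a36d1ea68c93472fc57a12b713957a3bcca6e385eda4e58a47ca8d5d50265b
+SHA512 (curl-7.72.0.tar.xz) = e5025a32eac6108ccb13d1fcce9c2de28b3a6d6e9a258a647c4be45d71718f75653e1ccd477ef5f29242a15588255c4ef43fe47bf9908b938b6769fccfaac107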