Commit Graph

570 Commits

Author SHA1 Message Date
Kamil Dudka 9b08152998 Resolves: CVE-2022-32207 - fix unpreserved file permissions 2022-06-29 11:06:56 +02:00
Kamil Dudka 45b18a48b4 Resolves: CVE-2022-32205 - fix Set-Cookie denial of service 2022-06-29 11:05:48 +02:00
Kamil Dudka c76b2a1a9f Resolves: CVE-2022-32206 - fix HTTP compression denial of service 2022-06-29 11:04:02 +02:00
Kamil Dudka 424d9c193f Resolves: CVE-2022-32208 - fix FTP-KRB bad message verification 2022-06-29 10:56:13 +02:00
Lukáš Zaoral c637ed663b tests/non-root-user-download: fix test failures 2022-05-12 12:37:03 +02:00
Kamil Dudka a28fa4e5f0 Resolves: CVE-2022-27782 - fix too eager reuse of TLS and SSH connections 2022-05-11 10:56:40 +02:00
Kamil Dudka bd1119154c Resolves: CVE-2022-27779 - do not accept cookies for TLD with trailing dot 2022-05-11 10:55:31 +02:00
Kamil Dudka d8e56f956c Resolves: CVE-2022-30115 - hsts: ignore trailing dots when comparing hosts names 2022-05-11 10:53:45 +02:00
Kamil Dudka f35a1d48bb Resolves: CVE-2022-27780 - reject percent-encoded path separator in URL host 2022-05-11 10:52:16 +02:00
Kamil Dudka 43690cb3af Resolves: CVE-2022-27774 - fix leak of SRP credentials in redirects 2022-05-02 10:00:34 +02:00
Kamil Dudka 02810cd68e Resolves: CVE-2022-27774 - fix credential leak on redirect 2022-04-28 10:04:45 +02:00
Kamil Dudka ee9c88927d Resolves: CVE-2022-27776 - fix auth/cookie leak on redirect 2022-04-28 09:57:55 +02:00
Kamil Dudka 159cab915b Resolves: CVE-2022-27775 - fix bad local IPv6 connection reuse 2022-04-28 09:56:54 +02:00
Kamil Dudka fd4baaca6f Resolves: CVE-2022-22576 - fix OAUTH2 bearer bypass in connection re-use 2022-04-28 09:52:56 +02:00
Kamil Dudka 321dbf8171 openssl: fix incorrect CURLE_OUT_OF_MEMORY error
... on CN check failure, which was breaking the test-suite of pycurl.

Reported-by: Lukas Zaoral
2022-03-15 14:10:04 +01:00
Kamil Dudka c8f5ee33a6 new upstream release - 7.82.0 2022-03-05 15:40:16 +01:00
Fedora Release Engineering c3286199cb - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-01-20 00:08:37 +00:00
Kamil Dudka 3e801a6f9f new upstream release - 7.81.0 2022-01-05 09:35:58 +01:00
Paul Howarth 503307b687 sshserver.pl (used in test suite) now requires the Digest::SHA perl module 2021-11-14 17:06:12 +00:00
Kamil Dudka ef0743b641 new upstream release - 7.80.0 2021-11-10 09:03:50 +01:00
Kamil Dudka ac00a5bac0 temporarily disable tests 300{0,1} on x86_64
stunnel clashes with itself
2021-10-27 13:57:07 +02:00
Kamil Dudka 94a3e807dd Related: #2005874 - re-enable HSTS in libcurl-minimal
... as a security feature
2021-10-26 17:15:50 +02:00
Miroslav Vadkerti 1b982b367e Migrate tests to tmt
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
2021-10-05 06:26:42 +00:00
Kamil Dudka a0acb0cc77 Related: #2005874 - use correct bug ID in the change log 2021-10-04 12:29:42 +02:00
Kamil Dudka d4c5b54bf3 run upstream tests for both curl-minimal and curl-full
As we made libcurl-minimal more minimal, it differs more from
libcurl-full and it should be tested separately.  On the other
hand, the test-suite for libcurl-minimal runs faster now because
more tests are skipped.
2021-10-04 09:55:13 +02:00
Kamil Dudka 5ebead952b Resolves: #1994521 - disable more protocols and features in libcurl-minimal
... to limit vulnerability exposure in case there is a CVE in curl
in some of the rarer protocols
2021-10-04 09:55:11 +02:00
Kamil Dudka 54117120e4 explicitly disable zstd while configuring curl
... in order to make local builds closer to what we get from Koji
2021-10-04 09:54:25 +02:00
Kamil Dudka c2f61abc1c curl.spec: align the lists of configure options
... to make it easier to extend the lists
2021-10-04 09:54:25 +02:00
Kamil Dudka 407e3960e4 new upstream release - 7.79.1 2021-09-22 09:16:36 +02:00
Kamil Dudka e2155b2695 fix regression in http2 implementation
... introduced in the last release
2021-09-16 12:26:16 +02:00
Sahana Prasad f97c73e9d7 Rebuilt with OpenSSL 3.0.0 2021-09-16 12:23:37 +02:00
Kamil Dudka 31329d9443 forgot to bump release in the previous commit 2021-09-16 08:51:26 +02:00
Kamil Dudka 25f443ae12 make SCP/SFTP tests work with openssh-8.7p1 2021-09-16 08:45:33 +02:00
Kamil Dudka 287da1ceec temporarily disable test 1184
... which occasionally fails on aarch64/armv7hl Koji builders
for no apparent reason
2021-09-15 10:55:21 +02:00
Kamil Dudka d02617d325 new upstream release - 7.79.0
Resolves: CVE-2021-22947 - STARTTLS protocol injection via MITM
Resolves: CVE-2021-22946 - protocol downgrade required TLS bypassed
Resolves: CVE-2021-22945 - use-after-free and double-free in MQTT sending
2021-09-15 09:09:11 +02:00
Sahana Prasad 62e2b8d564 Rebuilt with OpenSSL 3.0.0 2021-09-14 19:00:02 +02:00
Kamil Dudka f964aefff3 make explicit dependency on openssl work with alpha/beta builds of openssl
Reported-by: Daniel Rusek
2021-07-23 17:15:57 +02:00
Fedora Release Engineering adeb2cb476 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-07-21 20:15:37 +00:00
Kamil Dudka 85619bdba3 disable tests 320..322 on ppc64le where it started to hang/fail
... in Koji environment only.  I was not able to reproduce the issues
with the fedora-rawhide-ppc64le buildroot in mock on a ppc64le machine.
2021-07-21 15:53:36 +02:00
Kamil Dudka 0ac0b6fbd1 prevent valgrind from being extremely slow 2021-07-21 12:39:45 +02:00
Kamil Dudka c921b2c69d remove a valgrind-related patch no longer needed 2021-07-21 12:38:15 +02:00
Kamil Dudka ef5a5be78e temporarily disable test 1452 on s390x
... where the client times out
2021-07-21 12:06:57 +02:00
Kamil Dudka 64bcb4bcc1 new upstream release - 7.78.0
Resolves: CVE-2021-22925 - TELNET stack contents disclosure again
Resolves: CVE-2021-22924 - bad connection reuse due to flawed path name checks
Resolves: CVE-2021-22923 - metalink download sends credentials
Resolves: CVE-2021-22922 - wrong content via metalink not discarded
2021-07-21 10:22:33 +02:00
Stewart Smith ece67bdd2f gpgverify source tarball
Signed-off-by: Stewart Smith <trawets@amazon.com>
2021-07-09 18:42:11 +00:00
Kamil Dudka ddaf41062c Resolves: #1967213 - build the curl tool without metalink support
Today curl upstream announced that they are going to completely remove
support for metalink from curl already in the next release of curl due
to a number of difficult to fix security issues:

    https://curl.se/mail/archive-2021-06/0006.html
    https://github.com/curl/curl/pull/7176
2021-06-02 19:55:01 +02:00
Kamil Dudka 4c89d92ee7 new upstream release - 7.77.0
Resolves: CVE-2021-22901 - TLS session caching disaster
Resolves: CVE-2021-22898 - TELNET stack contents disclosure
2021-05-26 09:20:35 +02:00
Kamil Dudka 4b7b124d75 Resolves: #1938699 - http2: fix resource leaks detected by Coverity 2021-05-03 17:54:40 +02:00
Kamil Dudka bf8bb4b5b4 new upstream release - 7.76.1 2021-04-14 09:54:33 +02:00
Kamil Dudka a0d250c162 new upstream release - 7.76.0
Resolves: CVE-2021-22890 - TLS 1.3 session ticket proxy host mixup
Resolves: CVE-2021-22876 - Automatic referer leaks credentials
2021-03-31 10:47:25 +02:00
Kamil Dudka 25676e54ef replace 0104-curl-7.73.0-localhost6.patch by sed invocation
... to avoid conflict resolution on new upstream releases
2021-03-31 10:47:24 +02:00