Hello community, here is the log from the commit of package curl for openSUSE:Factory checked in at 2019-05-25 13:19:57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/curl (Old) and /work/SRC/openSUSE:Factory/.curl.new.5148 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "curl" Sat May 25 13:19:57 2019 rev:146 rq:704820 version:7.65.0 Changes: -------- --- /work/SRC/openSUSE:Factory/curl/curl-mini.changes 2019-04-15 11:50:29.938488128 +0200 +++ /work/SRC/openSUSE:Factory/.curl.new.5148/curl-mini.changes 2019-05-25 13:19:59.252342080 +0200 @@ -1,0 +2,101 @@ +Wed May 22 11:41:49 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> + +- Update to 7.65.0 [bsc#1135176, CVE-2019-5435][bsc#1135170, CVE-2019-5436] + * Changes: + - CURLOPT_DNS_USE_GLOBAL_CACHE: removed + - CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse + - pipelining: removed + * Bugfixes: + - CVE-2019-5435: Integer overflows in curl_url_set + - CVE-2019-5436: tftp: use the current blksize for recvfrom() + - --config: clarify that initial : and = might need quoting + - CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk + - CURLOPT_ADDRESS_SCOPE: fix range check and more + - CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value + - CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE + - CURL_MAX_INPUT_LENGTH: largest acceptable string input size + - Curl_disconnect: treat all CONNECT_ONLY connections as "dead" + - OS400/ccsidcurl: replace use of Curl_vsetopt + - OpenSSL: Report -fips in version if OpenSSL is built with FIPS + - WRITEFUNCTION: add missing set_in_callback around callback + - altsvc: Fix building with cookies disabled + - auth: Rename the various authentication clean up functions + - base64: build conditionally if there are users + - cmake: avoid linking executable for some tests with cmake 3.6+ + - cmake: clear CMAKE_REQUIRED_LIBRARIES after each use + - cmake: set SSL_BACKENDS + - configure: avoid unportable '==' test(1) operator + - configure: error out if OpenSSL wasn't detected when asked for + - configure: fix default location for fish completions + - cookie: Guard against possible NULL ptr deref + - curl: make code work with protocol-disabled libcurl + - curl: report error for "--no-" on non-boolean options + - curlver.h: use parenthesis in CURL_VERSION_BITS macro + - docs/INSTALL: fix broken link + - doh: acknowledge CURL_DISABLE_DOH + - doh: disable DOH for the cases it doesn't work + - examples: remove unused variables + - ftplistparser: fix LGTM alert "Empty block without comment" + - hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS + - http: Ignore HTTP/2 prior knowledge setting for HTTP proxies + - http: acknowledge CURL_DISABLE_HTTP_AUTH + - http: mark bundle as not for multiuse on < HTTP/2 response + - http_digest: Don't expose functions when HTTP and Crypto Auth are disabled + - http_negotiate: do not treat failure of gss_init_sec_context() as fatal + - http_ntlm: Corrected the name of the include guard + - http_ntlm_wb: Handle auth for only a single request + - http_ntlm_wb: Return the correct error on receiving an empty auth message + - lib509: add missing include for strdup + - lib557: initialize variables + - mbedtls: enable use of EC keys + - mime: acknowledge CURL_DISABLE_MIME + - multi: improved HTTP_1_1_REQUIRED handling + - netrc: acknowledge CURL_DISABLE_NETRC + - nss: allow fifos and character devices for certificates + - nss: provide more specific error messages on failed init + - ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup + - ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4 + - openssl: mark connection for close on TLS close_notify + - openvms: Remove pre-processor for SecureTransport + - parse_proxy: use the URL parser API + - parsedate: disabled on CURL_DISABLE_PARSEDATE + - pingpong: disable more when no pingpong protocols are enabled + - polarssl_threadlock: remove conditionally unused code + - progress: acknowledge CURL_DISABLE_PROGRESS_METER + - proxy: acknowledge DISABLE_PROXY more + - resolve: apply Happy Eyeballs philosophy to parallel c-ares queries + - revert "multi: support verbose conncache closure handle" + - sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616 + - sasl: only enable if there's a protocol enabled using it + - singleipconnect: show port in the verbose "Trying ..." message + - socks5: user name and passwords must be shorter than 256 + - socks: fix error message + - socksd: new SOCKS 4+5 server for tests + - spnego_gssapi: fix return code on gss_init_sec_context() failure + - ssh-libssh: remove unused variable + - ssh: define USE_SSH if SSH is enabled (any backend) + - ssh: move variable declaration to where it's used + - test1002: correct the name + - test2100: Fix typos in test description + - tests: Run global cleanup at end of tests + - tests: make Impacket (SMB server) Python 3 compatible + - tool_cb_wrt: fix bad-function-cast warning + - tool_formparse: remove redundant assignment + - tool_help: Warn if curl and libcurl versions do not match + - tool_help: include for strcasecmp + - url: always clone the CUROPT_CURLU handle + - url: convert the zone id from a IPv6 URL to correct scope id + - urlapi: add CURLUPART_ZONEID to set and get + - urlapi: increase supported scheme length to 40 bytes + - urlapi: require a non-zero host name length when parsing URL + - urlapi: stricter CURLUPART_PORT parsing + - urlapi: strip off zone id from numerical IPv6 addresses + - urlapi: urlencode characters above 0x7f correctly + - vauth/cleartext: update the PLAIN login to match RFC 4616 + - vauth/oauth2: Fix OAUTHBEARER token generation + - vauth: Fix incorrect function description for Curl_auth_user_contains_domain + - vtls: fix potential ssl_buffer stack overflow + - wildcard: disable from build when FTP isn't present + - xattr: skip unittest on unsupported platforms + +------------------------------------------------------------------- curl.changes: same change Old: ---- curl-7.64.1.tar.xz curl-7.64.1.tar.xz.asc New: ---- curl-7.65.0.tar.xz curl-7.65.0.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ curl-mini.spec ++++++ --- /var/tmp/diff_new_pack.KCSZY6/_old 2019-05-25 13:20:00.516341610 +0200 +++ /var/tmp/diff_new_pack.KCSZY6/_new 2019-05-25 13:20:00.528341606 +0200 @@ -29,7 +29,7 @@ # need ssl always for python-pycurl %bcond_without openssl Name: curl-mini -Version: 7.64.1 +Version: 7.65.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl @@ -204,15 +204,15 @@ %files %doc README RELEASE-NOTES -%doc docs/{BUGS,FAQ,FEATURES,MANUAL,RESOURCES,TODO,TheArtOfHttpScripting} +%doc docs/{BUGS,FAQ,FEATURES,RESOURCES,TODO,TheArtOfHttpScripting} %{_bindir}/curl %{_datadir}/zsh/site-functions/_curl %{_mandir}/man1/curl.1%{ext_man} %dir %{_datadir}/zsh %dir %{_datadir}/zsh/site-functions %dir %{_datadir}/fish/ -%dir %{_datadir}/fish/completions/ -%{_datadir}/fish/completions/curl.fish +%dir %{_datadir}/fish/vendor_completions.d/ +%{_datadir}/fish/vendor_completions.d/curl.fish %files -n libcurl4%{?mini} %license COPYING ++++++ curl.spec ++++++ --- /var/tmp/diff_new_pack.KCSZY6/_old 2019-05-25 13:20:00.656341558 +0200 +++ /var/tmp/diff_new_pack.KCSZY6/_new 2019-05-25 13:20:00.676341550 +0200 @@ -27,7 +27,7 @@ # need ssl always for python-pycurl %bcond_without openssl Name: curl -Version: 7.64.1 +Version: 7.65.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl @@ -202,15 +202,15 @@ %files %doc README RELEASE-NOTES -%doc docs/{BUGS,FAQ,FEATURES,MANUAL,RESOURCES,TODO,TheArtOfHttpScripting} +%doc docs/{BUGS,FAQ,FEATURES,RESOURCES,TODO,TheArtOfHttpScripting} %{_bindir}/curl %{_datadir}/zsh/site-functions/_curl %{_mandir}/man1/curl.1%{ext_man} %dir %{_datadir}/zsh %dir %{_datadir}/zsh/site-functions %dir %{_datadir}/fish/ -%dir %{_datadir}/fish/completions/ -%{_datadir}/fish/completions/curl.fish +%dir %{_datadir}/fish/vendor_completions.d/ +%{_datadir}/fish/vendor_completions.d/curl.fish %files -n libcurl4%{?mini} %license COPYING ++++++ curl-7.64.1.tar.xz -> curl-7.65.0.tar.xz ++++++ ++++ 44636 lines of diff (skipped)