commit curl for openSUSE:11.4
Hello community, here is the log from the commit of package curl for openSUSE:11.4 checked in at Tue Jan 31 15:33:19 CET 2012. -------- --- old-versions/11.4/UPDATES/all/curl/curl.changes 2012-01-22 15:44:59.000000000 +0100 +++ 11.4/curl/curl.changes 2012-01-31 14:49:09.000000000 +0100 @@ -1,0 +2,5 @@ +Thu Jan 26 14:03:02 UTC 2012 - vcizek@suse.com + +- workaround to CVE-2011-2192 by disabling GSSAPI (bnc#698796) + +------------------------------------------------------------------- calling whatdependson for 11.4-i586 New: ---- curl-7.21.2-CVE-2011-2192.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ curl.spec ++++++ --- /var/tmp/diff_new_pack.OaCnx7/_old 2012-01-31 15:32:01.000000000 +0100 +++ /var/tmp/diff_new_pack.OaCnx7/_new 2012-01-31 15:32:01.000000000 +0100 @@ -15,14 +15,16 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# norootforbuild %bcond_without openssl %bcond_with mozilla_nss %bcond_without testsuite Name: curl -BuildRequires: libidn-devel openldap2-devel pkg-config zlib-devel +BuildRequires: libidn-devel +BuildRequires: openldap2-devel +BuildRequires: pkg-config +BuildRequires: zlib-devel %if %{with openssl} BuildRequires: openssl-devel %endif @@ -34,23 +36,23 @@ %else BuildRequires: heimdal-devel %endif -BuildRequires: libssh2-devel openssh +BuildRequires: libssh2-devel +BuildRequires: openssh %if 0%{?_with_stunnel:1} # used by the testsuite BuildRequires: stunnel %endif #define cvs_suffix -20090302 Version: 7.21.2 -Release: 10.<RELEASE11> -AutoReqProv: on +Release: 10.<RELEASE13> # bug437293 %ifarch ppc64 Obsoletes: curl-64bit %endif # -License: BSD3c(or similar) ; MIT License (or similar) -Group: Productivity/Networking/Web/Utilities Summary: A Tool for Transferring Data from URLs +License: BSD-3-Clause ; MIT +Group: Productivity/Networking/Web/Utilities Url: http://curl.haxx.se/ Source: curl-%version%{?cvs_suffix}.tar.bz2 Source2: baselibs.conf 
@@ -58,6 +60,7 @@ Patch2: 0002-URL-sanitize-reject-URLs-containing-bad-data.patch Patch3: 0003-OpenSSL-SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG-opti.patch Patch4: 0004-OpenSSL-don-t-disable-security-work-around.patch +Patch5: curl-7.21.2-CVE-2011-2192.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -67,7 +70,7 @@ without user interaction or any kind of interactivity. %package -n libcurl4 -License: BSD3c(or similar) ; MIT License (or similar) + Summary: cURL shared library version 4 Group: Productivity/Networking/Web/Utilities @@ -75,7 +78,7 @@ cURL shared library version 4. %package -n libcurl-devel -License: BSD3c(or similar) ; MIT License (or similar) + Summary: A Tool for Transferring Data from URLs Group: Development/Libraries/C and C++ Requires: libcurl4 = %{version} glibc-devel @@ -95,6 +98,7 @@ %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 %build # local hack to make curl-config --libs stop printing libraries it depends on ++++++ curl-7.21.2-CVE-2011-2192.patch ++++++
From a4be0864ba953b3317ece66bf8c2332ea74a4715 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Wed, 8 Jun 2011 00:10:26 +0200 Subject: [PATCH] Curl_input_negotiate: do not delegate credentials
This is a security flaw. See curl advisory 201106xx for details. Reported by: Richard Silverman --- lib/http_negotiate.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c index 202d69e..5127e64 100644 --- a/lib/http_negotiate.c +++ b/lib/http_negotiate.c @@ -243,7 +243,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, &neg_ctx->context, neg_ctx->server_name, GSS_C_NO_OID, - GSS_C_DELEG_FLAG, + 0, 0, GSS_C_NO_CHANNEL_BINDINGS, &input_token, -- 1.7.5.3 continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
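Review bot: The new curl.changes entry describes the workaround for CVE-2011-2192 as "disabling GSSAPI", which does not match the patch it ships: curl-7.21.2-CVE-2011-2192.patch only replaces GSS_C_DELEG_FLAG with 0 in Curl_input_negotiate, so GSSAPI remains in use and only credential delegation is switched off. Suggest rewording the entry to say that GSSAPI credentials are no longer delegated (keeping the CVE-2011-2192 and bnc#698796 references), so that an admin reading the changelog does not conclude that Negotiate authentication was removed from the package.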
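Review bot: The curl.spec hunks mix unrelated packaging cleanup into a security update, and curl.changes does not mention any of it. The lines needed for the fix are `Patch5: curl-7.21.2-CVE-2011-2192.patch` and `%patch5 -p1`; the same change also splits the BuildRequires lines, drops `# norootforbuild` and `AutoReqProv: on`, rewrites the main License tag to `BSD-3-Clause ; MIT`, and removes the License tag from the libcurl4 and libcurl-devel subpackages, leaving an empty line in its place. Suggest either submitting the cleanup separately or listing it in the changelog entry, so the security-relevant delta stays easy to audit.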
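Review bot: In the lib/http_negotiate.c hunk, the bare `0` that replaces GSS_C_DELEG_FLAG (the argument after GSS_C_NO_OID) sits directly above another `0` and gives no hint that it is a deliberately empty flags value. A short comment at that argument saying that credential delegation is intentionally not requested would keep a later change from restoring the flag. Delegation is also now off unconditionally, with no opt-in for callers that relied on it, which is worth stating in the update notes. The commit message still carries the placeholder "advisory 201106xx", so the patch header could name CVE-2011-2192 as the file name and changelog do.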
participants (1)
-
root@hilbert.suse.de