Hello community, here is the log from the commit of package curl for openSUSE:Factory checked in at 2017-12-03 10:09:33 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/curl (Old) and /work/SRC/openSUSE:Factory/.curl.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "curl" Sun Dec 3 10:09:33 2017 rev:129 rq:546406 version:7.57.0 Changes: -------- --- /work/SRC/openSUSE:Factory/curl/curl-mini.changes 2017-10-26 18:40:04.820000952 +0200 +++ /work/SRC/openSUSE:Factory/.curl.new/curl-mini.changes 2017-12-03 10:09:36.663300808 +0100 
@@ -1,0 +2,77 @@ +Wed Nov 29 10:43:55 UTC 2017 - pmonrealgonzalez@suse.com + +- Update to version 7.57.0 [bsc#1069226, CVE-2017-8816] + [bsc#1069222, CVE-2017-8817] [bsc#1069714, CVE-2017-8818] + Changes: + * auth: add support for RFC7616 - HTTP Digest access authentication + * share: add support for sharing the connection cache + * HTTP: implement Brotli content encoding + Bugfixes: + * CVE-2017-8816: NTLM buffer overflow via integer overflow + * CVE-2017-8817: FTP wildcard out of bounds read + * CVE-2017-8818: SSL out of buffer access + * curl_mime_filedata.3: fix typos + * libtest: Add required test libraries for lib1552 and lib1553 + * fix time diffs for systems using unsigned time_t + * ftplistparser: memory leak fix: free temporary memory always + * multi: allow table handle sizes to be overridden + * wildcards: don't use with non-supported protocols + * curl_fnmatch: return error on illegal wildcard pattern + * transfer: Fix chunked-encoding upload too early exit + * resolvers: only include anything if needed + * setopt: fix CURLOPT_SSH_AUTH_TYPES option read + * Curl_timeleft: change return type to timediff_t + * cmake: Export libcurl and curl targets to use by other cmake projects + * curl: in -F option arg, comma is a delimiter for files only + * curl: improved ";type=" handling in -F option arguments + * timeval: use mach_absolute_time() on MacOS + * curlx: the timeval functions are no longer provided as curlx_* + * mkhelp.pl: do not generate comment with current date + * memdebug: use send/recv signature for curl_dosend/curl_dorecv + * cookie: avoid NULL dereference + * url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1 + * include: remove conncache.h inclusion from where its not needed + * CURLOPT_MAXREDIRS: allow -1 as a value + * tests: Fixed torture tests on tests 556 and 650 + * http2: Fixed OOM handling in upgrade request + * url: fix CURLOPT_DNS_CACHE_TIMEOUT arg value check to allow -1 + * CURLOPT_INFILESIZE: accept -1 + * curl: pass 
through [] in URLs instead of calling globbing error + * curl: speed up handling of many URLs + * ntlm: avoid malloc(0) for zero length passwords + * url: remove faulty arg value check from CURLOPT_SSH_AUTH_TYPES + * HTTP: support multiple Content-Encodings + * travis: add a job with brotli enabled + * url: remove unncessary NULL-check + * fnmatch: remove dead code + * connect: store IPv6 connection status after valid connection + * imap: deal with commands case insensitively + * --interface: add support for Linux VRF + * content_encoding: fix inflate_stream for no bytes available + * cmake: Add missing setmode check + * connect.c: remove executable bit on file + * SMB: fix uninitialized local variable + * zlib/brotli: only include header files in modules needing them + * URL: return error on malformed URLs with junk after IPv6 bracket + * openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY + * macOS: Fix missing connectx function with Xcode version older than 9.0 + * --resolve: allow IP address within [] brackets + * examples/curlx: Fix code style + * ntlm: remove unnecessary NULL-check to please scan-build + * Curl_llist_remove: fix potential NULL pointer deref + * mime: fix "Value stored to 'sz' is never read" scan-build error + * openssl: fix "Value stored to 'rc' is never read" scan-build error + * http2: fix "Value stored to 'hdbuf' is never read" scan-build error + * http2: fix "Value stored to 'end' is never read" scan-build error + * Curl_open: fix OOM return error correctly + * url: reject ASCII control characters and space in host names + * examples/rtsp: clear RANGE again after use + * connect: improve the bind error message + * make: fix "make distclean" + * connect: add support for new TCP Fast Open API on Linux + * metalink: fix memory-leak and NULL pointer dereference + * URL: update "file:" URL handling + * ssh: remove check for a NULL pointer + * global_init: ignore CURL_GLOBAL_SSL's absense + 
+------------------------------------------------------------------- curl.changes: same change Old: ---- curl-7.56.1.tar.gz curl-7.56.1.tar.gz.asc New: ---- curl-7.57.0.tar.gz curl-7.57.0.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ curl-mini.spec ++++++ --- /var/tmp/diff_new_pack.25lt8z/_old 2017-12-03 10:09:37.807259217 +0100 +++ /var/tmp/diff_new_pack.25lt8z/_new 2017-12-03 10:09:37.811259072 +0100 @@ -32,7 +32,7 @@ %endif Name: curl-mini -Version: 7.56.1 +Version: 7.57.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl ++++++ curl.spec ++++++ --- /var/tmp/diff_new_pack.25lt8z/_old 2017-12-03 10:09:37.835258199 +0100 +++ /var/tmp/diff_new_pack.25lt8z/_new 2017-12-03 10:09:37.835258199 +0100 @@ -30,7 +30,7 @@ %endif Name: curl -Version: 7.56.1 +Version: 7.57.0 Release: 0 Summary: A Tool for Transferring Data from URLs License: curl ++++++ curl-7.56.1.tar.gz -> curl-7.57.0.tar.gz ++++++ ++++ 55956 lines of diff (skipped)
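Review bot: the new curl-mini.changes entry lists "HTTP: implement Brotli content encoding" under Changes, but the curl-mini.spec and curl.spec hunks touch only the Version line, so nothing visible here adds a Brotli build dependency. State in the entry whether the package is actually built with Brotli, so readers do not assume the feature is available. While editing the entry, the copied bugfix lines carry typos that could be corrected: "unncessary", "absense" and "its not needed".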
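Review bot: the source swap at the end (curl-7.56.1.tar.gz -> curl-7.57.0.tar.gz, "55956 lines of diff (skipped)") cannot be reviewed from this mail, which leaves the replaced curl-7.57.0.tar.gz.asc as the only integrity evidence for a release that fixes CVE-2017-8816, CVE-2017-8817 and CVE-2017-8818. Neither spec hunk shows the signature being checked, so confirm that the .asc verifies against the upstream release key before accepting the request, and note that check in the submission.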