import curl-7.61.1-18.el8
This commit is contained in:
parent
324a6e1c46
commit
ff675e3286
143
SOURCES/0022-curl-7.61.1-CVE-2020-8231.patch
Normal file
143
SOURCES/0022-curl-7.61.1-CVE-2020-8231.patch
Normal file
@ -0,0 +1,143 @@
|
||||
From 7a26092a9e21f1e0dc3cad69a580a7e2c7822ad0 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Sun, 16 Aug 2020 11:34:35 +0200
|
||||
Subject: [PATCH] Curl_easy: remember last connection by id, not by pointer
|
||||
|
||||
CVE-2020-8231
|
||||
|
||||
Bug: https://curl.haxx.se/docs/CVE-2020-8231.html
|
||||
|
||||
Reported-by: Marc Aldorasi
|
||||
Closes #5824
|
||||
|
||||
Upstream-commit: 3c9e021f86872baae412a427e807fbfa2f3e8a22
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/connect.c | 19 ++++++++++---------
|
||||
lib/easy.c | 3 +--
|
||||
lib/multi.c | 5 +++--
|
||||
lib/url.c | 2 +-
|
||||
lib/urldata.h | 2 +-
|
||||
5 files changed, 16 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/lib/connect.c b/lib/connect.c
|
||||
index 41f2202..f724646 100644
|
||||
--- a/lib/connect.c
|
||||
+++ b/lib/connect.c
|
||||
@@ -1214,15 +1214,15 @@ CURLcode Curl_connecthost(struct connectdata *conn, /* context */
|
||||
}
|
||||
|
||||
struct connfind {
|
||||
- struct connectdata *tofind;
|
||||
- bool found;
|
||||
+ long id_tofind;
|
||||
+ struct connectdata *found;
|
||||
};
|
||||
|
||||
static int conn_is_conn(struct connectdata *conn, void *param)
|
||||
{
|
||||
struct connfind *f = (struct connfind *)param;
|
||||
- if(conn == f->tofind) {
|
||||
- f->found = TRUE;
|
||||
+ if(conn->connection_id == f->id_tofind) {
|
||||
+ f->found = conn;
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
@@ -1244,21 +1244,22 @@ curl_socket_t Curl_getconnectinfo(struct Curl_easy *data,
|
||||
* - that is associated with a multi handle, and whose connection
|
||||
* was detached with CURLOPT_CONNECT_ONLY
|
||||
*/
|
||||
- if(data->state.lastconnect && (data->multi_easy || data->multi)) {
|
||||
- struct connectdata *c = data->state.lastconnect;
|
||||
+ if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) {
|
||||
+ struct connectdata *c;
|
||||
struct connfind find;
|
||||
- find.tofind = data->state.lastconnect;
|
||||
- find.found = FALSE;
|
||||
+ find.id_tofind = data->state.lastconnect_id;
|
||||
+ find.found = NULL;
|
||||
|
||||
Curl_conncache_foreach(data, data->multi_easy?
|
||||
&data->multi_easy->conn_cache:
|
||||
&data->multi->conn_cache, &find, conn_is_conn);
|
||||
|
||||
if(!find.found) {
|
||||
- data->state.lastconnect = NULL;
|
||||
+ data->state.lastconnect_id = -1;
|
||||
return CURL_SOCKET_BAD;
|
||||
}
|
||||
|
||||
+ c = find.found;
|
||||
if(connp) {
|
||||
/* only store this if the caller cares for it */
|
||||
*connp = c;
|
||||
diff --git a/lib/easy.c b/lib/easy.c
|
||||
index 027d0be..fe61cdd 100644
|
||||
--- a/lib/easy.c
|
||||
+++ b/lib/easy.c
|
||||
@@ -919,8 +919,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
|
||||
|
||||
/* the connection cache is setup on demand */
|
||||
outcurl->state.conn_cache = NULL;
|
||||
-
|
||||
- outcurl->state.lastconnect = NULL;
|
||||
+ outcurl->state.lastconnect_id = -1;
|
||||
|
||||
outcurl->progress.flags = data->progress.flags;
|
||||
outcurl->progress.callback = data->progress.callback;
|
||||
diff --git a/lib/multi.c b/lib/multi.c
|
||||
index 0caf943..0f57fd5 100644
|
||||
--- a/lib/multi.c
|
||||
+++ b/lib/multi.c
|
||||
@@ -427,6 +427,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi,
|
||||
data->state.conn_cache = &data->share->conn_cache;
|
||||
else
|
||||
data->state.conn_cache = &multi->conn_cache;
|
||||
+ data->state.lastconnect_id = -1;
|
||||
|
||||
#ifdef USE_LIBPSL
|
||||
/* Do the same for PSL. */
|
||||
@@ -644,11 +645,11 @@ static CURLcode multi_done(struct connectdata **connp,
|
||||
/* the connection is no longer in use by this transfer */
|
||||
if(Curl_conncache_return_conn(conn)) {
|
||||
/* remember the most recently used connection */
|
||||
- data->state.lastconnect = conn;
|
||||
+ data->state.lastconnect_id = conn->connection_id;
|
||||
infof(data, "%s\n", buffer);
|
||||
}
|
||||
else
|
||||
- data->state.lastconnect = NULL;
|
||||
+ data->state.lastconnect_id = -1;
|
||||
}
|
||||
|
||||
*connp = NULL; /* to make the caller of this function better detect that
|
||||
diff --git a/lib/url.c b/lib/url.c
|
||||
index dcc6cc8..d65d17d 100644
|
||||
--- a/lib/url.c
|
||||
+++ b/lib/url.c
|
||||
@@ -592,7 +592,7 @@ CURLcode Curl_open(struct Curl_easy **curl)
|
||||
Curl_initinfo(data);
|
||||
|
||||
/* most recent connection is not yet defined */
|
||||
- data->state.lastconnect = NULL;
|
||||
+ data->state.lastconnect_id = -1;
|
||||
|
||||
data->progress.flags |= PGRS_HIDE;
|
||||
data->state.current_speed = -1; /* init to negative == impossible */
|
||||
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||
index 67db3b2..4b70cc5 100644
|
||||
--- a/lib/urldata.h
|
||||
+++ b/lib/urldata.h
|
||||
@@ -1219,7 +1219,7 @@ struct UrlState {
|
||||
/* buffers to store authentication data in, as parsed from input options */
|
||||
struct curltime keeps_speed; /* for the progress meter really */
|
||||
|
||||
- struct connectdata *lastconnect; /* The last connection, NULL if undefined */
|
||||
+ long lastconnect_id; /* The last connection, -1 if undefined */
|
||||
|
||||
char *headerbuff; /* allocated buffer to store headers in */
|
||||
size_t headersize; /* size of the allocation */
|
||||
--
|
||||
2.25.4
|
||||
|
291
SOURCES/0024-curl-7.61.1-openssl-partial-chain.patch
Normal file
291
SOURCES/0024-curl-7.61.1-openssl-partial-chain.patch
Normal file
@ -0,0 +1,291 @@
|
||||
From 673adb0a7a21ca3a877ee03dc9e197d5be15a9d3 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Mon, 2 Dec 2019 10:45:55 +0100
|
||||
Subject: [PATCH 1/3] openssl: set X509_V_FLAG_PARTIAL_CHAIN
|
||||
|
||||
Have intermediate certificates in the trust store be treated as
|
||||
trust-anchors, in the same way as self-signed root CA certificates
|
||||
are. This allows users to verify servers using the intermediate cert
|
||||
only, instead of needing the whole chain.
|
||||
|
||||
Other TLS backends already accept partial chains.
|
||||
|
||||
Reported-by: Jeffrey Walton
|
||||
Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html
|
||||
|
||||
Upstream-commit: 94f1f771586913addf5c68f9219e176036c50115
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/vtls/openssl.c | 26 +++++++++++++++++---------
|
||||
1 file changed, 17 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||
index d8bcc4f..8e791b9 100644
|
||||
--- a/lib/vtls/openssl.c
|
||||
+++ b/lib/vtls/openssl.c
|
||||
@@ -2551,19 +2551,27 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||
infof(data, " CRLfile: %s\n", ssl_crlfile);
|
||||
}
|
||||
|
||||
- /* Try building a chain using issuers in the trusted store first to avoid
|
||||
- problems with server-sent legacy intermediates.
|
||||
- Newer versions of OpenSSL do alternate chain checking by default which
|
||||
- gives us the same fix without as much of a performance hit (slight), so we
|
||||
- prefer that if available.
|
||||
- https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
|
||||
- */
|
||||
-#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
|
||||
if(verifypeer) {
|
||||
+ /* Try building a chain using issuers in the trusted store first to avoid
|
||||
+ problems with server-sent legacy intermediates. Newer versions of
|
||||
+ OpenSSL do alternate chain checking by default which gives us the same
|
||||
+ fix without as much of a performance hit (slight), so we prefer that if
|
||||
+ available.
|
||||
+ https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
|
||||
+ */
|
||||
+#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
|
||||
X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
|
||||
X509_V_FLAG_TRUSTED_FIRST);
|
||||
- }
|
||||
#endif
|
||||
+#ifdef X509_V_FLAG_PARTIAL_CHAIN
|
||||
+ /* Have intermediate certificates in the trust store be treated as
|
||||
+ trust-anchors, in the same way as self-signed root CA certificates
|
||||
+ are. This allows users to verify servers using the intermediate cert
|
||||
+ only, instead of needing the whole chain. */
|
||||
+ X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
|
||||
+ X509_V_FLAG_PARTIAL_CHAIN);
|
||||
+#endif
|
||||
+ }
|
||||
|
||||
/* SSL always tries to verify the peer, this only says whether it should
|
||||
* fail to connect if the verification fails, or if it should continue
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
||||
From b2e6e39b60e1722aecf250ff79a69867df5d3aa8 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Mon, 2 Dec 2019 10:55:33 +0100
|
||||
Subject: [PATCH 2/3] openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial
|
||||
cert chains
|
||||
|
||||
Closes #4655
|
||||
|
||||
Upstream-commit: 564d88a8bd190a21b362d6da535fccf74d33394d
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3 | 40 +++++++++++++------------
|
||||
docs/libcurl/symbols-in-versions | 1 +
|
||||
include/curl/curl.h | 4 +++
|
||||
lib/setopt.c | 1 +
|
||||
lib/urldata.h | 1 +
|
||||
lib/vtls/openssl.c | 14 +++++----
|
||||
6 files changed, 36 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3 b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
|
||||
index d781434..6286a64 100644
|
||||
--- a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
|
||||
+++ b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
|
||||
@@ -29,25 +29,27 @@ CURLOPT_SSL_OPTIONS \- set SSL behavior options
|
||||
|
||||
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_OPTIONS, long bitmask);
|
||||
.SH DESCRIPTION
|
||||
-Pass a long with a bitmask to tell libcurl about specific SSL behaviors.
|
||||
-
|
||||
-\fICURLSSLOPT_ALLOW_BEAST\fP tells libcurl to not attempt to use any
|
||||
-workarounds for a security flaw in the SSL3 and TLS1.0 protocols. If this
|
||||
-option isn't used or this bit is set to 0, the SSL layer libcurl uses may use a
|
||||
-work-around for this flaw although it might cause interoperability problems
|
||||
-with some (older) SSL implementations. WARNING: avoiding this work-around
|
||||
-lessens the security, and by setting this option to 1 you ask for exactly that.
|
||||
-This option is only supported for DarwinSSL, NSS and OpenSSL.
|
||||
-
|
||||
-Added in 7.44.0:
|
||||
-
|
||||
-\fICURLSSLOPT_NO_REVOKE\fP tells libcurl to disable certificate revocation
|
||||
-checks for those SSL backends where such behavior is present. \fBCurrently this
|
||||
-option is only supported for WinSSL (the native Windows SSL library), with an
|
||||
-exception in the case of Windows' Untrusted Publishers blacklist which it seems
|
||||
-can't be bypassed.\fP This option may have broader support to accommodate other
|
||||
-SSL backends in the future.
|
||||
-https://curl.haxx.se/docs/ssl-compared.html
|
||||
+Pass a long with a bitmask to tell libcurl about specific SSL
|
||||
+behaviors. Available bits:
|
||||
+.IP CURLSSLOPT_ALLOW_BEAST
|
||||
+Tells libcurl to not attempt to use any workarounds for a security flaw in the
|
||||
+SSL3 and TLS1.0 protocols. If this option isn't used or this bit is set to 0,
|
||||
+the SSL layer libcurl uses may use a work-around for this flaw although it
|
||||
+might cause interoperability problems with some (older) SSL
|
||||
+implementations. WARNING: avoiding this work-around lessens the security, and
|
||||
+by setting this option to 1 you ask for exactly that. This option is only
|
||||
+supported for DarwinSSL, NSS and OpenSSL.
|
||||
+.IP CURLSSLOPT_NO_REVOKE
|
||||
+Tells libcurl to disable certificate revocation checks for those SSL backends
|
||||
+where such behavior is present. This option is only supported for Schannel
|
||||
+(the native Windows SSL library), with an exception in the case of Windows'
|
||||
+Untrusted Publishers blacklist which it seems can't be bypassed. (Added in
|
||||
+7.44.0)
|
||||
+.IP CURLSSLOPT_NO_PARTIALCHAIN
|
||||
+Tells libcurl to not accept "partial" certificate chains, which it otherwise
|
||||
+does by default. This option is only supported for OpenSSL and will fail the
|
||||
+certificate verification if the chain ends with an intermediate certificate
|
||||
+and not with a root cert. (Added in 7.68.0)
|
||||
.SH DEFAULT
|
||||
0
|
||||
.SH PROTOCOLS
|
||||
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
|
||||
index 3b3861f..54923d0 100644
|
||||
--- a/docs/libcurl/symbols-in-versions
|
||||
+++ b/docs/libcurl/symbols-in-versions
|
||||
@@ -713,6 +713,7 @@ CURLSSLBACKEND_QSOSSL 7.34.0 - 7.38.1
|
||||
CURLSSLBACKEND_SCHANNEL 7.34.0
|
||||
CURLSSLBACKEND_WOLFSSL 7.49.0
|
||||
CURLSSLOPT_ALLOW_BEAST 7.25.0
|
||||
+CURLSSLOPT_NO_PARTIALCHAIN 7.68.0
|
||||
CURLSSLOPT_NO_REVOKE 7.44.0
|
||||
CURLSSLSET_NO_BACKENDS 7.56.0
|
||||
CURLSSLSET_OK 7.56.0
|
||||
diff --git a/include/curl/curl.h b/include/curl/curl.h
|
||||
index 8f473e2..75f9384 100644
|
||||
--- a/include/curl/curl.h
|
||||
+++ b/include/curl/curl.h
|
||||
@@ -795,6 +795,10 @@ typedef enum {
|
||||
SSL backends where such behavior is present. */
|
||||
#define CURLSSLOPT_NO_REVOKE (1<<1)
|
||||
|
||||
+/* - NO_PARTIALCHAIN tells libcurl to *NOT* accept a partial certificate chain
|
||||
+ if possible. The OpenSSL backend has this ability. */
|
||||
+#define CURLSSLOPT_NO_PARTIALCHAIN (1<<2)
|
||||
+
|
||||
/* The default connection attempt delay in milliseconds for happy eyeballs.
|
||||
CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.3 and happy-eyeballs-timeout-ms.d document
|
||||
this value, keep them in sync. */
|
||||
diff --git a/lib/setopt.c b/lib/setopt.c
|
||||
index 5c5f4b3..4f04962 100644
|
||||
--- a/lib/setopt.c
|
||||
+++ b/lib/setopt.c
|
||||
@@ -2046,6 +2046,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||
arg = va_arg(param, long);
|
||||
data->set.ssl.enable_beast = arg&CURLSSLOPT_ALLOW_BEAST?TRUE:FALSE;
|
||||
data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
|
||||
+ data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
|
||||
break;
|
||||
|
||||
case CURLOPT_PROXY_SSL_OPTIONS:
|
||||
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||
index 4b70cc5..c70290a 100644
|
||||
--- a/lib/urldata.h
|
||||
+++ b/lib/urldata.h
|
||||
@@ -235,6 +235,7 @@ struct ssl_config_data {
|
||||
bool enable_beast; /* especially allow this flaw for interoperability's
|
||||
sake*/
|
||||
bool no_revoke; /* disable SSL certificate revocation checks */
|
||||
+ bool no_partialchain; /* don't accept partial certificate chains */
|
||||
long certverifyresult; /* result from the certificate verification */
|
||||
char *CRLfile; /* CRL to check certificate revocation */
|
||||
char *issuercert;/* optional issuer certificate filename */
|
||||
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||
index 8e791b9..87f6c4c 100644
|
||||
--- a/lib/vtls/openssl.c
|
||||
+++ b/lib/vtls/openssl.c
|
||||
@@ -2564,12 +2564,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||
X509_V_FLAG_TRUSTED_FIRST);
|
||||
#endif
|
||||
#ifdef X509_V_FLAG_PARTIAL_CHAIN
|
||||
- /* Have intermediate certificates in the trust store be treated as
|
||||
- trust-anchors, in the same way as self-signed root CA certificates
|
||||
- are. This allows users to verify servers using the intermediate cert
|
||||
- only, instead of needing the whole chain. */
|
||||
- X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
|
||||
- X509_V_FLAG_PARTIAL_CHAIN);
|
||||
+ if(!SSL_SET_OPTION(no_partialchain)) {
|
||||
+ /* Have intermediate certificates in the trust store be treated as
|
||||
+ trust-anchors, in the same way as self-signed root CA certificates
|
||||
+ are. This allows users to verify servers using the intermediate cert
|
||||
+ only, instead of needing the whole chain. */
|
||||
+ X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
|
||||
+ X509_V_FLAG_PARTIAL_CHAIN);
|
||||
+ }
|
||||
#endif
|
||||
}
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
||||
From d149ba12f302e5275b408d82ffb349eac16b9226 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Mon, 11 May 2020 23:00:31 +0200
|
||||
Subject: [PATCH 3/3] OpenSSL: have CURLOPT_CRLFILE imply
|
||||
CURLSSLOPT_NO_PARTIALCHAIN
|
||||
|
||||
... to avoid an OpenSSL bug that otherwise makes the CRL check to fail.
|
||||
|
||||
Reported-by: Michael Kaufmann
|
||||
Fixes #5374
|
||||
Closes #5376
|
||||
|
||||
Upstream-commit: 81a54b12c631e8126e3eb484c74040b991e78f0c
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
docs/libcurl/opts/CURLOPT_CRLFILE.3 | 13 ++++++++-----
|
||||
lib/vtls/openssl.c | 8 ++++++--
|
||||
2 files changed, 14 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/docs/libcurl/opts/CURLOPT_CRLFILE.3 b/docs/libcurl/opts/CURLOPT_CRLFILE.3
|
||||
index 080caa7..f111585 100644
|
||||
--- a/docs/libcurl/opts/CURLOPT_CRLFILE.3
|
||||
+++ b/docs/libcurl/opts/CURLOPT_CRLFILE.3
|
||||
@@ -5,7 +5,7 @@
|
||||
.\" * | (__| |_| | _ <| |___
|
||||
.\" * \___|\___/|_| \_\_____|
|
||||
.\" *
|
||||
-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
.\" *
|
||||
.\" * This software is licensed as described in the file COPYING, which
|
||||
.\" * you should have received as part of this distribution. The terms
|
||||
@@ -34,10 +34,13 @@ concatenation of CRL (in PEM format) to use in the certificate validation that
|
||||
occurs during the SSL exchange.
|
||||
|
||||
When curl is built to use NSS or GnuTLS, there is no way to influence the use
|
||||
-of CRL passed to help in the verification process. When libcurl is built with
|
||||
-OpenSSL support, X509_V_FLAG_CRL_CHECK and X509_V_FLAG_CRL_CHECK_ALL are both
|
||||
-set, requiring CRL check against all the elements of the certificate chain if
|
||||
-a CRL file is passed.
|
||||
+of CRL passed to help in the verification process.
|
||||
+
|
||||
+When libcurl is built with OpenSSL support, X509_V_FLAG_CRL_CHECK and
|
||||
+X509_V_FLAG_CRL_CHECK_ALL are both set, requiring CRL check against all the
|
||||
+elements of the certificate chain if a CRL file is passed. Also note that
|
||||
+\fICURLOPT_CRLFILE(3)\fP will imply \fBCURLSSLOPT_NO_PARTIALCHAIN\fP (see
|
||||
+\fICURLOPT_SSL_OPTIONS(3)\fP) since curl 7.71.0 due to an OpenSSL bug.
|
||||
|
||||
This option makes sense only when used in combination with the
|
||||
\fICURLOPT_SSL_VERIFYPEER(3)\fP option.
|
||||
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||
index 87f6c4c..9476773 100644
|
||||
--- a/lib/vtls/openssl.c
|
||||
+++ b/lib/vtls/openssl.c
|
||||
@@ -2564,11 +2564,15 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||
X509_V_FLAG_TRUSTED_FIRST);
|
||||
#endif
|
||||
#ifdef X509_V_FLAG_PARTIAL_CHAIN
|
||||
- if(!SSL_SET_OPTION(no_partialchain)) {
|
||||
+ if(!SSL_SET_OPTION(no_partialchain) && !ssl_crlfile) {
|
||||
/* Have intermediate certificates in the trust store be treated as
|
||||
trust-anchors, in the same way as self-signed root CA certificates
|
||||
are. This allows users to verify servers using the intermediate cert
|
||||
- only, instead of needing the whole chain. */
|
||||
+ only, instead of needing the whole chain.
|
||||
+
|
||||
+ Due to OpenSSL bug https://github.com/openssl/openssl/issues/5081 we
|
||||
+ cannot do partial chains with CRL check.
|
||||
+ */
|
||||
X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
|
||||
X509_V_FLAG_PARTIAL_CHAIN);
|
||||
}
|
||||
--
|
||||
2.26.2
|
||||
|
208
SOURCES/0025-curl-7.61.1-CVE-2020-8284.patch
Normal file
208
SOURCES/0025-curl-7.61.1-CVE-2020-8284.patch
Normal file
@ -0,0 +1,208 @@
|
||||
From 2629f42d4cfdd04df0544007b03161e3d5d52d54 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Tue, 24 Nov 2020 14:56:57 +0100
|
||||
Subject: [PATCH] ftp: CURLOPT_FTP_SKIP_PASV_IP by default
|
||||
|
||||
The command line tool also independently sets --ftp-skip-pasv-ip by
|
||||
default.
|
||||
|
||||
Ten test cases updated to adapt the modified --libcurl output.
|
||||
|
||||
Bug: https://curl.se/docs/CVE-2020-8284.html
|
||||
CVE-2020-8284
|
||||
|
||||
Reported-by: Varnavas Papaioannou
|
||||
|
||||
Upstream-commit: ec9cc725d598ac77de7b6df8afeec292b3c8ad46
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
docs/cmdline-opts/ftp-skip-pasv-ip.d | 2 ++
|
||||
docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 | 8 +++++---
|
||||
lib/url.c | 1 +
|
||||
src/tool_cfgable.c | 1 +
|
||||
tests/data/test1400 | 1 +
|
||||
tests/data/test1401 | 1 +
|
||||
tests/data/test1402 | 1 +
|
||||
tests/data/test1403 | 1 +
|
||||
tests/data/test1404 | 1 +
|
||||
tests/data/test1405 | 1 +
|
||||
tests/data/test1406 | 1 +
|
||||
tests/data/test1407 | 1 +
|
||||
tests/data/test1420 | 1 +
|
||||
13 files changed, 18 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/docs/cmdline-opts/ftp-skip-pasv-ip.d b/docs/cmdline-opts/ftp-skip-pasv-ip.d
|
||||
index da6ab11..4be8b43 100644
|
||||
--- a/docs/cmdline-opts/ftp-skip-pasv-ip.d
|
||||
+++ b/docs/cmdline-opts/ftp-skip-pasv-ip.d
|
||||
@@ -9,4 +9,6 @@ to curl's PASV command when curl connects the data connection. Instead curl
|
||||
will re-use the same IP address it already uses for the control
|
||||
connection.
|
||||
|
||||
+Since curl 7.74.0 this option is enabled by default.
|
||||
+
|
||||
This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
|
||||
diff --git a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
|
||||
index 4d3026a..4227ed6 100644
|
||||
--- a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
|
||||
+++ b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
|
||||
@@ -5,7 +5,7 @@
|
||||
.\" * | (__| |_| | _ <| |___
|
||||
.\" * \___|\___/|_| \_\_____|
|
||||
.\" *
|
||||
-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
.\" *
|
||||
.\" * This software is licensed as described in the file COPYING, which
|
||||
.\" * you should have received as part of this distribution. The terms
|
||||
@@ -36,11 +36,13 @@ address it already uses for the control connection. But it will use the port
|
||||
number from the 227-response.
|
||||
|
||||
This option thus allows libcurl to work around broken server installations
|
||||
-that due to NATs, firewalls or incompetence report the wrong IP address back.
|
||||
+that due to NATs, firewalls or incompetence report the wrong IP address
|
||||
+back. Setting the option also reduces the risk for various sorts of client
|
||||
+abuse by malicious servers.
|
||||
|
||||
This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
|
||||
.SH DEFAULT
|
||||
-0
|
||||
+1 since 7.74.0, was 0 before then.
|
||||
.SH PROTOCOLS
|
||||
FTP
|
||||
.SH EXAMPLE
|
||||
diff --git a/lib/url.c b/lib/url.c
|
||||
index e77f391..b18db25 100644
|
||||
--- a/lib/url.c
|
||||
+++ b/lib/url.c
|
||||
@@ -434,6 +434,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
|
||||
set->ftp_use_eprt = TRUE; /* FTP defaults to EPRT operations */
|
||||
set->ftp_use_pret = FALSE; /* mainly useful for drftpd servers */
|
||||
set->ftp_filemethod = FTPFILE_MULTICWD;
|
||||
+ set->ftp_skip_ip = TRUE; /* skip PASV IP by default */
|
||||
|
||||
set->dns_cache_timeout = 60; /* Timeout every 60 seconds by default */
|
||||
|
||||
diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c
|
||||
index 81e16c1..110191e 100644
|
||||
--- a/src/tool_cfgable.c
|
||||
+++ b/src/tool_cfgable.c
|
||||
@@ -43,6 +43,7 @@ void config_init(struct OperationConfig* config)
|
||||
config->proto_default = NULL;
|
||||
config->tcp_nodelay = TRUE; /* enabled by default */
|
||||
config->happy_eyeballs_timeout_ms = CURL_HET_DEFAULT;
|
||||
+ config->ftp_skip_ip = TRUE;
|
||||
}
|
||||
|
||||
static void free_config_fields(struct OperationConfig *config)
|
||||
diff --git a/tests/data/test1400 b/tests/data/test1400
|
||||
index 10faef3..9d18a30 100644
|
||||
--- a/tests/data/test1400
|
||||
+++ b/tests/data/test1400
|
||||
@@ -73,6 +73,7 @@ int main(int argc, char *argv[])
|
||||
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
|
||||
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
|
||||
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||
|
||||
/* Here is a list of options the curl code used that cannot get generated
|
||||
diff --git a/tests/data/test1401 b/tests/data/test1401
|
||||
index f330931..99cb0cb 100644
|
||||
--- a/tests/data/test1401
|
||||
+++ b/tests/data/test1401
|
||||
@@ -89,6 +89,7 @@ int main(int argc, char *argv[])
|
||||
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
|
||||
curl_easy_setopt(hnd, CURLOPT_COOKIE, "chocolate=chip");
|
||||
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_PROTOCOLS, (long)CURLPROTO_FILE |
|
||||
(long)CURLPROTO_FTP |
|
||||
diff --git a/tests/data/test1402 b/tests/data/test1402
|
||||
index 9a94283..ef55bd6 100644
|
||||
--- a/tests/data/test1402
|
||||
+++ b/tests/data/test1402
|
||||
@@ -80,6 +80,7 @@ int main(int argc, char *argv[])
|
||||
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
|
||||
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
|
||||
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||
|
||||
/* Here is a list of options the curl code used that cannot get generated
|
||||
diff --git a/tests/data/test1403 b/tests/data/test1403
|
||||
index 79cdf49..78932c2 100644
|
||||
--- a/tests/data/test1403
|
||||
+++ b/tests/data/test1403
|
||||
@@ -75,6 +75,7 @@ int main(int argc, char *argv[])
|
||||
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
|
||||
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
|
||||
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||
|
||||
/* Here is a list of options the curl code used that cannot get generated
|
||||
diff --git a/tests/data/test1404 b/tests/data/test1404
|
||||
index 9c6f2e7..8ea5e04 100644
|
||||
--- a/tests/data/test1404
|
||||
+++ b/tests/data/test1404
|
||||
@@ -144,6 +144,7 @@ int main(int argc, char *argv[])
|
||||
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
|
||||
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
|
||||
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||
|
||||
/* Here is a list of options the curl code used that cannot get generated
|
||||
diff --git a/tests/data/test1405 b/tests/data/test1405
|
||||
index 73769ee..5a83b6e 100644
|
||||
--- a/tests/data/test1405
|
||||
+++ b/tests/data/test1405
|
||||
@@ -89,6 +89,7 @@ int main(int argc, char *argv[])
|
||||
curl_easy_setopt(hnd, CURLOPT_POSTQUOTE, slist2);
|
||||
curl_easy_setopt(hnd, CURLOPT_PREQUOTE, slist3);
|
||||
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||
|
||||
/* Here is a list of options the curl code used that cannot get generated
|
||||
diff --git a/tests/data/test1406 b/tests/data/test1406
|
||||
index 796dd22..c941e00 100644
|
||||
--- a/tests/data/test1406
|
||||
+++ b/tests/data/test1406
|
||||
@@ -80,6 +80,7 @@ int main(int argc, char *argv[])
|
||||
curl_easy_setopt(hnd, CURLOPT_URL, "smtp://%HOSTIP:%SMTPPORT/1406");
|
||||
curl_easy_setopt(hnd, CURLOPT_UPLOAD, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_MAIL_FROM, "sender@example.com");
|
||||
curl_easy_setopt(hnd, CURLOPT_MAIL_RCPT, slist1);
|
||||
diff --git a/tests/data/test1407 b/tests/data/test1407
|
||||
index 9800eee..ddba7b7 100644
|
||||
--- a/tests/data/test1407
|
||||
+++ b/tests/data/test1407
|
||||
@@ -62,6 +62,7 @@ int main(int argc, char *argv[])
|
||||
curl_easy_setopt(hnd, CURLOPT_DIRLISTONLY, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
|
||||
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||
|
||||
/* Here is a list of options the curl code used that cannot get generated
|
||||
diff --git a/tests/data/test1420 b/tests/data/test1420
|
||||
index a5e1c52..72fb353 100644
|
||||
--- a/tests/data/test1420
|
||||
+++ b/tests/data/test1420
|
||||
@@ -67,6 +67,7 @@ int main(int argc, char *argv[])
|
||||
curl_easy_setopt(hnd, CURLOPT_URL, "imap://%HOSTIP:%IMAPPORT/1420/;UID=1");
|
||||
curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
|
||||
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||
|
||||
/* Here is a list of options the curl code used that cannot get generated
|
||||
--
|
||||
2.26.2
|
||||
|
258
SOURCES/0026-curl-7.61.1-CVE-2020-8285.patch
Normal file
258
SOURCES/0026-curl-7.61.1-CVE-2020-8285.patch
Normal file
@ -0,0 +1,258 @@
|
||||
From 22b3d1cf0216f4369f01678c587da265c2e465af Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Sat, 28 Nov 2020 00:27:21 +0100
|
||||
Subject: [PATCH] ftp: make wc_statemach loop instead of recurse
|
||||
|
||||
CVE-2020-8285
|
||||
|
||||
Fixes #6255
|
||||
Bug: https://curl.se/docs/CVE-2020-8285.html
|
||||
Reported-by: xnynx on github
|
||||
|
||||
Upstream-commit: 69a358f2186e04cf44698b5100332cbf1ee7f01d
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/ftp.c | 204 +++++++++++++++++++++++++++---------------------------
|
||||
1 file changed, 103 insertions(+), 101 deletions(-)
|
||||
|
||||
diff --git a/lib/ftp.c b/lib/ftp.c
|
||||
index 7dbf080..482ab3a 100644
|
||||
--- a/lib/ftp.c
|
||||
+++ b/lib/ftp.c
|
||||
@@ -3786,130 +3786,132 @@ static CURLcode init_wc_data(struct connectdata *conn)
|
||||
return result;
|
||||
}
|
||||
|
||||
-/* This is called recursively */
|
||||
static CURLcode wc_statemach(struct connectdata *conn)
|
||||
{
|
||||
struct WildcardData * const wildcard = &(conn->data->wildcard);
|
||||
CURLcode result = CURLE_OK;
|
||||
|
||||
- switch(wildcard->state) {
|
||||
- case CURLWC_INIT:
|
||||
- result = init_wc_data(conn);
|
||||
- if(wildcard->state == CURLWC_CLEAN)
|
||||
- /* only listing! */
|
||||
- break;
|
||||
- wildcard->state = result ? CURLWC_ERROR : CURLWC_MATCHING;
|
||||
- break;
|
||||
+ for(;;) {
|
||||
+ switch(wildcard->state) {
|
||||
+ case CURLWC_INIT:
|
||||
+ result = init_wc_data(conn);
|
||||
+ if(wildcard->state == CURLWC_CLEAN)
|
||||
+ /* only listing! */
|
||||
+ return result;
|
||||
+ wildcard->state = result ? CURLWC_ERROR : CURLWC_MATCHING;
|
||||
+ return result;
|
||||
|
||||
- case CURLWC_MATCHING: {
|
||||
- /* In this state is LIST response successfully parsed, so lets restore
|
||||
- previous WRITEFUNCTION callback and WRITEDATA pointer */
|
||||
- struct ftp_wc *ftpwc = wildcard->protdata;
|
||||
- conn->data->set.fwrite_func = ftpwc->backup.write_function;
|
||||
- conn->data->set.out = ftpwc->backup.file_descriptor;
|
||||
- ftpwc->backup.write_function = ZERO_NULL;
|
||||
- ftpwc->backup.file_descriptor = NULL;
|
||||
- wildcard->state = CURLWC_DOWNLOADING;
|
||||
-
|
||||
- if(Curl_ftp_parselist_geterror(ftpwc->parser)) {
|
||||
- /* error found in LIST parsing */
|
||||
- wildcard->state = CURLWC_CLEAN;
|
||||
- return wc_statemach(conn);
|
||||
- }
|
||||
- if(wildcard->filelist.size == 0) {
|
||||
- /* no corresponding file */
|
||||
- wildcard->state = CURLWC_CLEAN;
|
||||
- return CURLE_REMOTE_FILE_NOT_FOUND;
|
||||
+ case CURLWC_MATCHING: {
|
||||
+ /* In this state is LIST response successfully parsed, so lets restore
|
||||
+ previous WRITEFUNCTION callback and WRITEDATA pointer */
|
||||
+ struct ftp_wc *ftpwc = wildcard->protdata;
|
||||
+ conn->data->set.fwrite_func = ftpwc->backup.write_function;
|
||||
+ conn->data->set.out = ftpwc->backup.file_descriptor;
|
||||
+ ftpwc->backup.write_function = ZERO_NULL;
|
||||
+ ftpwc->backup.file_descriptor = NULL;
|
||||
+ wildcard->state = CURLWC_DOWNLOADING;
|
||||
+
|
||||
+ if(Curl_ftp_parselist_geterror(ftpwc->parser)) {
|
||||
+ /* error found in LIST parsing */
|
||||
+ wildcard->state = CURLWC_CLEAN;
|
||||
+ continue;
|
||||
+ }
|
||||
+ if(wildcard->filelist.size == 0) {
|
||||
+ /* no corresponding file */
|
||||
+ wildcard->state = CURLWC_CLEAN;
|
||||
+ return CURLE_REMOTE_FILE_NOT_FOUND;
|
||||
+ }
|
||||
+ continue;
|
||||
}
|
||||
- return wc_statemach(conn);
|
||||
- }
|
||||
|
||||
- case CURLWC_DOWNLOADING: {
|
||||
- /* filelist has at least one file, lets get first one */
|
||||
- struct ftp_conn *ftpc = &conn->proto.ftpc;
|
||||
- struct curl_fileinfo *finfo = wildcard->filelist.head->ptr;
|
||||
+ case CURLWC_DOWNLOADING: {
|
||||
+ /* filelist has at least one file, lets get first one */
|
||||
+ struct ftp_conn *ftpc = &conn->proto.ftpc;
|
||||
+ struct curl_fileinfo *finfo = wildcard->filelist.head->ptr;
|
||||
|
||||
- char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename);
|
||||
- if(!tmp_path)
|
||||
- return CURLE_OUT_OF_MEMORY;
|
||||
+ char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename);
|
||||
+ if(!tmp_path)
|
||||
+ return CURLE_OUT_OF_MEMORY;
|
||||
|
||||
- /* switch default "state.pathbuffer" and tmp_path, good to see
|
||||
- ftp_parse_url_path function to understand this trick */
|
||||
- Curl_safefree(conn->data->state.pathbuffer);
|
||||
- conn->data->state.pathbuffer = tmp_path;
|
||||
- conn->data->state.path = tmp_path;
|
||||
-
|
||||
- infof(conn->data, "Wildcard - START of \"%s\"\n", finfo->filename);
|
||||
- if(conn->data->set.chunk_bgn) {
|
||||
- long userresponse;
|
||||
- Curl_set_in_callback(conn->data, true);
|
||||
- userresponse = conn->data->set.chunk_bgn(
|
||||
- finfo, wildcard->customptr, (int)wildcard->filelist.size);
|
||||
- Curl_set_in_callback(conn->data, false);
|
||||
- switch(userresponse) {
|
||||
- case CURL_CHUNK_BGN_FUNC_SKIP:
|
||||
- infof(conn->data, "Wildcard - \"%s\" skipped by user\n",
|
||||
- finfo->filename);
|
||||
- wildcard->state = CURLWC_SKIP;
|
||||
- return wc_statemach(conn);
|
||||
- case CURL_CHUNK_BGN_FUNC_FAIL:
|
||||
- return CURLE_CHUNK_FAILED;
|
||||
+ /* switch default "state.pathbuffer" and tmp_path, good to see
|
||||
+ ftp_parse_url_path function to understand this trick */
|
||||
+ Curl_safefree(conn->data->state.pathbuffer);
|
||||
+ conn->data->state.pathbuffer = tmp_path;
|
||||
+ conn->data->state.path = tmp_path;
|
||||
+
|
||||
+ infof(conn->data, "Wildcard - START of \"%s\"\n", finfo->filename);
|
||||
+ if(conn->data->set.chunk_bgn) {
|
||||
+ long userresponse;
|
||||
+ Curl_set_in_callback(conn->data, true);
|
||||
+ userresponse = conn->data->set.chunk_bgn(
|
||||
+ finfo, wildcard->customptr, (int)wildcard->filelist.size);
|
||||
+ Curl_set_in_callback(conn->data, false);
|
||||
+ switch(userresponse) {
|
||||
+ case CURL_CHUNK_BGN_FUNC_SKIP:
|
||||
+ infof(conn->data, "Wildcard - \"%s\" skipped by user\n",
|
||||
+ finfo->filename);
|
||||
+ wildcard->state = CURLWC_SKIP;
|
||||
+ continue;
|
||||
+ case CURL_CHUNK_BGN_FUNC_FAIL:
|
||||
+ return CURLE_CHUNK_FAILED;
|
||||
+ }
|
||||
}
|
||||
- }
|
||||
|
||||
- if(finfo->filetype != CURLFILETYPE_FILE) {
|
||||
- wildcard->state = CURLWC_SKIP;
|
||||
- return wc_statemach(conn);
|
||||
- }
|
||||
+ if(finfo->filetype != CURLFILETYPE_FILE) {
|
||||
+ wildcard->state = CURLWC_SKIP;
|
||||
+ continue;
|
||||
+ }
|
||||
|
||||
- if(finfo->flags & CURLFINFOFLAG_KNOWN_SIZE)
|
||||
- ftpc->known_filesize = finfo->size;
|
||||
+ if(finfo->flags & CURLFINFOFLAG_KNOWN_SIZE)
|
||||
+ ftpc->known_filesize = finfo->size;
|
||||
|
||||
- result = ftp_parse_url_path(conn);
|
||||
- if(result)
|
||||
- return result;
|
||||
+ result = ftp_parse_url_path(conn);
|
||||
+ if(result)
|
||||
+ return result;
|
||||
|
||||
- /* we don't need the Curl_fileinfo of first file anymore */
|
||||
- Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
|
||||
+ /* we don't need the Curl_fileinfo of first file anymore */
|
||||
+ Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
|
||||
|
||||
- if(wildcard->filelist.size == 0) { /* remains only one file to down. */
|
||||
- wildcard->state = CURLWC_CLEAN;
|
||||
- /* after that will be ftp_do called once again and no transfer
|
||||
- will be done because of CURLWC_CLEAN state */
|
||||
- return CURLE_OK;
|
||||
+ if(wildcard->filelist.size == 0) { /* remains only one file to down. */
|
||||
+ wildcard->state = CURLWC_CLEAN;
|
||||
+ /* after that will be ftp_do called once again and no transfer
|
||||
+ will be done because of CURLWC_CLEAN state */
|
||||
+ return CURLE_OK;
|
||||
+ }
|
||||
+ return result;
|
||||
}
|
||||
- } break;
|
||||
|
||||
- case CURLWC_SKIP: {
|
||||
- if(conn->data->set.chunk_end) {
|
||||
- Curl_set_in_callback(conn->data, true);
|
||||
- conn->data->set.chunk_end(conn->data->wildcard.customptr);
|
||||
- Curl_set_in_callback(conn->data, false);
|
||||
+ case CURLWC_SKIP: {
|
||||
+ if(conn->data->set.chunk_end) {
|
||||
+ Curl_set_in_callback(conn->data, true);
|
||||
+ conn->data->set.chunk_end(conn->data->wildcard.customptr);
|
||||
+ Curl_set_in_callback(conn->data, false);
|
||||
+ }
|
||||
+ Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
|
||||
+ wildcard->state = (wildcard->filelist.size == 0) ?
|
||||
+ CURLWC_CLEAN : CURLWC_DOWNLOADING;
|
||||
+ continue;
|
||||
}
|
||||
- Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
|
||||
- wildcard->state = (wildcard->filelist.size == 0) ?
|
||||
- CURLWC_CLEAN : CURLWC_DOWNLOADING;
|
||||
- return wc_statemach(conn);
|
||||
- }
|
||||
|
||||
- case CURLWC_CLEAN: {
|
||||
- struct ftp_wc *ftpwc = wildcard->protdata;
|
||||
- result = CURLE_OK;
|
||||
- if(ftpwc)
|
||||
- result = Curl_ftp_parselist_geterror(ftpwc->parser);
|
||||
+ case CURLWC_CLEAN: {
|
||||
+ struct ftp_wc *ftpwc = wildcard->protdata;
|
||||
+ result = CURLE_OK;
|
||||
+ if(ftpwc)
|
||||
+ result = Curl_ftp_parselist_geterror(ftpwc->parser);
|
||||
|
||||
- wildcard->state = result ? CURLWC_ERROR : CURLWC_DONE;
|
||||
- } break;
|
||||
+ wildcard->state = result ? CURLWC_ERROR : CURLWC_DONE;
|
||||
+ return result;
|
||||
+ }
|
||||
|
||||
- case CURLWC_DONE:
|
||||
- case CURLWC_ERROR:
|
||||
- case CURLWC_CLEAR:
|
||||
- if(wildcard->dtor)
|
||||
- wildcard->dtor(wildcard->protdata);
|
||||
- break;
|
||||
+ case CURLWC_DONE:
|
||||
+ case CURLWC_ERROR:
|
||||
+ case CURLWC_CLEAR:
|
||||
+ if(wildcard->dtor)
|
||||
+ wildcard->dtor(wildcard->protdata);
|
||||
+ return result;
|
||||
+ }
|
||||
}
|
||||
-
|
||||
- return result;
|
||||
+ /* UNREACHABLE */
|
||||
}
|
||||
|
||||
/***********************************************************************
|
||||
--
|
||||
2.26.2
|
||||
|
129
SOURCES/0027-curl-7.61.1-CVE-2020-8286.patch
Normal file
129
SOURCES/0027-curl-7.61.1-CVE-2020-8286.patch
Normal file
@ -0,0 +1,129 @@
|
||||
From 2470bc91f62cc9b0ab1deac60a67f87b7cc95f6e Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Wed, 2 Dec 2020 23:01:11 +0100
|
||||
Subject: [PATCH] openssl: make the OCSP verification verify the certificate id
|
||||
|
||||
CVE-2020-8286
|
||||
|
||||
Reported by anonymous
|
||||
|
||||
Bug: https://curl.se/docs/CVE-2020-8286.html
|
||||
|
||||
Upstream-commit: d9d01672785b8ac04aab1abb6de95fe3072ae199
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/vtls/openssl.c | 83 ++++++++++++++++++++++++++++++----------------
|
||||
1 file changed, 54 insertions(+), 29 deletions(-)
|
||||
|
||||
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||
index 9476773..35cd652 100644
|
||||
--- a/lib/vtls/openssl.c
|
||||
+++ b/lib/vtls/openssl.c
|
||||
@@ -1659,6 +1659,11 @@ static CURLcode verifystatus(struct connectdata *conn,
|
||||
OCSP_BASICRESP *br = NULL;
|
||||
X509_STORE *st = NULL;
|
||||
STACK_OF(X509) *ch = NULL;
|
||||
+ X509 *cert;
|
||||
+ OCSP_CERTID *id = NULL;
|
||||
+ int cert_status, crl_reason;
|
||||
+ ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
|
||||
+ int ret;
|
||||
|
||||
long len = SSL_get_tlsext_status_ocsp_resp(BACKEND->handle, &p);
|
||||
|
||||
@@ -1727,43 +1732,63 @@ static CURLcode verifystatus(struct connectdata *conn,
|
||||
goto end;
|
||||
}
|
||||
|
||||
- for(i = 0; i < OCSP_resp_count(br); i++) {
|
||||
- int cert_status, crl_reason;
|
||||
- OCSP_SINGLERESP *single = NULL;
|
||||
-
|
||||
- ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
|
||||
+ /* Compute the certificate's ID */
|
||||
+ cert = SSL_get_peer_certificate(BACKEND->handle);
|
||||
+ if(!cert) {
|
||||
+ failf(data, "Error getting peer certficate");
|
||||
+ result = CURLE_SSL_INVALIDCERTSTATUS;
|
||||
+ goto end;
|
||||
+ }
|
||||
|
||||
- single = OCSP_resp_get0(br, i);
|
||||
- if(!single)
|
||||
- continue;
|
||||
+ for(i = 0; i < sk_X509_num(ch); i++) {
|
||||
+ X509 *issuer = sk_X509_value(ch, i);
|
||||
+ if(X509_check_issued(issuer, cert) == X509_V_OK) {
|
||||
+ id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ X509_free(cert);
|
||||
|
||||
- cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
|
||||
- &thisupd, &nextupd);
|
||||
+ if(!id) {
|
||||
+ failf(data, "Error computing OCSP ID");
|
||||
+ result = CURLE_SSL_INVALIDCERTSTATUS;
|
||||
+ goto end;
|
||||
+ }
|
||||
|
||||
- if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
|
||||
- failf(data, "OCSP response has expired");
|
||||
- result = CURLE_SSL_INVALIDCERTSTATUS;
|
||||
- goto end;
|
||||
- }
|
||||
+ /* Find the single OCSP response corresponding to the certificate ID */
|
||||
+ ret = OCSP_resp_find_status(br, id, &cert_status, &crl_reason, &rev,
|
||||
+ &thisupd, &nextupd);
|
||||
+ OCSP_CERTID_free(id);
|
||||
+ if(ret != 1) {
|
||||
+ failf(data, "Could not find certificate ID in OCSP response");
|
||||
+ result = CURLE_SSL_INVALIDCERTSTATUS;
|
||||
+ goto end;
|
||||
+ }
|
||||
|
||||
- infof(data, "SSL certificate status: %s (%d)\n",
|
||||
- OCSP_cert_status_str(cert_status), cert_status);
|
||||
+ /* Validate the corresponding single OCSP response */
|
||||
+ if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
|
||||
+ failf(data, "OCSP response has expired");
|
||||
+ result = CURLE_SSL_INVALIDCERTSTATUS;
|
||||
+ goto end;
|
||||
+ }
|
||||
|
||||
- switch(cert_status) {
|
||||
- case V_OCSP_CERTSTATUS_GOOD:
|
||||
- break;
|
||||
+ infof(data, "SSL certificate status: %s (%d)\n",
|
||||
+ OCSP_cert_status_str(cert_status), cert_status);
|
||||
|
||||
- case V_OCSP_CERTSTATUS_REVOKED:
|
||||
- result = CURLE_SSL_INVALIDCERTSTATUS;
|
||||
+ switch(cert_status) {
|
||||
+ case V_OCSP_CERTSTATUS_GOOD:
|
||||
+ break;
|
||||
|
||||
- failf(data, "SSL certificate revocation reason: %s (%d)",
|
||||
- OCSP_crl_reason_str(crl_reason), crl_reason);
|
||||
- goto end;
|
||||
+ case V_OCSP_CERTSTATUS_REVOKED:
|
||||
+ result = CURLE_SSL_INVALIDCERTSTATUS;
|
||||
+ failf(data, "SSL certificate revocation reason: %s (%d)",
|
||||
+ OCSP_crl_reason_str(crl_reason), crl_reason);
|
||||
+ goto end;
|
||||
|
||||
- case V_OCSP_CERTSTATUS_UNKNOWN:
|
||||
- result = CURLE_SSL_INVALIDCERTSTATUS;
|
||||
- goto end;
|
||||
- }
|
||||
+ case V_OCSP_CERTSTATUS_UNKNOWN:
|
||||
+ default:
|
||||
+ result = CURLE_SSL_INVALIDCERTSTATUS;
|
||||
+ goto end;
|
||||
}
|
||||
|
||||
end:
|
||||
--
|
||||
2.26.2
|
||||
|
63
SOURCES/0028-curl-7.61.1-http-auth-payload.patch
Normal file
63
SOURCES/0028-curl-7.61.1-http-auth-payload.patch
Normal file
@ -0,0 +1,63 @@
|
||||
From 5a51924c2505c1d5616904aa732fdaedd74d3ffe Mon Sep 17 00:00:00 2001
|
||||
From: Marc Schlatter <mschlatter@gestour.com>
|
||||
Date: Mon, 11 Mar 2019 17:15:34 +0100
|
||||
Subject: [PATCH] http: send payload when (proxy) authentication is done
|
||||
|
||||
The check that prevents payload from sending in case of authentication
|
||||
doesn't check properly if the authentication is done or not.
|
||||
|
||||
They're cases where the proxy respond "200 OK" before sending
|
||||
authentication challenge. This change takes care of that.
|
||||
|
||||
Fixes #2431
|
||||
Closes #3669
|
||||
|
||||
Upstream-commit: dd8a19f8a05b59394d1ab33c09497e8db884742a
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/http.c | 3 ++-
|
||||
tests/data/test1097 | 5 +++--
|
||||
2 files changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/lib/http.c b/lib/http.c
|
||||
index e727ed8..26eb52d 100644
|
||||
--- a/lib/http.c
|
||||
+++ b/lib/http.c
|
||||
@@ -1991,7 +1991,8 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
|
||||
if(result)
|
||||
return result;
|
||||
|
||||
- if((data->state.authhost.multipass || data->state.authproxy.multipass) &&
|
||||
+ if(((data->state.authhost.multipass && !data->state.authhost.done)
|
||||
+ || (data->state.authproxy.multipass && !data->state.authproxy.done)) &&
|
||||
(httpreq != HTTPREQ_GET) &&
|
||||
(httpreq != HTTPREQ_HEAD)) {
|
||||
/* Auth is required and we are not authenticated yet. Make a PUT or POST
|
||||
diff --git a/tests/data/test1097 b/tests/data/test1097
|
||||
index 7512a2e..7eb7b5f 100644
|
||||
--- a/tests/data/test1097
|
||||
+++ b/tests/data/test1097
|
||||
@@ -60,7 +60,7 @@ http://test.a.galaxy.far.far.away.1097:%HTTPPORT/1097 --proxy http://%HOSTIP:%HT
|
||||
<strip>
|
||||
^User-Agent: curl/.*
|
||||
</strip>
|
||||
-<protocol>
|
||||
+<protocol nonewline="yes">
|
||||
CONNECT test.a.galaxy.far.far.away.1097:%HTTPPORT HTTP/1.1
|
||||
Host: test.a.galaxy.far.far.away.1097:%HTTPPORT
|
||||
Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
|
||||
@@ -71,9 +71,10 @@ POST /1097 HTTP/1.1
|
||||
User-Agent: curl/7.19.5-CVS (i686-pc-linux-gnu) libcurl/7.19.5-CVS OpenSSL/0.9.8g zlib/1.2.3.3 c-ares/1.6.1-CVS libidn/1.12 libssh2/1.0.1_CVS
|
||||
Host: test.a.galaxy.far.far.away.1097:%HTTPPORT
|
||||
Accept: */*
|
||||
-Content-Length: 0
|
||||
+Content-Length: 11
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
+dummy=value
|
||||
</protocol>
|
||||
|
||||
</verify>
|
||||
--
|
||||
2.26.2
|
||||
|
71
SOURCES/0105-curl-7.61.1-test-ports.patch
Normal file
71
SOURCES/0105-curl-7.61.1-test-ports.patch
Normal file
@ -0,0 +1,71 @@
|
||||
From e6507a9abbfd4ac93ea3053c8f3385a2405f19d8 Mon Sep 17 00:00:00 2001
|
||||
From: Kamil Dudka <kdudka@redhat.com>
|
||||
Date: Fri, 29 Jan 2021 11:34:49 +0100
|
||||
Subject: [PATCH] tests: do not hard-wire ports of test servers
|
||||
|
||||
---
|
||||
tests/data/test1448 | 4 ++--
|
||||
tests/data/test651 | 2 +-
|
||||
tests/data/test653 | 4 ++--
|
||||
3 files changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/tests/data/test1448 b/tests/data/test1448
|
||||
index e04f47b..5022ef9 100644
|
||||
--- a/tests/data/test1448
|
||||
+++ b/tests/data/test1448
|
||||
@@ -17,7 +17,7 @@ HTTP/1.1 302 OK swsbounce
|
||||
Date: Thu, 09 Nov 2010 14:49:00 GMT
|
||||
Content-Length: 9
|
||||
Content-Type: text/plain
|
||||
-Location: http://åäö.se:8990/14480001
|
||||
+Location: http://åäö.se:%HTTPPORT/14480001
|
||||
|
||||
redirect
|
||||
</data>
|
||||
@@ -52,7 +52,7 @@ Redirect following to UTF-8 IDN host name
|
||||
</name>
|
||||
|
||||
<command>
|
||||
-http://åäö.se:%HTTPPORT/1448 --resolve xn--4cab6c.se:%HTTPPORT:%HOSTIP -L --connect-to %HOSTIP:8990:%HOSTIP:%HTTPPORT
|
||||
+http://åäö.se:%HTTPPORT/1448 --resolve xn--4cab6c.se:%HTTPPORT:%HOSTIP -L --connect-to %HOSTIP:%HTTPPORT:%HOSTIP:%HTTPPORT
|
||||
</command>
|
||||
</client>
|
||||
|
||||
diff --git a/tests/data/test651 b/tests/data/test651
|
||||
index b00ca5d..8d47c9f 100644
|
||||
--- a/tests/data/test651
|
||||
+++ b/tests/data/test651
|
||||
@@ -57,7 +57,7 @@ s/boundary=------------------------[a-z0-9]*/boundary=--------------------------
|
||||
# (5*12) == 60 bytes less
|
||||
<protocol>
|
||||
POST /651 HTTP/1.1
|
||||
-Host: 127.0.0.1:8990
|
||||
+Host: 127.0.0.1:%HTTPPORT
|
||||
Accept: */*
|
||||
Content-Length: 17139
|
||||
Content-Type: multipart/form-data; boundary=----------------------------
|
||||
diff --git a/tests/data/test653 b/tests/data/test653
|
||||
index d620b57..492d551 100644
|
||||
--- a/tests/data/test653
|
||||
+++ b/tests/data/test653
|
||||
@@ -67,7 +67,7 @@ s/boundary=------------------------[a-z0-9]*/boundary=--------------------------
|
||||
# (5*12) == 60 bytes less
|
||||
<protocol>
|
||||
POST /653 HTTP/1.1
|
||||
-Host: 127.0.0.1:8990
|
||||
+Host: 127.0.0.1:%HTTPPORT
|
||||
Accept: */*
|
||||
Content-Length: 150
|
||||
Content-Type: multipart/form-data; boundary=----------------------------
|
||||
@@ -78,7 +78,7 @@ Content-Disposition: form-data; name="name"
|
||||
short value
|
||||
--------------------------------
|
||||
POST /653 HTTP/1.1
|
||||
-Host: 127.0.0.1:8990
|
||||
+Host: 127.0.0.1:%HTTPPORT
|
||||
Accept: */*
|
||||
Content-Length: 167
|
||||
Content-Type: multipart/form-data; boundary=----------------------------
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,7 +1,7 @@
|
||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||
Name: curl
|
||||
Version: 7.61.1
|
||||
Release: 14%{?dist}.1
|
||||
Release: 18%{?dist}
|
||||
License: MIT
|
||||
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
|
||||
|
||||
@ -58,9 +58,27 @@ Patch20: 0020-curl-7.61.1-openssl-engines.patch
|
||||
# avoid overwriting a local file with -J (CVE-2020-8177)
|
||||
Patch21: 0021-curl-7.61.1-CVE-2020-8177.patch
|
||||
|
||||
# libcurl: wrong connect-only connection (CVE-2020-8231)
|
||||
Patch22: 0022-curl-7.61.1-CVE-2020-8231.patch
|
||||
|
||||
# do not crash when HTTPS_PROXY and NO_PROXY are used together (#1873327)
|
||||
Patch23: 0023-curl-7.61.1-no-https-proxy-crash.patch
|
||||
|
||||
# validate an ssl connection using an intermediate certificate (#1895355)
|
||||
Patch24: 0024-curl-7.61.1-openssl-partial-chain.patch
|
||||
|
||||
# curl: trusting FTP PASV responses (CVE-2020-8284)
|
||||
Patch25: 0025-curl-7.61.1-CVE-2020-8284.patch
|
||||
|
||||
# libcurl: FTP wildcard stack overflow (CVE-2020-8285)
|
||||
Patch26: 0026-curl-7.61.1-CVE-2020-8285.patch
|
||||
|
||||
# curl: Inferior OCSP verification (CVE-2020-8286)
|
||||
Patch27: 0027-curl-7.61.1-CVE-2020-8286.patch
|
||||
|
||||
# http: send payload when (proxy) authentication is done (#1918692)
|
||||
Patch28: 0028-curl-7.61.1-http-auth-payload.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
@ -73,6 +91,9 @@ Patch103: 0103-curl-7.59.0-python3.patch
|
||||
# use localhost6 instead of ip6-localhost in the curl test-suite
|
||||
Patch104: 0104-curl-7.19.7-localhost6.patch
|
||||
|
||||
# tests: do not hard-wire ports of test servers
|
||||
Patch105: 0105-curl-7.61.1-test-ports.patch
|
||||
|
||||
Provides: curl-full = %{version}-%{release}
|
||||
Provides: webclient
|
||||
URL: https://curl.haxx.se/
|
||||
@ -204,7 +225,7 @@ Summary: Conservatively configured build of libcurl for minimal installations
|
||||
Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}
|
||||
Provides: libcurl = %{version}-%{release}
|
||||
Provides: libcurl%{?_isa} = %{version}-%{release}
|
||||
Conflicts: libcurl
|
||||
Conflicts: libcurl%{?_isa}
|
||||
RemovePathPostfixes: .minimal
|
||||
# needed for RemovePathPostfixes to work with shared libraries
|
||||
%undefine __brp_ldconfig
|
||||
@ -239,13 +260,24 @@ git apply %{PATCH4}
|
||||
%patch103 -p1
|
||||
%patch104 -p1
|
||||
|
||||
# use different port range for 32bit and 64bit builds, thus make it possible
|
||||
# to run both the builds in parallel on the same machine
|
||||
%patch105 -p1
|
||||
sed -e 's|%%HTTPPORT|%{?__isa_bits}90|g' -i tests/data/test1448
|
||||
|
||||
# upstream patches
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
%patch20 -p1
|
||||
%patch21 -p1
|
||||
%patch22 -p1
|
||||
%patch23 -p1
|
||||
%patch24 -p1
|
||||
%patch25 -p1
|
||||
%patch26 -p1
|
||||
%patch27 -p1
|
||||
%patch28 -p1
|
||||
|
||||
# make tests/*.py use Python 3
|
||||
sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
|
||||
@ -338,7 +370,10 @@ export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX
|
||||
export OPENSSL_CONF=
|
||||
|
||||
# run the upstream test-suite
|
||||
srcdir=../../tests perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky'
|
||||
# use different port range for 32bit and 64bit builds, thus make it possible
|
||||
# to run both the builds in parallel on the same machine
|
||||
export srcdir=../../tests
|
||||
perl -I${srcdir} ${srcdir}/runtests.pl -b%{?__isa_bits}90 -a -p -v '!flaky'
|
||||
|
||||
%install
|
||||
# install and rename the library that will be packaged as libcurl-minimal
|
||||
@ -406,8 +441,21 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||
|
||||
%changelog
|
||||
* Mon Nov 23 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-14.el8_3.1
|
||||
* Thu Jan 28 2021 Kamil Dudka <kdudka@redhat.com> - 7.61.1-18
|
||||
- http: send payload when (proxy) authentication is done (#1918692)
|
||||
- curl: Inferior OCSP verification (CVE-2020-8286)
|
||||
- libcurl: FTP wildcard stack overflow (CVE-2020-8285)
|
||||
- curl: trusting FTP PASV responses (CVE-2020-8284)
|
||||
|
||||
* Thu Nov 12 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-17
|
||||
- validate an ssl connection using an intermediate certificate (#1895355)
|
||||
|
||||
* Fri Nov 06 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-16
|
||||
- fix multiarch conflicts in libcurl-minimal (#1895391)
|
||||
|
||||
* Tue Nov 03 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-15
|
||||
- do not crash when HTTPS_PROXY and NO_PROXY are used together (#1873327)
|
||||
- libcurl: wrong connect-only connection (CVE-2020-8231)
|
||||
|
||||
* Tue Jul 28 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-14
|
||||
- avoid overwriting a local file with -J (CVE-2020-8177)
|
||||
|
Loading…
Reference in New Issue
Block a user