new upstream release - 7.85.0
Resolves: CVE-2022-35252 - control code in cookie denial of service
parent
f58874c271
commit
1322e86ddb
@ -1,32 +0,0 @@
|
||||
From 711902d9e591947d5d8ec9568beab0c7d36b7dd0 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Mon, 27 Jun 2022 08:46:21 +0200
|
||||
Subject: [PATCH] easy_lock.h: include sched.h if available to fix build
|
||||
|
||||
Patched-by: Harry Sintonen
|
||||
|
||||
Closes #9054
|
||||
|
||||
Upstream-commit: e2e7f54b7bea521fa8373095d0f43261a720cda0
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/easy_lock.h | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/lib/easy_lock.h b/lib/easy_lock.h
|
||||
index 819f50c..1f54289 100644
|
||||
--- a/lib/easy_lock.h
|
||||
+++ b/lib/easy_lock.h
|
||||
@@ -36,6 +36,9 @@
|
||||
|
||||
#elif defined (HAVE_ATOMIC)
|
||||
#include <stdatomic.h>
|
||||
+#if defined(HAVE_SCHED_YIELD)
|
||||
+#include <sched.h>
|
||||
+#endif
|
||||
|
||||
#define curl_simple_lock atomic_bool
|
||||
#define CURL_SIMPLE_LOCK_INIT false
|
||||
--
|
||||
2.35.3
|
||||
|
@ -1,156 +0,0 @@
|
||||
From 221905eca9fb4b82822b6a14ef6d82c98c5702d9 Mon Sep 17 00:00:00 2001
|
||||
From: Jay Satiro <raysatiro@yahoo.com>
|
||||
Date: Thu, 25 Aug 2022 03:46:42 -0400
|
||||
Subject: [PATCH] tests: fix http2 tests to use CRLF headers
|
||||
|
||||
Prior to this change some tests that rely on nghttpx proxy did not use
|
||||
CRLF headers everywhere. Recent changes in nghttp2 (??? ref here)
|
||||
requires curl's HTTP/1.1 test server to use CRLF headers.
|
||||
|
||||
Fixes https://github.com/curl/curl/issues/9364
|
||||
Closes https://github.com/curl/curl/pull/9365
|
||||
---
|
||||
tests/data/test1700 | 34 +++++++++++++++++-----------------
|
||||
tests/data/test1701 | 22 +++++++++++-----------
|
||||
tests/data/test358 | 16 ++++++++--------
|
||||
tests/data/test359 | 16 ++++++++--------
|
||||
4 files changed, 44 insertions(+), 44 deletions(-)
|
||||
|
||||
diff --git a/tests/data/test1700 b/tests/data/test1700
|
||||
index 8b1ef4ae3..7f78bcf5f 100644
|
||||
--- a/tests/data/test1700
|
||||
+++ b/tests/data/test1700
|
||||
@@ -11,26 +11,26 @@ HTTP/2
|
||||
# Server-side
|
||||
<reply>
|
||||
<data nocheck="yes">
|
||||
-HTTP/1.1 200 OK
|
||||
-Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||
-Server: test-server/fake
|
||||
-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
|
||||
-ETag: "21025-dc7-39462498"
|
||||
-Accept-Ranges: bytes
|
||||
-Content-Length: 6
|
||||
-Connection: close
|
||||
-Content-Type: text/html
|
||||
-Funny-head: yesyes
|
||||
-
|
||||
+HTTP/1.1 200 OK
|
||||
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||
+Server: test-server/fake
|
||||
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
|
||||
+ETag: "21025-dc7-39462498"
|
||||
+Accept-Ranges: bytes
|
||||
+Content-Length: 6
|
||||
+Connection: close
|
||||
+Content-Type: text/html
|
||||
+Funny-head: yesyes
|
||||
+
|
||||
-foo-
|
||||
</data>
|
||||
<data1>
|
||||
-HTTP/1.1 200 OK
|
||||
-Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||
-Content-Length: 6
|
||||
-Connection: close
|
||||
-Content-Type: text/html
|
||||
-
|
||||
+HTTP/1.1 200 OK
|
||||
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||
+Content-Length: 6
|
||||
+Connection: close
|
||||
+Content-Type: text/html
|
||||
+
|
||||
-maa-
|
||||
</data1>
|
||||
</reply>
|
||||
diff --git a/tests/data/test1701 b/tests/data/test1701
|
||||
index 3c1a2bd0b..22f6147d0 100644
|
||||
--- a/tests/data/test1701
|
||||
+++ b/tests/data/test1701
|
||||
@@ -11,17 +11,17 @@ HTTP/2
|
||||
# Server-side
|
||||
<reply>
|
||||
<data nocheck="yes">
|
||||
-HTTP/1.1 200 OK
|
||||
-Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||
-Server: test-server/fake
|
||||
-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
|
||||
-ETag: "21025-dc7-39462498"
|
||||
-Accept-Ranges: bytes
|
||||
-Content-Length: 6
|
||||
-Connection: close
|
||||
-Content-Type: text/html
|
||||
-Funny-head: yesyes
|
||||
-
|
||||
+HTTP/1.1 200 OK
|
||||
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||
+Server: test-server/fake
|
||||
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
|
||||
+ETag: "21025-dc7-39462498"
|
||||
+Accept-Ranges: bytes
|
||||
+Content-Length: 6
|
||||
+Connection: close
|
||||
+Content-Type: text/html
|
||||
+Funny-head: yesyes
|
||||
+
|
||||
-foo-
|
||||
</data>
|
||||
</reply>
|
||||
diff --git a/tests/data/test358 b/tests/data/test358
|
||||
index 8b4f66062..0f8a9801b 100644
|
||||
--- a/tests/data/test358
|
||||
+++ b/tests/data/test358
|
||||
@@ -12,14 +12,14 @@ HTTP/2
|
||||
# Server-side
|
||||
<reply>
|
||||
<data nocheck="yes">
|
||||
-HTTP/1.1 200 OK
|
||||
-Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||
-Content-Length: 6
|
||||
-Connection: close
|
||||
-Content-Type: text/html
|
||||
-Funny-head: yesyes
|
||||
-Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0
|
||||
-
|
||||
+HTTP/1.1 200 OK
|
||||
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||
+Content-Length: 6
|
||||
+Connection: close
|
||||
+Content-Type: text/html
|
||||
+Funny-head: yesyes
|
||||
+Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0
|
||||
+
|
||||
-foo-
|
||||
</data>
|
||||
</reply>
|
||||
diff --git a/tests/data/test359 b/tests/data/test359
|
||||
index a5ba4e3ae..0e684e39e 100644
|
||||
--- a/tests/data/test359
|
||||
+++ b/tests/data/test359
|
||||
@@ -12,14 +12,14 @@ HTTP/2
|
||||
# Server-side
|
||||
<reply>
|
||||
<data nocheck="yes">
|
||||
-HTTP/1.1 200 OK
|
||||
-Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||
-Content-Length: 6
|
||||
-Connection: close
|
||||
-Content-Type: text/html
|
||||
-Funny-head: yesyes
|
||||
-Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0
|
||||
-
|
||||
+HTTP/1.1 200 OK
|
||||
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||
+Content-Length: 6
|
||||
+Connection: close
|
||||
+Content-Type: text/html
|
||||
+Funny-head: yesyes
|
||||
+Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0
|
||||
+
|
||||
-foo-
|
||||
</data>
|
||||
</reply>
|
||||
--
|
||||
2.37.1
|
||||
|
@ -44,7 +44,7 @@ index 150004d..95d0759 100644
|
||||
|
||||
--static-libs)
|
||||
- if test "X@ENABLE_STATIC@" != "Xno" ; then
|
||||
- echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@
|
||||
- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@
|
||||
- else
|
||||
- echo "curl was built with static libraries disabled" >&2
|
||||
- exit 1
|
||||
|
@ -34,8 +34,9 @@ It fails on x86_64 with:
|
||||
[...]
|
||||
```
|
||||
---
|
||||
tests/data/test3026 | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
tests/data/test3026 | 3 +++
|
||||
tests/libtest/lib3026.c | 4 ++--
|
||||
2 files changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/tests/data/test3026 b/tests/data/test3026
|
||||
index fb80cc8..01f2ba5 100644
|
||||
@ -50,16 +51,13 @@ index fb80cc8..01f2ba5 100644
|
||||
+</valgrind>
|
||||
</verify>
|
||||
</testcase>
|
||||
--
|
||||
2.35.3
|
||||
|
||||
diff --git a/tests/libtest/lib3026.c b/tests/libtest/lib3026.c
|
||||
index 43fe335..70cd7a4 100644
|
||||
--- a/tests/libtest/lib3026.c
|
||||
+++ b/tests/libtest/lib3026.c
|
||||
@@ -63,8 +63,8 @@ int test(char *URL)
|
||||
for(i = 0; i < tid_count; i++) {
|
||||
int res = pthread_create(&tids[i], NULL, run_thread, &results[i]);
|
||||
@@ -123,8 +123,8 @@ int test(char *URL)
|
||||
results[i] = CURL_LAST; /* initialize with invalid value */
|
||||
res = pthread_create(&tids[i], NULL, run_thread, &results[i]);
|
||||
if(res) {
|
||||
- fprintf(stderr, "%s:%d Couldn't create thread, errno %d\n",
|
||||
- __FILE__, __LINE__, res);
|
||||
@ -68,3 +66,6 @@ index 43fe335..70cd7a4 100644
|
||||
tid_count = i;
|
||||
test_failure = -1;
|
||||
goto cleanup;
|
||||
--
|
||||
2.37.1
|
||||
|
||||
|
16
curl.spec
16
curl.spec
@ -1,7 +1,7 @@
|
||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||
Name: curl
|
||||
Version: 7.84.0
|
||||
Release: 3%{?dist}
|
||||
Version: 7.85.0
|
||||
Release: 1%{?dist}
|
||||
License: MIT
|
||||
Source0: https://curl.se/download/%{name}-%{version}.tar.xz
|
||||
Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
|
||||
@ -10,12 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
|
||||
# which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
|
||||
Source2: mykey.asc
|
||||
|
||||
# easy_lock.h: include sched.h if available to fix build
|
||||
Patch1: 0001-curl-7.84.0-sched-yield.patch
|
||||
|
||||
# tests: fix http2 tests to use CRLF headers to make it work with nghttp2-1.49.0
|
||||
Patch2: 0002-curl-7.84.0-tests-http2.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
@ -194,8 +188,6 @@ be installed.
|
||||
%setup -q
|
||||
|
||||
# upstream patches
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch101 -p1
|
||||
@ -429,6 +421,10 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||
|
||||
%changelog
|
||||
* Thu Sep 01 2022 Kamil Dudka <kdudka@redhat.com> - 7.85.0-3
|
||||
- new upstream release, which fixes the following vulnerability
|
||||
CVE-2022-35252 - control code in cookie denial of service
|
||||
|
||||
* Thu Aug 25 2022 Kamil Dudka <kdudka@redhat.com> - 7.84.0-3
|
||||
- tests: fix http2 tests to use CRLF headers to make it work with nghttp2-1.49.0
|
||||
|
||||
|
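Review bot: The new %changelog entry is labelled `7.85.0-3`, but the header in this same section sets `Version: 7.85.0` and `Release: 1%{?dist}`, so the entry does not match the build this spec produces. This entry is where the CVE-2022-35252 fix is recorded, so anyone mapping the advisory to a package build from the changelog would look for a -3 build that does not exist. It should read `* Thu Sep 01 2022 Kamil Dudka <kdudka@redhat.com> - 7.85.0-1`. Separately, the %prep hunk shown here begins at `%setup -q`, so it is not visible whether the new tarball is verified against `Source1` (the .asc signature) with the `Source2` keyring before unpacking. That is worth confirming, since the `sources` hashes only pin what was uploaded.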
4
sources
4
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (curl-7.84.0.tar.xz) = 86231866a35593a1637fbc0c6af3b6761bdfd99fb35580cc52970c36f19604f93dce59fea67a1d5bb4b455f719307599c7916c77d14f2b661f6bf7fb1ca716ce
|
||||
SHA512 (curl-7.84.0.tar.xz.asc) = 80ff5274277ad97448fa53511bab6e8a1c302bcb25fc0916d78b8dc6c6af43d944c37c4ed46668b651cc639ec4964780725117ca0e85168ea66ad7cc98d29702
|
||||
SHA512 (curl-7.85.0.tar.xz) = b57cc31649a4f47cc4b482f56a85c86c8e8aaeaf01bc1b51b065fdb9145a9092bc52535e52a85a66432eb163605b2edbf5bc5c33ea6e40e50f26a69ad1365cbd
|
||||
SHA512 (curl-7.85.0.tar.xz.asc) = 7022daf84b330b24112d595edee715cdeb881a4ba8a4fa7eec23aed28292e5d943af778f03aadd036d44d875f9e226096ea142d18afe516b6bdbd475fcd3aca6
|
||||
|