new upstream release - 7.62.0
Resolves: CVE-2018-16839 - SASL password overflow via integer overflow Resolves: CVE-2018-16840 - use-after-free in handle close Resolves: CVE-2018-16842 - warning message out-of-buffer read
This commit is contained in:
parent
9be316eea1
commit
34a4d8f848
@ -1,63 +0,0 @@
|
||||
From 3cd5b375e31fb98e4782dc3a77e7316ad9eb26cf Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Thu, 4 Oct 2018 15:34:13 +0200
|
||||
Subject: [PATCH] test320: strip out more HTML when comparing
|
||||
|
||||
To make the test case work with different gnutls-serv versions better.
|
||||
|
||||
Reported-by: Kamil Dudka
|
||||
Fixes #3093
|
||||
Closes #3094
|
||||
|
||||
Upstream-commit: 94ad57b0246b5658c2a9139dbe6a80efa4c4e2f3
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
tests/data/test320 | 24 ++++--------------------
|
||||
1 file changed, 4 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/tests/data/test320 b/tests/data/test320
|
||||
index 457a11eb2..87311d4f2 100644
|
||||
--- a/tests/data/test320
|
||||
+++ b/tests/data/test320
|
||||
@@ -62,34 +62,18 @@ simple TLS-SRP HTTPS GET, check user in response
|
||||
HTTP/1.0 200 OK
|
||||
Content-type: text/html
|
||||
|
||||
-
|
||||
-<HTML><BODY>
|
||||
-<CENTER><H1>This is <a href="http://www.gnu.org/software/gnutls">GnuTLS</a></H1></CENTER>
|
||||
-
|
||||
-
|
||||
-
|
||||
-<h5>If your browser supports session resuming, then you should see the same session ID, when you press the <b>reload</b> button.</h5>
|
||||
-<p>Connected as user 'jsmith'.</p>
|
||||
-<P>
|
||||
-<TABLE border=1><TR><TD></TD></TR>
|
||||
-<TR><TD>Key Exchange:</TD><TD>SRP</TD></TR>
|
||||
-<TR><TD>Compression</TD><TD>NULL</TD></TR>
|
||||
-<TR><TD>Cipher</TD><TD>AES-NNN-CBC</TD></TR>
|
||||
-<TR><TD>MAC</TD><TD>SHA1</TD></TR>
|
||||
-<TR><TD>Ciphersuite</TD><TD>SRP_SHA_AES_NNN_CBC_SHA1</TD></TR></p></TABLE>
|
||||
-<hr><P>Your HTTP header was:<PRE>Host: %HOSTIP:%HTTPTLSPORT
|
||||
+FINE
|
||||
User-Agent: curl-test-suite
|
||||
Accept: */*
|
||||
|
||||
-</PRE></P>
|
||||
-</BODY></HTML>
|
||||
-
|
||||
</file>
|
||||
<stripfile>
|
||||
-s/^<p>Session ID:.*//
|
||||
+s/^<p>Connected as user 'jsmith'.*/FINE/
|
||||
s/Protocol version:.*[0-9]//
|
||||
s/GNUTLS/GnuTLS/
|
||||
s/(AES[-_])\d\d\d([-_]CBC)/$1NNN$2/
|
||||
+s/^<.*\n//
|
||||
+s/^\n//
|
||||
</stripfile>
|
||||
</verify>
|
||||
|
||||
--
|
||||
2.17.1
|
||||
|
@ -1,28 +0,0 @@
|
||||
From c574e05b0035f0d78e6bf6040d3f80430112ab4f Mon Sep 17 00:00:00 2001
|
||||
From: Kamil Dudka <kdudka@redhat.com>
|
||||
Date: Fri, 7 Sep 2018 16:50:45 +0200
|
||||
Subject: [PATCH] docs/cmdline-opts: update the documentation of --tlsv1.0
|
||||
|
||||
... to reflect the changes in 6015cefb1b2cfde4b4850121c42405275e5e77d9
|
||||
|
||||
Closes #2955
|
||||
|
||||
Upstream-commit: 9ba22ce6b52751ed1e2abdd177b0a1d241819b4e
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
docs/cmdline-opts/tlsv1.0.d | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/docs/cmdline-opts/tlsv1.0.d b/docs/cmdline-opts/tlsv1.0.d
|
||||
index 8789025e0..54e259682 100644
|
||||
--- a/docs/cmdline-opts/tlsv1.0.d
|
||||
+++ b/docs/cmdline-opts/tlsv1.0.d
|
||||
@@ -3,4 +3,4 @@ Help: Use TLSv1.0
|
||||
Protocols: TLS
|
||||
Added: 7.34.0
|
||||
---
|
||||
-Forces curl to use TLS version 1.0 when connecting to a remote TLS server.
|
||||
+Forces curl to use TLS version 1.0 or later when connecting to a remote TLS server.
|
||||
--
|
||||
2.17.1
|
||||
|
@ -1,46 +0,0 @@
|
||||
From bb8ad3da3fb4ab3f6556daa1f67b259c12a3c7de Mon Sep 17 00:00:00 2001
|
||||
From: Christian Heimes <christian@python.org>
|
||||
Date: Fri, 21 Sep 2018 10:37:43 +0200
|
||||
Subject: [PATCH] OpenSSL: enable TLS 1.3 post-handshake auth
|
||||
|
||||
OpenSSL 1.1.1 requires clients to opt-in for post-handshake
|
||||
authentication.
|
||||
|
||||
Fixes: https://github.com/curl/curl/issues/3026
|
||||
Signed-off-by: Christian Heimes <christian@python.org>
|
||||
|
||||
Closes https://github.com/curl/curl/pull/3027
|
||||
|
||||
Upstream-commit: b939bc47b27cd57c6ebb852ad653933e4124b452
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/vtls/openssl.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||
index a487f55..78970d1 100644
|
||||
--- a/lib/vtls/openssl.c
|
||||
+++ b/lib/vtls/openssl.c
|
||||
@@ -178,6 +178,7 @@ static unsigned long OpenSSL_version_num(void)
|
||||
!defined(LIBRESSL_VERSION_NUMBER) && \
|
||||
!defined(OPENSSL_IS_BORINGSSL))
|
||||
#define HAVE_SSL_CTX_SET_CIPHERSUITES
|
||||
+#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
|
||||
#endif
|
||||
|
||||
#if defined(LIBRESSL_VERSION_NUMBER)
|
||||
@@ -2467,6 +2468,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||
}
|
||||
#endif
|
||||
|
||||
+#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
|
||||
+ /* OpenSSL 1.1.1 requires clients to opt-in for PHA */
|
||||
+ SSL_CTX_set_post_handshake_auth(BACKEND->ctx, 1);
|
||||
+#endif
|
||||
+
|
||||
#ifdef USE_TLS_SRP
|
||||
if(ssl_authtype == CURL_TLSAUTH_SRP) {
|
||||
char * const ssl_username = SSL_SET_OPTION(username);
|
||||
--
|
||||
2.17.1
|
||||
|
@ -22,7 +22,7 @@ index 150004d..95d0759 100644
|
||||
;;
|
||||
|
||||
--prefix)
|
||||
@@ -143,32 +143,17 @@ while test $# -gt 0; do
|
||||
@@ -155,32 +155,17 @@ while test $# -gt 0; do
|
||||
;;
|
||||
|
||||
--libs)
|
||||
|
@ -12,7 +12,7 @@ diff --git a/configure b/configure
|
||||
index 8f079a3..53b4774 100755
|
||||
--- a/configure
|
||||
+++ b/configure
|
||||
@@ -16414,18 +16414,11 @@ $as_echo "yes" >&6; }
|
||||
@@ -16421,18 +16421,11 @@ $as_echo "yes" >&6; }
|
||||
gccvhi=`echo $gccver | cut -d . -f1`
|
||||
gccvlo=`echo $gccver | cut -d . -f2`
|
||||
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
|
||||
|
@ -1,88 +1,23 @@
|
||||
From bdba7b54224814055185513de1e7ff6619031553 Mon Sep 17 00:00:00 2001
|
||||
From: Kamil Dudka <kdudka@redhat.com>
|
||||
Date: Thu, 15 Mar 2018 13:21:40 +0100
|
||||
Subject: [PATCH 1/2] tests/http_pipe.py: migrate to Python 3
|
||||
|
||||
---
|
||||
tests/http_pipe.py | 4 ++--
|
||||
tests/runtests.pl | 2 +-
|
||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/tests/http_pipe.py b/tests/http_pipe.py
|
||||
index bc32173..75ac165 100755
|
||||
--- a/tests/http_pipe.py
|
||||
+++ b/tests/http_pipe.py
|
||||
@@ -383,13 +383,13 @@ class PipelineRequestHandler(socketserver.BaseRequestHandler):
|
||||
self.request.setblocking(True)
|
||||
if not new_data:
|
||||
return
|
||||
- new_requests = self._request_parser.ParseAdditionalData(new_data)
|
||||
+ new_requests = self._request_parser.ParseAdditionalData(new_data.decode('utf8'))
|
||||
self._response_builder.QueueRequests(
|
||||
new_requests, self._request_parser.were_all_requests_http_1_1)
|
||||
self._num_queued += len(new_requests)
|
||||
self._last_queued_time = time.time()
|
||||
elif fileno in wlist:
|
||||
- num_bytes_sent = self.request.send(self._send_buffer[0:4096])
|
||||
+ num_bytes_sent = self.request.send(self._send_buffer[0:4096].encode('utf8'))
|
||||
self._send_buffer = self._send_buffer[num_bytes_sent:]
|
||||
time.sleep(0.05)
|
||||
|
||||
diff --git a/tests/runtests.pl b/tests/runtests.pl
|
||||
index d6aa5ca..4d395ef 100755
|
||||
--- a/tests/runtests.pl
|
||||
+++ b/tests/runtests.pl
|
||||
@@ -1439,7 +1439,7 @@ sub runhttpserver {
|
||||
elsif($alt eq "pipe") {
|
||||
# basically the same, but another ID
|
||||
$idnum = 3;
|
||||
- $exe = "python $srcdir/http_pipe.py";
|
||||
+ $exe = "python3 $srcdir/http_pipe.py";
|
||||
$verbose_flag .= "1 ";
|
||||
}
|
||||
elsif($alt eq "unix") {
|
||||
--
|
||||
2.14.3
|
||||
|
||||
|
||||
From 3c4c7340e455b7256c0786759422f34ec3e2d440 Mon Sep 17 00:00:00 2001
|
||||
From: Kamil Dudka <kdudka@redhat.com>
|
||||
Date: Thu, 15 Mar 2018 14:49:56 +0100
|
||||
Subject: [PATCH 2/2] tests/{negtelnet,smb}server.py: migrate to Python 3
|
||||
Subject: [PATCH] tests/{negtelnet,smb}server.py: migrate to Python 3
|
||||
|
||||
Unfortunately, smbserver.py does not work with Python 3 because
|
||||
there is no 'impacket' module available for Python 3:
|
||||
|
||||
https://github.com/CoreSecurity/impacket/issues/61
|
||||
---
|
||||
tests/negtelnetserver.py | 12 ++++++------
|
||||
tests/smbserver.py | 4 ++--
|
||||
2 files changed, 8 insertions(+), 8 deletions(-)
|
||||
tests/negtelnetserver.py | 4 ++--
|
||||
tests/smbserver.py | 4 ++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/tests/negtelnetserver.py b/tests/negtelnetserver.py
|
||||
index 8cfd409..72ee771 100755
|
||||
--- a/tests/negtelnetserver.py
|
||||
+++ b/tests/negtelnetserver.py
|
||||
@@ -23,7 +23,7 @@ IDENT = "NTEL"
|
||||
|
||||
# The strings that indicate the test framework is checking our aliveness
|
||||
VERIFIED_REQ = b"verifiedserver"
|
||||
-VERIFIED_RSP = b"WE ROOLZ: {pid}"
|
||||
+VERIFIED_RSP = "WE ROOLZ: {pid}"
|
||||
|
||||
|
||||
def telnetserver(options):
|
||||
@@ -34,7 +34,7 @@ def telnetserver(options):
|
||||
if options.pidfile:
|
||||
pid = os.getpid()
|
||||
with open(options.pidfile, "w") as f:
|
||||
- f.write(b"{0}".format(pid))
|
||||
+ f.write("{0}".format(pid))
|
||||
|
||||
local_bind = (HOST, options.port)
|
||||
log.info("Listening on %s", local_bind)
|
||||
@@ -73,11 +73,11 @@ class NegotiatingTelnetHandler(socketserver.BaseRequestHandler):
|
||||
response_data = VERIFIED_RSP.format(pid=os.getpid())
|
||||
response_data = response.encode('ascii')
|
||||
else:
|
||||
log.debug("Received normal request - echoing back")
|
||||
- response_data = data.strip()
|
||||
@ -95,24 +30,6 @@ index 8cfd409..72ee771 100755
|
||||
|
||||
except IOError:
|
||||
log.exception("IOError hit during request")
|
||||
@@ -132,7 +132,7 @@ class Negotiator(object):
|
||||
return buffer
|
||||
|
||||
def byte_to_int(self, byte):
|
||||
- return struct.unpack(b'B', byte)[0]
|
||||
+ return int(byte)
|
||||
|
||||
def no_neg(self, byte, byte_int, buffer):
|
||||
# Not negotiating anything thus far. Check to see if we
|
||||
@@ -197,7 +197,7 @@ class Negotiator(object):
|
||||
self.tcp.sendall(packed_message)
|
||||
|
||||
def pack(self, arr):
|
||||
- return struct.pack(b'{0}B'.format(len(arr)), *arr)
|
||||
+ return struct.pack('{0}B'.format(len(arr)), *arr)
|
||||
|
||||
def send_iac(self, arr):
|
||||
message = [NegTokens.IAC]
|
||||
diff --git a/tests/smbserver.py b/tests/smbserver.py
|
||||
index 195ae39..b09cd44 100755
|
||||
--- a/tests/smbserver.py
|
||||
|
@ -1,11 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAluPblgACgkQXMkI/bce
|
||||
EsJynAgArST/gB9eVYIQTTAdXxCOSnArBK/Ne/UNW83QIgOawj0HvEpj9+1SNfTi
|
||||
EwC5YSwymyMuKGTDLNswTnJ0MripRKylekfu1QGGzmIOkqovTiHz60xiFuWYI3vy
|
||||
fYuAAse5MJz64GCVFwOM4me8SgEjtb/hIbhiCLqilOyXnqtocDm4FPCMAYQ1mTFy
|
||||
RJBbwgDLwtktfBDCQyMXTeETGuk3bTrtvSwRv8+Rq8qehOt5s58Fqeztv8EVNi+B
|
||||
Qzsi5NXMulgl3C0P3dN/cC81+OL75ehuE91AFXUmbNOnlYNTOxHR2dioaXaEyhKb
|
||||
51KLH2D0G75wlfMbgMhX/rguuXT2rg==
|
||||
=vM6i
|
||||
-----END PGP SIGNATURE-----
|
11
curl-7.62.0.tar.xz.asc
Normal file
11
curl-7.62.0.tar.xz.asc
Normal file
@ -0,0 +1,11 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlvZT5wACgkQXMkI/bce
|
||||
EsJG4gf+IY2RkT9d7SIBAanHOD2NeT4UtPAOVRVtpW8dD9TIJq4IKOqv8CpcCCRq
|
||||
OZPJovdxM0qmXcrX2Dlf3zpPuY+bSzBW/xUYsKBBTTXhdUh5dv1Tz3HR6JzMHyT4
|
||||
hQm1mj6eFHFvayUKxoeQwiw3SkvW6WIlAySwEBzIzaE7icwvJ2dPO7xUOJWLXk/F
|
||||
pDRCAuHqIIgNzNph0EKXkvLWz5poBzGaK9kpJxmeaS3aWpe0EZ4+N6ju2GfHK5jO
|
||||
VQSuLWDHCZulv1eve+LOxgRjp/5kqQ/PPc3/99mEOxGRUxwCWVMEWGklAungn4bX
|
||||
nBPWNGArGJq2+kMP7v5pr0onBz6wxg==
|
||||
=CWQL
|
||||
-----END PGP SIGNATURE-----
|
22
curl.spec
22
curl.spec
@ -1,19 +1,10 @@
|
||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||
Name: curl
|
||||
Version: 7.61.1
|
||||
Release: 3%{?dist}
|
||||
Version: 7.62.0
|
||||
Release: 1%{?dist}
|
||||
License: MIT
|
||||
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
|
||||
|
||||
# test320: update expected output for gnutls-3.6.4
|
||||
Patch1: 0001-curl-7.61.1-test320-gnutls.patch
|
||||
|
||||
# update the documentation of --tlsv1.0 in curl(1) man page
|
||||
Patch2: 0002-curl-7.61.1-tlsv1.0-man.patch
|
||||
|
||||
# enable TLS 1.3 post-handshake auth in OpenSSL
|
||||
Patch3: 0003-curl-7.61.1-TLS-1.3-PHA.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
@ -172,9 +163,6 @@ be installed.
|
||||
%setup -q
|
||||
|
||||
# upstream patches
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch101 -p1
|
||||
@ -341,6 +329,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||
|
||||
%changelog
|
||||
* Wed Oct 31 2018 Kamil Dudka <kdudka@redhat.com> - 7.62.0-1
|
||||
- new upstream release, which fixes the following vulnerabilities
|
||||
CVE-2018-16839 - SASL password overflow via integer overflow
|
||||
CVE-2018-16840 - use-after-free in handle close
|
||||
CVE-2018-16842 - warning message out-of-buffer read
|
||||
|
||||
* Thu Oct 11 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-3
|
||||
- enable TLS 1.3 post-handshake auth in OpenSSL
|
||||
- update the documentation of --tlsv1.0 in curl(1) man page
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (curl-7.61.1.tar.xz) = e6f82a7292c70841162480c8880d25046bcfa64058f4ff76f7d398c85da569af1c244442c9c58a3478d59264365ff8e39eed2fb564cb137118588f7862e64e9a
|
||||
SHA512 (curl-7.62.0.tar.xz) = 3aace2fc85e1d5ac06a3208980f887b5f1de5e2a1460e130b15cff3f7e5700b958cbb8f296483290961ef41f550245590067f86558dbba25e3d3ac10cec1adcd
|
||||
|
Loading…
Reference in New Issue
Block a user