diff --git a/0001-curl-7.61.1-test320-gnutls.patch b/0001-curl-7.61.1-test320-gnutls.patch deleted file mode 100644 index a9cbaac..0000000 --- a/0001-curl-7.61.1-test320-gnutls.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 3cd5b375e31fb98e4782dc3a77e7316ad9eb26cf Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 4 Oct 2018 15:34:13 +0200 -Subject: [PATCH] test320: strip out more HTML when comparing - -To make the test case work with different gnutls-serv versions better. - -Reported-by: Kamil Dudka -Fixes #3093 -Closes #3094 - -Upstream-commit: 94ad57b0246b5658c2a9139dbe6a80efa4c4e2f3 -Signed-off-by: Kamil Dudka ---- - tests/data/test320 | 24 ++++-------------------- - 1 file changed, 4 insertions(+), 20 deletions(-) - -diff --git a/tests/data/test320 b/tests/data/test320 -index 457a11eb2..87311d4f2 100644 ---- a/tests/data/test320 -+++ b/tests/data/test320 -@@ -62,34 +62,18 @@ simple TLS-SRP HTTPS GET, check user in response - HTTP/1.0 200 OK - Content-type: text/html - -- -- --

This is GnuTLS

-- -- -- --
If your browser supports session resuming, then you should see the same session ID, when you press the reload button.
--

Connected as user 'jsmith'.

--

-- -- -- -- -- --

Key Exchange:SRP
CompressionNULL
CipherAES-NNN-CBC
MACSHA1
CiphersuiteSRP_SHA_AES_NNN_CBC_SHA1
--


Your HTTP header was:

Host: %HOSTIP:%HTTPTLSPORT
-+FINE
- User-Agent: curl-test-suite
- Accept: */*
- 
--

-- -- - - --s/^

Session ID:.*// -+s/^

Connected as user 'jsmith'.*/FINE/ - s/Protocol version:.*[0-9]// - s/GNUTLS/GnuTLS/ - s/(AES[-_])\d\d\d([-_]CBC)/$1NNN$2/ -+s/^<.*\n// -+s/^\n// - - - --- -2.17.1 - diff --git a/0002-curl-7.61.1-tlsv1.0-man.patch b/0002-curl-7.61.1-tlsv1.0-man.patch deleted file mode 100644 index f384366..0000000 --- a/0002-curl-7.61.1-tlsv1.0-man.patch +++ /dev/null @@ -1,28 +0,0 @@ -From c574e05b0035f0d78e6bf6040d3f80430112ab4f Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Fri, 7 Sep 2018 16:50:45 +0200 -Subject: [PATCH] docs/cmdline-opts: update the documentation of --tlsv1.0 - -... to reflect the changes in 6015cefb1b2cfde4b4850121c42405275e5e77d9 - -Closes #2955 - -Upstream-commit: 9ba22ce6b52751ed1e2abdd177b0a1d241819b4e -Signed-off-by: Kamil Dudka ---- - docs/cmdline-opts/tlsv1.0.d | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/docs/cmdline-opts/tlsv1.0.d b/docs/cmdline-opts/tlsv1.0.d -index 8789025e0..54e259682 100644 ---- a/docs/cmdline-opts/tlsv1.0.d -+++ b/docs/cmdline-opts/tlsv1.0.d -@@ -3,4 +3,4 @@ Help: Use TLSv1.0 - Protocols: TLS - Added: 7.34.0 - --- --Forces curl to use TLS version 1.0 when connecting to a remote TLS server. -+Forces curl to use TLS version 1.0 or later when connecting to a remote TLS server. --- -2.17.1 - diff --git a/0003-curl-7.61.1-TLS-1.3-PHA.patch b/0003-curl-7.61.1-TLS-1.3-PHA.patch deleted file mode 100644 index 99273ac..0000000 --- a/0003-curl-7.61.1-TLS-1.3-PHA.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From bb8ad3da3fb4ab3f6556daa1f67b259c12a3c7de Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Fri, 21 Sep 2018 10:37:43 +0200 -Subject: [PATCH] OpenSSL: enable TLS 1.3 post-handshake auth - -OpenSSL 1.1.1 requires clients to opt-in for post-handshake -authentication. - -Fixes: https://github.com/curl/curl/issues/3026 -Signed-off-by: Christian Heimes - -Closes https://github.com/curl/curl/pull/3027 - -Upstream-commit: b939bc47b27cd57c6ebb852ad653933e4124b452 -Signed-off-by: Kamil Dudka ---- - lib/vtls/openssl.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c -index a487f55..78970d1 100644 ---- a/lib/vtls/openssl.c -+++ b/lib/vtls/openssl.c -@@ -178,6 +178,7 @@ static unsigned long OpenSSL_version_num(void) - !defined(LIBRESSL_VERSION_NUMBER) && \ - !defined(OPENSSL_IS_BORINGSSL)) - #define HAVE_SSL_CTX_SET_CIPHERSUITES -+#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH - #endif - - #if defined(LIBRESSL_VERSION_NUMBER) -@@ -2467,6 +2468,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) - } - #endif - -+#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH -+ /* OpenSSL 1.1.1 requires clients to opt-in for PHA */ -+ SSL_CTX_set_post_handshake_auth(BACKEND->ctx, 1); -+#endif -+ - #ifdef USE_TLS_SRP - if(ssl_authtype == CURL_TLSAUTH_SRP) { - char * const ssl_username = SSL_SET_OPTION(username); --- -2.17.1 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 532980e..613106d 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -22,7 +22,7 @@ index 150004d..95d0759 100644 ;; --prefix) -@@ -143,32 +143,17 @@ while test $# -gt 0; do +@@ -155,32 +155,17 @@ while test $# -gt 0; do ;; --libs) diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch index bbb253f..495fe63 100644 --- a/0102-curl-7.36.0-debug.patch +++ b/0102-curl-7.36.0-debug.patch @@ -12,7 +12,7 @@ 
diff --git a/configure b/configure index 8f079a3..53b4774 100755 --- a/configure +++ b/configure -@@ -16414,18 +16414,11 @@ $as_echo "yes" >&6; } +@@ -16421,18 +16421,11 @@ $as_echo "yes" >&6; } gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` diff --git a/0103-curl-7.59.0-python3.patch b/0103-curl-7.59.0-python3.patch index f66b6c0..56485fe 100644 --- a/0103-curl-7.59.0-python3.patch +++ b/0103-curl-7.59.0-python3.patch 
@@ -1,88 +1,23 @@ -From bdba7b54224814055185513de1e7ff6619031553 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Thu, 15 Mar 2018 13:21:40 +0100 -Subject: [PATCH 1/2] tests/http_pipe.py: migrate to Python 3 - ---- - tests/http_pipe.py | 4 ++-- - tests/runtests.pl | 2 +- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/tests/http_pipe.py b/tests/http_pipe.py -index bc32173..75ac165 100755 ---- a/tests/http_pipe.py -+++ b/tests/http_pipe.py -@@ -383,13 +383,13 @@ class PipelineRequestHandler(socketserver.BaseRequestHandler): - self.request.setblocking(True) - if not new_data: - return -- new_requests = self._request_parser.ParseAdditionalData(new_data) -+ new_requests = self._request_parser.ParseAdditionalData(new_data.decode('utf8')) - self._response_builder.QueueRequests( - new_requests, self._request_parser.were_all_requests_http_1_1) - self._num_queued += len(new_requests) - self._last_queued_time = time.time() - elif fileno in wlist: -- num_bytes_sent = self.request.send(self._send_buffer[0:4096]) -+ num_bytes_sent = self.request.send(self._send_buffer[0:4096].encode('utf8')) - self._send_buffer = self._send_buffer[num_bytes_sent:] - time.sleep(0.05) - -diff --git a/tests/runtests.pl b/tests/runtests.pl -index d6aa5ca..4d395ef 100755 ---- a/tests/runtests.pl -+++ b/tests/runtests.pl -@@ -1439,7 +1439,7 @@ sub runhttpserver { - elsif($alt eq "pipe") { - # basically the same, but another ID - $idnum = 3; -- $exe = "python $srcdir/http_pipe.py"; -+ $exe = "python3 $srcdir/http_pipe.py"; - $verbose_flag .= "1 "; - } - elsif($alt eq "unix") { --- -2.14.3 - - From 3c4c7340e455b7256c0786759422f34ec3e2d440 Mon Sep 17 00:00:00 2001 
From: Kamil Dudka Date: Thu, 15 Mar 2018 14:49:56 +0100 -Subject: [PATCH 2/2] tests/{negtelnet,smb}server.py: migrate to Python 3 +Subject: [PATCH] tests/{negtelnet,smb}server.py: migrate to Python 3 Unfortunately, smbserver.py does not work with Python 3 because there is no 'impacket' module available for Python 3: https://github.com/CoreSecurity/impacket/issues/61 --- - tests/negtelnetserver.py | 12 ++++++------ - tests/smbserver.py | 4 ++-- - 2 files changed, 8 insertions(+), 8 deletions(-) + tests/negtelnetserver.py | 4 ++-- + tests/smbserver.py | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/negtelnetserver.py b/tests/negtelnetserver.py index 8cfd409..72ee771 100755 --- a/tests/negtelnetserver.py +++ b/tests/negtelnetserver.py -@@ -23,7 +23,7 @@ IDENT = "NTEL" - - # The strings that indicate the test framework is checking our aliveness - VERIFIED_REQ = b"verifiedserver" --VERIFIED_RSP = b"WE ROOLZ: {pid}" -+VERIFIED_RSP = "WE ROOLZ: {pid}" - - - def telnetserver(options): -@@ -34,7 +34,7 @@ def telnetserver(options): - if options.pidfile: - pid = os.getpid() - with open(options.pidfile, "w") as f: -- f.write(b"{0}".format(pid)) -+ f.write("{0}".format(pid)) - - local_bind = (HOST, options.port) - log.info("Listening on %s", local_bind) @@ -73,11 +73,11 @@ class NegotiatingTelnetHandler(socketserver.BaseRequestHandler): - response_data = VERIFIED_RSP.format(pid=os.getpid()) + response_data = response.encode('ascii') else: log.debug("Received normal request - echoing back") - response_data = data.strip() 
@@ -95,24 +30,6 @@ index 8cfd409..72ee771 100755 except IOError: log.exception("IOError hit during request") -@@ -132,7 +132,7 @@ class Negotiator(object): - return buffer - - def byte_to_int(self, byte): -- return struct.unpack(b'B', byte)[0] -+ return int(byte) - - def no_neg(self, byte, byte_int, buffer): - # Not negotiating anything thus far. Check to see if we -@@ -197,7 +197,7 @@ class Negotiator(object): - self.tcp.sendall(packed_message) - - def pack(self, arr): -- return struct.pack(b'{0}B'.format(len(arr)), *arr) -+ return struct.pack('{0}B'.format(len(arr)), *arr) - - def send_iac(self, arr): - message = [NegTokens.IAC] diff --git a/tests/smbserver.py b/tests/smbserver.py index 195ae39..b09cd44 100755 --- a/tests/smbserver.py diff --git a/curl-7.61.1.tar.xz.asc b/curl-7.61.1.tar.xz.asc deleted file mode 100644 index 6a1e664..0000000 --- a/curl-7.61.1.tar.xz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAluPblgACgkQXMkI/bce -EsJynAgArST/gB9eVYIQTTAdXxCOSnArBK/Ne/UNW83QIgOawj0HvEpj9+1SNfTi -EwC5YSwymyMuKGTDLNswTnJ0MripRKylekfu1QGGzmIOkqovTiHz60xiFuWYI3vy -fYuAAse5MJz64GCVFwOM4me8SgEjtb/hIbhiCLqilOyXnqtocDm4FPCMAYQ1mTFy -RJBbwgDLwtktfBDCQyMXTeETGuk3bTrtvSwRv8+Rq8qehOt5s58Fqeztv8EVNi+B -Qzsi5NXMulgl3C0P3dN/cC81+OL75ehuE91AFXUmbNOnlYNTOxHR2dioaXaEyhKb -51KLH2D0G75wlfMbgMhX/rguuXT2rg== -=vM6i ------END PGP SIGNATURE----- diff --git a/curl-7.62.0.tar.xz.asc b/curl-7.62.0.tar.xz.asc new file mode 100644 index 0000000..230438a --- /dev/null +++ b/curl-7.62.0.tar.xz.asc 
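Review bot: The rewritten `0103-curl-7.59.0-python3.patch` keeps the original `From 3c4c7340e455b7256c0786759422f34ec3e2d440` header and a hand-edited diffstat (`2 files changed, 4 insertions(+), 4 deletions(-)`) while dropping the whole http_pipe.py/runtests.pl patch and the negtelnetserver.py `@@ -23`, `@@ -34`, `@@ -132` and `@@ -197` hunks, so the stored file no longer matches the upstream commit it still claims to be. The reason for the trimming is recorded nowhere in this diff; presumably those hunks are already present in the 7.62.0 tarball, but a reader cannot confirm that from here. Either regenerate the patch with `git format-patch` against the new tree so header, diffstat and hunks agree, or add a line to the patch description below the impacket note, e.g. `[Fedora: trimmed for 7.62.0, hunks already carried upstream were dropped]`, adjusted to the actual reason. The same hand-rebasing appears in `0101-curl-7.32.0-multilib.patch` and `0102-curl-7.36.0-debug.patch` as offset-only `@@` edits, which is harmless but equally unrecorded.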
@@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlvZT5wACgkQXMkI/bce +EsJG4gf+IY2RkT9d7SIBAanHOD2NeT4UtPAOVRVtpW8dD9TIJq4IKOqv8CpcCCRq +OZPJovdxM0qmXcrX2Dlf3zpPuY+bSzBW/xUYsKBBTTXhdUh5dv1Tz3HR6JzMHyT4 +hQm1mj6eFHFvayUKxoeQwiw3SkvW6WIlAySwEBzIzaE7icwvJ2dPO7xUOJWLXk/F +pDRCAuHqIIgNzNph0EKXkvLWz5poBzGaK9kpJxmeaS3aWpe0EZ4+N6ju2GfHK5jO +VQSuLWDHCZulv1eve+LOxgRjp/5kqQ/PPc3/99mEOxGRUxwCWVMEWGklAungn4bX +nBPWNGArGJq2+kMP7v5pr0onBz6wxg== +=CWQL +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index d3366ac..70e148e 100644 --- a/curl.spec +++ b/curl.spec @@ -1,19 +1,10 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.61.1 -Release: 3%{?dist} +Version: 7.62.0 +Release: 1%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz -# test320: update expected output for gnutls-3.6.4 -Patch1: 0001-curl-7.61.1-test320-gnutls.patch - -# update the documentation of --tlsv1.0 in curl(1) man page -Patch2: 0002-curl-7.61.1-tlsv1.0-man.patch - -# enable TLS 1.3 post-handshake auth in OpenSSL -Patch3: 0003-curl-7.61.1-TLS-1.3-PHA.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -172,9 +163,6 @@ be installed. %setup -q # upstream patches -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 # Fedora patches %patch101 -p1 @@ -341,6 +329,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Oct 31 2018 Kamil Dudka - 7.62.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2018-16839 - SASL password overflow via integer overflow + CVE-2018-16840 - use-after-free in handle close + CVE-2018-16842 - warning message out-of-buffer read + * Thu Oct 11 2018 Kamil Dudka - 7.61.1-3 - enable TLS 1.3 post-handshake auth in OpenSSL - update the documentation of --tlsv1.0 in curl(1) man page diff --git a/sources b/sources index 717a22e..f127541 100644 
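Review bot: The visible `@@ -1,19 +1,10 @@` hunk still carries only `Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz`, while the same commit adds `curl-7.62.0.tar.xz.asc` and replaces the `sources` SHA512; nothing in the shown spec lines references the signature, so unless a `Source1:`/`%{gpgverify}` stanza exists outside this hunk, the `.asc` is never checked and the lookaside SHA512 remains the only integrity control on the tarball. If verification is indeed absent, wiring it in is a small change near the `Source:` line, `Source1: https://curl.haxx.se/download/%{name}-%{version}.tar.xz.asc` plus a `%{gpgverify}` call in `%prep` against a keyring shipped as a further source; if it is present further down, a one-line comment next to `Source:` pointing at it would save the next reader the search. The `%changelog` hunk lists CVE-2018-16839, CVE-2018-16840 and CVE-2018-16842 but does not mention that `0103-curl-7.59.0-python3.patch` was trimmed in the same commit; a bullet such as `- rebase the python3 test-suite patch for 7.62.0` would keep the entry complete. The spec's `%prep` and `%files` sections extend outside the hunks shown.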
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (curl-7.61.1.tar.xz) = e6f82a7292c70841162480c8880d25046bcfa64058f4ff76f7d398c85da569af1c244442c9c58a3478d59264365ff8e39eed2fb564cb137118588f7862e64e9a
+SHA512 (curl-7.62.0.tar.xz) = 3aace2fc85e1d5ac06a3208980f887b5f1de5e2a1460e130b15cff3f7e5700b958cbb8f296483290961ef41f550245590067f86558dbba25e3d3ac10cec1adcd