new upstream release - 7.56.0 (fixes CVE-2017-1000254)

0001-curl-7.55.1-zsh-completion.patch

@@ -1,67 +0,0 @@
-From 918eb4c10b60a58ea6b14bea7b9fbfba4d29598c Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Mon, 14 Aug 2017 16:13:32 +0200
-Subject: [PATCH] zsh.pl: produce a working completion script again
-
-Commit curl-7_54_0-118-g8b2f22e changed the output format of curl --help
-to use <file> and <dir> instead of FILE and DIR, which caused zsh.pl to
-produce a broken completion script:
-
-% curl --<TAB>
-_curl:10: no such file or directory: seconds
-
-Closes #1779
-
-Upstream-commit: ab2a7079cd2a1ec279b1e6b587ba48e50c155e91
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- docs/cmdline-opts/cacert.d | 2 +-
- scripts/zsh.pl             | 5 +++--
- src/tool_help.c            | 2 +-
- 3 files changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/docs/cmdline-opts/cacert.d b/docs/cmdline-opts/cacert.d
-index 04e1139..b2ecf90 100644
---- a/docs/cmdline-opts/cacert.d
-+++ b/docs/cmdline-opts/cacert.d
-@@ -1,5 +1,5 @@
- Long: cacert
--Arg: <CA certificate>
-+Arg: <file>
- Help: CA certificate to verify peer against
- Protocols: TLS
- ---
-diff --git a/scripts/zsh.pl b/scripts/zsh.pl
-index f0d8c19..82b4d9f 100755
---- a/scripts/zsh.pl
-+++ b/scripts/zsh.pl
-@@ -54,10 +54,11 @@ sub parse_main_opts {
-         $option .= '}' if defined $short;
-         $option .= '\'[' . trim($desc) . ']\'' if defined $desc;
- 
--        $option .= ":$arg" if defined $arg;
-+        $option .= ":'$arg'" if defined $arg;
- 
-         $option .= ':_files'
--            if defined $arg and ($arg eq 'FILE' || $arg eq 'DIR');
-+            if defined $arg and ($arg eq '<file>' || $arg eq '<filename>'
-+                || $arg eq '<dir>');
- 
-         push @list, $option;
-     }
-diff --git a/src/tool_help.c b/src/tool_help.c
-index 42dc779..a5bfaba 100644
---- a/src/tool_help.c
-+++ b/src/tool_help.c
-@@ -54,7 +54,7 @@ static const struct helptxt helptext[] = {
-    "Append to target file when uploading"},
-   {"    --basic",
-    "Use HTTP Basic Authentication"},
--  {"    --cacert <CA certificate>",
-+  {"    --cacert <file>",
-    "CA certificate to verify peer against"},
-   {"    --capath <dir>",
-    "CA directory to verify peer against"},
--- 
-2.9.5
-

0002-curl-7.55.1-proxy-connect.patch

@@ -1,40 +0,0 @@
-From 74dac344b2feb2e0f4baddb70532dc8e45d2d817 Mon Sep 17 00:00:00 2001
-From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
-Date: Fri, 18 Aug 2017 10:43:02 +0200
-Subject: [PATCH] http: Don't wait on CONNECT when there is no proxy
-
-Since curl 7.55.0, NetworkManager almost always failed its connectivity
-check by timeout. I bisected this to 5113ad04 (http-proxy: do the HTTP
-CONNECT process entirely non-blocking).
-
-This patch replaces !Curl_connect_complete with Curl_connect_ongoing,
-which returns false if the CONNECT state was left uninitialized and lets
-the connection continue.
-
-Closes #1803
-Fixes #1804
-
-Also-fixed-by: Gergely Nagy
-
-Upstream-commit: 74dac344b2feb2e0f4baddb70532dc8e45d2d817
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/http.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/http.c b/lib/http.c
-index 35c7c3d43..3e3313278 100644
---- a/lib/http.c
-+++ b/lib/http.c
-@@ -1371,7 +1371,7 @@ CURLcode Curl_http_connect(struct connectdata *conn, bool *done)
-   if(CONNECT_FIRSTSOCKET_PROXY_SSL())
-     return CURLE_OK; /* wait for HTTPS proxy SSL initialization to complete */
- 
--  if(!Curl_connect_complete(conn))
-+  if(Curl_connect_ongoing(conn))
-     /* nothing else to do except wait right now - we're not done here. */
-     return CURLE_OK;
- 
--- 
-2.13.5
-

0102-curl-7.36.0-debug.patch

@@ -12,7 +12,7 @@ diff --git a/configure b/configure
 index 8f079a3..53b4774 100755
 --- a/configure
 +++ b/configure
-@@ -17079,18 +17079,11 @@ $as_echo "yes" >&6; }
+@@ -20351,18 +20351,11 @@ $as_echo "yes" >&6; }
      gccvhi=`echo $gccver | cut -d . -f1`
      gccvlo=`echo $gccver | cut -d . -f2`
      compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`

0103-curl-7.55.1-system-crypto-policy.patch

@@ -1,27 +0,0 @@
-From 7271547cb46a4dc28004febaea19e5edaa2250d2 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Tue, 22 Aug 2017 17:02:26 +0200
-Subject: [PATCH] openssl: utilize system wide crypto policies
-
-... unless explicitly overridden via libcurl API
----
- lib/vtls/openssl.h | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/lib/vtls/openssl.h b/lib/vtls/openssl.h
-index b9648d5..48036e1 100644
---- a/lib/vtls/openssl.h
-+++ b/lib/vtls/openssl.h
-@@ -119,8 +119,7 @@ bool Curl_ossl_cert_status_request(void);
- #endif
- #define curlssl_cert_status_request() Curl_ossl_cert_status_request()
- 
--#define DEFAULT_CIPHER_SELECTION \
--  "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH"
-+#define DEFAULT_CIPHER_SELECTION "PROFILE=SYSTEM"
- 
- #endif /* USE_OPENSSL */
- #endif /* HEADER_CURL_SSLUSE_H */
--- 
-2.9.5
-

curl-7.55.1.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlmRPboACgkQXMkI/bce
-EsIxOAf9GPx5uj4rzy5VW8UhHgZXJl97S9mEVt8I6DnwpLrlCsV7jf4CHpys0Ymt
-kaRoqudjCfjfm2BRtoTZq9ZmWv6vMwuwKrfGwQSmtyNiVFnCZ2hX4QEErMDP27pn
-yJnlxO0MQVXCpKAxvmx2yRQ/qoGX18dGENBGe5USBOzh3QWArIN8vIaGsINvCmcM
-StMzgzNs+x4MP75xt6Wf+MH2biMfyXoq4zFsVKRYDlwZyr495uT9Zms4HzxPLlap
-LPotKQTj1ZcmC0tVLGDWXEx/aE65tLhsJjyLrIlIx+VvkKPwxN8rBntAAC8jh6az
-5bhonUTL94v5XnKySk7srhNP7ds8qQ==
-=3zTB
------END PGP SIGNATURE-----

curl-7.56.0.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlnUd8QACgkQXMkI/bce
+EsLXpgf/RNe897KrWq4s9H/ycobJXt4UEHXMbpjxQwEggNO4n0EwZ7Mt7WZ1aYR9
+q0ELx4mYS0/Lr9u1v5RxtMiG9L91B9nSdhFzL3/hhiTubTyhxgleGJMc94iTFMQY
+FjZYWZKHtBQlS8rjzTy2f7ESBIAs7zDPgWCfUlm0iuawSPx/Rw8ZrxC4yULvRubV
+2wZgjOZeVnhTt6CyNihY9+xrNgEOLAd2b0zjDJSoS0iQmZ5QYZKP+XeD9imQvLLF
+O0yhlE9PgCJTGCfjoehQop9rR7CtzDTT65A+syab5mQY+YbphL+8MfjKtoeWA78I
+JzW//7fC4iCORd3D/HJ1lOa442cfCA==
+=qKHn
+-----END PGP SIGNATURE-----

curl.spec

@@ -1,26 +1,17 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.55.1
+Version: 7.56.0
-Release: 5%{?dist}
+Release: 1%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 
-# make zsh completion work again
-Patch1:   0001-curl-7.55.1-zsh-completion.patch
-
-# http: Don't wait on CONNECT when there is no proxy (#1485702)
-Patch2:   0002-curl-7.55.1-proxy-connect.patch
-
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
 # prevent configure script from discarding -g in CFLAGS (#496778)
 Patch102: 0102-curl-7.36.0-debug.patch
 
-# utilize system wide crypto policies for TLS (#1483972)
-Patch103: 0103-curl-7.55.1-system-crypto-policy.patch
-
 # use localhost6 instead of ip6-localhost in the curl test-suite
 Patch104: 0104-curl-7.19.7-localhost6.patch
 
@@ -158,13 +149,10 @@ be installed.
 %setup -q
 
 # upstream patches
-%patch1 -p1
-%patch2 -p1
 
 # Fedora patches
 %patch101 -p1
 %patch102 -p1
-%patch103 -p1
 %patch104 -p1
 
 # regenerate Makefile.in files
@@ -314,6 +302,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.[0-9].[0-9].[0-9].minimal
 
 %changelog
+* Wed Oct 04 2017 Kamil Dudka <kdudka@redhat.com> - 7.56.0-1
+- new upstream release (fixes CVE-2017-1000254)
+
 * Mon Aug 28 2017 Kamil Dudka <kdudka@redhat.com> - 7.55.1-5
 - apply the patch for the previous commit and fix its name (#1485702)
 

sources

@@ -1 +1 @@
-SHA512 (curl-7.55.1.tar.xz) = 69f906655064b9cfef5b8763a893a658b25fcc4e595141ef122ac2b12158c5dc3b9535cb392f6f5af8346b6d495eb0609a08b5a6e638d4b10b82a15a0e8a7517
+SHA512 (curl-7.56.0.tar.xz) = a6bd5c56cd3a939a31b755bee3733df6670eec3d65b81b6c3e32ef9df110e3e748adc2cee81b1eb29f81cdf344230314c7ac1a2ed8f329f41c8352f920de3bfe