From 5416a993a2af8d1294832b2855ef676496634425 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 8 Nov 2022 02:06:11 -0500 Subject: [PATCH] import curl-7.61.1-25.el8 --- .../0042-curl-7.61.1-ssh-known-hosts.patch | 43 +++++++++++++++++++ SPECS/curl.spec | 15 ++++--- 2 files changed, 52 insertions(+), 6 deletions(-) create mode 100644 SOURCES/0042-curl-7.61.1-ssh-known-hosts.patch diff --git a/SOURCES/0042-curl-7.61.1-ssh-known-hosts.patch b/SOURCES/0042-curl-7.61.1-ssh-known-hosts.patch new file mode 100644 index 0000000..02ad592 --- /dev/null +++ b/SOURCES/0042-curl-7.61.1-ssh-known-hosts.patch @@ -0,0 +1,43 @@ +From 9ea407a0476d22cde575826c18b5aa56b57ac9b4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Felix=20H=C3=A4dicke?= +Date: Wed, 23 Jan 2019 23:10:39 +0100 +Subject: [PATCH] setopt: enable CURLOPT_SSH_KNOWNHOSTS and + CURLOPT_SSH_KEYFUNCTION for libssh + +CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION are supported for +libssh as well. So accepting these options only when compiling with +libssh2 is wrong here. + +Fixes #3493 +Closes #3494 + +Upstream-commit: 3cbf731d9ec7146f9f1a6ac0fbd9af7fe358f5bb +Signed-off-by: Kamil Dudka +--- + lib/setopt.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/lib/setopt.c b/lib/setopt.c +index b07ccfe..88a05ff 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2208,7 +2208,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + result = Curl_setstropt(&data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5], + va_arg(param, char *)); + break; +-#ifdef HAVE_LIBSSH2_KNOWNHOST_API ++ + case CURLOPT_SSH_KNOWNHOSTS: + /* + * Store the file name to read known hosts from. +@@ -2229,7 +2229,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + */ + data->set.ssh_keyfunc_userp = va_arg(param, void *); + break; +-#endif /* HAVE_LIBSSH2_KNOWNHOST_API */ + #endif /* USE_LIBSSH2 */ + + case CURLOPT_HTTP_TRANSFER_DECODING: +-- +2.34.1 + diff --git a/SPECS/curl.spec b/SPECS/curl.spec index 996a372..29634bd 100644 --- a/SPECS/curl.spec +++ b/SPECS/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.61.1 -Release: 22%{?dist}.4 +Release: 25%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -118,6 +118,9 @@ Patch40: 0040-curl-7.61.1-CVE-2022-32208.patch # fix HTTP compression denial of service (CVE-2022-32206) Patch41: 0041-curl-7.61.1-CVE-2022-32206.patch +# setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION (#2063703) +Patch42: 0042-curl-7.61.1-ssh-known-hosts.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -332,6 +335,7 @@ sed -e 's|:8992/|:%{?__isa_bits}92/|g' -i tests/data/test97{3..6} %patch39 -p1 %patch40 -p1 %patch41 -p1 +%patch42 -p1 # make tests/*.py use Python 3 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py @@ -494,17 +498,16 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -* Wed Jun 29 2022 Kamil Dudka - 7.61.1-22.el8_6.4 +* Wed Jun 29 2022 Kamil Dudka - 7.61.1-25 +- setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION (#2063703) - fix HTTP compression denial of service (CVE-2022-32206) - fix FTP-KRB bad message verification (CVE-2022-32208) -* Wed May 11 2022 Kamil Dudka - 7.61.1-22.el8_6.3 +* Wed May 11 2022 Kamil Dudka - 7.61.1-24 - fix too eager reuse of TLS and SSH connections (CVE-2022-27782) - -* Tue May 04 2022 Kamil Dudka - 7.61.1-22.el8_6.2 - fix invalid type in printf() argument detected by Coverity -* Thu Apr 28 2022 Kamil Dudka - 7.61.1-22.el8_6.1 +* Thu Apr 28 2022 Kamil Dudka - 7.61.1-23 - fix credential leak on redirect (CVE-2022-27774) - fix auth/cookie leak on redirect (CVE-2022-27776) - fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)