new upstream release - 7.88.0
Resolves: CVE-2023-23916 - HTTP multi-header compression denial of service
Resolves: CVE-2023-23915 - HSTS amnesia with --parallel
Resolves: CVE-2023-23914 - HSTS ignored on multiple requests
parent
8ff989f4fd
commit
98c91c9f34
@ -1,55 +0,0 @@
|
|||||||
From 613d3c45879636e88b88fcebee48dc77de345291 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Patrick Monnerat <patrick@monnerat.net>
|
|
||||||
Date: Fri, 23 Dec 2022 15:35:27 +0100
|
|
||||||
Subject: [PATCH] typecheck: accept expressions for option/info parameters
|
|
||||||
|
|
||||||
As expressions can have side effects, evaluate only once.
|
|
||||||
|
|
||||||
To enable deprecation reporting only once, get rid of the __typeof__
|
|
||||||
use to define the local temporary variable and use the target type
|
|
||||||
(CURLoption/CURLINFO). This also avoids multiple reports on type
|
|
||||||
conflicts (if some) by the curlcheck_* macros.
|
|
||||||
|
|
||||||
Note that CURLOPT_* and CURLINFO_* symbols may be deprecated, but not
|
|
||||||
their values: a curl_easy_setopt call with an integer constant as option
|
|
||||||
will never report a deprecation.
|
|
||||||
|
|
||||||
Reported-by: Thomas Klausner
|
|
||||||
Fixes #10148
|
|
||||||
Closes #10149
|
|
||||||
|
|
||||||
Upstream-commit: e2aed004302e51cfa5b6ce8c8ab65ef92aa83196
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
include/curl/typecheck-gcc.h | 6 ++----
|
|
||||||
1 file changed, 2 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h
|
|
||||||
index bf655bb..85aa8b7 100644
|
|
||||||
--- a/include/curl/typecheck-gcc.h
|
|
||||||
+++ b/include/curl/typecheck-gcc.h
|
|
||||||
@@ -42,9 +42,8 @@
|
|
||||||
*/
|
|
||||||
#define curl_easy_setopt(handle, option, value) \
|
|
||||||
__extension__({ \
|
|
||||||
- CURL_IGNORE_DEPRECATION(__typeof__(option) _curl_opt = option;) \
|
|
||||||
+ CURLoption _curl_opt = (option); \
|
|
||||||
if(__builtin_constant_p(_curl_opt)) { \
|
|
||||||
- (void) option; \
|
|
||||||
CURL_IGNORE_DEPRECATION( \
|
|
||||||
if(curlcheck_long_option(_curl_opt)) \
|
|
||||||
if(!curlcheck_long(value)) \
|
|
||||||
@@ -120,9 +119,8 @@
|
|
||||||
/* wraps curl_easy_getinfo() with typechecking */
|
|
||||||
#define curl_easy_getinfo(handle, info, arg) \
|
|
||||||
__extension__({ \
|
|
||||||
- CURL_IGNORE_DEPRECATION(__typeof__(info) _curl_info = info;) \
|
|
||||||
+ CURLINFO _curl_info = (info); \
|
|
||||||
if(__builtin_constant_p(_curl_info)) { \
|
|
||||||
- (void) info; \
|
|
||||||
CURL_IGNORE_DEPRECATION( \
|
|
||||||
if(curlcheck_string_info(_curl_info)) \
|
|
||||||
if(!curlcheck_arr((arg), char *)) \
|
|
||||||
--
|
|
||||||
2.39.0
|
|
||||||
|
|
14
curl.spec
14
curl.spec
@ -1,7 +1,7 @@
|
|||||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||||
Name: curl
|
Name: curl
|
||||||
Version: 7.87.0
|
Version: 7.88.0
|
||||||
Release: 4%{?dist}
|
Release: 1%{?dist}
|
||||||
License: MIT
|
License: MIT
|
||||||
Source0: https://curl.se/download/%{name}-%{version}.tar.xz
|
Source0: https://curl.se/download/%{name}-%{version}.tar.xz
|
||||||
Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
|
Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
|
||||||
@ -10,9 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
|
|||||||
# which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
|
# which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
|
||||||
Source2: mykey.asc
|
Source2: mykey.asc
|
||||||
|
|
||||||
# fix regression in a public header file (#2162716)
|
|
||||||
Patch1: 0001-curl-7.87.0-header-file-regression.patch
|
|
||||||
|
|
||||||
# patch making libcurl multilib ready
|
# patch making libcurl multilib ready
|
||||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||||
|
|
||||||
@ -200,7 +197,6 @@ be installed.
|
|||||||
%setup -q
|
%setup -q
|
||||||
|
|
||||||
# upstream patches
|
# upstream patches
|
||||||
%patch1 -p1
|
|
||||||
|
|
||||||
# Fedora patches
|
# Fedora patches
|
||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
@ -435,6 +431,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
|||||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Feb 15 2023 Kamil Dudka <kdudka@redhat.com> - 7.88.0-1
|
||||||
|
- new upstream release, which fixes the following vulnerabilities
|
||||||
|
CVE-2023-23916 - HTTP multi-header compression denial of service
|
||||||
|
CVE-2023-23915 - HSTS amnesia with --parallel
|
||||||
|
CVE-2023-23914 - HSTS ignored on multiple requests
|
||||||
|
|
||||||
* Fri Jan 20 2023 Kamil Dudka <kdudka@redhat.com> - 7.87.0-4
|
* Fri Jan 20 2023 Kamil Dudka <kdudka@redhat.com> - 7.87.0-4
|
||||||
- fix regression in a public header file (#2162716)
|
- fix regression in a public header file (#2162716)
|
||||||
|
|
||||||
|
4
sources
4
sources
@ -1,2 +1,2 @@
|
|||||||
SHA512 (curl-7.87.0.tar.xz) = aa125991592667280dce3788aabe81487cf8c55b0afc59d675cc30b76055bb7114f5380b4a0e3b6461a8f81bf9812fa26d493a85f7e01d84263d484a0d699ee7
|
SHA512 (curl-7.88.0.tar.xz) = 2008cbc67694f746b7449f087a19b2a9a4950333d6bac1cdc7d80351aa38d8d9b442087dedbc7b0909a419d3b10f510521c942aac012d04a53c32bdb15dce5f0
|
||||||
SHA512 (curl-7.87.0.tar.xz.asc) = 0bcc12bafc4ae50d80128af2cf4bf1a1ec6018ebb8d5b9c49f52b51c0c25acc77e820858965656549ef43c1f923f4e5fe75b0a3523623154b4cfb9dc8a1d76e4
|
SHA512 (curl-7.88.0.tar.xz.asc) = 6f3d9a5f8fcec64652f872adf994ff3d0162fba1b483a0e359522173bf29ef3d26eeda7c328207fa1fa974a45e62674a3a8ebec21830ab3981b56851d5804ade
|
||||||
|