new upstream release - 8.1.0

Resolves: CVE-2023-28321 - IDN wildcard match
Resolves: CVE-2023-28322 - more POST-after-PUT confusion
This commit is contained in:
Kamil Dudka 2023-05-17 09:28:55 +02:00
parent 65d0dfbac5
commit c0b70e927f
5 changed files with 16 additions and 110 deletions

View File

@ -38,7 +38,7 @@ index 1889c93..ea43a49 100644
--- a/tests/data/test3012 --- a/tests/data/test3012
+++ b/tests/data/test3012 +++ b/tests/data/test3012
@@ -56,5 +56,9 @@ Accept: */* @@ -56,5 +56,9 @@ Accept: */*
<file name="log/MMM%TESTNUMBERMMM"> <file name="%LOGDIR/MMM%TESTNUMBERMMM">
-foo- -foo-
</file> </file>
+ +

View File

@ -15,16 +15,16 @@ diff --git a/tests/runtests.pl b/tests/runtests.pl
index 71644ad18..0cf85c3fe 100755 index 71644ad18..0cf85c3fe 100755
--- a/tests/runtests.pl --- a/tests/runtests.pl
+++ b/tests/runtests.pl +++ b/tests/runtests.pl
@@ -75,8 +75,7 @@ BEGIN { @@ -55,8 +55,7 @@
} # given, this won't be a problem.
use strict; use strict;
-# Promote all warnings to fatal -# Promote all warnings to fatal
-use warnings FATAL => 'all'; -use warnings FATAL => 'all';
+use warnings; +use warnings;
use Cwd; use 5.006;
use Digest::MD5 qw(md5);
use MIME::Base64; # These should be the only variables that might be needed to get edited:
-- --
2.39.1 2.39.1

View File

@ -1,97 +0,0 @@
From c9a1d18e5f8f28b90c1b2fcc1f15699327067e59 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 21 Apr 2023 17:44:10 +0200
Subject: [PATCH] tests/runtests.pl: attempt to fix a conflict on port numbers
... where stunnel listens for legacy HTTPS and HTTP/2, which manifests
as a hard-to-explain failure of the following tests: 1630 1631 1632 1904
1941 1945 2050 2055 3028
```
[...]
startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https_server.pid" --logfile "log/https_stunnel.log" --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 42917 --accept 24642
RUN: HTTPS server is PID 114398 port 24642
* pid https => 114398 114402
[...]
startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https2_server.pid" --logfile "log/https2_stunnel.log" --id 2 --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 36763 --accept 24642
startnew: child process has died, server might start up
Warning: http2 server unexpectedly alive
RUN: Process with pid 73992 signalled to die
RUN: Process with pid 73992 forced to die with SIGKILL
== Contents of files in the log/ dir after test 1630
=== Start of file http2_server.log
14:01:21.881018 exit_signal_handler: 15
14:01:21.881372 signalled to die
14:01:21.881511 ========> IPv4 sws (port 36763 pid: 73992) exits with signal (15)
=== End of file http2_server.log
=== Start of file https2_stunnel.log
[ ] Initializing inetd mode configuration
[ ] Clients allowed=500
[.] stunnel 5.69 on x86_64-redhat-linux-gnu platform
[.] Compiled/running with OpenSSL 3.0.8 7 Feb 2023
[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
[ ] errno: (*__errno_location ())
[ ] Initializing inetd mode configuration
[.] Reading configuration from file /builddir/build/BUILD/curl-8.0.1/build-minimal/tests/https_stunnel.conf
[.] UTF-8 byte order mark not detected
[.] FIPS mode disabled
[ ] Compression disabled
[ ] No PRNG seeding was required
[ ] Initializing service [curltest]
[ ] Using the default TLS minimum version as specified in crypto policies. Not setting explicitly.
[ ] Using the default TLS maximum version as specified in crypto policies. Not setting explicitly
[ ] stunnel default security level set: 2
[ ] Ciphers: PROFILE=SYSTEM
[ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
[ ] TLS options: 0x2100000 (+0x0, -0x0)
[ ] Session resumption enabled
[ ] Loading certificate from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem
[ ] Certificate loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem
[ ] Loading private key from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem
[ ] Private key loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem
[ ] Private key check succeeded
[!] No trusted certificates found
[ ] DH initialization needed for DHE-RSA-AES256-GCM-SHA384
[ ] DH initialization
[ ] Could not load DH parameters from /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem
[ ] Using dynamic DH parameters
[ ] ECDH initialization
[ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384
[.] Configuration successful
[ ] Deallocating deployed section defaults
[ ] Binding service [curltest]
[ ] Listening file descriptor created (FD=8)
[ ] Setting accept socket options (FD=8)
[ ] Option SO_REUSEADDR set on accept socket
[.] Binding service [curltest] to 0.0.0.0:24642: Address already in use (98)
[ ] Listening file descriptor created (FD=8)
[ ] Setting accept socket options (FD=8)
[ ] Option SO_REUSEADDR set on accept socket
[.] Binding service [curltest] to :::24642: Address already in use (98)
[!] Binding service [curltest] failed
[ ] Unbinding service [curltest]
[ ] Service [curltest] closed
[ ] Deallocating deployed section defaults
[ ] Deallocating section [curltest]
[ ] Initializing inetd mode configuration
=== End of file https2_stunnel.log
```
---
tests/runtests.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/runtests.pl b/tests/runtests.pl
index 54f6923..bb362c9 100755
--- a/tests/runtests.pl
+++ b/tests/runtests.pl
@@ -1802,7 +1802,7 @@ sub runhttpsserver {
my $pid2;
my $httpspid;
- my $port = 24512; # start attempt
+ my $port = 24512 * $idnum; # start attempt
for (1 .. 10) {
$port += int(rand(600));
my $options = "$flags --accept $port";
--
2.39.2

View File

@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl Name: curl
Version: 8.0.1 Version: 8.1.0
Release: 3%{?dist} Release: 1%{?dist}
License: curl License: curl
Source0: https://curl.se/download/%{name}-%{version}.tar.xz Source0: https://curl.se/download/%{name}-%{version}.tar.xz
Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@ -22,9 +22,6 @@ Patch103: 0103-curl-7.87.0-test3012.patch
# do not fail on warnings in the upstream test driver # do not fail on warnings in the upstream test driver
Patch104: 0104-curl-7.88.0-tests-warnings.patch Patch104: 0104-curl-7.88.0-tests-warnings.patch
# tests: attempt to fix a conflict on port numbers
Patch105: 0105-curl-8.0.1-tests-stunnel-port.patch
Provides: curl-full = %{version}-%{release} Provides: curl-full = %{version}-%{release}
Provides: webclient Provides: webclient
URL: https://curl.se/ URL: https://curl.se/
@ -84,6 +81,7 @@ BuildRequires: perl(File::Basename)
BuildRequires: perl(File::Copy) BuildRequires: perl(File::Copy)
BuildRequires: perl(File::Spec) BuildRequires: perl(File::Spec)
BuildRequires: perl(IPC::Open2) BuildRequires: perl(IPC::Open2)
BuildRequires: perl(Memoize)
BuildRequires: perl(MIME::Base64) BuildRequires: perl(MIME::Base64)
BuildRequires: perl(Time::Local) BuildRequires: perl(Time::Local)
BuildRequires: perl(Time::HiRes) BuildRequires: perl(Time::HiRes)
@ -407,6 +405,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog %changelog
* Wed May 17 2023 Kamil Dudka <kdudka@redhat.com> - 8.1.0-1
- new upstream release, which fixes the following vulnerabilities
CVE-2023-28321 - IDN wildcard match
CVE-2023-28322 - more POST-after-PUT confusion
* Fri Apr 21 2023 Kamil Dudka <kdudka@redhat.com> - 8.0.1-3 * Fri Apr 21 2023 Kamil Dudka <kdudka@redhat.com> - 8.0.1-3
- tests: re-enable temporarily disabled test-cases - tests: re-enable temporarily disabled test-cases
- tests: attempt to fix a conflict on port numbers - tests: attempt to fix a conflict on port numbers

View File

@ -1,2 +1,2 @@
SHA512 (curl-8.0.1.tar.xz) = 3bb777982659ed697ae90f113ff7b65d6ce8ba9fe6a8984cfd6769d2f051a72ba953c911abe234c204ec2cc5a35d68b4d033037fad7fba31bb92a52543f8d13d SHA512 (curl-8.1.0.tar.xz) = b99926f372ddd715cd1d2b54d8fb96b26b085e6501715e25aa57b6c6a7f8452473506ddb284e2f280f8afdb301b7f0c3bfde7ad7ed393b12c022430a9301096d
SHA512 (curl-8.0.1.tar.xz.asc) = 92c6a0570e9a8a708fe2f717b8b37a68dcb9cd4520ca50c9baafec5891bda103bce2d2dcb67f1387bf11bd7e51e0e64ccd52d196e61d58b598ad3aa1960386cf SHA512 (curl-8.1.0.tar.xz.asc) = 191a74c7a6b6aa78b7f36e1535fda0701bde8b333a61c90343e1f1b2d65cc5097b5febc5fa42b2f373795ef1b34078790deaaa71c8aaa45eed1c753729a45f3d