new upstream release - 7.83.0
Resolves: CVE-2022-27774 - curl credential leak on redirect
Resolves: CVE-2022-27776 - curl auth/cookie leak on redirect
Resolves: CVE-2022-27775 - curl bad local IPv6 connection reuse
Resolves: CVE-2022-22576 - curl OAUTH2 bearer bypass in connection re-use
parent
cd99025ff8
commit
f17162c526
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +1,2 @@
|
|||||||
/curl-[0-9.]*.tar.lzma
|
|
||||||
/curl-[0-9.]*.tar.xz
|
/curl-[0-9.]*.tar.xz
|
||||||
|
/curl-[0-9.]*.tar.xz.asc
|
||||||
|
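--- a/0001-curl-7.82.0-openssl-spurious-oom.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 58781adaaff911303f69876236918b9049dde926 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Tue, 8 Mar 2022 13:38:13 +0100
-Subject: [PATCH] openssl: fix CN check error code
-
-Due to a missing 'else' this returns error too easily.
-
-Regressed in: d15692ebb
-
-Reported-by: Kristoffer Gleditsch
-Fixes #8559
-Closes #8560
-
-Upstream-commit: 911714d617c106ed5d553bf003e34ec94ab6a136
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
-lib/vtls/openssl.c | 3 ++-
-1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
-index 616a510..1bafe96 100644
---- a/lib/vtls/openssl.c
-+++ b/lib/vtls/openssl.c
-@@ -1808,7 +1808,8 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
-memcpy(peer_CN, ASN1_STRING_get0_data(tmp), peerlen);
-peer_CN[peerlen] = '\0';
-}
-- result = CURLE_OUT_OF_MEMORY;
-+ else
-+ result = CURLE_OUT_OF_MEMORY;
-}
-}
-else /* not a UTF8 name */
---
-2.34.1
-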
@ -1,11 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmIjIysACgkQXMkI/bce
|
|
||||||
EsK2qQf/bcLm7LXO+Cvh0gbbIS9S5uT2/8g8AJ3/dFijs/BvqW85ajsfSCx9Z4+4
|
|
||||||
Bad/CfZvuHoBMKKsSC9uSyBzv3UmupEHxYlIw0oik97Q0NDml5czsLJznGEtRiwh
|
|
||||||
DzOSl8hwLg3OhHXD/G239oSPk2b7ys1P7KQsdxadaxHaoVjFMT4qI0/1DQBKBb/C
|
|
||||||
AnzXcQUii3HEsPwnS7OmTvbXcDR6HS0Pq4b0Usop1YVppUlP5rG/gV6o7ogA13Cv
|
|
||||||
yssbfL8fGN3pSgJWtCLoxbIyZbRUROvR74u0ymlf5oLs4bCWzLR9pGKt+oM9YBGq
|
|
||||||
m9LkqrxKUEOp36vdLN4UgqGdWLa5zQ==
|
|
||||||
=/k1v
|
|
||||||
-----END PGP SIGNATURE-----
|
|
15
curl.spec
@ -1,7 +1,7 @@
|
|||||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||||
Name: curl
|
Name: curl
|
||||||
Version: 7.82.0
|
Version: 7.83.0
|
||||||
Release: 2%{?dist}
|
Release: 1%{?dist}
|
||||||
License: MIT
|
License: MIT
|
||||||
Source0: https://curl.se/download/%{name}-%{version}.tar.xz
|
Source0: https://curl.se/download/%{name}-%{version}.tar.xz
|
||||||
Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
|
Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
|
||||||
@ -10,9 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
|
|||||||
# which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
|
# which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
|
||||||
Source2: mykey.asc
|
Source2: mykey.asc
|
||||||
|
|
||||||
# openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure
|
|
||||||
Patch1: 0001-curl-7.82.0-openssl-spurious-oom.patch
|
|
||||||
|
|
||||||
# patch making libcurl multilib ready
|
# patch making libcurl multilib ready
|
||||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||||
|
|
||||||
@ -188,7 +185,6 @@ be installed.
|
|||||||
%setup -q
|
%setup -q
|
||||||
|
|
||||||
# upstream patches
|
# upstream patches
|
||||||
%patch1 -p1
|
|
||||||
|
|
||||||
# Fedora patches
|
# Fedora patches
|
||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
@ -415,6 +411,13 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
|||||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Apr 27 2022 Kamil Dudka <kdudka@redhat.com> - 7.83.0-1
|
||||||
|
- new upstream release, which fixes the following vulnerabilities
|
||||||
|
CVE-2022-27774 - curl credential leak on redirect
|
||||||
|
CVE-2022-27776 - curl auth/cookie leak on redirect
|
||||||
|
CVE-2022-27775 - curl bad local IPv6 connection reuse
|
||||||
|
CVE-2022-22576 - curl OAUTH2 bearer bypass in connection re-use
|
||||||
|
|
||||||
* Tue Mar 15 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-2
|
* Tue Mar 15 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-2
|
||||||
- openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure
|
- openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure
|
||||||
|
|
||||||
|
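Review bot: The %prep hunk (`@ -188,7 +185,6`) shows only `%setup -q` after the dropped `%patch1 -p1`, so this diff does not show whether the new tarball is verified against Source1 (the `.tar.xz.asc`) and Source2 (`mykey.asc`) before extraction; if that step lives outside the hunk this is fine, otherwise the SHA512 entries in `sources` are the only integrity check on a release that carries four CVE fixes. The 7.83.0-1 changelog entry also does not record that `0001-curl-7.82.0-openssl-spurious-oom.patch` (Patch1) was removed; a line such as `- drop 0001-curl-7.82.0-openssl-spurious-oom.patch, now included upstream` would explain why the patch disappears in the same commit. The %prep section begins before and ends after the hunk.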
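--- a/sources
+++ b/sources
@@ -1 +1,2 @@
-SHA512 (curl-7.82.0.tar.xz) = a977d69360d1793f8872096a21f5c0271e7ad145cd69ad45f4056a0657772f0f298b04bdb41aefd4ea5c4478352c60d80b5a118642280a07a7198aa80ffb1d57
+SHA512 (curl-7.83.0.tar.xz) = be02bb2a8a3140eff3a9046f27cd4f872ed9ddaa644af49e56e5ef7dfec84a15b01db133469269437cddc937eda73953fa8c51bb758f7e98873822cd2290d3a9
+SHA512 (curl-7.83.0.tar.xz.asc) = 8fb90f9692f4fdb82ea49f0e5151219b2334da5d3910f28e787bb688fb055b8b028ccf75cdcc15cd9f86d780d479f88f902fef7d7b9e007a4b849cb25c6c13cc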