new upstream release - 7.83.0

Resolves: CVE-2022-27774 - curl credential leak on redirect
Resolves: CVE-2022-27776 - curl auth/cookie leak on redirect
Resolves: CVE-2022-27775 - curl bad local IPv6 connection reuse
Resolves: CVE-2022-22576 - curl OAUTH2 bearer bypass in connection re-use

.gitignore

@@ -1,2 +1,2 @@
-/curl-[0-9.]*.tar.lzma
 /curl-[0-9.]*.tar.xz
+/curl-[0-9.]*.tar.xz.asc

0001-curl-7.82.0-openssl-spurious-oom.patch

@@ -1,36 +0,0 @@
-From 58781adaaff911303f69876236918b9049dde926 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Tue, 8 Mar 2022 13:38:13 +0100
-Subject: [PATCH] openssl: fix CN check error code
-
-Due to a missing 'else' this returns error too easily.
-
-Regressed in: d15692ebb
-
-Reported-by: Kristoffer Gleditsch
-Fixes #8559
-Closes #8560
-
-Upstream-commit: 911714d617c106ed5d553bf003e34ec94ab6a136
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/vtls/openssl.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
-index 616a510..1bafe96 100644
---- a/lib/vtls/openssl.c
-+++ b/lib/vtls/openssl.c
-@@ -1808,7 +1808,8 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
-               memcpy(peer_CN, ASN1_STRING_get0_data(tmp), peerlen);
-               peer_CN[peerlen] = '\0';
-             }
--            result = CURLE_OUT_OF_MEMORY;
-+            else
-+              result = CURLE_OUT_OF_MEMORY;
-           }
-         }
-         else /* not a UTF8 name */
--- 
-2.34.1
-

curl-7.82.0.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmIjIysACgkQXMkI/bce
-EsK2qQf/bcLm7LXO+Cvh0gbbIS9S5uT2/8g8AJ3/dFijs/BvqW85ajsfSCx9Z4+4
-Bad/CfZvuHoBMKKsSC9uSyBzv3UmupEHxYlIw0oik97Q0NDml5czsLJznGEtRiwh
-DzOSl8hwLg3OhHXD/G239oSPk2b7ys1P7KQsdxadaxHaoVjFMT4qI0/1DQBKBb/C
-AnzXcQUii3HEsPwnS7OmTvbXcDR6HS0Pq4b0Usop1YVppUlP5rG/gV6o7ogA13Cv
-yssbfL8fGN3pSgJWtCLoxbIyZbRUROvR74u0ymlf5oLs4bCWzLR9pGKt+oM9YBGq
-m9LkqrxKUEOp36vdLN4UgqGdWLa5zQ==
-=/k1v
------END PGP SIGNATURE-----

curl.spec

@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.82.0
-Release: 2%{?dist}
+Version: 7.83.0
+Release: 1%{?dist}
 License: MIT
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@@ -10,9 +10,6 @@ Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
 # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
 Source2: mykey.asc
 
-# openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure
-Patch1: 0001-curl-7.82.0-openssl-spurious-oom.patch
-
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -188,7 +185,6 @@ be installed.
 %setup -q
 
 # upstream patches
-%patch1 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -415,6 +411,13 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Wed Apr 27 2022 Kamil Dudka <kdudka@redhat.com> - 7.83.0-1
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2022-27774 - curl credential leak on redirect
+    CVE-2022-27776 - curl auth/cookie leak on redirect
+    CVE-2022-27775 - curl bad local IPv6 connection reuse
+    CVE-2022-22576 - curl OAUTH2 bearer bypass in connection re-use
+
 * Tue Mar 15 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-2
 - openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure
 

sources

@@ -1 +1,2 @@
-SHA512 (curl-7.82.0.tar.xz) = a977d69360d1793f8872096a21f5c0271e7ad145cd69ad45f4056a0657772f0f298b04bdb41aefd4ea5c4478352c60d80b5a118642280a07a7198aa80ffb1d57
+SHA512 (curl-7.83.0.tar.xz) = be02bb2a8a3140eff3a9046f27cd4f872ed9ddaa644af49e56e5ef7dfec84a15b01db133469269437cddc937eda73953fa8c51bb758f7e98873822cd2290d3a9
+SHA512 (curl-7.83.0.tar.xz.asc) = 8fb90f9692f4fdb82ea49f0e5151219b2334da5d3910f28e787bb688fb055b8b028ccf75cdcc15cd9f86d780d479f88f902fef7d7b9e007a4b849cb25c6c13cc