Commit Graph

624 Commits

Author SHA1 Message Date
Jacek Migacz
15f06cda53 Add gating configuration for C10S/RHEL10
Resolves: RHEL-52103
2024-08-06 12:06:27 +02:00
Jacek Migacz
81fc40841c Rebase to version 8.9.1
Resolves: RHEL-50806
2024-08-01 13:02:11 +02:00
Jacek Migacz
d008daad04 Disable OpenSSL Engine API support in RHEL 10
Resolves: RHEL-30436
2024-07-09 23:11:46 +02:00
Jacek Migacz
62464f90e4 setopt: Fix disabling all protocols (CVE-2024-2004)
Resolves: RHEL-30465
2024-07-09 20:58:10 +02:00
Jacek Migacz
816b245734 http2: push headers better cleanup (CVE-2024-2398)
Resolves: RHEL-30462
2024-07-09 19:18:10 +02:00
Troy Dawson
6e4c862df9 Bump release for June 2024 mass rebuild 2024-06-24 08:39:45 -07:00
Jan Macku
e58b8f772b spec: use printf to populate tests/data/DISABLED with a newline 2024-02-12 17:34:59 +01:00
Jan Macku
cbc7f6603c spec: use echo -e to populate tests/data/DISABLED with a newline 2024-02-12 17:13:40 +01:00
Jan Macku
cbd939da23 spec: don't suggests libcurl-minimal
it might break existing setups, tests, etc.

Also fedora documentation about suggests is not right about meaning of Suggests macro.
2024-02-12 16:24:35 +01:00
Jan Macku
685f0d3645 temporarily disable test 0313
```
test 0313...[CRL test]
../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet
--leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16
--log-file=log/valgrind313 ../src/curl --output log/curl313.out  --include
--trace-ascii log/trace313 --trace-time --cacert
../../tests/certs/EdelCurlRoot-ca.crt --crlfile
../../tests/certs/Server-localhost-sv.crl https://localhost:37247/313 >
log/stdout313 2> log/stderr313
CMD (15360): ../libtool --mode=execute /usr/bin/valgrind --tool=memcheck
--quiet --leak-check=yes --suppressions=../../tests/valgrind.supp
--num-callers=16 --log-file=log/valgrind313 ../src/curl --output
log/curl313.out  --include --trace-ascii log/trace313 --trace-time --cacert
../../tests/certs/EdelCurlRoot-ca.crt --crlfile
../../tests/certs/Server-localhost-sv.crl https://localhost:37247/313 >
log/stdout313 2> log/stderr313
 valgrind ERROR ==89628== 1,795 (248 direct, 1,547 indirect) bytes in 1 blocks
are definitely lost in loss record 32 of 32
==89628==    at 0x484280F: malloc (vg_replace_malloc.c:442)
==89628==    by 0x4D71B20: CRYPTO_malloc (in /usr/lib64/libcrypto.so.3.2.1)
==89628==    by 0x4D71BD4: CRYPTO_zalloc (in /usr/lib64/libcrypto.so.3.2.1)
==89628==    by 0x4C67FD3: ??? (in /usr/lib64/libcrypto.so.3.2.1)
==89628==    by 0x4C69B00: ??? (in /usr/lib64/libcrypto.so.3.2.1)
==89628==    by 0x4C69E3F: ASN1_item_d2i_ex (in /usr/lib64/libcrypto.so.3.2.1)
==89628==    by 0x4D944C0: PEM_ASN1_read_bio (in /usr/lib64/libcrypto.so.3.2.1)
==89628==    by 0x4DD3C31: X509_load_crl_file (in
/usr/lib64/libcrypto.so.3.2.1)
==89628==    by 0x48B6D48: UnknownInlinedFun (openssl.c:3284)
==89628==    by 0x48B6D48: Curl_ssl_setup_x509_store (openssl.c:3437)
==89628==    by 0x48B7445: ossl_bio_cf_in_read (openssl.c:776)
==89628==    by 0x4C6DB32: ??? (in /usr/lib64/libcrypto.so.3.2.1)
==89628==    by 0x4C71C16: ??? (in /usr/lib64/libcrypto.so.3.2.1)
==89628==    by 0x4C71DAA: BIO_read (in /usr/lib64/libcrypto.so.3.2.1)
==89628==    by 0x4B9BE92: ??? (in /usr/lib64/libssl.so.3.2.1)
==89628==    by 0x4BA0B4A: ??? (in /usr/lib64/libssl.so.3.2.1)
==89628==    by 0x4B9B099: ??? (in /usr/lib64/libssl.so.3.2.1)
==89628==
== Contents of files in the log/ dir after test 313
=== Start of file commands.log
 ../libtool --mode=execute /usr/bin/valgrind --tool=memcheck --quiet
--leak-check=yes --suppressions=../../tests/valgrind.supp --num-callers=16
--log-file=log/valgrind313 ../src/curl --output log/curl313.out  --include
--trace-ascii log/trace313 --trace-time --cacert
../../tests/certs/EdelCurlRoot-ca.crt --crlfile
../../tests/certs/Server-localhost-sv.crl https://localhost:37247/313 >
log/stdout313 2> log/stderr313
=== End of file commands.log
```

Related: openssl #2263877

a
2024-02-12 16:24:31 +01:00
Jan Macku
9c77cd7c46 vtls: revert "receive max buffer" + add test case
It breaks the test suite of pycurl
2024-02-12 14:06:34 +01:00
Jan Macku
31bc86593e curl-full: add Provides to curl-minimal 2024-02-12 13:50:03 +01:00
Jan Macku
8cec2e9cc7 drop curl-minimal subpackage in favor of curl-full
The reason for maintaining two separate packages for curl is no longer valid.
The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal.

Resolves: #2262096
2024-02-07 13:05:39 +01:00
Jan Macku
ec3f7ae8ee fix: ignore response body to HEAD requests
Discovered/Reported by: @lis in FEDORA-2024-634a6662aa
2024-02-05 10:49:10 +01:00
Kamil Dudka
be5d7739cf deduplicate the --disable-manual configure option
No change in behavior intended.

Related: #2262373
Closes: https://src.fedoraproject.org/rpms/curl/pull-request/22
2024-02-02 12:04:20 +01:00
Jan Macku
6730b754a9 don't build curl manual feature use man 1 curl instead
Resolves: #2262373
2024-02-02 10:22:12 +01:00
Jan Macku
98780da3f8 new upstream release - 8.6.0
Resolves: CVE-2024-0853 - OCSP verification bypass with TLS session reuse
2024-02-01 15:11:39 +01:00
Fedora Release Engineering
3c4671bd88 Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild 2024-01-19 16:32:26 +00:00
Jan Macku
7d149f66f5 new upstream release - 8.5.0
Resolves: CVE-2023-46218 - cookie mixed case PSL bypass
Resolves: CVE-2023-46219 - HSTS long file name clears contents
2023-12-06 12:29:18 +01:00
Jan Macku
cb17cbc66a new upstream release - 8.4.0
Resolves: CVE-2023-38545 - SOCKS5 heap buffer overflow
Resolves: CVE-2023-38546 - cookie injection with none file
2023-10-11 15:36:19 +02:00
Lukáš Zaoral
554e13f798
tests: use newer Fedora URLs for testing
... because F36 URLs are no longer available.
2023-10-09 10:48:08 +02:00
Jan Macku
dd8c36f3ea new upstream release - 8.3.0
Resolves: CVE-2023-38039 - HTTP headers eat all memory
2023-09-13 10:33:22 +02:00
Jan Macku
76f5788cab enable websockets
Resolves: #2224651
2023-08-10 12:44:06 +02:00
Lukáš Zaoral
b64627ff52
new upstream release - 8.2.1
Resolves: rhbz#2226659
2023-07-26 12:40:15 +02:00
Jan Macku
de1364bf2c new upstream release - 8.2.0
Resolves: CVE-2023-32001 - fopen race condition
2023-07-19 13:44:49 +02:00
Jan Macku
f91221e9d7 new upstream release - 8.1.2
Resolves: #2210976
2023-05-30 10:05:35 +02:00
Jan Macku
d31965bf5b new upstream release - 8.1.1
Resolves: #2209217
2023-05-23 10:07:28 +02:00
Paul Howarth
dc1838de58 Additional test suite dependencies 2023-05-17 13:14:43 +01:00
Paul Howarth
6beac07229 Ignore lzma-compressed tarballs from old releases 2023-05-17 13:13:21 +01:00
Kamil Dudka
fa58a15ce6 add BR for perl(base) needed by the test-suite 2023-05-17 12:11:00 +02:00
Kamil Dudka
4da3349c05 drop 0103-curl-7.87.0-test3012.patch
The related valgrind bug has been fixed
https://bugzilla.redhat.com/2143040
2023-05-17 09:55:40 +02:00
Kamil Dudka
c0b70e927f new upstream release - 8.1.0
Resolves: CVE-2023-28321 - IDN wildcard match
Resolves: CVE-2023-28322 - more POST-after-PUT confusion
2023-05-17 09:42:41 +02:00
Kamil Dudka
65d0dfbac5 changelog: trim entries that predate curl-7.29.0
... which RHEL-7 builds of curl are based on

Closes: https://src.fedoraproject.org/rpms/curl/pull-request/16
2023-04-21 18:30:49 +02:00
Kamil Dudka
d8bddc669c tests: re-enable temporarily disabled test-cases 2023-04-21 18:11:12 +02:00
Kamil Dudka
2d313d8a46 tests: attempt to fix a conflict on port numbers
... where stunnel listens for legacy HTTPS and HTTP/2, which manifests
as a hard-to-explain failure of the following tests: 1630 1631 1632 1904
1941 1945 2050 2055 3028
```
[...]
startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https_server.pid" --logfile "log/https_stunnel.log" --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 42917 --accept 24642
RUN: HTTPS server is PID 114398 port 24642
* pid https => 114398 114402
[...]
startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https2_server.pid" --logfile "log/https2_stunnel.log" --id 2 --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 36763 --accept 24642
startnew: child process has died, server might start up
Warning: http2 server unexpectedly alive
RUN: Process with pid 73992 signalled to die
RUN: Process with pid 73992 forced to die with SIGKILL
== Contents of files in the log/ dir after test 1630
=== Start of file http2_server.log
 14:01:21.881018 exit_signal_handler: 15
 14:01:21.881372 signalled to die
 14:01:21.881511 ========> IPv4 sws (port 36763 pid: 73992) exits with signal (15)
=== End of file http2_server.log
=== Start of file https2_stunnel.log
 [ ] Initializing inetd mode configuration
 [ ] Clients allowed=500
 [.] stunnel 5.69 on x86_64-redhat-linux-gnu platform
 [.] Compiled/running with OpenSSL 3.0.8 7 Feb 2023
 [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
 [ ] errno: (*__errno_location ())
 [ ] Initializing inetd mode configuration
 [.] Reading configuration from file /builddir/build/BUILD/curl-8.0.1/build-minimal/tests/https_stunnel.conf
 [.] UTF-8 byte order mark not detected
 [.] FIPS mode disabled
 [ ] Compression disabled
 [ ] No PRNG seeding was required
 [ ] Initializing service [curltest]
 [ ] Using the default TLS minimum version as specified in crypto policies. Not setting explicitly.
 [ ] Using the default TLS maximum version as specified in crypto policies. Not setting explicitly
 [ ] stunnel default security level set: 2
 [ ] Ciphers: PROFILE=SYSTEM
 [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
 [ ] TLS options: 0x2100000 (+0x0, -0x0)
 [ ] Session resumption enabled
 [ ] Loading certificate from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem
 [ ] Certificate loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem
 [ ] Loading private key from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem
 [ ] Private key loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem
 [ ] Private key check succeeded
 [!] No trusted certificates found
 [ ] DH initialization needed for DHE-RSA-AES256-GCM-SHA384
 [ ] DH initialization
 [ ] Could not load DH parameters from /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem
 [ ] Using dynamic DH parameters
 [ ] ECDH initialization
 [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384
 [.] Configuration successful
 [ ] Deallocating deployed section defaults
 [ ] Binding service [curltest]
 [ ] Listening file descriptor created (FD=8)
 [ ] Setting accept socket options (FD=8)
 [ ] Option SO_REUSEADDR set on accept socket
 [.] Binding service [curltest] to 0.0.0.0:24642: Address already in use (98)
 [ ] Listening file descriptor created (FD=8)
 [ ] Setting accept socket options (FD=8)
 [ ] Option SO_REUSEADDR set on accept socket
 [.] Binding service [curltest] to :::24642: Address already in use (98)
 [!] Binding service [curltest] failed
 [ ] Unbinding service [curltest]
 [ ] Service [curltest] closed
 [ ] Deallocating deployed section defaults
 [ ] Deallocating section [curltest]
 [ ] Initializing inetd mode configuration
=== End of file https2_stunnel.log
```
2023-04-21 18:05:52 +02:00
Kamil Dudka
fb877acc4b curl.spec: forgot to bump release 2023-04-21 14:41:58 +02:00
Kamil Dudka
449e5165fd curl.spec: apply patches automatically
... to ease maintenance and to avoid the following warning on Fedora
Rawhide:
```
warning: %patchN is deprecated (4 usages found), use %patch N (or %patch -P N)
```
2023-04-21 14:35:22 +02:00
Lukáš Zaoral
54363444c5
migrate to SPDX license 2023-03-21 15:46:58 +01:00
Kamil Dudka
c96705f9dc new upstream release - 8.0.1 2023-03-20 15:56:09 +01:00
Kamil Dudka
7b0a4d3dfc new upstream release - 8.0.0
Resolves: CVE-2023-27538 - SSH connection too eager reuse still
Resolves: CVE-2023-27537 - HSTS double-free
Resolves: CVE-2023-27536 - GSS delegation too eager connection re-use
Resolves: CVE-2023-27535 - FTP too eager connection reuse
Resolves: CVE-2023-27534 - SFTP path ~ resolving discrepancy
Resolves: CVE-2023-27533 - TELNET option IAC injection
2023-03-20 13:46:30 +01:00
Kamil Dudka
d5c1163ef3 new upstream release - 7.88.1 2023-02-20 14:42:32 +01:00
Kamil Dudka
13a96c9b8f http2: set drain on stream end
This is an attempt to fix the following issue in COPR:
https://pagure.io/fedora-infrastructure/issue/11133
2023-02-17 14:38:21 +01:00
Kamil Dudka
bdbf01f50c add glibc-langpack-en BR needed for test1560 to succeed
Suggested-by: Paul Howarth
2023-02-15 12:54:31 +01:00
Kamil Dudka
f3c2fe3549 do not fail on warnings in the upstream test driver 2023-02-15 10:46:00 +01:00
Kamil Dudka
98c91c9f34 new upstream release - 7.88.0
Resolves: CVE-2023-23916 - HTTP multi-header compression denial of service
Resolves: CVE-2023-23915 - HSTS amnesia with --parallel
Resolves: CVE-2023-23914 - HSTS ignored on multiple requests
2023-02-15 10:06:24 +01:00
Kamil Dudka
8ff989f4fd Resolves: #2162716 - fix regression in a public header file 2023-01-20 17:48:02 +01:00
Fedora Release Engineering
c3e870d57a Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-01-19 00:50:41 +00:00
Kamil Dudka
04ebed546a Related: #2143040 - test3012: temporarily disable valgrind 2023-01-11 09:00:16 +01:00
Kamil Dudka
0d0fa259a7 do not use stunnnel for testing on aarch64
The test 1561 intermittently fails when upstream test-suite runs
for the second time during the build:
```
 [ ] Initializing inetd mode configuration
 [ ] Clients allowed=500
 [.] stunnel 5.66 on aarch64-redhat-linux-gnu platform
 [.] Compiled/running with OpenSSL 3.0.5 5 Jul 2022
 [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
 [ ] errno: (*__errno_location ())
 [ ] Initializing inetd mode configuration
 [.] Reading configuration from file /builddir/build/BUILD/curl-7.87.0/build-full/tests/https_stunnel.conf
 [.] UTF-8 byte order mark not detected
 [.] FIPS mode disabled
 [ ] Compression disabled
 [ ] No PRNG seeding was required
 [ ] Initializing service [curltest]
 [ ] Using the default TLS version as specified in OpenSSL crypto policies. Not setting explicitly.
 [ ] Using the default TLS version as specified in OpenSSL crypto policies. Not setting explicitly
 [ ] stunnel default security level set: 2
 [ ] Ciphers: PROFILE=SYSTEM
 [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
 [ ] TLS options: 0x2100000 (+0x0, -0x0)
 [ ] Session resumption enabled
 [ ] Loading certificate from file: /builddir/build/BUILD/curl-7.87.0/tests/stunnel.pem
 [ ] Certificate loaded from file: /builddir/build/BUILD/curl-7.87.0/tests/stunnel.pem
 [ ] Loading private key from file: /builddir/build/BUILD/curl-7.87.0/tests/stunnel.pem
 [ ] Private key loaded from file: /builddir/build/BUILD/curl-7.87.0/tests/stunnel.pem
 [ ] Private key check succeeded
 [ ] DH initialization needed for DHE-RSA-AES256-GCM-SHA384
 [ ] DH initialization
 [ ] Could not load DH parameters from /builddir/build/BUILD/curl-7.87.0/tests/stunnel.pem
 [ ] Using dynamic DH parameters
 [ ] ECDH initialization
 [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384
 [.] Configuration successful
 [ ] Deallocating deployed section defaults
 [ ] Binding service [curltest]
 [ ] Listening file descriptor created (FD=8)
 [ ] Setting accept socket options (FD=8)
 [ ] Option SO_REUSEADDR set on accept socket
 [.] Binding service [curltest] to 0.0.0.0:24847: Address already in use (98)
 [ ] Listening file descriptor created (FD=8)
 [ ] Setting accept socket options (FD=8)
 [ ] Option SO_REUSEADDR set on accept socket
 [.] Binding service [curltest] to :::24847: Address already in use (98)
 [!] Binding service [curltest] failed
 [ ] Unbinding service [curltest]
 [ ] Service [curltest] closed
 [ ] Deallocating deployed section defaults
 [ ] Deallocating section [curltest]
 [ ] Initializing inetd mode configuration
```
2022-12-21 16:45:28 +01:00
Kamil Dudka
60cc0c5574 new upstream release - 7.87.0
Resolves: CVE-2022-43552 - HTTP Proxy deny use-after-free
Resolves: CVE-2022-43551 - Another HSTS bypass via IDN
2022-12-21 13:51:32 +01:00