Commit Graph

560 Commits

Author SHA1 Message Date
Kamil Dudka
d8bddc669c tests: re-enable temporarily disabled test-cases 2023-04-21 18:11:12 +02:00
Kamil Dudka
2d313d8a46 tests: attempt to fix a conflict on port numbers
... where stunnel listens for legacy HTTPS and HTTP/2, which manifests
as a hard-to-explain failure of the following tests: 1630 1631 1632 1904
1941 1945 2050 2055 3028
```
[...]
startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https_server.pid" --logfile "log/https_stunnel.log" --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 42917 --accept 24642
RUN: HTTPS server is PID 114398 port 24642
* pid https => 114398 114402
[...]
startnew: perl -I../../tests ../../tests/secureserver.pl --pidfile ".https2_server.pid" --logfile "log/https2_stunnel.log" --id 2 --ipv4 --proto https --stunnel "/usr/bin/stunnel" --srcdir "../../tests" --connect 36763 --accept 24642
startnew: child process has died, server might start up
Warning: http2 server unexpectedly alive
RUN: Process with pid 73992 signalled to die
RUN: Process with pid 73992 forced to die with SIGKILL
== Contents of files in the log/ dir after test 1630
=== Start of file http2_server.log
 14:01:21.881018 exit_signal_handler: 15
 14:01:21.881372 signalled to die
 14:01:21.881511 ========> IPv4 sws (port 36763 pid: 73992) exits with signal (15)
=== End of file http2_server.log
=== Start of file https2_stunnel.log
 [ ] Initializing inetd mode configuration
 [ ] Clients allowed=500
 [.] stunnel 5.69 on x86_64-redhat-linux-gnu platform
 [.] Compiled/running with OpenSSL 3.0.8 7 Feb 2023
 [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
 [ ] errno: (*__errno_location ())
 [ ] Initializing inetd mode configuration
 [.] Reading configuration from file /builddir/build/BUILD/curl-8.0.1/build-minimal/tests/https_stunnel.conf
 [.] UTF-8 byte order mark not detected
 [.] FIPS mode disabled
 [ ] Compression disabled
 [ ] No PRNG seeding was required
 [ ] Initializing service [curltest]
 [ ] Using the default TLS minimum version as specified in crypto policies. Not setting explicitly.
 [ ] Using the default TLS maximum version as specified in crypto policies. Not setting explicitly
 [ ] stunnel default security level set: 2
 [ ] Ciphers: PROFILE=SYSTEM
 [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
 [ ] TLS options: 0x2100000 (+0x0, -0x0)
 [ ] Session resumption enabled
 [ ] Loading certificate from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem
 [ ] Certificate loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem
 [ ] Loading private key from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem
 [ ] Private key loaded from file: /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem
 [ ] Private key check succeeded
 [!] No trusted certificates found
 [ ] DH initialization needed for DHE-RSA-AES256-GCM-SHA384
 [ ] DH initialization
 [ ] Could not load DH parameters from /builddir/build/BUILD/curl-8.0.1/tests/stunnel.pem
 [ ] Using dynamic DH parameters
 [ ] ECDH initialization
 [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384
 [.] Configuration successful
 [ ] Deallocating deployed section defaults
 [ ] Binding service [curltest]
 [ ] Listening file descriptor created (FD=8)
 [ ] Setting accept socket options (FD=8)
 [ ] Option SO_REUSEADDR set on accept socket
 [.] Binding service [curltest] to 0.0.0.0:24642: Address already in use (98)
 [ ] Listening file descriptor created (FD=8)
 [ ] Setting accept socket options (FD=8)
 [ ] Option SO_REUSEADDR set on accept socket
 [.] Binding service [curltest] to :::24642: Address already in use (98)
 [!] Binding service [curltest] failed
 [ ] Unbinding service [curltest]
 [ ] Service [curltest] closed
 [ ] Deallocating deployed section defaults
 [ ] Deallocating section [curltest]
 [ ] Initializing inetd mode configuration
=== End of file https2_stunnel.log
```
2023-04-21 18:05:52 +02:00
Kamil Dudka
fb877acc4b curl.spec: forgot to bump release 2023-04-21 14:41:58 +02:00
Kamil Dudka
449e5165fd curl.spec: apply patches automatically
... to ease maintenance and to avoid the following warning on Fedora
Rawhide:
```
warning: %patchN is deprecated (4 usages found), use %patch N (or %patch -P N)
```
2023-04-21 14:35:22 +02:00
Lukáš Zaoral
54363444c5
migrate to SPDX license 2023-03-21 15:46:58 +01:00
Kamil Dudka
c96705f9dc new upstream release - 8.0.1 2023-03-20 15:56:09 +01:00
Kamil Dudka
7b0a4d3dfc new upstream release - 8.0.0
Resolves: CVE-2023-27538 - SSH connection too eager reuse still
Resolves: CVE-2023-27537 - HSTS double-free
Resolves: CVE-2023-27536 - GSS delegation too eager connection re-use
Resolves: CVE-2023-27535 - FTP too eager connection reuse
Resolves: CVE-2023-27534 - SFTP path ~ resolving discrepancy
Resolves: CVE-2023-27533 - TELNET option IAC injection
2023-03-20 13:46:30 +01:00
Kamil Dudka
d5c1163ef3 new upstream release - 7.88.1 2023-02-20 14:42:32 +01:00
Kamil Dudka
13a96c9b8f http2: set drain on stream end
This is an attempt to fix the following issue in COPR:
https://pagure.io/fedora-infrastructure/issue/11133
2023-02-17 14:38:21 +01:00
Kamil Dudka
bdbf01f50c add glibc-langpack-en BR needed for test1560 to succeed
Suggested-by: Paul Howarth
2023-02-15 12:54:31 +01:00
Kamil Dudka
f3c2fe3549 do not fail on warnings in the upstream test driver 2023-02-15 10:46:00 +01:00
Kamil Dudka
98c91c9f34 new upstream release - 7.88.0
Resolves: CVE-2023-23916 - HTTP multi-header compression denial of service
Resolves: CVE-2023-23915 - HSTS amnesia with --parallel
Resolves: CVE-2023-23914 - HSTS ignored on multiple requests
2023-02-15 10:06:24 +01:00
Kamil Dudka
8ff989f4fd Resolves: #2162716 - fix regression in a public header file 2023-01-20 17:48:02 +01:00
Fedora Release Engineering
c3e870d57a Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-01-19 00:50:41 +00:00
Kamil Dudka
04ebed546a Related: #2143040 - test3012: temporarily disable valgrind 2023-01-11 09:00:16 +01:00
Kamil Dudka
0d0fa259a7 do not use stunnnel for testing on aarch64
The test 1561 intermittently fails when upstream test-suite runs
for the second time during the build:
```
 [ ] Initializing inetd mode configuration
 [ ] Clients allowed=500
 [.] stunnel 5.66 on aarch64-redhat-linux-gnu platform
 [.] Compiled/running with OpenSSL 3.0.5 5 Jul 2022
 [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
 [ ] errno: (*__errno_location ())
 [ ] Initializing inetd mode configuration
 [.] Reading configuration from file /builddir/build/BUILD/curl-7.87.0/build-full/tests/https_stunnel.conf
 [.] UTF-8 byte order mark not detected
 [.] FIPS mode disabled
 [ ] Compression disabled
 [ ] No PRNG seeding was required
 [ ] Initializing service [curltest]
 [ ] Using the default TLS version as specified in OpenSSL crypto policies. Not setting explicitly.
 [ ] Using the default TLS version as specified in OpenSSL crypto policies. Not setting explicitly
 [ ] stunnel default security level set: 2
 [ ] Ciphers: PROFILE=SYSTEM
 [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
 [ ] TLS options: 0x2100000 (+0x0, -0x0)
 [ ] Session resumption enabled
 [ ] Loading certificate from file: /builddir/build/BUILD/curl-7.87.0/tests/stunnel.pem
 [ ] Certificate loaded from file: /builddir/build/BUILD/curl-7.87.0/tests/stunnel.pem
 [ ] Loading private key from file: /builddir/build/BUILD/curl-7.87.0/tests/stunnel.pem
 [ ] Private key loaded from file: /builddir/build/BUILD/curl-7.87.0/tests/stunnel.pem
 [ ] Private key check succeeded
 [ ] DH initialization needed for DHE-RSA-AES256-GCM-SHA384
 [ ] DH initialization
 [ ] Could not load DH parameters from /builddir/build/BUILD/curl-7.87.0/tests/stunnel.pem
 [ ] Using dynamic DH parameters
 [ ] ECDH initialization
 [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384
 [.] Configuration successful
 [ ] Deallocating deployed section defaults
 [ ] Binding service [curltest]
 [ ] Listening file descriptor created (FD=8)
 [ ] Setting accept socket options (FD=8)
 [ ] Option SO_REUSEADDR set on accept socket
 [.] Binding service [curltest] to 0.0.0.0:24847: Address already in use (98)
 [ ] Listening file descriptor created (FD=8)
 [ ] Setting accept socket options (FD=8)
 [ ] Option SO_REUSEADDR set on accept socket
 [.] Binding service [curltest] to :::24847: Address already in use (98)
 [!] Binding service [curltest] failed
 [ ] Unbinding service [curltest]
 [ ] Service [curltest] closed
 [ ] Deallocating deployed section defaults
 [ ] Deallocating section [curltest]
 [ ] Initializing inetd mode configuration
```
2022-12-21 16:45:28 +01:00
Kamil Dudka
60cc0c5574 new upstream release - 7.87.0
Resolves: CVE-2022-43552 - HTTP Proxy deny use-after-free
Resolves: CVE-2022-43551 - Another HSTS bypass via IDN
2022-12-21 13:51:32 +01:00
Kamil Dudka
aa9b0f2a8f Resolves: #2149224 - noproxy: tailmatch like in 7.85.0 and earlier 2022-11-29 12:07:37 +01:00
Kamil Dudka
7b44e0b7aa Related: #2144277 - enforce versioned libnghttp2 dependency for libcurl 2022-11-24 16:26:48 +01:00
Kamil Dudka
394bdcb956 fix regression in noproxy matching 2022-10-31 09:34:58 +01:00
Kamil Dudka
3501daee0b new upstream release - 7.86.0
Resolves: CVE-2022-42916 - HSTS bypass via IDN
Resolves: CVE-2022-42915 - HTTP proxy double-free
Resolves: CVE-2022-35260 - .netrc parser out-of-bounds access
Resolves: CVE-2022-32221 - POST following PUT confusion
2022-10-26 14:27:26 +02:00
Kamil Dudka
4bceeec6e1 curl.spec: fix the last change log entry 2022-10-26 14:16:26 +02:00
Kamil Dudka
1322e86ddb new upstream release - 7.85.0
Resolves: CVE-2022-35252 - control code in cookie denial of service
2022-09-01 14:13:21 +02:00
Kamil Dudka
f58874c271 tests: fix http2 tests to use CRLF headers
... to make it work with nghttp2-1.49.0
2022-08-25 13:22:29 +02:00
Fedora Release Engineering
2fded2f1a8 Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-07-20 23:54:27 +00:00
Kamil Dudka
f052e58217 test3026: avoid pthread_create() failure due to resource exhaustion on i386 2022-06-28 09:04:19 +02:00
Kamil Dudka
9ba06cfc6e easy_lock.h: include sched.h if available to fix build 2022-06-27 17:52:30 +02:00
Kamil Dudka
768ce3965d test3026: disable valgrind
It fails on x86_64 with:
```
 Use --max-threads=INT to specify a larger number of threads
 and rerun valgrind
 valgrind: the 'impossible' happened:
    Max number of threads is too low
 host stacktrace:
 ==174357==    at 0x58042F5A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
 ==174357==    by 0x58043087: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
 ==174357==    by 0x580432EF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
 ==174357==    by 0x58043310: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
 ==174357==    by 0x58099E77: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
 ==174357==    by 0x580E67E9: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
 ==174357==    by 0x5809D59D: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
 ==174357==    by 0x5809901A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
 ==174357==    by 0x5809B0B6: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
 ==174357==    by 0x580E4050: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
 sched status:
   running_tid=1
 Thread 1: status = VgTs_Runnable syscall 56 (lwpid 174357)
 ==174357==    at 0x4A07816: clone (in /usr/lib64/libc.so.6)
 ==174357==    by 0x4A08720: __clone_internal (in /usr/lib64/libc.so.6)
 ==174357==    by 0x4987ACF: create_thread (in /usr/lib64/libc.so.6)
 ==174357==    by 0x49885F6: pthread_create@@GLIBC_2.34 (in /usr/lib64/libc.so.6)
 ==174357==    by 0x1093B5: test.part.0 (lib3026.c:64)
 ==174357==    by 0x492454F: (below main) (in /usr/lib64/libc.so.6)
 client stack range: [0x1FFEFFC000 0x1FFF000FFF] client SP: 0x1FFEFFC998
 valgrind stack range: [0x1002BAA000 0x1002CA9FFF] top usage: 11728 of 1048576
[...]
```
2022-06-27 17:00:18 +02:00
Kamil Dudka
a4ed273b19 new upstream release - 7.84.0
Resolves: CVE-2022-32207 - Unpreserved file permissions
Resolves: CVE-2022-32205 - Set-Cookie denial of service
Resolves: CVE-2022-32206 - HTTP compression denial of service
Resolves: CVE-2022-32208 - FTP-KRB bad message verification
2022-06-27 13:00:50 +02:00
Kamil Dudka
4ad1229e9d new upstream release - 7.83.1
Resolves: CVE-2022-27782 - fix too eager reuse of TLS and SSH connections
Resolves: CVE-2022-27779 - do not accept cookies for TLD with trailing dot
Resolves: CVE-2022-27778 - do not remove wrong file on error
Resolves: CVE-2022-30115 - hsts: ignore trailing dots when comparing hosts names
Resolves: CVE-2022-27780 - reject percent-encoded path separator in URL host
2022-05-11 10:03:28 +02:00
Kamil Dudka
f17162c526 new upstream release - 7.83.0
Resolves: CVE-2022-27774 - curl credential leak on redirect
Resolves: CVE-2022-27776 - curl auth/cookie leak on redirect
Resolves: CVE-2022-27775 - curl bad local IPv6 connection reuse
Resolves: CVE-2022-22576 - curl OAUTH2 bearer bypass in connection re-use
2022-04-27 13:52:54 +02:00
Kamil Dudka
cd99025ff8 curl.spec: bump release for the previous commit 2022-03-15 12:57:49 +01:00
Kamil Dudka
cbc7b73e10 openssl: fix incorrect CURLE_OUT_OF_MEMORY error
... on CN check failure, which was breaking the test-suite of pycurl.

Reported-by: Lukas Zaoral
2022-03-15 12:53:45 +01:00
Kamil Dudka
4f4da0817d new upstream release - 7.82.0 2022-03-05 11:17:52 +01:00
Kamil Dudka
cf3c14e497 enable IDN support also in libcurl-minimal
... as requested at fedora devel mailing-list:

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/SH5WAIBVF7GVSKL2VPMSQKY7BB4QYEB5/
2022-02-24 09:50:19 +01:00
Zbigniew Jędrzejewski-Szmek
d768f3c814 Pull in libcurl-minimal if installing curl-minimal
curl-minimal has an automatically generated dependency on libcurl.so.4(), so it'd
pull in either libcurl or libcurl-minimal. Let's make the second one preferred.

$ sudo dnf install --releasever=rawhide --installroot=/var/tmp/f36-test --setopt install_weak_deps=False curl-minimal
...
Total download size: 21 M
Installed size: 64 M

$ sudo dnf install --releasever=rawhide --installroot=/var/tmp/f36-test --setopt install_weak_deps=False curl-minimal libcurl-minimal
...
Total download size: 18 M
Installed size: 57 M
2022-02-10 20:52:05 +01:00
Fedora Release Engineering
c3286199cb - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-01-20 00:08:37 +00:00
Kamil Dudka
3e801a6f9f new upstream release - 7.81.0 2022-01-05 09:35:58 +01:00
Paul Howarth
503307b687 sshserver.pl (used in test suite) now requires the Digest::SHA perl module 2021-11-14 17:06:12 +00:00
Kamil Dudka
ef0743b641 new upstream release - 7.80.0 2021-11-10 09:03:50 +01:00
Kamil Dudka
ac00a5bac0 temporarily disable tests 300{0,1} on x86_64
stunnel clashes with itself
2021-10-27 13:57:07 +02:00
Kamil Dudka
94a3e807dd Related: #2005874 - re-enable HSTS in libcurl-minimal
... as a security feature
2021-10-26 17:15:50 +02:00
Kamil Dudka
a0acb0cc77 Related: #2005874 - use correct bug ID in the change log 2021-10-04 12:29:42 +02:00
Kamil Dudka
d4c5b54bf3 run upstream tests for both curl-minimal and curl-full
As we made libcurl-minimal more minimal, it differs more from
libcurl-full and it should be tested separately.  On the other
hand, the test-suite for libcurl-minimal runs faster now because
more tests are skipped.
2021-10-04 09:55:13 +02:00
Kamil Dudka
5ebead952b Resolves: #1994521 - disable more protocols and features in libcurl-minimal
... to limit vulnerability exposure in case there is a CVE in curl
in some of the rarer protocols
2021-10-04 09:55:11 +02:00
Kamil Dudka
54117120e4 explicitly disable zstd while configuring curl
... in order to make local builds closer to what we get from Koji
2021-10-04 09:54:25 +02:00
Kamil Dudka
c2f61abc1c curl.spec: align the lists of configure options
... to make it easier to extend the lists
2021-10-04 09:54:25 +02:00
Kamil Dudka
407e3960e4 new upstream release - 7.79.1 2021-09-22 09:16:36 +02:00
Kamil Dudka
e2155b2695 fix regression in http2 implementation
... introduced in the last release
2021-09-16 12:26:16 +02:00
Sahana Prasad
f97c73e9d7 Rebuilt with OpenSSL 3.0.0 2021-09-16 12:23:37 +02:00