Commit Graph

62 Commits

Author SHA1 Message Date
Jacek Migacz dd1ed1db23 Lowercase the domain names before PSL checks
Resolves: RHEL-17600
2023-12-09 18:06:41 +01:00
Jacek Migacz 1582dc453e Cap SFTP packet size sent
Resolves: RHEL-14697
2023-11-28 11:17:05 +01:00
Jacek Migacz 06c4d34bb1 Fix cookie injection with none file
Resolves: RHEL-12692
2023-11-24 10:28:40 +01:00
Jacek Migacz 0783247f07 Return error if hostname too long for remote resolve
Resolves: RHEL-11467
2023-10-10 18:35:37 +02:00
Jacek Migacz c20fcd3e87 When keyboard-interactive auth fails; try password
Resolves: RHEL-3625
2023-09-14 21:27:58 +02:00
Jacek Migacz bb4d7d8d9f Resolves: CVE-2023-28321 - fix host name wildcard checking 2023-06-27 19:42:23 +02:00
Jacek Migacz d0d9c1f19b Resolves: CVE-2023-28322 - unify the upload/method handling 2023-06-12 00:07:07 +02:00
Kamil Dudka 40387c061f Resolves: CVE-2023-27535 - adapt the fix for RHEL 9 curl
... where USE_SSH is not defined.  The problem with the backport was
detected by OpenScanHub:

https://cov01.lab.eng.brq2.redhat.com/covscanhub/task/279249//log/added.html
2023-04-12 16:52:10 +02:00
Kamil Dudka d35c512f12 Resolves: CVE-2023-27538 - fix SSH connection too eager reuse still 2023-03-24 15:47:56 +01:00
Kamil Dudka 9d1931d0ec Resolves: CVE-2023-27536 - fix GSS delegation too eager connection re-use 2023-03-24 15:44:26 +01:00
Kamil Dudka bd2517cc9b Resolves: CVE-2023-27535 - fix FTP too eager connection reuse 2023-03-24 15:40:12 +01:00
Kamil Dudka 2a890c9910 Resolves: CVE-2023-27534 - fix SFTP path ~ resolving discrepancy 2023-03-24 15:34:12 +01:00
Kamil Dudka 798eff6a99 Resolves: CVE-2023-27533 - fix TELNET option IAC injection 2023-03-24 15:26:51 +01:00
Kamil Dudka 27cd064020 Resolves: CVE-2023-23916 - fix HTTP multi-header compression denial of service 2023-02-16 13:38:22 +01:00
Kamil Dudka eab48830b3 Resolves: CVE-2022-43552 - smb/telnet: fix use-after-free when HTTP proxy denies tunnel 2022-12-21 16:11:04 +01:00
Kamil Dudka 09780ef69d Related: CVE-2022-32221 - temporarily disable tests 2034 2037 2041 on aarch64
They consistently fail on CentOS Koji for no apparent reason.  All the
tests first succeed while testing libcurl-minimal but they subsequently
fail while testing libcurl-full.  I suspect some failed cleanup issue
in the upstream test-suite which manifests on CentOS aarch64 builders
only.
2022-10-27 16:29:43 +02:00
Kamil Dudka f618f2c219 Resolves: CVE-2022-32221 - fix POST following PUT confusion 2022-10-27 10:14:52 +02:00
Kamil Dudka 641c248102 Resolves: CVE-2022-35252 - control code in cookie denial of service 2022-09-20 13:56:11 +02:00
Kamil Dudka 6333bbf495 Related: CVE-2022-32207 - fix build failure caused by openldap rebase
[...]
make[2]: Leaving directory '/builddir/build/BUILD/curl-7.76.1/build-full/lib'
../../lib/openldap.c:83:17: error: conflicting types for 'ldap_connect'; have 'CURLcode(struct Curl_easy *, _Bool *)'
   83 | static CURLcode ldap_connect(struct Curl_easy *data, bool *done);
      |                 ^~~~~~~~~~~~
In file included from ../../lib/openldap.c:39:
/usr/include/ldap.h:1555:1: note: previous declaration of 'ldap_connect' with type 'int(LDAP *)' {aka 'int(struct ldap *)'}
 1555 | ldap_connect( LDAP *ld );
      | ^~~~~~~~~~~~
2022-06-29 17:44:35 +02:00
Kamil Dudka 22475de7fb Resolves: CVE-2022-32207 - fix unpreserved file permissions 2022-06-29 15:47:31 +02:00
Kamil Dudka 2e18ec1da4 Resolves: CVE-2022-32206 - fix HTTP compression denial of service 2022-06-29 14:53:47 +02:00
Kamil Dudka 0d71fe9a40 Resolves: CVE-2022-32208 - fix FTP-KRB bad message verification 2022-06-29 14:53:14 +02:00
Kamil Dudka d613827bea Related: CVE-2022-27782 - make upstream tests work with openssh-8.7p1 2022-05-11 15:06:48 +02:00
Kamil Dudka 8c425de1b3 Resolves: CVE-2022-27782 - fix too eager reuse of TLS and SSH connections 2022-05-11 14:13:31 +02:00
Kamil Dudka 36d4ce9e14 Resolves: CVE-2022-27774 - fix leak of SRP credentials in redirects 2022-05-02 10:34:03 +02:00
Kamil Dudka 858e381746 Related: CVE-2022-27774 - add missing tests to Makefile 2022-04-29 14:47:02 +02:00
Kamil Dudka 8929aa4b81 Resolves: CVE-2022-27774 - fix credential leak on redirect 2022-04-28 13:35:41 +02:00
Kamil Dudka 0a149a1ed9 Resolves: CVE-2022-27776 - fix auth/cookie leak on redirect 2022-04-28 13:35:30 +02:00
Kamil Dudka ebff9aa2cc Resolves: CVE-2022-27775 - fix bad local IPv6 connection reuse 2022-04-28 13:35:10 +02:00
Kamil Dudka 7c695ff325 Resolves: CVE-2022-22576 - fix OAUTH2 bearer bypass in connection re-use 2022-04-28 13:34:45 +02:00
Kamil Dudka a3da9b9ac3 Related: #2005874 - re-disable HSTS in libcurl
... as an experimental feature
2021-10-26 17:35:49 +02:00
Kamil Dudka 64fed6be02 Related: #2005874 - run upstream tests for both curl-minimal and curl-full
As we made libcurl-minimal more minimal, it differs more from
libcurl-full and it should be tested separately.  On the other
hand, the test-suite for libcurl-minimal runs faster now because
more tests are skipped.
2021-10-06 13:44:09 +02:00
Kamil Dudka 91252b5be5 Resolves: #2005874 - disable more protocols and features in libcurl-minimal
... to limit vulnerability exposure in case there is a CVE in curl
in some of the rarer protocols
2021-10-06 13:42:01 +02:00
Kamil Dudka 6f12b4a106 Related: #2005874 - explicitly disable zstd while configuring curl
... in order to make local builds closer to what we get from Koji
2021-10-06 13:41:57 +02:00
Kamil Dudka b4895633ac Related: #2005874 - curl.spec: align the lists of configure options
... to make it easier to extend the lists
2021-10-06 13:41:44 +02:00
Kamil Dudka 18dc6a0508 Resolves: CVE-2021-22947 - fix STARTTLS protocol injection via MITM 2021-09-17 10:35:40 +02:00
Kamil Dudka 29681cbdd7 Resolves: CVE-2021-22946 - fix protocol downgrade required TLS bypass 2021-09-17 10:35:38 +02:00
Kamil Dudka f58185cd40 Resolves: CVE-2021-22945 - fix use-after-free and double-free in MQTT sending 2021-09-17 10:35:29 +02:00
Mohan Boddu e32e427920 Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-08-09 19:44:44 +00:00
Florian Weimer f2c10b31eb Rebuild to pick up OpenSSL 3.0 Beta ABI (#1984097)
Related: #1984097
2021-07-28 11:50:14 +02:00
Kamil Dudka a1aeccc458 Related: CVE-2021-22924 - make explicit dependency on openssl work
... with alpha/beta builds of openssl

Reported-by: Daniel Rusek
2021-07-23 17:37:28 +02:00
Kamil Dudka ad77edcfa4 Related: CVE-2021-22924 - bump release to pick gating.yaml
Ideally such commits and builds should not be needed.  The following
ticket asks for an extension of OSCI to avoid them in the future:

https://issues.redhat.com/browse/OSCI-2320 - unable to apply a new test configuration on an existing brew build
2021-07-23 15:56:43 +02:00
Kamil Dudka 62ea6c3a17 Resolves: CVE-2021-22925 - fix TELNET stack contents disclosure again 2021-07-22 09:30:56 +02:00
Kamil Dudka 422b232978 Resolves: CVE-2021-22924 - fix bad connection reuse due to flawed path name checks 2021-07-22 09:30:43 +02:00
Mohan Boddu d580cec333 - Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-06-15 20:29:00 +00:00
Kamil Dudka 05f59553df Resolves: #1967213 - build the curl tool without metalink support
Today curl upstream announced that they are going to completely remove
support for metalink from curl already in the next release of curl due
to a number of difficult to fix security issues:

    https://curl.se/mail/archive-2021-06/0006.html
    https://github.com/curl/curl/pull/7176
2021-06-03 08:18:46 +02:00
Kamil Dudka 469a44d0c1 Resolves: #1941925 - fix SIGSEGV upon disconnect of a ldaps:// transfer 2021-06-02 15:49:30 +02:00
Kamil Dudka bc006791a4 Resolves: CVE-2021-22901 - fix TLS session caching disaster 2021-05-26 13:10:45 +02:00
Kamil Dudka aa689a0f22 Resolves: CVE-2021-22898 - fix TELNET stack contents disclosure 2021-05-26 13:10:43 +02:00
Kamil Dudka 2461a58681 Resolves: #1938699 - http2: fix resource leaks detected by Coverity 2021-05-03 20:49:06 +02:00