Summary: A utility for getting files from remote servers (FTP, HTTP, and others)

Name: curl

Version: 7.61.1

Release: 18%{?dist}.1

License: MIT

Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz

# test320: update expected output for gnutls-3.6.4

Patch1:   0001-curl-7.61.1-test320-gnutls.patch

# update the documentation of --tlsv1.0 in curl(1) man page (#1620217)

Patch2:   0002-curl-7.61.1-tlsv1.0-man.patch

# enable TLS 1.3 post-handshake auth in OpenSSL (#1636900)

Patch3:   0003-curl-7.61.1-TLS-1.3-PHA.patch

# fix bad arethmetic when outputting warnings to stderr (CVE-2018-16842)

Patch4:   0004-curl-7.61.1-CVE-2018-16842.patch

# we need `git apply` to apply this patch

BuildRequires: git

# fix use-after-free in handle close (CVE-2018-16840)

Patch5:   0005-curl-7.61.1-CVE-2018-16840.patch

# SASL password overflow via integer overflow (CVE-2018-16839)

Patch6:   0006-curl-7.61.1-CVE-2018-16839.patch

# curl -J: do not append to the destination file (#1660827)

Patch7:   0007-curl-7.63.0-JO-preserve-local-file.patch

# xattr: strip credentials from any URL that is stored (CVE-2018-20483)

Patch8:   0008-curl-7.61.1-CVE-2018-20483.patch

# fix NTLM type-2 out-of-bounds buffer read (CVE-2018-16890)

Patch9:   0009-curl-7.61.1-CVE-2018-16890.patch

# fix NTLMv2 type-3 header stack buffer overflow (CVE-2019-3822)

Patch10:  0010-curl-7.61.1-CVE-2019-3822.patch

# fix SMTP end-of-response out-of-bounds read (CVE-2019-3823)

Patch11:  0011-curl-7.61.1-CVE-2019-3823.patch

# do not let libssh create a new socket for SCP/SFTP (#1669156)

Patch14:  0014-curl-7.61.1-libssh-socket.patch

# fix TFTP receive buffer overflow (CVE-2019-5436)

Patch17:  0017-curl-7.64.0-CVE-2019-5436.patch

# fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)

Patch18:  0018-curl-7.65.3-CVE-2019-5482.patch

# double free due to subsequent call of realloc() (CVE-2019-5481)

Patch19:  0019-curl-7.65.3-CVE-2019-5481.patch

# load built-in openssl engines (#1854369)

Patch20:  0020-curl-7.61.1-openssl-engines.patch

# avoid overwriting a local file with -J (CVE-2020-8177)

Patch21:  0021-curl-7.61.1-CVE-2020-8177.patch

# libcurl: wrong connect-only connection (CVE-2020-8231)

Patch22:  0022-curl-7.61.1-CVE-2020-8231.patch

# do not crash when HTTPS_PROXY and NO_PROXY are used together (#1873327)

Patch23:  0023-curl-7.61.1-no-https-proxy-crash.patch

# validate an ssl connection using an intermediate certificate (#1895355)

Patch24:  0024-curl-7.61.1-openssl-partial-chain.patch

# curl: trusting FTP PASV responses (CVE-2020-8284)

Patch25:  0025-curl-7.61.1-CVE-2020-8284.patch

# libcurl: FTP wildcard stack overflow (CVE-2020-8285)

Patch26:  0026-curl-7.61.1-CVE-2020-8285.patch

# curl: Inferior OCSP verification (CVE-2020-8286)

Patch27:  0027-curl-7.61.1-CVE-2020-8286.patch

# http: send payload when (proxy) authentication is done (#1918692)

Patch28:  0028-curl-7.61.1-http-auth-payload.patch

# fix bad connection reuse due to flawed path name checks (CVE-2021-22924)

Patch31:  0031-curl-7.61.1-CVE-2021-22924.patch

# patch making libcurl multilib ready

Patch101: 0101-curl-7.32.0-multilib.patch

# prevent configure script from discarding -g in CFLAGS (#496778)

Patch102: 0102-curl-7.36.0-debug.patch

# migrate tests/http_pipe.py to Python 3

Patch103: 0103-curl-7.59.0-python3.patch

# use localhost6 instead of ip6-localhost in the curl test-suite

Patch104: 0104-curl-7.19.7-localhost6.patch

# tests: do not hard-wire ports of test servers

Patch105: 0105-curl-7.61.1-test-ports.patch

Provides: curl-full = %{version}-%{release}

Provides: webclient

URL: https://curl.haxx.se/

BuildRequires: automake

BuildRequires: brotli-devel

BuildRequires: coreutils

BuildRequires: gcc

BuildRequires: groff

BuildRequires: krb5-devel

BuildRequires: libidn2-devel

BuildRequires: libnghttp2-devel

BuildRequires: libpsl-devel

BuildRequires: libssh-devel

BuildRequires: make

BuildRequires: openldap-devel

BuildRequires: openssh-clients

BuildRequires: openssh-server

BuildRequires: openssl-devel

BuildRequires: pkgconfig

BuildRequires: python3-devel

BuildRequires: sed

BuildRequires: stunnel

BuildRequires: zlib-devel

# needed to compress content of tool_hugehelp.c after changing curl.1 man page

BuildRequires: perl(IO::Compress::Gzip)

# gnutls-serv is used by the upstream test-suite

BuildRequires: gnutls-utils

# nghttpx (an HTTP/2 proxy) is used by the upstream test-suite

BuildRequires: nghttp2

# perl modules used in the test suite

BuildRequires: perl(Cwd)

BuildRequires: perl(Digest::MD5)

BuildRequires: perl(Exporter)

BuildRequires: perl(File::Basename)

BuildRequires: perl(File::Copy)

BuildRequires: perl(File::Spec)

BuildRequires: perl(IPC::Open2)

BuildRequires: perl(MIME::Base64)

BuildRequires: perl(strict)

BuildRequires: perl(Time::Local)

BuildRequires: perl(Time::HiRes)

BuildRequires: perl(warnings)

BuildRequires: perl(vars)

# The test-suite runs automatically through valgrind if valgrind is available

# on the system.  By not installing valgrind into mock's chroot, we disable

# this feature for production builds on architectures where valgrind is known

# to be less reliable, in order to avoid unnecessary build failures (see RHBZ

# #810992, #816175, and #886891).  Nevertheless developers are free to install

# valgrind manually to improve test coverage on any architecture.

%ifarch x86_64 %{ix86}

BuildRequires: valgrind

%endif

# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION

Requires: libcurl%{?_isa} >= %{version}-%{release}

# require at least the version of libpsl that we were built against,

# to ensure that we have the necessary symbols available (#1631804)

%global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0)

# require at least the version of libssh that we were built against,

# to ensure that we have the necessary symbols available (#525002, #642796)

%global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0)

# require at least the version of openssl-libs that we were built against,

# to ensure that we have the necessary symbols available (#1462184, #1462211)

%global openssl_version %(pkg-config --modversion openssl 2>/dev/null || echo 0)

%description

curl is a command line tool for transferring data with URL syntax, supporting

FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,

SMTP, POP3 and RTSP.  curl supports SSL certificates, HTTP POST, HTTP PUT, FTP

uploading, HTTP form based upload, proxies, cookies, user+password

authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer

resume, proxy tunneling and a busload of other useful tricks. 

%package -n libcurl

Summary: A library for getting files from web servers

Requires: libpsl%{?_isa} >= %{libpsl_version}

Requires: libssh%{?_isa} >= %{libssh_version}

Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}

Provides: libcurl-full = %{version}-%{release}

Provides: libcurl-full%{?_isa} = %{version}-%{release}

%description -n libcurl

libcurl is a free and easy-to-use client-side URL transfer library, supporting

FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,

SMTP, POP3 and RTSP. libcurl supports SSL certificates, HTTP POST, HTTP PUT,

FTP uploading, HTTP form based upload, proxies, cookies, user+password

authentication (Basic, Digest, NTLM, Negotiate, Kerberos4), file transfer

resume, http proxy tunneling and more.

%package -n libcurl-devel

Summary: Files needed for building applications with libcurl

Requires: libcurl%{?_isa} = %{version}-%{release}

Provides: curl-devel = %{version}-%{release}

Provides: curl-devel%{?_isa} = %{version}-%{release}

Obsoletes: curl-devel < %{version}-%{release}

%description -n libcurl-devel

The libcurl-devel package includes header files and libraries necessary for

developing programs which use the libcurl library. It contains the API

documentation of the library, too.

%package -n curl-minimal

Summary: Conservatively configured build of curl for minimal installations

Provides: curl = %{version}-%{release}

Conflicts: curl

RemovePathPostfixes: .minimal

# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION

Requires: libcurl%{?_isa} >= %{version}-%{release}

%description -n curl-minimal

This is a replacement of the 'curl' package for minimal installations.  It

comes with a limited set of features compared to the 'curl' package.  On the

other hand, the package is smaller and requires fewer run-time dependencies to

be installed.

%package -n libcurl-minimal

Summary: Conservatively configured build of libcurl for minimal installations

Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}

Provides: libcurl = %{version}-%{release}

Provides: libcurl%{?_isa} = %{version}-%{release}

Conflicts: libcurl%{?_isa}

RemovePathPostfixes: .minimal

# needed for RemovePathPostfixes to work with shared libraries

%undefine __brp_ldconfig

%description -n libcurl-minimal

This is a replacement of the 'libcurl' package for minimal installations.  It

comes with a limited set of features compared to the 'libcurl' package.  On the

other hand, the package is smaller and requires fewer run-time dependencies to

be installed.

%prep

%setup -q

# upstream patches

%patch1 -p1

%patch2 -p1

%patch3 -p1

git init

git apply %{PATCH4}

%patch5 -p1

%patch6 -p1

%patch7 -p1

%patch8 -p1

%patch9 -p1

%patch10 -p1

%patch11 -p1

%patch14 -p1

# Fedora patches

%patch101 -p1

%patch102 -p1

%patch103 -p1

%patch104 -p1

# use different port range for 32bit and 64bit builds, thus make it possible

# to run both the builds in parallel on the same machine

%patch105 -p1

sed -e 's|%%HTTPPORT|%{?__isa_bits}90|g' -i tests/data/test1448

# upstream patches

%patch17 -p1

%patch18 -p1

%patch19 -p1

%patch20 -p1

%patch21 -p1

%patch22 -p1

%patch23 -p1

%patch24 -p1

%patch25 -p1

%patch26 -p1

%patch27 -p1

%patch28 -p1

%patch31 -p1

# make tests/*.py use Python 3

sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py

# regenerate Makefile.in files

aclocal -I m4

automake

# disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed

# with errno 98: Address already in use' in Koji environment), and test 1801

# <https://github.com/bagder/curl/commit/21e82bd6#commitcomment-12226582>

# and test 1900, which is flaky and covers a deprecated feature of libcurl

# <https://github.com/curl/curl/pull/2705>

printf "1112\n1455\n1801\n1900\n" >> tests/data/DISABLED

# disable test 1319 on ppc64 (server times out)

%ifarch ppc64

echo "1319" >> tests/data/DISABLED

%endif

# temporarily disable test 582 on s390x (client times out)

%ifarch s390x

echo "582" >> tests/data/DISABLED

%endif

# adapt test 323 for updated OpenSSL

sed -e 's/^35$/35,52/' -i tests/data/test323

%build

mkdir build-{full,minimal}

export common_configure_opts=" \

    --cache-file=../config.cache \

    --disable-static \

    --enable-symbol-hiding \

    --enable-ipv6 \

    --enable-threaded-resolver \

    --without-libmetalink \

    --with-gssapi \

    --with-nghttp2 \

    --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt"

%global _configure ../configure

# configure minimal build

(

    cd build-minimal

    %configure $common_configure_opts \

        --disable-ldap \

        --disable-ldaps \

        --disable-manual \

        --without-brotli \

        --without-libidn2 \

        --without-libpsl \

        --without-libssh

)

# configure full build

(

    cd build-full

    %configure $common_configure_opts \

        --enable-ldap \

        --enable-ldaps \

        --enable-manual \

        --with-brotli \

        --with-libidn2 \

        --with-libpsl \

        --with-libssh

)

# avoid using rpath

sed -e 's/^runpath_var=.*/runpath_var=/' \

    -e 's/^hardcode_libdir_flag_spec=".*"$/hardcode_libdir_flag_spec=""/' \

    -i build-{full,minimal}/libtool

make %{?_smp_mflags} V=1 -C build-minimal

make %{?_smp_mflags} V=1 -C build-full

%check

# we have to override LD_LIBRARY_PATH because we eliminated rpath

LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH"

export LD_LIBRARY_PATH

# compile upstream test-cases

cd build-full/tests

make %{?_smp_mflags} V=1

# relax crypto policy for the test-suite to make it pass again (#1611712)

export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX

export OPENSSL_CONF=

# run the upstream test-suite

# use different port range for 32bit and 64bit builds, thus make it possible

# to run both the builds in parallel on the same machine

export srcdir=../../tests

perl -I${srcdir} ${srcdir}/runtests.pl -b%{?__isa_bits}90 -a -p -v '!flaky'

%install

# install and rename the library that will be packaged as libcurl-minimal

make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-minimal/lib

rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.{la,so}

for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do

    mv -v $i $i.minimal

done

# install and rename the executable that will be packaged as curl-minimal

make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-minimal/src

mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal}

# install libcurl.m4

install -d $RPM_BUILD_ROOT%{_datadir}/aclocal

install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal

# install the executable and library that will be packaged as curl and libcurl

cd build-full

make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install

# install zsh completion for curl

# (we have to override LD_LIBRARY_PATH because we eliminated rpath)

LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \

    make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C scripts

rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la

%ldconfig_scriptlets -n libcurl

%ldconfig_scriptlets -n libcurl-minimal

%files

%doc CHANGES README*

%doc docs/BUGS docs/FAQ docs/FEATURES

%doc docs/MANUAL docs/RESOURCES

%doc docs/TheArtOfHttpScripting docs/TODO

%{_bindir}/curl

%{_mandir}/man1/curl.1*

%{_datadir}/zsh/site-functions

%files -n libcurl

%license COPYING

%{_libdir}/libcurl.so.4

%{_libdir}/libcurl.so.4.[0-9].[0-9]

%files -n libcurl-devel

%doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md

%doc docs/CONTRIBUTE.md docs/libcurl/ABI

%{_bindir}/curl-config*

%{_includedir}/curl

%{_libdir}/*.so

%{_libdir}/pkgconfig/*.pc

%{_mandir}/man1/curl-config.1*

%{_mandir}/man3/*

%{_datadir}/aclocal/libcurl.m4

%files -n curl-minimal

%{_bindir}/curl.minimal

%{_mandir}/man1/curl.1*

%files -n libcurl-minimal

%license COPYING

%{_libdir}/libcurl.so.4.minimal

%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

%changelog

* Thu Aug 05 2021 Kamil Dudka <kdudka@redhat.com> - 7.61.1-18.el8_4.1

- fix bad connection reuse due to flawed path name checks (CVE-2021-22924)

- disable metalink support to fix the following vulnerabilities

    CVE-2021-22923 - metalink download sends credentials

    CVE-2021-22922 - wrong content via metalink not discarded

* Thu Jan 28 2021 Kamil Dudka <kdudka@redhat.com> - 7.61.1-18

- http: send payload when (proxy) authentication is done (#1918692)

- curl: Inferior OCSP verification (CVE-2020-8286)

- libcurl: FTP wildcard stack overflow (CVE-2020-8285)

- curl: trusting FTP PASV responses (CVE-2020-8284)

* Thu Nov 12 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-17

- validate an ssl connection using an intermediate certificate (#1895355)

* Fri Nov 06 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-16

- fix multiarch conflicts in libcurl-minimal (#1895391)

* Tue Nov 03 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-15

- do not crash when HTTPS_PROXY and NO_PROXY are used together (#1873327)

- libcurl: wrong connect-only connection (CVE-2020-8231)

* Tue Jul 28 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-14

- avoid overwriting a local file with -J (CVE-2020-8177)

* Wed Jul 15 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-13

- load built-in openssl engines (#1854369)

* Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-12

- double free due to subsequent call of realloc() (CVE-2019-5481)

- fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)

- fix TFTP receive buffer overflow (CVE-2019-5436)

* Mon May 13 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-11

- rebuild with updated annobin to prevent Execshield RPMDiff check from failing

* Fri May 10 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-10

- fix SMTP end-of-response out-of-bounds read (CVE-2019-3823)

- fix NTLMv2 type-3 header stack buffer overflow (CVE-2019-3822)

- fix NTLM type-2 out-of-bounds buffer read (CVE-2018-16890)

- xattr: strip credentials from any URL that is stored (CVE-2018-20483)

* Mon Feb 18 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-9

- do not let libssh create a new socket for SCP/SFTP (#1669156)

* Fri Jan 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.61.1-8

- curl -J: do not append to the destination file (#1660827)

* Thu Nov 15 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-7

- make the patch for CVE-2018-16842 apply properly (CVE-2018-16842)

* Mon Nov 05 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-6

- SASL password overflow via integer overflow (CVE-2018-16839)

- fix use-after-free in handle close (CVE-2018-16840)

- fix bad arethmetic when outputting warnings to stderr (CVE-2018-16842)

* Thu Oct 11 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-5

- enable TLS 1.3 post-handshake auth in OpenSSL (#1636900)

* Mon Oct 08 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-4

- make the built-in manual compressed again (#1620217)

* Mon Oct 08 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-3

- update the documentation of --tlsv1.0 in curl(1) man page (#1620217)

* Thu Oct 04 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-2

- enforce versioned libpsl dependency for libcurl (#1631804)

* Thu Oct 04 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-1

- test320: update expected output for gnutls-3.6.4

- new upstream release (#1625677)

* Thu Aug 09 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-5

- ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544)

* Tue Aug 07 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-4

- relax crypto policy for the test-suite to make it pass again (#1611712)

* Tue Jul 31 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-3

- disable flaky test 1900, which covers deprecated HTTP pipelining

- adapt test 323 for updated OpenSSL

* Tue Jul 17 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-2

- rebuild against against brotli-1.0.5

* Wed Jul 11 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-1

- new upstream release, which fixes the following vulnerability

    CVE-2018-0500 - SMTP send heap buffer overflow

* Tue Jul 10 2018 Kamil Dudka <kdudka@redhat.com> - 7.60.0-3

- enable support for brotli compression in libcurl-full

* Wed Jul 04 2018 Kamil Dudka <kdudka@redhat.com> - 7.60.0-2

- do not hard-wire path of the Python 3 interpreter

* Wed May 16 2018 Kamil Dudka <kdudka@redhat.com> - 7.60.0-1

- new upstream release, which fixes the following vulnerabilities

    CVE-2018-1000300 - FTP shutdown response buffer overflow

    CVE-2018-1000301 - RTSP bad headers buffer over-read

* Thu Mar 15 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-3

- make the test-suite use Python 3

* Wed Mar 14 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-2

- ftp: fix typo in recursive callback detection for seeking

* Wed Mar 14 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-1

- new upstream release, which fixes the following vulnerabilities

    CVE-2018-1000120 - FTP path trickery leads to NIL byte out of bounds write

    CVE-2018-1000121 - LDAP NULL pointer dereference

    CVE-2018-1000122 - RTSP RTP buffer over-read

* Mon Mar 12 2018 Kamil Dudka <kdudka@redhat.com> - 7.58.0-8

- http2: mark the connection for close on GOAWAY

* Mon Feb 19 2018 Paul Howarth <paul@city-fan.org> - 7.58.0-7

- Add explicity-used build requirements

- Fix libcurl soname version number in %%files list to avoid accidental soname

  bumps

* Thu Feb 15 2018 Paul Howarth <paul@city-fan.org> - 7.58.0-6

- switch to %%ldconfig_scriptlets

- drop legacy BuildRoot: and Group: tags

- enforce versioned libssh dependency for libcurl

* Tue Feb 13 2018 Kamil Dudka <kdudka@redhat.com> - 7.58.0-5

- drop temporary workaround for #1540549

* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 7.58.0-4

- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Wed Jan 31 2018 Kamil Dudka <kdudka@redhat.com> - 7.58.0-3

- temporarily work around internal compiler error on x86_64 (#1540549)

- disable brp-ldconfig to make RemovePathPostfixes work with shared libs again

* Wed Jan 24 2018 Andreas Schneider <asn@redhat.com> - 7.58.0-2

- use libssh (instead of libssh2) to implement SCP/SFTP in libcurl (#1531483)

* Wed Jan 24 2018 Kamil Dudka <kdudka@redhat.com> - 7.58.0-1

- new upstream release, which fixes the following vulnerabilities

    CVE-2018-1000005 - curl: HTTP/2 trailer out-of-bounds read

    CVE-2018-1000007 - curl: HTTP authentication leak in redirects

* Wed Nov 29 2017 Kamil Dudka <kdudka@redhat.com> - 7.57.0-1

- new upstream release, which fixes the following vulnerabilities

    CVE-2017-8816 - curl: NTLM buffer overflow via integer overflow

    CVE-2017-8817 - curl: FTP wildcard out of bounds read

    CVE-2017-8818 - curl: SSL out of buffer access

* Mon Oct 23 2017 Kamil Dudka <kdudka@redhat.com> - 7.56.1-1

- new upstream release (fixes CVE-2017-1000257)

* Wed Oct 04 2017 Kamil Dudka <kdudka@redhat.com> - 7.56.0-1

- new upstream release (fixes CVE-2017-1000254)

* Mon Aug 28 2017 Kamil Dudka <kdudka@redhat.com> - 7.55.1-5

- apply the patch for the previous commit and fix its name (#1485702)

* Mon Aug 28 2017 Bastien Nocera <bnocera@redhat.com> - 7.55.1-4

- Fix NetworkManager connectivity check not working (#1485702)

* Tue Aug 22 2017 Kamil Dudka <kdudka@redhat.com> 7.55.1-3

- utilize system wide crypto policies for TLS (#1483972)

* Tue Aug 15 2017 Kamil Dudka <kdudka@redhat.com> 7.55.1-2

- make zsh completion work again

* Mon Aug 14 2017 Kamil Dudka <kdudka@redhat.com> 7.55.1-1

- new upstream release

* Wed Aug 09 2017 Kamil Dudka <kdudka@redhat.com> 7.55.0-1

- drop multilib fix for libcurl header files no longer needed

- new upstream release, which fixes the following vulnerabilities

    CVE-2017-1000099 - FILE buffer read out of bounds

    CVE-2017-1000100 - TFTP sends more than buffer size

    CVE-2017-1000101 - URL globbing out of bounds read

* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7.54.1-8

- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

* Fri Jul 28 2017 Florian Weimer <fweimer@redhat.com> - 7.54.1-7

- Rebuild with fixed binutils (#1475636)

* Fri Jul 28 2017 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 7.54.1-6

- Enable separate debuginfo back

* Thu Jul 27 2017 Kamil Dudka <kdudka@redhat.com> 7.54.1-5

- rebuild to fix broken linkage of cmake on ppc64le

* Wed Jul 26 2017 Kamil Dudka <kdudka@redhat.com> 7.54.1-4

- avoid build failure caused broken RPM code that produces debuginfo packages

* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7.54.1-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Mon Jun 19 2017 Kamil Dudka <kdudka@redhat.com> 7.54.1-2

- enforce versioned openssl-libs dependency for libcurl (#1462184)

* Wed Jun 14 2017 Kamil Dudka <kdudka@redhat.com> 7.54.1-1

- new upstream release

* Tue May 16 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-5

- add *-full provides for curl and libcurl to make them explicitly installable

* Thu May 04 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-4

- make curl-minimal require a new enough version of libcurl

* Thu Apr 27 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-3

- switch the TLS backend back to OpenSSL (#1445153)

* Tue Apr 25 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-2

- nss: use libnssckbi.so as the default source of trust

- nss: do not leak PKCS #11 slot while loading a key (#1444860)

* Thu Apr 20 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-1

- new upstream release (fixes CVE-2017-7468)

* Thu Apr 13 2017 Paul Howarth <paul@city-fan.org> 7.53.1-7

- add %%post and %%postun scriptlets for libcurl-minimal

- libcurl-minimal provides both libcurl and libcurl%%{?_isa}

- remove some legacy spec file cruft

* Wed Apr 12 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-6

- provide (lib)curl-minimal subpackages with lightweight build of (lib)curl

* Mon Apr 10 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-5

- disable upstream test 2033 (flaky test for HTTP/1 pipelining)

* Fri Apr 07 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-4

- fix out of bounds read in curl --write-out (CVE-2017-7407)

* Mon Mar 06 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-3

- make the dependency on nss-pem arch-specific (#1428550)

* Thu Mar 02 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-2

- re-enable valgrind on ix86 because sqlite is fixed (#1428286)

* Fri Feb 24 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-1

- new upstream release

* Wed Feb 22 2017 Kamil Dudka <kdudka@redhat.com> 7.53.0-1

- do not use valgrind on ix86 until sqlite is rebuilt by patched GCC (#1423434)

- new upstream release (fixes CVE-2017-2629)

* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7.52.1-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Fri Dec 23 2016 Kamil Dudka <kdudka@redhat.com> 7.52.1-1

- new upstream release (fixes CVE-2016-9586)

* Mon Nov 21 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-3

- map CURL_SSLVERSION_DEFAULT to NSS default, add support for TLS 1.3 (#1396719)

* Tue Nov 15 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-2

- stricter host name checking for file:// URLs

- ssh: check md5 fingerprints case insensitively

* Wed Nov 02 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-1

- temporarily disable failing libidn2 test-cases

- new upstream release, which fixes the following vulnerabilities

    CVE-2016-8615 - Cookie injection for other servers

    CVE-2016-8616 - Case insensitive password comparison

    CVE-2016-8617 - Out-of-bounds write via unchecked multiplication

    CVE-2016-8618 - Double-free in curl_maprintf

    CVE-2016-8619 - Double-free in krb5 code

    CVE-2016-8620 - Glob parser write/read out of bounds

    CVE-2016-8621 - curl_getdate out-of-bounds read

    CVE-2016-8622 - URL unescape heap overflow via integer truncation

    CVE-2016-8623 - Use-after-free via shared cookies

    CVE-2016-8624 - Invalid URL parsing with '#'

    CVE-2016-8625 - IDNA 2003 makes curl use wrong host

* Thu Oct 20 2016 Kamil Dudka <kdudka@redhat.com> 7.50.3-3

- drop 0103-curl-7.50.0-stunnel.patch no longer needed