Summary: A utility for getting files from remote servers (FTP, HTTP, and others)

Name: curl

Version: 7.29.0

Release: 59%{?dist}.2

License: MIT

Group: Applications/Internet

Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma

Source2: curlbuild.h

# fix a SIGSEGV when closing an unused multi handle (#914411)

Patch1: 0001-curl-7.29.0-da3fc1ee.patch

# switch SSL socket into non-blocking mode after handshake

Patch2: 0002-curl-7.29.0-9d0af301.patch

# do not ignore poll() failures other than EINTR

Patch3: 0003-curl-7.29.0-491e026c.patch

# curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag

Patch4: 0004-curl-7.29.0-57ccdfa8.patch

# fix cookie tailmatching to prevent cross-domain leakage (CVE-2013-1944)

Patch5: 0005-curl-7.29.0-2eb8dcf2.patch

# show proper host name on failed resolve (#957173)

Patch6: 0006-curl-7.29.0-25e577b3.patch

# prevent an artificial timeout event due to stale speed-check data (#906031)

Patch7: 0007-curl-7.29.0-b37b5233.patch

# fix heap-based buffer overflow in curl_easy_unescape() (CVE-2013-2174)

Patch8: 0008-curl-7.29.0-192c4f78.patch

# mention all option listed in 'curl --help' in curl.1 man page

Patch9: 0009-curl-7.29.0-3a0e931f.patch

# FTP: when EPSV gets a 229 but fails to connect, retry with PASV (#1002815)

Patch10: 0010-curl-7.29.0-7cc00d9a.patch

# avoid a busy-loop in curl_easy_perform() 

Patch11: 0011-curl-7.29.0-0feeab78.patch

# avoid delay if FTP is aborted in CURLOPT_HEADERFUNCTION callback (#1005686)

Patch12: 0012-curl-7.29.0-c639d725.patch

# allow to use ECC ciphers if NSS implements them (#1058776)

Patch13: 0013-curl-7.29.0-665c160f.patch

# re-use of wrong HTTP NTLM connection in libcurl (CVE-2014-0015)

Patch14: 0014-curl-7.29.0-8ae35102.patch

# allow to use TLS > 1.0 if built against recent NSS (#1036789)

Patch15: 0015-curl-7.29.0-7fc9325a.patch

# use proxy name in error message when proxy is used (#1042831)

Patch16: 0016-curl-7.29.0-1cf71bd7.patch

# refresh expired cookie in test172 from upstream test-suite (#1063693)

Patch17: 0017-curl-7.29.0-ffb8a21d.patch

# fix documentation of curl's options --tlsv1.[0-2] (#1066364)

Patch18: 0018-curl-7.29.0-03c28820.patch

# fix connection re-use when using different log-in credentials (CVE-2014-0138)

Patch19: 0019-curl-7.29.0-517b06d6.patch

# eliminate unnecessary delay when resolving host from /etc/hosts (#1130239)

Patch20: 0020-curl-7.29.0-d529f388.patch

# allow to enable/disable new AES cipher-suites (#1066065)

Patch21: 0021-curl-7.29.0-67061e3f.patch

# call PR_Cleanup() on curl tool exit if NSPR is used (#1071254)

Patch22: 0022-curl-7.29.0-24c3cdce.patch

# implement non-blocking TLS handshake (#1091429)

Patch23: 0023-curl-7.29.0-8868a226.patch

# fix limited connection re-use for unencrypted HTTP (#1101092)

Patch24: 0024-curl-7.29.0-68f0166a.patch

# disable libcurl-level downgrade to SSLv3 (#1154060)

Patch25: 0025-curl-7.29.0-3f430c9c.patch

# include response headers added by proxy in CURLINFO_HEADER_SIZE (#1161182)

Patch26: 0026-curl-7.29.0-bc6037ed.patch

# ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth (#1166264)

Patch27: 0027-curl-7.29.0-63a0bd42.patch

# use only full matches for hosts used as IP address in cookies (CVE-2014-3613)

Patch28: 0028-curl-7.29.0-CVE-2014-3613.patch

# fix handling of CURLOPT_COPYPOSTFIELDS in curl_easy_duphandle (CVE-2014-3707)

Patch29: 0029-curl-7.29.0-CVE-2014-3707.patch

# reject CRLFs in URLs passed to proxy (CVE-2014-8150)

Patch30: 0030-curl-7.29.0-CVE-2014-8150.patch

# require credentials to match for NTLM re-use (CVE-2015-3143)

Patch31: 0031-curl-7.29.0-CVE-2015-3143.patch

# close Negotiate connections when done (CVE-2015-3148)

Patch32: 0032-curl-7.29.0-CVE-2015-3148.patch

# improve handling of timeouts and blocking direction to speed up FTP (#1218272)

Patch33: 0033-curl-7.29.0-29bf0598.patch

# prevent test46 from failing due to expired cookie (#1258834)

Patch34: 0034-curl-7.29.0-002d58f1.patch

# improve parsing of URL-encoded user name and password (#1260178)

Patch35: 0035-curl-7.29.0-2f1a0bc0.patch

# implement 'curl --unix-socket' and CURLOPT_UNIX_SOCKET_PATH (#1263318)

Patch36: 0036-curl-7.29.0-c8644d1f.patch

# SSH: do not require public key file for user authentication (#1275769)

Patch37: 0037-curl-7.29.0-fa7d04fe.patch

# prevent NSS from incorrectly re-using a session (#1269855)

Patch38: 0038-curl-7.29.0-958d2ffb.patch

# curl.1: --disable-{eprt,epsv} are ignored for IPv6 hosts (#1305974)

Patch39: 0039-curl-7.29.0-4ef6b2d6.patch

# prevent curl_multi_wait() from missing an event (#1347904)

Patch40: 0040-curl-7.29.0-513e587c.patch

# configure: improve detection of GCC's -fvisibility= flag

Patch41: 0041-curl-7.29.0-b2dcf034.patch

# fix TLS session resumption client cert bypass (CVE-2016-5419)

Patch42: 0042-curl-7.29.0-CVE-2016-5419.patch

# fix re-using connections with wrong client cert (CVE-2016-5420)

Patch43: 0043-curl-7.29.0-CVE-2016-5420.patch

# reject negative string lengths in curl_easy_[un]escape() (CVE-2016-7167)

Patch44:  0044-curl-7.29.0-CVE-2016-7167.patch

# curl -E: allow to escape ':' in cert nickname (#1376062)

Patch45:  0045-curl-7.29.0-865d4138.patch

# make libcurl recognize chacha20-poly1305 and SHA384 cipher-suites (#1374740)

Patch46:  0046-curl-7.29.0-049aa925.patch

# handle cookies with numerical IPv6 address (#1341503)

Patch47:  0047-curl-7.29.0-85b9dc80.patch

# fix tight loop in non-blocking TLS handhsake over proxy (#1388162)

Patch48:  0048-curl-7.29.0-eb84412b.patch

# make FTPS work with --proxytunnel (#1420327)

Patch49:  0049-curl-7.29.0-8fa54098.patch

# work around race condition in PK11_FindSlotByName() in NSS (#1404815)

Patch50:  0050-curl-7.29.0-3a5d5de9.patch

# nss: fix a possible use-after-free in SelectClientCert() (#1473158)

Patch51:  0051-curl-7.29.0-42a4cd4c.patch

# nss: do not leak PKCS #11 slot while loading a key (#1444860)

Patch52:  0052-curl-7.29.0-c8ea86f3.patch

# nss: fix a memory leak when CURLOPT_CRLFILE is used (#1427883)

Patch53:  0053-curl-7.29.0-52cd5ac2.patch

# curl --socks5-{basic,gssapi}: control socks5 auth (#1409208)

Patch54:  0054-curl-7.29.0-ce2c3ebd.patch

# fix buffer overflow while processing IMAP FETCH response (CVE-2017-1000257)

Patch55:  0055-curl-7.29.0-CVE-2017-1000257.patch

# reset authentication state when HTTP transfer is done (#1511523)

Patch56:  0056-curl-7.29.0-0afbcfd8.patch

# make NSS deallocate PKCS #11 objects early enough (#1510247)

Patch57:  0057-curl-7.29.0-nss-obj-leak.patch

# update certificates in the test-suite because they expire soon (#1572723)

Patch58:  0058-curl-7.29.0-test-certs.patch

# doc: --tlsauthtype works only if built with TLS-SRP support (#1542256)

Patch59:  0059-curl-7.29.0-tlsauthtype-doc.patch

# http: prevent custom Authorization headers in redirects (CVE-2018-1000007)

Patch60:  0060-curl-7.29.0-CVE-2018-1000007.patch

# fix RTSP RTP buffer over-read (CVE-2018-1000122)

Patch61:  0061-curl-7.29.0-CVE-2018-1000122.patch

# fix LDAP NULL pointer dereference (CVE-2018-1000121)

Patch62:  0062-curl-7.29.0-CVE-2018-1000121.patch

# fix FTP path trickery leads to NIL byte out of bounds write (CVE-2018-1000120)

Patch63:  0063-curl-7.29.0-CVE-2018-1000120.patch

# fix RTSP bad headers buffer over-read (CVE-2018-1000301)

Patch64:  0064-curl-7.29.0-CVE-2018-1000301.patch

# make curl --speed-limit work with TFTP (#1584750)

Patch65:  0065-curl-7.29.0-tftp-speed-limit.patch

# backport options to force TLS 1.3 in curl and libcurl (#1672639)

Patch66:  0066-curl-7.29.0-tls13-opt.patch

# fix bad arithmetic when outputting warnings to stderr (CVE-2018-16842)

Patch67:  0067-curl-7.29.0-CVE-2018-16842.patch

# fix NTLM password overflow via integer overflow (CVE-2018-14618)

Patch68:  0068-curl-7.29.0-CVE-2018-14618.patch

# prevent curl --rate-limit from hanging on file URLs (#1281969)

Patch69:  0069-curl-7.29.0-file-limit-rate.patch

# fix TFTP receive buffer overflow (CVE-2019-5436)

Patch70:  0070-curl-7.29.0-CVE-2019-5436.patch

# fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)

Patch71:  0071-curl-7.29.0-CVE-2019-5482.patch

# fix auth failure with duplicated WWW-Authenticate header (#1754736)

Patch72:  0072-curl-7.29.0-dup-auth-header.patch

# allow curl to POST from a char device (#1769307)

Patch73:  0073-curl-7.29.0-post-cdev.patch

# http: free protocol-specific struct in setup_connection callback (#1836773)

Patch74:  0074-curl-7.29.0-http-setup_connection.patch

# avoid overwriting a local file with -J (CVE-2020-8177)

Patch75:  0075-curl-7.29.0-CVE-2020-8177.patch

# fix HTTP Proxy deny use after free (CVE-2022-43552)

Patch76:  0076-curl-7.29.0-HTTP-proxy-deny-use-after-free.patch

# rebuild certs with 2048-bit RSA keys

Patch77:  0077-curl-7.29.0-rebuilt-certs.patch

# we need `git apply` to apply this patch

BuildRequires: git

# patch making libcurl multilib ready

Patch101: 0101-curl-7.29.0-multilib.patch

# prevent configure script from discarding -g in CFLAGS (#496778)

Patch102: 0102-curl-7.29.0-debug.patch

# use the default min/max TLS version provided by NSS (#1170339)

Patch103: 0103-curl-7.29.0-default-tls-version.patch

# use localhost6 instead of ip6-localhost in the curl test-suite

Patch104: 0104-curl-7.19.7-localhost6.patch

# disable valgrind for certain test-cases (libssh2 problem)

Patch106: 0106-curl-7.21.0-libssh2-valgrind.patch

# http://thread.gmane.org/gmane.comp.web.curl.library/40551/focus=40561

Patch105: 0105-curl-7.32.0-scp-upload.patch

# work around valgrind bug (#678518)

Patch107: 0107-curl-7.21.4-libidn-valgrind.patch

# Fix character encoding of docs, which are of mixed encoding originally so

# a simple iconv can't fix them

Patch108: 0108-curl-7.29.0-utf8.patch

Provides: webclient

URL: http://curl.haxx.se/

BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)

BuildRequires: automake

BuildRequires: groff

BuildRequires: krb5-devel

BuildRequires: libidn-devel

BuildRequires: libssh2-devel

BuildRequires: nss-devel

BuildRequires: openldap-devel

BuildRequires: openssh-clients

BuildRequires: openssh-server

BuildRequires: pkgconfig

BuildRequires: stunnel

BuildRequires: zlib-devel

# perl modules used in the test suite

BuildRequires: perl(Cwd)

BuildRequires: perl(Digest::MD5)

BuildRequires: perl(Exporter)

BuildRequires: perl(File::Basename)

BuildRequires: perl(File::Copy)

BuildRequires: perl(File::Spec)

BuildRequires: perl(IPC::Open2)

BuildRequires: perl(MIME::Base64)

BuildRequires: perl(strict)

BuildRequires: perl(Time::Local)

BuildRequires: perl(Time::HiRes)

BuildRequires: perl(warnings)

BuildRequires: perl(vars)

# require valgrind to boost test coverage on i386 and x86_64

%ifarch %{ix86} x86_64

BuildRequires: valgrind

%endif

Requires: libcurl = %{version}-%{release}

# require at least the version of libssh2 that we were built against,

# to ensure that we have the necessary symbols available (#525002, #642796)

%global libssh2_version %(pkg-config --modversion libssh2 2>/dev/null || echo 0)

%description

curl is a command line tool for transferring data with URL syntax, supporting

FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,

SMTP, POP3 and RTSP.  curl supports SSL certificates, HTTP POST, HTTP PUT, FTP

uploading, HTTP form based upload, proxies, cookies, user+password

authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer

resume, proxy tunneling and a busload of other useful tricks. 

%package -n libcurl

Summary: A library for getting files from web servers

Group: Development/Libraries

Requires: libssh2%{?_isa} >= %{libssh2_version}

# require a new enough version of nss-pem to avoid regression in yum (#1610998)

Requires: nss-pem%{?_isa} >= 1.0.3-5

%description -n libcurl

libcurl is a free and easy-to-use client-side URL transfer library, supporting

FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,

SMTP, POP3 and RTSP. libcurl supports SSL certificates, HTTP POST, HTTP PUT,

FTP uploading, HTTP form based upload, proxies, cookies, user+password

authentication (Basic, Digest, NTLM, Negotiate, Kerberos4), file transfer

resume, http proxy tunneling and more.

%package -n libcurl-devel

Summary: Files needed for building applications with libcurl

Group: Development/Libraries

Requires: libcurl = %{version}-%{release}

# From Fedora 14, %%{_datadir}/aclocal is included in the filesystem package

%if 0%{?fedora} < 14

Requires: %{_datadir}/aclocal

%endif

# From Fedora 11, RHEL-6, pkgconfig dependency is auto-detected

%if 0%{?fedora} < 11 && 0%{?rhel} < 6

Requires: pkgconfig

%endif

Provides: curl-devel = %{version}-%{release}

Obsoletes: curl-devel < %{version}-%{release}

%description -n libcurl-devel

The libcurl-devel package includes header files and libraries necessary for

developing programs which use the libcurl library. It contains the API

documentation of the library, too.

%prep

%setup -q

# upstream patches

%patch1 -p1

%patch2 -p1

%patch3 -p1

%patch4 -p1

%patch5 -p1

%patch6 -p1

%patch7 -p1

%patch8 -p1

%patch9 -p1

%patch10 -p1

%patch11 -p1

%patch12 -p1

%patch13 -p1

%patch14 -p1

%patch15 -p1

%patch16 -p1

%patch17 -p1

%patch18 -p1

%patch105 -p1

%patch19 -p1

%patch20 -p1

%patch21 -p1

%patch22 -p1

%patch23 -p1

%patch24 -p1

%patch25 -p1

%patch26 -p1

%patch27 -p1

%patch28 -p1

%patch29 -p1

%patch30 -p1

%patch31 -p1

%patch32 -p1

%patch33 -p1

%patch34 -p1

%patch35 -p1

%patch36 -p1

%patch37 -p1

%patch38 -p1

%patch39 -p1

%patch40 -p1

# Fedora/RHEL patches

%patch101 -p1

%patch102 -p1

%patch103 -p1

%patch104 -p1

%patch106 -p1

%patch107 -p1

%patch108 -p1

# upstream patches

%patch41 -p1

%patch42 -p1

%patch43 -p1

%patch44 -p1

%patch45 -p1

%patch46 -p1

%patch47 -p1

%patch48 -p1

%patch49 -p1

%patch50 -p1

%patch51 -p1

%patch52 -p1

%patch53 -p1

%patch54 -p1

%patch55 -p1

%patch56 -p1

%patch57 -p1

%patch58 -p1

%patch59 -p1

%patch60 -p1

%patch61 -p1

%patch62 -p1

%patch63 -p1

%patch64 -p1

%patch65 -p1

%patch66 -p1

%patch67 -p1

%patch68 -p1

%patch69 -p1

%patch70 -p1

%patch71 -p1

%patch72 -p1

%patch73 -p1

%patch74 -p1

%patch75 -p1

%patch76 -p1

git init

git apply --whitespace=nowarn %{PATCH77}

# regenerate Makefile.in files

aclocal -I m4

automake

# replace hard wired port numbers in the test suite

cd tests/data/

sed -i s/899\\\([0-9]\\\)/%{?__isa_bits}9\\1/ test*

cd -

# avoid spurious failure of test1086 on s390(x) builders (#1072273)

sed -i 's/-m 7/-m 15/' tests/data/test1086

# disable test 1112 (#565305) and test 2032 (#1241168)

printf "1112\n2032\n" >> tests/data/DISABLED

# disable test 1319 on ppc64 (server times out)

%ifarch ppc64

echo "1319" >> tests/data/DISABLED

%endif

%build

[ -x /usr/kerberos/bin/krb5-config ] && KRB5_PREFIX="=/usr/kerberos"

%configure --disable-static \

    --enable-hidden-symbols \

    --enable-ipv6 \

    --enable-ldaps \

    --enable-manual \

    --enable-threaded-resolver \

    --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \

    --with-gssapi${KRB5_PREFIX} \

    --with-libidn \

    --with-libssh2 \

    --without-ssl --with-nss

#    --enable-debug

# use ^^^ to turn off optimizations, etc.

# Remove bogus rpath

sed -i \

    -e 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' \

    -e 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool

make %{?_smp_mflags}

%check

LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir}

export LD_LIBRARY_PATH

# uncomment to use the non-stripped library in tests

# LD_LIBRARY_PATH=$(dirname $(realpath $(find -name \*.so)))

cd tests

make %{?_smp_mflags}

# use different port range for 32bit and 64bit build, thus make it possible

# to run both in parallel on the same machine

./runtests.pl -a -b%{?__isa_bits}90 -p -v

%install

rm -rf $RPM_BUILD_ROOT

make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install

rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la

install -d $RPM_BUILD_ROOT%{_datadir}/aclocal

install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal

# drop man page for a script we do not distribute

rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1

# Make libcurl-devel multilib-ready (bug #488922)

%if 0%{?__isa_bits} == 64

%define _curlbuild_h curlbuild-64.h

%else

%define _curlbuild_h curlbuild-32.h

%endif

mv $RPM_BUILD_ROOT%{_includedir}/curl/curlbuild.h \

   $RPM_BUILD_ROOT%{_includedir}/curl/%{_curlbuild_h}

install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_includedir}/curl/curlbuild.h

%clean

rm -rf $RPM_BUILD_ROOT

%post -n libcurl -p /sbin/ldconfig

%postun -n libcurl -p /sbin/ldconfig

%files

%defattr(-,root,root,-)

%doc CHANGES README* COPYING

%doc docs/BUGS docs/FAQ docs/FEATURES

%doc docs/MANUAL docs/RESOURCES

%doc docs/TheArtOfHttpScripting docs/TODO

%{_bindir}/curl

%{_mandir}/man1/curl.1*

%files -n libcurl

%defattr(-,root,root,-)

%{_libdir}/libcurl.so.*

%files -n libcurl-devel

%defattr(-,root,root,-)

%doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS

%doc docs/CONTRIBUTE docs/libcurl/ABI

%{_bindir}/curl-config*

%{_includedir}/curl

%{_libdir}/*.so

%{_libdir}/pkgconfig/*.pc

%{_mandir}/man1/curl-config.1*

%{_mandir}/man3/*

%{_datadir}/aclocal/libcurl.m4

%changelog

* Tue Nov 07 2023 Jacek Migacz <jmigacz@redhat.com> - 7.29.0-59.el7_9.2

- fix HTTP proxy deny use after free (CVE-2022-43552)

- rebuild certs with 2048-bit RSA keys

* Tue Jul 28 2020 Kamil Dudka <kdudka@redhat.com> - 7.29.0-59.el7_9.1

- avoid overwriting a local file with -J (CVE-2020-8177)

* Tue Jun 02 2020 Kamil Dudka <kdudka@redhat.com> - 7.29.0-59

- http: free protocol-specific struct in setup_connection callback (#1836773)

* Mon Mar 23 2020 Kamil Dudka <kdudka@redhat.com> - 7.29.0-58

- fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)

* Wed Nov 27 2019 Kamil Dudka <kdudka@redhat.com> - 7.29.0-57

- allow curl to POST from a char device (#1769307)

* Tue Oct 01 2019 Kamil Dudka <kdudka@redhat.com> - 7.29.0-56

- fix auth failure with duplicated WWW-Authenticate header (#1754736)

* Tue Aug 06 2019 Kamil Dudka <kdudka@redhat.com> - 7.29.0-55

- fix TFTP receive buffer overflow (CVE-2019-5436)

* Mon Jun 03 2019 Kamil Dudka <kdudka@redhat.com> - 7.29.0-54

- make `curl --tlsv1` backward compatible (#1672639)

* Mon May 27 2019 Kamil Dudka <kdudka@redhat.com> - 7.29.0-53

- backport the --tls-max option of curl and TLS 1.3 ciphers (#1672639)

* Fri Mar 01 2019 Kamil Dudka <kdudka@redhat.com> - 7.29.0-52

- prevent curl --rate-limit from hanging on file URLs (#1281969)

- fix NTLM password overflow via integer overflow (CVE-2018-14618)

- fix bad arithmetic when outputting warnings to stderr (CVE-2018-16842)

- backport options to force TLS 1.3 in curl and libcurl (#1672639)

- prevent curl --rate-limit from crashing on https URLs (#1683292)

* Wed Aug 08 2018 Kamil Dudka <kdudka@redhat.com> - 7.29.0-51

- require a new enough version of nss-pem to avoid regression in yum (#1610998)

* Thu Jun 07 2018 Kamil Dudka <kdudka@redhat.com> - 7.29.0-50

- remove dead code, detected by Coverity Analysis

- remove unused variable, detected by GCC and Clang

* Wed Jun 06 2018 Kamil Dudka <kdudka@redhat.com> - 7.29.0-49

- make curl --speed-limit work with TFTP (#1584750)

* Wed May 30 2018 Kamil Dudka <kdudka@redhat.com> - 7.29.0-48

- fix RTSP bad headers buffer over-read (CVE-2018-1000301)

- fix FTP path trickery leads to NIL byte out of bounds write (CVE-2018-1000120)

- fix LDAP NULL pointer dereference (CVE-2018-1000121)

- fix RTSP RTP buffer over-read (CVE-2018-1000122)

- http: prevent custom Authorization headers in redirects (CVE-2018-1000007)

- doc: --tlsauthtype works only if built with TLS-SRP support (#1542256)

- update certificates in the test-suite because they expire soon (#1572723)

* Fri Mar 02 2018 Kamil Dudka <kdudka@redhat.com> - 7.29.0-47

- make NSS deallocate PKCS #11 objects early enough (#1510247)

* Mon Dec 11 2017 Kamil Dudka <kdudka@redhat.com> - 7.29.0-46

- reset authentication state when HTTP transfer is done (#1511523)

* Mon Oct 23 2017 Kamil Dudka <kdudka@redhat.com> - 7.29.0-45

- fix buffer overflow while processing IMAP FETCH response (CVE-2017-1000257)

* Thu Sep 14 2017 Kamil Dudka <kdudka@redhat.com> 7.29.0-44

- drop 0109-curl-7.29.0-crl-valgrind.patch no longer needed (#1427883)

* Wed Sep 13 2017 Kamil Dudka <kdudka@redhat.com> 7.29.0-43

- curl --socks5-{basic,gssapi}: control socks5 auth (#1409208)

- nss: fix a memory leak when CURLOPT_CRLFILE is used (#1427883)

- nss: do not leak PKCS #11 slot while loading a key (#1444860)

- nss: fix a possible use-after-free in SelectClientCert() (#1473158)

* Wed Mar 29 2017 Kamil Dudka <kdudka@redhat.com> 7.29.0-42

- fix use of uninitialized variable detected by Covscan

* Wed Mar 29 2017 Kamil Dudka <kdudka@redhat.com> 7.29.0-41

- make FTPS work with --proxytunnel (#1420327)

* Mon Mar 27 2017 Kamil Dudka <kdudka@redhat.com> 7.29.0-40

- make FTPS work with --proxytunnel (#1420327)

* Wed Mar 01 2017 Kamil Dudka <kdudka@redhat.com> 7.29.0-39

- work around race condition in PK11_FindSlotByName() in NSS (#1404815)

* Thu Feb 09 2017 Kamil Dudka <kdudka@redhat.com> 7.29.0-38

- make FTPS work with --proxytunnel (#1420327)

* Thu Oct 06 2016 Kamil Dudka <kdudka@redhat.com> 7.29.0-37

- fix tight loop in non-blocking TLS handhsake over proxy (#1388162)

- handle cookies with numerical IPv6 address (#1341503)

- make libcurl recognize chacha20-poly1305 and SHA384 cipher-suites (#1374740)

- curl -E: allow to escape ':' in cert nickname (#1376062)

- run automake in %%prep to avoid patching Makefile.in files from now on

* Tue Sep 20 2016 Kamil Dudka <kdudka@redhat.com> 7.29.0-36

- reject negative string lengths in curl_easy_[un]escape() (CVE-2016-7167)

* Fri Aug 26 2016 Kamil Dudka <kdudka@redhat.com> 7.29.0-35

- fix incorrect use of a previously loaded certificate from file

  (related to CVE-2016-5420)

* Wed Aug 17 2016 Kamil Dudka <kdudka@redhat.com> 7.29.0-34

- acknowledge the --no-sessionid/CURLOPT_SSL_SESSIONID_CACHE option

  (required by the fix for CVE-2016-5419)

* Thu Aug 11 2016 Kamil Dudka <kdudka@redhat.com> 7.29.0-33

- fix re-using connections with wrong client cert (CVE-2016-5420)

- fix TLS session resumption client cert bypass (CVE-2016-5419)

* Mon Jun 20 2016 Kamil Dudka <kdudka@redhat.com> 7.29.0-32

- configure: improve detection of GCC's -fvisibility= flag

* Mon Jun 20 2016 Kamil Dudka <kdudka@redhat.com> 7.29.0-31

- prevent curl_multi_wait() from missing an event (#1347904)

* Tue Feb 16 2016 Kamil Dudka <kdudka@redhat.com> 7.29.0-30

- curl.1: --disable-{eprt,epsv} are ignored for IPv6 hosts (#1305974)

* Fri Jan 15 2016 Kamil Dudka <kdudka@redhat.com> 7.29.0-29

- SSH: make CURLOPT_SSH_PUBLIC_KEYFILE treat "" as NULL (#1275769)

* Mon Nov 02 2015 Kamil Dudka <kdudka@redhat.com> 7.29.0-28

- prevent NSS from incorrectly re-using a session (#1269855)

- call PR_Cleanup() in the upstream test-suite if NSPR is used (#1243324)

- disable unreliable upstream test-case 2032 (#1241168)

* Tue Oct 27 2015 Kamil Dudka <kdudka@redhat.com> 7.29.0-27

- SSH: do not require public key file for user authentication (#1275769)

* Tue Sep 08 2015 Kamil Dudka <kdudka@redhat.com> 7.29.0-26

- implement 'curl --unix-socket' and CURLOPT_UNIX_SOCKET_PATH (#1263318)

- improve parsing of URL-encoded user name and password (#1260178)

- prevent test46 from failing due to expired cookie (#1258834)

* Mon May 11 2015 Kamil Dudka <kdudka@redhat.com> 7.29.0-25

- fix spurious failure of test 1500 on ppc64le (#1218272)

* Tue May 05 2015 Kamil Dudka <kdudka@redhat.com> 7.29.0-24

- use the default min/max TLS version provided by NSS (#1170339)

- improve handling of timeouts and blocking direction to speed up FTP (#1218272)

* Mon Apr 27 2015 Kamil Dudka <kdudka@redhat.com> 7.29.0-23

- require credentials to match for NTLM re-use (CVE-2015-3143)

- close Negotiate connections when done (CVE-2015-3148)

* Thu Jan 08 2015 Kamil Dudka <kdudka@redhat.com> 7.29.0-22

- reject CRLFs in URLs passed to proxy (CVE-2014-8150)

* Thu Dec 18 2014 Kamil Dudka <kdudka@redhat.com> 7.29.0-21

- use only full matches for hosts used as IP address in cookies (CVE-2014-3613)

- fix handling of CURLOPT_COPYPOSTFIELDS in curl_easy_duphandle (CVE-2014-3707)

* Thu Nov 27 2014 Kamil Dudka <kdudka@redhat.com> 7.29.0-20

- eliminate unnecessary delay when resolving host from /etc/hosts (#1130239)