Summary: A utility for getting files from remote servers (FTP, HTTP, and others)

Name: curl

Version: 7.76.1

Release: 14%{?dist}.4

License: MIT

Source: https://curl.se/download/%{name}-%{version}.tar.xz

# http2: fix resource leaks detected by Coverity

Patch1:   0001-curl-7.76.1-resource-leaks.patch

# fix TELNET stack contents disclosure (CVE-2021-22898)

Patch2:   0002-curl-7.76.1-CVE-2021-22898.patch

# fix TLS session caching disaster (CVE-2021-22901)

Patch3:   0003-curl-7.76.1-CVE-2021-22901.patch

# fix SIGSEGV upon disconnect of a ldaps:// transfer (#1941925)

Patch4:   0004-curl-7.76.1-ldaps-segv.patch

# fix bad connection reuse due to flawed path name checks (CVE-2021-22924)

Patch5:   0005-curl-7.76.1-CVE-2021-22924.patch

# fix TELNET stack contents disclosure again (CVE-2021-22925)

Patch6:   0006-curl-7.76.1-CVE-2021-22925.patch

# fix use-after-free and double-free in MQTT sending (CVE-2021-22945)

Patch7:   0007-curl-7.76.1-CVE-2021-22945.patch

# fix protocol downgrade required TLS bypass (CVE-2021-22946)

Patch8:   0008-curl-7.76.1-CVE-2021-22946.patch

# fix STARTTLS protocol injection via MITM (CVE-2021-22947)

Patch9:   0009-curl-7.76.1-CVE-2021-22947.patch

# fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)

Patch10:  0010-curl-7.76.1-CVE-2022-22576.patch

# fix auth/cookie leak on redirect (CVE-2022-27776)

Patch12:  0012-curl-7.76.1-CVE-2022-27776.patch

# fix credential leak on redirect (CVE-2022-27774)

Patch13:  0013-curl-7.76.1-CVE-2022-27774.patch

# fix too eager reuse of TLS and SSH connections (CVE-2022-27782)

Patch14:  0014-curl-7.76.1-CVE-2022-27782.patch

# make upstream tests work with openssh-8.7p1

Patch15:  0015-curl-7.76.1-tests-openssh.patch

# patch making libcurl multilib ready

Patch101: 0101-curl-7.32.0-multilib.patch

# prevent configure script from discarding -g in CFLAGS (#496778)

Patch102: 0102-curl-7.36.0-debug.patch

# prevent valgrind from reporting false positives on x86_64

Patch105: 0105-curl-7.63.0-lib1560-valgrind.patch

Provides: curl-full = %{version}-%{release}

Provides: webclient

URL: https://curl.se/

BuildRequires: automake

BuildRequires: brotli-devel

BuildRequires: coreutils

BuildRequires: gcc

BuildRequires: groff

BuildRequires: krb5-devel

BuildRequires: libidn2-devel

BuildRequires: libnghttp2-devel

BuildRequires: libpsl-devel

BuildRequires: libssh-devel

BuildRequires: libtool

BuildRequires: make

BuildRequires: openldap-devel

BuildRequires: openssh-clients

BuildRequires: openssh-server

BuildRequires: openssl-devel

BuildRequires: perl-interpreter

BuildRequires: pkgconfig

BuildRequires: python-unversioned-command

BuildRequires: python3-devel

BuildRequires: sed

BuildRequires: zlib-devel

# needed to compress content of tool_hugehelp.c after changing curl.1 man page

BuildRequires: perl(IO::Compress::Gzip)

# needed for generation of shell completions

BuildRequires: perl(Getopt::Long)

BuildRequires: perl(Pod::Usage)

BuildRequires: perl(strict)

BuildRequires: perl(warnings)

# gnutls-serv is used by the upstream test-suite

BuildRequires: gnutls-utils

# hostname(1) is used by the test-suite but it is missing in armv7hl buildroot

BuildRequires: hostname

# nghttpx (an HTTP/2 proxy) is used by the upstream test-suite

BuildRequires: nghttp2

# perl modules used in the test suite

BuildRequires: perl(Cwd)

BuildRequires: perl(Digest::MD5)

BuildRequires: perl(Exporter)

BuildRequires: perl(File::Basename)

BuildRequires: perl(File::Copy)

BuildRequires: perl(File::Spec)

BuildRequires: perl(IPC::Open2)

BuildRequires: perl(MIME::Base64)

BuildRequires: perl(Time::Local)

BuildRequires: perl(Time::HiRes)

BuildRequires: perl(vars)

%if 0%{?fedora}

# needed for upstream test 1451

BuildRequires: python3-impacket

%endif

# The test-suite runs automatically through valgrind if valgrind is available

# on the system.  By not installing valgrind into mock's chroot, we disable

# this feature for production builds on architectures where valgrind is known

# to be less reliable, in order to avoid unnecessary build failures (see RHBZ

# #810992, #816175, and #886891).  Nevertheless developers are free to install

# valgrind manually to improve test coverage on any architecture.

%ifarch x86_64

BuildRequires: valgrind

%endif

# stunnel is used by upstream tests but it does not seem to work reliably

# on s390x and occasionally breaks some tests (mainly 1561 and 1562)

%ifnarch s390x

BuildRequires: stunnel

%endif

# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION

Requires: libcurl%{?_isa} >= %{version}-%{release}

# require at least the version of libpsl that we were built against,

# to ensure that we have the necessary symbols available (#1631804)

%global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0)

# require at least the version of libssh that we were built against,

# to ensure that we have the necessary symbols available (#525002, #642796)

%global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0)

# require at least the version of openssl-libs that we were built against,

# to ensure that we have the necessary symbols available (#1462184, #1462211)

# (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though)

%global openssl_version %({ pkg-config --modversion openssl 2>/dev/null || echo 0;} | sed 's|-|-0.|')

%description

curl is a command line tool for transferring data with URL syntax, supporting

FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,

SMTP, POP3 and RTSP.  curl supports SSL certificates, HTTP POST, HTTP PUT, FTP

uploading, HTTP form based upload, proxies, cookies, user+password

authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer

resume, proxy tunneling and a busload of other useful tricks. 

%package -n libcurl

Summary: A library for getting files from web servers

Requires: libpsl%{?_isa} >= %{libpsl_version}

Requires: libssh%{?_isa} >= %{libssh_version}

Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}

Provides: libcurl-full = %{version}-%{release}

Provides: libcurl-full%{?_isa} = %{version}-%{release}

%description -n libcurl

libcurl is a free and easy-to-use client-side URL transfer library, supporting

FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,

SMTP, POP3 and RTSP. libcurl supports SSL certificates, HTTP POST, HTTP PUT,

FTP uploading, HTTP form based upload, proxies, cookies, user+password

authentication (Basic, Digest, NTLM, Negotiate, Kerberos4), file transfer

resume, http proxy tunneling and more.

%package -n libcurl-devel

Summary: Files needed for building applications with libcurl

Requires: libcurl%{?_isa} = %{version}-%{release}

Provides: curl-devel = %{version}-%{release}

Provides: curl-devel%{?_isa} = %{version}-%{release}

Obsoletes: curl-devel < %{version}-%{release}

%description -n libcurl-devel

The libcurl-devel package includes header files and libraries necessary for

developing programs which use the libcurl library. It contains the API

documentation of the library, too.

%package -n curl-minimal

Summary: Conservatively configured build of curl for minimal installations

Provides: curl = %{version}-%{release}

Conflicts: curl

RemovePathPostfixes: .minimal

# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION

Requires: libcurl%{?_isa} >= %{version}-%{release}

%description -n curl-minimal

This is a replacement of the 'curl' package for minimal installations.  It

comes with a limited set of features compared to the 'curl' package.  On the

other hand, the package is smaller and requires fewer run-time dependencies to

be installed.

%package -n libcurl-minimal

Summary: Conservatively configured build of libcurl for minimal installations

Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}

Provides: libcurl = %{version}-%{release}

Provides: libcurl%{?_isa} = %{version}-%{release}

Conflicts: libcurl%{?_isa}

RemovePathPostfixes: .minimal

# needed for RemovePathPostfixes to work with shared libraries

%undefine __brp_ldconfig

%description -n libcurl-minimal

This is a replacement of the 'libcurl' package for minimal installations.  It

comes with a limited set of features compared to the 'libcurl' package.  On the

other hand, the package is smaller and requires fewer run-time dependencies to

be installed.

%prep

%setup -q

# upstream patches

%patch1 -p1

%patch2 -p1

%patch3 -p1

%patch4 -p1

%patch5 -p1

%patch6 -p1

%patch7 -p1

%patch8 -p1

%patch9 -p1

%patch10 -p1

%patch12 -p1

%patch13 -p1

%patch14 -p1

%patch15 -p1

# Fedora patches

%patch101 -p1

%patch102 -p1

%patch105 -p1

# disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed

# with errno 98: Address already in use' in Koji environment), and test 1801

# <https://github.com/bagder/curl/commit/21e82bd6#commitcomment-12226582>

printf "1112\n1455\n1592\n1801\n" >> tests/data/DISABLED

# disable test 1319 on ppc64 (server times out)

%ifarch ppc64

echo "1319" >> tests/data/DISABLED

%endif

# temporarily disable test 582 on s390x (client times out)

%ifarch s390x

echo "582" >> tests/data/DISABLED

%endif

# temporarily disable tests 702 703 716 on armv7hl (#1829180)

%ifarch armv7hl

printf "702\n703\n716\n" >> tests/data/DISABLED

%endif

# adapt test 323 for updated OpenSSL

sed -e 's|^35$|35,52|' -i tests/data/test323

# use localhost6 instead of ip6-localhost in the curl test-suite

(

    # avoid glob expansion in the trace output of `bash -x`

    { set +x; } 2>/dev/null

    cmd="sed -e 's|ip6-localhost|localhost6|' -i tests/data/test[0-9]*"

    printf "+ %s\n" "$cmd" >&2

    eval "$cmd"

)

# regenerate the configure script and Makefile.in files

autoreconf -fiv

%build

mkdir build-{full,minimal}

export common_configure_opts="          \

    --cache-file=../config.cache        \

    --disable-hsts                      \

    --disable-static                    \

    --enable-ipv6                       \

    --enable-symbol-hiding              \

    --enable-threaded-resolver          \

    --without-libmetalink               \

    --without-zstd                      \

    --with-gssapi                       \

    --with-nghttp2                      \

    --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt"

%global _configure ../configure

# configure minimal build

(

    cd build-minimal

    %configure $common_configure_opts   \

        --disable-dict                  \

        --disable-gopher                \

        --disable-imap                  \

        --disable-ldap                  \

        --disable-ldaps                 \

        --disable-manual                \

        --disable-mqtt                  \

        --disable-ntlm                  \

        --disable-ntlm-wb               \

        --disable-pop3                  \

        --disable-rtsp                  \

        --disable-smb                   \

        --disable-smtp                  \

        --disable-telnet                \

        --disable-tftp                  \

        --disable-tls-srp               \

        --without-brotli                \

        --without-libidn2               \

        --without-libpsl                \

        --without-libssh

)

# configure full build

(

    cd build-full

    %configure $common_configure_opts   \

        --enable-dict                   \

        --enable-gopher                 \

        --enable-imap                   \

        --enable-ldap                   \

        --enable-ldaps                  \

        --enable-manual                 \

        --enable-mqtt                   \

        --enable-ntlm                   \

        --enable-ntlm-wb                \

        --enable-pop3                   \

        --enable-rtsp                   \

        --enable-smb                    \

        --enable-smtp                   \

        --enable-telnet                 \

        --enable-tftp                   \

        --enable-tls-srp                \

        --with-brotli                   \

        --with-libidn2                  \

        --with-libpsl                   \

        --with-libssh

)

# avoid using rpath

sed -e 's/^runpath_var=.*/runpath_var=/' \

    -e 's/^hardcode_libdir_flag_spec=".*"$/hardcode_libdir_flag_spec=""/' \

    -i build-{full,minimal}/libtool

%make_build V=1 -C build-minimal

%make_build V=1 -C build-full

%check

# compile upstream test-cases

%make_build V=1 -C build-minimal/tests

%make_build V=1 -C build-full/tests

# relax crypto policy for the test-suite to make it pass again (#1610888)

export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX

export OPENSSL_CONF=

# make runtests.pl work for out-of-tree builds

export srcdir=../../tests

# prevent valgrind from being extremely slow (#1662656)

# https://fedoraproject.org/wiki/Changes/DebuginfodByDefault

unset DEBUGINFOD_URLS

# run the upstream test-suite for both curl-minimal and curl-full

for size in minimal full; do (

    cd build-${size}

    # we have to override LD_LIBRARY_PATH because we eliminated rpath

    export LD_LIBRARY_PATH="${PWD}/lib/.libs"

    cd tests

    perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky'

)

done

%install

# install and rename the library that will be packaged as libcurl-minimal

%make_install -C build-minimal/lib

rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.{la,so}

for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do

    mv -v $i $i.minimal

done

# install and rename the executable that will be packaged as curl-minimal

%make_install -C build-minimal/src

mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal}

# install libcurl.m4

install -d $RPM_BUILD_ROOT%{_datadir}/aclocal

install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal

# install the executable and library that will be packaged as curl and libcurl

cd build-full

%make_install

# install zsh completion for curl

# (we have to override LD_LIBRARY_PATH because we eliminated rpath)

LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \

    %make_install -C scripts

# do not install /usr/share/fish/completions/curl.fish which is also installed

# by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict

rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish

rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la

%ldconfig_scriptlets -n libcurl

%ldconfig_scriptlets -n libcurl-minimal

%files

%doc CHANGES

%doc README

%doc docs/BUGS.md

%doc docs/FAQ

%doc docs/FEATURES.md

%doc docs/TODO

%doc docs/TheArtOfHttpScripting.md

%{_bindir}/curl

%{_mandir}/man1/curl.1*

%{_datadir}/zsh

%files -n libcurl

%license COPYING

%{_libdir}/libcurl.so.4

%{_libdir}/libcurl.so.4.[0-9].[0-9]

%files -n libcurl-devel

%doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md

%doc docs/CONTRIBUTE.md docs/libcurl/ABI.md

%{_bindir}/curl-config*

%{_includedir}/curl

%{_libdir}/*.so

%{_libdir}/pkgconfig/*.pc

%{_mandir}/man1/curl-config.1*

%{_mandir}/man3/*

%{_datadir}/aclocal/libcurl.m4

%files -n curl-minimal

%{_bindir}/curl.minimal

%{_mandir}/man1/curl.1*

%files -n libcurl-minimal

%license COPYING

%{_libdir}/libcurl.so.4.minimal

%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

%changelog

* Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-14.el9_0.4

- fix too eager reuse of TLS and SSH connections (CVE-2022-27782)

* Mon May 02 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-14.el9_0.3

- fix leak of SRP credentials in redirects (CVE-2022-27774)

* Fri Apr 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-14.el9_0.2

- add missing tests to Makefile

* Thu Apr 28 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-14.el9_0.1

- fix credential leak on redirect (CVE-2022-27774)

- fix auth/cookie leak on redirect (CVE-2022-27776)

- fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)

* Tue Oct 26 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-14

- re-disable HSTS in libcurl as an experimental feature (#2005874)

* Mon Oct 04 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-13

- disable more protocols and features in libcurl-minimal (#2005874)

* Fri Sep 17 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-12

- fix STARTTLS protocol injection via MITM (CVE-2021-22947)

- fix protocol downgrade required TLS bypass (CVE-2021-22946)

- fix use-after-free and double-free in MQTT sending (CVE-2021-22945)

* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 7.76.1-11

- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags

  Related: rhbz#1991688

* Wed Jul 28 2021 Florian Weimer <fweimer@redhat.com> - 7.76.1-10

- Rebuild to pick up OpenSSL 3.0 Beta ABI (#1984097)

* Fri Jul 23 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-9

- make explicit dependency on openssl work with alpha/beta builds of openssl

* Wed Jul 21 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-8

- fix TELNET stack contents disclosure again (CVE-2021-22925)

- fix bad connection reuse due to flawed path name checks (CVE-2021-22924)

* Tue Jun 15 2021 Mohan Boddu <mboddu@redhat.com> - 7.76.1-6

- Rebuilt for RHEL 9 BETA for openssl 3.0 Related: rhbz#1971065

* Wed Jun 02 2021 Kamil Dudka <kdudka@redhat.com> - 7.77.0-5

- build the curl tool without metalink support (#1967213)

* Wed Jun 02 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-4

- fix SIGSEGV upon disconnect of a ldaps:// transfer (#1941925)

* Wed May 26 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-3

- fix TLS session caching disaster (CVE-2021-22901)

- fix TELNET stack contents disclosure (CVE-2021-22898)

* Mon May 03 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-2

- http2: fix resource leaks detected by Coverity

* Fri Apr 23 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-1

- new upstream release

* Fri Apr 23 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.0-1

- new upstream release, which fixes the following vulnerabilities

    CVE-2021-22890 - TLS 1.3 session ticket proxy host mixup

    CVE-2021-22876 - Automatic referer leaks credentials

* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 7.75.0-4

- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

* Wed Mar 24 2021 Kamil Dudka <kdudka@redhat.com> - 7.75.0-3

- fix SIGSEGV upon disconnect of a ldaps:// transfer (#1941925)

* Tue Feb 23 2021 Kamil Dudka <kdudka@redhat.com> - 7.75.0-2

- build-require python3-impacket only on Fedora

* Wed Feb 03 2021 Kamil Dudka <kdudka@redhat.com> - 7.75.0-1

- new upstream release

* Tue Jan 26 2021 Kamil Dudka <kdudka@redhat.com> - 7.74.0-4

- do not use stunnel for tests on s390x builds to avoid spurious failures

* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.74.0-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

* Wed Dec 09 2020 Kamil Dudka <kdudka@redhat.com> - 7.74.0-2

- do not rewrite shebangs in test-suite to use python3 explicitly

* Wed Dec 09 2020 Kamil Dudka <kdudka@redhat.com> - 7.74.0-1

- new upstream release, which fixes the following vulnerabilities

    CVE-2020-8286 - curl: Inferior OCSP verification

    CVE-2020-8285 - libcurl: FTP wildcard stack overflow

    CVE-2020-8284 - curl: trusting FTP PASV responses

* Wed Oct 14 2020 Kamil Dudka <kdudka@redhat.com> - 7.73.0-2

- prevent upstream test 1451 from being skipped

* Wed Oct 14 2020 Kamil Dudka <kdudka@redhat.com> - 7.73.0-1

- new upstream release

* Thu Sep 10 2020 Jinoh Kang <aurhb20@protonmail.ch> - 7.72.0-2

- fix multiarch conflicts in libcurl-minimal (#1877671)

* Wed Aug 19 2020 Kamil Dudka <kdudka@redhat.com> - 7.72.0-1

- new upstream release, which fixes the following vulnerability

    CVE-2020-8231 - libcurl: wrong connect-only connection

* Thu Aug 06 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-5

- setopt: unset NOBODY switches to GET if still HEAD

* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.71.1-4

- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 7.71.1-3

- Use make macros

- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro

* Fri Jul 03 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-2

- curl: make the --krb option work again (#1833193)

* Wed Jul 01 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-1

- new upstream release

* Wed Jun 24 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.0-1

- new upstream release, which fixes the following vulnerabilities

    CVE-2020-8169 - curl: Partial password leak over DNS on HTTP redirect

    CVE-2020-8177 - curl: overwrite local file with -J

* Wed Apr 29 2020 Kamil Dudka <kdudka@redhat.com> - 7.70.0-1

- new upstream release

* Mon Apr 20 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.1-3

- SSH: use new ECDSA key types to check known hosts (#1824926)

* Fri Apr 17 2020 Tom Stellard <tstellar@redhat.com> - 7.69.1-2

- Prevent discarding of -g when compiling with clang

* Wed Mar 11 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.1-1

- new upstream release

* Mon Mar 09 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.0-2

- make Flatpak work again (#1810989)

* Wed Mar 04 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.0-1

- new upstream release

* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.68.0-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

* Wed Jan 08 2020 Kamil Dudka <kdudka@redhat.com> - 7.68.0-1

- new upstream release

* Thu Nov 14 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.0-2

- fix infinite loop on upload using a glob (#1771025)

* Wed Nov 06 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.0-1

- new upstream release

* Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.66.0-1

- new upstream release, which fixes the following vulnerabilities

    CVE-2019-5481 - double free due to subsequent call of realloc()

    CVE-2019-5482 - heap buffer overflow in function tftp_receive_packet()

* Tue Aug 27 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.3-4

- avoid reporting spurious error in the HTTP2 framing layer (#1690971)

* Thu Aug 01 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.3-3

- improve handling of gss_init_sec_context() failures

* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7.65.3-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

* Sat Jul 20 2019 Paul Howarth <paul@city-fan.org> - 7.65.3-1

- new upstream release

* Wed Jul 17 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.2-1

- new upstream release

* Wed Jun 05 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.1-1

- new upstream release

* Thu May 30 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.0-2

- fix spurious timeout events with speed-limit (#1714893)

* Wed May 22 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.0-1

- new upstream release, which fixes the following vulnerabilities

    CVE-2019-5436 - TFTP receive buffer overflow

    CVE-2019-5435 - integer overflows in curl_url_set()

* Thu May 09 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.1-2

- do not treat failure of gss_init_sec_context() with --negotiate as fatal

* Wed Mar 27 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.1-1

- new upstream release

* Mon Mar 25 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-6

- remove verbose "Expire in" ... messages (#1690971)

* Thu Mar 21 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-5

- avoid spurious "Could not resolve host: [host name]" error messages

* Wed Feb 27 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-4

- fix NULL dereference if flushing cookies with no CookieInfo set (#1683676)

* Mon Feb 25 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-3

- prevent NetworkManager from leaking file descriptors (#1680198)

* Mon Feb 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-2

- make zsh completion work again

* Wed Feb 06 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-1

- new upstream release, which fixes the following vulnerabilities

    CVE-2019-3823 - SMTP end-of-response out-of-bounds read

    CVE-2019-3822 - NTLMv2 type-3 header stack buffer overflow

    CVE-2018-16890 - NTLM type-2 out-of-bounds buffer read

* Mon Feb 04 2019 Kamil Dudka <kdudka@redhat.com> - 7.63.0-7

- prevent valgrind from reporting false positives on x86_64

* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7.63.0-6

- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

* Mon Jan 21 2019 Kamil Dudka <kdudka@redhat.com> - 7.63.0-5

- xattr: strip credentials from any URL that is stored (CVE-2018-20483)

* Fri Jan 04 2019 Kamil Dudka <kdudka@redhat.com> - 7.63.0-4

- replace 0105-curl-7.63.0-libstubgss-ldadd.patch by upstream patch

* Wed Dec 19 2018 Kamil Dudka <kdudka@redhat.com> - 7.63.0-3

- curl -J: do not append to the destination file (#1658574)

* Fri Dec 14 2018 Kamil Dudka <kdudka@redhat.com> - 7.63.0-2

- revert an upstream commit that broke `fedpkg new-sources` (#1659329)

* Wed Dec 12 2018 Kamil Dudka <kdudka@redhat.com> - 7.63.0-1

- new upstream release

* Wed Oct 31 2018 Kamil Dudka <kdudka@redhat.com> - 7.62.0-1

- new upstream release, which fixes the following vulnerabilities

    CVE-2018-16839 - SASL password overflow via integer overflow

    CVE-2018-16840 - use-after-free in handle close

    CVE-2018-16842 - warning message out-of-buffer read

* Thu Oct 11 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-3

- enable TLS 1.3 post-handshake auth in OpenSSL

- update the documentation of --tlsv1.0 in curl(1) man page

* Thu Oct 04 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-2

- enforce versioned libpsl dependency for libcurl (#1631804)

- test320: update expected output for gnutls-3.6.4

- drop 0105-curl-7.61.0-tests-ssh-keygen.patch no longer needed (#1622594)

* Wed Sep 05 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-1

- new upstream release, which fixes the following vulnerability

    CVE-2018-14618 - NTLM password overflow via integer overflow

* Tue Sep 04 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-8

- make the --tls13-ciphers option work

* Mon Aug 27 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-7

- tests: make ssh-keygen always produce PEM format (#1622594)

* Wed Aug 15 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-6

- scp/sftp: fix infinite connect loop on invalid private key (#1595135)