Hi,
For details see: https://curl.haxx.se/changes.html
This came rather unexpectedly - if I'd known, I'd have waited with 7.63.0.
"Changes:
cookies: leave secure cookies alone
hostip: support wildcard hosts
http: Implement trailing headers for chunked transfers
http: added options for allowing HTTP/0.9 responses
timeval: Use high resolution timestamps on Windows

Bugfixes:
CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
CVE-2019-3823: SMTP end-of-response out-of-bounds read
FAQ: remove mention of sourceforge for github
OS400: handle memory error in list conversion
OS400: upgrade ILE/RPG binding.
README: add codacy code quality badge
Revert http_negotiate: do not close connection
THANKS: added several missing names from year <= 2000
build: make 'tidy' target work for metalink builds
cmake: added checks for variadic macros
cmake: updated check for HAVE_POLL_FINE to match autotools
cmake: use lowercase for function name like the rest of the code
configure: detect xlclang separately from clang
configure: fix recv/send/select detection on Android
configure: rewrite --enable-code-coverage
conncache_unlock: avoid indirection by changing input argument type
cookie: fix comment typo
cookies: allow secure override when done over HTTPS
cookies: extend domain checks to non psl builds
cookies: skip custom cookies when redirecting cross-site
curl --xattr: strip credentials from any URL that is stored
curl -J: refuse to append to the destination file
curl/urlapi.h: include "curl.h" first
curl_multi_remove_handle() don't block terminating c-ares requests
darwinssl: accept setting max-tls with default min-tls
disconnect: separate connections and easy handles better
disconnect: set conn->data for protocol disconnect
docs/version.d: mention MultiSSL
docs: fix the --tls-max description
docs: use $(INSTALL_DATA) to install man page
docs: use meaningless port number in CURLOPT_LOCALPORT example
gopher: always include the entire gopher-path in request
http2: clear pause stream id if it gets closed
if2ip: remove unused function Curl_if_is_interface_name
libssh: do not let libssh create socket
libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
libssh: free sftp_canonicalize_path() data correctly
libtest/stub_gssapi: use "real" snprintf
mbedtls: use VERIFYHOST
multi: multiplexing improvements
multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
ntlm: fix NTMLv2 compliance
ntlm_sspi: add support for channel binding
openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
openssl: fix the SSL_get_tlsext_status_ocsp_resp call
openvms: fix OpenSSL discovery on VAX
openvms: fix typos in documentation
os400: add a missing closing bracket
os400: fix extra parameter syntax error
pingpong: change default response timeout to 120 seconds
pingpong: ignore regular timeout in disconnect phase
printf: fix format specifiers
runtests.pl: Fix perl call to include srcdir
schannel: fix compiler warning
schannel: preserve original certificate path parameter
schannel: stop calling it "winssl"
sigpipe: if mbedTLS is used, ignore SIGPIPE
smb: fix incorrect path in request if connection reused
ssh: log the libssh2 error message when ssh session startup fails
test1558: verify CURLINFO_PROTOCOL on file:// transfer
test1561: improve test name
test1653: make it survive torture tests
tests: allow tests to pass by 2037-02-12
tests: move objnames-* from lib into tests
timediff: fix math for unsigned time_t
timeval: Disable MSVC Analyzer GetTickCount warning
tool_cb_prg: avoid integer overflow
travis: added cmake build for osx
urlapi: Fix port parsing of eol colon
urlapi: distinguish possibly empty query
urlapi: fix parsing ipv6 with zone index
urldata: rename easy_conn to just conn
winbuild: conditionally use /DZLIB_WINAPI
wolfssl: fix memory-leak in threaded use
spnego_sspi: add support for channel binding"
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
---
config/rootfiles/common/curl | 3 +++
lfs/curl | 4 ++--
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/config/rootfiles/common/curl b/config/rootfiles/common/curl index 5c616f8da..1eb9f6f37 100644 --- a/config/rootfiles/common/curl +++ b/config/rootfiles/common/curl @@ -170,6 +170,7 @@ usr/lib/libcurl.so.4.5.0 #usr/share/man/man3/CURLOPT_HEADERDATA.3 #usr/share/man/man3/CURLOPT_HEADERFUNCTION.3 #usr/share/man/man3/CURLOPT_HEADEROPT.3 +#usr/share/man/man3/CURLOPT_HTTP09_ALLOWED.3 #usr/share/man/man3/CURLOPT_HTTP200ALIASES.3 #usr/share/man/man3/CURLOPT_HTTPAUTH.3 #usr/share/man/man3/CURLOPT_HTTPGET.3 @@ -340,6 +341,8 @@ usr/lib/libcurl.so.4.5.0 #usr/share/man/man3/CURLOPT_TLSAUTH_PASSWORD.3 #usr/share/man/man3/CURLOPT_TLSAUTH_TYPE.3 #usr/share/man/man3/CURLOPT_TLSAUTH_USERNAME.3 +#usr/share/man/man3/CURLOPT_TRAILERDATA.3 +#usr/share/man/man3/CURLOPT_TRAILERFUNCTION.3 #usr/share/man/man3/CURLOPT_TRANSFERTEXT.3 #usr/share/man/man3/CURLOPT_TRANSFER_ENCODING.3 #usr/share/man/man3/CURLOPT_UNIX_SOCKET_PATH.3 diff --git a/lfs/curl b/lfs/curl index f00677b5e..e57bbbf45 100644 --- a/lfs/curl +++ b/lfs/curl @@ -24,7 +24,7 @@
include Config
-VER = 7.63.0 +VER = 7.64.0
THISAPP = curl-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 6121427a7199cd6094fc48c9e31e8992 +$(DL_FILE)_MD5 = a026740d599a32bcbbe6e70679397899
install : $(TARGET)
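Review bot: Both config/rootfiles/common/curl hunks add only man-page entries, while their hunk headers still show `usr/lib/libcurl.so.4.5.0` as the library entry. Please confirm that 7.64.0 still installs the shared object under that exact file name, because a stale entry would no longer match the installed file. The three new entries (`CURLOPT_HTTP09_ALLOWED.3`, `CURLOPT_TRAILERDATA.3`, `CURLOPT_TRAILERFUNCTION.3`) are commented out like their neighbours, which is consistent with the rest of the list.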
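Review bot: The only integrity value updated in the second lfs/curl hunk is `$(DL_FILE)_MD5`, and MD5 is not collision-resistant, so the recorded digest alone is weak evidence that the 7.64.0 tarball is the one upstream released. Since this bump carries three CVE fixes and will be picked up quickly, it would help to note in the commit message that the tarball was verified against upstream's published signature before `a026740d599a32bcbbe6e70679397899` was recorded, and to add a stronger digest alongside the MD5 if the build system accepts one.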
Thank you. Merged.
On 9 Feb 2019, at 09:37, Matthias Fischer matthias.fischer@ipfire.org wrote:
Hi,
For details see: https://curl.haxx.se/changes.html
This came rather unexpectedly - if I'd known, I'd have waited with 7.63.0.
"Changes:
cookies: leave secure cookies alone
hostip: support wildcard hosts
http: Implement trailing headers for chunked transfers
http: added options for allowing HTTP/0.9 responses
timeval: Use high resolution timestamps on Windows

Bugfixes:
CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
CVE-2019-3823: SMTP end-of-response out-of-bounds read
FAQ: remove mention of sourceforge for github
OS400: handle memory error in list conversion
OS400: upgrade ILE/RPG binding.
README: add codacy code quality badge
Revert http_negotiate: do not close connection
THANKS: added several missing names from year <= 2000
build: make 'tidy' target work for metalink builds
cmake: added checks for variadic macros
cmake: updated check for HAVE_POLL_FINE to match autotools
cmake: use lowercase for function name like the rest of the code
configure: detect xlclang separately from clang
configure: fix recv/send/select detection on Android
configure: rewrite --enable-code-coverage
conncache_unlock: avoid indirection by changing input argument type
cookie: fix comment typo
cookies: allow secure override when done over HTTPS
cookies: extend domain checks to non psl builds
cookies: skip custom cookies when redirecting cross-site
curl --xattr: strip credentials from any URL that is stored
curl -J: refuse to append to the destination file
curl/urlapi.h: include "curl.h" first
curl_multi_remove_handle() don't block terminating c-ares requests
darwinssl: accept setting max-tls with default min-tls
disconnect: separate connections and easy handles better
disconnect: set conn->data for protocol disconnect
docs/version.d: mention MultiSSL
docs: fix the --tls-max description
docs: use $(INSTALL_DATA) to install man page
docs: use meaningless port number in CURLOPT_LOCALPORT example
gopher: always include the entire gopher-path in request
http2: clear pause stream id if it gets closed
if2ip: remove unused function Curl_if_is_interface_name
libssh: do not let libssh create socket
libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
libssh: free sftp_canonicalize_path() data correctly
libtest/stub_gssapi: use "real" snprintf
mbedtls: use VERIFYHOST
multi: multiplexing improvements
multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
ntlm: fix NTMLv2 compliance
ntlm_sspi: add support for channel binding
openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
openssl: fix the SSL_get_tlsext_status_ocsp_resp call
openvms: fix OpenSSL discovery on VAX
openvms: fix typos in documentation
os400: add a missing closing bracket
os400: fix extra parameter syntax error
pingpong: change default response timeout to 120 seconds
pingpong: ignore regular timeout in disconnect phase
printf: fix format specifiers
runtests.pl: Fix perl call to include srcdir
schannel: fix compiler warning
schannel: preserve original certificate path parameter
schannel: stop calling it "winssl"
sigpipe: if mbedTLS is used, ignore SIGPIPE
smb: fix incorrect path in request if connection reused
ssh: log the libssh2 error message when ssh session startup fails
test1558: verify CURLINFO_PROTOCOL on file:// transfer
test1561: improve test name
test1653: make it survive torture tests
tests: allow tests to pass by 2037-02-12
tests: move objnames-* from lib into tests
timediff: fix math for unsigned time_t
timeval: Disable MSVC Analyzer GetTickCount warning
tool_cb_prg: avoid integer overflow
travis: added cmake build for osx
urlapi: Fix port parsing of eol colon
urlapi: distinguish possibly empty query
urlapi: fix parsing ipv6 with zone index
urldata: rename easy_conn to just conn
winbuild: conditionally use /DZLIB_WINAPI
wolfssl: fix memory-leak in threaded use
spnego_sspi: add support for channel binding"
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
config/rootfiles/common/curl | 3 +++
lfs/curl | 4 ++--
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/config/rootfiles/common/curl b/config/rootfiles/common/curl index 5c616f8da..1eb9f6f37 100644 --- a/config/rootfiles/common/curl +++ b/config/rootfiles/common/curl @@ -170,6 +170,7 @@ usr/lib/libcurl.so.4.5.0 #usr/share/man/man3/CURLOPT_HEADERDATA.3 #usr/share/man/man3/CURLOPT_HEADERFUNCTION.3 #usr/share/man/man3/CURLOPT_HEADEROPT.3 +#usr/share/man/man3/CURLOPT_HTTP09_ALLOWED.3 #usr/share/man/man3/CURLOPT_HTTP200ALIASES.3 #usr/share/man/man3/CURLOPT_HTTPAUTH.3 #usr/share/man/man3/CURLOPT_HTTPGET.3 @@ -340,6 +341,8 @@ usr/lib/libcurl.so.4.5.0 #usr/share/man/man3/CURLOPT_TLSAUTH_PASSWORD.3 #usr/share/man/man3/CURLOPT_TLSAUTH_TYPE.3 #usr/share/man/man3/CURLOPT_TLSAUTH_USERNAME.3 +#usr/share/man/man3/CURLOPT_TRAILERDATA.3 +#usr/share/man/man3/CURLOPT_TRAILERFUNCTION.3 #usr/share/man/man3/CURLOPT_TRANSFERTEXT.3 #usr/share/man/man3/CURLOPT_TRANSFER_ENCODING.3 #usr/share/man/man3/CURLOPT_UNIX_SOCKET_PATH.3 diff --git a/lfs/curl b/lfs/curl index f00677b5e..e57bbbf45 100644 --- a/lfs/curl +++ b/lfs/curl @@ -24,7 +24,7 @@
include Config
-VER = 7.63.0 +VER = 7.64.0
THISAPP = curl-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 6121427a7199cd6094fc48c9e31e8992 +$(DL_FILE)_MD5 = a026740d599a32bcbbe6e70679397899
install : $(TARGET)
-- 2.18.0