Pullup ticket #6435 - requested by leot
www/curl: security update
Revisions pulled up:
- www/curl/Makefile 1.240
- www/curl/PLIST 1.85
- www/curl/distinfo 1.169
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: leot
Date: Wed Mar 31 09:52:31 UTC 2021
Modified Files:
pkgsrc/www/curl: Makefile PLIST distinfo
Log Message:
curl: Update to 7.76.0
Changes:
7.76.0
===
This release includes the following changes:
o cookies: Support multiple -b parameters
o curl: add --fail-with-body
o doh: add options to disable ssl verification
o http: add support to read and store the referrer header
o sasl: support SCRAM-SHA-1 and SCRAM-SHA-256 via libgsasl
o vtls: initial implementation of rustls backend
This release includes the following bugfixes:
o CVE-2021-22876: strip credentials from the auto-referer header field
o CVE-2021-22890: add 'isproxy' argument to Curl_ssl_get/addsessionid()
o asyn-ares: use consistent resolve error message
o BUG-BOUNTY: removed the cooperation mention
o build: delete unused feature guards
o build: fix --disable-dateparse
o build: fix --disable-http-auth
o build: remove all traces of USE_BLOCKING_SOCKETS
o c-hyper: Remove superfluous pointer check
o c-hyper: support automatic content-encoding
o CI/azure: disable test 433 on azure-ubuntu
o CI/azure: replace python-impacket with python3-impacket
o ci: stop building on freebsd-12-1
o cmake: fix import library name for non-MS compiler on Windows
o cmake: use CMAKE_INSTALL_INCLUDEDIR indirection
o cmake: support WinIDN
o config: fix building SMB with configure using Win32 Crypto
o config: fix detection of restricted Windows App environment
o configure: fail if --with-quiche is used and quiche isn't found
o configure: make AC_TRY_* into AC_*_IFELSE
o configure: make hyper opt-in, and fail if missing
o configure: only add OpenSSL paths if they are defined
o configure: provide Largefile feature for curl-config
o configure: remove use of deprecated macros
o configure: s/AC_HELP_STRING/AS_HELP_STRING
o cookies: Fix potential NULL pointer deref with PSL
o curl: set CURLOPT_NEW_FILE_PERMS if requested
o curl_easy_setopt.3: add curl_easy_option* functions to SEE ALSO
o curl_multibyte: always return a heap-allocated copy of string
o curl_multibyte: fall back to local code page stat/access on Windows
o Curl_timeleft: check both timeouts during connect
o curl_url_set.3: mention CURLU_PATH_AS_IS
o CURLOPT_QUOTE.3: clarify that libcurl doesn't parse what's sent
o docs/HTTP2: remove the outdated remark about multiplexing for the tool
o docs/Makefile.inc: format to be update-friendly
o docs: add CURLOPT_CURLU to 'See also' in curl_url_ functions
o docs: add missing Arg tag to --stderr
o docs: Add SSL backend names to CURL_SSL_BACKEND
o docs: clarify timeouts for queued transfers in multi API
o docs: Explain DOH transfers inherit some SSL settings
o docs: fix FILE example url in --metalink documentation
o docs: make gen.pl support *italic* and **bold**
o doh: Fix sharing user's resolve list with DOH handles
o doh: Inherit CURLOPT_STDERR from user's easy handle
o dynbuf: bump the max HTTP request to 1MB
o examples: Remove threaded-shared-conn.c due to bug
o file: Support unicode urls on windows
o ftp: add 'list_only' to the transfer state struct
o ftp: add 'prefer_ascii' to the transfer state struct
o FTP: allow SIZE to fail when doing (resumed) upload
o ftp: avoid SIZE when asking for a TYPE A file
o ftp: fix Codacy/cppcheck warning about null pointer arithmetic
o ftp: fix memory leak in ftp_done
o ftp: never set data->set.ftp_append outside setopt
o gen.pl: quote "bare" minuses in the nroff curl.1
o github: add torture-ftp for FTP-only torture testing
o gnutls: assume nettle crypto support
o gskit: correct the gskit_send() prototype
o hostip: fix build with sync resolver
o hostip: fix crash in sync resolver builds that use DOH
o hsts: remove unused defines
o http2: don't set KEEP_SEND when there's no more data to be sent
o http2: fail if connection terminated without END_STREAM
o http: cap body data amount during send speed limiting
o http: do not add a referrer header with empty value
o http: make 416 not fail with resume + CURLOPT_FAILONERRROR
o http: remove superfluous NULL assign
o http: strip default port from URL sent to proxy
o http: use credentials from transfer, not connection
o ldap: use correct memory free function
o lib1536: check ptr against NULL before dereferencing it
o lib1537: check ptr against NULL before dereferencing it
o lib: remove 'conn->data' completely
o libssh2: kdb_callback: get the right struct pointer
o libssh2:ssh_connect: clear session pointer after free
o memdebug: close debug logfile explicitly on exit
o mingw: enable using strcasecmp()
o multi: close the connection when h2=>h1 downgrading
o multi: do once-per-transfer inits in before_perform in DID state
o multi: rename the multi transfer states
o multi: update pending list when removing handle
o ngtcp2: adapt to the new recv_datagram callback
o ngtcp2: clarify calculation precedence
o ngtcp2: Fix build error due to change in ngtcp2_addr_init
o ngtcp2: sync with recent API updates
o openldap: avoid NULL pointer dereferences
o openssl: adapt to v3's new const for a few API calls
o openssl: ensure to check SSL_CTX_set_alpn_protos return values
o openssl: remove get_ssl_version_txt in favor of SSL_get_version
o openssl: set the transfer pointer for logging early
o OS400: update for CURLOPT_AWS_SIGV4
o parse_proxy: fix a memory leak in the OOM path
o pathhelp.pm: fix use of pwd -L in Msys environment
o projects: Update VS projects for OpenSSL 1.1.x
o quiche: fix build error: use 'int' for port number
o quiche: fix crash when failing to connect
o retry-all-errors.d: Explain curl errors versus HTTP response errors
o retry.d: Clarify transient 5xx HTTP response codes
o runtests.pl: add %TESTNUMBER variable to make copying tests more convenient
o runtests.pl: add a -P option to specify an external proxy
o runtests.pl: kill processes locking test log files
o setopt: error on CURLOPT_HTTP09_ALLOWED set true with Hyper
o test1188: change error to check for: --fail HTTP status
o test220/314: adjust to run with Hyper
o test304: header CRLF cleanup to work with Hyper
o test306: make it not run with Hyper
o tests: disable .curlrc in more environments
o tests: use %TESTNUMBER instead of fixed number
o tftp: remove the 3600 second default timeout
o time: enable 64-bit time_t in supported mingw environments
o tool_help: add missing argument for --create-file-mode
o tool_help: Increase space between option and description
o tool_operate: bail if set CURLOPT_HTTP09_ALLOWED returns error
o travis: add a rustls build
o travis: bump wolfssl to 4.7.0
o travis: only build wolfssl when needed
o travis: split "torture" into a separate "events" build
o travis: switch ngtcp2 build over to quictls
o travis: use ubuntu nghttp2 package instead of build our own
o url.c: use consistent error message for failed resolve
o url: fix memory leak if OOM in the HSTS handling
o url: fix possible use-after-free in default protocol
o urldata: don't touch data->set.httpversion at run-time
o urldata: fix build without HTTP and MQTT
o urldata: make 'actions[]' use unsigned char instead of int
o urldata: merge "struct DynamicStatic" into "struct UrlState"
o urldata: remove the 'rtspversion' field
o urldata: remove the _ORIG suffix from string names
o version.d: Add missing features to the features list
o wolfssl: don't store a NULL sessionid
To generate a diff of this commit:
cvs rdiff -u -r1.239 -r1.240 pkgsrc/www/curl/Makefile
cvs rdiff -u -r1.84 -r1.85 pkgsrc/www/curl/PLIST
cvs rdiff -u -r1.168 -r1.169 pkgsrc/www/curl/distinfo
(spz)
diff -r1.239 -r1.239.2.1 pkgsrc/www/curl/Makefile| @@ -1,16 +1,16 @@ | @@ -1,16 +1,16 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.239 2021/03/01 23:31:30 gdt Exp $ | 1 | # $NetBSD: Makefile,v 1.239.2.1 2021/04/04 13:22:06 spz Exp $ | |
| 2 | 2 | |||
| 3 | DISTNAME= curl-7.75.0 | 3 | DISTNAME= curl-7.76.0 | |
| 4 | CATEGORIES= www | 4 | CATEGORIES= www | |
| 5 | MASTER_SITES= https://curl.haxx.se/download/ | 5 | MASTER_SITES= https://curl.haxx.se/download/ | |
| 6 | EXTRACT_SUFX= .tar.xz | 6 | EXTRACT_SUFX= .tar.xz | |
| 7 | 7 | |||
| 8 | MAINTAINER= leot@NetBSD.org | 8 | MAINTAINER= leot@NetBSD.org | |
| 9 | HOMEPAGE= https://curl.haxx.se/ | 9 | HOMEPAGE= https://curl.haxx.se/ | |
| 10 | COMMENT= Client that groks URLs | 10 | COMMENT= Client that groks URLs | |
| 11 | # not completely, but near enough | 11 | # not completely, but near enough | |
| 12 | LICENSE= mit | 12 | LICENSE= mit | |
| 13 | 13 | |||
| 14 | BUILD_DEFS+= IPV6_READY | 14 | BUILD_DEFS+= IPV6_READY | |
| 15 | 15 | |||
| 16 | TEST_DEPENDS+= ${PYPKGPREFIX}-impacket-[0-9]*:../../net/py-impacket | 16 | TEST_DEPENDS+= ${PYPKGPREFIX}-impacket-[0-9]*:../../net/py-impacket |
| @@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
| 1 | @comment $NetBSD: PLIST,v 1.84 2021/02/03 13:17:18 adam Exp $ | 1 | @comment $NetBSD: PLIST,v 1.84.2.1 2021/04/04 13:22:06 spz Exp $ | |
| 2 | bin/curl | 2 | bin/curl | |
| 3 | bin/curl-config | 3 | bin/curl-config | |
| 4 | include/curl/curl.h | 4 | include/curl/curl.h | |
| 5 | include/curl/curlver.h | 5 | include/curl/curlver.h | |
| 6 | include/curl/easy.h | 6 | include/curl/easy.h | |
| 7 | include/curl/mprintf.h | 7 | include/curl/mprintf.h | |
| 8 | include/curl/multi.h | 8 | include/curl/multi.h | |
| 9 | include/curl/options.h | 9 | include/curl/options.h | |
| 10 | include/curl/stdcheaders.h | 10 | include/curl/stdcheaders.h | |
| 11 | include/curl/system.h | 11 | include/curl/system.h | |
| 12 | include/curl/typecheck-gcc.h | 12 | include/curl/typecheck-gcc.h | |
| 13 | include/curl/urlapi.h | 13 | include/curl/urlapi.h | |
| 14 | lib/libcurl.la | 14 | lib/libcurl.la | |
| @@ -47,26 +47,27 @@ man/man3/CURLINFO_OS_ERRNO.3 | @@ -47,26 +47,27 @@ man/man3/CURLINFO_OS_ERRNO.3 | |||
| 47 | man/man3/CURLINFO_PRETRANSFER_TIME.3 | 47 | man/man3/CURLINFO_PRETRANSFER_TIME.3 | |
| 48 | man/man3/CURLINFO_PRETRANSFER_TIME_T.3 | 48 | man/man3/CURLINFO_PRETRANSFER_TIME_T.3 | |
| 49 | man/man3/CURLINFO_PRIMARY_IP.3 | 49 | man/man3/CURLINFO_PRIMARY_IP.3 | |
| 50 | man/man3/CURLINFO_PRIMARY_PORT.3 | 50 | man/man3/CURLINFO_PRIMARY_PORT.3 | |
| 51 | man/man3/CURLINFO_PRIVATE.3 | 51 | man/man3/CURLINFO_PRIVATE.3 | |
| 52 | man/man3/CURLINFO_PROTOCOL.3 | 52 | man/man3/CURLINFO_PROTOCOL.3 | |
| 53 | man/man3/CURLINFO_PROXYAUTH_AVAIL.3 | 53 | man/man3/CURLINFO_PROXYAUTH_AVAIL.3 | |
| 54 | man/man3/CURLINFO_PROXY_ERROR.3 | 54 | man/man3/CURLINFO_PROXY_ERROR.3 | |
| 55 | man/man3/CURLINFO_PROXY_SSL_VERIFYRESULT.3 | 55 | man/man3/CURLINFO_PROXY_SSL_VERIFYRESULT.3 | |
| 56 | man/man3/CURLINFO_REDIRECT_COUNT.3 | 56 | man/man3/CURLINFO_REDIRECT_COUNT.3 | |
| 57 | man/man3/CURLINFO_REDIRECT_TIME.3 | 57 | man/man3/CURLINFO_REDIRECT_TIME.3 | |
| 58 | man/man3/CURLINFO_REDIRECT_TIME_T.3 | 58 | man/man3/CURLINFO_REDIRECT_TIME_T.3 | |
| 59 | man/man3/CURLINFO_REDIRECT_URL.3 | 59 | man/man3/CURLINFO_REDIRECT_URL.3 | |
| 60 | man/man3/CURLINFO_REFERER.3 | |||
| 60 | man/man3/CURLINFO_REQUEST_SIZE.3 | 61 | man/man3/CURLINFO_REQUEST_SIZE.3 | |
| 61 | man/man3/CURLINFO_RESPONSE_CODE.3 | 62 | man/man3/CURLINFO_RESPONSE_CODE.3 | |
| 62 | man/man3/CURLINFO_RETRY_AFTER.3 | 63 | man/man3/CURLINFO_RETRY_AFTER.3 | |
| 63 | man/man3/CURLINFO_RTSP_CLIENT_CSEQ.3 | 64 | man/man3/CURLINFO_RTSP_CLIENT_CSEQ.3 | |
| 64 | man/man3/CURLINFO_RTSP_CSEQ_RECV.3 | 65 | man/man3/CURLINFO_RTSP_CSEQ_RECV.3 | |
| 65 | man/man3/CURLINFO_RTSP_SERVER_CSEQ.3 | 66 | man/man3/CURLINFO_RTSP_SERVER_CSEQ.3 | |
| 66 | man/man3/CURLINFO_RTSP_SESSION_ID.3 | 67 | man/man3/CURLINFO_RTSP_SESSION_ID.3 | |
| 67 | man/man3/CURLINFO_SCHEME.3 | 68 | man/man3/CURLINFO_SCHEME.3 | |
| 68 | man/man3/CURLINFO_SIZE_DOWNLOAD.3 | 69 | man/man3/CURLINFO_SIZE_DOWNLOAD.3 | |
| 69 | man/man3/CURLINFO_SIZE_DOWNLOAD_T.3 | 70 | man/man3/CURLINFO_SIZE_DOWNLOAD_T.3 | |
| 70 | man/man3/CURLINFO_SIZE_UPLOAD.3 | 71 | man/man3/CURLINFO_SIZE_UPLOAD.3 | |
| 71 | man/man3/CURLINFO_SIZE_UPLOAD_T.3 | 72 | man/man3/CURLINFO_SIZE_UPLOAD_T.3 | |
| 72 | man/man3/CURLINFO_SPEED_DOWNLOAD.3 | 73 | man/man3/CURLINFO_SPEED_DOWNLOAD.3 | |
| @@ -134,26 +135,29 @@ man/man3/CURLOPT_CURLU.3 | @@ -134,26 +135,29 @@ man/man3/CURLOPT_CURLU.3 | |||
| 134 | man/man3/CURLOPT_CUSTOMREQUEST.3 | 135 | man/man3/CURLOPT_CUSTOMREQUEST.3 | |
| 135 | man/man3/CURLOPT_DEBUGDATA.3 | 136 | man/man3/CURLOPT_DEBUGDATA.3 | |
| 136 | man/man3/CURLOPT_DEBUGFUNCTION.3 | 137 | man/man3/CURLOPT_DEBUGFUNCTION.3 | |
| 137 | man/man3/CURLOPT_DEFAULT_PROTOCOL.3 | 138 | man/man3/CURLOPT_DEFAULT_PROTOCOL.3 | |
| 138 | man/man3/CURLOPT_DIRLISTONLY.3 | 139 | man/man3/CURLOPT_DIRLISTONLY.3 | |
| 139 | man/man3/CURLOPT_DISALLOW_USERNAME_IN_URL.3 | 140 | man/man3/CURLOPT_DISALLOW_USERNAME_IN_URL.3 | |
| 140 | man/man3/CURLOPT_DNS_CACHE_TIMEOUT.3 | 141 | man/man3/CURLOPT_DNS_CACHE_TIMEOUT.3 | |
| 141 | man/man3/CURLOPT_DNS_INTERFACE.3 | 142 | man/man3/CURLOPT_DNS_INTERFACE.3 | |
| 142 | man/man3/CURLOPT_DNS_LOCAL_IP4.3 | 143 | man/man3/CURLOPT_DNS_LOCAL_IP4.3 | |
| 143 | man/man3/CURLOPT_DNS_LOCAL_IP6.3 | 144 | man/man3/CURLOPT_DNS_LOCAL_IP6.3 | |
| 144 | man/man3/CURLOPT_DNS_SERVERS.3 | 145 | man/man3/CURLOPT_DNS_SERVERS.3 | |
| 145 | man/man3/CURLOPT_DNS_SHUFFLE_ADDRESSES.3 | 146 | man/man3/CURLOPT_DNS_SHUFFLE_ADDRESSES.3 | |
| 146 | man/man3/CURLOPT_DNS_USE_GLOBAL_CACHE.3 | 147 | man/man3/CURLOPT_DNS_USE_GLOBAL_CACHE.3 | |
| 148 | man/man3/CURLOPT_DOH_SSL_VERIFYHOST.3 | |||
| 149 | man/man3/CURLOPT_DOH_SSL_VERIFYPEER.3 | |||
| 150 | man/man3/CURLOPT_DOH_SSL_VERIFYSTATUS.3 | |||
| 147 | man/man3/CURLOPT_DOH_URL.3 | 151 | man/man3/CURLOPT_DOH_URL.3 | |
| 148 | man/man3/CURLOPT_EGDSOCKET.3 | 152 | man/man3/CURLOPT_EGDSOCKET.3 | |
| 149 | man/man3/CURLOPT_ERRORBUFFER.3 | 153 | man/man3/CURLOPT_ERRORBUFFER.3 | |
| 150 | man/man3/CURLOPT_EXPECT_100_TIMEOUT_MS.3 | 154 | man/man3/CURLOPT_EXPECT_100_TIMEOUT_MS.3 | |
| 151 | man/man3/CURLOPT_FAILONERROR.3 | 155 | man/man3/CURLOPT_FAILONERROR.3 | |
| 152 | man/man3/CURLOPT_FILETIME.3 | 156 | man/man3/CURLOPT_FILETIME.3 | |
| 153 | man/man3/CURLOPT_FNMATCH_DATA.3 | 157 | man/man3/CURLOPT_FNMATCH_DATA.3 | |
| 154 | man/man3/CURLOPT_FNMATCH_FUNCTION.3 | 158 | man/man3/CURLOPT_FNMATCH_FUNCTION.3 | |
| 155 | man/man3/CURLOPT_FOLLOWLOCATION.3 | 159 | man/man3/CURLOPT_FOLLOWLOCATION.3 | |
| 156 | man/man3/CURLOPT_FORBID_REUSE.3 | 160 | man/man3/CURLOPT_FORBID_REUSE.3 | |
| 157 | man/man3/CURLOPT_FRESH_CONNECT.3 | 161 | man/man3/CURLOPT_FRESH_CONNECT.3 | |
| 158 | man/man3/CURLOPT_FTPPORT.3 | 162 | man/man3/CURLOPT_FTPPORT.3 | |
| 159 | man/man3/CURLOPT_FTPSSLAUTH.3 | 163 | man/man3/CURLOPT_FTPSSLAUTH.3 |
| @@ -1,8 +1,8 @@ | @@ -1,8 +1,8 @@ | |||
| 1 | $NetBSD: distinfo,v 1.168 2021/02/03 13:17:18 adam Exp $ | 1 | $NetBSD: distinfo,v 1.168.2.1 2021/04/04 13:22:06 spz Exp $ | |
| 2 | 2 | |||
| 3 | SHA1 (curl-7.75.0.tar.xz) = ae65d2140104f441b65b60c5e1d541d11dab80c6 | 3 | SHA1 (curl-7.76.0.tar.xz) = b4e7ee3c9b9d086a116c2f37f0969fc47cbf3ad0 | |
| 4 | RMD160 (curl-7.75.0.tar.xz) = 3b94b99c85e0cc61784f31d08b34f167d45e452c | 4 | RMD160 (curl-7.76.0.tar.xz) = a24268c5c860c374c892fa6ae2e9426da922484e | |
| 5 | SHA512 (curl-7.75.0.tar.xz) = 4c2fc6658379b8b93dd50665b70f3000b63d3bcafd2df60b7e651a8edf4735b3decb06c338b84cb22058191aa9f8f4dc85760a42f9987210b59300758304b746 | 5 | SHA512 (curl-7.76.0.tar.xz) = a67e5078b48150c6f5331e76b25a6b197f1e916be1db900bf9455b032b3af5a71610b47e607546ecbae510d196a0cfcb75a14dac549288797af1701b7b587ece | |
| 6 | Size (curl-7.75.0.tar.xz) = 2418816 bytes | 6 | Size (curl-7.76.0.tar.xz) = 2428552 bytes | |
| 7 | SHA1 (patch-configure) = 8dcc112bd2950e146a77bed7638e490e24a5aa71 | 7 | SHA1 (patch-configure) = 8dcc112bd2950e146a77bed7638e490e24a5aa71 | |
| 8 | SHA1 (patch-curl-config.in) = a58c777fc1a0a087776e62ed2e2a1e0a339716df | 8 | SHA1 (patch-curl-config.in) = a58c777fc1a0a087776e62ed2e2a1e0a339716df |