head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.4 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.2 pkgsrc-2012Q4-base:1.2 pkgsrc-2011Q4:1.1.0.2; locks; strict; comment @# @; 1.2 date 2012.01.28.14.41.15; author wiz; state dead; branches; next 1.1; 1.1 date 2012.01.26.11.25.55; author drochner; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2012.01.26.11.25.55; author sbd; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2012.01.28.06.26.19; author sbd; state Exp; branches; next ; desc @@ 1.2 log @Update to 7.24.0: Fixed in 7.24.0 - January 24 2012 Release contains security-related bug fix Changes: * CURLOPT_QUOTE: SFTP supports the '*'-prefix now * CURLOPT_DNS_SERVERS: set name servers if possible * Add support for using nettle instead of gcrypt as gnutls backend * CURLOPT_INTERFACE: avoid resolving interfaces names with magic prefixes * Added CURLOPT_ACCEPTTIMEOUT_MS * configure: add symbols versioning option --enable-versioned-symbols Bugfixes: * curl was vulnerable to a data injection attack for certain protocols CVE-2012-0036 * curl was vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL * SSL session share: move the age counter to the share object * -J -O: use -O name if no Content-Disposition header comes! * protocol_connect: show verbose connect and set connect time * query-part: ignore the URI part for given protocols * gnutls: only translate winsock errors for old versions * POP3: fix end of body detection * POP3: detect when LIST returns no mails * TELNET: improved treatment of options * configure: add support for pkg-config detection of libidn * CyaSSL 2.0+ library initialization adjustment * multi interface: only use non-NULL socker function pointer * call opensocket callback properly for active FTP * don't call close socket callback for sockets created with accept() * differentiate better between host/proxy errors * SSH: fix CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and --hostpubmd5 * multi: handle timeouts on DNS servers by checking for new sockets * CURLOPT_DNS_SERVERS: fix return code * POP3: fixed escaped dot not being stripped out * OpenSSL: check for the SSLv2 function in configure * MakefileBuild: fix the static build * create_conn: don't switch to HTTP protocol if tunneling is enabled * multi interface: fix block when CONNECT_ONLY option is used * Fix connection reuse for TLS upgraded connections * multiple file upload with -F and custom type * multi interface: active FTP connections are no longer blocking * Android build fix * timer: restore PRETRANSFER timing * libcurl.m4: Fix quoting arguments of AC_LANG_PROGRAM * appconnect time fixed for non-blocking connect ssl backends * do not include SSL handshake into time spent waiting for 100-continue * handle dns cache case insensitive * use new host name casing for subsequent HTTP requests * CURLOPT_RESOLVE: avoid adding already present host names * SFTP mkdir: use correct permission * resolve: don't leak pre-populated dns entries * --retry: Retry transfers on timeout and DNS errors * negotiate with SSPI backend: use the correct buffer for input * SFTP dir: increase buffer size counter to avoid cut off file names * TFTP: fix resending (again) * c-ares: don't include getaddrinfo-using code * FTP: CURLE_PARTIAL_FILE will not close the control channel * win32-threaded-resolver: stop using a dummy socket * OpenSSL: remove reference to openssl internal struct * OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option no longer enabled * OpenSSL: fix PKCS#12 certificate parsing related memory leak * OpenLDAP: fix LDAP connection phase memory leak * Telnet: Use correct file descriptor for telnet upload * Telnet: Remove bogus optimisation of telnet upload * URL parse: user name with ipv6 numerical address * polarssl: show cipher suite name correctly with 1.1.0 * polarssl: havege_rand is not present in version 1.1.0 WARNING, we still use the old API which is said to be insecure * gnutls: enforced use of SSLv3 @ text @$NetBSD: patch-bd,v 1.1 2012/01/26 11:25:55 drochner Exp $ CVE-2012-0036 --- lib/pop3.c.orig 2011-11-04 22:32:56.000000000 +0000 +++ lib/pop3.c @@@@ -899,11 +899,7 @@@@ static CURLcode pop3_parse_url_path(stru const char *path = data->state.path; /* url decode the path and use this mailbox */ - pop3c->mailbox = curl_easy_unescape(data, path, 0, NULL); - if(!pop3c->mailbox) - return CURLE_OUT_OF_MEMORY; - - return CURLE_OK; + return Curl_urldecode(data, path, 0, &pop3c->mailbox, NULL, TRUE); } /* call this when the DO phase has completed */ @ 1.1 log @add patches from upstream to fix 2 security problems: -data injection attack for certain protocols (CVE-2012-0036) -SSL CBC IV vulnerability (OpenSSL related, CVE-2011-3389) bump PKGREV @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-bd was added on branch pkgsrc-2011Q4 on 2012-01-28 06:26:19 +0000 @ text @d1 19 @ 1.1.2.2 log @Pullup ticket #3663 - requested by drochner www/curl security update Revisions pulled up: - www/curl/Makefile 1.110 - www/curl/distinfo 1.73 - www/curl/patches/patch-ba 1.1 - www/curl/patches/patch-bb 1.1 - www/curl/patches/patch-bc 1.1 - www/curl/patches/patch-bd 1.1 - www/curl/patches/patch-be 1.1 - www/curl/patches/patch-bf 1.1 --- Module Name: pkgsrc Committed By: drochner Date: Thu Jan 26 11:25:55 UTC 2012 Modified Files: pkgsrc/www/curl: Makefile distinfo Added Files: pkgsrc/www/curl/patches: patch-ba patch-bb patch-bc patch-bd patch-be patch-bf Log Message: add patches from upstream to fix 2 security problems: -data injection attack for certain protocols (CVE-2012-0036) -SSL CBC IV vulnerability (OpenSSL related, CVE-2011-3389) bump PKGREV @ text @a0 19 $NetBSD$ CVE-2012-0036 --- lib/pop3.c.orig 2011-11-04 22:32:56.000000000 +0000 +++ lib/pop3.c @@@@ -899,11 +899,7 @@@@ static CURLcode pop3_parse_url_path(stru const char *path = data->state.path; /* url decode the path and use this mailbox */ - pop3c->mailbox = curl_easy_unescape(data, path, 0, NULL); - if(!pop3c->mailbox) - return CURLE_OUT_OF_MEMORY; - - return CURLE_OK; + return Curl_urldecode(data, path, 0, &pop3c->mailbox, NULL, TRUE); } /* call this when the DO phase has completed */ @