tech-pkg archive


Re: [security] Update www/curl to version 7.43.0

Hi,

On 06/29/15 18:41, Alistair Crooks wrote:
> Despite the fact that the freeze is now over, I've been informed that
> there are problems with curl 7.43.0 caching "Content-Length" between
> requests on the same connection. Probably best to wait for a fixed
> version to come from upstream.

Is this really a new issue from this release?

All I could find was this, from 2003 or older:
http://curl.haxx.se/docs/knownbugs.html

> 5. libcurl doesn't treat the content-length of compressed data properly, as
>   it seems HTTP servers send the *uncompressed* length in that header and
>   libcurl thinks of it as the *compressed* length. Some explanations are here:
>   http://curl.haxx.se/mail/lib-2003-06/0146.html

Or is it something else?

Cheers,
-- khorben

> On 28 June 2015 at 12:03, Pierre Pronchery <khorben%defora.org@localhost> wrote:
>> Hi tech-pkg@,
>>
>> I am attaching a patch here that updates www/curl to version 7.43.0.
>> This new version, released on June 17th, corrects two security issues:
>> - CVE-2015-3236: lingering HTTP credentials in connection re-use
>> - CVE-2015-3237: SMB send off unrelated memory contents
>>
>> The full changelog is at http://curl.haxx.se/changes.html#7_43_0. It
>> also mentions "compilation fixes with old versions of NSS", among other
>> fixes.
>>
>> This patch deprecates patch-lib_http2.c, which seems to be obsolete in
>> 7.43.0 as documented. There is an issue with patch-aa (configure)
>> however, which does not apply anymore; someone else should review this,
>> or let me know how to handle this part.
>>
>> HTH,
>> --
>> khorben
> 


-- 
khorben
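An added illustration of the known-bugs item quoted above (Content-Length of compressed data), written for this archive page and not taken from the thread or from curl's code: a minimal HTTP/1.1 response framer in Python that shows why, when Content-Encoding: gzip is in play, the header has to carry the transferred (compressed) byte count. The two byte streams are constructed for the example; the variant where the server declares the uncompressed length is the server behaviour the known-bugs entry describes, and the mis-framed second response is what a client that trusts that header would see on a reused connection. Nothing here reproduces libcurl's own logic or the 7.43.0 report; the function and variable names are this example's own.

```python
"""Framing HTTP/1.1 responses on a reused connection by Content-Length.

Constructed illustration: the header must carry the length of the body
as transferred (the gzip bytes when Content-Encoding: gzip is set).  If
a server declares the uncompressed length instead, a client that trusts
the header reads past the body into the next response on the connection.
"""
import gzip

BODY1_PLAIN = b"hello, compressed world! " * 4        # 100 bytes before gzip (constructed)
BODY1_GZ = gzip.compress(BODY1_PLAIN, mtime=0)        # far fewer bytes on the wire
BODY2 = b"x" * 200                                    # second, uncompressed response


def build_stream(declare_uncompressed_length: bool) -> bytes:
    """Two back-to-back responses as they would arrive on one keep-alive
    connection.  The flag selects which length the first response declares."""
    declared = len(BODY1_PLAIN) if declare_uncompressed_length else len(BODY1_GZ)
    resp1 = (b"HTTP/1.1 200 OK\r\n"
             b"Content-Encoding: gzip\r\n"
             b"Content-Length: " + str(declared).encode() + b"\r\n"
             b"\r\n" + BODY1_GZ)
    resp2 = (b"HTTP/1.1 200 OK\r\n"
             b"Content-Length: " + str(len(BODY2)).encode() + b"\r\n"
             b"\r\n" + BODY2)
    return resp1 + resp2


def frame_responses(stream: bytes) -> list:
    """Split the stream into (headers, raw_body) pairs, taking exactly
    Content-Length bytes for each body (chunked encoding is not handled)."""
    responses = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            raise ValueError("truncated header block (stream is out of sync)")
        lines = stream[pos:end].decode("ascii", "replace").split("\r\n")
        if not lines[0].startswith("HTTP/1."):
            raise ValueError("expected a status line, got %r" % lines[0])
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        if "content-length" not in headers:
            raise ValueError("no Content-Length; cannot frame the body")
        length = int(headers["content-length"])
        body = stream[end + 4:end + 4 + length]
        if len(body) != length:
            raise ValueError("short body: wanted %d bytes, got %d" % (length, len(body)))
        responses.append((headers, body))
        pos = end + 4 + length
    return responses


def decode_body(headers: dict, body: bytes) -> bytes:
    """Undo Content-Encoding after framing; gzip is the only coding handled here."""
    if headers.get("content-encoding") == "gzip":
        return gzip.decompress(body)
    return body


def read_connection(declare_uncompressed_length: bool) -> dict:
    """Frame and decode the constructed stream; report success or the
    first failure a client would hit."""
    stream = build_stream(declare_uncompressed_length)
    try:
        frames = frame_responses(stream)
        bodies = [decode_body(h, b) for h, b in frames]
    except (ValueError, EOFError, OSError) as exc:   # gzip.BadGzipFile is an OSError
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "count": len(frames), "bodies": bodies}


if __name__ == "__main__":
    print("correct Content-Length:", read_connection(False))
    print("uncompressed length declared:", read_connection(True))
```

With the correct header both responses frame and the gzip body expands back to 100 bytes; with the uncompressed length declared, the framer swallows the start of the second response as part of the first body and then cannot find a status line, which is the desync that makes connection re-use unsafe when the two lengths are confused.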