tech-pkg archive


[security] Update www/curl to version 7.43.0



Hi tech-pkg@,

I am attaching a patch here that updates www/curl to version 7.43.0.
This new version, released on June 17th, corrects two security issues:
- CVE-2015-3236: lingering HTTP credentials in connection re-use
- CVE-2015-3237: SMB send off unrelated memory contents

The full changelog is at http://curl.haxx.se/changes.html#7_43_0. It
also mentions "compilation fixes with old versions of NSS", among other
fixes.

This patch deprecates patch-lib_http2.c, which seems to be obsolete in
7.43.0 as documented. There is an issue with patch-aa (configure)
however, which does not apply anymore; someone else should review this,
or let me know how to handle this part.

HTH,
-- 
khorben
Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/www/curl/Makefile,v
retrieving revision 1.150
diff -p -u -r1.150 Makefile
--- Makefile	12 Jun 2015 10:51:49 -0000	1.150
+++ Makefile	28 Jun 2015 19:09:04 -0000
@@ -1,7 +1,6 @@
 # $NetBSD: Makefile,v 1.150 2015/06/12 10:51:49 wiz Exp $
 
-DISTNAME=	curl-7.42.1
-PKGREVISION=	2
+DISTNAME=	curl-7.43.0
 CATEGORIES=	www
 MASTER_SITES=	http://curl.haxx.se/download/ \
 		ftp://ftp.sunet.se/pub/www/utilities/curl/
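
Review bot: both MASTER_SITES entries left in place below the new DISTNAME are cleartext (http:// and ftp://), so for this security update the distinfo hashes are the only integrity control on curl-7.43.0.tar.bz2. Please say in the commit message how the tarball was checked before the hashes were generated, for example against upstream's detached signature, and consider listing an https mirror first if upstream offers one.
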
Index: PLIST
===================================================================
RCS file: /cvsroot/pkgsrc/www/curl/PLIST,v
retrieving revision 1.49
diff -p -u -r1.49 PLIST
--- PLIST	3 May 2015 10:11:55 -0000	1.49
+++ PLIST	28 Jun 2015 19:09:04 -0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.49 2015/05/03 10:11:55 wiz Exp $
+@comment $NetBSD$
 bin/curl
 bin/curl-config
 include/curl/curl.h
@@ -140,6 +140,7 @@ man/man3/CURLOPT_OPENSOCKETFUNCTION.3
 man/man3/CURLOPT_PASSWORD.3
 man/man3/CURLOPT_PATH_AS_IS.3
 man/man3/CURLOPT_PINNEDPUBLICKEY.3
+man/man3/CURLOPT_PIPEWAIT.3
 man/man3/CURLOPT_PORT.3
 man/man3/CURLOPT_POST.3
 man/man3/CURLOPT_POSTFIELDS.3
@@ -160,6 +161,7 @@ man/man3/CURLOPT_PROXYPORT.3
 man/man3/CURLOPT_PROXYTYPE.3
 man/man3/CURLOPT_PROXYUSERNAME.3
 man/man3/CURLOPT_PROXYUSERPWD.3
+man/man3/CURLOPT_PROXY_SERVICE_NAME.3
 man/man3/CURLOPT_PROXY_TRANSFER_MODE.3
 man/man3/CURLOPT_PUT.3
 man/man3/CURLOPT_QUOTE.3
@@ -181,6 +183,7 @@ man/man3/CURLOPT_RTSP_TRANSPORT.3
 man/man3/CURLOPT_SASL_IR.3
 man/man3/CURLOPT_SEEKDATA.3
 man/man3/CURLOPT_SEEKFUNCTION.3
+man/man3/CURLOPT_SERVICE_NAME.3
 man/man3/CURLOPT_SHARE.3
 man/man3/CURLOPT_SOCKOPTDATA.3
 man/man3/CURLOPT_SOCKOPTFUNCTION.3
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/www/curl/distinfo,v
retrieving revision 1.105
diff -p -u -r1.105 distinfo
--- distinfo	3 Jun 2015 12:00:06 -0000	1.105
+++ distinfo	28 Jun 2015 19:09:04 -0000
@@ -1,9 +1,8 @@
-$NetBSD: distinfo,v 1.105 2015/06/03 12:00:06 fhajny Exp $
+$NetBSD$
 
-SHA1 (curl-7.42.1.tar.bz2) = f65708915875b8cb35edb51d8dd31440dc02fbd3
-RMD160 (curl-7.42.1.tar.bz2) = 76d5b23fae60356342e2bac2e4c706ed544d4adf
-Size (curl-7.42.1.tar.bz2) = 3327304 bytes
-SHA1 (patch-aa) = 59ec0be3ac90470fdc5935881da6a14dbab9d378
+SHA1 (curl-7.43.0.tar.bz2) = d821ea39610b7f1122f1f574a4d8e20e81b3c561
+RMD160 (curl-7.43.0.tar.bz2) = 404481695a8f79cbf9a245bfa9c06140d1cdbf11
+Size (curl-7.43.0.tar.bz2) = 3363770 bytes
+SHA1 (patch-aa) = 1c8fdbbeae9f61e010fd18c6501a5dfafff4e644
 SHA1 (patch-curl-config.in) = fd87c97b601a6b9269f67fbc066604ee7e22570e
-SHA1 (patch-lib_hostcheck.c) = 9faf94f44703c7d37377fd3af319ca5c27df34c2
-SHA1 (patch-lib_http2.c) = 4ba0164ffdba714c620daccbf80eedd51562acf4
+SHA1 (patch-lib_hostcheck.c) = 8e772d3f91cdafae17281cc19004269ece0cf308
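
Review bot: the patch-lib_http2.c entry is dropped from distinfo, but the diff contains no removal of patches/patch-lib_http2.c itself; the file has to be removed in the same commit, otherwise the patches directory and distinfo are out of sync. The patch-aa hash is also updated here (1c8fdbbe...) while the mail says patch-aa still needs review, so distinfo must be regenerated once patch-aa is final.
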
Index: patches/patch-aa
===================================================================
RCS file: /cvsroot/pkgsrc/www/curl/patches/patch-aa,v
retrieving revision 1.30
diff -p -u -r1.30 patch-aa
--- patches/patch-aa	22 Apr 2015 14:35:21 -0000	1.30
+++ patches/patch-aa	28 Jun 2015 19:09:04 -0000
@@ -3,17 +3,9 @@ $NetBSD: patch-aa,v 1.30 2015/04/22 14:3
 builtin krb5-config in platforms such as solaris do not support
 the gssapi option, and need an explicit -lgss
 
---- configure.orig	2015-04-21 07:21:35.000000000 +0000
+--- configure.orig	2015-06-28 18:16:51.000000000 +0000
 +++ configure
-@@ -3703,6 +3703,7 @@ $as_echo "$as_me: $xc_bad_var_msg librar
-         ;;
-     esac
-   done
-+  xc_bad_var_cflags=no
-   if test $xc_bad_var_cflags = yes; then
-     { $as_echo "$as_me:${as_lineno-$LINENO}: using CFLAGS: $CFLAGS" >&5
- $as_echo "$as_me: using CFLAGS: $CFLAGS" >&6;}
-@@ -16682,7 +16683,7 @@ squeeze() {
+@@ -16689,7 +16689,7 @@ squeeze() {
  
  
        #
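
Review bot: the inner hunk that set 'xc_bad_var_cflags=no' is deleted here with no explanation, and the description at the top of patch-aa never documented it. That assignment sat directly before 'if test $xc_bad_var_cflags = yes', so it kept configure from ever taking that branch; please state whether 7.43.0 no longer needs the override or whether it was dropped only because it stopped applying. In the second case it should be re-ported against the new configure rather than removed.
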
@@ -22,19 +14,7 @@ the gssapi option, and need an explicit 
      #
      if test "$compiler_id" = "GNU_C" ||
        test "$compiler_id" = "CLANG"; then
-@@ -21131,6 +21132,11 @@ $as_echo "yes" >&6; }
-         GSSAPI_INCS=`$GSSAPI_ROOT/bin/$host_alias-krb5-config --cflags gssapi`
-      elif test -f "$GSSAPI_ROOT/bin/krb5-config"; then
-         GSSAPI_INCS=`$GSSAPI_ROOT/bin/krb5-config --cflags gssapi`
-+        if $GSSAPI_ROOT/bin/krb5-config --cflags gssapi 2>&1 | grep "Unknown option" >/dev/null; then
-+            GSSAPI_INCS=`$GSSAPI_ROOT/bin/krb5-config --cflags`
-+        else
-+            GSSAPI_INCS=`$GSSAPI_ROOT/bin/krb5-config --cflags gssapi`
-+        fi
-      elif test -f "$KRB5CONFIG"; then
-         GSSAPI_INCS=`$KRB5CONFIG --cflags gssapi`
-      elif test "$GSSAPI_ROOT" != "yes"; then
-@@ -21305,7 +21311,7 @@ $as_echo "#define HAVE_GSSAPI 1" >>confd
+@@ -21310,7 +21310,7 @@ $as_echo "#define HAVE_GSSAPI 1" >>confd
          LIBS="-lgss $LIBS"
          ;;
       *)
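
Review bot: this removes the fallback for krb5-config answering "Unknown option" to '--cflags gssapi', yet the description kept at the top of patch-aa still says that builtin krb5-config on platforms such as solaris does not support the gssapi option. Either confirm that configure in 7.43.0 handles this case itself and trim the description to match, or carry the fallback forward at the new offset; as submitted only the part around 'LIBS="-lgss $LIBS"' is left of the workaround.
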
@@ -43,12 +23,3 @@ the gssapi option, and need an explicit 
          ;;
       esac
    fi
-@@ -24264,7 +24270,7 @@ _ACEOF
-     { $as_echo "$as_me:${as_lineno-$LINENO}: result: $capath (capath)" >&5
- $as_echo "$capath (capath)" >&6; }
-   fi
--  if test "x$ca" == "xno" && test "x$capath" == "xno"; then
-+  if test "x$ca" = "xno" && test "x$capath" = "xno"; then
-     { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
- $as_echo "no" >&6; }
-   fi
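
Review bot: the '==' to '=' correction on the 'test "x$ca" ... && test "x$capath" ...' line is dropped without comment. '==' is not a POSIX test operator, so please check that configure in 7.43.0 no longer uses it at this spot; if it still does, keep this hunk with updated offsets instead of deleting it.
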
Index: patches/patch-lib_hostcheck.c
===================================================================
RCS file: /cvsroot/pkgsrc/www/curl/patches/patch-lib_hostcheck.c,v
retrieving revision 1.1
diff -p -u -r1.1 patch-lib_hostcheck.c
--- patches/patch-lib_hostcheck.c	31 Mar 2014 08:45:21 -0000	1.1
+++ patches/patch-lib_hostcheck.c	28 Jun 2015 19:09:04 -0000
@@ -3,9 +3,9 @@ $NetBSD: patch-lib_hostcheck.c,v 1.1 201
 Add missing header for DragonflyBSD.
 PR 48691 by David Shao.
 
---- lib/hostcheck.c.orig	2014-03-25 22:01:37.000000000 +0000
+--- lib/hostcheck.c.orig	2015-06-03 07:38:20.000000000 +0000
 +++ lib/hostcheck.c
-@@ -31,6 +31,13 @@
+@@ -34,6 +34,13 @@
  #include "inet_pton.h"
  
  #include "curl_memory.h"

