diff --git a/0042-curl-7.61.1-ssh-known-hosts.patch b/0042-curl-7.61.1-ssh-known-hosts.patch new file mode 100644 index 0000000000000000000000000000000000000000..02ad59201ac620cc53dc725e0e1f215d6fc688da --- /dev/null +++ b/0042-curl-7.61.1-ssh-known-hosts.patch @@ -0,0 +1,43 @@ +From 9ea407a0476d22cde575826c18b5aa56b57ac9b4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Felix=20H=C3=A4dicke?= +Date: Wed, 23 Jan 2019 23:10:39 +0100 +Subject: [PATCH] setopt: enable CURLOPT_SSH_KNOWNHOSTS and + CURLOPT_SSH_KEYFUNCTION for libssh + +CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION are supported for +libssh as well. So accepting these options only when compiling with +libssh2 is wrong here. + +Fixes #3493 +Closes #3494 + +Upstream-commit: 3cbf731d9ec7146f9f1a6ac0fbd9af7fe358f5bb +Signed-off-by: Kamil Dudka +--- + lib/setopt.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/lib/setopt.c b/lib/setopt.c +index b07ccfe..88a05ff 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2208,7 +2208,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + result = Curl_setstropt(&data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5], + va_arg(param, char *)); + break; +-#ifdef HAVE_LIBSSH2_KNOWNHOST_API ++ + case CURLOPT_SSH_KNOWNHOSTS: + /* + * Store the file name to read known hosts from. +@@ -2229,7 +2229,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, + */ + data->set.ssh_keyfunc_userp = va_arg(param, void *); + break; +-#endif /* HAVE_LIBSSH2_KNOWNHOST_API */ + #endif /* USE_LIBSSH2 */ + + case CURLOPT_HTTP_TRANSFER_DECODING: +-- +2.34.1 + diff --git a/curl.spec b/curl.spec index e4ae8fec58a523fb467f3aa0e4e395f89ac2143a..64d504a0bddcbd3300632854dab8f490fa441c53 100644 --- a/curl.spec +++ b/curl.spec @@ -2,7 +2,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.61.1 -Release: 22%{anolis_release}%{?dist}.4 +Release: 25%{anolis_release}%{?dist} License: MIT Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz @@ -119,6 +119,9 @@ Patch40: 0040-curl-7.61.1-CVE-2022-32208.patch # fix HTTP compression denial of service (CVE-2022-32206) Patch41: 0041-curl-7.61.1-CVE-2022-32206.patch +# setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION (#2063703) +Patch42: 0042-curl-7.61.1-ssh-known-hosts.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -343,6 +346,7 @@ sed -e 's|:8992/|:%{?__isa_bits}92/|g' -i tests/data/test97{3..6} %patch39 -p1 %patch40 -p1 %patch41 -p1 +%patch42 -p1 # make tests/*.py use Python 3 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py @@ -506,20 +510,19 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %doc docs/TheArtOfHttpScripting docs/TODO %changelog -* Thu Sep 22 2022 Weisson - 7.61.1-22.0.1.el8_6.4 +* Tue Jan 03 2023 Weisson - 7.61.1-25.0.1 - Add doc sub package -* Wed Jun 29 2022 Kamil Dudka - 7.61.1-22.el8_6.4 +* Wed Jun 29 2022 Kamil Dudka - 7.61.1-25 +- setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION (#2063703) - fix HTTP compression denial of service (CVE-2022-32206) - fix FTP-KRB bad message verification (CVE-2022-32208) -* Wed May 11 2022 Kamil Dudka - 7.61.1-22.el8_6.3 +* Wed May 11 2022 Kamil Dudka - 7.61.1-24 - fix too eager reuse of TLS and SSH connections (CVE-2022-27782) - -* Tue May 04 2022 Kamil Dudka - 7.61.1-22.el8_6.2 - fix invalid type in printf() argument detected by Coverity -* Thu Apr 28 2022 Kamil Dudka - 7.61.1-22.el8_6.1 +* Thu Apr 28 2022 Kamil Dudka - 7.61.1-23 - fix credential leak on redirect (CVE-2022-27774) - fix auth/cookie leak on redirect (CVE-2022-27776) - fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576) diff --git a/dist b/dist index 0ee7539a2292be885eb3a6caf1a4ee4666e5e99f..9c0e36ec42a2d9bfefacb21ac6354c9ddd910533 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an8_6 +an8