autofs
- autofs-5.1.3-revert-fix-argc-off-by-one-in-mount_aut.patch
  Fix off-by-one error in recursive map handling. (bsc#1209653)
avahi
- Add avahi-CVE-2023-1981.patch: emit error if requested service
  is not found (boo#1210328 CVE-2023-1981).
cloud-init
- Sensitive data exposure (bsc#1210277, CVE-2023-1786)
  + Add hidesensitivedata
  + Add cloud-init-cve-2023-1786-redact-inst-data.patch
  + Do not expose sensitive data gathered from the CSP
- Add cloud-init-log-file-mode.patch (bsc#1183939)
  + Change log file creation mode to 640
- Add cloud-init-no-pwd-in-log.patch (bsc#1184758, CVE-2021-3429)
  + Do not write the generated password to the log file
- Add cloud-init-purge-cache-py-ver-change.patch
- Add cloud-init-bonding-opts.patch (bsc#1184085)
  + Write proper bonding option configuration for SLE/openSUSE
- Fix application and inclusion of
  use_arroba_to_include_sudoers_directory-bsc_1181283.patchfix (bsc#1181283)
- Add use_arroba_to_include_sudoers_directory-bsc_1181283.patchfix (bsc#1181283)
  - Do not include sudoers.d directory twice
cloud-regionsrv-client
- Update to version 10.1.0 (bsc#1207133, bsc#1208097, bsc#1208099)
  - Removes a warning about system_token entry present in the credentials
  file.
  - Adds logrotate configuration for log rotation.
cronie
- Let systemd finish jobs executed by cron after it gets killed, bsc#1211066
  * cron.service
cups
- cups-1.7.5-CVE-2023-32324.patch fixes CVE-2023-32324
  "Heap buffer overflow in cupsd"
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7
  bsc#1211643
curl
- Security fixes:
  * [bsc#1211230, CVE-2023-28319] use-after-free in SSH sha256
    fingerprint check.
  - Add curl-CVE-2023-28319.patch
  * [bsc#1211231, CVE-2023-28320] siglongjmp race condition
  - Add curl-CVE-2023-28320.patch
  * [bsc#1211232, CVE-2023-28321] IDN wildcard matching
  - Add curl-CVE-2023-28321.patch
  * [bsc#1211233, CVE-2023-28322] POST-after-PUT confusion
  - Add curl-CVE-2023-28322.patch
- Update to 8.0.1: [jsc#PED-2580]
  * Remove the curl-mini package and associated files:
  - curl-mini.changes curl-mini.spec pre_checkin.sh
  * Rebase curl-use_DEFAULT_SUSE_cipher.patch
  * Remove patches fixed in the update:
  - curl-check-content-type.patch
  - curl-fix-O_APPEND.patch
  - curl-libssh-socket.patch
  - curl-X509_V_FLAG_PARTIAL_CHAIN.patch
  - curl-CVE-2018-0500.patch curl-CVE-2018-14618.patch
  - curl-CVE-2018-16839.patch curl-CVE-2018-16840.patch
  - curl-CVE-2018-16842.patch curl-CVE-2018-16890.patch
  - curl-CVE-2019-3822.patch curl-CVE-2019-3823.patch
  - curl-CVE-2019-5436.patch curl-CVE-2019-5481.patch
  - curl-CVE-2019-5482.patch curl-CVE-2020-8177.patch
  - curl-CVE-2020-8231.patch curl-CVE-2020-8284.patch
  - curl-CVE-2020-8285.patch curl-CVE-2020-8286.patch
  - curl-CVE-2021-22876.patch curl-CVE-2021-22876-URL-API.patch
  - curl-CVE-2021-22898.patch curl-CVE-2021-22924.patch
  - curl-CVE-2021-22925.patch curl-CVE-2021-22946.patch
  - curl-CVE-2021-22947.patch curl-CVE-2023-27534-dynbuf.patch
  - curl-CVE-2022-22576.patch curl-CVE-2022-27776.patch
  - curl-CVE-2022-27781.patch curl-CVE-2022-27782.patch
  - curl-CVE-2022-32206.patch curl-CVE-2022-32208.patch
  - curl-CVE-2022-32221.patch curl-CVE-2022-35252.patch
  - curl-CVE-2022-43552.patch curl-CVE-2023-23916.patch
  - curl-CVE-2023-27533.patch curl-CVE-2023-27533-no-sscanf.patch
  - curl-CVE-2023-27534.patch curl-CVE-2023-27535.patch
  - curl-CVE-2023-27536.patch curl-CVE-2023-27538.patch
- Update to 8.0.1:
  * Bugfixes:
  - fix crash in curl_easy_cleanup
- Update to 8.0.0:
  * Security fixes:
  - TELNET option IAC injection [bsc#1209209, CVE-2023-27533]
  - SFTP path ~ resolving discrepancy [bsc#1209210, CVE-2023-27534]
  - FTP too eager connection reuse [bsc#1209211, CVE-2023-27535]
  - GSS delegation too eager connection re-use [bsc#1209212, CVE-2023-27536]
  - HSTS double-free [bsc#1209213, CVE-2023-27537]
  - SSH connection too eager reuse still [bsc#1209214, CVE-2023-27538]
  * Changes:
  - build: remove support for curl_off_t < 8 bytes
  * Bugfixes:
  - aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3
  - BINDINGS: add Fortran binding
  - cf-socket: use port 80 when resolving name for local bind
  - cookie: don't load cookies again when flushing
  - curl_path: create the new path with dynbuf
  - CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe
  - DYNBUF.md: note Curl_dyn_add* calls Curl_dyn_free on failure
  - ftp: active mode with SSL, add the filter
  - hostip: avoid sscanf and extra buffer copies
  - http2: fix for http2-prior-knowledge when reusing connections
  - http2: fix handling of RST and GOAWAY to recognize partial transfers
  - http: don't send 100-continue for short PUT requests
  - http: fix unix domain socket use in https connects
  - libssh: use dynbuf instead of realloc
  - ngtcp2-gnutls.yml: bump to gnutls 3.8.0
  - sectransp: make read_cert() use a dynbuf when loading
  - telnet: only accept option arguments in ascii
  - telnet: parse telnet options without sscanf
  - url: fix the SSH connection reuse check
  - url: only reuse connections with same GSS delegation
  - urlapi: '%' is illegal in host names
  - ws: keep the socket non-blocking
  * Rebase libcurl-ocloexec.patch
- Security fixes:
  * [bsc#1209209, CVE-2023-27533] TELNET option IAC injection
    Add curl-CVE-2023-27533-no-sscanf.patch curl-CVE-2023-27533.patch
  * [bsc#1209210, CVE-2023-27534] SFTP path ~ resolving discrepancy
    Add curl-CVE-2023-27534.patch curl-CVE-2023-27534-dynbuf.patch
  * [bsc#1209211, CVE-2023-27535] FTP too eager connection reuse
    Add curl-CVE-2023-27535.patch
  * [bsc#1209212, CVE-2023-27536] GSS delegation too eager connection re-use
    Add curl-CVE-2023-27536.patch
  * [bsc#1209214, CVE-2023-27538] SSH connection too eager reuse still
    Add curl-CVE-2023-27538.patch
- Update to 7.88.1:
  * Bugfix release
- Drop upstreamed patch:
  * curl-fix-uninitialized-value-in-tests.patch
- Update to 7.88.0: [bsc#1207990, CVE-2023-23914]
  [bsc#1207991, CVE-2023-23915] [bsc#1207992, CVE-2023-23916]
  * Security fixes:
  - CVE-2023-23914: HSTS ignored on multiple requests
  - CVE-2023-23915: HSTS amnesia with --parallel
  - CVE-2023-23916: HTTP multi-header compression denial of service
  * Changes:
  - curl.h: add CURL_HTTP_VERSION_3ONLY
  - share: add sharing of HSTS cache among handles
  - src: add --http3-only
  - tool_operate: share HSTS between handles
  - urlapi: add CURLU_PUNYCODE
  - writeout: add %{certs} and %{num_certs}
  * Bugfixes:
  - cf-socket: keep sockaddr local in the socket filters
  - cfilters:Curl_conn_get_select_socks: use the first non-connected filter
  - curl.h: allow up to 10M buffer size
  - curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
  - curl/websockets.h: extend the websocket frame struct
  - curl: output warning at --verbose output for debug-enabled version
  - curl_free.3: fix return type of `curl_free`
  - curl_log: for failf/infof and debug logging implementations
  - dict: URL decode the entire path always
  - docs/DEPRECATE.md: deprecate gskit
  - easyoptions: fix header printing in generation script
  - haproxy: send before TLS handshake
  - hsts.d: explain hsts more
  - hsts: handle adding the same host name again
  - HTTP/[23]: continue upload when state.drain is set
  - http: decode transfer encoding first
  - http_aws_sigv4: remove typecasts from HMAC_SHA256 macro
  - http_proxy: do not assign data->req.p.http use local copy
  - lib: connect/h2/h3 refactor
  - libssh2: try sha2 algos for hostkey methods
  - md4: fix build with GnuTLS + OpenSSL v1
  - ngtcp2: replace removed define and stop using removed function
  - noproxy: support for space-separated names is deprecated
  - nss: implement data_pending method
  - openldap: fix missing sasl symbols at build in specific configs
  - openssl: adapt to boringssl's error code type
  - openssl: don't ignore CA paths when using Windows CA store (redux)
  - openssl: don't log raw record headers
  - openssl: make the BIO_METHOD a local variable in the connection filter
  - openssl: only use CA_BLOB if verifying peer
  - openssl: remove attached easy handles from SSL instances
  - openssl: store the CA after first send (ClientHello)
  - setopt: use >, not >=, when checking if uarg is larger than uint-max
  - smb: return error on upload without size
  - socketpair: allow localhost MITM sniffers
  - strdup: name it Curl_strdup
  - tool_getparam: fix hiding of command line secrets
  - tool_operate: fix error codes on bad URL & OOM
  - tool_operate: repair --rate
  - transfer: break the read loop when RECV is cleared
  - typecheck: accept expressions for option/info parameters
  - urlapi: avoid Curl_dyn_addf() for hex outputs
  - urlapi: skip path checks if path is just "/"
  - urlapi: skip the extra dedotdot alloc if no dot in path
  - urldata: cease storing TLS auth type
  - urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP
  - urldata: make set.http200aliases conditional on HTTP being present
  - urldata: move the cookefilelist to the 'set' struct
  - urldata: remove unused struct fields, made more conditional
  - vquic: stabilization and improvements
  - vtls: fix hostname handling in filters
  - vtls: manage current easy handle in nested cfilter calls
  - vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used
  * Rebase libcurl-ocloexec.patch
  * Fix regression tests: f1d09231adfc695d15995b9ef2c8c6e568c28091
  - runtests: fix "uninitialized value $port"
  - Add curl-fix-uninitialized-value-in-tests.patch
- Update to 7.87.0:
  * Security fixes:
  - CVE-2022-43551, bsc#1206308: another HSTS bypass via IDN
  - CVE-2022-43552, bsc#1206309: HTTP Proxy deny use-after-free
  * Changes
  - curl: add --url-query
  - CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit
  - lib: add CURL_WRITEFUNC_ERROR to signal write callback error
  - openssl: reduce CA certificate bundle reparsing by caching
  - version: add a feature names array to curl_version_info_data
  * Bugfixes
  - altsvc: fix rejection of negative port numbers
  - aws_sigv4: consult x-%s-content-sha256 for payload hash
  - aws_sigv4: fix typos in aws_sigv4.c
  - base64: better alloc size
  - base64: encode without using snprintf
  - base64: faster base64 decoding
  - build: assume assert.h is always available
  - build: assume errno.h is always available
  - c-hyper: CONNECT responses are not server responses
  - c-hyper: fix multi-request mechanism
  - CI: Change FreeBSD image from 12.3 to 12.4
  - CI: LGTM.com will be shut down in December 2022
  - ci: Remove zuul fuzzing job as it's superseded by CIFuzz
  - cmake: check for cross-compile, not for toolchain
  - CMake: fix build with `CURL_USE_GSSAPI`
  - cmake: really enable warnings with clang
  - cmake: set the soname on the shared library
  - cmdline-opts/gen.pl: fix the linkifier
  - cmdline-opts/page-footer: remove long option nroff formatting
  - config-mac: define HAVE_SYS_IOCTL_H
  - config-mac: fix typo: size_T -> size_t
  - config-mac: remove HAVE_SYS_SELECT_H
  - config-win32: fix SIZEOF_OFF_T for MSVC and old MinGW
  - configure: require fork for NTLM-WB
  - contributors.sh: actually use $CURLWWW instead of just setting it
  - cookie: compare cookie prefixes case insensitively
  - cookie: expire cookies at once when max-age is negative
  - cookie: open cookie jar as a binary file
  - curl-openssl.m4: do not add $prefix/include/openssl to CPPFLAGS
  - curl-rustls.m4: on macOS, rustls also needs the Security framework
  - curl.h: include <sys/select.h> on SerenityOS
  - curl.h: name all public function parameters
  - curl.h: reword comment to not use deprecated option
  - curl: override the numeric locale and set "C" by force
  - curl: timeout in the read callback
  - curl_endian: remove Curl_write64_le from header
  - curl_get_line: allow last line without newline char
  - curl_path: do not add '/' if homedir ends with one
  - curl_url_get.3: remove spurious backtick
  - curl_url_set.3: document CURLU_DISALLOW_USER
  - curl_url_set.3: fix typo
  - CURLMOPT_SOCKETFUNCTION.3: clarify CURL_POLL_REMOVE
  - CURLOPT_COOKIEFILE.3: advice => advise
  - CURLOPT_DEBUGFUNCTION.3: do not assume nul-termination in example
  - CURLOPT_DEBUGFUNCTION.3: emphasize that incoming data is "raw"
  - CURLOPT_POST.3: Explain setting to 0 changes request type
  - docs/curl_ws_send: Fixed typo in websocket docs
  - docs/EARLY-RELEASE.md: how to determine an early release
  - docs/examples: spell correction ('Retrieve')
  - docs/INSTALL.md: expand on static builds
  - docs/WEBSOCKET.md: explain the URL use
  - docs: add missing parameters for --retry flag
  - docs: add more "SEE ALSO" links to CA related pages
  - docs: explain the noproxy CIDR notation support
  - docs: extend the dump-header documentation
  - docs: remove performance note in CURLOPT_SSL_VERIFYPEER
  - examples/10-at-a-time: fix possible skipped final transfers
  - examples: update descriptions
  - ftp: support growing files with CURLOPT_IGNORE_CONTENT_LENGTH
  - gen.pl: do not generate CURLHELP bitmask lines > 79 characters
  - GHA: clarify workflows permissions, set least possible privilege
  - GHA: NSS use clang instead of clang-9
  - gnutls: use common gnutls init and verify code for ngtcp2
  - headers: add endif comments
  - HTTP-COOKIES.md: mention that http://localhost is a secure context
  - HTTP-COOKIES.md: update the 6265bis link to draft-11
  - http: do not send PROXY more than once
  - http: fix the ::1 comparison for IPv6 localhost for cookies
  - http: set 'this_is_a_follow' in the Location: logic
  - http: use the IDN decoded name in HSTS checks
  - hyper: classify headers as CONNECT and 1XX
  - hyper: fix handling of hyper_task's when reusing the same address
  - idn: remove Curl_win32_ascii_to_idn
  - INSTALL: update operating systems and CPU archs
  - KNOWN_BUGS: remove eight entries
  - lib1560: add some basic IDN host name tests
  - lib: connection filters (cfilter) addition to curl:
  - lib: feature deprecation warnings in gcc >= 4.3
  - lib: fix some type mismatches and remove unneeded typecasts
  - lib: parse numbers with fixed known base 10
  - lib: remove bad set.opt_no_body assignments
  - lib: rewind BEFORE request instead of AFTER previous
  - lib: sync guard for Curl_getaddrinfo_ex() definition and use
  - lib: use size_t or int etc instead of longs
  - libcurl-errors.3: remove duplicate word
  - libssh2: return error when ssh_hostkeyfunc returns error
  - limit-rate.d: see also --rate
  - log2changes.pl: wrap long lines at 80 columns
  - Makefile.mk: address minor issues
  - Makefile.mk: improve a GNU Make hack
  - Makefile.mk: portable Makefile.m32
  - maketgz: set the right version in lib/libcurl.plist
  - mime: relax easy/mime structures binding
  - misc: Fix incorrect spelling
  - misc: remove duplicated include files
  - misc: typo and grammar fixes
  - negtelnetserver.py: have it call its close() method
  - netrc.d: provide mutext info
  - netware: remove leftover traces
  - noproxy: also match with adjacent comma
  - noproxy: guard against empty hostnames in noproxy check
  - noproxy: tailmatch like in 7.85.0 and earlier
  - nroff-scan.pl: detect double highlights
  - ntlm: improve comment for encrypt_des
  - ntlm: silence ubsan warning about copying from null target_info pointer
  - openssl/mbedtls: use %d for outputting port with failf (int)
  - openssl: prefix errors with '[lib]/[version]: '
  - os400: use platform socklen_t in Curl_getnameinfo_a
  - page-header: grammar improvement (display transfer rate)
  - proxy: refactor haproxy protocol handling as connection filter
  - README.md: remove badges and xmas-tree garnish
  - rtsp: fix RTSP auth
  - runtests: --no-debuginfod now disables DEBUGINFOD_URLS
  - runtests: do CRLF replacements per section only
  - scripts/checksrc.pl: detect duplicated include files
  - sendf: change Curl_read_plain to wrap Curl_recv_plain
  - sendf: remove unnecessary if condition
  - setup: do not require __MRC__ defined for Mac OS 9 builds
  - smb/telnet: do not free the protocol struct in *_done()
  - socks: fix username max size is 255 (0xFF)
  - spellcheck.words: remove 'github' as an accepted word
  - ssl-reqd.d: clarify that this is for upgrading connections only
  - strcase: use curl_str(n)equal for case insensitive matches
  - styled-output.d: this option does not work on Windows
  - system.h: fix socklen_t, curl_off_t, long long for Classic Mac OS
  - system.h: support 64-bit curl_off_t for NonStop 32-bit
  - test1421: fix typo
  - test3026: reduce runtime in legacy mingw builds
  - tests/sshserver.pl: re-enable ssh-rsa while using openssh 8.8+
  - tests: add authorityInfoAccess to generated certs
  - tests: add HTTP/3 test case, custom location for proper nghttpx
  - tls: backends use connection filters for IO, enabling HTTPS-proxy
  - tool: determine the correct fopen option for -D
  - tool_cfgable: free the ssl_ec_curves on exit
  - tool_cfgable: make socks5_gssapi_nec a boolean
  - tool_formparse: avoid clobbering on function params
  - tool_getparam: make --no-get work as the opposite of --get
  - tool_operate: provide better errmsg for -G with bad URL
  - tool_operate: when aborting, make sure there is a non-NULL error buffer
  - tool_paramhlp: free the proto strings on exit
  - url: move back the IDN conversion of proxy names
  - urlapi: reject more bad letters from the host name: &+()
  - urldata: change port num storage to int and unsigned short
  - vms: remove SIZEOF_SHORT
  - vtls: fix build without proxy support
  - vtls: localization of state data in filters
  - WEBSOCKET.md: fix broken link
  - Websocket: fixes for partial frames and buffer updates
  - websockets: fix handling of partial frames
  - windows: fail early with a missing windres in autotools
  - windows: fix linking .rc to shared curl with autotools
  - winidn: drop WANT_IDN_PROTOTYPES
  - ws: if no connection is around, return error
  - ws: return CURLE_NOT_BUILT_IN when websockets not built in
  - x509asn1: avoid freeing unallocated pointers
- Add 1.50.0 as the minimum libnghttp2 build requirement version as
  a bandaid. Curl's 7.86.0 release introduces the use of
  nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation,
  introduced by the nghttp2 1.50.0 release, without introducing a check
  for the function/right version in their build scripts. This will
  make Zypper/cURL unusable in some corner cases where users
  install something that requires libcurl4 before doing a full
  system upgrade, thus updating the cURL stack, but not
  libnghttp2's. Background: boo#1204983, Factory mailing list
  thread:
  "? broken dependency in curl and/or *zyp* ?", and forums thread:
  Curl-is-broken-after-an-update-which-subsequently-breaks-zypper.
- Update to 7.86.0:
  * Security fixes:
  - POST following PUT confusion [bsc#1204383, CVE-2022-32221]
  - .netrc parser out-of-bounds access [bsc#1204384, CVE-2022-35260]
  - HTTP proxy double-free [bsc#1204385, CVE-2022-42915]
  - HSTS bypass via IDN [bsc#1204386, CVE-2022-42916]
  * Changes:
  - NPN: remove support for and use of
  - Websockets: initial support
  * Bugfixes:
  - altsvc: reject bad port numbers
  - autotools: reduce brute-force when detecting recv/send arg list
  - aws_sigv4: fix header computation
  - cli tool: do not use disabled protocols
  - connect: change verbose IPv6 address:port to [address]:port
  - connect: fix builds without AF_INET6
  - connect: fix Curl_updateconninfo for TRNSPRT_UNIX
  - connect: fix the wrong error message on connect failures
  - content_encoding: use writer struct subclasses for different encodings
  - cookie: reject cookie names or content with TAB characters
  - curl/add_file_name_to_url: use the libcurl URL parser
  - curl/get_url_file_name: use libcurl URL parser
  - curl: warn for --ssl use, considered insecure
  - docs/libcurl/symbols-in-versions: add several missing symbols
  - ftp: ignore a 550 response to MDTM
  - functypes: provide the recv and send arg and return types
  - getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled
  - header: define public API functions as extern c
  - headers: reset the requests counter at transfer start
  - hostip: guard PF_INET6 use
  - hostip: lazily wait to figure out if IPv6 works until needed
  - http, vauth: always provide Curl_allow_auth_to_host() functionality
  - http2: make nghttp2 less picky about field whitespace
  - http: try parsing Retry-After: as a number first
  - http_proxy: restore the protocol pointer on error
  - lib: add missing limits.h includes
  - lib: prepare the incoming of additional protocols
  - lib: sanitize conditional exclusion around MIME
  - libssh: if sftp_init fails, don't get the sftp error code
  - mprintf: reject two kinds of precision for the same argument
  - mqtt: return error for too long topic
  - netrc: compare user name case sensitively
  - netrc: replace fgets with Curl_get_line
  - netrc: use the URL-decoded user
  - ngtcp2: fix build errors due to changes in ngtcp2 library
  - noproxy: support proxies specified using cidr notation
  - openssl: make certinfo available for QUIC
  - resolve: make forced IPv4 resolve only use A queries
  - schannel: ban server ALPN change during recv renegotiation
  - schannel: don't reset recv/send function pointers on renegotiation
  - schannel: when importing PFX, disable key persistence
  - setopt: use the handler table for protocol name to number conversions
  - setopt: when POST is set, reset the 'upload' field
  - single_transfer: use the libcurl URL parser when appending query parts
  - smb: replace CURL_WIN32 with WIN32
  - tool: avoid generating ambiguous escaped characters in --libcurl
  - tool_main: exit at once if out of file descriptors
  - tool_operate: more transfer cleanup after parallel transfer fail
  - tool_operate: prevent over-queuing in parallel mode
  - tool_paramhelp: asserts verify maximum sizes for string loading
  - tool_xattr: save the original URL, not the final redirected one
  - url: a zero-length userinfo part in the URL is still a (blank) user
  - url: allow non-HTTPS HSTS-matching for debug builds
  - url: rename function due to name-clash in Watt-32
  - url: use IDN decoded names for HSTS checks
  - urlapi: detect scheme better when not guessing
  - urlapi: fix parsing URL without slash with CURLU_URLENCODE
  - urlapi: reject more bad characters from the host name field
  * Remove patch upstream:
  - connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
- Update connection info when using UNIX socket as endpoint
  connect-fix-Curl_updateconninfo-for-TRNSPRT_UNIX.patch
- Change the deprecated configure option --enable-hidden-symbols
  to the new --enable-symbol-hiding.
- Update to 7.85.0:
  * Security fixes: [bsc#1202593, CVE-2022-35252]
  - control code in cookie denial of service
  * Changes:
  - quic: add support via wolfSSL
  - schannel: Add TLS 1.3 support
  - setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR
  * Bugfixes:
  - asyn-thread: fix socket leak on OOM
  - asyn-thread: make getaddrinfo_complete return CURLcode
  - base64: base64url encoding has no padding
  - configure: fix broken m4 syntax in TLS options
  - configure: if asked to use TLS, fail if no TLS lib was detected
  - connect: add quic connection information
  - connect: set socktype/protocol correctly
  - cookie: reject cookies with "control bytes"
  - cookie: treat a blank domain in Set-Cookie: as non-existing
  - curl: output warning when a cookie is dropped due to size
  - Curl_close: call Curl_resolver_cancel to avoid memory-leak
  - digest: fix memory leak, fix not quoted 'opaque'
  - digest: fix missing increment of 'nc' value for auth-int
  - digest: pass over leading spaces in qop values
  - digest: reject broken header with session protocol but without qop
  - doh: use https protocol by default
  - easy_lock.h: include sched.h if available to fix build
  - easy_lock.h: use __asm__ instead of asm to fix build
  - easy_lock: switch to using atomic_int instead of bool
  - ftp: use a correct expire ID for timer expiry
  - h2h3: fix overriding the 'TE: Trailers' header
  - hostip: resolve *.localhost to 127.0.0.1/::1
  - HTTP3.md: update to msh3 v0.4.0
  - hyper: use wakers for curl pause/resume
  - lib3026: reduce the number of threads to 100
  - libssh2: make atime/mtime date overflow return error
  - libssh2: provide symlink name in SFTP dir listing
  - multi: have curl_multi_remove_handle close CONNECT_ONLY transfer
  - multi: use larger dns hash table for multi interface
  - multi_wait: fix skipping to populate revents for extra_fds
  - netrc: Use the password from lines without login
  - ngtcp2: Fix build error due to change in nghttp3 prototypes
  - ngtcp2: fix stall or busy loop on STOP_SENDING with upload data
  - ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks
  - openssl: add 'CURL_BORINGSSL_VERSION' to identify BoringSSL
  - openssl: add cert path in error message
  - openssl: add details to "unable to set client certificate" error
  - openssl: fix BoringSSL symbol conflicts with LDAP and Schannel
  - select: do not return fatal error on EINTR from poll()
  - sendf: fix paused header writes since after the header API
  - sendf: skip storing HTTP headers if HTTP disabled
  - url: really use the user provided in the url when netrc entry exists
  - url: reject URLs with hostnames longer than 65535 bytes
  - url: treat missing usernames in netrc as empty
  - urldata: reduce size of several struct fields
  - vtls: make Curl_ssl_backend() return the enum type curl_sslbackend
  * Remove tests-for-32bit.patch fixed in the update
  * Rebase libcurl-ocloexec.patch
- add tests-for-32bit.patch to fix testsuite on 32bit platforms
- Update to 7.84.0:
  * Security fixes:
  - (bsc#1200737, CVE-2022-32208): FTP-KRB bad message verification
  - (bsc#1200736, CVE-2022-32207): Unpreserved file permissions
  - (bsc#1200735, CVE-2022-32206): HTTP compression denial of service
  - (bsc#1200734, CVE-2022-32205): Set-Cookie denial of service
  * Changes:
  - curl: add --rate to set max request rate per time unit
  - curl: deprecate --random-file and --egd-file
  - curl_version_info: add CURL_VERSION_THREADSAFE
  - CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl
  - lib: make curl_global_init() threadsafe when possible
  - libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION
  - opts: deprecate RANDOM_FILE and EGDSOCKET
  - socks: support unix sockets for socks proxy
  * Bugfixes:
  - aws-sigv4: fix potential NULL pointer arithmetic
  - bindlocal: don't use a random port if port number would wrap
  - c-hyper: mark status line as status for Curl_client_write()
  - ci: avoid `cmake -Hpath`
  - CI: bump FreeBSD 13.0 to 13.1
  - ci: update github actions
  - cmake: add libpsl support
  - cmake: do not add libcurl.rc to the static libcurl library
  - cmake: enable curl.rc for all Windows targets
  - cmake: fix detecting libidn2
  - cmake: support adding a suffix to the OS value
  - configure: skip libidn2 detection when winidn is used
  - configure: use the SED value to invoke sed
  - configure: warn about rustls being experimental
  - content_encoding: return error on too many compression steps
  - cookie: address secure domain overlay
  - cookie: apply limits
  - copyright.pl: parse and use .reuse/dep5 for skips
  - copyright: make repository REUSE compliant
  - curl.1: add a few see also --tls-max
  - curl.1: mention exit code zero too
  - curl: re-enable --no-remote-name
  - curl_easy_pause.3: remove explanation of progress function
  - curl_getdate.3: document that some illegal dates pass through
  - Curl_parsenetrc: don't access local pwbuf outside of scope
  - curl_url_set.3: clarify by default using known schemes only
  - CURLOPT_ALTSVC.3: document the file format
  - CURLOPT_FILETIME.3: fix the protocols this works with
  - CURLOPT_HTTPHEADER.3: improve comment in example
  - CURLOPT_NETRC.3: document the .netrc file format
  - CURLOPT_PORT.3: We discourage using this option
  - CURLOPT_RANGE.3: remove ranged upload advice
  - digest: added detection of more syntax error in server headers
  - digest: tolerate missing "realm"
  - digest: unquote realm and nonce before processing
  - DISABLED: disable 1021 for hyper again
  - docs/cmdline-opts: add copyright and license identifier to each file
  - docs/CONTRIBUTE.md: document the 'needs-votes' concept
  - docs: clarify data replacement policy for MIME API
  - doh: remove UNITTEST macro definition
  - examples/crawler.c: use the curl license
  - examples: remove fopen.c and rtsp.c
  - FAQ: Clarify Windows double quote usage
  - fopen: add Curl_fopen() for better overwriting of files
  - ftp: restore protocol state after http proxy CONNECT
  - ftp: when failing to do a secure GSSAPI login, fail hard
  - GHA/hyper: enable debug in the build
  - gssapi: improve handling of errors from gss_display_status
  - gssapi: initialize gss_buffer_desc strings
  - headers api: remove EXPERIMENTAL tag
  - http2: always debug print stream id in decimal with %u
  - http2: reject overly many push-promise headers
  - http: restore header folding behavior
  - hyper: use 'alt-used'
  - krb5: return error properly on decode errors
  - lib: make more protocol specific struct fields #ifdefed
  - libcurl-security.3: add "Secrets in memory"
  - libcurl-security.3: document CRLF header injection
  - libssh: skip the fake-close when libssh does the right thing
  - links: update dead links to the curl-wiki
  - log2changes: do not indent empty lines [ci skip]
  - macos9: remove partial support
  - Makefile.am: fix portability issues
  - Makefile.m32: delete obsolete options, improve -On [ci skip]
  - Makefile.m32: delete two obsolete OpenSSL options [ci skip]
  - Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip]
  - max-time.d: clarify max-time sets max transfer time
  - mprintf: ignore clang non-literal format string
  - netrc: check %USERPROFILE% as well on Windows
  - netrc: support quoted strings
  - ngtcp2: allow curl to send larger UDP datagrams
  - ngtcp2: correct use of ngtcp2 and nghttp3 signed integer types
  - ngtcp2: enable Linux GSO
  - ngtcp2: extend QUIC transport parameters buffer
  - ngtcp2: fix alert_read_func return value
  - ngtcp2: fix typo in preprocessor condition
  - ngtcp2: handle error from ngtcp2_conn_submit_crypto_data
  - ngtcp2: send appropriate connection close error code
  - ngtcp2: support boringssl crypto backend
  - ngtcp2: use helper funcs to simplify TLS handshake integration
  - ntlm: provide a fixed fake host name
  - projects: fix third-party SSL library build paths for Visual Studio
  - quic: add Curl_quic_idle
  - quiche: support ca-fallback
  - rand: stop detecting /dev/urandom in cross-builds
  - remote-name.d: mention --output-dir
  - runtests.pl: add the --repeat parameter to the --help output
  - runtests: fix skipping tests not done event-based
  - runtests: skip starting the ssh server if user name is lacking
  - scripts/copyright.pl: fix the exclusion to not ignore man pages
  - sectransp: check for a function defined when __BLOCKS__ is undefined
  - select: return error from "lethal" poll/select errors
  - server/sws: support spaces in the HTTP request path
  - speed-limit/time.d: mention these affect transfers in either direction
  - strcase: some optimisations
  - test 2081: add a valid reply for the second request
  - test 675: add missing CR so the test passes when run through Privoxy
  - test414: add the '--resolve' keyword
  - test681: verify --no-remote-name
  - tests 266, 116 and 1540: add a small write delay
  - tests/data/test1501: kill ftp server after slow LIST response
  - tests/getpart: fix getpartattr to work with "data" and "data2"
  - tests/server/sws.c: change the HTTP writedelay unit to milliseconds
  - test{440,441,493,977}: add "HTTP proxy" keywords
  - tool_getparam: fix --parallel-max maximum value constraint
  - tool_operate: make sure --fail-with-body works with --retry
  - transfer: fix potential NULL pointer dereference
  - transfer: maintain --path-as-is after redirects
  - transfer: upload performance; avoid tiny send
  - url: free old conn better on reuse
  - url: remove redundant #ifdefs in allocate_conn()
  - url: URL encode the path when extracted, if spaces were set
  - urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts
  - urlapi: support CURLU_URLENCODE for curl_url_get()
  - urldata: reduce size of a few struct fields
  - urldata: remove three unused booleans from struct UserDefined
  - urldata: store tcp_keepidle and tcp_keepintvl as ints
  - version: allow stricmp() for sorting the feature list
  - vtls: make curl_global_sslset thread-safe
  - wolfssh.h: removed
  - wolfssl: correct the failf() message when a handle can't be made
  - wolfSSL: explicitly use compatibility layer
  - x509asn1: mark msnprintf return as unchecked
- Update to 7.83.1:
  * Security fixes:
  - (bsc#1199225, CVE-2022-30115) HSTS bypass via trailing dot
  - (bsc#1199224, CVE-2022-27782) TLS and SSH connection too eager reuse
  - (bsc#1199223, CVE-2022-27781) CERTINFO never-ending busy-loop
  - (bsc#1199222, CVE-2022-27780) percent-encoded path separator in URL host
  - (bsc#1199221, CVE-2022-27779) cookie for trailing dot TLD
  - (bsc#1199220, CVE-2022-27778) removes wrong file on error
  * Bugfixes:
  - altsvc: fix host name matching for trailing dots
  - cirrus: Update to FreeBSD 12.3
  - cirrus: Use pip for Python packages on FreeBSD
  - conn: fix typo 'connnection' -> 'connection' in two function names
  - cookies: make bad_domain() not consider a trailing dot fine
  - curl: free resource in error path
  - curl: guard against size_t wraparound in no-clobber code
  - CURLOPT_DOH_URL.3: mention the known bug
  - CURLOPT_HSTS*FUNCTION.3: document the involved structs as well
  - CURLOPT_SSH_AUTH_TYPES.3: fix the default
  - data/test376: set a proper name
  - GHA/mbedtls: enabled nghttp2 in the build
  - gha: build msh3
  - gskit: fixed bogus setsockopt calls
  - gskit: remove unused function set_callback
  - hsts: ignore trailing dots when comparing hosts names
  - HTTP-COOKIES: add missing CURLOPT_COOKIESESSION
  - http: move Curl_allow_auth_to_host()
  - http_proxy/hyper: handle closed connections
  - hyper: fix test 357
  - Makefile: fix "make ca-firefox"
  - mbedtls: bail out if rng init fails
  - mbedtls: fix compile when h2-enabled
  - mbedtls: fix some error messages
  - misc: use "autoreconf -fi" instead of buildconf
  - msh3: get msh3 version from MsH3Version
  - msh3: print boolean value as text representation
  - msh3: pass remote_port to MsH3ConnectionOpen
  - ngtcp2: add ca-fallback support for OpenSSL backend
  - nss: return error if seemingly stuck in a cert loop
  - openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl
  - post_per_transfer: remove the updated file name
  - sectransp: bail out if SSLSetPeerDomainName fails
  - tests/server: declare variable 'reqlogfile' static
  - tests: fix markdown formatting in README
  - test{898,974,976}: add 'HTTP proxy' keywords
  - tls: check more TLS details for connection reuse
  - url: check SSH config match on connection reuse
  - urlapi: address (harmless) UndefinedBehavior sanitizer warning
  - urlapi: reject percent-decoding host name into separator bytes
  - x509asn1: make do_pubkey handle EC public keys
- Patches rework:
  * Refreshed all patches as -p1.
  * Use autopatch macro.
  * Renamed:
  - dont-mess-with-rpmoptflags.diff -> dont-mess-with-rpmoptflags.patch
  * Removed (already upstream):
  - curl-fix-verifyhost.patch
- Update to 7.83.0:
  * Security fixes:
  - (bsc#1198766, CVE-2022-27776) Auth/cookie leak on redirect
  - (bsc#1198723, CVE-2022-27775) Bad local IPv6 connection reuse
  - (bsc#1198608, CVE-2022-27774) Credential leak on redirect
  - (bsc#1198614, CVE-2022-22576) OAUTH2 bearer bypass in connection re-use
  * Changes:
  - curl: add %header{name} experimental support in -w handling
  - curl: add %{header_json} experimental support in -w handling
  - curl: add --no-clobber
  - curl: add --remove-on-error
  - header api: add curl_easy_header and curl_easy_nextheader
  - msh3: add support for QUIC and HTTP/3 using msh3
  * Bugfixes:
  - appveyor: add Cygwin build
  - appveyor: only add MSYS2 to PATH where required
  - BearSSL: add CURLOPT_SSL_CIPHER_LIST support
  - BearSSL: add CURLOPT_SSL_CTX_FUNCTION support
  - BINDINGS.md: add Hollywood binding
  - CI: Do not use buildconf. Instead, just use: autoreconf -fi
  - CI: install Python package impacket to run SMB test 1451
  - configure.ac: move -pthread CFLAGS setting back where it used to be
  - configure: bump the copyright year range in the generated output
  - conncache: include the zone id in the "bundle" hashkey
  - conncache: remove duplicate connc->closure_handle check
  - connect: make Curl_getconnectinfo work with conn cache from share handle
  - connect: use TCP_KEEPALIVE only if TCP_KEEPIDLE is not defined
  - cookie.d: clarify when cookies are sent
  - cookies: improve errorhandling for reading cookiefile
  - curl/system.h: update ifdef condition for MCST-LCC compiler
  - curl: error out if -T and -d are used for the same URL
  - curl: error out when options need features not present in libcurl
  - curl: escape '?' in generated --libcurl code
  - curl: fix segmentation fault for empty output file names.
  - curl_easy_header: fix typos in documentation
  - CURLINFO_PRIMARY_PORT.3: clarify which port this is
  - CURLOPT*TLSAUTH.3: they only work with OpenSSL or GnuTLS
  - CURLOPT_DISALLOW_USERNAME_IN_URL.3: use uppercase URL
  - CURLOPT_PREQUOTE.3: only works for FTP file transfers, not dirs
  - CURLOPT_PROGRESSFUNCTION.3: fix typo in example
  - CURLOPT_UNRESTRICTED_AUTH.3: extended explanation
  - CURLSHOPT_UNLOCKFUNC.3: fix the callback prototype
  - docs/HYPER.md: updated to reflect current hyper build needs
  - docs/opts: Mention Schannel client cert type is P12
  - docs: Fix missing semicolon in example code
  - docs: lots of minor language polish
  - English: use American spelling consistently
  - fail.d: tweak the description
  - firefox-db2pem.sh: make the shell script safer
  - ftp: fix error message for partial file upload
  - gen.pl: change wording for mutexed options
  - GHA: add openssl3 jobs moved over from zuul
  - GHA: build hyper with nightly rustc
  - GHA: move bearssl jobs over from zuul
  - gha: move the event-based test over from Zuul
  - gtls: fix build for disabled TLS-SRP
  - http2: handle DONE called for the paused stream
  - http2: RST the stream if we stop it on our own will
  - http: avoid auth/cookie on redirects same host diff port
  - http: close the stream (not connection) on time condition abort
  - http: reject header contents with nul bytes
  - http: return error on colon-less HTTP headers
  - http: streamclose "already downloaded"
  - hyper: fix status_line() return code
  - hyper: fix tests 580 and 581 for hyper
  - hyper: no h2c support
  - infof: consistent capitalization of warning messages
  - ipv4/6.d: clarify that they are about using IP addresses
  - json.d: fix typo (overriden -> overridden)
  - keepalive-time.d: It takes many probes to detect brokenness
  - lib/warnless.[ch]: only check for WIN32 and ignore _WIN32
  - lib670: avoid double check result
  - lib: #ifdef on USE_HTTP2 better
  - lib: fix some misuse of curlx_convert_wchar_to_UTF8
  - lib: remove exclamation marks
  - libssh2: compare sha256 strings case sensitively
  - libssh2: make the md5 comparison fail if wrong length
  - libssh: fix build with old libssh versions
  - libssh: fix double close
  - libssh: Improve fix for missing SSH_S_ stat macros
  - libssh: unstick SFTP transfers when done event-based
  - macos: set .plist version in autoconf
  - mbedtls: remove 'protocols' array from backend when ALPN is not used
  - mbedtls: remove server_fd from backend
  - mk-ca-bundle.pl: Use stricter logic to process the certificates
  - mk-ca-bundle.vbs: delete this script in favor of mk-ca-bundle.pl
  - mlc_config.json: add file to ignore known troublesome URLs
  - mqtt: better handling of TCP disconnect mid-message
  - ngtcp2: add client certificate authentication for OpenSSL
  - ngtcp2: avoid busy loop in low CWND situation
  - ngtcp2: deal with sub-millisecond timeout
  - ngtcp2: disconnect the QUIC connection proper
  - ngtcp2: enlarge H3_SEND_SIZE
  - ngtcp2: fix HTTP/3 upload stall and avoid busy loop
  - ngtcp2: fix memory leak
  - ngtcp2: fix QUIC_IDLE_TIMEOUT
  - ngtcp2: make curl 1ms faster
  - ngtcp2: remove remote_addr which is not used in a meaningful way
  - ngtcp2: update to work after recent ngtcp2 updates
  - ngtcp2: use token when detecting :status header field
  - nonblock: restore setsockopt method to curlx_nonblock
  - openssl: check SSL_get_peer_cert_chain return value
  - openssl: enable CURLOPT_SSL_EC_CURVES with BoringSSL
  - openssl: fix CN check error code
  - options: remove mistaken space before paren in prototype
  - perl: removed a double semicolon at end of line
  - pop3/smtp: return *WEIRD_SERVER_REPLY when not understood
  - projects/README: converted to markdown
  - projects: Update VC version names for VS2017, VS2022
  - rtsp: don't let CSeq error override earlier errors
  - runtests: add 'bearssl' as testable feature
  - runtests: make 'oldlibssh' be before 0.9.4
  - schannel: remove dead code that will never run
  - scripts/copyright.pl: ignore the new mlc_config.json file
  - scripts: move three scripts from lib/ to scripts/
  - test1135: sync with recent API updates
  - test1459: disable for oldlibssh
  - test375: fix line endings on Windows
  - test386: Fix an incorrect test markup tag
  - test718: edited slightly to return better HTTP
  - tests/server/util.h: align WIN32 condition with util.c
  - tests: refactor server/socksd.c to support --unix-socket
  - timediff.[ch]: add curlx helper functions for timeval conversions
  - tls: make mbedtls and NSS check for h2, not nghttp2
  - tool and tests: force flush of all buffers at end of program
  - tool_cb_hdr: Turn the Location: into a terminal hyperlink
  - tool_getparam: error out on missing -K file
  - tool_listhelp.c: uppercase URL
  - tool_operate: fix a scan-build warning
  - tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3)
  - transfer: redirects to other protocols or ports clear auth
  - unit1620: call global_init before calling Curl_open
  - url: check sasl additional parameters for connection reuse.
  - vtls: provide a unified ALPN-disagree string for all backends
  - vtls: use a backend standard message for "ALPN: offers %s"
  - vtls: use a generic "ALPN, server accepted" message
  - winbuild/README.md: fixup dead link
  - winbuild: Add a Visual Studio example to the README
  - wolfssl: fix compiler error without IPv6
- Fix: openssl: fix CN check error code
  * Add curl-fix-verifyhost.patch
- Update to 7.82.0:
  * curl: add --json command line option
  * curl: make it so that sensitive command line arguments do not
    show as easily in the output of ps(1)
  * curl_multi_socket.3: remove callback and typical usage descriptions
  * ftp: provide error message for control bytes in path
  * ldap: return CURLE_URL_MALFORMAT for bad URL
  * lib: remove support for CURL_DOES_CONVERSIONS
  * mqtt: plug some memory leaks
  * multi: allow user callbacks to call curl_multi_assign
  * multi: remember connection_id before returning connection to pool
  * multi: set in_callback for multi interface callbacks
  * netware: remove support
  * ngtcp2: adapt to changed end of headers callback proto
  * openldap: implement SASL authentication
  * openssl: return error if TLS 1.3 is requested when not supported
  * sectransp: mark a 3DES cipher as weak
  * smb: pass socket for writing and reading data instead of FIRSTSOCKET
  * tool_getparam: DNS options that need c-ares now fail without it
  * TPF: drop support
  * url: given a user in the URL, find pwd for that user in netrc
  * url: keep trailing dot in host name
  * urlapi: handle "redirects" smarter
  * urldata: CONN_IS_PROXIED replaces bits.proxy when proxy can be disabled
  * urldata: remove conn->bits.user_passwd
- update to 7.81.0:
  * mime: use percent-escaping for multipart form field and file names
  * asyn-ares: ares_getaddrinfo needs no happy eyeballs timer
  * azure: make the "w/o HTTP/SMTP/IMAP" build disable SSL proper
  * BINDINGS: add cURL client for PostgreSQL
  * BINDINGS: add one from Everything curl and update a link
  * checksrc: detect more kinds of NULL comparisons we avoid
  * CI: build examples for additional code verification
  * CI: bump job to use mbedtls 3.1.0
  * cmake: don't set _USRDLL on a static Windows build
  * cmake: prevent dev warning due to mismatched arg
  * cmake: private identifiers use CURL_ instead of CMAKE_ prefix
  * config.d: update documentation to match the path search
  * configure: add -lm to configure for rustls build.
  * configure: better diagnostics if hyper is built wrong
  * configure: don't enable TLS when --without-* flags are used
  * configure: fix runtime-lib detection on macOS
  * curl.1: require "see also" for every documented option
  * curl: improve error message for --head with -J
  * curl_easy_cleanup.3: remove from multi handle first
  * curl_easy_escape.3: call curl_easy_cleanup in example
  * curl_easy_unescape.3: call curl_easy_cleanup in example
  * curl_multi_init.3: fix EXAMPLE formatting
  * curl_multi_perform/socket_action.3: clarify what errors mean
  * curl_share_setopt.3: split out options into their own manpages
  * CURLOPT_STDERR.3: does not work with libcurl as a win32 DLL
  * digest: compute user:realm:pass digest w/o userhash
  * docs/checksrc: Add documentation for STRERROR
  * docs/cmdline-opts: do not say "protocols: all"
  * docs/examples: workaround broken -Wno-pedantic-ms-format
  * docs/HTTP3: describe how to setup a h3 reverse-proxy for testing
  * docs/INSTALL.md: typo fix : added missing "get" verb
  * docs/URL-SYNTAX.md: space is not fine in a given URL
  * docs: add known bugs list to HTTP3.md
  * docs: address proselint nits
  * docs: consistent manpage SYNOPSIS
  * docs: fix dead links, remove ECH.md
  * docs: fix typo in OpenSSL 3 build instructions
  * docs: Update the Reducing Size section
  * example/progressfunc: remove code for old libcurls
  * examples/multi-single.c: remove WAITMS()
  * FAQ: typo fix : "yout" ➤ "your"
  * ftp: disable warning 4706 in MSVC
  * gen.pl: improve example output format
  * github workflow: add wolfssl (removed from zuul)
  * github/workflows: add mbedtls and mbedtls-clang (removed from zuul)
  * gtls: check return code for gnutls_alpn_set_protocols
  * hash: lazy-alloc the table in Curl_hash_add()
  * http2:set_transfer_url() return early on OOM
  * HTTP3: update quiche build instructions
  * http: enable haproxy support for hyper backend
  * http: Fix CURLOPT_HTTP200ALIASES
  * http_proxy: don't close the socket (too early)
  * insecure.d: detail its use for SFTP and SCP as well
  * insecure.d: expand and clarify
  * libcurl-multi.3: "SOCKS proxy handshakes" are not blocking
  * libcurl-security.3: mention address and URL mitigations
  * libssh2: fix error message for sha256 mismatch
  * libtest: avoid "assignment within conditional expression"
  * lift: ignore is a deprecated config option, use ignoreRules
  * linkcheck.yml: add CI job that checks markdown links
  * m4/curl-compilers: tell clang -Wno-pointer-bool-conversion
  * Makefile.m32: rename -winssl option to -schannel and tidy up
  * mbedTLS: add support for CURLOPT_CAINFO_BLOB
  * mbedtls: fix CURLOPT_SSLCERT_BLOB
  * mbedtls: fix private member designations for v3.1.0
  * misc: remove unused doh flags when CURL_DISABLE_DOH is defined
  * misc: s/e-mail/email
  * multi: cleanup the socket hash when destroying it
  * multi: handle errors returned from socket/timer callbacks
  * multi: shut down CONNECT in Curl_detach_connnection
  * netrc.d: edit the .netrc example to look nicer
  * ngtcp2: verify the server cert on connect (quictls)
  * ngtcp2: verify the server certificate for the gnutls case
  * nss:set_cipher don't clobber the cipher list
  * openldap: implement STARTTLS
  * openldap: process search query response messages one by one
  * openldap: several minor improvements
  * openldap: simplify ldif generation code
  * openssl: check the return value of BIO_new()
  * openssl: define HAVE_OPENSSL_VERSION for OpenSSL 1.1.0+
  * openssl: remove `RSA_METHOD_FLAG_NO_CHECK` handling if unavailable
  * openssl: remove usage of deprecated `SSL_get_peer_certificate`
  * openssl: use non-deprecated API to read key parameters
  * page-footer: add a mention of how to report bugs to the man page
  * page-footer: document more environment variables
  * request.d: refer to 'method' rather than 'command'
  * retry-all-errors.d: make the example complete
  * runtests: make the SSH library a testable feature
  * rustls: read of zero bytes might be okay
  * rustls: remove comment about checking handshaking
  * rustls: remove incorrect EOF check
  * sha256/md5: return errors when init fails
  * socks5: use appropriate ATYP for numerical IP address host names
  * test1156: enable for hyper
  * test1156: fixup the stdout check for Windows
  * test1525: tweaked for hyper
  * test1526: enable for hyper
  * test1527: enable for hyper
  * test1528: enable for hyper
  * test1554: adjust for hyper
  * test1556: adjust for hyper
  * test302[12]: run only with the libssh2 backend
  * test661: enable for hyper
  * tests/CI.md: add more information on CI environments
  * tests/data/test302[12]: fix MSYS2 path conversion of hostpubsha256
  * tftp: mark protocol as not possible to do over CONNECT
  * tool_findfile: updated search for a file in the homedir
  * tool_operate: only set SSH related libcurl options for SSH URLs
  * tool_operate: warn if too many output arguments were found
  * url.c: fix the SIGPIPE comment for Curl_close
  * url: check ssl_config when re-use proxy connection
  * url: reduce ssl backend count for CURL_DISABLE_PROXY builds
  * urlapi: accept port number zero
  * urlapi: if possible, shorten given numerical IPv6 addresses
  * urlapi: provide more detailed return codes
  * urlapi: reject short file URLs
  * version_win32: Check build number and platform id
  * vtls/rustls: adapt to the updated rustls_version proto
  * writeout: fix %{http_version} for HTTP/3
  * x509asn1: return early on errors
  * zuul.d: update rustls-ffi to version 0.8.2
  * zuul: fix quiche build pointing to wrong Cargo
- Update to 7.80.0:
  * Changes:
  - CURLOPT_MAXLIFETIME_CONN: maximum allowed lifetime for conn reuse
  - CURLOPT_PREREQFUNCTION: add new callback
  - libssh2: add SHA256 fingerprint support
  - urlapi: add curl_url_strerror()
  * Bugfixes:
  - aws-sigv4: make signature work when post data is binary
  - c-hyper: don't abort CONNECT responses early when auth-in-progress
  - c-hyper: make CURLOPT_SUPPRESS_CONNECT_HEADERS work
  - cmake: add CURL_ENABLE_SSL option
  - cmake: with OpenSSL, define OPENSSL_SUPPRESS_DEPRECATED
  - configure.ac: replace krb5-config with pkg-config
  - configure: when hyper is selected, deselect nghttp2
  - curl-confopts.m4: remove --enable/disable-hidden-symbols
  - curl-openssl.m4: modify library order for openssl linking
  - curl_ntlm_core: use OpenSSL only if DES is available
  - Curl_updateconninfo: store addresses for QUIC connections too
  - ftp: make the MKD retry to retry once per directory
  - http: fix Basic auth with empty name field in URL
  - http: reject HTTP response codes < 100
  - http: remove assert that breaks hyper
  - http: set content length earlier
  - imap: display quota information
  - libssh2: Get the version at runtime if possible
  - md5: fix compilation with OpenSSL 3.0 API
  - ngtcp2: advertise h3 as well as h3-29
  - ngtcp2: compile with the latest nghttp3
  - ngtcp2: use latest QUIC TLS RFC9001
  - NTLM: use DES_set_key_unchecked with OpenSSL
  - openssl: if verifypeer is not requested, skip the CA loading
  - openssl: with OpenSSL 1.1.0+ a failed RAND_status means goaway
  - schannel: fix memory leak due to failed SSL connection
  - sendf: accept zero-length data in Curl_client_write()
  - sha256: use high-level EVP interface for OpenSSL
  - sws: fix memory leak on exit
  - tool_operate: a failed etag save now only fails that transfer
  - url: check the return value of curl_url()
  - url: set "k->size" -1 at start of request
  - urlapi: skip a strlen(), pass in zero
  - urlapi: URL decode percent-encoded host names
  - vtls: Fix a memory leak if an SSL session cannot be added to the cache
  - wolfssl: use for SHA256, MD4, MD5, and setting DES odd parity
  * Use --with-openssl configure option, --with-ssl is now deprecated
- Update to 7.79.1:
  * Bugfixes:
  - Curl_http2_setup: don't change connection data on repeat invokes
  - curl_multi_fdset: make FD_SET() not operate on sockets out of range
  - dist: provide lib/.checksrc in the tarball
  - FAQ: add GOPHERS + curl works on data, not files
  - hsts: CURLSTS_FAIL from hsts read callback should fail transfer
  - hsts: handle unlimited expiry
  - http: fix the broken >3 digit response code detection
  - strerror: use sys_errlist instead of strerror on Windows
  - test1184: disable: https://github.com/curl/curl/issues/7725
  - tests/sshserver.pl: make it work with openssh-8.7p1
- Temporarily disable flaky test 1184
  * See https://github.com/curl/curl/issues/7725
- Update to 7.79.0: [bsc#1190213, CVE-2021-22945]
  [bsc#1190373, CVE-2021-22946] [bsc#1190374, CVE-2021-22947]
  * Changes:
  - bearssl: support CURLOPT_CAINFO_BLOB
  - http: consider cookies over localhost to be secure
  - secure transport: support CURLINFO_CERTINFO
  * Bugfixes:
  - CVE-2021-22945: clear the leftovers pointer when sending succeeds
  - CVE-2021-22946: do not ignore --ssl-reqd
  - CVE-2021-22947: reject STARTTLS server response pipelining
  - auth: do not append zero-terminator to authorisation id in kerberos
  - auth: properly handle byte order in kerberos security message
  - auth: use sasl authzid option in kerberos
  - auth: we do not support a security layer after kerberos authentication
  - c-hyper: deal with Expect: 100-continue combined with POSTFIELDS
  - c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection
  - c-hyper: initial step for 100-continue support
  - c-hyper: initial support for "dumping" 1xx HTTP responses
  - curl-openssl.m4: show correct output for OpenSSL v3
  - docs/MQTT: update state of username/password support
  - docs: the security list is reached at security at curl.se now
  - getparameter: fix the --local-port number parser
  - hostip: Make Curl_ipv6works function independent of getaddrinfo
  - http_proxy: fix the User-Agent inclusion in CONNECT
  - http_proxy: fix user-agent and custom headers for CONNECT with hyper
  - http_proxy: only wait for writable socket while sending request
  - mailing lists: move from cool.haxx.se to lists.haxx.se
  - mbedtls: avoid using a large buffer on the stack
  - mbedTLS: initial 3.0.0 support
  - ngtcp2: remove the acked_crypto_offset struct field init
  - ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read
  - ngtcp2: reset the outstanding send buffer again when drained
  - ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream
  - ngtcp2: stop buffering crypto data
  - ngtcp2: utilize crypto API functions to simplify
  - openssl: when creating a new context, there cannot be an old one
  - scripts: invoke interpreters through /usr/bin/env
  - tests/runtests.pl: cleanup copy&paste mistakes and unused code
  - tests: be explicit about using 'python3' instead of 'python'
  - tool/tests: fix potential year 2038 issues
  - tool_operate: Fix --fail-early with parallel transfers
  - x509asn1: fix heap over-read when parsing x509 certificates
  * Rebase libcurl-ocloexec.patch
- Update to 7.78.0:
  [bsc#1188217, CVE-2021-22922][bsc#1188218, CVE-2021-22923]
  [bsc#1188219, CVE-2021-22924][bsc#1188220, CVE-2021-22925]
  * Changes:
  - curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE
  - CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax
  - hostip: make 'localhost' return fixed values
  - mbedtls: add support for cert and key blob options
  - metalink: remove all support for it
  - mqtt: add support for username and password
  * Bugfixes:
  - ares: always store IPv6 addresses first
  - c-hyper: abort CONNECT response reading early on non 2xx responses
  - c-hyper: add support for transfer-encoding in the request
  - c-hyper: bail on too long response headers
  - c-hyper: clear NTLM auth buffer when request is issued
  - c-hyper: fix NTLM on closed connection tested with test159
  - conncache: lowercase the hash key for better match
  - curl_multibyte: Remove local encoding fallbacks
  - Curl_ntlm_core_mk_nt_hash: fix OOM in error path
  - Curl_ssl_getsessionid: fail if no session cache exists
  - easy: during upkeep, attach Curl_easy to connections in the cache
  - gnutls: set the preferred TLS versions in correct order
  - hsts: ignore numerical IP address hosts
  - HSTS: not experimental anymore
  - http2: init recvbuf struct for pushed streams
  - http: fix crash in rate-limited upload
  - http: make the haproxy support work with unix domain sockets
  - http_proxy: deal with non-200 CONNECT response with Hyper
  - lib: don't compare fd to FD_SETSIZE when using poll
  - lib: fix compiler warnings with CURL_DISABLE_NETRC
  - lib: fix type of len passed to *printf's %*s
  - lib: more %u for port and int for %*s fixes
  - lib: use %u instead of %ld for port number printf
  - libssh2: limit time a disconnect can take to 1 second
  - mqtt: detect illegal and too large file size
  - msnprintf: return number of printed characters excluding null byte
  - multi: add scan-build-6 work-around in curl_multi_fdset
  - multi: alter transfer timeout ordering
  - multi: do not switch off connect_only flag when closing
  - multi: fix crash in curl_multi_wait / curl_multi_poll
  - ngtcp2: disable TLSv1.3 compatible mode when using GnuTLS
  - openssl: avoid static variable for seed flag
  - openssl: don't remove session id entry in disassociate
  - socketpair: fix potential hangs
  - socks4: scan for the IPv4 address in resolve results
  - ssl: read pending close notify alert before closing the connection
  - telnet: fix option parser to not send uninitialized contents
  - TLS: prevent shutdown loops to get stuck
  - vtls: exit addsessionid if no cache is inited
  - vtls: fix connection reuse checks for issuer cert and case sensitivity
- Update to 7.77.0: [bsc#1186114, CVE-2021-22898]
  [bsc#1186115, bsc#1185579, CVE-2021-22901]
  * Security fixes:
  - CVE-2021-22297: schannel cipher selection surprise
  - CVE-2021-22298: TELNET stack contents disclosure
  - CVE-2021-22901: TLS session caching disaster
  * Changes:
  - configure: make the TLS library choice(s) explicit
  - curl: ignore options asking for SSLv2 or SSLv3
  - hsts: enable by default
  - SSL: support in-memory CA certs for some backends
  - vtls: refuse setting any SSL version
  * Bugfixes:
  - configure: provide --with-openssl, deprecate --with-ssl
  - cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies
  - curl: include libmetalink version in --version output
  - data_pending: check only SECONDARY socket for FTP(S) transfers
  - gnutls: don't allow TLS 1.3 for versions that don't support it
  - gnutls: make setting only the MAX TLS allowed version work
  - http2: fix resource leaks in set_transfer_url() and push_promise()
  - http: limit the initial send amount to used upload buffer size
  - rustls: only return CURLE_AGAIN when TLS session is fully drained
  - rustls: use ALPN
  - schannel: Disable auto credentials; add an option to enable it
  - schannel: Support strong crypto option
  - sectransp: allow cipher name to be specified
  - sockfilt: avoid getting stuck waiting for writable socket
- update to 7.76.1:
  - ngtcp2: Use ALPN h3-29 for now
  - TODO: remove 18.22 --fail-with-body
- Update to 7.76.0
  * Security fixes:
  - [bsc#1183933, CVE-2021-22876]: strip credentials from the
    auto-referer header field
  - [bsc#1183934, CVE-2021-22890]: add 'isproxy' argument to
    Curl_ssl_get/addsessionid()
  * Changes:
  - cookies: Support multiple -b parameters
  - curl: add --fail-with-body
  - doh: add options to disable ssl verification
  - http: add support to read and store the referrer header
  - sasl: support SCRAM-SHA-1 and SCRAM-SHA-256 via libgsasl
  - vtls: initial implementation of rustls backend
  * Bugfixes:
  - CVE-2021-22876: strip credentials from the auto-referer header field
  - CVE-2021-22890: add 'isproxy' argument to Curl_ssl_get/addsessionid()
  - c-hyper: support automatic content-encoding
  - configure: only add OpenSSL paths if they are defined
  - configure: provide Largefile feature for curl-config
  - curl: set CURLOPT_NEW_FILE_PERMS if requested
  - doh: Fix sharing user's resolve list with DOH handles
  - doh: Inherit CURLOPT_STDERR from user's easy handle
  - dynbuf: bump the max HTTP request to 1MB
  - ftp: add 'list_only' to the transfer state struct
  - ftp: add 'prefer_ascii' to the transfer state struct
  - ftp: allow SIZE to fail when doing (resumed) upload
  - ftp: avoid SIZE when asking for a TYPE A file
  - ftp: fix memory leak in ftp_done
  - ftp: never set data->set.ftp_append outside setopt
  - gnutls: assume nettle crypto support
  - http2: don't set KEEP_SEND when there's no more data to be sent
  - http2: fail if connection terminated without END_STREAM
  - http: do not add a referrer header with empty value
  - http: strip default port from URL sent to proxy
  - http: use credentials from transfer, not connection
  - lib: remove 'conn->data' completely
  - multi: close the connection when h2=>h1 downgrading
  - multi: do once-per-transfer inits in before_perform in DID state
  - multi: rename the multi transfer states
  - multi: update pending list when removing handle
  - ngtcp2: adapt to the new recv_datagram callback
  - ngtcp2: clarify calculation precedence
  - ngtcp2: sync with recent API updates
  - openssl: adapt to v3's new const for a few API calls
  - openssl: ensure to check SSL_CTX_set_alpn_protos return values
  - openssl: remove get_ssl_version_txt in favor of SSL_get_version
  - parse_proxy: fix a memory leak in the OOM path
  - url: fix memory leak if OOM in the HSTS handling
  - url: fix possible use-after-free in default protocol
  - urldata: don't touch data->set.httpversion at run-time
  - urldata: merge "struct DynamicStatic" into "struct UrlState"
  - urldata: remove the 'rtspversion' field
  - urldata: remove the _ORIG suffix from string names
  - wolfssl: don't store a NULL sessionid
- Harden build, enable full RELRO
- Never allow undefined symbols anywhere.
- Update to 7.75.0
  * Changes:
  - curl: add --create-file-mode [mode]
  - curl: add new variables to --write-out
  - dns: extend CURLOPT_RESOLVE syntax for adding non-permanent entries
  - gopher: implement secure gopher protocol
  - http: add Hyper as new optional HTTP backend
  - http: introduce AWS HTTP v4 Signature support
  * Bugfixes:
  - cmake: Add an option to disable libidn2
  - cmake: enable gophers correctly in curl-config
  - cmake: expose CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
  - digest_sspi: Show InitializeSecurityContext errors in verbose mode
  - getinfo: build with disabled HTTP support
  - http: get CURLOPT_REQUEST_TARGET working with a HTTP proxy
  - http_proxy: Fix CONNECT chunked encoding race condition
  - httpauth: make multi-request auth work with custom port
  - lib: pass in 'struct Curl_easy *' to most functions
  - lib: remove Curl_ prefix from many static functions
  - lib: save a bit of space with some structure packing
  - libssh: avoid plain free() of libssh-memory
  - mime: make sure setting MIMEPOST to NULL resets properly
  - multi_runsingle: bail out early on data->conn == NULL
  - ngtcp2: Fix http3 upload stall
  - ngtcp2: Fix stack buffer overflow
  - openssl: lowercase the hostname before using it for SNI
  - socks: use the download buffer instead
  - speedcheck: exclude paused transfers
  - tool_writeout: fix the -w time output units
  - url: if IDNA conversion fails, fallback to Transitional
- Refresh libcurl-ocloexec.patch
- Enable zstd and brotli support
- Update to 7.74.0
  * Changes:
  - hsts: add experimental support for Strict-Transport-Security
  * Bugfixes:
  - Inferior OCSP verification  [bsc#1179593, CVE-2020-8286]
  - FTP wildcard stack overflow [bsc#1179399, CVE-2020-8285]
  - trusting FTP PASV responses [bsc#1179398, CVE-2020-8284]
  - Revert "multi: implement wait using winsock events"
  - openssl: free mem_buf in error path
  - ntlm: avoid malloc(0) on zero length user and domain
  - ngtcp2: use the minimal version of QUIC supported by ngtcp2
  - ngtcp2: advertise h3 ALPN unconditionally
  - file: avoid duplicated code sequence
  - openssl: guard against OOM on context creation
  - docs: document the 8MB input string limit for curl_easy_escape
    and curl_easy_setopt()
  - hsts: add read/write callbacks
  - hsts: add support for Strict-Transport-Security
  - alt-svc: enable by default
  - checksrc: warn on empty line before open brace
  - connect: repair build without ipv6 availability
  - curl.se: new home
  - ftp: retry getpeername for FTP with TCP_FASTOPEN
  - gnutls: fix memory leaks (certfields memory wasn't released)
  - http: pass correct header size to debug callback for chunked post
  - libssh2: fix transport over HTTPS proxy
  - openssl: guard against OOM on context creation
  - openssl: use OPENSSL_init_ssl() with >= 1.1.0
  - Revert "multi: implement wait using winsock events"
  - socks: check for DNS entries with the right port number
  - tool_operate: --retry for HTTP 408 responses too
  - tool_operate: bail out proper on errors during parallel transfers
  - urlapi: don't accept blank port number field without scheme
  - urlapi: URL encode a '+' in the query part
  - vquic/ngtcp2.h: define local_addr as sockaddr_storage
- Update check section:
  * runtests now supports dynamically base64 encoded sections in tests
  * Replace env interpreter for perl and python3
- Remove curl-use_OPENSSL_config.patch since the OpenSSL initialization
  has been updated to use OPENSSL_init_ssl() with >= 1.1.0
- Update patches to fix compiling warnings:
  * curl-disabled-redirect-protocol-message.patch
  * libcurl-ocloexec.patch
- Enable test 1165
- Update to 7.73.0
  * Changes:
  - curl: add --output-dir
  - curl: support XDG_CONFIG_HOME to find .curlrc
  - curl: update --help with categories
  - curl_easy_option_*: new API for meta-data about easy options
  - CURLE_PROXY: new error code
  - mqtt: enable by default
  - sftp: add new quote commands 'atime' and 'mtime'
  - ssh: add the option CURLKHSTAT_FINE_REPLACE
  - tls: add CURLOPT_SSL_EC_CURVES and --curves
  * Bugfixes:
  - base64: also build for smtp, pop3 and imap
  - cleanups: avoid curl_ on local variables
  - configure: let --enable-debug set -Wenum-conversion with gcc >= 10
  - conn: check for connection being dead before reuse
  - curl: in retry output don't call all problems "transient"
  - curl: make checkpasswd, file2memory, file2string and
    glob_match_url use dynbuf
  - curl: retry delays in parallel mode no longer sleeps blocking
  - curl: use curlx_dynbuf for realloc when loading config files
  - curl:parallel_transfers: make sure retry readds the transfer
  - curl_get_line: build only if cookies or alt-svc are enabled
  - Curl_pgrsTime - return new time to avoid timeout integer overflow
  - Curl_send: return error when pre_receive_plain can't malloc
  - dynbuf: make sure Curl_dyn_tail() zero terminates
  - etag: save and use the full received contents
  - ftp: a 550 response to SIZE returns CURLE_REMOTE_FILE_NOT_FOUND
  - ftp: avoid risk of reading uninitialized integers
  - ftp: get rid of the PPSENDF macro
  - ftp: make a 552 response return CURLE_REMOTE_DISK_FULL
  - ftp: separate FTPS from FTP over "HTTPS proxy"
  - HTTP/3: update to OpenSSL_1_1_1g-quic-draft-29
  - http: consolidate nghttp2_session_mem_recv() call paths
  - http_proxy: do not count proxy headers in the header bytecount
  - http_proxy: do not crash with HTTPS_PROXY and NO_PROXY set
  - imap: make imap_send use dynbuf for the send buffer management
  - imap: set cselect_bits to CURL_CSELECT_IN initially
  - lib1560: verify "redirect" to double-slash leading URL
  - lib: make Curl_gethostname accept a const pointer
  - libssh2: handle the SSH protocols done over HTTPS proxy
  - libssh2: pass on the error from ssh_force_knownhost_key_type
  - memdebug: remove 9 year old unused debug function
  - multi: expand pre-check for socket readiness
  - ngtcp2: adapt to new NGTCP2_PROTO_VER_MAX define
  - ngtcp2: adapt to the new pkt_info arguments
  - openssl: avoid error conditions when importing native CA
  - openssl: consider ALERT_CERTIFICATE_EXPIRED a failed verification
  - parsedate: tune the date to epoch conversion
  - pause: only trigger a reread if the unpause sticks
  - pingpong: use a dynbuf for the *_pp_sendf() function
  - runtests: allow creating files without newlines
  - runtests: allow generating a binary sequence from hex
  - runtests: clear pid variables when failing to start a server
  - schannel: fix memory leak when using get_cert_location
  - schannel: return CURLE_PEER_FAILED_VERIFICATION for untrusted root
  - sectransp: make it build with --disable-proxy
  - select.h: make socket validation macros test for INVALID_SOCKET
  - select: align poll emulation to return all relevant events
  - select: fix poll-based check not detecting connect failure
  - select: simplify return code handling for poll and select
  - setopt: if the buffer exists, refuse the new BUFFERSIZE
  - setopt: return CURLE_BAD_FUNCTION_ARGUMENT on bad argument
  - socketpair: allow CURL_DISABLE_SOCKETPAIR
  - sockfilt: handle FD_CLOSE winsock event on write socket
  - symbian: drop support
  - tests: remove pipelining tests
  - tls: fix SRP detection by using the proper #ifdefs
  - tls: provide the CApath verbose log on its own line
  - tool_setopt: escape binary data to hex, not octal
  - url: use blank credentials when using proxy w/o username and password
  - urlapi: use more Curl_safefree
  - vtls: deduplicate client certificates in ssl_config_data
- Update to 7.72.0 [bsc#1175109, CVE-2020-8231]
  * Changes:
  - content_encoding: add zstd decoding support
  - CURL_PUSH_ERROROUT: allow the push callback to fail the parent stream
  - CURLINFO_EFFECTIVE_METHOD: added
  * Bugfixes:
  - CVE-2020-8231: libcurl: wrong connect-only connection
  - curl-config: ignore REQUIRE_LIB_DEPS in --libs output
  - curl: improve the existing file check with -J
  - curl_multi_setopt: fix compiler warning "result is always false"
  - curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated
  - docs: Add video link to docs/CONTRIBUTE.md
  - docs: clarify MAX_SEND/RECV_SPEED functionality
  - ftp: don't do ssl_shutdown instead of ssl_close
  - ftpserver: don't verify SMTP MAIL FROM names
  - getinfo: reset retry-after value in initinfo
  - gnutls: repair the build with 'CURL_DISABLE_PROXY'
  - gtls: survive not being able to get name/issuer
  - h2: repair trailer handling
  - http2: close the http2 connection when no more requests may be sent
  - http2: fix nghttp2_strerror -> nghttp2_http2_strerror in debug messages
  - libssh2: s/ssherr/sftperr/
  - mprintf: Fix dollar string handling
  - mprintf: Fix stack overflows
  - multi_remove_handle: close unused connect-only connections
  - ngtcp2: adapt to error code rename
  - ngtcp2: adjust to recent sockaddr updates
  - ngtcp2: update to modified qlog callback prototype
  - ntlm: free target_info before (re-)malloc
  - page-header: provide protocol details in the curl.1 man page
  - quiche: handle calling disconnect twice
  - setopt: unset NOBODY switches to GET if still HEAD
  - smtp_parse_address: handle blank input string properly
  - socks: use size_t for size variable
  - tls-max.d: this option is only for TLS-using connections
  - tlsv1.3.d: only for TLS-using connections
  - tool_getparam: make --krb option work again
  - transfer: fix data_pending for builds with both h2 and h3 enabled
  - transfer: fix memory-leak with CURLOPT_CURLU in a duped handle
  - transfer: move retrycount from connect struct to easy handle
  - url: fix CURLU and location following
- Update to 7.71.1
  * Bugfixes:
  - Curl_inet_ntop: always check the return code
  - CURLOPT_READFUNCTION.3: provide the upload data size up front
  - escape: make the URL decode able to reject only %00-bytes
  - escape: zero length input should return a zero length output
  - examples/multithread.c: call curl_global_cleanup()
  - http2: set the correct URL in pushed transfers
  - http: fix proxy auth with blank password
  - mbedtls: fix build with disabled proxy support
  - ngtcp2: sync with current master
  - Revert "multi: implement wait using winsock events"
  - sendf: improve the message on client write errors
  - terminology: call them null-terminated strings
  - tool_cb_hdr: Fix etag warning output and return code
  - url: allow user + password to contain "control codes" for HTTP(S)
  - vtls: compare cert blob when finding a connection to reuse
- Update to 7.71.0 [bsc#1173026, CVE-2020-8169][bsc#1173027, CVE-2020-8177]
  * Changes:
  - CURLOPT_SSL_OPTIONS: optional use of Windows' CA store (with openssl)
  - setopt: add CURLOPT_PROXY_ISSUERCERT(_BLOB) for coherency
  - setopt: support certificate options in memory with struct curl_blob
  - tool: Add option --retry-all-errors to retry on any error
  * Bugfixes:
  - *_sspi: fix bad uses of CURLE_NOT_BUILT_IN
  - altsvc: bump to h3-29
  - altsvc: fix 'dsthost' may be used uninitialized in this function
  - altsvc: fix parser for lines ending with CRLF
  - altsvc: remove the num field from the altsvc struct
  - asyn-*: remove support for never-used NULL entry pointers
  - azure: use matrix strategy to avoid configuration redundancy
  - build: disable more code/data when built without proxy support
  - buildconf: remove -print from the find command that removes files
  - checksrc: enhance the ASTERISKSPACE and update code accordingly
  - cirrus: disable SFTP and SCP tests
  - CMake: add ENABLE_ALT_SVC option
  - CMake: add HTTP/3 support (ngtcp2+nghttp3, quiche)
  - CMake: add libssh build support
  - configure: fix pthread check with static boringssl
  - configure: for wolfSSL, check for the DES func needed for NTLM
  - configure: only strip first -L from LDFLAGS
  - configure: repair the check if argv can be written to
  - configure: the wolfssh backend does not provide SCP
  - connect: improve happy eyeballs handling
  - connect: make happy eyeballs work for QUIC (again)
  - curl: remove -J "informational" written on stdout
  - Curl_addrinfo: use one malloc instead of three
  - dynbuf: introduce internal generic dynamic buffer functions
  - easy: fix dangling pointer on easy_perform fail
  - examples/ephiperfifo: turn off interval when setting timerfd
  - examples/http2-down/upload: add error checks
  - FILEFORMAT: add more features that tests can depend on
  - FILEFORMAT: describe verify/stderr
  - ftp: make domore_getsock() return the secondary socket properly
  - ftp: mark return-ignoring calls to Curl_GetFTPResponse with (void)
  - ftp: shut down the secondary connection properly when SSL is used
  - GnuTLS: Backend support for CURLINFO_SSL_VERIFYRESULT
  - hostip: make Curl_printable_address not return anything
  - http2: keep trying to send pending frames after req.upload_done
  - http2: simplify and clean up trailer handling
  - http: move header storage to Curl_easy from connectdata
  - libssh2: improved error output for wrong quote syntax
  - libssh2: keep sftp errors as 'unsigned long'
  - libssh2: set the expected total size in SCP upload init
  - multi: add defensive check on data->multi->num_alive
  - multi: implement wait using winsock events
  - ngtcp2: cleanup memory when failing to connect
  - ngtcp2: fix build with current ngtcp2 master implementing draft 28
  - ngtcp2: fix happy eyeballs quic connect crash
  - ngtcp2: introduce qlog support
  - ngtcp2: never call fprintf() in lib code in release version
  - ngtcp2: update with recent API changes
  - ntlm: enable NTLM support with wolfSSL
  - OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAIN
  - openssl: set FLAG_TRUSTED_FIRST unconditionally
  - projects: Add crypt32.lib to dependencies for all OpenSSL configs
  - quiche: clean up memory properly when failing to connect
  - quiche: enable qlog output
  - quiche: update SSLKEYLOGFILE support
  - Revert "ssh: ignore timeouts during disconnect"
  - select: fix overflow protection in Curl_socket_check
  - sendf: make failf() use the mvsnprintf() return code
  - server/sws: fix asan warning on use of uninitialized variable
  - server/util: fix logmsg format using curl_off_t argument
  - sha256: fixed potentially uninitialized variable
  - share: don't set the share flag if something fails
  - sockfilt: make select_ws stop waiting on exit signal event
  - socks: detect connection close during handshake
  - socks: fix expected length of SOCKS5 reply
  - socks: remove unreachable breaks in socks.c and mime.c
  - source cleanup: remove all custom typedef structs
  - timeouts: change millisecond timeouts to timediff_t from time_t
  - timeouts: move ms timeouts to timediff_t from int and long
  - tool_cfgable: free login_options at exit
  - tool_getparam: -i is not OK if -J is used
  - tool_getparam: fix memory leak in parse_args
  - tool_operate: fixed potentially uninitialized variables
  - tool_paramhlp: fixed potentially uninitialized strtol() variable
  - transfer: close connection after excess data has been read
  - typecheck-gcc.h: CURLINFO_PRIVATE does not need a 'char *'
  - unit1604.c: fix implicit conv from 'SANITIZEcode' to 'CURLcode'
  - url: accept "any length" credentials for proxy auth
  - url: alloc the download buffer at transfer start
  - url: make the updated credentials URL-encoded in the URL
  - url: reject too long input when parsing credentials
  - url: sort the protocol schemes in rough popularity order
  - urlapi: accept :: as a valid IPv6 address
  - urldata: leave the HTTP method untouched in the set.* struct
  - urlglob: treat literal IPv6 addresses with zone IDs as a host name
  - user-agent.d: spell out what happens given a blank argument
  - vauth/cleartext: fix theoretical integer overflow
  - version.d: expanded and alpha-sorted
  - vtls: Extract and simplify key log file handling from OpenSSL
  - wolfssl: add SSLKEYLOGFILE support
  - wording: avoid blacklist/whitelist stereotypes
  - write-out.d: added "response_code"
- Change with-gssapi configure parameter: krb5 is changing location
  in the future: ask krb5-config about the correct prefix values.
- Update to 7.70.0
  * Changes:
  - curl: add --ssl-revoke-best-effort to allow a "best effort" revocation check
  - mqtt: add new experimental protocol
  - schannel: add "best effort" revocation check option: CURLSSLOPT_REVOKE_BEST_EFFORT
  - writeout: support to generate JSON output with '%{json}'
  * Bugfixes:
  - gnutls: Don't skip really long certificate fields
  - gnutls: ensure TLS 1.3 when SRP isn't requested
  - lib: never define CURL_CA_BUNDLE with a getenv
  - libcurl-multi.3: added missing full stop
  - libssh: avoid options override by configuration files
  - libssh: Use new ECDSA key types to check known hosts
  - tons of other fixes
- Update to 7.69.1
  * Bugfixes:
  - ares: store dns parameters for duphandle
  - cirrus-ci: disable the FreeBSD 13 builds
  - curl_share_setopt.3: Note sharing cookies doesn't enable the engine
  - lib1564: reduce number of mid-wait wakeup calls
  - libssh: Fix matching user-specified MD5 hex key
  - MANUAL: update a dict-using command line
  - mime: do not perform more than one read in a row
  - mime: fix the binary encoder to handle large data properly
  - mime: latch last read callback status
  - multi: skip EINTR check on wakeup socket if it was closed
  - pause: bail out on bad input
  - pause: force a connection recheck after unpausing (take 2)
  - pause: return early for calls that don't change pause state
  - runtests.1: rephrase how to specify what tests to run
  - runtests: fix missing use of exe_ext helper function
  - seek: fix fall back for missing ftruncate on Windows
  - sftp: fix segfault regression introduced by #4747 in 7.69.0
  - sha256: Added SecureTransport implementation
  - sha256: Added WinCrypt implementation
  - socks4: fix host resolve regression
  - socks5: host name resolv regression fix
  - tests/server: fix missing use of exe_ext helper function
  - tests: fix static ip:port instead of dynamic values being used
  - tests: make sleeping portable by avoiding select
  - unit1612: fix the inclusion and compilation of the HMAC unit test
  - urldata: remove the 'stream_was_rewound' connectdata struct member
  - version: make curl_version* thread-safe without using global context
- ignore_runtests_failure.patch: remove, no longer needed
- Update to 7.69.0
  * Changes:
  - polarssl: removed
  - smtp: add CURLOPT_MAIL_RCPT_ALLLOWFAILS and --mail-rcpt-allowfails
  - wolfSSH: new SSH backend
  * Bugfixes:
  - altsvc: improved header parser
  - altsvc: keep a copy of the file name to survive handle reset
  - altsvc: make saving the cache an atomic operation
  - altsvc: use h3-27
  - azure: disable brotli on the macos debug-builds
  - build: remove all HAVE_OPENSSL_ENGINE_H defines
  - cleanup: fix several comment typos
  - cleanup: fix typos and wording in docs and comments
  - cmake: add support for CMAKE_LTO option
  - cmake: clean up and improve build procedures
  - cmake: Show HTTPS-proxy in the features output
  - cmake: use check_symbol_exists also for inet_pton
  - configure.ac: fix comments about --with-quiche
  - configure: disable metalink if mbedTLS is specified
  - configure: disable metalink support for incompatible SSL/TLS
  - conn: do not reuse connection if SOCKS proxy credentials differ
  - conncache: removed unused Curl_conncache_bundle_size()
  - connect: remove some spurious infof() calls
  - connection reuse: respect the max_concurrent_streams limits
  - cookie: check __Secure- and __Host- case sensitively
  - cookies: make saving atomic with a rename
  - create-dirs.d: mention the mode
  - curl: avoid using strlen for testing if a string is empty
  - curl: error on --alt-svc use w/o support
  - curl: let -D merge headers in one file again
  - curl: make #0 not output the full URL
  - curl: make the -# spaceship bar not wrap the line
  - curl: remove 'config' field from OutStruct
  - curl:progressbarinit: ignore column width from terminals < 20
  - curl_escape.3: add a link to curl_free
  - curl_getenv.3: fix the memory handling description
  - curl_global_init: assume the EINTR bit by default
  - curl_global_init: move the IPv6 works status bool to multi handle
  - CURLINFO_COOKIELIST.3: Fix example
  - CURLOPT_ALTSVC_CTRL.3: fix the DEFAULT wording
  - CURLOPT_PROXY_SSL_OPTIONS.3: Sync with CURLOPT_SSL_OPTIONS.3
  - CURLOPT_REDIR_PROTOCOLS.3: update the DEFAULT section
  - data.d: remove "Multiple files can also be specified"
  - digest: do not quote algorithm in HTTP authorisation
  - docs/HTTP3: add --enable-alt-svc to curl's configure
  - docs/HTTP3: update the OpenSSL branch to use for ngtcp2
  - docs: fix typo on CURLINFO_RETRY_AFTER
  - easy: remove dead code
  - form.d: fix two minor typos
  - ftp: convert 'sock_accepted' to a plain boolean
  - ftp: remove superfluous checking for crlf in user or pwd
  - ftp: shrink temp buffers used for PORT
  - github: Instructions to post "uname -a" on Unix systems in issues
  - GnuTLS: always send client cert
  - gtls: fixed compilation when using GnuTLS < 3.5.0
  - hostip: move code to resolve IP address literals to 'Curl_resolv'
  - HTTP-COOKIES: describe the cookie file format
  - HTTP-COOKIES: mention that a trailing newline is required
  - http2: make pausing/unpausing set/clear local stream window
  - http2: now requires nghttp2 >= 1.12.0
  - http: added 417 response treatment
  - http: increase EXPECT_100_THRESHOLD to 1Mb
  - http: mark POSTs with no body as "upload done" from the start
  - http: move "oauth_bearer" from connectdata to Curl_easy
  - include: remove non-curl prefixed defines
  - KNOWN_BUGS: Multiple methods in a single WWW-Authenticate: header
  - libssh2: add support for forcing a hostkey type
  - libssh2: fix variable type
  - libssh: improve known hosts handling
  - llist: removed unused Curl_llist_move()
  - location.d: the method change is from POST to GET only
  - md4: fixed compilation issues when using GNU TLS gcrypt
  - md4: use init/update/final functions in Secure Transport
  - md5: added implementation for mbedTLS
  - mk-ca-bundle: add support for CKA_NSS_SERVER_DISTRUST_AFTER
  - multi: change curl_multi_wait/poll to error on negative timeout
  - multi: fix outdated comment
  - multi: if Curl_readwrite sets 'comeback' use expire, not loop
  - multi_done: if multiplexed, make conn->data point to another transfer
  - multi_wait: stop loop when sread() returns zero
  - ngtcp2: add error code for QUIC connection errors
  - ngtcp2: fixed to only use AF_INET6 when ENABLE_IPV6
  - ngtcp2: update to git master and its draft-25 support
  - ntlm: removed the dependency on the TLS libraries when using MD5
  - ntlm_wb: use Curl_socketpair() for greater portability
  - oauth2-bearer.d: works for HTTP too
  - openssl: make CURLINFO_CERTINFO not truncate x509v3 fields
  - openssl: remove redundant assignment
  - os400: fixed the build
  - pause: force-drain the transfer on unpause
  - quiche: update to draft-25
  - README: mention that the docs is in docs/
  - runtests: make random seed fixed for a month
  - runtests: restore the command log
  - schannel_verify: Fix alt names manual verify for UNICODE builds
  - sha256: use crypto implementations when available
  - singleuse.pl: support new API functions, fix curl_dbg_ handling
  - smtp: support the SMTPUTF8 extension
  - smtp: support UTF-8 based host names in MAIL FROM
  - SOCKS: make the connect phase non-blocking
  - strcase: turn Curl_raw_tolower into static
  - strerror: increase STRERROR_LEN 128 -> 256
  - test1323: added missing 'unit test' feature requirement
  - tests: add a unit test for MD4 digest generation
  - tests: add a unit test for SHA256 digest generation
  - tests: add a unit test for the HMAC hash generation
  - tests: deduce the tool name from the test case for unit tests
  - tests: fix Python 3 compatibility of smbserver.py
  - tool_dirhie: allow directory traversal during creation
  - tool_homedir: change GetEnv() to use libcurl's curl_getenv()
  - url: include the failure reason when curl_win32_idn_to_ascii() fails
  - urlapi: guess scheme properly with credentials given
  - urldata: do string enums without #ifdefs for build scripts
  - vtls: refactor Curl_multissl_version to make the code clearer
- Refresh patches:
  * curl-secure-getenv.patch
  * libcurl-ocloexec.patch
- Eliminate curl-mini: The reason for this to exist was that cmake
  pulled in curl into too many places, causing build cycles. A new
  cmake-mini was generated, eliminating that need.
- Update to 7.68.0
  * Changes:
  - TLS: add BearSSL vtls implementation
  - XFERINFOFUNCTION: support CURL_PROGRESSFUNC_CONTINUE
  - curl: add --etag-compare and --etag-save
  - curl: add --parallel-immediate
  - multi: add curl_multi_wakeup()
  - openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains
  * Bugfixes:
  - CVE-2019-15601: file: on Windows, refuse paths that start with /
  - Azure Pipelines: add several builds
  - CMake: add support for building with the NSS vtls backend
  - CURL-DISABLE: initial docs for the CURL_DISABLE_* defines
  - CURLOPT_HEADERFUNCTION.3: Document that size is always 1
  - CURLOPT_QUOTE.3: fix typos
  - CURLOPT_READFUNCTION.3: fix the example
  - CURLOPT_URL.3: "curl supports SMB version 1 (only)"
  - CURLOPT_VERBOSE.3: see also ERRORBUFFER
  - HISTORY: added cmake, HTTP/3 and parallel downloads with curl
  - HISTORY: the SMB(S) support landed in 2014
  - INSTALL.md: provide Android build instructions
  - KNOWN_BUGS: Connection information when using TCP Fast Open
  - KNOWN_BUGS: LDAP on Windows doesn't work correctly
  - KNOWN_BUGS: TLS session cache doesn't work with TFO
  - OPENSOCKETFUNCTION.3: correct the purpose description
  - TrackMemory tests: always remove CR before LF
  - altsvc: bump to h3-24
  - altsvc: make the save function ignore NULL filenames
  - build: Disable Visual Studio warning "conditional expression is constant"
  - build: fix for CURL_DISABLE_DOH
  - checksrc.bat: Add a check for vquic and vssh directories
  - checksrc: repair the copyrightyear check
  - cirrus-ci: enable clang sanitizers on freebsd 13
  - cirrus: Drop the FreeBSD 10.4 build
  - config-win32: cpu-machine-OS for Windows on ARM
  - configure: avoid unportable `==' test(1) operator
  - configure: enable IPv6 support without `getaddrinfo`
  - configure: fix typo in help text
  - conncache: CONNECT_ONLY connections assumed always in-use
  - conncache: fix multi-thread use of shared connection cache
  - copyrights: fix copyright year range
  - create_conn: prefer multiplexing to using new connections
  - curl -w: handle a blank input file correctly
  - curl.h: add two missing defines for "pre ISO C" compilers
  - curl/parseconfig: fix mem-leak
  - curl/parseconfig: use curl_free() to free memory allocated by libcurl
  - curl: cleanup multi handle on failure
  - curl: fix --upload-file . hangs if delay in STDIN
  - curl: fix -T globbing
  - curl: improved cleanup in upload error path
  - curl: make a few char pointers point to const char instead
  - curl: properly free mimepost data
  - curl: show better error message when no homedir is found
  - curl: show error for --http3 if libcurl lacks support
  - curl_setup_once: consistently use WHILE_FALSE in macros
  - define: remove HAVE_ENGINE_LOAD_BUILTIN_ENGINES, not used anymore
  - docs: Change 'experiemental' to 'experimental'
  - docs: TLS SRP doesn't work with TLS 1.3
  - docs: fix several typos
  - docs: mention CURL_MAX_INPUT_LENGTH restrictions
  - doh: improved both encoding and decoding
  - doh: make it behave when built without proxy support
  - examples/postinmemory.c: Call curl_global_cleanup always
  - examples/url2file.c: corrected erroneous comment
  - examples: add multi-poll.c
  - global_init: undo the "initialized" bump in case of failure
  - hostip: suppress compiler warning
  - http_ntlm: Remove duplicate NSS initialisation
  - lib: Move lib/ssh.h -> lib/vssh/ssh.h
  - lib: fix compiler warnings with `CURL_DISABLE_VERBOSE_STRINGS`
  - lib: fix warnings found when porting to NuttX
  - lib: remove ASSIGNWITHINCONDITION exceptions, use our code style
  - lib: remove erroneous +x file permission on some c files
  - libssh2: add support for ECDSA and ed25519 knownhost keys
  - multi.h: remove INITIAL_MAX_CONCURRENT_STREAMS from public header
  - multi: free sockhash on OOM
  - multi_poll: avoid busy-loop when called without easy handles attached
  - ngtcp2: Support the latest update key callback type
  - ngtcp2: fix thread-safety bug in error-handling
  - ngtcp2: free used resources on disconnect
  - ngtcp2: handle key updates as ngtcp2 master branch tells us
  - ngtcp2: increase QUIC window size when data is consumed
  - ngtcp2: use overflow buffer for extra HTTP/3 data
  - ntlm: USE_WIN32_CRYPTO check removed to get USE_NTLM2SESSION set
  - ntlm_wb: fix double-free in OOM
  - openssl: Revert to less sensitivity for SYSCALL errors
  - openssl: improve error message for SYSCALL during connect
  - openssl: prevent recursive function calls from ctx callbacks
  - openssl: retrieve reported LibreSSL version at runtime
  - openssl: set X509_V_FLAG_PARTIAL_CHAIN by default
  - parsedate: offer a getdate_capped() alternative
  - pause: avoid updating socket if done was already called
  - projects: Fix Visual Studio projects SSH builds
  - projects: Fix Visual Studio wolfSSL configurations
  - quiche: reject HTTP/3 headers in the wrong order
  - remove_handle: clear expire timers after multi_done()
  - runtests: --repeat=[num] to repeat tests
  - runtests: introduce --shallow to reduce huge torture tests
  - schannel: fix --tls-max for when min is --tlsv1 or default
  - setopt: Fix ALPN / NPN user option when built without HTTP2
  - strerror: Add Curl_winapi_strerror for Win API specific errors
  - strerror: Fix an error looking up some Windows error strings
  - strerror: Fix compiler warning "empty expression"
  - system.h: fix for MCST lcc compiler
  - test/sws: search for "Testno:" header unconditionally if no testno
  - test1175: verify symbols-in-versions and libcurl-errors.3 in sync
  - test1270: a basic -w redirect_url test
  - test1456: remove the use of a fixed local port number
  - test1558: use double slash after file:
  - test1560: require IPv6 for IPv6 aware URL parsing
  - tests/lib1557: fix mem-leak in OOM
  - tests/lib1559: fix mem-leak in OOM
  - tests/lib1591: free memory properly on OOM, in the trailers callback
  - tests/unit1607: fix mem-leak in OOM
  - tests/unit1609: fix mem-leak in OOM
  - tests/unit1620: fix bad free in OOM
  - tests: Change NTLM tests to require SSL
  - tests: Fix bounce requests with truncated writes
  - tests: fix build with `CURL_DISABLE_DOH`
  - tests: fix permissions of ssh keys in WSL
  - tests: make it possible to set executable extensions
  - tests: make sure checksrc runs on header files too
  - tests: set LC_ALL=en_US.UTF-8 instead of blank in several tests
  - tests: use DoH feature for DoH tests
  - tests: use rn for log messages in WSL
  - tool_operate: fix mem leak when failed config parse
  - travis: Fix error detection
  - travis: abandon coveralls, it is not reliable
  - travis: build ngtcp2 with --enable-lib-only
  - travis: export the CC/CXX variables when set
  - vtls: make BearSSL possible to set with CURL_SSL_BACKEND
  - winbuild: Define CARES_STATICLIB when WITH_CARES=static
  - winbuild: Document CURL_STATICLIB requirement for static libcurl
- Remove curl-expire-clear.patch
- Fix segfault in zypper ref: [bsc#1156481]
  * remove_handle: clear expire timers after multi_done()
  * Add patch curl-expire-clear.patch
- Update spec file with spec-cleaner
- Update to 7.67.0
  * Changes:
  - curl: added --no-progress-meter
  - setopt: CURLMOPT_MAX_CONCURRENT_STREAMS is new
  - urlapi: CURLU_NO_AUTHORITY allows empty authority/host part
  * Bugfixes:
  - BINDINGS: five new bindings added
  - CURLOPT_TIMEOUT.3: Clarify transfer timeout time includes queue time
  - CURLOPT_TIMEOUT.3: remove the mention of "minutes"
  - ESNI: initial build/setup support
  - FTP: FTPFILE_NOCWD: avoid redundant CWDs
  - FTP: allow "rubbish" prepended to the SIZE response
  - FTP: remove trailing slash from path for LIST/MLSD
  - FTP: skip CWD to entry dir when target is absolute
  - FTP: url-decode path before evaluation
  - HTTP3.md: move -p for mkdir, remove -j for make
  - HTTP3: fix invalid use of sendto for connected UDP socket
  - HTTP3: fix prefix parameter for ngtcp2 build
  - HTTP3: show an --alt-svc using example too
  - INSTALL: add missing space for configure commands
  - INSTALL: add vcpkg installation instructions
  - altsvc: accept quoted ma and persist values
  - altsvc: both backends run h3-23 now
  - appveyor: Add MSVC ARM64 build
  - appveyor: Use two parallel compilation on appveyor with CMake
  - appveyor: add --disable-proxy autotools build
  - appveyor: publish artifacts on appveyor
  - appveyor: upgrade VS2017 to VS2019
  - asyn-thread: make use of Curl_socketpair() where available
  - asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris
  - build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines
  - checksrc: fix uninitialized variable warning
  - chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error
  - cirrus: Switch the FreeBSD 11.x build to 11.3 and add a 13.0 build
  - cirrus: switch off blackhole status on the freebsd CI machines
  - cleanups: 21 various PVS-Studio warnings
  - configure: only say ipv6 enabled when the variable is set
  - configure: remove all cyassl references
  - conn-reuse: requests wanting NTLM can reuse non-NTLM connections
  - connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT
  - connect: silence sign-compare warning
  - cookie: avoid harmless use after free
  - cookie: pass in the correct cookie amount to qsort()
  - cookies: change argument type for Curl_flush_cookies
  - cookies: using a share with cookies shouldn't enable the cookie engine
  - copyrights: update copyright notices to 2019
  - curl: create easy handles on-demand and not ahead of time
  - curl: ensure HTTP 429 triggers --retry
  - curl: exit the create_transfers loop on errors
  - curl: fix memory leaked by parse_metalink()
  - curl: load large files with -d @ much faster
  - docs/HTTP3: fix `--with-ssl` ngtcp2 configure flag
  - docs: added multi-event.c example
  - docs: disambiguate CURLUPART_HOST is for host name (ie no port)
  - docs: note on failed handles not being counted by curl_multi_perform
  - doh: allow only http and https in debug mode
  - doh: avoid truncating DNS QTYPE to lower octet
  - doh: clean up dangling DOH memory on easy close
  - doh: fix (harmless) buffer overrun
  - doh: fix undefined behaviour and open up for gcc and clang optimization
  - doh: return early if there is no time left
  - examples/sslbackend: fix -Wchar-subscripts warning
  - gnutls: make gnutls_bye() not wait for response on shutdown
  - http2: expire a timeout at end of stream
  - http2: prevent dup'ed handles to send dummy PRIORITY frames
  - http2: relax verification of :authority in push promise requests
  - http2_recv: a closed stream trumps pause state
  - http: lowercase headernames for HTTP/2 and HTTP/3
  - ldap: Stop using wide char version of ldap_err2string
  - ldap: fix OOM error on missing query string
  - mbedtls: add error message for cert validity starting in the future
  - mime: when disabled, avoid C99 macro
  - ngtcp2: adapt to API change
  - ngtcp2: compile with latest ngtcp2 + nghttp3 draft-23
  - ngtcp2: remove fprintf() calls
  - openssl: close_notify on the FTP data connection doesn't mean closure
  - openssl: use strerror on SSL_ERROR_SYSCALL
  - os400: getpeername() and getsockname() return ebcdic AF_UNIX sockaddr
  - parsedate: fix date parsing disabled builds
  - quiche: don't close connection at end of stream
  - quiche: persist connection details (fixes -I with --http3)
  - quiche: set 'drain' when returning without having drained the queues
  - quiche: update HTTP/3 config creation to new API
  - redirect: handle redirects to absolute URLs containing spaces
  - runtests: get textaware info from curl instead of perl
  - schannel: reverse the order of certinfo insertions
  - schannel_verify: Fix concurrent openings of CA file
  - security: silence conversion warning
  - setopt: handle ALTSVC set to NULL
  - setopt: make it easier to add new enum values
  - setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly
  - smb: check for full size message before reading message details
  - smbserver: fix Python 3 compatibility
  - socks: Fix destination host shown on SOCKS5 error
  - test1162: disable MSYS2's POSIX path conversion
  - test1591: fix spelling of http feature
  - tests: add 'connect to non-listen' keywords
  - tests: fix narrowing conversion warnings
  - tests: fix the test 3001 cert failures
  - tests: makes tests succeed when using --disable-proxy
  - tests: use %FILE_PWD for file:// URLs
  - tests: use port 2 instead of 60000 for a safer non-listening port
  - tool_operate: Fix retry sleep time shown to user when Retry-After
  - url: Curl_free_request_state() should also free doh handles
  - url: don't set appconnect time for non-ssl/non-ssh connections
  - url: fix the NULL hostname compiler warning
  - url: normalize CURLINFO_EFFECTIVE_URL
  - url: only reuse TLS connections with matching pinning
  - urlapi: avoid index underflow for short ipv6 hostnames
  - urlapi: fix URL encoding when setting a full URL
  - urlapi: question mark within fragment is still fragment
  - urldata: use 'bool' for the bit type on MSVC compilers
  - vtls: fix narrowing conversion warnings
- Update to 7.66.0 [bsc#1149496, CVE-2019-5482][bsc#1149495, CVE-2019-5481]
  * Changes:
  - CURLINFO_RETRY_AFTER: parse the Retry-After header value
  - HTTP3: initial (experimental still not working) support
  - curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
  - curl: support parallel transfers with -Z
  - curl_multi_poll: a sister to curl_multi_wait() that waits more
  - sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
  * Bugfixes:
  - CVE-2019-5481: FTP-KRB double-free
  - CVE-2019-5482: TFTP small blocksize heap buffer overflow
  - CMake: remove needless newlines at end of gss variables
  - CMake: use platform dependent name for dlopen() library
  - CURLINFO docs: mention that in redirects times are added
  - CURLOPT_ALTSVC.3: use a "" file name to not load from a file
  - CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
  - CURLOPT_HEADERFUNCTION.3: clarify
  - CURLOPT_HTTP_VERSION: setting this to 3 forces HTTP/3 use directly
  - CURLOPT_READFUNCTION.3: provide inline example
  - CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
  - Curl_addr2string: take an addrlen argument too
  - Curl_fillreadbuffer: avoid double-free trailer buf on error
  - HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
  - alt-svc: add protocol version selection masking
  - alt-svc: fix removal of expired cache entry
  - alt-svc: make it use h3-22 with ngtcp2 as well
  - alt-svc: more liberal ALPN name parsing
  - alt-svc: send Alt-Used: in redirected requests
  - alt-svc: with quiche, use the quiche h3 alpn string
  - asyn-thread: create a socketpair to wait on
  - cleanup: move functions out of url.c and make them static
  - cleanup: remove the 'numsocks' argument used in many places
  - configure: avoid undefined check_for_ca_bundle
  - curl.h: add CURL_HTTP_VERSION_3 to the version enum
  - curl: cap the maximum allowed values for retry time arguments
  - curl: handle a libcurl build without netrc support
  - curl: make use of CURLINFO_RETRY_AFTER when retrying
  - curl: use CURLINFO_PROTOCOL to check for HTTP(s)
  - curl_global_init_mem.3: mention it was added in 7.12.0
  - curl_version: bump string buffer size to 250
  - curl_version_info.3: mentioned ALTSVC and HTTP3
  - curl_version_info: offer quic (and h3) library info
  - curl_version_info: provide nghttp2 details
  - defines: avoid underscore-prefixed defines
  - docs/ALTSVC: remove what works and the experimental explanation
  - docs/EXPERIMENTAL: explain what it means and what's experimental now
  - docs/MANUAL.md: converted to markdown from plain text
  - docs/examples/curlx: fix errors
  - docs: s/curl_debug/curl_dbg_debug in comments and docs
  - easy: resize receive buffer on easy handle reset
  - examples: Avoid reserved names in hiperfifo examples
  - examples: add http3.c, altsvc.c and http3-present.c
  - http09: disable HTTP/0.9 by default in both tool and library
  - http2: when marked for closure and wanted to close == OK
  - http2_recv: trigger another read when the last data is returned
  - http: fix use of credentials from URL when using HTTP proxy
  - http_negotiate: improve handling of gss_init_sec_context() failures
  - md4: Use our own MD4 when no crypto libraries are available
  - multi: call detach_connection before Curl_disconnect
  - nss: use TLSv1.3 as default if supported
  - openssl: build warning free with boringssl
  - openssl: use SSL_CTX_set__proto_version() when available
  - plan9: add support for running on Plan 9
  - progress: reset download/uploaded counter between transfers
  - readwrite_data: repair setting the TIMER_STARTTRANSFER stamp
  - scp: fix directory name length used in memcpy
  - smb: init *msg to NULL in smb_send_and_recv()
  - smtp: check for and bail out on too short EHLO response
  - source: remove names from source comments
  - spnego_sspi: add typecast to fix build warning
  - src/makefile: fix uncompressed hugehelp.c generation
  - ssh-libssh: do not specify O_APPEND when not in append mode
  - ssh: move code into vssh for SSH backends
  - sspi: fix memory leaks
  - tests: Replace outdated test case numbering documentation
  - tftp: return error when packet is too small for options
  - timediff: make it 64 bit (if possible) even with 32 bit time_t
  - travis: reduce number of torture tests in 'coverage'
  - url: make use of new HTTP version if alt-svc has one
  - urlapi: verify the IPv6 numerical address
  - urldata: avoid 'generic', use dedicated pointers
  - vauth: Use CURLE_AUTH_ERROR for auth function errors
- Update to 7.65.3
  * progress: make the progress meter appear again
- Update to 7.65.2
  * Bugfixes:
  - CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH
  - CMake: Fix finding Brotli on case-sensitive file systems
  - CURLOPT_RANGE.3: Caution against using it for HTTP PUT
  - CURLOPT_SEEKDATA.3: fix variable name
  - bindlocal: detect and avoid IP version mismatches in bind()
  - build: fix Codacy warnings
  - c-ares: honor port numbers in CURLOPT_DNS_SERVERS
  - config-os400: add getpeername and getsockname defines
  - configure: --disable-progress-meter
  - configure: fix --disable-code-coverage
  - configure: more --disable switches to toggle off individual features
  - configure: remove CURL_DISABLE_TLS_SRP
  - conn_maxage: move the check to prune_dead_connections()
  - curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds
  - docs: Explain behavior change in --tlsv1. options since 7.54
  - docs: Fix links to OpenSSL docs
  - docs: fix string suggesting HTTP/2 is not the default
  - headers: Remove no longer exported functions
  - http2: call done_sending on end of upload
  - http2: don't call stream-close on already closed streams
  - http2: remove CURL_DISABLE_TYPECHECK define
  - http: allow overriding timecond with custom header
  - http: clarify header buffer size calculation
  - krb5: fix compiler warning
  - lib: Use UTF-8 encoding in comments
  - libcurl: Restrict redirect schemes to HTTP, HTTPS, FTP and FTPS
  - multi: enable multiplexing by default (again)
  - multi: fix the transfer hashes in the socket hash entries
  - multi: make sure 'data' can be present in several sockhash entries
  - netrc: Return the correct error code when out of memory
  - nss: don't set unused parameter
  - nss: inspect returnvalue of token check
  - nss: only cache valid CRL entries
  - openssl: define HAVE_SSL_GET_SHUTDOWN based on version number
  - openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined
  - openssl: fix pubkey/signature algorithm detection in certinfo
  - os400: make vsetopt() non-static as Curl_vsetopt() for os400 support
  - quote.d: asterisk prefix works for SFTP as well
  - runtests: keep logfiles around by default
  - runtests: report single test time + total duration
  - test1165: verify that CURL_DISABLE_ symbols are in sync
  - test1521: adapt to SLISTPOINT
  - test1523: test CURLOPT_LOW_SPEED_LIMIT
  - test153: fix content-length to avoid occasional hang
  - test188/189: fix Content-Length
  - tests: have runtests figure out disabled features
  - tests: support non-localhost HOSTIP for dict/smb servers
  - tests: update fixed IP for hostip/clientip split
  - tool_cb_prg: Fix integer overflow in progress bar
  - typecheck: CURLOPT_CONNECT_TO takes an slist too
  - typecheck: add 3 missing strings and a callback data pointer
  - unit1654: cleanup on memory failure
  - unpause: trigger a timeout for event-based transfers
  - url: Fix CURLOPT_MAXAGE_CONN time comparison
- Rebased patch curl-use_OPENSSL_config.patch
- Disable newly added failing test1165
- Update to 7.65.1
  * Bugfixes:
  - CURLOPT_LOW_SPEED_* repaired
  - NTLM: reset proxy "multipass" state when CONNECT request is done
  - PolarSSL: deprecate support step 1. Removed from configure
  - cmake: check for if_nametoindex()
  - cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables
  - conncache: Remove the DEBUGASSERT on length check
  - conncache: make "bundles" per host name when doing proxy tunnels
  - curl_share_setopt.3: improve wording
  - dump-header.d: spell out that no headers == empty file
  - example/http2-download: fix format specifier
  - examples: cleanups and compiler warning fixes
  - http2: Stop drain from being permanently set
  - http: don't parse body-related headers in bodyless responses
  - md4: build correctly with openssl without MD4
  - md4: include the mbedtls config.h to get the MD4 info
  - multi: track users of a socket better
  - nss: allow to specify TLS 1.3 ciphers if supported by NSS
  - parse_proxy: make sure portptr is initialized
  - parse_proxy: use the IPv6 zone id if given
  - sectransp: handle errSSLPeerAuthCompleted from SSLRead()
  - singlesocket: use separate variable for inner loop
  - ssl: Update outdated "openssl-only" comments for supported backends
  - tests: add HAProxy keywords
  - tests: make test 1420 and 1406 work with rtsp-disabled libcurl
  - tls13-docs: mention it is only for OpenSSL >= 1.1.1
  - tool_setopt: for builds with disabled-proxy, skip all proxy setopts()
  - url: fix bad feature-disable #ifdef
  - url: use correct port in ConnectionExists()
- Update to 7.65.0 [bsc#1135176, CVE-2019-5435][bsc#1135170, CVE-2019-5436]
  * Changes:
  - CURLOPT_DNS_USE_GLOBAL_CACHE: removed
  - CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse
  - pipelining: removed
  * Bugfixes:
  - CVE-2019-5435: Integer overflows in curl_url_set
  - CVE-2019-5436: tftp: use the current blksize for recvfrom()
  - --config: clarify that initial : and = might need quoting
  - CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk
  - CURLOPT_ADDRESS_SCOPE: fix range check and more
  - CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value
  - CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE
  - CURL_MAX_INPUT_LENGTH: largest acceptable string input size
  - Curl_disconnect: treat all CONNECT_ONLY connections as "dead"
  - OS400/ccsidcurl: replace use of Curl_vsetopt
  - OpenSSL: Report -fips in version if OpenSSL is built with FIPS
  - WRITEFUNCTION: add missing set_in_callback around callback
  - altsvc: Fix building with cookies disabled
  - auth: Rename the various authentication clean up functions
  - base64: build conditionally if there are users
  - cmake: avoid linking executable for some tests with cmake 3.6+
  - cmake: clear CMAKE_REQUIRED_LIBRARIES after each use
  - cmake: set SSL_BACKENDS
  - configure: avoid unportable '==' test(1) operator
  - configure: error out if OpenSSL wasn't detected when asked for
  - configure: fix default location for fish completions
  - cookie: Guard against possible NULL ptr deref
  - curl: make code work with protocol-disabled libcurl
  - curl: report error for "--no-" on non-boolean options
  - curlver.h: use parenthesis in CURL_VERSION_BITS macro
  - docs/INSTALL: fix broken link
  - doh: acknowledge CURL_DISABLE_DOH
  - doh: disable DOH for the cases it doesn't work
  - examples: remove unused variables
  - ftplistparser: fix LGTM alert "Empty block without comment"
  - hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS
  - http: Ignore HTTP/2 prior knowledge setting for HTTP proxies
  - http: acknowledge CURL_DISABLE_HTTP_AUTH
  - http: mark bundle as not for multiuse on < HTTP/2 response
  - http_digest: Don't expose functions when HTTP and Crypto Auth are disabled
  - http_negotiate: do not treat failure of gss_init_sec_context() as fatal
  - http_ntlm: Corrected the name of the include guard
  - http_ntlm_wb: Handle auth for only a single request
  - http_ntlm_wb: Return the correct error on receiving an empty auth message
  - lib509: add missing include for strdup
  - lib557: initialize variables
  - mbedtls: enable use of EC keys
  - mime: acknowledge CURL_DISABLE_MIME
  - multi: improved HTTP_1_1_REQUIRED handling
  - netrc: acknowledge CURL_DISABLE_NETRC
  - nss: allow fifos and character devices for certificates
  - nss: provide more specific error messages on failed init
  - ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup
  - ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
  - openssl: mark connection for close on TLS close_notify
  - openvms: Remove pre-processor for SecureTransport
  - parse_proxy: use the URL parser API
  - parsedate: disabled on CURL_DISABLE_PARSEDATE
  - pingpong: disable more when no pingpong protocols are enabled
  - polarssl_threadlock: remove conditionally unused code
  - progress: acknowledge CURL_DISABLE_PROGRESS_METER
  - proxy: acknowledge DISABLE_PROXY more
  - resolve: apply Happy Eyeballs philosophy to parallel c-ares queries
  - revert "multi: support verbose conncache closure handle"
  - sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616
  - sasl: only enable if there's a protocol enabled using it
  - singleipconnect: show port in the verbose "Trying ..." message
  - socks5: user name and passwords must be shorter than 256
  - socks: fix error message
  - socksd: new SOCKS 4+5 server for tests
  - spnego_gssapi: fix return code on gss_init_sec_context() failure
  - ssh-libssh: remove unused variable
  - ssh: define USE_SSH if SSH is enabled (any backend)
  - ssh: move variable declaration to where it's used
  - test1002: correct the name
  - test2100: Fix typos in test description
  - tests: Run global cleanup at end of tests
  - tests: make Impacket (SMB server) Python 3 compatible
  - tool_cb_wrt: fix bad-function-cast warning
  - tool_formparse: remove redundant assignment
  - tool_help: Warn if curl and libcurl versions do not match
  - tool_help: include for strcasecmp
  - url: always clone the CURLOPT_CURLU handle
  - url: convert the zone id from a IPv6 URL to correct scope id
  - urlapi: add CURLUPART_ZONEID to set and get
  - urlapi: increase supported scheme length to 40 bytes
  - urlapi: require a non-zero host name length when parsing URL
  - urlapi: stricter CURLUPART_PORT parsing
  - urlapi: strip off zone id from numerical IPv6 addresses
  - urlapi: urlencode characters above 0x7f correctly
  - vauth/cleartext: update the PLAIN login to match RFC 4616
  - vauth/oauth2: Fix OAUTHBEARER token generation
  - vauth: Fix incorrect function description for Curl_auth_user_contains_domain
  - vtls: fix potential ssl_buffer stack overflow
  - wildcard: disable from build when FTP isn't present
  - xattr: skip unittest on unsupported platforms
- Install curl.fish completions file from curl rather than from the fish package
- update to version 7.64.1
  * Changes:
  - alt-svc: experimental support added
  - configure: add --with-amissl
  * Bugfixes:
  - AppVeyor: switch VS 2015 builds to VS 2017 image
  - CURLU: fix NULL dereference when used over proxy
  - Curl_easy: remove req.maxfd - never used!
  - Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning
  - DoH: inherit some SSL options from user's easy handle
  - Secure Transport: no more "darwinssl"
  - Secure Transport: tvOS 11 is required for ALPN support
  - cirrus: Added FreeBSD builds using Cirrus CI
  - cleanup: make local functions static
  - cli tool: do not use mime.h private structures
  - cmdline-opts/proxytunnel.d: the option tunnels all protocols
  - configure: add additional libraries to check for LDAP support
  - configure: remove the unused fdopen macro
  - configure: show features as well in the final summary
  - conncache: use conn->data to know if a transfer owns it
  - connection: never reuse CONNECT_ONLY connections
  - connection_check: restore original conn->data after the check
  - connection_check: set ->data to the transfer doing the check
  - cookie: Add support for cookie prefixes
  - cookies: dotless names can set cookies again
  - cookies: fix NULL dereference if flushing cookies with no CookieInfo set
  - curl.1: --user and --proxy-user are hidden from ps output
  - curl.1: mark the argument to --cookie as
  - curl.h: use __has_declspec_attribute for shared builds
  - curl: display --version features sorted alphabetically
  - curl: fix FreeBSD compiler warning in the --xattr code
  - curl: remove MANUAL from -M output
  - curl_easy_duphandle.3: clarify that a duped handle has no shares
  - curl_multi_remove_handle.3: use at any time, just not from within callbacks
  - curl_url.3: this API is not experimental anymore
  - dns: release sharelock as soon as possible
  - docs: update max-redirs.d phrasing
  - examples/10-at-a-time.c: improve readability and simplify
  - examples/cacertinmem.c: use multiple certificates for loading CA-chain
  - examples/crawler: Fix the Accept-Encoding setting
  - examples/ephiperfifo.c: various fixes
  - examples/externalsocket: add missing close socket calls
  - examples/http2-download: cleaned up
  - examples/http2-serverpush: add some sensible error checks
  - examples/http2-upload: cleaned up
  - examples/httpcustomheader: Value stored to 'res' is never read
  - examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory'
  - examples/sftpuploadresume: Value stored to 'result' is never read
  - examples: only include
  - examples: remove recursive calls to curl_multi_socket_action
  - examples: remove superfluous null-pointer checks
  - file: fix "Checking if unsigned variable 'readcount' is less than zero."
  - fnmatch: disable if FTP is disabled
  - gnutls: remove call to deprecated gnutls_compression_get_name
  - gopher: remove check for path == NULL
  - gssapi: fix deprecated header warnings
  - hostip: make create_hostcache_id avoid alloc + free
  - http2: multi_connchanged() moved from multi.c, only used for h2
  - http2: verify :authority in push promise requests
  - http: make adding a blank header thread-safe
  - http: send payload when (proxy) authentication is done
  - http: set state.infilesize when sending multipart formposts
  - makefile: make checksrc and hugefile commands "silent"
  - mbedtls: make it build even if MBEDTLS_VERSION_C isn't set
  - mbedtls: release sessionid resources on error
  - memdebug: log pointer before freeing its data
  - memdebug: make debug-specific functions use curl_dbg_ prefix
  - mime: put the boundary buffer into the curl_mime struct
  - multi: call multi_done on connect timeouts, fixes CURLINFO_TOTAL_TIME
  - multi: remove verbose "Expire in" ... messages
  - multi: removed unused code for request retries
  - multi: support verbose conncache closure handle
  - negotiate: fix for HTTP POST with Negotiate
  - openssl: add support for TLS ASYNC state
  - openssl: if cert type is ENG and no key specified, key is ENG too
  - pretransfer: don't strlen() POSTFIELDS set for GET requests
  - rand: Fix a mismatch between comments in source and header
  - runtests: detect "schannel" as an alias for "winssl"
  - schannel: be quiet - remove verbose output
  - schannel: close TLS before removing conn from cache
  - schannel: support CALG_ECDH_EPHEM algorithm
  - scripts/completion.pl: also generate fish completion file
  - singlesocket: fix the 'sincebefore' placement
  - source: fix two 'nread' may be used uninitialized warnings
  - ssh: fix Condition '!status' is always true
  - ssh: loop the state machine if not done and not blocking
  - strerror: make the strerror function use local buffers
  - test578: make it read data from the correct test
  - tests: Fixed XML validation errors in some test files
  - tests: add stderr comparison to the test suite
  - tests: fix multiple may be used uninitialized warnings
  - threaded-resolver: shutdown the resolver thread without error message
  - tool_cb_wrt: fix writing to Windows null device NUL
  - tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr
  - tool_operate: build on AmigaOS
  - tool_operate: fix typecheck warning
  - transfer.c: do not compute length of undefined hex buffer
  - travis: add build using gnutls
  - travis: add scan-build
  - travis: bump the used wolfSSL version to 4.0.0
  - travis: enable valgrind for the iconv tests
  - travis: use updated compiler versions: clang 7 and gcc 8
  - unit1307: require FTP support
  - unit1651: survive curl_easy_init() fails
  - url/idnconvert: remove scan for <= 32 ascii values
  - url: change conn shutdown order to ensure SOCKETFUNCTION callbacks
  - urlapi: reduce variable scope, remove unreachable 'break'
  - urldata: convert bools to bitfields and move to end
  - urldata: simplify bytecounters
  - urlglob: Argument with 'nonnull' attribute passed null
  - version.c: silent scan-build even when librtmp is not enabled
  - vtls: rename some of the SSL functions
  - wolfssl: stop custom-adding curves
  - x509asn1: "Dereference of null pointer"
  - x509asn1: cleanup and unify code layout
  - zsh.pl: escape ':' character
  - zsh.pl: update regex to better match curl -h output
- Dropped patches fixed upstream:
  * 0001-connection_check-set-data-to-the-transfer-doing-the-.patch
  * 0002-connection_check-restore-original-conn-data-after-th.patch
  * curl-singlesocket-sincebefore-placement.patch
- Fix variable placement that wasn't properly reset within a loop
  missing to notify sockets. [bsc#1129083, bsc#1129470]
  * Added curl-singlesocket-sincebefore-placement.patch
- Add patches to fix use-after-free (boo#1127849):
  * 0001-connection_check-set-data-to-the-transfer-doing-the-.patch
  * 0002-connection_check-restore-original-conn-data-after-th.patch
- BuildRequire libcurl4-mini for !bootstrap to avoid build cycles
  due to cmake pulling libcurl4
- update to version 7.64.0
  [bsc#1123371, CVE-2018-16890][bsc#1123377, CVE-2019-3822]
  [bsc#1123378, CVE-2019-3823]
  * Changes:
  - cookies: leave secure cookies alone
  - hostip: support wildcard hosts
  - http: Implement trailing headers for chunked transfers
  - http: added options for allowing HTTP/0.9 responses
  - timeval: Use high resolution timestamps on Windows
  * Bugfixes:
  - CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
  - CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
  - CVE-2019-3823: SMTP end-of-response out-of-bounds read
  - FAQ: remove mention of sourceforge for github
  - OS400: handle memory error in list conversion
  - OS400: upgrade ILE/RPG binding.
  - README: add codacy code quality badge
  - Revert http_negotiate: do not close connection
  - THANKS: added several missing names from year <= 2000
  - build: make 'tidy' target work for metalink builds
  - cmake: added checks for variadic macros
  - cmake: updated check for HAVE_POLL_FINE to match autotools
  - cmake: use lowercase for function name like the rest of the code
  - configure: detect xlclang separately from clang
  - configure: fix recv/send/select detection on Android
  - configure: rewrite --enable-code-coverage
  - conncache_unlock: avoid indirection by changing input argument type
  - cookie: fix comment typo
  - cookies: allow secure override when done over HTTPS
  - cookies: extend domain checks to non psl builds
  - cookies: skip custom cookies when redirecting cross-site
  - curl --xattr: strip credentials from any URL that is stored
  - curl -J: refuse to append to the destination file
  - curl/urlapi.h: include "curl.h" first
  - curl_multi_remove_handle() don't block terminating c-ares requests
  - darwinssl: accept setting max-tls with default min-tls
  - disconnect: separate connections and easy handles better
  - disconnect: set conn->data for protocol disconnect
  - docs/version.d: mention MultiSSL
  - docs: fix the --tls-max description
  - docs: use $(INSTALL_DATA) to install man page
  - docs: use meaningless port number in CURLOPT_LOCALPORT example
  - gopher: always include the entire gopher-path in request
  - http2: clear pause stream id if it gets closed
  - if2ip: remove unused function Curl_if_is_interface_name
  - libssh: do not let libssh create socket
  - libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
  - libssh: free sftp_canonicalize_path() data correctly
  - libtest/stub_gssapi: use "real" snprintf
  - mbedtls: use VERIFYHOST
  - multi: multiplexing improvements
  - multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
  - ntlm: fix NTLMv2 compliance
  - ntlm_sspi: add support for channel binding
  - openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
  - openssl: fix the SSL_get_tlsext_status_ocsp_resp call
  - openvms: fix OpenSSL discovery on VAX
  - openvms: fix typos in documentation
  - os400: add a missing closing bracket
  - os400: fix extra parameter syntax error
  - pingpong: change default response timeout to 120 seconds
  - pingpong: ignore regular timeout in disconnect phase
  - printf: fix format specifiers
  - runtests.pl: Fix perl call to include srcdir
  - schannel: fix compiler warning
  - schannel: preserve original certificate path parameter
  - schannel: stop calling it "winssl"
  - sigpipe: if mbedTLS is used, ignore SIGPIPE
  - smb: fix incorrect path in request if connection reused
  - ssh: log the libssh2 error message when ssh session startup fails
  - test1558: verify CURLINFO_PROTOCOL on file:// transfer
  - test1561: improve test name
  - test1653: make it survive torture tests
  - tests: allow tests to pass by 2037-02-12
  - tests: move objnames-* from lib into tests
  - timediff: fix math for unsigned time_t
  - timeval: Disable MSVC Analyzer GetTickCount warning
  - tool_cb_prg: avoid integer overflow
  - travis: added cmake build for osx
  - urlapi: Fix port parsing of eol colon
  - urlapi: distinguish possibly empty query
  - urlapi: fix parsing ipv6 with zone index
  - urldata: rename easy_conn to just conn
  - winbuild: conditionally use /DZLIB_WINAPI
  - wolfssl: fix memory-leak in threaded use
  - spnego_sspi: add support for channel binding
- Fix wrong summary, curl is at version 7, not 4.
- Provide libcurl4 = %version in the mini library package
- Update to version 7.63.0
  Changes:
  * curl: add %{stderr} and %{stdout} for --write-out
  * curl: add undocumented option --dump-module-paths for w32
  * setopt: add CURLOPT_CURLU
  Bugfixes:
  * (lib)curl.rc: fixup for minor bugs
  * CURLINFO_REDIRECT_URL: extract the Location: header field unvalidated
  * CURLOPT_HEADERFUNCTION.3: match 'nitems' name in synopsis/desc
  * CURLOPT_WRITEFUNCTION.3: spell out that it gets called many times
  * Curl_follow: accept non-supported schemes for "fake" redirects
  * KNOWN_BUGS: add --proxy-any connection issue
  * NTLM: Remove redundant ifdef USE_OPENSSL
  * NTLM: force the connection to HTTP/1.1
  * OS400: add URL API ccsid wrappers and sync ILE/RPG bindings
  * SECURITY-PROCESS: bountygraph shuts down again
  * TODO: Have the URL API offer IDN decoding
  * ares: remove fd from multi fd set when ares is about to close the fd
  * axtls: removed
  * checksrc: add COPYRIGHTYEAR check
  * cmake: fix MIT/Heimdal Kerberos detection
  * configure: include all libraries in ssl-libs fetch
  * configure: show CFLAGS, LDFLAGS etc in summary
  * connect: fix building for recent versions of Minix
  * cookies: create the cookiejar even if no cookies to save
  * cookies: expire "Max-Age=0" immediately
  * curl: --local-port range was not "including"
  * curl: fix --local-port integer overflow
  * curl: fix memory leak reading --writeout from file
  * curl: fixed UTF-8 in current console code page (Win)
  * curl_easy_perform: fix timeout handling
  * curl_global_sslset(): id == -1 is not necessarily an error
  * curl_multibyte: fix a malloc overcalculation
  * curle: move deprecated error code to ifndef block
  * docs: curl_formadd field and file names are now escaped
  * docs: escape "\n" codes
  * doh: fix memory leak in OOM situation
  * doh: make it work for h2-disabled builds too
  * examples/ephiperfifo: report error when epoll_ctl fails
  * ftp: avoid unsigned int overflows in FTP listing parser
  * host names: allow trailing dot in name resolve, then strip it
  * http2: Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1
  * http: don't set CURLINFO_CONDITION_UNMET for http status code 204
  * http: fix HTTP Digest auth to include query in URI
  * http_negotiate: do not close connection until negotiation is completed
  * impacket: add LICENSE
  * infof: clearly indicate truncation
  * ldap: fix LDAP URL parsing regressions
  * libcurl: stop reading from paused transfers
  * mprintf: avoid unsigned integer overflow warning
  * netrc: don't ignore the login name specified with "--user"
  * nss: Fall back to latest supported SSL version
  * nss: Fix compatibility with nss versions 3.14 to 3.15
  * nss: fix fallthrough comment to fix picky compiler warning
  * nss: remove version selecting dead code
  * nss: set default max-tls to 1.3/1.2
  * openssl: Remove SSLEAY leftovers
  * openssl: do not log excess "TLS app data" lines for TLS 1.3
  * openssl: do not use file BIOs if not requested
  * openssl: fix unused variable compiler warning with old openssl
  * openssl: support session resume with TLS 1.3
  * openvms: fix example name
  * os400: Add curl_easy_conn_upkeep() to ILE/RPG binding
  * os400: add CURLOPT_CURLU to ILE/RPG binding
  * os400: fix return type of curl_easy_pause() in ILE/RPG binding
  * packages: remove old leftover files and dirs
  * pop3: only do APOP with a valid timestamp
  * runtests: use the local curl for verifying
  * schannel: be consistent in Schannel capitalization
  * schannel: better CURLOPT_CERTINFO support
  * schannel: use Curl_prefix for global private symbols
  * snprintf: renamed and now we only use msnprintf()
  * ssl: fix compilation with OpenSSL 0.9.7
  * ssl: replace all internal uses of CURLE_SSL_CACERT
  * symbols-in-versions: add missing CURLU_symbols
  * test328: verify Content-Encoding: none
  * tests: disable SO_EXCLUSIVEADDRUSE for stunnel/Win
  * tests: drop http_pipe.py script no longer used
  * tool_cb_wrt: Silence function cast compiler warning
  * tool_doswin: Fix uninitialized field warning
  * travis: build with clang sanitizers
  * travis: remove curl before a normal build
  * url: a short host name + port is not a scheme
  * url: fix IPv6 numeral address parser
  * urlapi: only skip encoding the first '=' with APPENDQUERY set
- refreshed curl-disabled-redirect-protocol-message.patch
- Update to version 7.62.0
  Changes:
  * multiplex: enable by default
  * url: default to CURL_HTTP_VERSION_2TLS if built h2-enabled
  * setopt: add CURLOPT_DOH_URL
  * curl: --doh-url added
  * setopt: add CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer size
  * imap: change from "FETCH" to "UID FETCH"
  * configure: add option to disable automatic OpenSSL config loading
  * upkeep: add a connection upkeep API: curl_easy_upkeep()
  * URL-API: added five new functions
  * vtls: MesaLink is a new TLS backend
  Bugfixes:
  * CVE-2018-16839: SASL password overflow via integer overflow [bsc#1112758]
  * CVE-2018-16840: use-after-free in handle close [bsc#1113029]
  * CVE-2018-16842: warning message out-of-buffer read [bsc#1113660]
  * CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated
  * Curl_dedotdotify(): always nul terminate returned string
  * Curl_follow: Always free the passed new URL
  * Curl_http2_done: fix memleak in error path
  * Curl_retry_request: fix memory leak
  * Curl_saferealloc: Fixed typo in docblock
  * FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output
  * GnuTLS: TLS 1.3 support
  * SECURITY-PROCESS: mention the bountygraph program
  * VS projects: add USE_IPV6:
  * certs: generate tests certs with sha256 digest algorithm
  * checksrc: enable strict mode and warnings
  * checksrc: handle zero scoped ignore commands
  * cmake: Backport to work with CMake 3.0 again
  * cmake: Improve config installation
  * cmake: add support for transitive ZLIB target
  * cmake: disable -Wpedantic-ms-format
  * cmake: don't require OpenSSL if USE_OPENSSL=OFF
  * cmake: fixed path used in generation of docs/tests
  * cmake: remove unused *SOCKLEN_T variables
  * cmake: suppress MSVC warning C4127 for libtest
  * cmake: test and set missed defines during configuration
  * config: Remove unused SIZEOF_VOIDP
  * configure: force-use -lpthreads on HPUX
  * configure: remove CURL_CONFIGURE_CURL_SOCKLEN_T
  * configure: s/AC_RUN_IFELSE/CURL_RUN_IFELSE
  * cookies: Remove redundant expired check
  * cookies: fix leak when writing cookies to file
  * curl-config.in: remove dependency on bc
  * curl.1: --ipv6 mutexes ipv4 (fixed typo)
  * curl: update the documentation of --tlsv1.0
  * curl_multi_wait: call getsock before figuring out timeout
  * curl_ntlm_wb: check aprintf() return codes
  * data-binary.d: clarify default content-type is x-www-form-urlencoded
  * docs/CIPHERS: Mention the options used to set TLS 1.3 ciphers
  * docs/CIPHERS: fix the TLS 1.3 cipher names
  * docs/CIPHERS: mention the colon separation for OpenSSL
  * docs/examples: URL updates
  * docs: add "see also" links for SSL options
  * example/asiohiper: insert warning comment about its status
  * example/htmltidy: fix include paths of tidy libraries
  * examples/http2-pushinmemory: receive HTTP/2 pushed files in memory
  * examples/parseurl.c: show off the URL API
  * examples: Fix memory leaks from realloc errors
  * examples: do not wait when no transfers are running
  * ftp: include command in Curl_ftpsend sendbuffer
  * gskit: make sure to terminate version string
  * gtls: Values stored to but never read
  * hostip: fix check on Curl_shuffle_addr return value
  * http2: fix memory leaks on error-path
  * http: fix memleak in rewind error path
  * krb5: fix memory leak in krb_auth
  * memory: add missing curl_printf header
  * memory: ensure to check allocation results
  * multi: Fix error handling in the SENDPROTOCONNECT state
  * multi: fix memory leak in content encoding related error path
  * multi: make the closure handle "inherit" CURLOPT_NOSIGNAL
  * netrc: free temporary strings if memory allocation fails
  * nss: try to connect even if libnssckbi.so fails to load
  * ntlm_wb: Fix memory leaks in ntlm_wb_response
  * ntlm_wb: bail out if the response gets overly large
  * openssl: assume engine support in 0.9.8 or later
  * openssl: enable TLS 1.3 post-handshake auth
  * openssl: fix gcc8 warning
  * openssl: load built-in engines too
  * openssl: make 'done' a proper boolean
  * openssl: output the correct cipher list on TLS 1.3 error
  * openssl: return CURLE_PEER_FAILED_VERIFICATION on failure to parse issuer
  * openssl: show "proper" version number for libressl builds
  * pipelining: deprecated
  * rand: add comment to skip a clang-tidy false positive
  * rtmp: fix for compiling with lwIP
  * runtests: ignore disabled even when ranges are given
  * schannel: unified error code handling
  * sendf: Fix whitespace in infof/failf concatenation
  * ssh: free the session on init failures
  * ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code
  * system.h: use proper setting with Sun C++ as well
  * test1299: use single quotes around asterisk
  * test1452: mark as flaky
  * test1651: unit test Curl_extract_certinfo()
  * test320: strip out more HTML when comparing
  * tests/negtelnetserver.py: fix Python2-ism in neg TELNET server
  * tests: add unit tests for url.c
  * tool_cb_hdr: handle failure of rename()
  * travis: add a "make tidy" build that runs clang-tidy
  * travis: add build for "configure --disable-verbose"
  * travis: bump the Secure Transport build to use xcode
  * travis: make distcheck scan for BOM markers
  * unit1300: fix stack-use-after-scope AddressSanitizer warning
  * urldata: Fix "connecting" comment
  * urlglob: improve error message on bad globs
  * vtls: fix ssl version "or later" behavior change for many backends
  * x509asn1: Fix SAN IP address verification
  * x509asn1: always check return code from getASN1Element()
  * x509asn1: return CURLE_PEER_FAILED_VERIFICATION on failure to parse cert
  * x509asn1: suppress left shift on signed value
- Rebased patches after update:
  * curl-disabled-redirect-protocol-message.patch
  * curl-use_OPENSSL_config.patch
- Update to version 7.61.1
  Bugfixes:
  * CVE-2018-14618: NTLM password overflow via integer overflow (bsc#1106019)
  * CURLINFO_SIZE_UPLOAD: fix missing counter update
  * CURLOPT_ACCEPT_ENCODING.3: list them comma-separated
  * CURLOPT_SSL_CTX_FUNCTION.3: might cause accidental connection reuse
  * Curl_getoff_all_pipelines: improved for multiplexed
  * DEPRECATE: remove release date from 7.62.0
  * HTTP: Don't attempt to needlessly decompress redirect body
  * INTERNALS: require GnuTLS >= 2.11.3
  * README.md: add LGTM.com code quality grade for C/C++
  * SSLCERTS: improve the openssl command line
  * Silence GCC 8 cast-function-type warnings
  * ares: check for NULL in completed-callback
  * asyn-thread: Remove unused macro
  * auth: only pick CURLAUTH_BEARER if we *have* a Bearer token
  * auth: pick Bearer authentication whenever a token is available
  * cmake: CMake config files are defining CURL_STATICLIB for static builds
  * cmake: Respect BUILD_SHARED_LIBS
  * cmake: Update scripts to use consistent style
  * cmake: bumped minimum version to 3.4
  * cmake: link curl to the OpenSSL targets instead of lib absolute paths
  * configure: conditionally enable pedantic-errors
  * configure: fix for -lpthread detection with OpenSSL and pkg-config
  * conn: remove the boolean 'inuse' field
  * content_encoding: accept up to 4 unknown trailer bytes after raw deflate data
  * cookie tests: treat files as text
  * cookies: support creation-time attribute for cookies
  * curl: Fix segfault when -H @headerfile is empty
  * curl: add http code 408 to transient list for --retry
  * curl: fix time-of-check, time-of-use race in dir creation
  * curl: use Content-Disposition before the "URL end" for -OJ
  * curl: warn the user if a given file name looks like an option
  * curl_threads: silence bad-function-cast warning
  * darwinssl: add support for ALPN negotiation
  * docs/CURLOPT_URL: fix indentation
  * docs/CURLOPT_WRITEFUNCTION: size is always 1
  * docs/SECURITY-PROCESS: mention bounty, drop pre-notify
  * docs/examples: add hiperfifo example using linux epoll/timerfd
  * docs: add disallow-username-in-url.d and haproxy-protocol.d to dist
  * docs: clarify NO_PROXY env variable functionality
  * docs: improved the manual pages of some callbacks
  * docs: mention NULL is fine input to several functions
  * formdata: Remove unused macro HTTPPOST_CONTENTTYPE_DEFAULT
  * gopher: Do not translate `?' to `%09'
  * header output: switch off all styles, not just unbold
  * hostip: fix unused variable warning
  * http2: Use correct format identifier for stream_id
  * http2: abort the send_callback if not setup yet
  * http2: avoid set_stream_user_data() before stream is assigned
  * http2: check nghttp2_session_set_stream_user_data return code
  * http2: clear the drain counter in Curl_http2_done
  * http2: make sure to send after RST_STREAM
  * http2: separate easy handle from connections better
  * http: fix for tiny "HTTP/0.9" response
  * http_proxy: Remove unused macro SELECT_TIMEOUT
  * lib/Makefile: only do symbol hiding if told to
  * lib1502: fix memory leak in torture test
  * lib1522: fix curl_easy_setopt argument type
  * libcurl-thread.3: expand somewhat on the NO_SIGNAL motivation
  * mime: check Curl_rand_hex's return code
  * multi: always do the COMPLETED procedure/state
  * openssl: assume engine support in 1.0.0 or later
  * openssl: fix debug messages
  * projects: Improve Windows perl detection in batch scripts
  * retry: return error if rewind was necessary but didn't happen
  * reuse_conn(): memory leak - free old_conn->options
  * schannel: client certificate store opening fix
  * schannel: enable CALG_TLS1PRF for w32api >= 5.1
  * schannel: fix MinGW compile break
  * sftp: don't send post-quote sequence when retrying a connection
  * smb: fix memory leak on early failure
  * smb: fix memory-leak in URL parse error path
  * smb_getsock: always wait for write socket too
  * ssh-libssh: fix infinite connect loop on invalid private key
  * ssh-libssh: reduce excessive verbose output about pubkey auth
  * ssh-libssh: use FALLTHROUGH to silence gcc8
  * ssl: set engine implicitly when a PKCS#11 URI is provided
  * sws: handle EINTR when calling select()
  * system_win32: fix version checking
  * telnet: Remove unused macros TELOPTS and TELCMDS
  * test1143: disable MSYS2's POSIX path conversion
  * test1148: disable if decimal separator is not point
  * test1307: (fnmatch testing) disabled
  * test1422: add required file feature
  * test1531: Add timeout
  * test1540: Remove unused macro TEST_HANG_TIMEOUT
  * test214: disable MSYS2's POSIX path conversion for URL
  * test320: treat curl320.out file as binary
  * tests/http_pipe.py: Use /usr/bin/env to find python
  * tests: Don't use Windows path %PWD for SSH tests
  * tests: fixes for Windows line endings
  * tool_operate: Fix setting proxy TLS 1.3 ciphers
  * travis: build darwinssl on macos 10.12 to fix linker errors
  * travis: execute "set -eo pipefail" for coverage build
  * travis: run a 'make checksrc' too
  * travis: update to GCC-8
  * travis: verify that man pages can be regenerated
  * upload: allocate upload buffer on-demand
  * upload: change default UPLOAD_BUFSIZE to 64KB
  * urldata: remove unused pipe_broke struct field
  * vtls: reinstantiate engine on duplicated handles
  * windows: implement send buffer tuning
  * wolfSSL/CyaSSL: Fix memory leak in Curl_cyassl_random
- Remove patch included upstream:
  * curl-switch-off-all-styles.patch
- Added curl-switch-off-all-styles.patch: Fix output of wrong escape sequences,
  which might mess up the terminal (bsc#1105624)
- Update to version 7.61.0
  [bsc#1099793, CVE-2018-0500]
  Changes:
  * getinfo: add microsecond precise timers for seven intervals
  * curl: show headers in bold, switch off with --no-styled-output
  * httpauth: add support for Bearer tokens
  * Add CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS
  * curl: --tls13-ciphers and --proxy-tls13-ciphers
  * Add CURLOPT_DISALLOW_USERNAME_IN_URL
  * curl: --disallow-username-in-url
  Bugfixes:
  * CVE-2018-0500: smtp: fix SMTP send buffer overflow
  * schannel: disable client cert option if APIs not available
  * schannel: disable manual verify if APIs not available
  * tests/libtest/Makefile: Do not unconditionally add gcc-specific flags
  * openssl: acknowledge --tls-max for default version too
  * stub_gssapi: fix 'unused parameter' warnings
  * examples/progressfunc: make it build on both new and old libcurls
  * docs: mention it is HA Proxy protocol "version 1"
  * curl_fnmatch: only allow two asterisks for matching
  * docs: clarify CURLOPT_HTTPGET
  * configure: replace a AC_TRY_RUN with CURL_RUN_IFELSE
  * configure: do compile-time SIZEOF checks instead of run-time
  * checksrc: make sure sizeof() is used *with* parentheses
  * CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit
  * schannel: make CAinfo parsing resilient to CR/LF
  * tftp: make sure error is zero terminated before printfing it
  * http resume: skip body if http code 416 (range error) is ignored
  * configure: add basic test of --with-ssl prefix
  * cmake: set -d postfix for debug builds
  * multi: provide a socket to wait for in Curl_protocol_getsock
  * content_encoding: handle zlib versions too old for Z_BLOCK
  * winbuild: only delete OUTFILE if it exists
  * winbuild: In MakefileBuild.vc fix typo DISTDIR->DIRDIST
  * schannel: add failf calls for client certificate failures
  * cmake: Fix the test for fsetxattr and strerror_r
  * curl.1: Fix cmdline-opts reference errors
  * cmdline-opts/gen.pl: warn if mutexes: or see-also: list non-existing options
  * cmake: check for getpwuid_r
  * configure: fix ssh2 linking when built with a static mbedtls
  * psl: use latest psl and refresh it periodically
  * fnmatch: insist on escaped bracket to match
  * KNOWN_BUGS: restore text regarding #2101
  * INSTALL: LDFLAGS=-Wl,-R/usr/local/ssl/lib
  * configure: override AR_FLAGS to silence warning
  * os400: implement mime api EBCDIC wrappers
  * curl.rc: embed manifest for correct Windows version detection
  * strictness: correct {infof, failf} format specifiers
  * tests: update .gitignore for libtests
  * configure: check for declaration of getpwuid_r
  * fnmatch: use the system one if available
  * CURLOPT_RESOLVE: always purge old entry first
  * multi: remove a potentially bad DEBUGF()
  * curl_addrinfo: use same #ifdef conditions in source as header
  * build: remove the Borland specific makefiles
  * axTLS: not considered fit for use
  * cmdline-opts/cert-type.d: mention "p12" as a recognized type
  * system.h: add support for IBM xlc C compiler
  * tests/libtest: Add lib1521 to nodist_SOURCES
  * mk-ca-bundle.pl: leave certificate name untouched
  * boringssl + schannel: undef X509_NAME in lib/schannel.h
  * openssl: assume engine support in 1.0.1 or later
  * cppcheck: fix warnings
  * test 46: make test pass after year 2025
  * schannel: support selecting ciphers
  * Curl_debug: remove dead printhost code
  * test 1455: unflakified
  * Curl_init_do: handle NULL connection pointer passed in
  * progress: remove a set of unused defines
  * mk-ca-bundle.pl: make -u delete certdata.txt if found not changed
  * GOVERNANCE.md: explains how this project is run
  * configure: use pkg-config for c-ares detection
  * configure: enhance ability to build with static openssl
  * maketgz: fix sed issues on OSX
  * multi: fix memory leak when stopped during name resolve
  * CURLOPT_INTERFACE.3: interface names not supported on Windows
  * url: fix dangling conn->data pointer
  * cmake: allow multiple SSL backends
  * system.h: fix for gcc on 32 bit OpenServer
  * ConnectionExists: make sure conn->data is set when "taking" a connection
  * multi: fix crash due to dangling entry in connect-pending list
  * CURLOPT_SSL_VERIFYPEER.3: Add performance note
  * netrc: use a larger buffer to support longer passwords
  * url: check Curl_conncache_add_conn return code
  * configure: Add dependent libraries after crypto
  * easy_perform: faster local name resolves by using *multi_timeout()
  * getnameinfo: not used, removed all configure checks
  * travis: add a build using the synchronous name resolver
  * CURLINFO_TLS_SSL_PTR.3: improve the example
  * openssl: allow TLS 1.3 by default
  * openssl: make the requested TLS version the *minimum* wanted
  * openssl: Remove some dead code
  * telnet: fix clang warnings
  * DEPRECATE: new doc describing planned item removals
  * example/crawler.c: simple crawler based on libxml2
  * libssh: goto DISCONNECT state on error, not SESSION_FREE
  * CMake: Remove unused functions
  * darwinssl: allow High Sierra users to build the code using GCC
  * scripts: include _curl as part of CLEANFILES
  * examples: fix -Wformat warnings
  * curl_setup: include <winerror.h> before <windows.h>
  * schannel: make more cipher options conditional
  * CMake: remove redundant and old end-of-block syntax
  * post303.d: clarify that this is an RFC violation
- refreshed libcurl-ocloexec.patch
dmidecode
4 dependencies from upstream to be able to apply one more fix:
- util-dont-leak-a-file-descriptor-in-read_file.patch: If memory
  allocation fails, we should close the file descriptor before
  returning the error.
- util-let-callers-pass-an-offset-to-read_file.patch: Make the
  read_file() function more versatile.
- dmidecode-fix-reading-from-smbios-3-dump-files.patch: Use the
  sysfs code path when reading from a dump file, as the
  requirements are similar.
- util-dont-close-the-same-file-descriptor-twice.patch: Close file
  descriptor once and only once on error
  Fix a potential regression:
- use-read_file-to-read-from-dump.patch: Fix an old harmless bug
  which would prevent root from using the --from-dump option since
  the latest security fixes (bsc#1210418).
Security fixes (CVE-2023-30630)
- dmidecode-split-table-fetching-from-decoding.patch: dmidecode:
  Clean up function dmi_table so that it does only one thing
  (bsc#1210418).
- dmidecode-write-the-whole-dump-file-at-once.patch: When option
  --dump-bin is used, write the whole dump file at once, instead of
  opening and closing the file separately for the table and then
  for the entry point (bsc#1210418).
- dmidecode-do-not-let-dump-bin-overwrite-an-existing-file.patch:
  Make sure that the file passed to option --dump-bin does not
  already exist (bsc#1210418).
- ensure-dev-mem-is-a-character-device-file.patch: Add a safety
  check on the type of the mem device file we are asked to read
  from, if we are root (bsc#1210418).
  4 dependencies from upstream to be able to apply the above fixes:
- avoid-sigbus-on-mmap-failure.patch: Prevent a crash when reading
  non-existent portion of memory device file.
- fix-error-paths-in-mem_chunk.patch: Prevent a memory and file
  descriptor leak.
- dmidecode-add-support-for-3-digit-versions.patch: Support
  3-digit SMBIOS specification version comparison.
- dmidecode-only-scan-dev-mem-for-entry-point-on-x86.patch: Don't
  attempt to read from /dev/mem on non-x86 systems.
  6 recommended fixes from upstream:
- dmidecode-fortify-entry-point-length-checks.patch: Ensure that
  the SMBIOS entry point is long enough to include all the fields
  we need.
- dmidecode-fix-the-alignment-of-type-25-name.patch: Drop a stray
  tabulation before the name of DMI record type 25.
- dmidecode-print-type-33-name-unconditionally.patch: Display the
  name of DMI record type 33 even if we can't decode it.
- dmidecode-validate-structure-completeness-before-decoding.patch:
  Ensure that the whole DMI structure fits in the announced table
  length before performing any action on it.
- dmidecode-avoid-oob-read-on-invalid-entry-point-length.patch:
  Don't let the entry point checksum verification run beyond the
  end of the buffer holding it.
- dmioem-decode-hpe-uefi-type-219-misc-features.patch: Check the
  correct bits to report UEFI support.
dracut
- fix(dracut): do not read /proc/modules to get the host modules (bsc#1210910)
  * add 0634-fix-dracut-do-not-read-proc-modules-to-get-the-host-.patch
- fix handling of omit_dracutmodules parameter (bsc#1208929)
  * add 0633-fix-dracut.sh-omission-is-an-addition-to-other-omiss.patch
fonts-config
- get the homedir from getpwuid when no $ENV{"HOME"} set
- added patches
  fix bsc#1210700
  + fonts-config-homedir-getpwuid.patch
glib2
- Update glib2-fix-normal-form-handling-in-gvariant.patch:
  Backported from upstream to fix regression on s390x.
  (bsc#1210135, glgo#GNOME/glib!2978)
- Add glib2-fix-normal-form-handling-in-gvariant.patch: Backported
  from upstream to fix normal form handling in GVariant.
  (CVE-2023-24593, CVE-2023-25180, bsc#1209714, bsc#1209713,
  glgo#GNOME/glib!3125)
grub2
- Fix error grub_file_filters not found in Azure virtual machine (bsc#1182012)
  * 0001-Workaround-volatile-efi-boot-variable.patch
- Fix unknown filesystem error on disks with 4096 sector size (bsc#1207064)
  (bsc#1209234)
  * 0001-grub-core-modify-sector-by-sysfs-as-disk-sector.patch
- Fix installation over serial console ends up in infinite boot loop
  (bsc#1187810) (bsc#1209667) (bsc#1209372)
  * 0001-Fix-infinite-boot-loop-on-headless-system-in-qemu.patch
- Fix aarch64 kiwi image's file not found due to '/@' prepended to path in
  btrfs filesystem. (bsc#1209165)
  * grub2-btrfs-05-grub2-mkconfig.patch
kernel-default
- net: stmmac: don't log oversized frames (git-fixes).
- commit 02a1ae5
- net: stmmac: fix dropping of multi-descriptor RX frames
  (git-fixes).
- commit 0c5e8a5
- bonding: show full hw address in sysfs for slave entries
  (git-fixes).
- commit 4640084
- net: ibm: fix possible object reference leak (git-fixes).
- commit 2cab0bb
- net: hns: Fix wrong read accesses via Clause 45 MDIO protocol
  (git-fixes).
- commit 1cfa1c0
- net: altera_tse: fix msgdma_tx_completion on non-zero fill_level
  case (git-fixes).
- commit 82bd47b
- sfc: suppress duplicate nvmem partition types in
  efx_ef10_mtd_probe (git-fixes).
- commit 17c6719
- net: altera_tse: fix connect_local_phy error path (git-fixes).
- commit da2fa27
- blacklist.conf: add FSL_UCC_HDLC
- commit cbbd4dd
- net/mlx4_core: Fix return codes of unsupported operations
  (git-fixes).
- commit b2c5ba8
- vrf: mark skb for multicast or link-local as enslaved to VRF
  (git-fixes).
- commit 9630bdb
- net: dsa: bcm_sf2: Turn on PHY to allow successful registration
  (git-fixes).
- commit 00680d2
- net: netxen: fix a missing check and an uninitialized use
  (git-fixes).
- commit 76249f8
- net: hisilicon: remove unexpected free_netdev (git-fixes).
- commit fc72200
- net: amd: add missing of_node_put() (git-fixes).
- commit 72cfaff
- blacklist.conf: add faraday network driver
- commit 8453351
- net: faraday: fix return type of ndo_start_xmit function
  (git-fixes).
- commit 079382e
- net: smsc: fix return type of ndo_start_xmit function
  (git-fixes).
- commit 56bd9aa
- net: micrel: fix return type of ndo_start_xmit function
  (git-fixes).
- commit 96160a1
- net: sun: fix return type of ndo_start_xmit function
  (git-fixes).
- commit 59f94b5
- net: broadcom: fix return type of ndo_start_xmit function
  (git-fixes).
- commit 77fb78e
- net: xilinx: fix return type of ndo_start_xmit function
  (git-fixes).
- commit 80ef560
- net: toshiba: fix return type of ndo_start_xmit function
  (git-fixes).
- commit dbdb0d6
- net: hns3: fix return type of ndo_start_xmit function
  (git-fixes).
- commit 5ba4bbc
- net: qla3xxx: Remove overflowing shift statement (git-fixes).
- commit 7055766
- blacklist.conf: update blacklist
- commit 804cac4
- blacklist.conf: Add 4ef0c5c6b5ba kernel/sched: Fix sched_fork() access an invalid sched_task_group
- commit 5d65c2b
- netfilter: ebtables: convert BUG_ONs to WARN_ONs (git-fixes).
- commit 5f3d85f
- netfilter: ipt_CLUSTERIP: put config instead of freeing it
  (git-fixes).
- commit 87f8afc
- netfilter: ipt_CLUSTERIP: put config struct if we can't
  increment ct refcount (git-fixes).
- commit e675512
- net/tcp/illinois: replace broken algorithm reference link
  (git-fixes).
- commit 1264c76
- sit: fix IFLA_MTU ignored on NEWLINK (git-fixes).
- commit 05e5b1a
- ip6_tunnel: fix IFLA_MTU ignored on NEWLINK (git-fixes).
- commit 678863c
- RDS: IB: Fix null pointer issue (git-fixes).
- commit 85f4095
- l2tp: remove l2specific_len dependency in l2tp_core (git-fixes).
- Refresh
  patches.suse/l2tp-fix-reading-optional-fields-of-L2TPv3.patch.
- commit 80db1e0
- l2tp: remove configurable payload offset (git-fixes).
- Refresh
  patches.suse/l2tp-reject-creation-of-non-PPP-sessions-on-L2TPv2-t.patch.
- commit e4e115d
- rds; Reset rs->rs_bound_addr in rds_add_bound() failure path
  (git-fixes).
- commit 2b478a1
- net: xfrm: allow clearing socket xfrm policies (git-fixes).
- commit cb50bb2
- sctp: avoid flushing unsent queue when doing asoc reset
  (git-fixes).
- commit 271642c
- blacklist: add nvme fabrics git-fixes
  The whole nvme fabrics part is missing fundamental changes which will
  not be backported. Don't bother to port git-fixes for this part.
- commit f524f37
- blacklist.conf: update blacklist
- commit ec49bac
- blacklist.conf: add net/caif
- commit 7907ff7
- nvme-pci: fix a NULL pointer dereference in
  nvme_alloc_admin_tags (git-fixes).
- nvme-pci: avoid the deepest sleep state on Kingston A2000 SSDs
  (git-fixes).
- nvme: free sq/cq dbbuf pointers when dbbuf set fails
  (git-fixes).
- nvme: refine the Qemu Identify CNS quirk (git-fixes).
- nvme: Fix u32 overflow in the number of namespace list
  calculation (git-fixes).
- nvme: remove the ifdef around nvme_nvm_ioctl (git-fixes).
- nvme-pci: unquiesce admin queue on shutdown (git-fixes).
- nvme-pci: use the same attributes when freeing
  host_mem_desc_bufs (git-fixes).
- commit f8a43a3
- Drivers: hv: vmbus: Optimize vmbus_on_event (bsc#1211622).
- scsi: storvsc: Parameterize number hardware queues
  (bsc#1211622).
- commit f58838c
- scsi: qla2xxx: Replace all non-returning strlcpy() with
  strscpy() (bsc#1211960).
- scsi: qla2xxx: Update version to 10.02.08.300-k (bsc#1211960).
- scsi: qla2xxx: Wait for io return on terminate rport
  (bsc#1211960).
- scsi: qla2xxx: Fix mem access after free (bsc#1211960).
- scsi: qla2xxx: Fix hang in task management (bsc#1211960).
- scsi: qla2xxx: Fix task management cmd fail due to unavailable
  resource (bsc#1211960).
- scsi: qla2xxx: Fix task management cmd failure (bsc#1211960).
- scsi: qla2xxx: Multi-que support for TMF (bsc#1211960).
- scsi: qla2xxx: Declare SCSI host template const (bsc#1211960).
- scsi: qla2xxx: Refer directly to the qla2xxx_driver_template
  (bsc#1211960).
- scsi: qla2xxx: Remove default fabric ops callouts (bsc#1211960).
- scsi: qla2xxx: Drop redundant pci_enable_pcie_error_reporting()
  (bsc#1211960).
- commit 875f923
- kcm: Check if sk_user_data already set in kcm_attach
  (git-fixes).
- Refresh patches.suse/kcm-lock-lower-socket-in-kcm_attach.patch.
- commit 796ddfc
- ip6_tunnel: allow ip6gre dev mtu to be set below 1280
  (git-fixes).
- Refresh
  patches.suse/ip6_tunnel-remove-magic-mtu-value-0xFFF8.patch.
- commit 9359f96
- xfrm: Fix stack-out-of-bounds with misconfigured transport
  mode policies (git-fixes).
- commit a397dd8
- sctp: fix the issue that a __u16 variable may overflow in
  sctp_ulpq_renege (git-fixes).
- Refresh
  patches.suse/sctp-implement-memory-accounting-on-rx-path.patch.
- commit dfdadd9
- fix kcm_clone() (git-fixes).
- Refresh
  patches.suse/kcm-Fix-use-after-free-caused-by-clonned-sockets.patch.
- commit ff3266d
- blacklist.conf: update blacklist
- commit 6559dbc
- s390/uaccess: add missing earlyclobber annotations to __clear_user()
  (LTC#202116 bsc#1209857 git-fixes).
- commit 466ebf1
- media: radio-shark: Add endpoint checks (git-fixes).
- commit 645a65c
- USB: sisusbvga: Add endpoint checks (git-fixes).
- commit 0086804
- USB: core: Add routines for endpoint checks in old drivers
  (git-fixes).
- commit 9b3a4b6
- mac80211: drop multicast fragments (git-fixes).
- Refresh patches.kabi/cfg80211-kabi-workaround.patch.
- Refresh
  patches.suse/mac80211-add-fragment-cache-to-sta_info.patch.
- commit dcf3ad7
- mac80211: choose first enabled channel for monitor (git-fixes).
- commit 9005ef1
- mac80211: pause TX while changing interface type (git-fixes).
- commit 2e9a9ca
- IB/mlx5: Fix initializing CQ fragments buffer (git-fixes)
- commit ab52722
- RDMA/core: Don't access cm_id after its destruction (git-fixes)
- commit 3e6a35e
- mac80211: fix fast-rx encryption check (git-fixes).
- commit 6dc3740
- blacklist.conf: breaks kABI in a pretty unfixable way
- commit f0b7d32
- RDMA/mthca: Work around -Wenum-conversion warning (git-fixes)
- commit 4ec5513
- RDMA/bnxt_re: Restrict the max_gids to 256 (git-fixes)
- commit 45f80d9
- RDMA/hns: Bugfix for querying qkey (git-fixes)
- commit 916464c
- RDMA/mlx5: Block delay drop to unprivileged users (git-fixes)
- commit b67e136
- IB/rdmavt: Add __init/__exit annotations to module init/exit funcs (git-fixes)
- commit aef401f
- RDMA/usnic: fix set-but-not-unused variable 'flags' warning (git-fixes)
- commit 410f136
- RDMA/mlx4: Prevent shift wrapping in set_user_sq_size() (git-fixes)
- commit 08b691c
- IB/hfi1: Assign npages earlier (git-fixes)
- commit 94a7a3d
- RDMA/srp: Move large values to a new enum for gcc13 (git-fixes)
- commit 21e4838
- RDMA/hfi1: Prevent panic when SDMA is disabled (git-fixes)
- commit 69d046f
- RDMA/cma: Fix rdma_resolve_route() memory leak (git-fixes)
- commit ebc12ea
- RDMA/cxgb4: Fix missing error code in create_qp() (git-fixes)
- commit 16a901d
- RDMA/rxe: Fix error type of mmap_offset (git-fixes)
- commit 78c6be8
- RDMA/iw_cgxb4: Fix an error handling path in 'c4iw_connect()' (git-fixes)
- commit a8ed0c1
- RDMA/i40iw: Fix potential use after free (git-fixes)
- commit 078387e
- IB/iser: bound protection_sg size by data_sg size (git-fixes)
- commit c6057ed
- IB/mlx4: Fix memory leaks (git-fixes)
- commit 93dc3d9
- ipoib: correcly show a VF hardware address (git-fixes)
- commit b86fe95
- IB/mlx4: Increase the timeout for CM cache (git-fixes)
- commit bd695fb
- IB/usnic: Fix potential deadlock (git-fixes)
- commit 7517110
- RDMA/srp: Propagate ib_post_send() failures to the SCSI mid-layer (git-fixes)
- commit ce8a13e
- mlx4: Use snprintf instead of complicated strcpy (git-fixes)
- commit 8357ea9
- rxe: IB_WR_REG_MR does not capture MR's iova field (git-fixes)
- commit 737703b
- RDMA/cma: Do not change route.addr.src_addr.ss_family (git-fixes)
- commit 0f21ca2
- seccomp: Set PF_SUPERPRIV when checking capability (git-fixes
  bsc#1211816).
- commit f8e3006
- dm ioctl: fix nested locking in table_clear() to remove deadlock
  concern (bsc#1210806, CVE-2023-2269).
- commit e962c83
- tcp: Fix data races around icsk->icsk_af_ops (bsc#1204405
  CVE-2022-3566).
- commit 75b4182
- blacklist.conf: Add 9fc9e278a5c0 panic: Introduce warn_limit
- commit 43ad239
- blacklist.conf: Add 659c0ce1cb9e kernel/sys.c: fix and improve control flow in __sys_setres[ug]id()
- commit 28b437a
- ceph: force updating the msg pointer in non-split case
  (bsc#1211801).
- commit ebc5c5b
- blacklist.conf: Append 'Revert "fbcon: don't lose the console font across generic->chip driver switch"'
- commit 0b0664b
- fbcon: Check font dimension limits (bsc#1154048)
  Changes:
  * rename drivers/video/fbdev/core to drivers/video/console
- commit 2e6300a
- fbdev: uvesafb: Fixes an error handling path in uvesafb_probe() (bsc#1154048)
- commit 7a7fe7f
- backlight: lm3630a: Fix return code of .update_status() callback (bsc#1129770)
- commit 65a9461
- blacklist.conf: Append 'fbdev: udlfb: Fix endpoint check'
- commit c71f23c
- blacklist.conf: Append 'fbdev: arcfb: Fix error handling in arcfb_probe()'
- commit 3b8befa
- blacklist.conf: Append 'fbdev: au1200fb: Fix potential divide by zero'
- commit 99bcf68
- blacklist.conf: Append 'fbdev: lxfb: Fix potential divide by zero'
- commit 29ac883
- blacklist.conf: Append 'fbdev: intelfb: Fix potential divide by zero'
- commit c54aef0
- blacklist.conf: Append 'fbdev: nvidia: Fix potential divide by zero'
- commit 0180fb8
- blacklist.conf: Append 'fbdev: stifb: Provide valid pixelclock and add fb_check_var() checks'
- commit 7424f1a
- blacklist.conf: Append 'fbdev: tgafb: Fix potential divide by zero'
- commit 3dfd2f8
- blacklist.conf: Append 'fbdev: omapfb: cleanup inconsistent indentation'
- commit e6f26fa
- blacklist.conf: Append 'fbdev: vermilion: decrease reference count in error path'
- commit bfe058e
- blacklist.conf: Append 'fbdev: via: Fix error in via_core_init()'
- commit 47cb95a
- blacklist.conf: Append 'fbdev: pm2fb: fix missing pci_disable_device()'
- commit 5d257c9
- blacklist.conf: Append 'fbdev: ssd1307fb: Drop optional dependency'
- commit 6cbf42c
- blacklist.conf: Append 'fbdev: cyber2000fb: fix missing pci_disable_device()'
- commit 06f0770
- blacklist.conf: Append 'fbdev: smscufx: Fix several use-after-free bugs'
- commit 62a32ff
- blacklist.conf: Append 'parisc: fbdev/stifb: Align graphics memory size to 4MB'
- commit 22da2c5
- blacklist.conf: Append 'fbdev: smscufx: Fix use-after-free in ufx_ops_open()'
- commit 02b683d
- blacklist.conf: Append 'fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init()'
- commit 489652a
- blacklist.conf: Append 'video: fbdev: i740fb: Check the argument of i740_calc_vclk()'
- commit c7b03dd
- blacklist.conf: Append 'video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write'
- commit ccb235b
- blacklist.conf: Append 'video: fbdev: pxa3xx-gcu: release the resources correctly in pxa3xx_gcu_probe/remove()'
- commit 9dffdbd
- blacklist.conf: Append 'video: fbdev: sm712fb: Fix crash in smtcfb_write()'
- commit d1847f5
- blacklist.conf: Append 'video: fbdev: omapfb: panel-tpo-td043mtea1: Use sysfs_emit() instead of snprintf()'
- commit ac6af46
- blacklist.conf: Append 'video: fbdev: omapfb: panel-dsi-cm: Use sysfs_emit() instead of snprintf()'
- commit 5a2e2fe
- blacklist.conf: Append 'video: fbdev: omapfb: acx565akm: replace snprintf with sysfs_emit'
- commit 9966c33
- blacklist.conf: Append 'video: fbdev: cirrusfb: check pixclock to avoid divide by zero'
- commit 9b4a739
- blacklist.conf: Append 'video: fbdev: w100fb: Reset global state'
- commit 8c331fe
- blacklist.conf: Append 'video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow'
- commit e521feb
- blacklist.conf: Append 'video: fbdev: riva: Error out if 'pixclock' equals zero'
- commit cd1778b
- blacklist.conf: Append 'video: fbdev: kyro: Error out if 'pixclock' equals zero'
- commit e680120
- blacklist.conf: Append 'video: fbdev: asiliantfb: Error out if 'pixclock' equals zero'
- commit 4eef362
- blacklist.conf: Append 'video: fbdev: kyro: fix a DoS bug by restricting user input'
- commit 4dfa6f9
- blacklist.conf: changes behavior in user space
- commit 8e76d7a
- blacklist.conf: breaks existing user space
- commit 8a0f9f8
- KVM: x86: emulator: update the emulation mode after CR0 write
  (git-fixes).
- commit 45c60e8
- KVM: x86: emulator: introduce emulator_recalc_and_set_mode
  (git-fixes).
- commit cd1c312
- KVM: x86: emulator: em_sysexit should update ctxt->mode
  (git-fixes).
- commit e33b7a7
- KVM: x86: fix incorrect comparison in trace event (git-fixes).
- commit e7c7c64
- x86/kvm: Don't call kvm_spurious_fault() from .fixup
  (git-fixes).
- commit 2994486
- x86: kvm: avoid constant-conversion warning (git-fixes).
- commit 785e3c9
- KVM: x86: avoid misreporting level-triggered irqs as
  edge-triggered in tracing (git-fixes).
- commit 3a2f7bf
- ring-buffer: Sync IRQ works before buffer destruction
  (git-fixes).
- commit 7f66fa1
- ring-buffer: Ensure proper resetting of atomic variables in
  ring_buffer_reset_online_cpus (git-fixes).
- commit 05b01b4
- f2fs: Fix f2fs_truncate_partial_nodes ftrace event (git-fixes).
- commit c9aec28
- KVM: nSVM: clear events pending from svm_complete_interrupts()
  when exiting to L1 (git-fixes).
- commit dea3e13
- KVM: x86: svm: report MSR_IA32_MCG_EXT_CTL as unsupported
  (git-fixes).
- commit e8ac19f
- x86/kvm/vmx: fix old-style function declaration (git-fixes).
- commit 60914fa
- KVM: x86: fix empty-body warnings (git-fixes).
- commit 1ff0909
- kvm: mmu: Don't read PDPTEs when paging is not enabled
  (git-fixes).
- commit 0c9e6c3
- KVM: x86: Update the exit_qualification access bits while
  walking an address (git-fixes).
- commit fb42639
- ipv6: sr: fix out-of-bounds read when setting HMAC data
  (bsc#1211592).
- commit b97c30d
- Move upstreamed media fixes into sorted section
- commit 488e428
- media: dvb_net: kABI workaround (CVE-2022-45886 bsc#1205760).
- media: dvb_frontend: kABI workaround (CVE-2022-45885
  bsc#1205758).
- commit df5f28a
- media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb()
  (CVE-2022-45887 bsc#1205762).
- media: dvb-core: Fix use-after-free due to race condition at
  dvb_ca_en50221 (CVE-2022-45919 bsc#1205803).
- media: dvb-core: Fix use-after-free due to race at
  dvb_register_device() (CVE-2022-45884 bsc#1205756).
- media: dvb-core: Fix use-after-free due on race condition at
  dvb_net (CVE-2022-45886 bsc#1205760).
- media: dvb-core: Fix kernel WARNING for blocking operation in
  wait_event*() (CVE-2023-31084 bsc#1210783).
- media: dvb-core: Fix use-after-free on race condition at
  dvb_frontend (CVE-2022-45885 bsc#1205758).
- media: dvbdev: fix error logic at dvb_register_device()
  (CVE-2022-45884 bsc#1205756).
- media: dvbdev: Fix memleak in dvb_register_device
  (CVE-2022-45884 bsc#1205756).
- media: media/dvb: Use kmemdup rather than duplicating its
  implementation (CVE-2022-45884 bsc#1205756).
- commit f7cc9c8
- net: sched: sch_qfq: prevent slab-out-of-bounds in
  qfq_activate_agg (bsc#1210940 CVE-2023-31436).
- commit a507e94
- i2c: xgene-slimpro: Fix out-of-bounds bug in
  xgene_slimpro_i2c_xfer() (bsc#1210715 CVE-2023-2194).
- commit 3e58c3b
- net/iucv: Fix size of interrupt data (bsc#1211466).
- commit f3fc622
- blacklist.conf: update blacklist
- commit 6d6d566
- net: emac: fix fixed-link setup for the RTL8363SB switch (git-fixes).
- commit 9681063
- stmmac: fix valid numbers of unicast filter entries (git-fixes).
- commit ef24a07
- net: qca_spi: Fix log level if probe fails (git-fixes).
- commit 3f5bdc7
- net: davinci_emac: match the mdio device against its compatible if possible (git-fixes).
- commit bd607b2
- net: dsa: qca8k: Add support for QCA8334 switch (git-fixes).
- commit 7151502
- net: ethernet: ti: cpsw-phy-sel: check bus_find_device()
  ret value (git-fixes).
- commit faf163d
- blacklist.conf: update blacklist
- commit ee5c63d
- blacklist.conf: update blacklist
- commit cb25c3b
- net: dsa: b53: Add BCM5389 support (git-fixes).
- commit 97f949b
- net: mvneta: fix enable of all initialized RXQs (git-fixes).
- commit c3670b0
- net: dsa: mt7530: fix module autoloading for OF platform drivers
  (git-fixes).
- commit 5aa0e3c
- sunvnet: does not support GSO for sctp (git-fixes).
- commit 2c2cd3a
- net: qcom/emac: Use proper free methods during TX (git-fixes).
- commit 9e71f84
- net: Extra '_get' in declaration of
  arch_get_platform_mac_address (git-fixes).
- commit a07f7ac
- net: arc_emac: fix arc_emac_rx() error paths (git-fixes).
- commit 055ed24
- net: mediatek: setup proper state for disabled GMAC on the
  default (git-fixes).
- commit d4884c0
- blacklist.conf: update blacklist
- commit 3d40ef3
- sctp: fix erroneous inc of snmp SctpFragUsrMsgs (git-fixes).
- commit 1e6b878
- net: propagate dev_get_valid_name return code (git-fixes).
- commit 6c7e15c
- blacklist.conf: update blacklist
- commit 0b29eb6
- s390/kasan: fix early pgm check handler execution (git-fixes
  bsc#1211360).
- s390: ctcm: fix ctcm_new_device error return code (git-fixes
  bsc#1211361).
- s390/pci: fix sleeping in atomic during hotplug (git-fixes
  bsc#1211364).
- s390/sysinfo: add missing #ifdef CONFIG_PROC_FS (git-fixes
  bsc#1211366).
- s390/extmem: fix gcc 8 stringop-overflow warning (git-fixes
  bsc#1211363).
- s390/scm_blk: correct numa_node in scm_blk_dev_setup (git-fixes
  bsc#1211365).
- s390/dasd: correct numa_node in dasd_alloc_queue (git-fixes
  bsc#1211362).
- commit eaf6fde
- netrom: Fix use-after-free caused by accept on already
  connected socket (bsc#1211186 CVE-2023-32269).
- commit 5091773
- net: tls: fix possible race condition between
  do_tls_getsockopt_conf() and do_tls_setsockopt_conf()
  (bsc#1209366 CVE-2023-28466).
- commit 6a60b30
- ACPI: processor: Fix evaluating _PDC method when running as
  Xen dom0 (git-fixes).
- commit dc522b8
- xen/netback: use same error messages for same errors
  (git-fixes).
- commit 4db5f86
- xen/netback: don't do grant copy across page boundary
  (git-fixes).
- commit 1db009c
- Refresh patches.suse/arm64-Discard-.note.GNU-stack-section.patch.
  Add note about required followups for the upstream version.
- commit 22f581b
- powerpc/rtas: use memmove for potentially overlapping buffer
  copy (bsc#1065729).
- powerpc: Don't try to copy PPR for task with NULL pt_regs
  (bsc#1065729).
- powerpc: Squash lines for simple wrapper functions
  (bsc#1065729).
- commit 5b5254d
- blacklist.conf: workqueue: Cosmetic change. Not worth backporting (bsc#1211275)
- commit 75d9c4f
- ipv6: Reinject IPv6 packets if IPsec policy matches after SNAT
  (git-fixes).
- commit 45358c3
- sctp: make use of pre-calculated len (git-fixes).
- commit 917a7de
- ipv6: icmp6: Allow icmp messages to be looped back (git-fixes).
- commit b8c6b46
- ipv4: ipv4_default_advmss() should use route mtu (git-fixes).
- commit b90f190
- net: ipv6: send NS for DAD when link operationally up
  (git-fixes).
- commit 068ddeb
- blacklist.conf: update blacklist
- commit a62f4ec
- workqueue: Print backtraces from CPUs with hung CPU bound
  workqueues (bsc#1211044).
- commit 9009e7b
- workqueue: Warn when a rescuer could not be created
  (bsc#1211044).
- commit 729d6a5
- blacklist.conf: update blacklist
- commit 6f9c349
- blacklist.conf: update blacklist
- commit b77ff03
- workqueue: Interrupted create_worker() is not a repeated event
  (bsc#1211044).
- commit 19f4343
- workqueue: Warn when a new worker could not be created
  (bsc#1211044).
- commit 6849328
- workqueue: Fix hung time report of worker pools (bsc#1211044).
- commit 6603859
- blacklist.conf: dependencies cannot be met
- commit 719ca49
- wcn36xx: ensure pairing of init_scan/finish_scan and
  start_scan/end_scan (git-fixes).
- commit 087dd65
- wcn36xx: Ensure finish scan is not requested before start scan
  (git-fixes).
- commit caae985
- blacklist.conf: add one pci git-fixes
- commit 855c141
- wcn36xx: Specify ieee80211_rx_status.nss (git-fixes).
- commit 012d160
- wcn36xx: Fix warning due to bad rate_idx (git-fixes).
- commit a518de1
- wcn36xx: Disable bmps when encryption is disabled (git-fixes).
- commit ebc2371
- wcn36xx: Fix software-driven scan (git-fix).
- Refresh
  patches.suse/wcn36xx-Channel-list-update-before-hardware-scan.patch.
- Refresh
  patches.suse/wcn36xx-Move-hal_buf-allocation-to-devm_kmalloc-in-p.patch.
- commit 15a8b93
- wcn36xx: Use sequence number allocated by mac80211 (git-fixes).
- commit bb661ed
- wcn36xx: Fix TX data path (git-fixes).
- commit b77eb82
- wcn36xx: Increase number of TX retries (git-fixes).
- commit 97a8d22
- wcn36xx: Fix multiple AMPDU sessions support (git-fixes).
- commit 63b0807
- wcn36xx: Add ieee80211 rx status rate information (git-fixes).
- commit 4b6a254
- wcn36xx: fix spelling mistake "to" -> "too" (git-fixes).
- commit 7e6ee67
- wcn36xx: disable HW_CONNECTION_MONITOR (git-fixes).
- commit 4d8f867
- wcn36xx: fix typo (git-fixes).
- commit b5b95ed
- wcn36xx: remove unecessary return (git-fixes).
- commit 0eb75a5
- wcn36xx: use dma_zalloc_coherent instead of allocator/memset
  (git-fixes).
- commit bbbad4b
- wcn36xx: Use kmemdup instead of duplicating it in
  wcn36xx_smd_process_ptt_msg_rsp (git-fixes).
- commit aa805c7
- wcn36xx: Channel list update before hardware scan (git-fixes).
- commit fcf8c32
- wcn36xx: Add ability for wcn36xx_smd_dump_cmd_req to pass
  two's complement (git-fixes).
- commit 39c25cd
- mwl8k: Fix a double Free in mwl8k_probe_hw (git-fixes).
- commit 9de04e1
- adm8211: fix error return code in adm8211_probe() (git-fixes).
- commit 8910841
- Documentation: Document sysfs interfaces purr, spurr, idle_purr,
  idle_spurr (PED-3947 bsc#1210544 ltc#202303).
- powerpc/sysfs: Show idle_purr and idle_spurr for every CPU
  (PED-3947 bsc#1210544 ltc#202303).
- powerpc/pseries: Account for SPURR ticks on idle CPUs (PED-3947
  bsc#1210544 ltc#202303).
- powerpc/idle: Store PURR snapshot in a per-cpu global variable
  (PED-3947 bsc#1210544 ltc#202303).
- powerpc: Move idle_loop_prolog()/epilog() functions to header
  file (PED-3947 bsc#1210544 ltc#202303).
- cpuidle/powernv: avoid double irq enable coming out of idle
  (PED-3947 bsc#1210544 ltc#202303).
- cpuidle: powerpc: no memory barrier after break from idle
  (PED-3947 bsc#1210544 ltc#202303).
- cpuidle: powerpc: read mostly for common globals (PED-3947
  bsc#1210544 ltc#202303).
- Refresh patches.suse/cpuidle-powernv-Fix-promotion-from-snooze-if-next-st.patch
- cpuidle: powerpc: cpuidle set polling before enabling irqs
  (PED-3947 bsc#1210544 ltc#202303).
- Refresh patches.suse/cpuidle-powernv-Fix-promotion-from-snooze-if-next-st.patch
- commit 964f26b
- usb: early: xhci-dbc: Fix a potential out-of-bound memory access
  (git-fixes).
- commit ad8060e
- fotg210-udc: Add missing completion handler (git-fixes).
- commit 3c809e3
- blacklist.conf: kABI
- commit dcd54c2
- usb: dwc3: Fix race between dwc3_set_mode and __dwc3_set_mode
  (git-fixes).
- commit 9ea489a
- platform/x86: dell-smbios-wmi: Add missing kfree in error-exit
  from run_smbios_call (git-fixes).
- commit bc58d39
- platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios
  (git-fixes).
- commit 96326a4
- platform/x86: alienware-wmi: fix kfree on potentially
  uninitialized pointer (git-fixes).
- commit 52b26a2
- platform/x86: alienware-wmi: fix format string overflow warning
  (git-fixes).
- commit 9e6baf6
- platform/x86: alienware-wmi: constify attribute_group structures
  (git-fixes).
- commit 804cedf
- platform/x86: alienware-wmi: Adjust instance of
  wmi_evaluate_method calls to 0 (git-fixes).
- commit 17d45d2
- platform/x86: dell-laptop: fix rfkill functionality.
- commit 04ebc44
- wifi: brcmfmac: slab-out-of-bounds read in
  brcmf_get_assoc_ies() (bsc#1209287 CVE-2023-1380).
- commit 07a41fa
- ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h
  (bsc#1206878).
- commit 40e694d
- ext4: fix use-after-free in ext4_xattr_set_entry (bsc#1206878
  bsc#1211105 CVE-2023-2513).
- commit a52726d
- net: qcom/emac: Fix use after free bug in emac_remove due to
  race condition (bsc#1211037 CVE-2023-2483).
- commit 6c7d167
- usb: chipidea: fix missing goto in `ci_hdrc_probe` (git-fixes).
- commit 8371d59
- USB: dwc3: fix runtime pm imbalance on unbind (git-fixes).
- commit 3c78b91
- USB: dwc3: fix runtime pm imbalance on probe errors (git-fixes).
- commit 07dd465
- PCI: aardvark: Fix PCIe Max Payload Size setting (git-fixes).
- PCI: Mark Atheros QCA6174 to avoid bus reset (git-fixes).
- PCI: xilinx-nwl: Enable the clock through CCF (git-fixes).
- PCI: aardvark: Fix masking and unmasking legacy INTx interrupts
  (git-fixes).
- PCI: aardvark: Configure PCIe resources from 'ranges' DT
  property (git-fixes).
- PCI: aardvark: Increase polling delay to 1.5s while waiting
  for PIO response (git-fixes).
- PCI: aardvark: Fix checking for PIO status (git-fixes).
- PCI: Add ACS quirks for Cavium multi-function devices
  (git-fixes).
- PCI: Return ~0 data on pciconfig_read() CAP_SYS_ADMIN failure
  (git-fixes).
- PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported
  (git-fixes).
- PCI: Call Max Payload Size-related fixup quirks early
  (git-fixes).
- commit 4ba05a4
- ipmi: fix SSIF not responding under certain cond (git-fixes).
- commit fd75dd9
- blacklist.conf: add one char git-fixes
- commit e967264
- wifi: ath5k: fix an off by one check in
  ath5k_eeprom_read_freq_list() (git-fixes).
- commit e7e4a01
- xfs: verify buffer contents when we skip log replay (bsc#1210498
  CVE-2023-2124).
- commit d228bcf
- kcm: Only allow TCP sockets to be attached to a KCM mux
  (git-fixes).
- Refresh patches.suse/kcm-lock-lower-socket-in-kcm_attach.patch.
- commit 1c38f1b
- xhci: hide include of iommu.h (git-fixes).
- commit d4a90d2
- xhci: also avoid the XHCI_ZERO_64B_REGS quirk with a passthrough
  iommu (git-fixes).
- commit 25aa1f6
- struct ci_hdrc: hide new member at end (git-fixes).
- commit 10801c8
- usb: chipidea: core: fix possible concurrent when switch role
  (git-fixes).
- commit b7e0f07
- x86/irq: Ensure PI wakeup handler is unregistered before module unload (git-fixes).
- commit 1ba0504
- x86/fpu: Prevent FPU state corruption (git-fixes).
- commit 7902778
- x86/mce/inject: Avoid out-of-bounds write when setting flags (git-fixes).
- commit 7747d1d
- x86/tools/relocs: Fix non-POSIX regexp (git-fixes).
- commit bf7956d
- crypto: x86/ghash - fix unaligned access in ghash_setkey() (git-fixes).
- commit b2c2637
- x86/boot: Avoid using Intel mnemonics in AT&T syntax asm (git-fixes).
- commit 01320b7
- x86/virt: Mark flags and memory as clobbered by VMXOFF (git-fixes).
- commit 128b31b
- x86/virt: Eat faults on VMXOFF in reboot flows (git-fixes).
- commit d5a2713
- x86/tools: Fix objdump version check again (git-fixes).
- commit 2fac6b7
- x86/kprobes: Restore BTF if the single-stepping is cancelled (git-fixes).
- commit 675ef6d
- x86/kprobes: Fix to check non boostable prefixes correctly (git-fixes).
- commit 7707216
- blacklist.conf: Add a patch for kconfig option we don't have
- commit 133510f
- x86/bugs: Enable STIBP for IBPB mitigated RETBleed (git-fixes).
- commit 08350f2
- blacklist.conf: add nvme git-fixes
- commit 763e434
- nvme-pci: don't WARN_ON in nvme_reset_work if ctrl.state is
  not RESETTING (git-fixes).
- commit 289f082
- x86/bugs: Add Cannon lake to RETBleed affected CPU list (git-fixes).
- commit 765cf23
- keys: Fix linking a duplicate key to a keyring's assoc_array
  (bsc#1207088).
- commit fd3a7e5
- keys: Hoist locking out of __key_link_begin() (bsc#1207088).
- commit 9d4b000
- keys: Change keyring_serialise_link_sem to a mutex (bsc#1207088).
- commit d0f80a2
- scsi: qla2xxx: Fix memory leak in qla2x00_probe_one()
  (git-fixes).
- scsi: qla2xxx: Perform lockless command completion in abort path
  (git-fixes).
- commit 9283be1
- kabi/severities: ignore KABI for NVMe, except nvme-fc (bsc#1174777)
  Exported symbols under drivers/nvme/host/ are only used by the
  nvme subsystem itself, except for the nvme-fc symbols.
- commit c973bd8
- blacklist.conf: add nvme git-fixes
  The nvme fabric part is not really supported in sle12 and touching this
  code with proper a lot of testing has a high chance of regressions.
  The nvme core bits are also very dangerous to update without introducing
  regression because sle12 is still using mixed single queue and
  multiqueue block layer infrastructures. All these fixes are addressing
  issues reported against multiqueue only setups
- commit 039b5e1
- blacklist.conf: irrelevant in all our configs
- commit 21e8e20
- blacklist.conf: irrelevant in all our configs
- commit 5d97024
- blacklist.conf: irrelevant in all our configs
- commit ed95b61
- blacklist.conf: cleanup
- commit 2328a0e
- blacklist.conf: kABI
- commit 5ede269
- blacklist.conf: irrelevant with the compiler options of SLE12
- commit 09fdb2d
- blacklist.conf: architecture not supported in SLE12
- commit 0f802d0
- blacklist.conf: alters behavior in a way that could cause regression
- commit 9198a95
- blacklist.conf: cosmetic
- commit 8c47024
- audit: improve audit queue handling when "audit=1" on cmdline
  (bsc#1209969).
- commit 05326be
- xirc2ps_cs: Fix use after free bug in xirc2ps_detach
  (bsc#1209871 CVE-2023-1670).
- commit cab17d2
- nvme-pci: fix doorbell buffer value endianness (git-fixes).
- nvme: retain split access workaround for capability reads
  (git-fixes).
- commit 664dfaa
- cgroup/cpuset: Wake up cpuset_attach_wq tasks in
  cpuset_cancel_attach() (bsc#1210827).
- commit c9ac567
- xfrm: policy: use hlist rcu variants on insert (git-fixes).
- commit 8f58d09
- blacklist.conf: update blacklist
- commit 94895b2
- powerpc/papr_scm: Update the NUMA distance table for the
  target node (bsc#1209999 ltc#202140 bsc#1142685 ltc#179509
  FATE#327775 git-fixes).
- powerpc/pseries: Consolidate different NUMA distance update
  code paths (bsc#1209999 ltc#202140 bsc#1142685 ltc#179509
  FATE#327775 git-fixes).
- powerpc/pseries: Rename TYPE1_AFFINITY to FORM1_AFFINITY
  (bsc#1209999 ltc#202140 bsc#1142685 ltc#179509 FATE#327775
  git-fixes).
- powerpc/pseries: rename min_common_depth to primary_domain_index
  (bsc#1209999 ltc#202140 bsc#1142685 ltc#179509 FATE#327775
  git-fixes).
- powerpc/numa: Consider the max NUMA node for migratable LPAR
  (bsc#1209999 ltc#202140 bsc#1190544 ltc#194520 bsc#1142685 ltc#179509 FATE#327775
  git-fixes).
- powerpc/numa: Detect support for coregroup (bsc#1209999
  ltc#202140 bsc#1142685 ltc#179509 FATE#327775 git-fixes).
- powerpc/numa: Restrict possible nodes based on platform
  (bsc#1209999 ltc#202140 bsc#1142685 ltc#179509 FATE#327775
  git-fixes).
- powerpc/numa: Limit possible nodes to within num_possible_nodes
  (bsc#1209999 ltc#202140 bsc#1142685 ltc#179509 FATE#327775
  git-fixes).
- commit 2690e67
- cred: allow get_cred() and put_cred() to be given NULL
  (bsc#1209887).
- commit b20510e
- scsi: iscsi_tcp: Fix UAF during login when accessing the shost
  ipaddress (bsc#1210647 CVE-2023-2162).
- commit eba27cd
- drivers: net: lmc: fix case value for target abort error
  (git-fixes).
- commit 9328eea
- net: axienet: Fix double deregister of mdio (git-fixes).
- commit ceccbaf
- net: prevent ISA drivers from building on PPC32 (git-fixes).
- commit 1665091
- blacklist.conf: update blacklist
- commit c7d12aa
- RDMA/core: Refactor rdma_bind_addr (bsc#1210629 CVE-2023-2176)
- commit 39d6889
- RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests (bsc#1210629 CVE-2023-2176)
- commit e746751
- RDMA/cma: Do not change route.addr.src_addr outside state checks (bsc#1210629 CVE-2023-2176)
- commit 8101e86
- RDMA/cma: Make the locking for automatic state transition more clear (bsc#1210629 CVE-2023-2176)
- commit b3ddeab
- blacklist.conf: add !CONFIG_SYSFS entry
- commit ea663e2
- l2tp: reject creation of non-PPP sessions on L2TPv2 tunnels
  (git-fixes).
- commit a6de55d
- l2tp: clean up stale tunnel or session in pppol2tp_connect's
  error path (git-fixes).
- commit ac0c4ce
- l2tp: fix pseudo-wire type for sessions created by
  pppol2tp_connect() (git-fixes).
- commit 3cea0f6
- netfilter: nft_set_rbtree: fix parameter of
  __nft_rbtree_lookup() (git-fixes).
- commit d139e7b
- netfilter: x_tables: Add note about how to free percpu counters
  (git-fixes).
- commit 370ae8e
- net: core: dst: Add kernel-doc for 'net' parameter (git-fixes).
- commit f4bb4ad
- net: core: dst_cache_set_ip6: Rename 'addr' parameter to
  'saddr' for consistency (git-fixes).
- commit d4c9c59
- x86/boot/compressed: Disable relocation relaxation (git-fixes).
- Refresh patches.suse/x86-Use-return-thunk-in-asm-code.patch.
- kretprobe: Prevent triggering kretprobe from within
  kprobe_flush_task (git-fixes).
- x86/speculation/mds: Mark mds_user_clear_cpu_buffers()
  __always_inline (git-fixes).
- x86_64: Fix jiffies ODR violation (git-fixes).
- x86/mm: Stop printing BRK addresses (git-fixes).
- bpf, x86: Fix encoding for lower 8-bit registers in BPF_STX
  BPF_B (git-fixes).
- x86: Don't let pgprot_modify() change the page encryption bit
  (git-fixes).
- x86/pkeys: Add check for pkey "overflow" (git-fixes).
- commit e67532f
- watchdog: pcwd_usb: Fix attempting to access uninitialized
  memory (git-fixes).
- commit d040be6
- powercap: fix possible name leak in powercap_register_zone()
  (git-fixes).
- commit 31ce59d
- usb: storage: Add check for kcalloc (git-fixes).
- commit 610895c
- usb: typec: Check for ops->exit instead of ops->enter in
  altmode_exit (git-fixes).
- commit b4c0f7a
- blacklist.conf: add some x86 git-fixes
- commit decff2c
- blacklist.conf: cleanup
- commit b4c83c2
- usb: dwc3: gadget: Don't set IMI for no_interrupt (git-fixes).
- commit 7500ab7
- ath10k: Fix missing frame timestamp for beacon/probe-resp
  (git-fixes).
- commit b6a1dea
- x86/speculation: Allow enabling STIBP with legacy IBRS
  (bsc#1210506 CVE-2023-1998).
- commit 82dbdfe
- cifs: fix negotiate context parsing (bsc#1210301).
- commit e970e4b
- blacklist.conf: not needed; added also the commit introducing the regression
  on the blacklist to stay on the safe side
- commit 39430c3
- blacklist.conf: not worth the risk
- commit 581559c
- blacklist.conf: printk: cosmetic problem; wrong value shown in log
- commit 68309f1
- printk: Give error on attempt to set log buffer length to over
  2G (bsc#1210534).
- commit 416f599
- tuntap: fix dividing by zero in ebpf queue selection
  (git-fixes).
- commit c7fc31c
- net: phy: realtek: Use the dummy stubs for MMD register access
  for rtl8211b (git-fixes).
- commit 8197f03
- blacklist.conf: update blacklist
- commit 1eb047f
- iwlwifi: Fix -EIO error code that is never returned (git-fixes).
- commit e2a6440
- iwlwifi: pcie: gen2: fix locking when "HW not ready"
  (git-fixes).
- commit a192018
- iwlwifi: pcie: fix locking when "HW not ready" (git-fixes).
- commit 34a2104
- blacklist.conf: upstream error
- commit 82a830a
- iwlwifi: pcie: reschedule in long-running memory reads
  (git-fixes).
- commit e6380b0
- blacklist.conf: cleanup for specific compiler
- commit 0396363
- iwlwifi: fw: make pos static in iwl_sar_get_ewrd_table() loop
  (git-fixes).
- commit c845c94
- blacklist.conf: feature and optimization, not a fix
- commit 9a8bf0b
- blacklist.conf: kABI
- commit 7b6dc5b
- ath10k: fix memory overwrite of the WoWLAN wakeup packet pattern
  (git-fixes).
- commit a5c8a19
- ath10k: fix division by zero in send path (git-fixes).
- commit 995d86c
- ath10k: fix control-message timeout (git-fixes).
- commit 49a6469
- ath10k: add missing error return code in ath10k_pci_probe()
  (git-fixes).
- commit 40313d2
- ath10k: Fix error handling in case of CE pipe init failure
  (git-fixes).
- commit 29f18be
- struct wmi_svc_avail_ev_arg: new member to end (git-fixes).
- commit ace4238
- ath10k: Fix the parsing error in service available event
  (git-fixes).
- commit 83c5772
- power: supply: da9150: Fix use after free bug in
  da9150_charger_remove due to race condition (CVE-2023-30772
  bsc#1210329).
- commit a67542a
- k-m-s: Drop Linux 2.6 support
- commit 22b2304
- Remove obsolete KMP obsoletes (bsc#1210469).
- commit 7f325c6
- git_sort: tests: Use correct SLE15 base container
- commit 698573d
- wq: handle VM suspension in stall detection (bsc#1210466).
- commit b6661b9
- git_sort: tests: Move docker files into one directory
  Also accept build parameters like -q or --no-cache in run_all.sh
- commit 5b075af
- blacklist.conf: workqueue: Non-trivial reasoning why the change is correct.
  Fixing a corner case.
- commit 5637e05
- workqueue: Fix missing kfree(rescuer) in destroy_workqueue()
  (bsc#1210460).
- commit 3c2ae43
- workqueue: Fix spurious sanity check failures in
  destroy_workqueue() (bsc#1210460).
- blacklist.conf: Remove the commit from the blacklist.
- commit dcf3af1
- cachefiles: Drop superfluous readpages aops NULL check
  (bsc#1210430).
- cachefiles: Handle readpage error correctly (bsc#1210430).
- cachefiles: Fix race between read_waiter and read_copier
  involving op->to_do (bsc#1210430).
- fscache, cachefiles: remove redundant variable 'cache'
  (bsc#1210430).
- cachefiles: Fix page leak in cachefiles_read_backing_file
  while vmscan is active (bsc#1210430).
- commit 08d094b
- blacklist.conf: cachefiles fix not applicable to 12SP5
- commit 76c59ea
- hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove
  due to race condition (CVE-2023-1855 bsc#1210202).
- commit 8e7b0ea
- Bluetooth: btsdio: fix use after free bug in btsdio_remove
  due to unfinished work (CVE-2023-1989 bsc#1210336).
- commit 636a7de
- nfc: st-nci: Fix use after free bug in ndlc_remove due to race
  condition (git-fixes bsc#1210337 CVE-2023-1990).
- commit 6ec02e1
- intel_pmc_ipc: restore ability to call functions with irq
  enabled (git-fixes).
- commit 8b76237
- Refresh
  patches.suse/platform-x86-intel_pmc_ipc-Use-spin_lock-to-protect-.patch.
  Added additional commit ID
- commit 32b5de9
- platform/x86: intel_pmc_ipc: Use spin_lock to protect GCR
  updates (git-fixes).
- commit 6fd8245
- platform/x86: intel_pmc_ipc: Use devm_* calls in driver probe
  function (git-fixes).
- commit 66a8daf
- blacklist.conf: irrelevant in our configs
- commit 77369a1
- s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple()
  (git-fixes).
- commit 1101ba6
- net: usb: qmi_wwan: add Telit 0x1080 composition (git-fixes).
- commit cc9a7d7
- Refresh
  patches.suse/net-usb-cdc_mbim-avoid-altsetting-toggling-for-Telit.patch.
  Added additional ID
- commit ec0740e
- blacklist.conf: Add 6a2cbc58d6c9 seq_buf: Make trace_seq_putmem_hex() support data longer than 8
- commit 3b72881
- usb: dwc3: core: fix kernel panic when do reboot (git-fixes).
- commit e2fbf46
- usb/ohci-platform: Fix a warning when hibernating (git-fixes).
- commit f004188
- blacklist.conf: not a fix
- commit 579db14
- blacklist.conf: hardware this is relevant for not supported in SLE12
- commit 9c1574c
- usb: host: ohci-pxa27x: Fix and & vs | typo (git-fixes).
- commit 8a04e90
- blacklist.conf: update blacklist
- commit 960fe5e
- sctp: return error if the asoc has been peeled off in
  sctp_wait_for_sndbuf (git-fixes).
- Refresh
  patches.suse/sctp-implement-memory-accounting-on-tx-path.patch.
- commit ec9bf28
- sctp: use the right sk after waking up from wait_buf sleep
  (git-fixes).
- Refresh
  patches.suse/sctp-implement-memory-accounting-on-tx-path.patch.
- commit 09b20fd
- sctp: do not free asoc when it is already dead in sctp_sendmsg
  (git-fixes).
- Refresh
  patches.suse/sctp-implement-memory-accounting-on-tx-path.patch.
- commit 064e118
- net/ncsi: Don't return error on normal response (git-fixes).
- commit 0448b7b
- blacklist.conf: update blacklist
- commit dd82a70
- scripts/tar-up.sh: Exclude directories and files left over from conflict
  resolution when copying rpm/
  Directories are not used by obs, there is no point copying them.
  Files resulting from conflict resolution needlessly add noise, they
  should not be included in the package.
- commit 079558f
- run_oldconfig.sh: Set VANILLA_ONLY with vanilla source variant.
  VANILLA_ONLY is no longer set in config.sh, instead variant is set to
  vanilla. Make run_oldconfig.sh reflect that.
- commit 0b52d46
- blacklist.conf: add an intrusive ftrace refinement
- commit 1b629dd
- ftrace: Mark get_lock_parent_ip() __always_inline (git-fixes).
- commit f82808a
- ring-buffer: Fix race while reader and writer are on the same
  page (git-fixes).
- commit 68f2c8a
- Update
  patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-R.patch
  (bsc#1205128 CVE-2022-43945 bsc#1210124).
- Update
  patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-R.patch
  (bsc#1205128 CVE-2022-43945 bsc#1210124).
- Update
  patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-Rdir.patch
  (bsc#1205128 CVE-2022-43945 bsc#1210124).
  Fix a performance bug introduced by the backports bsc#1210124
- commit 98fde8e
- btrfs: fix race between quota disable and quota assign ioctls
  (CVE-2023-1611 bsc#1209687).
- commit 5262625
- Define kernel-vanilla as source variant
  The vanilla_only macro is overloaded. It is used for determining if
  there should be two kernel sources built as well as for the purpose of
  determining if vanilla kernel should be used for kernel-obs-build.
  While the former can be determined at build time the latter needs to be
  baked into the spec file template. Separate the two while also making
  the latter more generic.
  $build_dtbs is enabled on every single rt and azure branch since 15.3
  when the setting was introduced, gate on the new $obs_build_variant
  setting as well.
- commit 36ba909
- timekeeping: Prevent 32bit truncation in (git-fixes)
- commit b5eceb5
- ntp: Limit TAI-UTC offset (git-fixes)
- commit cb87f16
- x86/decoder: Add TEST opcode to Group3-2 (git-fixes).
- x86/sysfb: Fix check for bad VRAM size (git-fixes).
- x86/mm: Use the correct function type for native_set_fixmap()
  (git-fixes).
- x86/ioapic: Prevent inconsistent state when moving an interrupt
  (git-fixes).
- x86/mce: Lower throttling MCE messages' priority to warning
  (git-fixes).
- x86/apic: Soft disable APIC before initializing it (git-fixes).
- x86/reboot: Always use NMI fallback when shutdown via reboot
  vector IPI fails (git-fixes).
- uprobes/x86: Fix detection of 32-bit user mode (git-fixes).
- x86/apic: Fix arch_dynirq_lower_bound() bug for DT enabled
  machines (git-fixes).
- x86/apic: Handle missing global clockevent gracefully (git-fixes
  bsc#1142926).
- x86/lib/cpu: Address missing prototypes warning (git-fixes).
- x86, boot: Remove multiple copy of static function
  sanitize_boot_params() (git-fixes).
- commit 439b087
- blacklist.conf: add some x86 git-fixes
- commit 048281c
- netlink: limit recursion depth in policy validation
  (CVE-2020-36691 bsc#1209613).
- commit 519d73a
- scsi: qla2xxx: Synchronize the IOCB count to be in order
  (bsc#1209292 bsc#1209684 bsc#1209556).
- commit 18dd273
- net: usb: lan78xx: Limit packet length to skb->len (git-fixes).
- commit 58a7e43
- net: usb: smsc95xx: Limit packet length to skb->len (git-fixes).
- commit 4061009
- net: usb: smsc75xx: Move packet length check to prevent kernel
  panic in skb_pull (git-fixes).
- commit 904473f
- rpm/constraints.in: increase the disk size for armv6/7 to 24GB
  It grows and the build fails recently on SLE15-SP4/5.
- commit 41ac816
- NFSv4: Fix hangs when recovering open state after a server reboot (git-fixes).
  [iivanov] Fix Patch-mainline to v6.3-rc5
- commit f23280a
- seq_buf: Fix overflow in seq_buf_putmem_hex() (bsc#1209549
  CVE-2023-28772).
- commit 6692c8c
- x86/apic: Add name to irq chip (bsc#1206010).
- commit 89bba1e
- ipv4: route: fix inet_rtm_getroute induced crash (git-fixes).
- commit e25c3f6
- blacklist.conf: update blacklist
- commit ae3ef0f
- blacklist.conf: update blacklist
- commit 3e5530d
- x86/apic: Deinline x2apic functions (bsc#1181001 jsc#ECO-3191).
- x86/x2apic: Mark set_x2apic_phys_mode() as __init (bsc#1181001
  jsc#ECO-3191).
- Refresh
  patches.kabi/kABI-Fix-kABI-for-extended-APIC-ID-support.patch.
- Refresh
  patches.suse/x86-msi-Force-affinity-setup-before-startup.patch.
  Update to upstream patches.
  Two easy cleanups added for simpler backports.
- commit 2c2baeb
- PCI: hv: Add a per-bus mutex state_lock (bsc#1207001).
- Revert "PCI: hv: Fix a timing issue which causes kdump to fail
  occasionally" (bsc#1207001).
- PCI: hv: Remove the useless hv_pcichild_state from struct
  hv_pci_dev (bsc#1207001).
- PCI: hv: Fix a race condition in hv_irq_unmask() that can
  cause panic (bsc#1207001).
- PCI: hv: fix a race condition bug in hv_pci_query_relations()
  (bsc#1207001).
- commit e9cf69b
- x86/ioapic: Force affinity setup before startup (bsc#1193231).
- blacklist.conf: remove it from there as the prerequisites were
  backported already
- commit 67a8716
- powerpc/btext: add missing of_node_put (bsc#1065729).
- commit 0e57c99
- kvm: initialize all of the kvm_debugregs structure before
  sending it to userspace (bsc#1209532 CVE-2023-1513).
- commit 27afda9
- powerpc/xics: fix refcount leak in icp_opal_init()
  (bsc#1065729).
- commit f9aeabf
- powerpc/powernv/ioda: Skip unallocated resources when mapping
  to PE (bsc#1065729).
- commit 12e8c49
- powerpc/rtas: ensure 4KB alignment for rtas_data_buf
  (bsc#1065729).
- powerpc/pseries/lparcfg: add missing RTAS retry status handling
  (bsc#1065729).
- powerpc/pseries/lpar: add missing RTAS retry status handling
  (bsc#1109158 ltc#169177 git-fixes).
- commit 4d6673f
- Input: atmel_mxt_ts - fix double free in mxt_read_info_block
  (git-fixes).
- commit bd0fc95
- sbitmap: Avoid lockups when waker gets preempted (bsc#1209118).
- commit 32c7f24
- blacklist.conf: driver not in SLE12
- commit 3fbe4df
- blacklist.conf: driver not present in SLE12
- commit dad4545
- s390/vfio-ap: fix memory leak in vfio_ap device driver
  (git-fixes).
- commit 0efdc1f
- Bluetooth: Fix double free in hci_conn_cleanup (bsc#1209052
  CVE-2023-28464).
- commit ee49c52
- RDMA/core: Don't infoleak GRH fields (bsc#1209778 CVE-2021-3923)
- commit 007f267
- tipc: fix NULL deref in tipc_link_xmit() (bsc#1209289
  CVE-2023-1390).
- commit 91c876a
- bs-upload-kernel: Do not skip post-build-checks
- commit 5443633
- Update
  patches.suse/net-sched-atm-dont-intepret-cls-results-when-asked-t.patch
  (bsc#1207036 CVE-2023-23454 bsc#1207125 CVE-2023-23455).
- Update
  patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch
  (bsc#1207036 CVE-2023-23454 bsc#1207125 CVE-2023-23455).
- commit 03cf48f
- timers: Clear timer_base::must_forward_clk with (bsc#1207890)
- commit 665e881
- arm64/cpufeature: Fix field sign for DIT hwcap detection (git-fixes)
- commit d6d271d
- arm64: cmpxchg_double*: hazard against entire exchange variable (git-fixes)
- commit a0c51f7
- net/sched: tcindex: update imperfect hash filters respecting
  rcu (CVE-2023-1281 bsc#1209634).
- rcu: Upgrade rcu_swap_protected() to rcu_replace_pointer()
  (CVE-2023-1281 bsc#1209634).
- commit 79d6cb4
- crypto: arm64 - Fix unused variable compilation warnings of (git-fixes)
- commit 3f3dfdc
- arm64: fix oops in concurrently setting insn_emulation sysctls (git-fixes)
- commit 11f2537
- arm64: Do not forget syscall when starting a new thread. (git-fixes)
- commit 27dfefa
- arm64: Mark __stack_chk_guard as __ro_after_init (git-fixes)
- commit 551a661
- arm64/vdso: Discard .note.gnu.property sections in vDSO (git-fixes)
- commit b2f00e4
- blacklist.conf: ("arm64: alternatives: Move length validation in alternative_{insn,")
- commit 750c32b
- KVM: arm64: Hide system instruction access to Trace registers (git-fixes)
- commit 2e3ed1c
- arm64: psci: Avoid printing in cpu_psci_cpu_die() (git-fixes)
- commit 66c3a8b
- blacklist.conf: ("arm64: Change .weak to SYM_FUNC_START_WEAK_PI for")
- commit add4723
- arm64/mm: return cpu_all_mask when node is NUMA_NO_NODE (git-fixes)
- commit 65bd4cc
- arm64/alternatives: move length validation inside the subsection (git-fixes)
- commit d2aefa8
- arm64: Use test_tsk_thread_flag() for checking TIF_SINGLESTEP (git-fixes)
- commit 2354853
- arm64/alternatives: don't patch up internal branches (git-fixes)
- commit 259ff6d
- arm64/alternatives: use subsections for replacement sequences (git-fixes)
- commit 206be22
- arm64/cpufeature: Drop TraceFilt feature exposure from ID_DFR0 register (git-fixes)
  Refresh patches.suse/arm64-cpufeature-Allow-different-PMU-versions-in-ID_DFR0_EL1.patch
- commit a0b4d86
- blacklist.conf: ("arm64: cpufeature: Relax checks for AArch32 support at EL[0-2]")
- commit 99d129d
- blacklist.conf: ("arm64: Delete the space separator in __emit_inst")
- commit e989773
- blacklist.conf: ("arm64: fix alternatives with LLVM's integrated assembler")
- commit eabb21e
- Revert "arm64: dts: juno: add dma-ranges property" (git-fixes)
- commit 472652a
- arm64: psci: Reduce the waiting time for cpu_psci_cpu_kill() (git-fixes)
- commit 126253f
- blacklist.conf: ("arm64: fix unreachable code issue with cmpxchg")
- commit 27e2384
- arm64: kpti: ensure patched kernel text is fetched from PoU (git-fixes)
- commit ed14da7
- arm64/mm: fix variable 'pud' set but not used (git-fixes)
- commit bb80a31
- arm64: unwind: Prohibit probing on return_address() (git-fixes)
- commit 84859a4
- blacklist.conf: ("arm64/efi: Mark __efistub_stext_offset as an absolute symbol")
- commit 7448304
- arm64: Fix compiler warning from pte_unmap() with (git-fixes)
- commit f112362
- arm64: cpu_ops: fix a leaked reference by adding missing of_node_put (git-fixes)
- commit 80aa069
- arm64: kprobe: make page to RO mode when allocate it (git-fixes)
- commit 0375ba2
- usb: typec: altmodes/displayport: Fix probe pin assign check
  (git-fixes).
- commit 5ce7845
- scsi: lpfc: Return DID_TRANSPORT_DISRUPTED instead of
  DID_REQUEUE (bsc#1199837).
- commit 2f806c6
- USB: misc: iowarrior: fix up header size for
  USB_DEVICE_ID_CODEMERCS_IOW100 (git-fixes).
- commit 198956a
- netlink: prevent potential spectre v1 gadgets (bsc#1209547
  CVE-2017-5753).
- commit 179a403
- ppc64le: HWPOISON_INJECT=m (bsc#1209572).
- commit 9bc607c
- tracing/hwlat: Replace sched_setaffinity with
  set_cpus_allowed_ptr (git-fixes).
- commit 10ecebb
- ring-buffer: remove obsolete comment for free_buffer_page()
  (git-fixes).
- commit fb36562
- ftrace: Fix invalid address access in lookup_rec() when index
  is 0 (git-fixes).
- commit 2107853
- blacklist.conf: add not-relevant tracing fixes
- commit 89e5ff0
- net: usb: smsc75xx: Limit packet length to skb->len (git-fixes).
- commit 59b5ef4
- tracing: Add NULL checks for buffer in
  ring_buffer_free_read_page() (git-fixes).
- commit 4ba90d9
- blacklist.conf: might break certifications
- commit bd7ab11
- blacklist.conf: kABI
- commit c99b186
- blacklist.conf: irrelevant in our configs
- commit e0f4fc3
- blacklist.conf: kABI
- commit 9748c72
- blacklist.conf: kABI
- commit abd6f40
- blacklist.conf: blacklist Documentation because we
  will not update the documentation package in SLE12 anyway
- commit b4fe007
- Refresh
  patches.suse/scsi-qla2xxx-Add-option-to-disable-FC2-Target-suppor.patch.
- commit 37fbfe8
- xen-netfront: Fix NULL sring after live migration (git-fixes).
- commit 739342e
- xen/netfront: stop tx queues during live migration (git-fixes).
- commit ac8b9c0
- xen-netfront: fix potential deadlock in xennet_remove()
  (git-fixes).
- Refresh
  patches.suse/xen-netfront-force-data-bouncing-when-backend-is-unt.patch.
- commit 9294dd7
- xen/netfront: fix waiting for xenbus state change (git-fixes).
- commit fe29b44
- xen-netfront: wait xenbus state change when load module manually
  (git-fixes).
- commit 0c71330
- xen-netfront: Update features after registering netdev
  (git-fixes).
- commit c77bad3
- xen-netfront: Fix mismatched rtnl_unlock (git-fixes).
- commit db4108c
- xen-netfront: Fix race between device setup and open
  (git-fixes).
- Refresh
  patches.suse/xen-netfront-don-t-trust-the-backend-response-data-b.patch.
- commit a087822
- blacklist.conf: add 9e6246518592 ("xen/netback: don't call kfree_skb() under spin_lock_irqsave()")
- commit cae7fc6
- blacklist.conf: add 7dfa764e0223 ("xen/netback: fix build warning")
- commit 31b3ee5
- blacklist.conf: add 5834e72eda0b ("xen/netback: do some code cleanup")
- commit 6487e56
- x86/xen: Fix memory leak in xen_init_lock_cpu() (git-fixes).
- commit 4ce0c85
- x86/xen: Fix memory leak in xen_smp_intr_init{_pv}()
  (git-fixes).
- commit 36249b4
- xen/platform-pci: add missing free_irq() in error path
  (git-fixes).
- commit dd25a55
- xen-netfront: enable device after manual module load
  (git-fixes).
- commit 6ce0b56
- blacklist.conf: add ce6f7d087e2b ("Input: xen-kbdfront - fix multi-touch XenStore node's locations")
- commit 9866d94
- blacklist.conf: added 02a0d9216d4da ("Input: xen-kbdfront - do not advertise multi-touch pressure support")
- commit 4d70cca
- x86/paravirt: Fix callee-saved function ELF sizes (git-fixes).
- Refresh
  patches.suse/x86-prepare-inline-asm-for-straight-line-speculation.patch.
- commit be50a99
- SUNRPC: Fix a server shutdown leak (git-fixes).
- commit b391b37
- Revert "mei: me: enable asynchronous probing" (bsc#1208048,
  bsc#1209126).
- commit 9a95c7f
- cifs: fix open leaks in open_cached_dir() (bsc#1209342).
- commit 6fa5ff4
- media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()
  (bsc#1209291 CVE-2023-28328).
- commit 0a0d765
- rpm/group-source-files.pl: Fix output difference when / is in location
  While previous attempt to fix group-source-files.pl in 6d651362c38
  "rpm/group-source-files.pl: Deal with {pre,post}fixed / in location"
  breaks the infinite loop, it does not properly address the issue. Having
  prefixed and/or postfixed forward slash still results in different
  output.
  This commit changes the script to use the Perl core module File::Spec
  for proper path manipulation to give consistent output.
- commit 4161bf9
- Bluetooth: btusb: Add VID:PID 13d3:3529 for Realtek RTL8821CE
  (git-fixes).
- commit a77868e
- Bluetooth: btusb: don't call kfree_skb() under
  spin_lock_irqsave() (git-fixes).
- commit 0b2e609
- blacklist.conf: false positive
- commit 7dfc594
- ima: Fix function name error in comment (git-fixes).
- commit 889bacc
- kfifo: fix ternary sign extension bugs (git-fixes).
- commit efc9af2
- blacklist.conf: irrelevant in our configurations
- commit fcaf3c0
- blacklist.conf: kABI
- commit 5f50816
- blacklist.conf: changes exported defaults
- commit 6e19056
- PM: hibernate: flush swap writer after marking (git-fixes).
- commit d5d514d
- blacklist.conf: false positive
- commit bcee6d7
- blacklist.conf: kABI
- commit ee8665f
- blacklist.conf: false positive
- commit 38a7585
- kgdb: Drop malformed kernel doc comment (git-fixes).
- commit 16f0840
- blacklist.conf: kABI
- commit 836cdb8
- dt-bindings: reset: meson8b: fix duplicate reset IDs
  (git-fixes).
- commit 758f2cb
- timers/sched_clock: Prevent generic sched_clock wrap caused
  by tick_freeze() (git-fixes).
- commit c1996c6
- blacklist.conf: irrelevant documentation
- commit 14b48ad
- blacklist.conf: false positive
- commit 24553f6
- usb: dwc3: gadget: Stop processing more requests on IMI
  (git-fixes).
- commit 1e1ba8c
- Update patches.suse/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch.
- fix a mistake in the CVE-2023-0590 / bsc#1207795 backport
- commit 005c9da
- Require suse-kernel-rpm-scriptlets at all times.
  The kernel packages call scriptlets for each stage, add the dependency
  to make it clear to libzypp that the scriptlets are required.
  There is no special dependency for posttrans, these scriptlets run when
  transactions are resolved. The plain dependency has to be used to
  support posttrans.
- commit 56c4dbe
- Replace mkinitrd dependency with dracut (bsc#1202353).
  Also update mkinitrd references in documentation and comments.
- commit e356c9b
- prlimit: do_prlimit needs to have a speculation check
  (bsc#1209256 CVE-2017-5753).
- commit fca254e
- rpm/kernel-obs-build.spec.in: Remove SLE11 cruft
- commit 871eeb4
- usb: dwc3: exynos: Fix remove() function (git-fixes).
- commit 1162027
- usb: chipidea: fix deadlock in ci_otg_del_timer (git-fixes).
- commit c85689a
- blacklist.conf: duplicate
- commit 9a30402
- blacklist.conf: false positive
- commit 6886a4a
- NET: usb: qmi_wwan: Adding support for Cinterion MV31
  (git-fixes).
- commit 64d8c67
- Update
  patches.suse/l2tp-fix-race-in-pppol2tp_release-with-session-objec.patch
  (bsc#1076830 bsc#1208850 CVE-2022-20567).
- commit 47065bb
- tap: tap_open(): correctly initialize socket uid (CVE-2023-1076
  bsc#1208599).
- tun: tun_chr_open(): correctly initialize socket uid
  (CVE-2023-1076 bsc#1208599).
- net: add sock_init_data_uid() (CVE-2023-1076 bsc#1208599).
- netfilter: nf_tables: fix null deref due to zeroed list head
  (CVE-2023-1095 bsc#1208777).
- commit c4928a4
- Delete
  patches.suse/livepatch-define-a-macro-for-new-api-identification.patch.
  This definition was used by kgraft codestreams (SLE12-SP3), but the
  livepatch support for such codestreams has ended.
- commit 4fbaecf
- Do not sign the vanilla kernel (bsc#1209008).
- commit cee4d89
- PCI: PM: Avoid forcing PCI_D0 for wakeup reasons inconsistently
  (git-fixes).
- PCI: Use pci_update_current_state() in pci_enable_device_flags()
  (git-fixes).
- PCI/MSI: Skip masking MSI-X on Xen PV (git-fixes).
- PCI/MSI: Enforce MSI entry updates to be visible (git-fixes).
- PCI/MSI: Enforce that MSI-X table entry is masked for update
  (git-fixes).
- PCI/MSI: Mask all unused MSI-X entries (git-fixes).
- PCI: aardvark: Fix checking for PIO Non-posted Request
  (git-fixes).
- PCI: aardvark: Fix kernel panic during PIO transfer (git-fixes).
- PCI: xgene-msi: Fix race in installing chained irq handler
  (git-fixes).
- PCI: qcom: Use PHY_REFCLK_USE_PAD only for ipq8064 (git-fixes).
- PCI/PM: Avoid using device_may_wakeup() for runtime PM
  (git-fixes).
- Refresh
  patches.suse/0002-PCI-PM-Use-the-NEVER_SKIP-driver-flag.patch.
- commit 7a5a840
- media: platform: ti: Add missing check for devm_regulator_get
  (git-fixes).
- commit 38e97d5
- media: coda: Add check for kmalloc (git-fixes).
- commit 95a83e8
- media: coda: Add check for dcoda_iram_alloc (git-fixes).
- commit da6b661
- rpm/group-source-files.pl: Deal with {pre,post}fixed / in location
  When the source file location provided with -L is either prefixed or
  postfixed with forward slash, the script gets stuck in an infinite loop
  inside calc_dirs() where $path is an empty string.
  user@localhost:/tmp> perl "$HOME/group-source-files.pl" -D devel.files -N nondevel.files -L /usr/src/linux-5.14.21-150500.41/
  ...
  path = /usr/src/linux-5.14.21-150500.41/Documentation/Kconfig
  path = /usr/src/linux-5.14.21-150500.41/Documentation
  path = /usr/src/linux-5.14.21-150500.41
  path = /usr/src
  path = /usr
  path =
  path =
  path =
  ... # Stuck in an infinite loop
  This works around the issue by breaking out of the loop once path is an
  empty string. For a proper fix we'd want something that is
  filesystem-aware, but this workaround should be enough for the rare
  occasion that this script is run manually.
  Link: http://mailman.suse.de/mlarch/SuSE/kernel/2023/kernel.2023.03/msg00024.html
- commit 6d65136
- PCI: Unify ACS quirk desired vs provided checking (git-fixes).
- PCI: Make ACS quirk implementations more uniform (git-fixes).
- commit 6452eb0
- README.BRANCH: Adding myself to the maintainer list
- commit 8fc11b2
- kernel-module-subpackage: Fix expansion with -b parameter (bsc#1208179).
  When -b is specified the script is prefixed with KMP_NEEDS_MKINITRD=1
  which sets the variable for a simple command.
  However, the script is no longer a simple command. Export the variable
  instead.
- commit 152a069
- scripts/sequence-patch.sh: remove obsolete egrep
  Avoids a warning and prepares for ultimate removal - boo#1203092
- commit 7a787f7
- PCI: aardvark: Don't touch PCIe registers if no card connected
  (git-fixes).
- PCI: aardvark: Indicate error in 'val' when config read fails
  (git-fixes).
- PCI: aardvark: Improve link training (git-fixes).
- PCI: aardvark: Don't blindly enable ASPM L0s and don't write
  to read-only register (git-fixes).
- PCI: aardvark: Train link immediately after enabling training
  (git-fixes).
- PCI: Add ACS quirk for Intel Root Complex Integrated Endpoints
  (git-fixes).
- PCI: Avoid FLR for AMD Starship USB 3.0 (git-fixes).
- PCI: Avoid FLR for AMD Matisse HD Audio & USB 3.0 (git-fixes).
- PCI: endpoint: Fix for concurrent memory allocation in OB
  address region (git-fixes).
- kabi: PCI: endpoint: Fix for concurrent memory allocation in
  OB address region (git-fixes).
- PCI: endpoint: Cast the page number to phys_addr_t (git-fixes).
- PCI: aardvark: Remove PCIe outbound window configuration
  (git-fixes).
- PCI: aardvark: Introduce an advk_pcie_valid_device() helper
  (git-fixes).
- commit 36c0f12
- PCI: aardvark: Don't rely on jiffies while holding spinlock
  (git-fixes).
- PCI: aardvark: Wait for endpoint to be ready before training
  link (git-fixes).
- PCI/PM: Always return devices to D0 when thawing (git-fixes).
- PCI: tegra: Fix OF node reference leak (git-fixes).
- commit d6e8f39
- applicom: Fix PCI device refcount leak in applicom_init()
  (git-fixes).
- PCI: Add ACS quirk for iProc PAXB (git-fixes).
- Refresh
  patches.suse/PCI-Add-ACS-quirk-for-Amazon-Annapurna-Labs-root-por.patch.
- Refresh
  patches.suse/PCI-Add-ACS-quirk-for-Broadcom-BCM57414-NIC.patch.
- PCI: PM: Avoid skipping bus-level PM on platforms without ACPI
  (git-fixes).
- PCI: aardvark: Fix a leaked reference by adding missing
  of_node_put() (git-fixes).
- commit 5dd1a12
- blacklist.conf: add few PCI patches
- commit 52e540a
- ARM: 8702/1: head-common.S: Clear lr before jumping to start_kernel() (git-fixes)
- commit 0e2e532
- git_sort: tests: do not disable package repository GPG check
  This adds the Kernel repository key and enables GPG check for package
  installation inside containers.
- commit b2615b2
- git_sort: tests: Adjust to new net repository location
- commit de2dc43
- git_sort: tests: Fix tests failing on SLE15
  Use the correct base image, pygit2 is not found by python otherwise.
- commit 1088359
- git_sort: tests: exit on error
- commit 767bb07
- git_sort: tests: Use 15.4, 15.3 is EOL
- commit 3624818
- git_sort: tests: Kernel:tools does not have Leap repos, use SLE
- commit 46626b0
- scripts/renamepatches: Fix grep warning
  grep: warning: stray \ before /
- commit 20e6e67
- scripts/renamepatches: Exclude search in irrelevant files
  Especially large files in kabi/ can be simply avoided on slow devices
  (or NFS).
- commit 9e1b932
- x86/power: Fix 'nosmt' vs hibernation triple fault during resume
  (git-fixes).
- Refresh
  patches.suse/cpu-smt-create-and-export-cpu_smt_possible.patch.
- commit 3ddadd1
- x86/stacktrace: Prevent infinite loop in arch_stack_walk_user()
  (git-fixes).
- x86/build: Add 'set -e' to mkcapflags.sh to delete broken
  capflags.c (git-fixes).
- x86/atomic: Fix smp_mb__{before,after}_atomic() (git-fixes).
- x86/PCI: Fix PCI IRQ routing table memory leak (git-fixes).
- x86/mm: Remove in_nmi() warning from 64-bit implementation of
  vmalloc_fault() (git-fixes).
- x86/irq/64: Limit IST stack overflow check to #DB stack
  (git-fixes).
- x86/uaccess, signal: Fix AC=1 bloat (git-fixes).
- x86/ia32: Fix ia32_restore_sigcontext() AC leak (git-fixes).
- commit 4fdbd92
- blacklist.conf: add some x86 commits
- commit 89c0d93
- scripts/renamepatches: Optimize search
  Use bash hashmap instead of grepping list file.
  sample:
  5.0s -> 2.5s
  Composed result with previous commit on SLE15-SP4->SLE15-SP5:
  original
  Executed in  207.82 secs    fish           external
  usr time  263.64 secs  459.00 micros  263.64 secs
  sys time   60.61 secs  185.00 micros   60.61 secs
  optimized
  Executed in   65.73 secs    fish           external
  usr time   49.16 secs  639.00 micros   49.16 secs
  sys time   18.52 secs    0.00 micros   18.52 secs
- commit 68e276c
- scripts/renamepatches: Optimize forks
  Use single awk instead of multiple utilities.
  sample:
  6.4s -> 5.0s
- commit c44b590
- Update SUSE Root certificate file
  Pull the root certificate from a later bundle where it is correctly
  marked as CA certificate. Without this the certificate won't be added
  into CA bundle.
- commit b2e67d7
- scripts/osc_wrapper: Assign spec with *.spec file when building
  Commit 270fc6884c5b ("scripts/osc_wrapper: Pass more options to osc"),
  decided that only the last argument of osc_wrapper can be the spec file.
  But on commit 30f26fbbe86c ("scripts/osc_wrapper: Accept --ibs | --obs
  as the first parameter"), it swaps the order of arguments, leaving
  --ibs/--obs as the last ones.
  This creates a problem when running osc_wrapper with --ibs
  kernel-default.spec, since it'll add the specfile in osc_args, leaving
  the spec variable empty. Later on, if spec is empty, the find_spec
  function is called, setting the spec automatically. The end result is
  messy:
  $ ./scripts/osc_wrapper --ibs kernel-source/kernel-default.spec
  osc -A https://api.suse.de build --no-service --local-package --alternative-project=Devel:Kernel:SLE15-SP4 \
    kernel-source/kernel-default.spec \
    <some other options here...> \
    --define klp_symbols 1 standard kernel-source/kernel-default.spec
  The osc command contains two spec definitions, which is wrong. The first
  one is wrongly assumed to be an argument to be used for osc or
  osc_wrapper.
  The fix is to respect the argument of *.spec and assign it to spec
  variable, and let other options be handled by the code that is
  currently present.
- commit 86d0aae
- arm64: kaslr: Reserve size of ARM64_MEMSTART_ALIGN in linear region (git-fixes)
- commit 5ab30ad
- README: remove copy of config and update the text (bsc#1191924)
  * the config is copied by sequence_patch.
  * it makes no sense to copy a file called "default" to the build tree
  anyway.
  * update the text, so that prerequisites are pre-installed.
- commit aef2a28
- scripts/python-bugzilla: Apply SUSE Bugzilla URL
- commit 4e69d74
- scripts: Reduce repetitions of Bugzilla URL
  Just use the DEFAULT_BZ as vendored with python-bugzilla.
  (rpm/config.sh usually specifies BUGZILLA_SERVER but it has been ignored
  so far, don't deviate from that).
- commit eb1f26e
- scripts/python-bugzilla: Apply SUSE patches to python-bugzilla
- commit 029c1e9
- scripts: Update scripts/bugzilla
  Raw copy from [1] a7c324041175a4157823bc2332a046cc2a54d105.
  To access the REST API add
  [apibugzilla.suse.com]
  api_key = your_api_key
  to ~/.bugzillarc
  [1] https://github.com/python-bugzilla/python-bugzilla
- commit ccf7f1d
- arm64: Discard .note.GNU-stack section (bsc#1203693 bsc#1209798).
- commit cab7952
- Update patch reference for libata fix (bsc#1118212).
- commit 16b85ae
- libata: add horkage for ASMedia 1092 (git-fixes).
- commit 1ec1df0
krb5
- Fix prefix reported by krb5-config, libraries and headers are not
  installed under /usr/lib/mit prefix. (bsc#1211411);
libX11
- U_InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
  * Buffer overflows in InitExt.c (boo#1212102, CVE-2023-3138)
libseccomp
- Speed up database handling when handling lots of rules like in docker
  (bsc#1209407)
  Added backported patches:
  - 01-21b98d85e8bfdb701a5f9afd54ff5175af910a45.patch
  - 02-19af04da86e9a4168a443f3563fc7aec8839edf0.patch
libxml2
- Security update:
  * [CVE-2023-29469, bsc#1210412] Hashing of empty dict strings
    isn't deterministic
  - Added patch libxml2-CVE-2023-29469.patch
  * [CVE-2023-28484, bsc#1210411] NULL dereference in
    xmlSchemaFixupComplexType
  - Added patch libxml2-CVE-2023-28484-1.patch
  - Added patch libxml2-CVE-2023-28484-2.patch
libzypp
- zypp.conf: Introduce 'download.connect_timeout' [60 sec.]
  (bsc#1208329)
  Maximum time in seconds that you allow the connection phase to
  the server to take. This only limits the connection phase, it has
  no impact once it has connected. (see also CURLOPT_CONNECTTIMEOUT)
- version 16.22.7 (0)
- Removing a PTF without enabled repos should always fail
  (bsc#1203248)
  Without enabled repos, the dependent PTF-packages would be
  removed (not replaced!) as well. To remove a PTF "zypper install
  -- -PTF" or a dedicated "zypper removeptf PTF" should be used.
  This will update the installed PTF packages to their latest
  version.
- version 16.22.6 (0)
mozilla-nss
- Update nss-fips-approved-crypto-non-ec.patch (bsc#1208999) with
  fixes to PBKDF2 parameter validation.
- Update nss-fips-approved-crypto-non-ec.patch (bsc#1208999) to
  validate extra PBKDF2 parameters according to FIPS 140-3.
- Update nss-fips-approved-crypto-non-ec.patch (bsc#1191546) to
  update session->lastOpWasFIPS before destroying the key after
  derivation in the CKM_TLS12_KEY_AND_MAC_DERIVE,
  CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256,
  CKM_TLS_KEY_AND_MAC_DERIVE and CKM_SSL3_KEY_AND_MAC_DERIVE cases.
- Update nss-fips-pct-pubkeys.patch (bsc#1207209) to remove some
  excess code.
- Update nss-fips-approved-crypto-non-ec.patch (bsc#1191546).
- Add nss-fips-pct-pubkeys.patch (bsc#1207209) for pairwise consistency
  checks. Thanks to Martin for the DHKey parts.
- Add manpages to mozilla-nss-tools (bsc#1208242)
ncurses
- Modify patch ncurses-6.1.dif
  * Secure writing terminfo entries by setfs[gu]id in s[gu]id
    (boo#1210434, CVE-2023-29491)
  * Reading is done since 2000/01/17
nfs-utils
- 0206-gssd-Fix-inner-loop-variable-reuse.patch
  Fix for previous patch
  (bsc#1210136)
- 0205-nfsd.man-fix-typo-in-section-on-scope.patch
  bsc#1209859
- 0204-Don-t-assume-the-machine-account-will-be-in-upp.patch
  Be more flexible with case of machine account name
  (bsc#1207245)
- 0203-modprobe-avoid-error-messages-if-sbin-sysctl-fail.patch
  Avoid modprobe errors when sysctl is not installed.
  (bsc#1200710 bsc#1207022 bsc#1206781)
ntp
- bsc#1210386: out-of-bounds writes in mstolfp()
  * CVE-2023-26551, CVE-2023-26552, CVE-2023-26553, CVE-2023-26554
  * Add ntp-CVE-2023-26551.patch
openldap2
- bsc#1211795 - CVE-2023-2953 - Null pointer deref in ber_memalloc_x
  * 0227-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch
openssl-1_0_0
- Security Fix: [CVE-2023-2650, bsc#1211430]
  * Possible DoS translating ASN.1 object identifiers
  * Add openssl-CVE-2023-2650.patch
- Security Fix: [CVE-2023-0465, bsc#1209878]
  * Invalid certificate policies in leaf certificates are silently ignored
  * Add openssl-CVE-2023-0465.patch
- Security Fix: [CVE-2023-0466, bsc#1209873]
  * Certificate policy check not enabled
  * Add openssl-CVE-2023-0466.patch
- Security Fix: [CVE-2023-0464, bsc#1209624]
  * Excessive Resource Usage Verifying X.509 Policy Constraints
  * Add openssl-CVE-2023-0464.patch
- Fix DH key generation in FIPS mode, add support for constant BN for
  DH parameters [bsc#1202062]
  * Add patch: openssl-fips_fix_DH_key_generation.patch
openssl-1_1
- Security Fix: [CVE-2023-2650, bsc#1211430]
  * Possible DoS translating ASN.1 object identifiers
  * Add openssl-CVE-2023-2650.patch
- Security Fix: [CVE-2023-0465, bsc#1209878]
  * Invalid certificate policies in leaf certificates are silently ignored
  * Add openssl-CVE-2023-0465.patch
- Security Fix: [CVE-2023-0466, bsc#1209873]
  * Certificate policy check not enabled
  * Add openssl-CVE-2023-0466.patch
- Security Fix: [CVE-2023-0464, bsc#1209624]
  * Excessive Resource Usage Verifying X.509 Policy Constraints
  * Add openssl-CVE-2023-0464.patch
permissions
  * mariadb: settings for new auth_pam_tool (bsc#1160285)
- Update to version 20170707:
python-cffi
- Add require-writable.patch to support the optional argument
  "require_writable" in "from_buffer" method, that's used by the
  python-cryptography security fix gh#pyca/cryptography@9fbf84efc861
  (bsc#1208036, CVE-2023-23931)
  The upstream patch can be found here:
  https://foss.heptapod.net/pypy/cffi/-/commit/c5c4d32c3e3ec0fbaabc4b9890fd17c9c58407d2
python-cryptography
- Add patch CVE-2023-23931-dont-allow-update-into.patch (bsc#1208036, CVE-2023-23931)
  * Don't allow update_into to mutate immutable objects
python3
- Add bpo-44434-libgcc_s-for-pthread_cancel.patch
  which eliminates unnecessary and dangerous calls to
  PyThread_exit_thread() (bsc#1203355).
python3-base
- Add bpo-44434-libgcc_s-for-pthread_cancel.patch
  which eliminates unnecessary and dangerous calls to
  PyThread_exit_thread() (bsc#1203355).
python36
- Add 99366-patch.dict-can-decorate-async.patch fixing
  gh#python/cpython#98086 (backport from Python 3.10 patch in
  gh#python/cpython!99366), fixing bsc#1211158.
- Add CVE-2007-4559-filter-tarfile_extractall.patch to fix
  CVE-2007-4559 (bsc#1203750) by adding the filter for
  tarfile.extractall (PEP 706).
- Use python3 modules to build the documentation.
- Add bpo-44434-libgcc_s-for-pthread_cancel.patch
  which eliminates unnecessary and dangerous calls to
  PyThread_exit_thread() (bsc#1203355).
samba
- CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords
  in cleartext; (bso#15315); (bsc#1209481).
- Prevent use after free of messaging_ctdb_fde_ev structs;
  (bso#15293); (bsc#1207416).
shadow
- bsc#1210507 (CVE-2023-29383):
  Check for control characters
- Add shadow-CVE-2023-29383.patch
sudo
- Fix CVE-2023-28486, sudo does not escape control characters in
  log messages, (CVE-2023-28486, bsc#1209362)
  * Add sudo-CVE-2023-28486.patch
- Fix CVE-2023-28487, sudo does not escape control characters in
  sudoreplay output (CVE-2023-28487, bsc#1209361)
- sudo-dont-enable-read-after-pty_finish.patch
  * bsc#1203201
  * Do not re-enable the reader when flushing the buffers as part
    of pty_finish().
  * While sudo-observe-SIGCHLD patch applied earlier prevents a
    race condition from happening, this fixes a related buffer hang.
- Added sudo-fix_NULL_deref_RunAs.patch
  * bsc#1206483
  * Fix a situation where "sudo -U otheruser -l" would dereference
    a NULL pointer.
supportutils
- Removed iSCSI passwords CVE-2022-45154 (bsc#1207598)
- Fixed missing status detail for apparmor (bsc#1196933)
- Corrected invalid argument list in docker.txt (bsc#1206608)
- Changed _sanitize_file to include lio_setup.sh (bsc#1206350)
supportutils-plugin-suse-public-cloud
- Update to version 1.0.7 (bsc#1209026)
  + Include information about the cached registration data
  + Collect the data that is sent to the update infrastructure during
    registration
systemd
- Import commit 95ad6444b8d4c9cbd6c745ba9b4463264109ee11
  acb6da7b4a pager: make pager secure when under euid is changed or explicitly requested
  7c8bbe16a2 pager: set $LESSSECURE whenver we invoke a pager (bsc#1208958 CVE-2023-26604)
  e931881112 core: if the start command vanishes during runtime don't hit an assert (bsc#1206985)
timezone
- timezone update 2023c:
  * Revert changes made in 2023b
- timezone update 2023b:
  * Lebanon delays the start of DST this year.
- timezone update 2023a:
  * Egypt now uses DST again, from April through October.
  * This year Morocco springs forward April 23, not April 30.
  * Palestine delays the start of DST this year.
  * Much of Greenland still uses DST from 2024 on.
  * America/Yellowknife now links to America/Edmonton.
  * tzselect can now use current time to help infer timezone.
  * The code now defaults to C99 or later.
- Refresh tzdata-china.diff
util-linux
- Add upstream patch fix-lib-internal-cache-size.patch
  bsc#1210164, gh#util-linux/util-linux@2fa4168c8bc9
util-linux-systemd
- Add upstream patch fix-lib-internal-cache-size.patch
  bsc#1210164, gh#util-linux/util-linux@2fa4168c8bc9
yast2-transfer
- Fixed TFTP download, truncate the target file to avoid garbage
  at the end of the file when saving to an already existing file
  (bsc#1208754)
- 3.1.4
zlib
- Fix deflateBound() before deflateInit(), bsc#1210593
  bsc1210593.patch
- Add DFLTCC support for using inflate() with a small window,
  fixes bsc#1206513
  * bsc1206513.patch
zypper
- Add expert (allow-*) options to all installer commands
  (bsc#428822)
- version 1.13.64
- Provide "removeptf" command (bsc#1203249)
  A remove command which prefers replacing dependent packages to
  removing them as well.
  A PTF is typically removed as soon as the fix it provides is
  applied to the latest official update of the dependent packages.
  But you don't want the dependent packages to be removed together
  with the PTF, which is what the remove command would do. The
  removeptf command however will aim to replace the dependent
  packages by their official update versions.
- BuildRequires:  libzypp-devel >= 16.22.6.
- version 1.13.63