PaulHowarth/Blog/2021-09-15

Wednesday 15th September 2021

Fedora Project

  • Updated perl-Net-SSLeay (1.90) in Rawhide to add fixes (mainly from upstream) for OpenSSL 3.0.0

Local Packages

  • Updated curl to 7.79.0:

    • bearssl: Support CURLOPT_CAINFO_BLOB

    • http: Consider cookies over localhost to be secure
    • secure transport: Support CURLINFO_CERTINFO

    • CVE-2021-22945: Clear the leftovers pointer when sending succeeds

    • CVE-2021-22946: Do not ignore --ssl-reqd

    • CVE-2021-22947: Reject STARTTLS server response pipelining

    • ares: Use ares_getaddrinfo()

    • asyn-ares.c: Move all version number checks to the top

    • auth: Do not append zero-terminator to authorisation id in kerberos
    • auth: Properly handle byte order in kerberos security message
    • auth: Use sasl authzid option in kerberos
    • auth: We do not support a security layer after kerberos authentication
    • BINDINGS.md: Update links to use https where available

    • build: Fix compiler warnings
    • c-hyper: Deal with Expect: 100-continue combined with POSTFIELDS

    • c-hyper: Fix header value passed to debug callback
    • c-hyper: Handle HTTP/1.1 ⇒ HTTP/1.0 downgrade on reused connection
    • c-hyper: Initial step for 100-continue support

    • c-hyper: Initial support for "dumping" 1xx HTTP responses

    • c-hyper: Remove the hyper_executor_poll() loop from Curl_http

    • CI/cirrus: Reduce compile time with increased parallelism
    • CI: Use GitHub Container Registry instead of Docker Hub

    • cirrus: Add FreeBSD 13.0 job and disable sanitizer build
    • cmake: Avoid poll() on macOS

    • cmake: Sync CURL_DISABLE options

    • codeql: Fix error "Resource not accessible by integration"
    • compressed.d: It's a request, not an order

    • config.d: Escape the backslash properly

    • config.d: Note that curlrc is used even when --config

    • config: Get rid of the unused HAVE_SIG_ATOMIC_T et al.

    • configure.ac: Revert bad nghttp2 library detection improvements

    • configure: Error out if both ngtcp2 and quiche are specified

    • configure: Make --disable-hsts work

    • configure: Set classic mingw minimum OS version to XP

    • configure: Tweak nghttp2 library name fix

    • connect: Get local port + ip also when reusing connections

    • connect: Remove superfluous conditional
    • curl-openssl.m4: Check lib64 for the pkg-config file

    • curl-openssl.m4: Show correct output for OpenSSL v3

    • curl.1: Mention "global" flags

    • curl.1: Provide examples for each option

    • curl: Add warning for ignored data after quoted form parameter

    • curl: Add warning for incompatible parameters usage

    • curl: Better error message when -O fails to get a good name

    • curl: Stop retry if Retry-After: is longer than allowed

    • curl_easy_setopt.3: Improve the string copy wording

    • Curl_hsts_loadcb: Don't attempt to load if hsts wasn't inited

    • curl_setup.h: Sync values for HTTP_ONLY

    • curl_url_get.3: Clarify about path and query

    • CURLMOPT_TIMERFUNCTION.3: Remove misplaced "time"

    • CURLOPT_DOH_URL.3: CURLOPT_OPENSOCKETFUNCTION is not inherited

    • CURLOPT_SSL_CTX_*.3: Tidy up the example

    • CURLOPT_UNIX_SOCKET_PATH.3: Remove nginx reference, add see also

    • docs/MQTT: Update state of username/password support

    • docs: Remove experimental mentions from HSTS and MQTT
    • docs: The security list is reached at security at curl.se now
    • easy: Use a custom implementation of wcsdup on Windows

    • examples/*hiperfifo.c: Fix calloc arguments to match function proto

    • examples/cookie_interface: Avoid printfing time_t directly

    • examples/cookie_interface: Fix scan-build printf warning

    • examples/ephiperfifo.c: Simplify signal handler

    • FAQ: Add two dev related questions

    • getparameter: Fix the --local-port number parser

    • happy-eyeballs-timeout-ms.d: Polish the wording

    • hostip: Make Curl_ipv6works function independent of getaddrinfo

    • http2: Curl_http2_setup needs to init stream data in all invokes

    • http2: Revert a change that broke upgrade to h2c
    • http2: Revert call the handle-closed function correctly on closed stream
    • http: Disallow >3-digit response codes

    • http: Ignore content-length if any transfer-encoding is used
    • http_proxy: Clear 'sending' when the outgoing request is sent

    • http_proxy: Fix the User-Agent inclusion in CONNECT

    • http_proxy: Fix user-agent and custom headers for CONNECT with hyper

    • http_proxy: Only wait for writeable socket while sending request

    • INTERNALS: Bump c-ares requirement to 1.16.0

    • INTERNALS: c-ares has a new home: c-ares.org

    • lib: Don't use strerror()

    • libcurl-errors.3: Clarify two CURLUcode errors

    • limit-rate.d: Clarify base unit

    • mailing lists: Move from cool.haxx.se to lists.haxx.se

    • mbedtls: Avoid using a large buffer on the stack
    • mbedTLS: Initial 3.0.0 support
    • mbedtls_threadlock: Fix unused variable warning

    • mksymbolsmanpage.pl: Fix showing symbol's last used version

    • mksymbolsmanpage.pl: Match symbols case insensitively

    • multi: Fix compiler warning with 'CURL_DISABLE_WAKEUP'

    • ngtcp2: Compile with the latest ngtcp2 and nghttp3
    • ngtcp2: Fix build with ngtcp2 and nghttp3
    • ngtcp2: Remove the acked_crypto_offset struct field init

    • ngtcp2: Replace deprecated functions with nghttp3_conn_shutdown_stream_read

    • ngtcp2: Reset the outstanding send buffer again when drained
    • ngtcp2: Rework the return value handling of ngtcp2_conn_writev_stream

    • ngtcp2: Stop buffering crypto data
    • ngtcp2: Utilize crypto API functions to simplify
    • openssl: Annotate SSL3_MT_SUPPLEMENTAL_DATA

    • openssl: When creating a new context, there cannot be an old one
    • opt-docs: Make sure all man pages have examples
    • opt-docs: Verify man page sections + order
    • opts docs: Unify phrasing in NAME header

    • output.d: Add method to suppress response bodies

    • page-header: Add GOPHERS, simplify wording in the 1st paragraph

    • progress: Fix a compile warning on some systems
    • progress: Make trspeed avoid floats

    • runtests: Add option -u to error on server unexpectedly alive

    • schannel: Work around typo in classic mingw macro
    • scripts: Invoke interpreters through /usr/bin/env

    • setopt: Enable CURLOPT_IGNORE_CONTENT_LENGTH for hyper

    • strerror.h: Remove the #include from files not using it

    • symbols-in-versions: Fix CURLSSLBACKEND_QSOSSL last used version

    • test1138: Remove trailing space to make work with hyper

    • test1173: Check references to libcurl options

    • test1280: CRLFify the response to please hyper

    • test1565: Fix Windows build errors

    • test365: Verify response with chunked and Content-Length headers

    • tests/*server.pl: Flush output before executing subprocess

    • tests/*server.py: Remove pidfile on server termination

    • tests/runtests.pl: Clean-up copy-and-paste mistakes and unused code

    • tests/server/*.c: Align handling of portfile argument and file

    • tests: Adjust the tftpd output to work with hyper mode

    • tests: Be explicit about using 'python3' instead of 'python'

    • tests: Enable test 1129 for hyper builds
    • tests: Make three tests pass until 2037
    • tool/tests: Fix potential year 2038 issues

    • tool_operate: Fix --fail-early with parallel transfers

    • url: Fix compiler warning in no-verbose builds
    • urlapi.c: seturl: Assert URL instead of using if-check

    • vtls: Fix typo in schannel_verify.c

    • winbuild/README.md: Clarify GEN_PDB option

    • wolfssl: Clean up wolfcrypt error queue
    • write-out.d: Clarify size_download/upload

    • x509asn1: Fix heap over-read when parsing x509 certificates
  • Updated perl-Net-SSLeay (1.90) as per the Fedora version

