开源软件构建与测试

We truncated the diff of some files because they were too big. If you want to see the full diff for every file, click here.

Changes of Revision 2

_service:tar_scm:curl.spec Changed

@@ -7,7 +7,7 @@
 
 Name:           curl
 Version:        8.4.0
-Release:        6
+Release:        10
 Summary:        Curl is used in command lines or scripts to transfer data
 License:        curl
 URL:            https://curl.se/
@@ -32,6 +32,8 @@
 Patch24:        backport-tool_cfgable-free-proxy_-cipher13_list-on-exit.patch
 Patch25:        backport-CVE-2024-7264-x509asn1-clean-up-GTime2str.patch
 Patch26:        backport-CVE-2024-7264-x509asn1-unittests-and-fixes-fo.patch
+Patch27:        backport-CVE-2024-8096-gtls-fix-OCSP-stapling-management.patch
+Patch28:        backport-url-allow-DoH-transfers-to-override-max-connection-limit.patch
 
 BuildRequires:  automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires:  libidn2-devel libnghttp2-devel libpsl-devel
@@ -217,6 +219,27 @@
 %{_mandir}/man3/*
 
 %changelog
+* Fri Sep 20 2024 zhouyihang <zhouyihang3@h-partners.com> - 8.4.0-10
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:url: allow DoH transfers to override max connection limit
+
+* Thu Sep 12 2024 zhouyihang <zhouyihang3@h-partners.com> - 8.4.0-9
+- Type:CVE
+- CVE:CVE-2024-8096
+- SUG:NA
+- DESC:fix CVE-2024-8096
+
+* Thu Sep 05 2024 zhouyihang <zhouyihang3@h-partners.com> - 8.4.0-8
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:revert modify licence from curl to MIT
+
+* Thu Aug 15 2024 zhangxianjun <zhangxianjun@kylinos.cn> - 8.4.0-7
+- modify licence from curl to MIT
+
 * Wed Jul 31 2024 yinyongkang <yinyongkang@kylinos.cn> - 8.4.0-6
 - Type:CVE
 - CVE:CVE-2024-7264

_service:tar_scm:backport-CVE-2024-8096-gtls-fix-OCSP-stapling-management.patch Added

@@ -0,0 +1,206 @@
+From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 20 Aug 2024 16:14:39 +0200
+Subject: PATCH gtls: fix OCSP stapling management
+
+Reported-by: Hiroki Kurosawa
+Closes #14642
+
+Conflict:NA
+Reference:https://github.com/curl/curl/commit/aeb1a281cab13c7ba791cb104e556b20e713941f
+---
+ lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------
+ 1 file changed, 73 insertions(+), 73 deletions(-)
+
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 03d6fcc03..c7589d9d3 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -850,6 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,
+   init_flags |= GNUTLS_NO_TICKETS;
+ #endif
+ 
++#if defined(GNUTLS_NO_STATUS_REQUEST)
++  if(!config->verifystatus)
++    /* Disable the "status_request" TLS extension, enabled by default since
++       GnuTLS 3.8.0. */
++    init_flags |= GNUTLS_NO_STATUS_REQUEST;
++#endif
++
+   rc = gnutls_init(&gtls->session, init_flags);
+   if(rc != GNUTLS_E_SUCCESS) {
+     failf(data, "gnutls_init() failed: %d", rc);
+@@ -1321,104 +1328,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
+     infof(data, "  server certificate verification SKIPPED");
+ 
+   if(config->verifystatus) {
+-    if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
+-      gnutls_datum_t status_request;
+-      gnutls_ocsp_resp_t ocsp_resp;
++    gnutls_datum_t status_request;
++    gnutls_ocsp_resp_t ocsp_resp;
++    gnutls_ocsp_cert_status_t status;
++    gnutls_x509_crl_reason_t reason;
+ 
+-      gnutls_ocsp_cert_status_t status;
+-      gnutls_x509_crl_reason_t reason;
++    rc = gnutls_ocsp_status_request_get(session, &status_request);
+ 
+-      rc = gnutls_ocsp_status_request_get(session, &status_request);
++    if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
++      failf(data, "No OCSP response received");
++      return CURLE_SSL_INVALIDCERTSTATUS;
++    }
+ 
+-      infof(data, " server certificate status verification FAILED");
++    if(rc < 0) {
++      failf(data, "Invalid OCSP response received");
++      return CURLE_SSL_INVALIDCERTSTATUS;
++    }
+ 
+-      if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+-        failf(data, "No OCSP response received");
+-        return CURLE_SSL_INVALIDCERTSTATUS;
+-      }
++    gnutls_ocsp_resp_init(&ocsp_resp);
+ 
+-      if(rc < 0) {
+-        failf(data, "Invalid OCSP response received");
+-        return CURLE_SSL_INVALIDCERTSTATUS;
+-      }
++    rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
++    if(rc < 0) {
++      failf(data, "Invalid OCSP response received");
++      return CURLE_SSL_INVALIDCERTSTATUS;
++    }
+ 
+-      gnutls_ocsp_resp_init(&ocsp_resp);
++    (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
++                                      &status, NULL, NULL, NULL, &reason);
+ 
+-      rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
+-      if(rc < 0) {
+-        failf(data, "Invalid OCSP response received");
+-        return CURLE_SSL_INVALIDCERTSTATUS;
+-      }
++    switch(status) {
++    case GNUTLS_OCSP_CERT_GOOD:
++      break;
+ 
+-      (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
+-                                        &status, NULL, NULL, NULL, &reason);
++    case GNUTLS_OCSP_CERT_REVOKED: {
++      const char *crl_reason;
+ 
+-      switch(status) {
+-      case GNUTLS_OCSP_CERT_GOOD:
++      switch(reason) {
++      default:
++      case GNUTLS_X509_CRLREASON_UNSPECIFIED:
++        crl_reason = "unspecified reason";
+         break;
+ 
+-      case GNUTLS_OCSP_CERT_REVOKED: {
+-        const char *crl_reason;
+-
+-        switch(reason) {
+-          default:
+-          case GNUTLS_X509_CRLREASON_UNSPECIFIED:
+-            crl_reason = "unspecified reason";
+-            break;
+-
+-          case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
+-            crl_reason = "private key compromised";
+-            break;
+-
+-          case GNUTLS_X509_CRLREASON_CACOMPROMISE:
+-            crl_reason = "CA compromised";
+-            break;
+-
+-          case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
+-            crl_reason = "affiliation has changed";
+-            break;
++      case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
++        crl_reason = "private key compromised";
++        break;
+ 
+-          case GNUTLS_X509_CRLREASON_SUPERSEDED:
+-            crl_reason = "certificate superseded";
+-            break;
++      case GNUTLS_X509_CRLREASON_CACOMPROMISE:
++        crl_reason = "CA compromised";
++        break;
+ 
+-          case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
+-            crl_reason = "operation has ceased";
+-            break;
++      case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
++        crl_reason = "affiliation has changed";
++        break;
+ 
+-          case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
+-            crl_reason = "certificate is on hold";
+-            break;
++      case GNUTLS_X509_CRLREASON_SUPERSEDED:
++        crl_reason = "certificate superseded";
++        break;
+ 
+-          case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
+-            crl_reason = "will be removed from delta CRL";
+-            break;
++      case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
++        crl_reason = "operation has ceased";
++        break;
+ 
+-          case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
+-            crl_reason = "privilege withdrawn";
+-            break;
++      case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
++        crl_reason = "certificate is on hold";
++        break;
+ 
+-          case GNUTLS_X509_CRLREASON_AACOMPROMISE:
+-            crl_reason = "AA compromised";
+-            break;
+-        }
++      case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
++        crl_reason = "will be removed from delta CRL";
++        break;
+ 
+-        failf(data, "Server certificate was revoked: %s", crl_reason);
++      case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
++        crl_reason = "privilege withdrawn";
+         break;
+-      }
+ 
+-      default:
+-      case GNUTLS_OCSP_CERT_UNKNOWN:
+-        failf(data, "Server certificate status is unknown");
++      case GNUTLS_X509_CRLREASON_AACOMPROMISE:
++        crl_reason = "AA compromised";
+         break;
+       }
+ 
+-      gnutls_ocsp_resp_deinit(ocsp_resp);
++      failf(data, "Server certificate was revoked: %s", crl_reason);
++      break;
++    }
+ 
+-      return CURLE_SSL_INVALIDCERTSTATUS;
++    default:
++    case GNUTLS_OCSP_CERT_UNKNOWN:
++      failf(data, "Server certificate status is unknown");
++      break;
+     }
+-    else
+-      infof(data, "  server certificate status verification OK");
++
++    gnutls_ocsp_resp_deinit(ocsp_resp);
++    if(status != GNUTLS_OCSP_CERT_GOOD)

_service:tar_scm:backport-url-allow-DoH-transfers-to-override-max-connection-limit.patch Added

@@ -0,0 +1,49 @@
+From b049388d473a9a0189f3180e57e04a39a3793382 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 4 Jun 2024 17:00:05 +0200
+Subject: PATCH url: allow DoH transfers to override max connection limit
+
+When reaching the set maximum limit of allowed connections, allow a new
+connection anyway if the transfer is created for the (internal) purpose
+of doing a DoH name resolve. Otherwise, unrelated "normal" transfers can
+starve out new DoH requests making it impossible to name resolve for new
+transfers.
+
+Bug: https://curl.se/mail/lib-2024-06/0001.html
+Reported-by: kartatz
+Closes #13880
+
+Conflict:NA
+Reference:https://github.com/curl/curl/commit/b049388d473a9a0189f3180e57e04a39a3793382
+---
+ lib/url.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 41e35e153..4eabf0c87 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3662,10 +3662,16 @@ static CURLcode create_conn(struct Curl_easy *data,
+       conn_candidate = Curl_conncache_extract_oldest(data);
+       if(conn_candidate)
+         Curl_disconnect(data, conn_candidate, FALSE);
+-      else {
+-        infof(data, "No connections available in cache");
+-        connections_available = FALSE;
+-      }
++      else
++#ifndef CURL_DISABLE_DOH
++        if(data->set.dohfor)
++          infof(data, "Allowing DoH to override max connection limit");
++        else
++#endif
++        {
++          infof(data, "No connections available in cache");
++          connections_available = FALSE;
++        }
+     }
+ 
+     if(!connections_available) {
+-- 
+2.33.0
+

_service Changed