import curl-7.61.1-18.el8_4.1

7a92a58e · Rocky Automation · 98f45c7f · 7a92a58e · 7a92a58e
Commit 7a92a58e authored Sep 22, 2021 by Rocky Automation 📺
--- a/SOURCES/0031-curl-7.61.1-CVE-2021-22924.patch
+++ b/SOURCES/0031-curl-7.61.1-CVE-2021-22924.patch
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.61.1
-Release: 18%{?dist}
+Release: 18%{?dist}.1
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
@@ -79,6 +79,9 @@ Patch27:  0027-curl-7.61.1-CVE-2020-8286.patch
 # http: send payload when (proxy) authentication is done (#1918692)
 Patch28:  0028-curl-7.61.1-http-auth-payload.patch
+# fix bad connection reuse due to flawed path name checks (CVE-2021-22924)
+Patch31:  0031-curl-7.61.1-CVE-2021-22924.patch
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -104,7 +107,6 @@ BuildRequires: gcc
 BuildRequires: groff
 BuildRequires: krb5-devel
 BuildRequires: libidn2-devel
-BuildRequires: libmetalink-devel
 BuildRequires: libnghttp2-devel
 BuildRequires: libpsl-devel
 BuildRequires: libssh-devel
@@ -278,6 +280,7 @@ sed -e 's|%%HTTPPORT|%{?__isa_bits}90|g' -i tests/data/test1448
 %patch26 -p1
 %patch27 -p1
 %patch28 -p1
+%patch31 -p1
 # make tests/*.py use Python 3
 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@@ -314,6 +317,7 @@ export common_configure_opts=" \
    --enable-symbol-hiding \
    --enable-ipv6 \
    --enable-threaded-resolver \
+    --without-libmetalink \
    --with-gssapi \
    --with-nghttp2 \
    --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt"
@@ -329,7 +333,6 @@ export common_configure_opts=" \
        --disable-manual \
        --without-brotli \
        --without-libidn2 \
-        --without-libmetalink \
        --without-libpsl \
        --without-libssh
 )
@@ -343,7 +346,6 @@ export common_configure_opts=" \
        --enable-manual \
        --with-brotli \
        --with-libidn2 \
-        --with-libmetalink \
        --with-libpsl \
        --with-libssh
 )
@@ -441,6 +443,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 %changelog
+* Thu Aug 05 2021 Kamil Dudka <kdudka@redhat.com> - 7.61.1-18.el8_4.1
+- fix bad connection reuse due to flawed path name checks (CVE-2021-22924)
+- disable metalink support to fix the following vulnerabilities
+    CVE-2021-22923 - metalink download sends credentials
+    CVE-2021-22922 - wrong content via metalink not discarded
 * Thu Jan 28 2021 Kamil Dudka <kdudka@redhat.com> - 7.61.1-18
 - http: send payload when (proxy) authentication is done (#1918692)
 - curl: Inferior OCSP verification (CVE-2020-8286)