Update curl from 7.64.0 to 7.65.0 #1120

Merged: 2 commits, Jun 13, 2019

Conversation

thomas (Collaborator) commented May 24, 2019

The build fixes two security issues and reduces the number of library dependencies.
Additional tests (besides the self-test) included git clone and building python, perl and R; these use libcurl for their download tools. Testing with webservers would have required simulating a lib update on an old one, but in the meantime the running ones all have their setup fixed -- so proceed with fingers crossed.

Libs referenced in 7.64 build:

#ldd /usr/lib/libcurl.so.4 | nl
     1          linux-vdso.so.1
     2          libnghttp2.so.14 => /usr/lib/libnghttp2.so.14
     3          libssl.so.1.1 => /usr/lib/libssl.so.1.1
     4          libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1
     5          libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2
     6          liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2
     7          libbrotlidec.so.0.6.0 => /usr/lib/libbrotlidec.so.0.6.0
     8          libz.so.1 => /lib/libz.so.1
     9          libpthread.so.0 => /lib/libpthread.so.0
    10          libc.so.6 => /lib/libc.so.6
    11          libdl.so.2 => /lib/libdl.so.2
    12          libresolv.so.2 => /lib/libresolv.so.2
    13          libsasl2.so.2 => /usr/lib/libsasl2.so.2
    14          libm.so.6 => /lib/libm.so.6
    15          libbrotlicommon.so.0.6.0 => /usr/lib/libbrotlicommon.so.0.6.0
    16          /lib64/ld-linux-x86-64.so.2

Now:

#ldd /usr/lib/libcurl.so.4 | nl
     1          linux-vdso.so.1
     2          libnghttp2.so.14 => /usr/lib/libnghttp2.so.14
     3          libssl.so.1.1 => /usr/lib/libssl.so.1.1
     4          libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1
     5          libz.so.1 => /lib/libz.so.1
     6          libpthread.so.0 => /lib/libpthread.so.0
     7          libc.so.6 => /lib/libc.so.6
     8          libdl.so.2 => /lib/libdl.so.2
     9          /lib64/ld-linux-x86-64.so.2

These features are removed since they have caused trouble
in the past (conflicting imports of libldap) or are
considered unneeded:
- libbrotli, a rather new and uncommon compression lib
- lber/ldap, using curl for ldap access is rather exotic

The update also fixes two issues:
- Integer overflows in curl_url_set
- tftp: use the current blksize for recvfrom()

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436
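The `ldd` before/after comparison above is the kind of check that should be automated, so that a later rebuild does not quietly pull libldap or libbrotli back in. The script below is an added example, not part of this PR or of curl's build scripts: it parses `ldd` output and fails if the library links against any soname outside an allowlist. The allowlist is the 7.65.0 listing from the description (an assumption about what the build is meant to produce), the function names are hypothetical, and the two sample listings are the ones from the description reproduced as constructed test data so the script runs offline.

```shell
#!/bin/sh
# Added example (not the PR's code): fail a build whose shared library links
# against sonames outside an allowlist, using `ldd` output as input.

# Assumption: the sonames libcurl.so.4 is allowed to pull in after this
# update, taken from the 7.65.0 listing in the PR description. Adjust per target.
ALLOWED="linux-vdso.so.1 libnghttp2.so.14 libssl.so.1.1 libcrypto.so.1.1 libz.so.1 libpthread.so.0 libc.so.6 libdl.so.2 ld-linux-x86-64.so.2"

# extract_sonames: read ldd output on stdin, print one soname per line.
# Handles the line shapes ldd prints ("name => path (addr)", "name (addr)" for
# the vDSO, "/path/loader (addr)"), tolerates a leading `nl` line number as in
# the listings in the PR description, and skips "statically linked".
extract_sonames() {
    awk '/statically linked/ { next }
         { i = ($1 ~ /^[0-9]+$/) ? 2 : 1   # skip an nl(1) line number if present
           n = $i
           sub(/.*\//, "", n)               # strip the directory from the loader path
           if (n != "") print n }'
}

# unexpected_deps: print every soname from stdin that is not in ALLOWED.
unexpected_deps() {
    extract_sonames | while read -r so; do
        case " $ALLOWED " in
            *" $so "*) ;;
            *) echo "$so" ;;
        esac
    done
}

# check_deps: return 0 if the ldd output on stdin is clean, otherwise report
# each offending soname on stderr and return 1 (so CI can fail the build).
check_deps() {
    bad=$(unexpected_deps)
    if [ -n "$bad" ]; then
        for so in $bad; do echo "unexpected dependency: $so" >&2; done
        return 1
    fi
    return 0
}

# Constructed sample input: the 7.64.0 and 7.65.0 listings from the PR
# description, without the nl(1) numbering.
OLD_LDD='linux-vdso.so.1
libnghttp2.so.14 => /usr/lib/libnghttp2.so.14
libssl.so.1.1 => /usr/lib/libssl.so.1.1
libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1
libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2
liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2
libbrotlidec.so.0.6.0 => /usr/lib/libbrotlidec.so.0.6.0
libz.so.1 => /lib/libz.so.1
libpthread.so.0 => /lib/libpthread.so.0
libc.so.6 => /lib/libc.so.6
libdl.so.2 => /lib/libdl.so.2
libresolv.so.2 => /lib/libresolv.so.2
libsasl2.so.2 => /usr/lib/libsasl2.so.2
libm.so.6 => /lib/libm.so.6
libbrotlicommon.so.0.6.0 => /usr/lib/libbrotlicommon.so.0.6.0
/lib64/ld-linux-x86-64.so.2'

NEW_LDD='linux-vdso.so.1
libnghttp2.so.14 => /usr/lib/libnghttp2.so.14
libssl.so.1.1 => /usr/lib/libssl.so.1.1
libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1
libz.so.1 => /lib/libz.so.1
libpthread.so.0 => /lib/libpthread.so.0
libc.so.6 => /lib/libc.so.6
libdl.so.2 => /lib/libdl.so.2
/lib64/ld-linux-x86-64.so.2'

# Demo: the 7.64.0 listing is flagged (ldap, lber, brotli, resolv, sasl2, m),
# the 7.65.0 listing passes. In CI you would run: ldd /usr/lib/libcurl.so.4 | check_deps
printf '%s\n' "$OLD_LDD" | check_deps || echo "7.64.0 build: FAIL"
printf '%s\n' "$NEW_LDD" | check_deps && echo "7.65.0 build: OK"
```

Run it against the real artifact with `ldd /usr/lib/libcurl.so.4 | check_deps` as a post-build step; the allowlist is deliberately exact, so dropping a dependency (as this PR does) also requires updating it, which keeps the list an honest record of what the build is expected to link.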
#}
mee_configure() {
bee_configure \
--without-brotli \
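Review bot: `--without-brotli` here drops brotli from libcurl itself, not only from the curl command-line tool, so every libcurl consumer named in the description (git, python, perl, R) loses `Content-Encoding: br` decoding and `--compressed` will no longer offer `br`; the description's removal list should say so explicitly rather than "unneeded", and since the test evidence is the `ldd` listing, the absence of libbrotlidec/libbrotlicommon there is what this flag is expected to produce. The trailing backslash also continues the configure invocation onto lines not shown in this comment, so the ldap/lber removal the description mentions should be reviewed on its own line.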
Collaborator commented:

I would keep this enabled. It’s quite common, and the utility curl is often used for debugging and testing.

thomas (Collaborator, Author) replied:

Sounds interesting, but I'm not convinced that anyone here has ever used curl to debug brotli.

@thomas thomas merged commit 063cf71 into master Jun 13, 2019
2 participants