tech-pkg archive
Re: [security] Update www/curl to version 7.43.0
Hi,
On 06/29/15 18:41, Alistair Crooks wrote:
> Despite the fact that the freeze is now over, I've been informed that
> there are problems with curl 7.43.0 caching "Content-Length" between
> requests on the same connection. Probably best to wait for a fixed
> version to come from upstream.
Is this really a new issue from this release?
All I could find was this, from 2003 or older:
http://curl.haxx.se/docs/knownbugs.html
> 5. libcurl doesn't treat the content-length of compressed data properly, as
> it seems HTTP servers send the *uncompressed* length in that header and
> libcurl thinks of it as the *compressed* length. Some explanations are here:
> http://curl.haxx.se/mail/lib-2003-06/0146.html
Or is it something else?
Cheers,
-- khorben
> On 28 June 2015 at 12:03, Pierre Pronchery <khorben%defora.org@localhost> wrote:
>> Hi tech-pkg@,
>>
>> I am attaching a patch here that updates www/curl to version 7.43.0.
>> This new version, released on June 17th, corrects two security issues:
>> - CVE-2015-3236: lingering HTTP credentials in connection re-use
>> - CVE-2015-3237: SMB send off unrelated memory contents
>>
>> The full changelog is at http://curl.haxx.se/changes.html#7_43_0. It
>> also mentions "compilation fixes with old versions of NSS", among other
>> fixes.
>>
>> This patch deprecates patch-lib_http2.c, which seems to be obsolete in
>> 7.43.0 as documented. There is an issue with patch-aa (configure)
>> however, which does not apply anymore; someone else should review this,
>> or let me know how to handle this part.
>>
>> HTH,
>> --
>> khorben
>
--
khorben