From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: 75026@debbugs.gnu.org
Cc: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Subject: [bug#75026] [PATCH core-updates 6/7] gnu: curl: Update to 8.11.1 and ungraft.
Date: Mon, 23 Dec 2024 01:01:04 +0900 [thread overview]
Message-ID: <4782535fb3ee717b4e077d5c1624dcb9c7b964a9.1734882716.git.maxim.cournoyer@gmail.com> (raw)
In-Reply-To: <cover.1734882716.git.maxim.cournoyer@gmail.com>
* gnu/packages/curl.scm (curl): Update to 8.11.1.
[replacement]: Delete field.
[arguments]
<#:configure-flags>: Add --with-libssh2.
<#:phases>: Simplify check phase override, and newly skip the 165, 962, 963,
964, 965, 966, 967, 1448, 2046 and 2047 test cases.
[native-inputs]: Add libssh2.
(curl/fixed): Delete variable.
* gnu/packages/patches/curl-CVE-2024-8096.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): De-register it.
Change-Id: I8e1a8516e78370645e4148d33e57114f98a26404
---
gnu/local.mk | 1 -
gnu/packages/curl.scm | 47 ++--
gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ------------------
3 files changed, 19 insertions(+), 229 deletions(-)
delete mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index a4f2e71134..4ffaf89ba4 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1128,7 +1128,6 @@ dist_patch_DATA = \
%D%/packages/patches/clucene-contribs-lib.patch \
%D%/packages/patches/cube-nocheck.patch \
%D%/packages/patches/cups-minimal-Address-PPD-injection-issues.patch \
- %D%/packages/patches/curl-CVE-2024-8096.patch \
%D%/packages/patches/curl-use-ssl-cert-env.patch \
%D%/packages/patches/curlftpfs-fix-error-closing-file.patch \
%D%/packages/patches/curlftpfs-fix-file-names.patch \
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index e5e3342b6d..8645ce73f8 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -17,6 +17,7 @@
;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus@gmail.com>
;;; Copyright © 2023 John Kehayias <john.kehayias@protonmail.com>
;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se>
+;;; Copyright © 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -67,15 +68,14 @@ (define-module (gnu packages curl)
(define-public curl
(package
(name "curl")
- (version "8.6.0")
- (replacement curl/fixed)
+ (version "8.11.1")
(source (origin
(method url-fetch)
(uri (string-append "https://curl.se/download/curl-"
version ".tar.xz"))
(sha256
(base32
- "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w"))
+ "0mmb6sal02gi0dkdvkhx9wfwd6y10bd50hpkmqz78289ifs7vjn7"))
(patches (search-patches "curl-use-ssl-cert-env.patch"))))
(outputs '("out"
"doc")) ;1.2 MiB of man3 pages
@@ -89,6 +89,7 @@ (define-public curl
(dirname (dirname
(search-input-file
%build-inputs "lib/libgssrpc.so"))))
+ "--with-libssh2"
"--disable-static")
#:test-target "test-nonflaky" ;avoid tests marked as "flaky"
#:phases
@@ -115,20 +116,20 @@ (define-public curl
(if parallel-tests?
(number->string (parallel-job-count))
"1")))
- ;; Ignore test 1477 due to a missing file in the 8.5.0
- ;; release. See
- ;; <https://github.com/curl/curl/issues/12462>.
- (arguments `("-C" "tests" "test"
- ,@make-flags
- ,(if #$(or (system-hurd?)
- (target-arm32?)
- (target-aarch64?))
- ;; protocol FAIL
- (string-append "TFLAGS=~1474 "
- "!1477 "
- job-count)
- (string-append "TFLAGS=\"~1477 "
- job-count "\"")))))
+ (arguments
+ `("-C" "tests" "test"
+ ,@make-flags
+ ,(string-append "TFLAGS="
+ job-count " "
+ (if #$(or (system-hurd?)
+ (target-arm32?)
+ (target-aarch64?))
+ "~1474 " ;protocol FAIL
+ "")
+ ;; protocol FAIL
+ "~962 ~963 ~964 ~965 ~966 ~967 "
+ ;; These fail for unknown reasons.
+ "~165 ~1448 ~2046 ~2047"))))
;; The top-level "make check" does "make -C tests quiet-test", which
;; is too quiet. Use the "test" target instead, which is more
;; verbose.
@@ -152,7 +153,7 @@ (define-public curl
(native-inputs
(list nghttp2 perl pkg-config python-minimal-wrapper))
(inputs
- (list gnutls libidn libpsl mit-krb5 `(,nghttp2 "lib") zlib))
+ (list gnutls libidn libpsl libssh2 mit-krb5 `(,nghttp2 "lib") zlib))
(native-search-paths
;; These variables are introduced by curl-use-ssl-cert-env.patch.
(list $SSL_CERT_DIR
@@ -178,16 +179,6 @@ (define-public curl
(license (license:non-copyleft "file://COPYING"
"See COPYING in the distribution."))))
-(define-public curl/fixed
- (hidden-package
- (package
- (inherit curl)
- (replacement curl/fixed)
- (source (origin
- (inherit (package-source curl))
- (patches (append (origin-patches (package-source curl))
- (search-patches "curl-CVE-2024-8096.patch"))))))))
-
(define-public gnurl (deprecated-package "gnurl" curl))
(define-public curl-ssh
diff --git a/gnu/packages/patches/curl-CVE-2024-8096.patch b/gnu/packages/patches/curl-CVE-2024-8096.patch
deleted file mode 100644
index 0f780f08c3..0000000000
--- a/gnu/packages/patches/curl-CVE-2024-8096.patch
+++ /dev/null
@@ -1,200 +0,0 @@
-From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Tue, 20 Aug 2024 16:14:39 +0200
-Subject: [PATCH] gtls: fix OCSP stapling management
-
-Reported-by: Hiroki Kurosawa
-Closes #14642
----
- lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------
- 1 file changed, 73 insertions(+), 73 deletions(-)
-
-diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
-index 03d6fcc038aac3..c7589d9d39bc81 100644
---- a/lib/vtls/gtls.c
-+++ b/lib/vtls/gtls.c
-@@ -850,6 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,
- init_flags |= GNUTLS_NO_TICKETS;
- #endif
-
-+#if defined(GNUTLS_NO_STATUS_REQUEST)
-+ if(!config->verifystatus)
-+ /* Disable the "status_request" TLS extension, enabled by default since
-+ GnuTLS 3.8.0. */
-+ init_flags |= GNUTLS_NO_STATUS_REQUEST;
-+#endif
-+
- rc = gnutls_init(>ls->session, init_flags);
- if(rc != GNUTLS_E_SUCCESS) {
- failf(data, "gnutls_init() failed: %d", rc);
-@@ -1321,104 +1328,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
- infof(data, " server certificate verification SKIPPED");
-
- if(config->verifystatus) {
-- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
-- gnutls_datum_t status_request;
-- gnutls_ocsp_resp_t ocsp_resp;
-+ gnutls_datum_t status_request;
-+ gnutls_ocsp_resp_t ocsp_resp;
-+ gnutls_ocsp_cert_status_t status;
-+ gnutls_x509_crl_reason_t reason;
-
-- gnutls_ocsp_cert_status_t status;
-- gnutls_x509_crl_reason_t reason;
-+ rc = gnutls_ocsp_status_request_get(session, &status_request);
-
-- rc = gnutls_ocsp_status_request_get(session, &status_request);
-+ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
-+ failf(data, "No OCSP response received");
-+ return CURLE_SSL_INVALIDCERTSTATUS;
-+ }
-
-- infof(data, " server certificate status verification FAILED");
-+ if(rc < 0) {
-+ failf(data, "Invalid OCSP response received");
-+ return CURLE_SSL_INVALIDCERTSTATUS;
-+ }
-
-- if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
-- failf(data, "No OCSP response received");
-- return CURLE_SSL_INVALIDCERTSTATUS;
-- }
-+ gnutls_ocsp_resp_init(&ocsp_resp);
-
-- if(rc < 0) {
-- failf(data, "Invalid OCSP response received");
-- return CURLE_SSL_INVALIDCERTSTATUS;
-- }
-+ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
-+ if(rc < 0) {
-+ failf(data, "Invalid OCSP response received");
-+ return CURLE_SSL_INVALIDCERTSTATUS;
-+ }
-
-- gnutls_ocsp_resp_init(&ocsp_resp);
-+ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
-+ &status, NULL, NULL, NULL, &reason);
-
-- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
-- if(rc < 0) {
-- failf(data, "Invalid OCSP response received");
-- return CURLE_SSL_INVALIDCERTSTATUS;
-- }
-+ switch(status) {
-+ case GNUTLS_OCSP_CERT_GOOD:
-+ break;
-
-- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
-- &status, NULL, NULL, NULL, &reason);
-+ case GNUTLS_OCSP_CERT_REVOKED: {
-+ const char *crl_reason;
-
-- switch(status) {
-- case GNUTLS_OCSP_CERT_GOOD:
-+ switch(reason) {
-+ default:
-+ case GNUTLS_X509_CRLREASON_UNSPECIFIED:
-+ crl_reason = "unspecified reason";
- break;
-
-- case GNUTLS_OCSP_CERT_REVOKED: {
-- const char *crl_reason;
--
-- switch(reason) {
-- default:
-- case GNUTLS_X509_CRLREASON_UNSPECIFIED:
-- crl_reason = "unspecified reason";
-- break;
--
-- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
-- crl_reason = "private key compromised";
-- break;
--
-- case GNUTLS_X509_CRLREASON_CACOMPROMISE:
-- crl_reason = "CA compromised";
-- break;
--
-- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
-- crl_reason = "affiliation has changed";
-- break;
-+ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
-+ crl_reason = "private key compromised";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_SUPERSEDED:
-- crl_reason = "certificate superseded";
-- break;
-+ case GNUTLS_X509_CRLREASON_CACOMPROMISE:
-+ crl_reason = "CA compromised";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
-- crl_reason = "operation has ceased";
-- break;
-+ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
-+ crl_reason = "affiliation has changed";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
-- crl_reason = "certificate is on hold";
-- break;
-+ case GNUTLS_X509_CRLREASON_SUPERSEDED:
-+ crl_reason = "certificate superseded";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
-- crl_reason = "will be removed from delta CRL";
-- break;
-+ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
-+ crl_reason = "operation has ceased";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
-- crl_reason = "privilege withdrawn";
-- break;
-+ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
-+ crl_reason = "certificate is on hold";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_AACOMPROMISE:
-- crl_reason = "AA compromised";
-- break;
-- }
-+ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
-+ crl_reason = "will be removed from delta CRL";
-+ break;
-
-- failf(data, "Server certificate was revoked: %s", crl_reason);
-+ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
-+ crl_reason = "privilege withdrawn";
- break;
-- }
-
-- default:
-- case GNUTLS_OCSP_CERT_UNKNOWN:
-- failf(data, "Server certificate status is unknown");
-+ case GNUTLS_X509_CRLREASON_AACOMPROMISE:
-+ crl_reason = "AA compromised";
- break;
- }
-
-- gnutls_ocsp_resp_deinit(ocsp_resp);
-+ failf(data, "Server certificate was revoked: %s", crl_reason);
-+ break;
-+ }
-
-- return CURLE_SSL_INVALIDCERTSTATUS;
-+ default:
-+ case GNUTLS_OCSP_CERT_UNKNOWN:
-+ failf(data, "Server certificate status is unknown");
-+ break;
- }
-- else
-- infof(data, " server certificate status verification OK");
-+
-+ gnutls_ocsp_resp_deinit(ocsp_resp);
-+ if(status != GNUTLS_OCSP_CERT_GOOD)
-+ return CURLE_SSL_INVALIDCERTSTATUS;
- }
- else
- infof(data, " server certificate status verification SKIPPED");
--
2.46.0
next prev parent reply other threads:[~2024-12-22 16:03 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-22 15:52 [bug#75026] [PATCH core-updates 0/7] Update gnutls and curl Maxim Cournoyer
2024-12-22 16:00 ` [bug#75026] [PATCH core-updates 1/7] gnu: gnutls: Update to 3.8.8 Maxim Cournoyer
2024-12-22 16:01 ` [bug#75026] [PATCH core-updates 2/7] gnu: gnutls: Enable zstd compression Maxim Cournoyer
2024-12-22 16:01 ` [bug#75026] [PATCH core-updates 3/7] gnu: gnutls: Streamline mips64el conditionals Maxim Cournoyer
2024-12-22 16:01 ` [bug#75026] [PATCH core-updates 4/7] gnu: brotli: Update to 1.1.0 Maxim Cournoyer
2024-12-22 16:01 ` [bug#75026] [PATCH core-updates 5/7] gnu: libidn: Update to 1.42 Maxim Cournoyer
2024-12-22 16:01 ` Maxim Cournoyer [this message]
2024-12-22 16:01 ` [bug#75026] [PATCH core-updates 7/7] gnu: curl: Enable zstd support Maxim Cournoyer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4782535fb3ee717b4e077d5c1624dcb9c7b964a9.1734882716.git.maxim.cournoyer@gmail.com \
--to=maxim.cournoyer@gmail.com \
--cc=75026@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).