import curl-7.61.1-30.el8_8.3

c8 imports/c8/curl-7.61.1-30.el8_8.3
MSVSphere Packaging Team 1 year ago
parent aba87afaee
commit b2bfaf4b25

@ -1 +1,2 @@
c4f38a84efdd1622213b3600168d6305d5c01a30 SOURCES/0043-curl-7.61.1-CVE-2022-35252.patch
8b56123714b4e061f0f71005c5be598b12f82483 SOURCES/curl-7.61.1.tar.xz

1
.gitignore vendored

@ -1 +1,2 @@
SOURCES/0043-curl-7.61.1-CVE-2022-35252.patch
SOURCES/curl-7.61.1.tar.xz

@ -1,171 +0,0 @@
From 005d3f387bc5c3b2ee94d0597b5e202644c825f5 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 31 Oct 2018 11:08:49 +0100
Subject: [PATCH 1/3] runtests: use the local curl for verifying
... revert the mistaken change brought in commit 8440616f53.
Reported-by: Alessandro Ghedini
Bug: https://curl.haxx.se/mail/lib-2018-10/0118.html
Closes #3198
Upstream-commit: 8effa8c2b09906a2f00a3f08322dc5da35245b0a
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
tests/runtests.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/runtests.pl b/tests/runtests.pl
index 8d8ed81..d62fa40 100755
--- a/tests/runtests.pl
+++ b/tests/runtests.pl
@@ -152,7 +152,7 @@ my $NEGTELNETPORT; # TELNET server port with negotiation
my $srcdir = $ENV{'srcdir'} || '.';
my $CURL="../src/curl".exe_ext(); # what curl executable to run on the tests
-my $VCURL="curl"; # what curl binary to use to verify the servers with
+my $VCURL=$CURL; # what curl binary to use to verify the servers with
# VCURL is handy to set to the system one when the one you
# just built hangs or crashes and thus prevent verification
my $DBGCURL=$CURL; #"../src/.libs/curl"; # alternative for debugging
--
2.37.3
From fbc2ac6f06ec13cc872ce7adb870f4d7c7d5dded Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 29 Aug 2022 00:09:17 +0200
Subject: [PATCH 2/3] cookie: reject cookies with "control bytes"
Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
Reported-by: Axel Chong
Bug: https://curl.se/docs/CVE-2022-35252.html
CVE-2022-35252
Closes #9381
Upstream-commit: 8dfc93e573ca740544a2d79ebb0ed786592c65c3
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/cookie.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/lib/cookie.c b/lib/cookie.c
index cb0c03b..e0470a1 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -371,6 +371,30 @@ static void strstore(char **str, const char *newstr)
*str = strdup(newstr);
}
+/*
+ RFC 6265 section 4.1.1 says a server should accept this range:
+
+ cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
+
+ But Firefox and Chrome as of June 2022 accept space, comma and double-quotes
+ fine. The prime reason for filtering out control bytes is that some HTTP
+ servers return 400 for requests that contain such.
+*/
+static int invalid_octets(const char *p)
+{
+ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */
+ static const char badoctets[] = {
+ "\x01\x02\x03\x04\x05\x06\x07\x08\x0a"
+ "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
+ "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f"
+ };
+ size_t vlen, len;
+ /* scan for all the octets that are *not* in cookie-octet */
+ len = strcspn(p, badoctets);
+ vlen = strlen(p);
+ return (len != vlen);
+}
+
/*
* remove_expired() removes expired cookies.
*/
@@ -541,6 +565,11 @@ Curl_cookie_add(struct Curl_easy *data,
badcookie = TRUE;
break;
}
+ if(invalid_octets(whatptr) || invalid_octets(name)) {
+ infof(data, "invalid octets in name/value, cookie dropped");
+ badcookie = TRUE;
+ break;
+ }
}
else if(!len) {
/* this was a "<name>=" with no content, and we must allow
--
2.37.1
From 1a3e2bd48572761236934651091c899a4d460ef5 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 29 Aug 2022 00:09:17 +0200
Subject: [PATCH 3/3] test8: verify that "ctrl-byte cookies" are ignored
Upstream-commit: 2fc031d834d488854ffc58bf7dbcef7fa7c1fc28
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
tests/data/test8 | 32 +++++++++++++++++++++++++++++++-
1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/tests/data/test8 b/tests/data/test8
index a8548e6..8587611 100644
--- a/tests/data/test8
+++ b/tests/data/test8
@@ -46,6 +46,36 @@ Set-Cookie: trailingspace = removed; path=/we/want;
Set-Cookie: nocookie=yes; path=/WE;
Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad;
Set-Cookie: partialip=nono; domain=.0.0.1;
+Set-Cookie: cookie1=-junk
+Set-Cookie: cookie2=-junk
+Set-Cookie: cookie3=-junk
+Set-Cookie: cookie4=-junk
+Set-Cookie: cookie5=-junk
+Set-Cookie: cookie6=-junk
+Set-Cookie: cookie7=-junk
+Set-Cookie: cookie8=-junk
+Set-Cookie: cookie9=junk- -
+Set-Cookie: cookie11= -junk
+Set-Cookie: cookie12= -junk
+Set-Cookie: cookie14=-junk
+Set-Cookie: cookie15=-junk
+Set-Cookie: cookie16=-junk
+Set-Cookie: cookie17=-junk
+Set-Cookie: cookie18=-junk
+Set-Cookie: cookie19=-junk
+Set-Cookie: cookie20=-junk
+Set-Cookie: cookie21=-junk
+Set-Cookie: cookie22=-junk
+Set-Cookie: cookie23=-junk
+Set-Cookie: cookie24=-junk
+Set-Cookie: cookie25=-junk
+Set-Cookie: cookie26=-junk
+Set-Cookie: cookie27=-junk
+Set-Cookie: cookie28=-junk
+Set-Cookie: cookie29=-junk
+Set-Cookie: cookie30=-junk
+Set-Cookie: cookie31=-junk
+Set-Cookie: cookie31=-junk
</file>
<precheck>
@@ -62,7 +92,7 @@ perl -e 'if ("%HOSTIP" !~ /\.0\.0\.1$/) {print "Test only works for HOSTIPs endi
GET /we/want/8 HTTP/1.1
Host: %HOSTIP:%HTTPPORT
Accept: */*
-Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes
+Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk- -
</protocol>
</verify>
--
2.37.1

@ -0,0 +1,51 @@
From cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 10 Mar 2023 09:22:43 +0100
Subject: [PATCH] url: only reuse connections with same GSS delegation
Reported-by: Harry Sintonen
Closes #10731
---
lib/url.c | 6 ++++++
lib/urldata.h | 1 +
2 files changed, 7 insertions(+)
diff --git a/lib/url.c b/lib/url.c
index df6ef1213..cc2f427dc 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -1305,6 +1305,11 @@ ConnectionExists(struct Curl_easy *data,
}
}
+ /* GSS delegation differences do not actually affect every connection
+ and auth method, but this check takes precaution before efficiency */
+ if(needle->gssapi_delegation != check->gssapi_delegation)
+ continue;
+
if(needle->handler->protocol & (CURLPROTO_SCP|CURLPROTO_SFTP)) {
if(!ssh_config_matches(needle, check))
continue;
@@ -1950,5 +1950,6 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
conn->fclosesocket = data->set.fclosesocket;
conn->closesocket_client = data->set.closesocket_client;
+ conn->gssapi_delegation = data->set.gssapi_delegation;
return conn;
error:
diff --git a/lib/urldata.h b/lib/urldata.h
index bf5daaf50..da5de5ba9 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -1061,6 +1061,8 @@ struct connectdata {
char *unix_domain_socket;
bool abstract_unix_socket;
#endif
+
+ unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
};
/* The end of connectdata. */
--
2.40.1

File diff suppressed because it is too large Load Diff

@ -0,0 +1,305 @@
From 199f2d440d8659b42670c1b796220792b01a97bf Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 24 Apr 2023 21:07:02 +0200
Subject: [PATCH] hostcheck: fix host name wildcard checking
The leftmost "label" of the host name can now only match against single
'*'. Like the browsers have worked for a long time.
- extended unit test 1397 for this
- move some SOURCE variables from unit/Makefile.am to unit/Makefile.inc
Reported-by: Hiroki Kurosawa
Closes #11018
---
lib/hostcheck.c | 50 +++++++--------
tests/data/test1397 | 10 ++-
tests/unit/Makefile.am | 94 ----------------------------
tests/unit/Makefile.inc | 94 ++++++++++++++++++++++++++++
tests/unit/unit1397.c | 134 ++++++++++++++++++++++++----------------
5 files changed, 202 insertions(+), 180 deletions(-)
diff --git a/lib/hostcheck.c b/lib/hostcheck.c
index e827dc58f378c..d061c6356f97f 100644
--- a/lib/hostcheck.c
+++ b/lib/hostcheck.c
@@ -43,6 +43,17 @@
/* The last #include file should be: */
#include "memdebug.h"
+/* check the two input strings with given length, but do not
+ assume they end in nul-bytes */
+static int pmatch(const char *hostname, size_t hostlen,
+ const char *pattern, size_t patternlen)
+{
+ if(hostlen != patternlen)
+ return CURL_HOST_NOMATCH;
+ return strncasecompare(hostname, pattern, hostlen) ?
+ CURL_HOST_MATCH : CURL_HOST_NOMATCH;
+}
+
/*
* Match a hostname against a wildcard pattern.
* E.g.
@@ -65,26 +76,27 @@
static int hostmatch(char *hostname, char *pattern)
{
- const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
- int wildcard_enabled;
- size_t prefixlen, suffixlen;
+ size_t hostlen, patternlen;
+ const char *pattern_label_end;
struct in_addr ignored;
#ifdef ENABLE_IPV6
struct sockaddr_in6 si6;
#endif
+ DEBUGASSERT(pattern);
+ DEBUGASSERT(hostname);
+
+ hostlen = strlen(hostname);
+ patternlen = strlen(pattern);
+
/* normalize pattern and hostname by stripping off trailing dots */
- size_t len = strlen(hostname);
- if(hostname[len-1]=='.')
- hostname[len-1] = 0;
- len = strlen(pattern);
- if(pattern[len-1]=='.')
- pattern[len-1] = 0;
-
- pattern_wildcard = strchr(pattern, '*');
- if(pattern_wildcard == NULL)
- return strcasecompare(pattern, hostname) ?
- CURL_HOST_MATCH : CURL_HOST_NOMATCH;
+ if(hostname[hostlen-1]=='.')
+ hostname[hostlen-1] = 0;
+ if(pattern[patternlen-1]=='.')
+ pattern[patternlen-1] = 0;
+
+ if(strncmp(pattern, "*.", 2))
+ return pmatch(hostname, hostlen, pattern, patternlen);
/* detect IP address as hostname and fail the match if so */
if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
@@ -96,34 +108,20 @@ static int hostmatch(char *hostname, char *pattern)
/* We require at least 2 dots in pattern to avoid too wide wildcard
match. */
- wildcard_enabled = 1;
pattern_label_end = strchr(pattern, '.');
- if(pattern_label_end == NULL || strchr(pattern_label_end + 1, '.') == NULL ||
- pattern_wildcard > pattern_label_end ||
- strncasecompare(pattern, "xn--", 4)) {
- wildcard_enabled = 0;
+ if(pattern_label_end == NULL ||
+ (strrchr(pattern, '.') == pattern_label_end))
+ return pmatch(pattern, patternlen, hostname, hostlen);
+
+ const char *hostname_label_end = strchr(hostname, '.');
+ if(hostname_label_end != NULL) {
+ size_t skiphost = hostname_label_end - hostname;
+ size_t skiplen = pattern_label_end - pattern;
+ return pmatch(hostname_label_end, hostlen - skiphost,
+ pattern_label_end, patternlen - skiplen);
}
- if(!wildcard_enabled)
- return strcasecompare(pattern, hostname) ?
- CURL_HOST_MATCH : CURL_HOST_NOMATCH;
-
- hostname_label_end = strchr(hostname, '.');
- if(hostname_label_end == NULL ||
- !strcasecompare(pattern_label_end, hostname_label_end))
- return CURL_HOST_NOMATCH;
- /* The wildcard must match at least one character, so the left-most
- label of the hostname is at least as large as the left-most label
- of the pattern. */
- if(hostname_label_end - hostname < pattern_label_end - pattern)
- return CURL_HOST_NOMATCH;
-
- prefixlen = pattern_wildcard - pattern;
- suffixlen = pattern_label_end - (pattern_wildcard + 1);
- return strncasecompare(pattern, hostname, prefixlen) &&
- strncasecompare(pattern_wildcard + 1, hostname_label_end - suffixlen,
- suffixlen) ?
- CURL_HOST_MATCH : CURL_HOST_NOMATCH;
+ return CURL_HOST_NOMATCH;
}
int Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
diff --git a/tests/data/test1397 b/tests/data/test1397
index 84f962abebee3..f31b2c2a3f330 100644
--- a/tests/data/test1397
+++ b/tests/data/test1397
@@ -2,8 +2,7 @@
<info>
<keywords>
unittest
-ssl
-wildcard
+Curl_cert_hostcheck
</keywords>
</info>
@@ -15,10 +14,10 @@ none
<features>
unittest
</features>
- <name>
-Check wildcard certificate matching function Curl_cert_hostcheck
- </name>
+<name>
+Curl_cert_hostcheck unit tests
+</name>
<tool>
unit1397
</tool>
</client>
diff --git a/tests/unit/unit1397.c b/tests/unit/unit1397.c
index 2f3d3aa4d09e1..3ae75618d5d10 100644
--- a/tests/unit/unit1397.c
+++ b/tests/unit/unit1397.c
@@ -21,8 +21,6 @@
***************************************************************************/
#include "curlcheck.h"
-#include "hostcheck.h" /* from the lib dir */
-
static CURLcode unit_setup(void)
{
return CURLE_OK;
@@ -30,50 +28,93 @@ static CURLcode unit_setup(void)
static void unit_stop(void)
{
- /* done before shutting down and exiting */
}
-UNITTEST_START
-
/* only these backends define the tested functions */
-#if defined(USE_OPENSSL) || defined(USE_AXTLS) || defined(USE_GSKIT)
-
- /* here you start doing things and checking that the results are good */
+#if defined(USE_OPENSSL) || defined(USE_GSKIT) || defined(USE_SCHANNEL)
+#include "hostcheck.h"
+struct testcase {
+ const char *host;
+ const char *pattern;
+ bool match;
+};
-fail_unless(Curl_cert_hostcheck("www.example.com", "www.example.com"),
- "good 1");
-fail_unless(Curl_cert_hostcheck("*.example.com", "www.example.com"),
- "good 2");
-fail_unless(Curl_cert_hostcheck("xxx*.example.com", "xxxwww.example.com"),
- "good 3");
-fail_unless(Curl_cert_hostcheck("f*.example.com", "foo.example.com"),
- "good 4");
-fail_unless(Curl_cert_hostcheck("192.168.0.0", "192.168.0.0"),
- "good 5");
-
-fail_if(Curl_cert_hostcheck("xxx.example.com", "www.example.com"), "bad 1");
-fail_if(Curl_cert_hostcheck("*", "www.example.com"), "bad 2");
-fail_if(Curl_cert_hostcheck("*.*.com", "www.example.com"), "bad 3");
-fail_if(Curl_cert_hostcheck("*.example.com", "baa.foo.example.com"), "bad 4");
-fail_if(Curl_cert_hostcheck("f*.example.com", "baa.example.com"), "bad 5");
-fail_if(Curl_cert_hostcheck("*.com", "example.com"), "bad 6");
-fail_if(Curl_cert_hostcheck("*fail.com", "example.com"), "bad 7");
-fail_if(Curl_cert_hostcheck("*.example.", "www.example."), "bad 8");
-fail_if(Curl_cert_hostcheck("*.example.", "www.example"), "bad 9");
-fail_if(Curl_cert_hostcheck("", "www"), "bad 10");
-fail_if(Curl_cert_hostcheck("*", "www"), "bad 11");
-fail_if(Curl_cert_hostcheck("*.168.0.0", "192.168.0.0"), "bad 12");
-fail_if(Curl_cert_hostcheck("www.example.com", "192.168.0.0"), "bad 13");
-
-#ifdef ENABLE_IPV6
-fail_if(Curl_cert_hostcheck("*::3285:a9ff:fe46:b619",
- "fe80::3285:a9ff:fe46:b619"), "bad 14");
-fail_unless(Curl_cert_hostcheck("fe80::3285:a9ff:fe46:b619",
- "fe80::3285:a9ff:fe46:b619"), "good 6");
-#endif
+static struct testcase tests[] = {
+ {"", "", FALSE},
+ {"a", "", FALSE},
+ {"", "b", FALSE},
+ {"a", "b", FALSE},
+ {"aa", "bb", FALSE},
+ {"\xff", "\xff", TRUE},
+ {"aa.aa.aa", "aa.aa.bb", FALSE},
+ {"aa.aa.aa", "aa.aa.aa", TRUE},
+ {"aa.aa.aa", "*.aa.bb", FALSE},
+ {"aa.aa.aa", "*.aa.aa", TRUE},
+ {"192.168.0.1", "192.168.0.1", TRUE},
+ {"192.168.0.1", "*.168.0.1", FALSE},
+ {"192.168.0.1", "*.0.1", FALSE},
+ {"h.ello", "*.ello", FALSE},
+ {"h.ello.", "*.ello", FALSE},
+ {"h.ello", "*.ello.", FALSE},
+ {"h.e.llo", "*.e.llo", TRUE},
+ {"h.e.llo", " *.e.llo", FALSE},
+ {" h.e.llo", "*.e.llo", TRUE},
+ {"h.e.llo.", "*.e.llo", TRUE},
+ {"*.e.llo.", "*.e.llo", TRUE},
+ {"************.e.llo.", "*.e.llo", TRUE},
+ {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+ "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
+ "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
+ "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
+ "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
+ ".e.llo.", "*.e.llo", TRUE},
+ {"\xfe\xfe.e.llo.", "*.e.llo", TRUE},
+ {"h.e.llo.", "*.e.llo.", TRUE},
+ {"h.e.llo", "*.e.llo.", TRUE},
+ {".h.e.llo", "*.e.llo.", FALSE},
+ {"h.e.llo", "*.*.llo.", FALSE},
+ {"h.e.llo", "h.*.llo", FALSE},
+ {"h.e.llo", "h.e.*", FALSE},
+ {"hello", "*.ello", FALSE},
+ {"hello", "**llo", FALSE},
+ {"bar.foo.example.com", "*.example.com", FALSE},
+ {"foo.example.com", "*.example.com", TRUE},
+ {"baz.example.net", "b*z.example.net", FALSE},
+ {"foobaz.example.net", "*baz.example.net", FALSE},
+ {"xn--l8j.example.local", "x*.example.local", FALSE},
+ {"xn--l8j.example.net", "*.example.net", TRUE},
+ {"xn--l8j.example.net", "*j.example.net", FALSE},
+ {"xn--l8j.example.net", "xn--l8j.example.net", TRUE},
+ {"xn--l8j.example.net", "xn--l8j.*.net", FALSE},
+ {"xl8j.example.net", "*.example.net", TRUE},
+ {"fe80::3285:a9ff:fe46:b619", "*::3285:a9ff:fe46:b619", FALSE},
+ {"fe80::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619", TRUE},
+ {NULL, NULL, FALSE}
+};
-#endif
+UNITTEST_START
+{
+ int i;
+ for(i = 0; tests[i].host; i++) {
+ if(tests[i].match != Curl_cert_hostcheck(tests[i].pattern,
+ strlen(tests[i].pattern),
+ tests[i].host,
+ strlen(tests[i].host))) {
+ fprintf(stderr,
+ "HOST: %s\n"
+ "PTRN: %s\n"
+ "did %sMATCH\n",
+ tests[i].host,
+ tests[i].pattern,
+ tests[i].match ? "NOT ": "");
+ unitfail++;
+ }
+ }
+}
+UNITTEST_STOP
+#else
- /* you end the test code like this: */
+UNITTEST_START
UNITTEST_STOP
+#endif

@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.61.1
Release: 30%{?dist}.2
Release: 30%{?dist}.3
License: MIT
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
@ -142,6 +142,15 @@ Patch48: 0048-curl-7.61.1-CVE-2023-27535.patch
# sftp: do not specify O_APPEND when not in append mode (#2187717)
Patch50: 0050-curl-7.61.1-sftp-upload-flags.patch
# fix GSS delegation too eager connection re-use
Patch51: 0051-curl-7.61.1-CVE-2023-27536.patch
# rebuild certs with 2048-bit RSA keys
Patch52: 0052-curl-7.61.1-rebuilt-certs.patch
# fix host name wildcard checking
Patch53: 0053-curl-7.61.1-CVE-2023-28321.patch
# patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch
@ -364,6 +373,9 @@ sed -e 's|:8992/|:%{?__isa_bits}92/|g' -i tests/data/test97{3..6}
%patch47 -p1
%patch48 -p1
%patch50 -p1
%patch51 -p1
git apply %{PATCH52}
%patch53 -p1
# make tests/*.py use Python 3
sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@ -526,6 +538,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog
* Tue Jun 13 2023 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-30.el8_8.3
- fix GSS delegation too eager connection re-use (CVE-2023-27536)
- rebuild certs with 2048-bit RSA keys
- fix host name wildcard checking (CVE-2023-28321)
* Thu Apr 20 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-30.el8_8.2
- sftp: do not specify O_APPEND when not in append mode (#2187717)

Loading…
Cancel
Save