Opened 2 years ago

Closed 2 years ago

#15542 closed enhancement (fixed)


Reported by: Bruce Dubbs Owned by: Bruce Dubbs
Priority: elevated Milestone: 11.1
Component: BOOK Version: git
Severity: normal Keywords:


New minor version.

Change History (5)

comment:1 by Bruce Dubbs, 2 years ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:2 by Xi Ruoyao, 2 years ago

The CHANGES from 7.78.0 has about 1500 lines. 3 CVEs are mentioned:

  • CVE-2021-22945: UAF and double-free in MQTT sending
  • CVE-2021-22946: Protocol downgrade required TLS bypassed
  • CVE-2021-22947: STARTTLS protocol injection via MITM

comment:3 by Xi Ruoyao, 2 years ago

Priority: normal → elevated

comment:4 by Bruce Dubbs, 2 years ago

Version 7.79.0 (14 Sep 2021)

  • FAQ: add two dev related questions
    • 8.1 Why does curl use C89?
    • 8.2 Will curl be rewritten?
  • zuul.d/jobs: disable three tests for *-openssl-disable-proxy
  • ftp,imap,pop3,smtp: reject STARTTLS server response pipelining
    • This fix detects pipelined STARTTLS responses and rejects them with an error. CVE-2021-22947
  • ftp,imap,pop3: do not ignore --ssl-reqd
    • CVE-2021-22946
  • mqtt: clear the leftovers pointer when sending succeeds
    • CVE-2021-22945
  • zuul: bump the rustls job to use v0.7.2
  • RELEASE-PROCEDURE: add release dates from now to 8.0.0 in 2023
  • SECURITY-PROCESS: tweak a little to match current practices
  • http_proxy: fix the User-Agent inclusion in CONNECT
  • Curl_hsts_loadcb: don't attempt to load if hsts wasn't inited
  • ngtcp2: fix build with ngtcp2 and nghttp3
  • write-out.d: clarify size_download/upload
  • http2: Curl_http2_setup needs to init stream data in all invokes
  • url: fix compiler warning in no-verbose builds
  • non-ascii: fix build errors from strerror fix
  • parse_args: redo the warnings for --remote-header-name combos
  • ngtcp2: adapt to new size definitions upstream
  • rustls: add strerror.h include
  • docs: the security list is reached at security at now
  • runtests: add option -u to error on server unexpectedly alive
  • opts docs: unify phrasing in NAME header
  • strerror.h: remove the #include from files not using it
  • lib: don't use strerror()
  • cirrus: Add FreeBSD 13.0 job and disable sanitizer build
  • curl: add warning for incompatible parameters usage
  • curl: stop retry if Retry-After: is longer than allowed

Many more in the CHANGES file.
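As an added example (not curl's code and not part of this ticket), the check below shows in C what the CVE-2021-22947 entry above describes: the plaintext reply to STARTTLS must be exactly one line, and any bytes queued behind it are rejected instead of being read later as if they were TLS-protected. It assumes a CRLF-terminated single-line reply, as in SMTP, POP3, IMAP and FTP.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdict on the raw bytes received in reply to a STARTTLS command. */
enum starttls_verdict {
    STARTTLS_INCOMPLETE = 0, /* no complete line yet: keep reading */
    STARTTLS_OK = 1,         /* exactly one reply line, nothing behind it */
    STARTTLS_PIPELINED = 2   /* extra bytes arrived before TLS was negotiated */
};

/*
 * Assumptions (constructed example, not curl's code): the reply is one
 * CRLF-terminated line, and anything received after that line but before the
 * TLS handshake cannot have come from the authenticated server.  A client that
 * keeps such leftovers and later hands them up as the first "encrypted" reply
 * is what CVE-2021-22947 abuses; rejecting them closes that path.
 */
enum starttls_verdict inspect_starttls_reply(const char *buf, size_t len,
                                             size_t *line_len)
{
    size_t i;
    for (i = 0; i + 1 < len; i++) {
        if (buf[i] == '\r' && buf[i + 1] == '\n') {
            size_t end = i + 2;            /* bytes consumed by the reply line */
            if (line_len)
                *line_len = end;
            return (end == len) ? STARTTLS_OK : STARTTLS_PIPELINED;
        }
    }
    return STARTTLS_INCOMPLETE;            /* no CRLF seen: partial read */
}

int main(void)
{
    /* Constructed server replies: a clean one and one with an injected line. */
    const char *clean = "220 Ready to start TLS\r\n";
    const char *injected = "220 Ready to start TLS\r\n250 OK\r\n";
    static const char *names[] = { "incomplete", "ok", "pipelined (reject)" };

    printf("clean:    %s\n", names[inspect_starttls_reply(clean, strlen(clean), NULL)]);
    printf("injected: %s\n", names[inspect_starttls_reply(injected, strlen(injected), NULL)]);
    return 0;
}
```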

comment:5 by Bruce Dubbs, 2 years ago

Resolution: fixed
Status: assigned → closed

Fixed at commit 284be226ec6fc68b90d139b76a393e3ae4f2ceed

Package updates.
    Update to librsvg-2.52.0.
    Update to links-2.24.
    Update to curl-7.79.0.