Subject: CVS commit: [pkgsrc-2013Q4] pkgsrc/www/curl
From: Matthias Scheler
Date: 2014-03-11 13:47:11
Message id: 20140311124712.04AE196@cvs.netbsd.org

Log Message:
Pullup ticket #4338 - requested by taca
www/curl: security update

Revisions pulled up:
- www/curl/Makefile                                             1.133-1.134
- www/curl/PLIST                                                1.43
- www/curl/distinfo                                             1.91-1.92
- www/curl/patches/patch-aa                                     1.25

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Tue Dec 31 11:48:03 UTC 2013

   Modified Files:
   	pkgsrc/www/curl: Makefile PLIST distinfo

   Log Message:
   Changes 7.34.0:
   SSL: protocol version can be specified more precisely
   imap/pop3/smtp: Added graceful cancellation of SASL authentication
   Add "Happy Eyeballs" for IPv4/IPv6 dual connect attempts
   base64: Added validation of base64 input strings when decoding
   curl_easy_setopt: Added the ability to set the login options separately
   smtp: Added support for additional SMTP commands
   curl_easy_getinfo: Added CURLINFO_TLS_SESSION for accessing TLS internals
   nss: allow to use TLS > 1.0 if built against recent NSS
   SECURITY: added this document to describe our security processes
   parseconfig: warn if unquoted white spaces are detected

   Bugfixes:
   SECURITY VULNERABILITY: libcurl cert name check ignore with GnuTLS
   darwinssl: un-break iOS build after PKCS/12 feature added
   tool: use XFERFUNCTION to save some casts
   usercertinmem: fix memory leaks
   ssh: Handle successful SSH_USERAUTH_NONE
   NSS: acknowledge the --no-sessionid/CURLOPT_SSL_SESSIONID_CACHE option
   test906: Fixed failing test on some platforms
   sasl: initialize NSS before using NTLM crypto
   sasl: Fixed memory leak in OAUTH2 message creation
   imap/pop3/smtp: Fixed QUIT / LOGOUT being sent when SSL connect fails
   cmake: unbreak for non-Windows platforms
   ssh: initialize per-handle data in ssh_connect()
   glob: fix broken URLs
   configure: check for long long when building with cyassl
   CURLOPT_RESOLVE: mention they don't time-out
   docs/examples/httpput.c: fix build for MSVC
   FTP: make the data connection work when going through proxy
   NSS: support for CERTINFO feature
   curl_multi_wait: accept 0 from multi_timeout() as valid timeout
   glob_range: pass the closing bracket for a-z ranges
   tool_help: Updated --list-only description to include POP3
   Curl_ssl_push_certinfo_len: don't %.*s non-zero-terminated string
   cmake: fix Windows build with IPv6 support
   ares: Fixed compilation under Visual Studio 2012
   curl_easy_setopt.3: clarify CURLOPT_SSL_VERIFYHOST documentation
   curl.1: mention that -O does no URL decoding
   darwinssl: PKCS/12 import feature now requires Lion or later
   darwinssl: check for SSLSetSessionOption() presence when toggling BEAST
   configure: Fix test with -Werror=implicit-function-declaration
   sigpipe: factor out sigpipe_reset from easy.c
   curl_multi_cleanup: ignore SIGPIPE
   globbing: curl glob counter mismatch with {} list use
   parseconfig: dash options can't be specified with colon or equals
   digest: fix CURLAUTH_DIGEST_IE
   curl.h: for OpenBSD
   darwinssl: Fix #if 10.6.0 for SecKeychainSearch
   TFTP: fix return codes for connect timeout
   login options: remove the ;[options] support from CURLOPT_USERPWD
   imap: Fixed incorrect fallback to clear text authentication
   parsedate: avoid integer overflow
   curl.1: document -J doesn't %-decode
   multi: add timer inaccuracy margin to timeout/connecttimeout

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Sat Feb  1 11:07:14 UTC 2014

   Modified Files:
   	pkgsrc/www/curl: Makefile distinfo
   	pkgsrc/www/curl/patches: patch-aa

   Log Message:
   Changes 7.35.0:
   imap/pop3/smtp: Added support for SASL authentication downgrades
   imap/pop3/smtp: Extended the login options to support multiple auth mechanisms
   TheArtOfHttpScripting: major update, converted layout and more
   mprintf: Added support for I, I32 and I64 size specifiers
   makefile: Added support for VC7, VC11 and VC12

   Bugfixes:
   SECURITY ADVISORY: re-use of wrong HTTP NTLM connection
   curl_easy_setopt: Fixed OAuth 2.0 Bearer option name
   pop3: Fixed APOP being determined by CAPA response rather than by timestamp
   Curl_pp_readresp: zero terminate line
   FILE: don't wait due to CURLOPT_MAX_RECV_SPEED_LARGE
   docs: mention CURLOPT_MAX_RECV/SEND_SPEED_LARGE don't work for FILE://
   pop3: Fixed auth preference not being honored when CAPA not supported
   imap: Fixed auth preference not being honored when CAPABILITY not supported
   threaded resolver: Use pthread_t * for curl_thread_t
   FILE: we don't support paused transfers using this protocol
   connect: Try all addresses in first connection attempt
   curl_easy_setopt.3: Added SMTP information to CURLOPT_INFILESIZE_LARGE
   OpenSSL: Fix forcing SSLv3 connections
   openssl: allow explicit sslv2 selection
   FTP parselist: fix "total" parser
   conncache: fix possible dereference of null pointer
   multi.c: fix possible dereference of null pointer
   mk-ca-bundle: introduces -d and warns about using this script
   ConnectionExists: fix NTLM check for new connection
   trynextip: fix build for non-IPV6 capable systems
   Curl_updateconninfo: don't do anything for UDP "connections"
   darwinssl: un-break Leopard build after PKCS-12 change
   threaded-resolver: never use NULL hints with getaddrinfo
   multi_socket: remind app if timeout didn't run
   OpenSSL: deselect weak ciphers by default
   error message: Sensible message on timeout when transfer size unknown
   curl_easy_setopt.3: mention how to unset CURLOPT_INFILESIZE*
   win32: Fixed use of deprecated function 'GetVersionInfoEx' for VC12
   configure: fix gssapi linking on HP-UX
   chunked-parser: abort on overflows, allow 64 bit chunks
   chunked parsing: relax the CR strictness
   cookie: max-age fixes
   progress bar: always update when at 100%
   progress bar: increase update frequency to 10Hz
   tool: Fixed incorrect return code if command line parser runs out of memory
   tool: Fixed incorrect return code if password prompting runs out of memory
   HTTP POST: omit Content-Length if data size is unknown
   GnuTLS: disable insecure ciphers
   GnuTLS: honor --sslv2 and the --tlsv1[.N] switches
   multi: Fixed a memory leak on OOM condition
   netrc: Fixed a memory and file descriptor leak on OOM
   getpass: fix password parsing from console
   TFTP: fix crash on time-out
   hostip: don't remove DNS entries that are in use
   tests: lots of tests fixed to pass the OOM torture tests

Files:
Revision     Action   File
1.132.2.1    modify   pkgsrc/www/curl/Makefile
1.42.2.1     modify   pkgsrc/www/curl/PLIST
1.90.2.1     modify   pkgsrc/www/curl/distinfo
1.24.2.1     modify   pkgsrc/www/curl/patches/patch-aa