Subject: CVS commit: [pkgsrc-2018Q4] pkgsrc/www/curl
From: Benny Siegert
Date: 2019-02-16 16:59:04
Message id: 20190216155904.57AB7FB16@cvs.NetBSD.org

Log Message:
Pullup ticket #5910 - requested by mlelstv
www/curl: security fix

Revisions pulled up:
- www/curl/Makefile                                             1.207
- www/curl/PLIST                                                1.73
- www/curl/distinfo                                             1.150

---
   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Wed Feb  6 08:02:48 UTC 2019

   Modified Files:
           pkgsrc/www/curl: Makefile PLIST distinfo

   Log Message:
   curl: updated to 7.64.0

   curl and libcurl 7.64.0

   This release includes the following changes:
   * cookies: leave secure cookies alone
   * hostip: support wildcard hosts
   * http: Implement trailing headers for chunked transfers
   * http: added options for allowing HTTP/0.9 responses
   * timeval: Use high resolution timestamps on Windows

   This release includes the following bugfixes:
   * CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
   * CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
   * CVE-2019-3823: SMTP end-of-response out-of-bounds read
   * FAQ: remove mention of sourceforge for github
   * OS400: handle memory error in list conversion
   * OS400: upgrade ILE/RPG binding.
   * README: add codacy code quality badge
   * Revert http_negotiate: do not close connection
   * THANKS: added several missing names from year <= 2000
   * build: make 'tidy' target work for metalink builds
   * cmake: added checks for variadic macros
   * cmake: updated check for HAVE_POLL_FINE to match autotools
   * cmake: use lowercase for function name like the rest of the code
   * configure: detect xlclang separately from clang
   * configure: fix recv/send/select detection on Android
   * configure: rewrite --enable-code-coverage
   * conncache_unlock: avoid indirection by changing input argument type
   * cookie: fix comment typo
   * cookies: allow secure override when done over HTTPS
   * cookies: extend domain checks to non psl builds
   * cookies: skip custom cookies when redirecting cross-site
   * curl --xattr: strip credentials from any URL that is stored
   * curl -J: refuse to append to the destination file
   * curl/urlapi.h: include "curl.h" first
   * curl_multi_remove_handle() don't block terminating c-ares requests
   * darwinssl: accept setting max-tls with default min-tls
   * disconnect: separate connections and easy handles better
   * disconnect: set conn->data for protocol disconnect
   * docs/version.d: mention MultiSSL
   * docs: fix the --tls-max description
   * docs: use $(INSTALL_DATA) to install man page
   * docs: use meaningless port number in CURLOPT_LOCALPORT example
   * gopher: always include the entire gopher-path in request
   * http2: clear pause stream id if it gets closed
   * if2ip: remove unused function Curl_if_is_interface_name
   * libssh: do not let libssh create socket
   * libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
   * libssh: free sftp_canonicalize_path() data correctly
   * libtest/stub_gssapi: use "real" snprintf
   * mbedtls: use VERIFYHOST
   * multi: multiplexing improvements
   * multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
   * ntlm: fix NTLMv2 compliance
   * ntlm_sspi: add support for channel binding
   * openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
   * openssl: fix the SSL_get_tlsext_status_ocsp_resp call
   * openvms: fix OpenSSL discovery on VAX
   * openvms: fix typos in documentation
   * os400: add a missing closing bracket
   * os400: fix extra parameter syntax error
   * pingpong: change default response timeout to 120 seconds
   * pingpong: ignore regular timeout in disconnect phase
   * printf: fix format specifiers
   * runtests.pl: Fix perl call to include srcdir
   * schannel: fix compiler warning
   * schannel: preserve original certificate path parameter
   * schannel: stop calling it "winssl"
   * sigpipe: if mbedTLS is used, ignore SIGPIPE
   * smb: fix incorrect path in request if connection reused
   * ssh: log the libssh2 error message when ssh session startup fails
   * test1558: verify CURLINFO_PROTOCOL on file:// transfer
   * test1561: improve test name
   * test1653: make it survive torture tests
   * tests: allow tests to pass by 2037-02-12
   * tests: move objnames-* from lib into tests
   * timediff: fix math for unsigned time_t
   * timeval: Disable MSVC Analyzer GetTickCount warning
   * tool_cb_prg: avoid integer overflow
   * travis: added cmake build for osx
   * urlapi: Fix port parsing of eol colon
   * urlapi: distinguish possibly empty query
   * urlapi: fix parsing ipv6 with zone index
   * urldata: rename easy_conn to just conn
   * winbuild: conditionally use /DZLIB_WINAPI
   * wolfssl: fix memory-leak in threaded use
   * spnego_sspi: add support for channel binding

Files:
Revision     Action    File
1.205.2.1    modify    pkgsrc/www/curl/Makefile
1.72.2.1     modify    pkgsrc/www/curl/PLIST
1.149.2.1    modify    pkgsrc/www/curl/distinfo