Subject: CVS commit: pkgsrc/net/libfetch
From: Taylor R Campbell
Date: 2024-01-03 04:54:46
Message id: 20240103035446.EB35DFA42@cvs.NetBSD.org

Log Message:
net/libfetch: update to 2.40

Validate HTTPS by default, unless environment variable
SSL_NO_VERIFY_PEER is set (from FreeBSD).

WARNING: This changes the semantics of the library in ways that may
break the functionality of existing callers, even callers that don't
ask to fetch HTTPS URLs -- because HTTP may redirect to HTTPS.

WARNING: This does not guarantee fetching HTTPS URLs will return only
authenticated data from the named host.  If the host redirects to
HTTP or FTP, libfetch will follow the redirect and return
unauthenticated data with no way for the caller to know this has
happened (short of disabling redirects altogether -- including
HTTPS-to-HTTPS redirects -- with the undocumented `A' flag).

That's OK for pkgsrc distfile fetch, since we have checksums stored
in pkgsrc for the distfiles, but makes a simple server
misconfiguration a security vulnerability with pkg_add or pkgin (even
with signed packages, because there's a lot of attack surface between
the transport layer and the package signatures).

Discussion on tech-pkg:
https://mail-index.netbsd.org/tech-pkg/2023/12/09/msg028590.html
https://mail-index.netbsd.org/tech-pkg/2023/12/22/msg028654.html

ok gdt (https://mail-index.netbsd.org/tech-pkg/2023/12/31/msg028733.html)

Files:
RevisionActionfile
1.65modifypkgsrc/net/libfetch/Makefile
1.32modifypkgsrc/net/libfetch/files/common.c
1.18modifypkgsrc/net/libfetch/files/fetch.3