Bug 257306

Summary: ftp/curl: Update to 7.78.0 (security and bugfix release)
Product: Ports & Packages
Reporter: rob2g2 <rob2g2-freebsd>
Component: Individual Port(s)
Assignee: Po-Chuan Hsieh <sunpoet>
Status: Closed FIXED
Severity: Affects Many People
CC: asomers, brnrd, dereks, ports-secteam, sunpoet, toni.viemero
Priority: Normal
Keywords: security
Version: Latest
Flags: koobs: maintainer-feedback+, koobs: merge-quarterly+
Hardware: Any
OS: Any
URL: https://curl.se/changes.html#7_78_0
Attachments:
patch to submit the curl vulnerabilities to vuxml (flags: none)
git diff for ftp/curl (flags: none)
git diff for ftp/curl (flags: brnrd: maintainer-approval?)

Description rob2g2 2021-07-21 08:54:01 UTC
inform users via vuxml about the recent curl vulnerabilities
Comment 1 rob2g2 2021-07-21 08:55:27 UTC
Created attachment 226583 [details]
patch to submit the curl vulnerabilities to vuxml
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2021-07-21 09:02:41 UTC
Thank you for the report and patch, Rob
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2021-07-21 09:09:08 UTC
^Triage: Switch this to cover the update, released today. 

See also: https://curl.se/news.html
Comment 5 Toni Viemerö 2021-07-21 10:05:47 UTC
The patch contains a warning for Chrome.

Bad copypaste from previous vuxml?

> <p>Google is aware of reports that an exploit for CVE-2021-30563 exists in the wild.</p>
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2021-07-21 10:39:37 UTC
brnrd landed the vuxml entry: 

https://cgit.freebsd.org/ports/commit/?id=ef33c559bad0b10e9427cf64eee4e7036d420f66
Comment 7 Bernard Spil freebsd_committer 2021-07-21 10:55:36 UTC
(In reply to rob2g2 from comment #1)
Oops. Totally failed to check against Bugzilla and committed something of my own...
Comment 8 Bernard Spil freebsd_committer 2021-07-21 11:00:31 UTC
Created attachment 226588 [details]
git diff for ftp/curl

ftp/curl: Security update to 7.78.0

 * METALINK removed upstream
 * Removes CFLAGS patching in Configure

Security:    aa646c01-ea0d-11eb-9b84-d4c9ef517024
Comment 9 Bernard Spil freebsd_committer 2021-07-21 11:04:02 UTC
Build logs:

13.0 / LibreSSL: https://brnrd.eu/poudriere/data/130libre-default/2021-07-21_10h47m53s/logs/curl-7.78.0.log

Running testport against 7.78.0, see the 'Ports - git' builds on https://brnrd.eu/poudriere
Comment 10 Bernard Spil freebsd_committer 2021-07-21 11:11:17 UTC
Created attachment 226589 [details]
git diff for ftp/curl

Updated patch to address plist error with default options.

Poudriere logs for default FreeBSD options e.g. https://brnrd.eu/poudriere/build.html?mastername=130amd64-git&build=2021-07-21_11h08m49s
Comment 11 Po-Chuan Hsieh freebsd_committer 2021-08-08 19:26:15 UTC
Updated to 7.78.0 in ee05a0fbe5a5835ca262c01f28de2f050c0d0da1. Thanks!
Comment 12 Derek Schrock 2021-08-19 14:21:11 UTC
What about merge-quarterly?

https://cgit.freebsd.org/ports/tree/ftp/curl/Makefile?h=2021Q3

2021Q3 is still 7.77.0.
Comment 13 Kubilay Kocak freebsd_committer freebsd_triage 2021-08-20 00:22:47 UTC
The branch 2021Q3 has been updated by fluffy:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a4ab211f245678b9341a14fdc2ec0a7481078405

commit a4ab211f245678b9341a14fdc2ec0a7481078405
Author:     Po-Chuan Hsieh <sunpoet@FreeBSD.org>
AuthorDate: 2021-07-21 21:12:52 +0000
Commit:     Dima Panov <fluffy@FreeBSD.org>
CommitDate: 2021-08-19 19:11:01 +0000

    ftp/curl: Update to 7.78.0
    
    - Remove METALINK option: all support removed by upstream
    - Update NTLM option: it has own configure option now
    
    Changes:        https://curl.se/changes.html
    (cherry picked from commit ee05a0fbe5a5835ca262c01f28de2f050c0d0da1)
    
    With hat:       ports-secteam