Bug 257306 - ftp/curl: Update to 7.78.0 (security and bugfix release)
Summary: ftp/curl: Update to 7.78.0 (security and bugfix release)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Po-Chuan Hsieh
URL: https://curl.se/changes.html#7_78_0
Keywords: security
Reported: 2021-07-21 08:54 UTC by rob2g2
Modified: 2021-08-20 00:22 UTC

koobs: maintainer-feedback+
koobs: merge-quarterly+


Attachments
patch to submit the curl vulnerabilities to vuxml (1.50 KB, patch)
2021-07-21 08:55 UTC, rob2g2
git diff for ftp/curl (2.56 KB, patch)
2021-07-21 11:00 UTC, Bernard Spil
git diff for ftp/curl (3.13 KB, patch)
2021-07-21 11:11 UTC, Bernard Spil
brnrd: maintainer-approval?

Description rob2g2 2021-07-21 08:54:01 UTC
inform users via vuxml about the recent curl vulnerabilities
Comment 1 rob2g2 2021-07-21 08:55:27 UTC
Created attachment 226583
patch to submit the curl vulnerabilities to vuxml
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2021-07-21 09:02:41 UTC
Thank you for the report and patch, Rob.
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2021-07-21 09:09:08 UTC
^Triage: Switch this to cover the update, released today. 

See also: https://curl.se/news.html
Comment 5 Toni Viemerö 2021-07-21 10:05:47 UTC
The patch contains a warning for Chrome.

Bad copypaste from previous vuxml?

> <p>Google is aware of reports that an exploit for CVE-2021-30563 exists in the wild.</p>
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2021-07-21 10:39:37 UTC
brnrd landed the vuxml entry: 

https://cgit.freebsd.org/ports/commit/?id=ef33c559bad0b10e9427cf64eee4e7036d420f66
Comment 7 Bernard Spil freebsd_committer freebsd_triage 2021-07-21 10:55:36 UTC
(In reply to rob2g2 from comment #1)
Oops. Totally failed to check against Bugzilla and committed something of my own...
Comment 8 Bernard Spil freebsd_committer freebsd_triage 2021-07-21 11:00:31 UTC
Created attachment 226588
git diff for ftp/curl

ftp/curl: Security update to 7.78.0

 * METALINK removed upstream
 * Removes CFLAGS patching in Configure

Security:    aa646c01-ea0d-11eb-9b84-d4c9ef517024
Comment 9 Bernard Spil freebsd_committer freebsd_triage 2021-07-21 11:04:02 UTC
Build logs:

13.0 / LibreSSL: https://brnrd.eu/poudriere/data/130libre-default/2021-07-21_10h47m53s/logs/curl-7.78.0.log

Running testport against 7.78.0, see the 'Ports - git' builds on https://brnrd.eu/poudriere
Comment 10 Bernard Spil freebsd_committer freebsd_triage 2021-07-21 11:11:17 UTC
Created attachment 226589
git diff for ftp/curl

Updated patch to address plist error with default options.

Poudriere logs for default FreeBSD options e.g. https://brnrd.eu/poudriere/build.html?mastername=130amd64-git&build=2021-07-21_11h08m49s
Comment 11 Po-Chuan Hsieh freebsd_committer freebsd_triage 2021-08-08 19:26:15 UTC
Updated to 7.78.0 in ee05a0fbe5a5835ca262c01f28de2f050c0d0da1. Thanks!
Comment 12 Derek Schrock 2021-08-19 14:21:11 UTC
What about merge-quarterly?

https://cgit.freebsd.org/ports/tree/ftp/curl/Makefile?h=2021Q3

2021Q3 is still 7.77.0.
Comment 13 Kubilay Kocak freebsd_committer freebsd_triage 2021-08-20 00:22:47 UTC
The branch 2021Q3 has been updated by fluffy:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a4ab211f245678b9341a14fdc2ec0a7481078405

commit a4ab211f245678b9341a14fdc2ec0a7481078405
Author:     Po-Chuan Hsieh <sunpoet@FreeBSD.org>
AuthorDate: 2021-07-21 21:12:52 +0000
Commit:     Dima Panov <fluffy@FreeBSD.org>
CommitDate: 2021-08-19 19:11:01 +0000

    ftp/curl: Update to 7.78.0
    
    - Remove METALINK option: all support removed by upstream
    - Update NTLM option: it has own configure option now
    
    Changes:        https://curl.se/changes.html
    (cherry picked from commit ee05a0fbe5a5835ca262c01f28de2f050c0d0da1)
    
    With hat:       ports-secteam