The curl configure script wants to take control of the compiler
flags for optimization and debugging. The actual interactions are
more complex, but the gist is that the flags are stripped from
CFLAGS, and if --enable-optimize or --enable-debug are specified,
an approved optimization or debugging flag is added.
report/ok bentley@
CVE-2018-14618: NTLM password overflow via integer overflow
Stop using SEPARATE_BUILD since many regression tests will fail to
find the curl executable otherwise.
own alternative for libressl/old openssl which was conflicting. Slightly
annoying because they want to print the LibreSSL version number and
OpenSSL_version_num() gives the fixed 2.0.0 coming from
OPENSSL_VERSION_NUMBER. Discussed with jsing
* file: output the correct buffer to the user (CVE-2017-1000099)
* tftp: reject file name lengths that don't fit (CVE-2017-1000100)
* glob: do not parse after a strtoul() overflow range (CVE-2017-1000101)
CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host
Note that this drops support for internationalized domain names.
ok sthen@
CVE-2015-3143: Re-using authenticated connection when unauthenticated
CVE-2015-3144: host name out of boundary memory access
CVE-2015-3145: cookie parser out of boundary memory access
CVE-2015-3148: Negotiate not treated as connection-oriented
but leave the formatting to pkg_create(1) if needed. In the special
cases where they do need to call mandoc (for example, like in this
case, to include a formatted manual into a binary program) they
should pass the -Tascii option to avoid depending on the user's
locale, since mandoc -Tlocale will soon be the default.
In this case, it isn't strictly needed because the upstream Makefile
uses "env LC_ALL=C" when calling groff/mandoc. But let's avoid the
fragility of depending on that, and let's avoid setting a bad example.
No package change, no bump.
ok naddy@ (MAINTAINER)
