Automatic update for curl-8.6.0-1.fc40.
* Thu Feb 1 2024 Jan Macku <jamacku@redhat.com> - 8.6.0-1
- new upstream release, which fixes the following vulnerabilities
CVE-2024-0853 - OCSP verification bypass with TLS session reuse
- drop 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch (replaced by upstream fix)
- remove accidentally included mk-ca-bundle.1 man page (upstream bug #12843)
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2024-634a6662aa
This update was automatically created
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'passed'.
This update has been submitted for stable by bodhi
This breaks two distinct things for us (Cockpit project): --unix to stop working. OK, fair enough. --unix was never a valid option (the correct spelling is --unix-socket) and the change here is that the "partial match" feature was removed. Easy enough for us to fix, but that's surely going to hit other people as well.
Thank you for your feedback.
There was a big refactor/rewrite related to transfer response handling. So it's possible that there might be some regression - https://github.com/curl/curl/pull/12480
I managed to bisect it to this commit: https://github.com/curl/curl/commit/d7b6ce64ce0ad787ad2ed3ee05c94938a6b4f551 which is not included in that PR (which never got merged) but (indeed, curiously) tags it as Closed in the commit message.
It is "merged" via Closes #12480 in the commit message. (They add Closes to all commits and push them to the master branch. This results in closing the original PR.) It is included in curl 8.6.0.
I've done some additional research. It happens when the --head command-line option is used and the server returns a non-empty encoding with Transfer-Encoding: chunked. MDN says: https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/HEAD which suggests that the server is behaving in a way it should not, but the bug is with curl for not ignoring it. The MDN article links the RFC which says something else: https://www.rfc-editor.org/rfc/rfc9110#HEAD
.... so, our bug?
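As an added illustration (not code from curl, Cockpit or this update), the following Python response reader applies the RFC 9112 body-framing rule the comment above refers to: a response to HEAD carries no body even when it advertises Transfer-Encoding: chunked, and any stray bytes the server sends anyway are surfaced so the caller can close the connection instead of reusing it. The sample response is constructed for the demo.

```python
# Constructed sample: a HEAD response from a server that also streams a
# chunked body, the situation that tripped curl 8.6.0 before the upstream fix.
HEAD_WITH_BODY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
)

def parse_header_block(raw: bytes):
    """Split a raw HTTP/1.1 response into (status_code, {name: value}, bytes after headers)."""
    block, _, rest = raw.partition(b"\r\n\r\n")
    lines = block.split(b"\r\n")
    status_code = int(lines[0].split(b" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status_code, headers, rest

def response_has_body(method: str, status_code: int, headers: dict) -> bool:
    """RFC 9112 message-body-length rules: a response to HEAD never has a body,
    regardless of Content-Length or Transfer-Encoding; likewise 1xx, 204 and 304."""
    if method.upper() == "HEAD" or 100 <= status_code < 200 or status_code in (204, 304):
        return False
    return "transfer-encoding" in headers or headers.get("content-length", "0") != "0"

def decode_chunked(data: bytes) -> bytes:
    """Decode a chunked transfer coding (no trailer support; enough for the demo)."""
    out, pos = bytearray(), 0
    while True:
        line_end = data.index(b"\r\n", pos)
        size = int(data[pos:line_end].split(b";")[0], 16)  # chunk-size, extensions dropped
        if size == 0:
            return bytes(out)
        out += data[line_end + 2:line_end + 2 + size]
        pos = line_end + 2 + size + 2  # skip chunk data and its trailing CRLF

def read_response(method: str, raw: bytes):
    """Return (status, headers, body, stray_bytes). stray_bytes is non-empty when the
    server sent data a compliant client must ignore; close the connection in that case,
    since on a reused connection those bytes would be parsed as the next response."""
    status, headers, rest = parse_header_block(raw)
    if not response_has_body(method, status, headers):
        return status, headers, b"", rest
    if headers.get("transfer-encoding", "").lower() == "chunked":
        return status, headers, decode_chunked(rest), b""
    return status, headers, rest, b""
```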
Based on the links you provided, I would say so. Could you try updating your server so that the body is not sent for the HEAD method?
Could you provide a reproducer? I can report this issue to the upstream.
Or you can report it yourself here - https://github.com/curl/curl/issues/new?assignees=&labels=&projects=&template=bug_report.yml
We ended up changing our webserver implementation to be more RFC compliant. Strictly speaking, this is not a curl bug (although the error message could certainly be improved...).
More info here: https://github.com/cockpit-project/cockpit/pull/19927
Upstream merged a commit which ignores the body when the HEAD method is used.
https://github.com/curl/curl/pull/12842
I'm going to backport it to rawhide.