stable

curl-8.6.0-1.fc40

FEDORA-2024-634a6662aa created by jamacku 3 months ago for Fedora 40

Automatic update for curl-8.6.0-1.fc40.

Changelog
* Thu Feb  1 2024 Jan Macku <jamacku@redhat.com> - 8.6.0-1
- new upstream release, which fixes the following vulnerabilities
    CVE-2024-0853 - OCSP verification bypass with TLS session reuse
- drop 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch (replaced by upstream fix)
- remove accidentally included mk-ca-bundle.1 man page (upstream bug #12843)

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2024-634a6662aa

This update was automatically created

3 months ago

This update's test gating status has been changed to 'waiting'.

3 months ago

This update's test gating status has been changed to 'passed'.

3 months ago

This update has been submitted for stable by bodhi

3 months ago
User Icon lis commented & provided feedback 3 months ago
karma

This breaks two distinct things for us (Cockpit project):

  • this upstream change https://github.com/curl/curl/commit/07dd60c05b5f6b00ff7cc0d65c6b46cb1a6938a2 causes --unix to stop working. OK, fair enough. --unix was never a valid option (the correct spelling is --unix-socket) and the change here is that the "partial match" feature was removed. Easy enough for us to fix, but that's surely going to hit other people as well.
  • worse, though: there's a new "curl: (8) Failed reading the chunked-encoded stream" failure coming from our tests and it's not clear why. I've tried to reproduce this with various versions from upstream git, but have been unable to do so.

Thank you for your feedback.

There was a big refactor/rewrite related to transfer response handling. So it's possible that there might be some regression - https://github.com/curl/curl/pull/12480

I managed to bisect it to this commit: https://github.com/curl/curl/commit/d7b6ce64ce0ad787ad2ed3ee05c94938a6b4f551 which is not included in that PR (which never got merged) but (indeed, curiously) tags it as Closed in the commit message.

It is "merged" via Closes #12480 in the commit message. (They add Closes to all commits and push them to the master branch. This results in closing the original PR) It is included in the curl 8.6.0

I've done some additional research. It happens when the --head command-line option is used and the server returns a non-empty encoding with Transfer-Encoding: chunked. MDN says:

Warning: A response to a HEAD method should not have a body. If it has one anyway, that body must be ignored

https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/HEAD

which suggests that the server is behaving in a way it should not, but the bug is with curl for not ignoring it. The MDN article links the RFC which says something else:

The HEAD method is identical to GET except that the server MUST NOT send content in the response.

https://www.rfc-editor.org/rfc/rfc9110#HEAD

.... so, our bug?

Based on the links you provided, I would say so. Could you try updating your server so that the body is not sent for the HEAD method?

Could you provide a reproducer? I can report this issue to the upstream.

Or you can report it yourself here - https://github.com/curl/curl/issues/new?assignees=&labels=&projects=&template=bug_report.yml

We ended up changing our webserver implementation to be more RFC compliant. Strictly speaking, this is not a curl bug (although the error message could certainly be improved...).

More info here: https://github.com/cockpit-project/cockpit/pull/19927

Upstream merged commit, which ignores body when HEAD method was used.

https://github.com/curl/curl/pull/12842

I'm going to backport it to rawhide.


Please login to add feedback.

Metadata
Type
unspecified
Karma
-1
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
disabled
Stable by Time
0 days
Dates
submitted
3 months ago
in testing
3 months ago
in stable
3 months ago
approved
3 months ago

Automated Test Results