libcurl3

Piotr Jawidzyk
2012-04-29 21:50 UTC
http://maemo.org/packages/view/libcurl3/

Situation quite similar to libxau6, yet from 30.03.2012. No changelog,
not uploaded by maintainer, also replacing component from fremantle
armel SSU. No idea who uploaded "new" version and why.

Could anyone knowledgeable drop an eye on the source code, and check WTF?

/Estel

Re: libcurl3

Pali Rohár
2012-04-30 16:08 UTC
On Sunday 29 April 2012 23:50:24 Piotr Jawidzyk wrote:
> http://maemo.org/packages/view/libcurl3/
>
> Situation quite similar to libxau6, yet from 30.03.2012. No
> changelog, not uploaded by maintainer, also replacing
> component from fremantle armel SSU. No idea who uploaded
> "new" version and why.
>
> Could anyone knowledgeable drop an eye on the source code, and
> check WTF?
>
> /Estel

Hi! I looked at this problematic package.

The package has a changelog in the debian subfolder. Here it is:

===
curl (7.25.0-1maemo2) fremantle; urgency=low

  * Maemo package cleanup

 -- Ludek Finstrle <luf@pzkagis.cz>  Fri, 30 Mar 2012 10:07:43 +0200

curl (7.25.0-1maemo1) fremantle; urgency=high

  * New upstream release
    - Fix builds with proxy or http disabled
    - Fix a numeric overflow in parsing date
    - COOKIES: strip the numerical ipv6 host properly
    - Fix CONNECT: fix multi interface regression
      http://curl.haxx.se/mail/lib-2012-03/0162.html
    - SWS: refuse to serve CONNECT unless running as proxy
    - Update detection logic of getaddrinfo() thread-safeness
    - Fix --libcurl option output file text translation mode
    - Fix OOM handling
    - Fix resolve with c-ares: don't resolve IPv6 when not working
      http://curl.haxx.se/mail/lib-2012-03/0045.html
    - SMTP: Changed the curl error code for EHLO and HELO responses

 -- Ludek Finstrle <luf@pzkagis.cz>  Fri, 23 Mar 2012 09:29:36 +0100
===

The source code of the version in extras is here:
http://repository.maemo.org/extras-devel/pool/fremantle/free/source/c/curl/

The tarball curl_7.25.0.orig.tar.gz from extras-devel is the same as
the upstream 7.25.0 version at: http://curl.haxx.se/download.html

I also checked the additional patches, and all of them are only compile flags, nothing more.

So I did not find anything strange in the source code (no backdoor, etc.).

The package is only a "New upstream release". But it is still bad that anybody
can push a new version of maemo core packages (even if it is fixing strange bugs)
without any information...

--
Pali Rohár
pali.rohar@gmail.com
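
Added example (not part of the original thread or of any Maemo tooling): one way to repeat the check described in the reply above, comparing a repository's .orig.tar.gz against the upstream release file by file, so that a repack with different timestamps or compression neither hides nor fakes a difference. The tarballs are small constructed samples, not real curl sources, and all function names are hypothetical.

```python
import hashlib
import io
import tarfile

def member_digests(tar_bytes):
    """Map each regular file's path (top-level directory stripped) to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            if not m.isfile():
                continue
            path = m.name.split("/", 1)[-1]  # drop e.g. "curl-7.25.0/"
            digests[path] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return digests

def compare_tarballs(repo_bytes, upstream_bytes):
    """Return (byte_identical, added, removed, changed) for repo vs upstream."""
    identical = (hashlib.sha256(repo_bytes).digest()
                 == hashlib.sha256(upstream_bytes).digest())
    repo, up = member_digests(repo_bytes), member_digests(upstream_bytes)
    added = sorted(set(repo) - set(up))      # files only in the repo copy
    removed = sorted(set(up) - set(repo))    # files missing from the repo copy
    changed = sorted(p for p in set(repo) & set(up) if repo[p] != up[p])
    return identical, added, removed, changed

def make_tarball(files, mtime):
    """Build a constructed .tar.gz in memory (sample data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo("curl-7.25.0/" + name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed samples: an "upstream" tarball, a harmless repack of the same
# files with different timestamps, and a copy with one modified and one extra file.
UPSTREAM_FILES = {"lib/url.c": b"int connect_host(void);\n", "README": b"curl\n"}
MODIFIED_FILES = dict(UPSTREAM_FILES)
MODIFIED_FILES["lib/url.c"] = b"int connect_host(void); /* extra */\n"
MODIFIED_FILES["lib/hook.c"] = b"void hook(void);\n"

upstream = make_tarball(UPSTREAM_FILES, mtime=1332460800)
repacked = make_tarball(UPSTREAM_FILES, mtime=1333065600)
tampered = make_tarball(MODIFIED_FILES, mtime=1332460800)

if __name__ == "__main__":
    print("repacked vs upstream:", compare_tarballs(repacked, upstream))
    print("tampered vs upstream:", compare_tarballs(tampered, upstream))
```

A whole-file hash match is the strongest result; when it fails, the per-file lists show whether the difference is only packaging or an actual source change that needs reading.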