Updated curl packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The curl packages provide the cURL utility for getting files from HTTP, FTP, FILE, LDAP, LDAPS, DICT, TELNET, and TFTP servers, using any of the supported protocols. This utility offers many useful capabilities, such as proxy support, user authentication, FTP upload, HTTP post, and file transfer resume.
- The libssh2 library did not sufficiently reflect its ABI extensions in its version, which prevented the RPM dependency scanner from adding the correct dependency of libcurl on an updated version of libssh2. Consequently, if the user updated libcurl without first updating libssh2, the update ended with incorrect linkage of libcurl and the user was then unable to update libssh2 using yum. An explicit dependency of libcurl on an updated version of libssh2 has been added and yum can now be used to update libcurl.
- libcurl required certificates loaded from files to have unique file base names due to a limitation of the legacy API of NSS (Network Security Services). Some packages using libcurl did not fulfil this requirement and caused nickname collisions within NSS. Now, libcurl has been modified to use a newer API of NSS, which does not suffer from this limitation, and packages using libcurl are now allowed to load certificates from files with unrestricted file names.
- libcurl misinterpreted the Content-Length HTTP header when receiving data using the chunked encoding. Consequently, libcurl failed to read the last chunk of data and the transfer terminated prematurely. An upstream patch has been applied to fix the handling of the header and the chunked encoding in libcurl now works as expected.
- A sub-optimally chosen identifier in cURL source files clashed with an identifier from a public header file introduced in a newer version of libssh2, which prevented the curl package from a successful build. An upstream patch has been applied on cURL source files, which fixes the identifier collisions and the package now builds as expected.
- The OpenLDAP suite was recently modified to use NSS instead of OpenSSL as the SSL back end. This change led to collisions between libcurl and OpenLDAP on NSS initialization and shutdown. Consequently, applications that were using both libcurl and OpenLDAP failed to establish SSL connections. This update modifies libcurl to use the same NSS API as OpenLDAP, which prevents collisions from occurring. Applications using OpenLDAP and libcurl can now connect to the LDAP server over SSL as expected.
- As a solution to a security issue, GSSAPI credential delegation was disabled, which broke the functionality of applications that were relying on delegation, incorrectly enabled by libcurl. To fix this issue, a libcurl option has been introduced in order to enable delegation explicitly when applications need it. All applications using GSSAPI credential delegation can now use this new libcurl option to be able to run properly.
- SSL connections could not be established with libcurl if the selected NSS database was broken or invalid. This update modifies the code of libcurl to initialize NSS without a valid database, which allows applications to establish SSL connections as expected.
- libcurl incorrectly checked return values of the SCP/SFTP write functions provided by libssh2. Negative values returned by those functions were treated as negative download amounts, which caused applications to terminate unexpectedly. With this update, all negative values are treated as errors and as such are properly handled on the libcurl level, thus preventing the crashes.
- Prior to this update, libcurl used an obsolete libssh2 API for uploading files over the SCP protocol, which limited the maximum size of files being transferred on 32-bit architectures. Consequently, the 32-bit packages of libcurl were unable to transfer large files over SCP. With this update, a new libssh2 API for SCP uploads is used, which does not suffer from this limitation, thus fixing this bug.
- libcurl provided only HTTP status codes in error messages when reporting HTTP errors. This could confuse users not familiar with HTTP. Now, libcurl has been improved to include the HTTP reason phrase in error messages, thus providing more understandable output.
- This update introduces a new option, --delegation, which enables Kerberos credential delegation in cURL.
Users of curl are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
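
The SCP/SFTP write return-value bug described above, shown as an added example that is not libcurl or libssh2 code: the flawed loop books a negative error code as a transfer amount, the corrected loop treats it as an error. The function names, the mock write call, the error value and the payload are all constructed for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
/* Constructed stand-in for an SCP/SFTP write call (hypothetical, not a
 * libssh2 function): accepts up to 4 bytes per call and returns a negative
 * error code on call number fail_at (0 = never fail). */
#define MOCK_ERR (-7)
#define SAMPLE_LEN 12
static const char SAMPLE[] = "hello, world";   /* constructed payload */
static int calls, fail_at;

static ssize_t mock_write(const char *buf, size_t len) {
    (void)buf;
    if (++calls == fail_at) return MOCK_ERR;
    return (ssize_t)(len < 4 ? len : 4);
}

/* Flawed pattern: the return value is added to the byte counter unchecked,
 * so an error code is booked as a negative amount. max_calls caps the loop;
 * pass max_calls == fail so the corrupted offset is never reused. */
static long send_unchecked(const char *data, size_t len, int fail, int max_calls) {
    long sent = 0;
    calls = 0; fail_at = fail;
    for (int i = 0; i < max_calls && sent < (long)len; i++)
        sent += (long)mock_write(data + sent, len - (size_t)sent);
    return sent;
}

/* Corrected pattern: a negative return is an error, reported separately
 * from the byte count, which only ever grows. */
static int send_checked(const char *data, size_t len, int fail, size_t *sent) {
    *sent = 0;
    calls = 0; fail_at = fail;
    while (*sent < len) {
        ssize_t rc = mock_write(data + *sent, len - *sent);
        if (rc < 0) return (int)rc;   /* surface the error to the caller */
        *sent += (size_t)rc;
    }
    return 0;
}

int main(void) {
    size_t n;
    int rc = send_checked(SAMPLE, SAMPLE_LEN, 3, &n);
    printf("unchecked: %ld and %ld bytes\n",
           send_unchecked(SAMPLE, SAMPLE_LEN, 1, 1),
           send_unchecked(SAMPLE, SAMPLE_LEN, 3, 3));
    printf("checked: rc=%d after %zu bytes\n", rc, n);
    return 0;
}
```

In the unchecked variant a failure on the third write silently turns 8 bytes of progress into 1, and a failure on the first write yields a negative total; any later use of that counter as a size or offset is where a crash would follow.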