Index: trunk/server/fedora/Makefile
===================================================================
--- trunk/server/fedora/Makefile	(revision 1919)
+++ trunk/server/fedora/Makefile	(revision 1922)
@@ -19,5 +19,5 @@
 # See /COPYRIGHT in this repository for more information.
 
-upstream_yum	= krb5 krb5.i686 httpd openssh
+upstream_yum	= krb5 krb5.i686 httpd openssh curl
 hackage		= MonadCatchIO-mtl-0.3.0.1 cgi-3001.1.8.1 unix-handle-0.0.0
 upstream_hackage = ghc-MonadCatchIO-mtl ghc-cgi ghc-unix-handle
Index: trunk/server/fedora/specs/curl.spec.patch
===================================================================
--- trunk/server/fedora/specs/curl.spec.patch	(revision 1922)
+++ trunk/server/fedora/specs/curl.spec.patch	(revision 1922)
@@ -0,0 +1,40 @@
+--- /tmp/t/curl.spec	2011-07-01 10:50:07.000000000 -0400
++++ /tmp/t/curl.spec	2011-07-01 10:50:46.000000000 -0400
+@@ -1,7 +1,7 @@
+ Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
+ Name: curl
+ Version: 7.20.1
+-Release: 5%{?dist}
++Release: 5.scripts.%{scriptsversion}%{?dist}
+ License: MIT
+ Group: Applications/Internet
+ Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
+@@ -90,6 +90,9 @@
+ # workaround for broken applications using curl multi (#599340)
+ Patch108: 0108-curl-7.20.1-threaded-dns-multi.patch
+ 
++# disable credential delegation over Negotiate (CVE-2011-2192)
++Patch1000: curl-gssapi-delegation.patch
++
+ Provides: webclient
+ URL: http://curl.haxx.se/
+ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+@@ -190,6 +193,7 @@
+ %patch105 -p1
+ %patch106 -p1
+ %patch108 -p1
++%patch1000 -p1
+ 
+ # other patches
+ %patch15 -p1
+@@ -289,6 +293,10 @@
+ %{_datadir}/aclocal/libcurl.m4
+ 
+ %changelog
++* Fri Jul 01 2011 Geoffrey Thomas <geofft@mit.edu> 7.20.1-5.scripts.r1922
++- disable credential delegation over Negotiate (CVE-2011-2192)
++  Patch from upstream: http://curl.haxx.se/docs/adv_20110623.html
++
+ * Fri Nov 26 2010 Kamil Dudka <kdudka@redhat.com> 7.20.1-5
+ - do not send QUIT to a dead FTP control connection (#650255)
+ - prevent FTP client from hanging on unrecognized ABOR response (#649347)
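Review bot: `Patch1000: curl-gssapi-delegation.patch` and `%patch1000 -p1` reference a patch file that is not among the files shown in this changeset, so the build relies on it being supplied some other way. If it is downloaded or copied in by hand, its checksum should be recorded alongside this spec patch, because the only provenance given in the changelog is a plain-http advisory URL. The changelog entry hard-codes `7.20.1-5.scripts.r1922` while `Release:` is derived from `%{scriptsversion}`, so a rebuild at a later revision would presumably carry a changelog entry that no longer matches the package release. I would also extend the comment to `# disable credential delegation over Negotiate (CVE-2011-2192); local backport, drop when the base package includes the fix`, so whoever next rebases this spec patch knows when Patch1000 can be removed.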
