main/curl: security upgrade to 7.36.0 (CVE-2014-0138 CVE-2014-0139)

groff is now needed to build built-in manual. ref #2816

(cherry picked from commit d218307c3f5ca3bb714075368f71f8c7332371cb)

Conflicts:
	main/curl/APKBUILD

2 files changed, 7 insertions, 59 deletions

diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index ec69ddd7d8..ca9c373e65 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -1,17 +1,15 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=curl
-pkgver=7.33.0
-pkgrel=2
+pkgver=7.36.0
+pkgrel=0
 pkgdesc="An URL retrival utility and library"
 url="http://curl.haxx.se"
 arch="all"
 license="MIT"
 depends="ca-certificates"
 depends_dev="zlib-dev openssl-dev libssh2-dev"
-makedepends="$depends_dev"
-source="http://curl.haxx.se/download/curl-$pkgver.tar.bz2
-	CVE-2014-0015.patch
-	"
+makedepends="groff $depends_dev"
+source="http://curl.haxx.se/download/curl-$pkgver.tar.bz2"
 subpackages="$pkgname-doc $pkgname-dev"
 
 _builddir="$srcdir/$pkgname-$pkgver"
@@ -45,9 +43,6 @@ package() {
 	rm "$pkgdir"/usr/lib/*.la || return 1
 }
 
-md5sums="57409d6bf0bd97053b8378dbe0cadcef  curl-7.33.0.tar.bz2
-bab6cc59679fbb496c2c3034418b70d8  CVE-2014-0015.patch"
-sha256sums="0afde4cd949e2658eddc3cda675b19b165eea1af48ac5f3e1ec160792255d1b3  curl-7.33.0.tar.bz2
-4d7e468cbd699fe0fc15635ab496d97761976b38f480b38075c7b9646e8e73a0  CVE-2014-0015.patch"
-sha512sums="13f61e8255859f3d1138bf7cc935bda90af5f51103f1660b9e9cc6dd63d37b7672752900f3a76f8c80d47a7c02061077c6417d53617576f4030e180552b75076  curl-7.33.0.tar.bz2
-607591592932c317a40bb8fe7c2cab58b97eb08de14bd890c8b56fb49e49274a76fad52af3e29dc529d8537cc782b08d3471f30f7e90e0ff25500019fa961524  CVE-2014-0015.patch"
+md5sums="e6d1f9d1b59da5062109ffe14e0569a4  curl-7.36.0.tar.bz2"
+sha256sums="1fbe82b89bcd6b7ccda8cb0ff076edc60e911595030e27689f4abd5ef7f3cfcd  curl-7.36.0.tar.bz2"
+sha512sums="ae471d382c9c8f321a987e7a5a302abe7cb2cae4204ea65234b02c73303abef7c995c50ce8219bd90d762fa63006d50293e4350e78aee2c2086b6f7aec09b01a  curl-7.36.0.tar.bz2"
diff --git a/main/curl/CVE-2014-0015.patch b/main/curl/CVE-2014-0015.patch
deleted file mode 100644
index 745db00e7b..0000000000
--- a/main/curl/CVE-2014-0015.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 8ae35102c43d8d06572c3a1292eb6e27e663c78d Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Tue, 7 Jan 2014 09:33:54 +0100
-Subject: [PATCH] ConnectionExists: fix NTLM check for new connection
-
-When the requested authentication bitmask includes NTLM, we cannot
-re-use a connection for another username/password as we then risk
-re-using NTLM (connection-based auth).
-
-This has the unfortunate downside that if you include NTLM as a possible
-auth, you cannot re-use connections for other usernames/passwords even
-if NTLM doesn't end up the auth type used.
-
-Reported-by: Paras S
-Patched-by: Paras S
-Bug: http://curl.haxx.se/mail/lib-2014-01/0046.html
----
- lib/url.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/lib/url.c b/lib/url.c
-index 74d0893..3f85502 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -5,7 +5,7 @@
-  *                            | (__| |_| |  _ <| |___
-  *                             \___|\___/|_| \_\_____|
-  *
-- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
-+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
-  *
-  * This software is licensed as described in the file COPYING, which
-  * you should have received as part of this distribution. The terms
-@@ -2886,8 +2886,8 @@ static void signalPipeClose(struct curl_llist *pipeline, bool pipe_broke)
-   struct connectdata *check;
-   struct connectdata *chosen = 0;
-   bool canPipeline = IsPipeliningPossible(data, needle);
--  bool wantNTLM = (data->state.authhost.want==CURLAUTH_NTLM) ||
--                  (data->state.authhost.want==CURLAUTH_NTLM_WB) ? TRUE : FALSE;
-+  bool wantNTLM = (data->state.authhost.want & CURLAUTH_NTLM) ||
-+    (data->state.authhost.want & CURLAUTH_NTLM_WB) ? TRUE : FALSE;
-   struct connectbundle *bundle;
- 
-   *force_reuse = FALSE;
--- 
-1.8.5.1
-