Pullup ticket #6435 - requested by leot

www/curl: security update

Revisions pulled up:
- www/curl/Makefile                                             1.240
- www/curl/PLIST                                                1.85
- www/curl/distinfo                                             1.169

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   leot
   Date:           Wed Mar 31 09:52:31 UTC 2021

   Modified Files:
           pkgsrc/www/curl: Makefile PLIST distinfo

   Log Message:
   curl: Update to 7.76.0

   Changes:
   7.76.0
   ===
   This release includes the following changes:

    o cookies: Support multiple -b parameters
    o curl: add --fail-with-body
    o doh: add options to disable ssl verification
    o http: add support to read and store the referrer header
    o sasl: support SCRAM-SHA-1 and SCRAM-SHA-256 via libgsasl
    o vtls: initial implementation of rustls backend

   This release includes the following bugfixes:

    o CVE-2021-22876: strip credentials from the auto-referer header field
    o CVE-2021-22890: add 'isproxy' argument to Curl_ssl_get/addsessionid()
    o asyn-ares: use consistent resolve error message
    o BUG-BOUNTY: removed the cooperation mention
    o build: delete unused feature guards
    o build: fix --disable-dateparse
    o build: fix --disable-http-auth
    o build: remove all traces of USE_BLOCKING_SOCKETS
    o c-hyper: Remove superfluous pointer check
    o c-hyper: support automatic content-encoding
    o CI/azure: disable test 433 on azure-ubuntu
    o CI/azure: replace python-impacket with python3-impacket
    o ci: stop building on freebsd-12-1
    o cmake: fix import library name for non-MS compiler on Windows
    o cmake: use CMAKE_INSTALL_INCLUDEDIR indirection
    o cmake: support WinIDN
    o config: fix building SMB with configure using Win32 Crypto
    o config: fix detection of restricted Windows App environment
    o configure: fail if --with-quiche is used and quiche isn't found
    o configure: make AC_TRY_* into AC_*_IFELSE
    o configure: make hyper opt-in, and fail if missing
    o configure: only add OpenSSL paths if they are defined
    o configure: provide Largefile feature for curl-config
    o configure: remove use of deprecated macros
    o configure: s/AC_HELP_STRING/AS_HELP_STRING
    o cookies: Fix potential NULL pointer deref with PSL
    o curl: set CURLOPT_NEW_FILE_PERMS if requested
    o curl_easy_setopt.3: add curl_easy_option* functions to SEE ALSO
    o curl_multibyte: always return a heap-allocated copy of string
    o curl_multibyte: fall back to local code page stat/access on Windows
    o Curl_timeleft: check both timeouts during connect
    o curl_url_set.3: mention CURLU_PATH_AS_IS
    o CURLOPT_QUOTE.3: clarify that libcurl doesn't parse what's sent
    o docs/HTTP2: remove the outdated remark about multiplexing for the tool
    o docs/Makefile.inc: format to be update-friendly
    o docs: add CURLOPT_CURLU to 'See also' in curl_url_ functions
    o docs: add missing Arg tag to --stderr
    o docs: Add SSL backend names to CURL_SSL_BACKEND
    o docs: clarify timeouts for queued transfers in multi API
    o docs: Explain DOH transfers inherit some SSL settings
    o docs: fix FILE example url in --metalink documentation
    o docs: make gen.pl support *italic* and **bold**
    o doh: Fix sharing user's resolve list with DOH handles
    o doh: Inherit CURLOPT_STDERR from user's easy handle
    o dynbuf: bump the max HTTP request to 1MB
    o examples: Remove threaded-shared-conn.c due to bug
    o file: Support unicode urls on windows
    o ftp: add 'list_only' to the transfer state struct
    o ftp: add 'prefer_ascii' to the transfer state struct
    o FTP: allow SIZE to fail when doing (resumed) upload
    o ftp: avoid SIZE when asking for a TYPE A file
    o ftp: fix Codacy/cppcheck warning about null pointer arithmetic
    o ftp: fix memory leak in ftp_done
    o ftp: never set data->set.ftp_append outside setopt
    o gen.pl: quote "bare" minuses in the nroff curl.1
    o github: add torture-ftp for FTP-only torture testing
    o gnutls: assume nettle crypto support
    o gskit: correct the gskit_send() prototype
    o hostip: fix build with sync resolver
    o hostip: fix crash in sync resolver builds that use DOH
    o hsts: remove unused defines
    o http2: don't set KEEP_SEND when there's no more data to be sent
    o http2: fail if connection terminated without END_STREAM
    o http: cap body data amount during send speed limiting
    o http: do not add a referrer header with empty value
    o http: make 416 not fail with resume + CURLOPT_FAILONERRROR
    o http: remove superfluous NULL assign
    o http: strip default port from URL sent to proxy
    o http: use credentials from transfer, not connection
    o ldap: use correct memory free function
    o lib1536: check ptr against NULL before dereferencing it
    o lib1537: check ptr against NULL before dereferencing it
    o lib: remove 'conn->data' completely
    o libssh2: kdb_callback: get the right struct pointer
    o libssh2:ssh_connect: clear session pointer after free
    o memdebug: close debug logfile explicitly on exit
    o mingw: enable using strcasecmp()
    o multi: close the connection when h2=>h1 downgrading
    o multi: do once-per-transfer inits in before_perform in DID state
    o multi: rename the multi transfer states
    o multi: update pending list when removing handle
    o ngtcp2: adapt to the new recv_datagram callback
    o ngtcp2: clarify calculation precedence
    o ngtcp2: Fix build error due to change in ngtcp2_addr_init
    o ngtcp2: sync with recent API updates
    o openldap: avoid NULL pointer dereferences
    o openssl: adapt to v3's new const for a few API calls
    o openssl: ensure to check SSL_CTX_set_alpn_protos return values
    o openssl: remove get_ssl_version_txt in favor of SSL_get_version
    o openssl: set the transfer pointer for logging early
    o OS400: update for CURLOPT_AWS_SIGV4
    o parse_proxy: fix a memory leak in the OOM path
    o pathhelp.pm: fix use of pwd -L in Msys environment
    o projects: Update VS projects for OpenSSL 1.1.x
    o quiche: fix build error: use 'int' for port number
    o quiche: fix crash when failing to connect
    o retry-all-errors.d: Explain curl errors versus HTTP response errors
    o retry.d: Clarify transient 5xx HTTP response codes
    o runtests.pl: add %TESTNUMBER variable to make copying tests more convenient
    o runtests.pl: add a -P option to specify an external proxy
    o runtests.pl: kill processes locking test log files
    o setopt: error on CURLOPT_HTTP09_ALLOWED set true with Hyper
    o test1188: change error to check for: --fail HTTP status
    o test220/314: adjust to run with Hyper
    o test304: header CRLF cleanup to work with Hyper
    o test306: make it not run with Hyper
    o tests: disable .curlrc in more environments
    o tests: use %TESTNUMBER instead of fixed number
    o tftp: remove the 3600 second default timeout
    o time: enable 64-bit time_t in supported mingw environments
    o tool_help: add missing argument for --create-file-mode
    o tool_help: Increase space between option and description
    o tool_operate: bail if set CURLOPT_HTTP09_ALLOWED returns error
    o travis: add a rustls build
    o travis: bump wolfssl to 4.7.0
    o travis: only build wolfssl when needed
    o travis: split "torture" into a separate "events" build
    o travis: switch ngtcp2 build over to quictls
    o travis: use ubuntu nghttp2 package instead of build our own
    o url.c: use consistent error message for failed resolve
    o url: fix memory leak if OOM in the HSTS handling
    o url: fix possible use-after-free in default protocol
    o urldata: don't touch data->set.httpversion at run-time
    o urldata: fix build without HTTP and MQTT
    o urldata: make 'actions[]' use unsigned char instead of int
    o urldata: merge "struct DynamicStatic" into "struct UrlState"
    o urldata: remove the 'rtspversion' field
    o urldata: remove the _ORIG suffix from string names
    o version.d: Add missing features to the features list
    o wolfssl: don't store a NULL sessionid


   To generate a diff of this commit:
   cvs rdiff -u -r1.239 -r1.240 pkgsrc/www/curl/Makefile
   cvs rdiff -u -r1.84 -r1.85 pkgsrc/www/curl/PLIST
   cvs rdiff -u -r1.168 -r1.169 pkgsrc/www/curl/distinfo

3 files changed, 12 insertions, 8 deletions

diff --git a/www/curl/Makefile b/www/curl/Makefile
index 8cc8a487fa4..55c0df7e4a6 100644
--- a/www/curl/Makefile
+++ b/www/curl/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.239 2021/03/01 23:31:30 gdt Exp $
+# $NetBSD: Makefile,v 1.239.2.1 2021/04/04 13:22:06 spz Exp $
 
-DISTNAME=	curl-7.75.0
+DISTNAME=	curl-7.76.0
 CATEGORIES=	www
 MASTER_SITES=	https://curl.haxx.se/download/
 EXTRACT_SUFX=	.tar.xz
diff --git a/www/curl/PLIST b/www/curl/PLIST
index 5e2fca02b79..ad768c686b6 100644
--- a/www/curl/PLIST
+++ b/www/curl/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.84 2021/02/03 13:17:18 adam Exp $
+@comment $NetBSD: PLIST,v 1.84.2.1 2021/04/04 13:22:06 spz Exp $
 bin/curl
 bin/curl-config
 include/curl/curl.h
@@ -57,6 +57,7 @@ man/man3/CURLINFO_REDIRECT_COUNT.3
 man/man3/CURLINFO_REDIRECT_TIME.3
 man/man3/CURLINFO_REDIRECT_TIME_T.3
 man/man3/CURLINFO_REDIRECT_URL.3
+man/man3/CURLINFO_REFERER.3
 man/man3/CURLINFO_REQUEST_SIZE.3
 man/man3/CURLINFO_RESPONSE_CODE.3
 man/man3/CURLINFO_RETRY_AFTER.3
@@ -144,6 +145,9 @@ man/man3/CURLOPT_DNS_LOCAL_IP6.3
 man/man3/CURLOPT_DNS_SERVERS.3
 man/man3/CURLOPT_DNS_SHUFFLE_ADDRESSES.3
 man/man3/CURLOPT_DNS_USE_GLOBAL_CACHE.3
+man/man3/CURLOPT_DOH_SSL_VERIFYHOST.3
+man/man3/CURLOPT_DOH_SSL_VERIFYPEER.3
+man/man3/CURLOPT_DOH_SSL_VERIFYSTATUS.3
 man/man3/CURLOPT_DOH_URL.3
 man/man3/CURLOPT_EGDSOCKET.3
 man/man3/CURLOPT_ERRORBUFFER.3
diff --git a/www/curl/distinfo b/www/curl/distinfo
index ab2c0120729..71b4e3d7203 100644
--- a/www/curl/distinfo
+++ b/www/curl/distinfo
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.168 2021/02/03 13:17:18 adam Exp $
+$NetBSD: distinfo,v 1.168.2.1 2021/04/04 13:22:06 spz Exp $
 
-SHA1 (curl-7.75.0.tar.xz) = ae65d2140104f441b65b60c5e1d541d11dab80c6
-RMD160 (curl-7.75.0.tar.xz) = 3b94b99c85e0cc61784f31d08b34f167d45e452c
-SHA512 (curl-7.75.0.tar.xz) = 4c2fc6658379b8b93dd50665b70f3000b63d3bcafd2df60b7e651a8edf4735b3decb06c338b84cb22058191aa9f8f4dc85760a42f9987210b59300758304b746
-Size (curl-7.75.0.tar.xz) = 2418816 bytes
+SHA1 (curl-7.76.0.tar.xz) = b4e7ee3c9b9d086a116c2f37f0969fc47cbf3ad0
+RMD160 (curl-7.76.0.tar.xz) = a24268c5c860c374c892fa6ae2e9426da922484e
+SHA512 (curl-7.76.0.tar.xz) = a67e5078b48150c6f5331e76b25a6b197f1e916be1db900bf9455b032b3af5a71610b47e607546ecbae510d196a0cfcb75a14dac549288797af1701b7b587ece
+Size (curl-7.76.0.tar.xz) = 2428552 bytes
 SHA1 (patch-configure) = 8dcc112bd2950e146a77bed7638e490e24a5aa71
 SHA1 (patch-curl-config.in) = a58c777fc1a0a087776e62ed2e2a1e0a339716df