curl: 8.0.1 -> 8.1.1

[mweinelt]

https://daniel.haxx.se/blog/2023/05/17/curl-8-1-0-http2-over-proxy/
https://curl.se/changes.html#8_1_0
https://curl.se/changes.html#8_1_1

https://www.openwall.com/lists/oss-security/2023/05/17/1
https://www.openwall.com/lists/oss-security/2023/05/17/2
https://www.openwall.com/lists/oss-security/2023/05/17/3
https://www.openwall.com/lists/oss-security/2023/05/17/4

Fixes: CVE-2023-28319, CVE-2023-28320, CVE-2023-28321, CVE-2023-28322

Description of changes

Things done

• Built on platform(s) (only for 8.1.0)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.05 Release Notes (or backporting 22.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

[tomodachi94]

Lgtm. Thank you for contributing to Nixpkgs!

[mweinelt]

https://curl.se/mail/lib-2023-05/0029.html

Drafting.

[ivan]

curl 8.1.1 is available now: https://curl.se/mail/lib-2023-05/0040.html

[risicle]

Assume we'll be backporting this to 23.05?

[mweinelt]

The question was just whether we go with 8.1.1 or pick the patches like for 22.11.

[risicle]

Built curl.tests successfully on macos 10.15.

[github-actions]

Successfully created backport PR for staging-23.05:

• [Backport staging-23.05] curl: 8.0.1 -> 8.1.1 #233937

[vcunat]

This broke build of curlHTTP3. Most likely it will need update of ngtcp2 and/or nghttp3.

EDIT: details
https://github.com/curl/curl/blob/curl-8_1_1/docs/HTTP3.md#ngtcp2-version

Hydra only has darwin logs for now, but I confirmed on linux locally:
https://hydra.nixos.org/build/221673473/nixlog/2/tail

[vcunat]

I think this part is maintained primarily by @Izorkin?

Fixes would primarily target staging-next now: PR #233944

[vcunat]

ngtcp2 certainly does suffer from incompatible changes coming relatively often (on most of minor-number bumps IIRC). That's why I separated ngtcp2-gnutls which is only directly used by knot-dns and thus can be updated in lock-step.

Maybe we should start keeping ngtcp2 + nghttp3 on the versions needed by our current curl? (fortunately, curlHTTP3 seems to be the only consumer right now)

[Izorkin]

Upstream curl wrote that an update of nghttp2 to 1.53.0 is required. The PR to update ngtcp2 is there too, only to the master branch.
If needed, I can put all the updates into 1 PR and throw it into the staging branch.

[vcunat]

I don't see any problems related to nghttp2. (that's on in the default curl)

[Izorkin]

I don't see any problems related to nghttp2. (that's on in the default curl)

curl/curl#11031 (comment)

[risicle]

Which of the passthru.tests would have exhibited this problem? Or did we fail to test curlFull?

[vcunat]

curlFull apparently does not enable HTTP/3

@Izorkin: I thought you referred to nixpkgs master, not curl master. I see them writing that nghttp2 1.52 is bad for curl, but we don't use that (yet). I don't see hint that our current version is bad. (update to 1.53 could be done, but it's a huge rebuild)

EDIT: curl*.tests.nginx-http3 seems to (always) depend on curlHTTP3, but I image any nixos test will be very expensive in case you rebuild curl...