* [Buildroot] [PATCH] package/libcurl: security bump to version 7.83.1
From: Peter Korsgaard @ 2022-05-11 10:07 UTC (permalink / raw)
To: buildroot; +Cc: Matt Weber
Fixes the following security issues:
- CVE-2022-27778: curl removes wrong file on error
https://curl.se/docs/CVE-2022-27778.html
- CVE-2022-27779: cookie for trailing dot TLD
https://curl.se/docs/CVE-2022-27779.html
- CVE-2022-27780: percent-encoded path separator in URL host
https://curl.se/docs/CVE-2022-27780.html
- CVE-2022-27781: CERTINFO never-ending busy-loop
https://curl.se/docs/CVE-2022-27781.html
- CVE-2022-27782: TLS and SSH connection too eager reuse
https://curl.se/docs/CVE-2022-27782.html
- CVE-2022-30115: HSTS bypass via trailing dot
https://curl.se/docs/CVE-2022-30115.html
Drop now upstreamed 0001-mbedtls-fix-compile-when-h2-enabled.patch
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
...-mbedtls-fix-compile-when-h2-enabled.patch | 32 -------------------
package/libcurl/libcurl.hash | 4 +--
package/libcurl/libcurl.mk | 2 +-
3 files changed, 3 insertions(+), 35 deletions(-)
delete mode 100644 package/libcurl/0001-mbedtls-fix-compile-when-h2-enabled.patch
diff --git a/package/libcurl/0001-mbedtls-fix-compile-when-h2-enabled.patch b/package/libcurl/0001-mbedtls-fix-compile-when-h2-enabled.patch
deleted file mode 100644
index 61cbabd84a..0000000000
--- a/package/libcurl/0001-mbedtls-fix-compile-when-h2-enabled.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 6eb7fb37d901ed1e4ce07cbd628ee11bf02db1f3 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Thu, 28 Apr 2022 17:11:50 +0200
-Subject: [PATCH] mbedtls: fix compile when h2-enabled
-
-Fixes #8766
-Reported-by: LigH-de on github
-Closes #8768
-
-Downloaded from upstream commit
-https://github.com/curl/curl/commit/6eb7fb37d901ed1e4ce07cbd628ee11bf02db1f3
-
-Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
----
- lib/vtls/mbedtls.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
-index 64f57c5d8321..5f9b87e6b75b 100644
---- a/lib/vtls/mbedtls.c
-+++ b/lib/vtls/mbedtls.c
-@@ -815,8 +815,8 @@ mbed_connect_step2(struct Curl_easy *data, struct connectdata *conn,
- if(next_protocol) {
- infof(data, VTLS_INFOF_ALPN_ACCEPTED_1STR, next_protocol);
- #ifdef USE_HTTP2
-- if(!strncmp(next_protocol, ALPN_H2, ALPN_H2_LEN) &&
-- !next_protocol[ALPN_H2_LEN]) {
-+ if(!strncmp(next_protocol, ALPN_H2, ALPN_H2_LENGTH) &&
-+ !next_protocol[ALPN_H2_LENGTH]) {
- conn->negnpn = CURL_HTTP_VERSION_2;
- }
- else
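Review bot: the commit message only says the dropped patch is "now upstreamed", but the upstream commit it carries (6eb7fb37d901ed1e4ce07cbd628ee11bf02db1f3, dated 28 Apr 2022) is not tied to a release anywhere in the message; please state explicitly that 7.83.1 contains it, since if it did not, an mbedtls build with HTTP/2 enabled would fail again on the ALPN_H2_LEN / ALPN_H2_LENGTH rename shown in the deleted hunk. Something like "Drop 0001-mbedtls-fix-compile-when-h2-enabled.patch, included in 7.83.1" makes the reasoning checkable for anyone bisecting or backporting this bump later.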
diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash
index 64a1129a90..8672380f09 100644
--- a/package/libcurl/libcurl.hash
+++ b/package/libcurl/libcurl.hash
@@ -1,5 +1,5 @@
# Locally calculated after checking pgp signature
-# https://curl.se/download/curl-7.83.0.tar.xz.asc
+# https://curl.se/download/curl-7.83.1.tar.xz.asc
# signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2
-sha256 bbff0e6b5047e773f3c3b084d80546cc1be4e354c09e419c2d0ef6116253511a curl-7.83.0.tar.xz
+sha256 2cb9c2356e7263a1272fd1435ef7cdebf2cd21400ec287b068396deb705c22c4 curl-7.83.1.tar.xz
sha256 321b1a09ebc30410f2e837c072e5521cf7095b757193af4a7dae1086e36ed31a COPYING
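Review bot: the .asc URL and the tarball sha256 are updated together and the signing-key line is left unchanged, which is what the "Locally calculated after checking pgp signature" comment requires; before merging, please confirm the signature on curl-7.83.1.tar.xz was actually re-verified against key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2 rather than only the hash being recomputed, because that comment is the only record reviewers have that the check happened for this version.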
diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index ea8529c914..15943f7512 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -4,7 +4,7 @@
#
################################################################################
-LIBCURL_VERSION = 7.83.0
+LIBCURL_VERSION = 7.83.1
LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz
LIBCURL_SITE = https://curl.se/download
LIBCURL_DEPENDENCIES = host-pkgconf \
--
2.30.2
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH] package/libcurl: security bump to version 7.83.1
From: Peter Korsgaard @ 2022-05-12 8:48 UTC (permalink / raw)
To: buildroot; +Cc: Matt Weber
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issues:
> - CVE-2022-27778: curl removes wrong file on error
> https://curl.se/docs/CVE-2022-27778.html
> - CVE-2022-27779: cookie for trailing dot TLD
> https://curl.se/docs/CVE-2022-27779.html
> - CVE-2022-27780: percent-encoded path separator in URL host
> https://curl.se/docs/CVE-2022-27780.html
> - CVE-2022-27781: CERTINFO never-ending busy-loop
> https://curl.se/docs/CVE-2022-27781.html
> - CVE-2022-27782: TLS and SSH connection too eager reuse
> https://curl.se/docs/CVE-2022-27782.html
> - CVE-2022-30115: HSTS bypass via trailing dot
> https://curl.se/docs/CVE-2022-30115.html
> Drop now upstreamed 0001-mbedtls-fix-compile-when-h2-enabled.patch
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH] package/libcurl: security bump to version 7.83.1
From: Peter Korsgaard @ 2022-05-28 9:16 UTC (permalink / raw)
To: buildroot; +Cc: Matt Weber
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issues:
> - CVE-2022-27778: curl removes wrong file on error
> https://curl.se/docs/CVE-2022-27778.html
> - CVE-2022-27779: cookie for trailing dot TLD
> https://curl.se/docs/CVE-2022-27779.html
> - CVE-2022-27780: percent-encoded path separator in URL host
> https://curl.se/docs/CVE-2022-27780.html
> - CVE-2022-27781: CERTINFO never-ending busy-loop
> https://curl.se/docs/CVE-2022-27781.html
> - CVE-2022-27782: TLS and SSH connection too eager reuse
> https://curl.se/docs/CVE-2022-27782.html
> - CVE-2022-30115: HSTS bypass via trailing dot
> https://curl.se/docs/CVE-2022-30115.html
> Drop now upstreamed 0001-mbedtls-fix-compile-when-h2-enabled.patch
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2022.02.x, thanks.
> ---
> ...-mbedtls-fix-compile-when-h2-enabled.patch | 32 -------------------
> package/libcurl/libcurl.hash | 4 +--
> package/libcurl/libcurl.mk | 2 +-
> 3 files changed, 3 insertions(+), 35 deletions(-)
> delete mode 100644 package/libcurl/0001-mbedtls-fix-compile-when-h2-enabled.patch
> diff --git a/package/libcurl/0001-mbedtls-fix-compile-when-h2-enabled.patch b/package/libcurl/0001-mbedtls-fix-compile-when-h2-enabled.patch
> deleted file mode 100644
> index 61cbabd84a..0000000000
> --- a/package/libcurl/0001-mbedtls-fix-compile-when-h2-enabled.patch
> +++ /dev/null
> @@ -1,32 +0,0 @@
> -From 6eb7fb37d901ed1e4ce07cbd628ee11bf02db1f3 Mon Sep 17 00:00:00 2001
> -From: Daniel Stenberg <daniel@haxx.se>
> -Date: Thu, 28 Apr 2022 17:11:50 +0200
> -Subject: [PATCH] mbedtls: fix compile when h2-enabled
> -
> -Fixes #8766
> -Reported-by: LigH-de on github
> -Closes #8768
> -
> -Downloaded from upstream commit
> -https://github.com/curl/curl/commit/6eb7fb37d901ed1e4ce07cbd628ee11bf02db1f3
> -
> -Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
> ----
> - lib/vtls/mbedtls.c | 4 ++--
> - 1 file changed, 2 insertions(+), 2 deletions(-)
> -
> -diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
> -index 64f57c5d8321..5f9b87e6b75b 100644
> ---- a/lib/vtls/mbedtls.c
> -+++ b/lib/vtls/mbedtls.c
> -@@ -815,8 +815,8 @@ mbed_connect_step2(struct Curl_easy *data, struct connectdata *conn,
> - if(next_protocol) {
> - infof(data, VTLS_INFOF_ALPN_ACCEPTED_1STR, next_protocol);
> - #ifdef USE_HTTP2
> -- if(!strncmp(next_protocol, ALPN_H2, ALPN_H2_LEN) &&
> -- !next_protocol[ALPN_H2_LEN]) {
> -+ if(!strncmp(next_protocol, ALPN_H2, ALPN_H2_LENGTH) &&
> -+ !next_protocol[ALPN_H2_LENGTH]) {
> - conn->negnpn = CURL_HTTP_VERSION_2;
> - }
> - else
> diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash
> index 64a1129a90..8672380f09 100644
> --- a/package/libcurl/libcurl.hash
> +++ b/package/libcurl/libcurl.hash
> @@ -1,5 +1,5 @@
> # Locally calculated after checking pgp signature
> -# https://curl.se/download/curl-7.83.0.tar.xz.asc
> +# https://curl.se/download/curl-7.83.1.tar.xz.asc
> # signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2
> -sha256 bbff0e6b5047e773f3c3b084d80546cc1be4e354c09e419c2d0ef6116253511a curl-7.83.0.tar.xz
> +sha256 2cb9c2356e7263a1272fd1435ef7cdebf2cd21400ec287b068396deb705c22c4 curl-7.83.1.tar.xz
> sha256 321b1a09ebc30410f2e837c072e5521cf7095b757193af4a7dae1086e36ed31a COPYING
> diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
> index ea8529c914..15943f7512 100644
> --- a/package/libcurl/libcurl.mk
> +++ b/package/libcurl/libcurl.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
> -LIBCURL_VERSION = 7.83.0
> +LIBCURL_VERSION = 7.83.1
> LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz
> LIBCURL_SITE = https://curl.se/download
> LIBCURL_DEPENDENCIES = host-pkgconf \
> --
> 2.30.2
--
Bye, Peter Korsgaard