From: <mingli.yu@windriver.com>
To: <openembedded-core@lists.openembedded.org>
Subject: [kirkstone][PATCH] curl: Upgrade to 7.84.0
Date: Tue, 5 Jul 2022 19:08:46 +0800 [thread overview]
Message-ID: <20220705110846.901820-1-mingli.yu@windriver.com> (raw)
From: Mingli Yu <mingli.yu@windriver.com>
Upgrade to 7.84.0 to fix CVEs [1].
Backport a patch fixing a compile issue where sched.h was not included
on certain platforms.
[1] https://curl.se/changes.html#7_84_0
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
---
...ude-sched.h-if-available-to-fix-buil.patch | 33 ++
.../curl/curl/CVE-2022-22576.patch | 145 ------
.../curl/curl/CVE-2022-27774-1.patch | 45 --
.../curl/curl/CVE-2022-27774-2.patch | 80 ---
.../curl/curl/CVE-2022-27774-3.patch | 83 ----
.../curl/curl/CVE-2022-27774-4.patch | 35 --
.../curl/curl/CVE-2022-27775.patch | 37 --
.../curl/curl/CVE-2022-27776.patch | 115 -----
.../curl/curl/CVE-2022-27779.patch | 42 --
.../curl/curl/CVE-2022-27780.patch | 33 --
.../curl/curl/CVE-2022-27781.patch | 43 --
.../curl/curl/CVE-2022-27782-1.patch | 458 ------------------
.../curl/curl/CVE-2022-27782-2.patch | 71 ---
.../curl/curl/CVE-2022-30115.patch | 82 ----
.../curl/{curl_7.82.0.bb => curl_7.84.0.bb} | 16 +-
15 files changed, 35 insertions(+), 1283 deletions(-)
create mode 100644 meta/recipes-support/curl/curl/0001-easy_lock.h-include-sched.h-if-available-to-fix-buil.patch
delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-22576.patch
delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-1.patch
delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-2.patch
delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-3.patch
delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-4.patch
delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27775.patch
delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27776.patch
delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27779.patch
delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27780.patch
delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27781.patch
delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
delete mode 100644 meta/recipes-support/curl/curl/CVE-2022-30115.patch
rename meta/recipes-support/curl/{curl_7.82.0.bb => curl_7.84.0.bb} (87%)
diff --git a/meta/recipes-support/curl/curl/0001-easy_lock.h-include-sched.h-if-available-to-fix-buil.patch b/meta/recipes-support/curl/curl/0001-easy_lock.h-include-sched.h-if-available-to-fix-buil.patch
new file mode 100644
index 0000000000..771bdb2b96
--- /dev/null
+++ b/meta/recipes-support/curl/curl/0001-easy_lock.h-include-sched.h-if-available-to-fix-buil.patch
@@ -0,0 +1,33 @@
+From e2e7f54b7bea521fa8373095d0f43261a720cda0 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 27 Jun 2022 08:46:21 +0200
+Subject: [PATCH] easy_lock.h: include sched.h if available to fix build
+
+Patched-by: Harry Sintonen
+
+Closes #9054
+
+Upstream-Status: Backport [e2e7f54b7bea521fa8373095d0f43261a720cda0]
+
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/easy_lock.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/easy_lock.h b/lib/easy_lock.h
+index 819f50ce8..1f54289ce 100644
+--- a/lib/easy_lock.h
++++ b/lib/easy_lock.h
+@@ -36,6 +36,9 @@
+
+ #elif defined (HAVE_ATOMIC)
+ #include <stdatomic.h>
++#if defined(HAVE_SCHED_YIELD)
++#include <sched.h>
++#endif
+
+ #define curl_simple_lock atomic_bool
+ #define CURL_SIMPLE_LOCK_INIT false
+--
+2.35.1
+
diff --git a/meta/recipes-support/curl/curl/CVE-2022-22576.patch b/meta/recipes-support/curl/curl/CVE-2022-22576.patch
deleted file mode 100644
index 469cf220ba..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-22576.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From 371264697a70e8ed3da678aefbe20940759485fa Mon Sep 17 00:00:00 2001
-From: Patrick Monnerat <patrick@monnerat.net>
-Date: Mon, 25 Apr 2022 11:44:05 +0200
-Subject: [PATCH] url: check sasl additional parameters for connection reuse.
-
-Also move static function safecmp() as non-static Curl_safecmp() since
-its purpose is needed at several places.
-
-Bug: https://curl.se/docs/CVE-2022-22576.html
-
-CVE-2022-22576
-
-Closes #8746
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/strcase.c | 10 ++++++++++
- lib/strcase.h | 2 ++
- lib/url.c | 13 ++++++++++++-
- lib/urldata.h | 1 +
- lib/vtls/vtls.c | 21 ++++++---------------
- 5 files changed, 31 insertions(+), 16 deletions(-)
-
-diff --git a/lib/strcase.c b/lib/strcase.c
-index dd46ca1..692a3f1 100644
---- a/lib/strcase.c
-+++ b/lib/strcase.c
-@@ -131,6 +131,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n)
- } while(*src++ && --n);
- }
-
-+/* Compare case-sensitive NUL-terminated strings, taking care of possible
-+ * null pointers. Return true if arguments match.
-+ */
-+bool Curl_safecmp(char *a, char *b)
-+{
-+ if(a && b)
-+ return !strcmp(a, b);
-+ return !a && !b;
-+}
-+
- /* --- public functions --- */
-
- int curl_strequal(const char *first, const char *second)
-diff --git a/lib/strcase.h b/lib/strcase.h
-index b628656..382b80a 100644
---- a/lib/strcase.h
-+++ b/lib/strcase.h
-@@ -47,4 +47,6 @@ char Curl_raw_toupper(char in);
- void Curl_strntoupper(char *dest, const char *src, size_t n);
- void Curl_strntolower(char *dest, const char *src, size_t n);
-
-+bool Curl_safecmp(char *a, char *b);
-+
- #endif /* HEADER_CURL_STRCASE_H */
-diff --git a/lib/url.c b/lib/url.c
-index adef2cd..94e3406 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -779,6 +779,7 @@ static void conn_free(struct connectdata *conn)
- Curl_safefree(conn->passwd);
- Curl_safefree(conn->sasl_authzid);
- Curl_safefree(conn->options);
-+ Curl_safefree(conn->oauth_bearer);
- Curl_dyn_free(&conn->trailer);
- Curl_safefree(conn->host.rawalloc); /* host name buffer */
- Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
-@@ -1340,7 +1341,9 @@ ConnectionExists(struct Curl_easy *data,
- /* This protocol requires credentials per connection,
- so verify that we're using the same name and password as well */
- if(strcmp(needle->user, check->user) ||
-- strcmp(needle->passwd, check->passwd)) {
-+ strcmp(needle->passwd, check->passwd) ||
-+ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
-+ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
- /* one of them was different */
- continue;
- }
-@@ -3635,6 +3638,14 @@ static CURLcode create_conn(struct Curl_easy *data,
- }
- }
-
-+ if(data->set.str[STRING_BEARER]) {
-+ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
-+ if(!conn->oauth_bearer) {
-+ result = CURLE_OUT_OF_MEMORY;
-+ goto out;
-+ }
-+ }
-+
- #ifdef USE_UNIX_SOCKETS
- if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
- conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
-diff --git a/lib/urldata.h b/lib/urldata.h
-index cc8a600..03da59a 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -984,6 +984,7 @@ struct connectdata {
- char *passwd; /* password string, allocated */
- char *options; /* options string, allocated */
- char *sasl_authzid; /* authorisation identity string, allocated */
-+ char *oauth_bearer; /* OAUTH2 bearer, allocated */
- unsigned char httpversion; /* the HTTP version*10 reported by the server */
- struct curltime now; /* "current" time */
- struct curltime created; /* creation time */
-diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
-index 03b85ba..a40ac06 100644
---- a/lib/vtls/vtls.c
-+++ b/lib/vtls/vtls.c
-@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
- return !memcmp(first->data, second->data, first->len); /* same data */
- }
-
--static bool safecmp(char *a, char *b)
--{
-- if(a && b)
-- return !strcmp(a, b);
-- else if(!a && !b)
-- return TRUE; /* match */
-- return FALSE; /* no match */
--}
--
-
- bool
- Curl_ssl_config_matches(struct ssl_primary_config *data,
-@@ -147,12 +138,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
- blobcmp(data->cert_blob, needle->cert_blob) &&
- blobcmp(data->ca_info_blob, needle->ca_info_blob) &&
- blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
-- safecmp(data->CApath, needle->CApath) &&
-- safecmp(data->CAfile, needle->CAfile) &&
-- safecmp(data->issuercert, needle->issuercert) &&
-- safecmp(data->clientcert, needle->clientcert) &&
-- safecmp(data->random_file, needle->random_file) &&
-- safecmp(data->egdsocket, needle->egdsocket) &&
-+ Curl_safecmp(data->CApath, needle->CApath) &&
-+ Curl_safecmp(data->CAfile, needle->CAfile) &&
-+ Curl_safecmp(data->issuercert, needle->issuercert) &&
-+ Curl_safecmp(data->clientcert, needle->clientcert) &&
-+ Curl_safecmp(data->random_file, needle->random_file) &&
-+ Curl_safecmp(data->egdsocket, needle->egdsocket) &&
- Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
- Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
- Curl_safe_strcasecompare(data->curves, needle->curves) &&
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch
deleted file mode 100644
index f24003fd79..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From f489d50ca5fd8b6a3a622e2521e2ca52787a6608 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 25 Apr 2022 16:24:33 +0200
-Subject: [PATCH] connect: store "conn_remote_port" in the info struct
-
-To make it available after the connection ended.
-
-Prerequisite for the patches that address CVE-2022-27774.
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/08b8ef4e726ba10f45081ecda5b3cea788d3c839]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/connect.c | 1 +
- lib/urldata.h | 6 +++++-
- 2 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/lib/connect.c b/lib/connect.c
-index 64f9511..7518807 100644
---- a/lib/connect.c
-+++ b/lib/connect.c
-@@ -623,6 +623,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn,
- data->info.conn_scheme = conn->handler->scheme;
- data->info.conn_protocol = conn->handler->protocol;
- data->info.conn_primary_port = conn->port;
-+ data->info.conn_remote_port = conn->remote_port;
- data->info.conn_local_port = local_port;
- }
-
-diff --git a/lib/urldata.h b/lib/urldata.h
-index f92052a..5218f76 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -1160,7 +1160,11 @@ struct PureInfo {
- reused, in the connection cache. */
-
- char conn_primary_ip[MAX_IPADR_LEN];
-- int conn_primary_port;
-+ int conn_primary_port; /* this is the destination port to the connection,
-+ which might have been a proxy */
-+ int conn_remote_port; /* this is the "remote port", which is the port
-+ number of the used URL, independent of proxy or
-+ not */
- char conn_local_ip[MAX_IPADR_LEN];
- int conn_local_port;
- const char *conn_scheme;
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch
deleted file mode 100644
index 9739634dfe..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 50aebd6ea20956513e9b7d7c776830b54d9c8ff6 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 25 Apr 2022 16:24:33 +0200
-Subject: [PATCH] transfer: redirects to other protocols or ports clear auth
-
-... unless explicitly permitted.
-
-Bug: https://curl.se/docs/CVE-2022-27774.html
-Reported-by: Harry Sintonen
-Closes #8748
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
- 1 file changed, 48 insertions(+), 1 deletion(-)
-
-diff --git a/lib/transfer.c b/lib/transfer.c
-index 1f8019b..752fe14 100644
---- a/lib/transfer.c
-+++ b/lib/transfer.c
-@@ -1608,10 +1608,57 @@ CURLcode Curl_follow(struct Curl_easy *data,
- return CURLE_OUT_OF_MEMORY;
- }
- else {
--
- uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0);
- if(uc)
- return Curl_uc_to_curlcode(uc);
-+
-+ /* Clear auth if this redirects to a different port number or protocol,
-+ unless permitted */
-+ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
-+ char *portnum;
-+ int port;
-+ bool clear = FALSE;
-+
-+ if(data->set.use_port && data->state.allow_port)
-+ /* a custom port is used */
-+ port = (int)data->set.use_port;
-+ else {
-+ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
-+ CURLU_DEFAULT_PORT);
-+ if(uc) {
-+ free(newurl);
-+ return Curl_uc_to_curlcode(uc);
-+ }
-+ port = atoi(portnum);
-+ free(portnum);
-+ }
-+ if(port != data->info.conn_remote_port) {
-+ infof(data, "Clear auth, redirects to port from %u to %u",
-+ data->info.conn_remote_port, port);
-+ clear = TRUE;
-+ }
-+ else {
-+ char *scheme;
-+ const struct Curl_handler *p;
-+ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
-+ if(uc) {
-+ free(newurl);
-+ return Curl_uc_to_curlcode(uc);
-+ }
-+
-+ p = Curl_builtin_scheme(scheme);
-+ if(p && (p->protocol != data->info.conn_protocol)) {
-+ infof(data, "Clear auth, redirects scheme from %s to %s",
-+ data->info.conn_scheme, scheme);
-+ clear = TRUE;
-+ }
-+ free(scheme);
-+ }
-+ if(clear) {
-+ Curl_safefree(data->state.aptr.user);
-+ Curl_safefree(data->state.aptr.passwd);
-+ }
-+ }
- }
-
- if(type == FOLLOW_FAKE) {
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch
deleted file mode 100644
index e4e8c294a6..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 8af08ebf94bc6448dbc7da59845f5b78964689d9 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 25 Apr 2022 17:59:15 +0200
-Subject: [PATCH] openssl: don't leak the SRP credentials in redirects either
-
-Follow-up to 620ea21410030
-
-Reported-by: Harry Sintonen
-Closes #8751
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/http.c | 10 +++++-----
- lib/http.h | 6 ++++++
- lib/vtls/openssl.c | 3 ++-
- 3 files changed, 13 insertions(+), 6 deletions(-)
-
-diff --git a/lib/http.c b/lib/http.c
-index 0791dcf..4433824 100644
---- a/lib/http.c
-+++ b/lib/http.c
-@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
- }
-
- /*
-- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
-- * data" can (still) be sent to this host.
-+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
-+ * "sensitive data" can (still) be sent to this host.
- */
--static bool allow_auth_to_host(struct Curl_easy *data)
-+bool Curl_allow_auth_to_host(struct Curl_easy *data)
- {
- struct connectdata *conn = data->conn;
- return (!data->state.this_is_a_follow ||
-@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,
-
- /* To prevent the user+password to get sent to other than the original host
- due to a location-follow */
-- if(allow_auth_to_host(data)
-+ if(Curl_allow_auth_to_host(data)
- #ifndef CURL_DISABLE_NETRC
- || conn->bits.netrc
- #endif
-@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
- checkprefix("Cookie:", compare)) &&
- /* be careful of sending this potentially sensitive header to
- other hosts */
-- !allow_auth_to_host(data))
-+ !Curl_allow_auth_to_host(data))
- ;
- else {
- #ifdef USE_HYPER
-diff --git a/lib/http.h b/lib/http.h
-index 07e963d..9000bae 100644
---- a/lib/http.h
-+++ b/lib/http.h
-@@ -320,4 +320,10 @@ Curl_http_output_auth(struct Curl_easy *data,
- bool proxytunnel); /* TRUE if this is the request setting
- up the proxy tunnel */
-
-+/*
-+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
-+ * "sensitive data" can (still) be sent to this host.
-+ */
-+bool Curl_allow_auth_to_host(struct Curl_easy *data);
-+
- #endif /* HEADER_CURL_HTTP_H */
-diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
-index 616a510..e8633f4 100644
---- a/lib/vtls/openssl.c
-+++ b/lib/vtls/openssl.c
-@@ -2893,7 +2893,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
- #endif
-
- #ifdef USE_OPENSSL_SRP
-- if(ssl_authtype == CURL_TLSAUTH_SRP) {
-+ if((ssl_authtype == CURL_TLSAUTH_SRP) &&
-+ Curl_allow_auth_to_host(data)) {
- char * const ssl_username = SSL_SET_OPTION(username);
-
- infof(data, "Using TLS-SRP username: %s", ssl_username);
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch
deleted file mode 100644
index a642336797..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 56a145d6ca031841610daeebde99fbde0f8fcf21 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Tue, 26 Apr 2022 07:46:19 +0200
-Subject: [PATCH] gnutls: don't leak the SRP credentials in redirects
-
-Follow-up to 620ea21410030 and 139a54ed0a172a
-
-Reported-by: Harry Sintonen
-Closes #8752
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/093531556203decd92d92bccd431edbe5561781c]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/vtls/gtls.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
-index 5749376..fe45b3a 100644
---- a/lib/vtls/gtls.c
-+++ b/lib/vtls/gtls.c
-@@ -437,11 +437,11 @@ gtls_connect_step1(struct Curl_easy *data,
- }
-
- #ifdef HAVE_GNUTLS_SRP
-- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
-+ if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) &&
-+ Curl_allow_auth_to_host(data)) {
- infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
-
-- rc = gnutls_srp_allocate_client_credentials(
-- &backend->srp_client_cred);
-+ rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred);
- if(rc != GNUTLS_E_SUCCESS) {
- failf(data, "gnutls_srp_allocate_client_cred() failed: %s",
- gnutls_strerror(rc));
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27775.patch b/meta/recipes-support/curl/curl/CVE-2022-27775.patch
deleted file mode 100644
index 666a906352..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-27775.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From eef2b165c39245857b1663e9153e7c4b4b519a4c Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 25 Apr 2022 11:48:00 +0200
-Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey
-
-Make connections to two separate IPv6 zone ids create separate
-connections.
-
-Reported-by: Harry Sintonen
-Bug: https://curl.se/docs/CVE-2022-27775.html
-Closes #8747
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/058f98dc3fe595f21dc26a5b9b1699e519ba5705]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/conncache.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/lib/conncache.c b/lib/conncache.c
-index cd5756a..9b9f683 100644
---- a/lib/conncache.c
-+++ b/lib/conncache.c
-@@ -155,8 +155,12 @@ static void hashkey(struct connectdata *conn, char *buf,
- /* report back which name we used */
- *hostp = hostname;
-
-- /* put the number first so that the hostname gets cut off if too long */
-- msnprintf(buf, len, "%ld%s", port, hostname);
-+ /* put the numbers first so that the hostname gets cut off if too long */
-+#ifdef ENABLE_IPV6
-+ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname);
-+#else
-+ msnprintf(buf, len, "%ld/%s", port, hostname);
-+#endif
- Curl_strntolower(buf, buf, len);
- }
-
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27776.patch b/meta/recipes-support/curl/curl/CVE-2022-27776.patch
deleted file mode 100644
index 2feee45200..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-27776.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From f6eba3638f9b25adfe85f3570f9a0fb2ceb09c2b Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 25 Apr 2022 13:05:40 +0200
-Subject: [PATCH] http: avoid auth/cookie on redirects same host diff port
-
-CVE-2022-27776
-
-Reported-by: Harry Sintonen
-Bug: https://curl.se/docs/CVE-2022-27776.html
-Closes #8749
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/http.c | 34 ++++++++++++++++++++++------------
- lib/urldata.h | 16 +++++++++-------
- 2 files changed, 31 insertions(+), 19 deletions(-)
-
-diff --git a/lib/http.c b/lib/http.c
-index 799d4fb..0791dcf 100644
---- a/lib/http.c
-+++ b/lib/http.c
-@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data,
- return CURLE_OK;
- }
-
-+/*
-+ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
-+ * data" can (still) be sent to this host.
-+ */
-+static bool allow_auth_to_host(struct Curl_easy *data)
-+{
-+ struct connectdata *conn = data->conn;
-+ return (!data->state.this_is_a_follow ||
-+ data->set.allow_auth_to_other_hosts ||
-+ (data->state.first_host &&
-+ strcasecompare(data->state.first_host, conn->host.name) &&
-+ (data->state.first_remote_port == conn->remote_port) &&
-+ (data->state.first_remote_protocol == conn->handler->protocol)));
-+}
-+
- /**
- * Curl_http_output_auth() setups the authentication headers for the
- * host/proxy and the correct authentication
-@@ -847,17 +862,14 @@ Curl_http_output_auth(struct Curl_easy *data,
- with it */
- authproxy->done = TRUE;
-
-- /* To prevent the user+password to get sent to other than the original
-- host due to a location-follow, we do some weirdo checks here */
-- if(!data->state.this_is_a_follow ||
-+ /* To prevent the user+password to get sent to other than the original host
-+ due to a location-follow */
-+ if(allow_auth_to_host(data)
- #ifndef CURL_DISABLE_NETRC
-- conn->bits.netrc ||
-+ || conn->bits.netrc
- #endif
-- !data->state.first_host ||
-- data->set.allow_auth_to_other_hosts ||
-- strcasecompare(data->state.first_host, conn->host.name)) {
-+ )
- result = output_auth_headers(data, conn, authhost, request, path, FALSE);
-- }
- else
- authhost->done = TRUE;
-
-@@ -1905,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
- checkprefix("Cookie:", compare)) &&
- /* be careful of sending this potentially sensitive header to
- other hosts */
-- (data->state.this_is_a_follow &&
-- data->state.first_host &&
-- !data->set.allow_auth_to_other_hosts &&
-- !strcasecompare(data->state.first_host, conn->host.name)))
-+ !allow_auth_to_host(data))
- ;
- else {
- #ifdef USE_HYPER
-@@ -2084,6 +2093,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn)
- return CURLE_OUT_OF_MEMORY;
-
- data->state.first_remote_port = conn->remote_port;
-+ data->state.first_remote_protocol = conn->handler->protocol;
- }
- Curl_safefree(data->state.aptr.host);
-
-diff --git a/lib/urldata.h b/lib/urldata.h
-index 03da59a..f92052a 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -1329,14 +1329,16 @@ struct UrlState {
- char *ulbuf; /* allocated upload buffer or NULL */
- curl_off_t current_speed; /* the ProgressShow() function sets this,
- bytes / second */
-- char *first_host; /* host name of the first (not followed) request.
-- if set, this should be the host name that we will
-- sent authorization to, no else. Used to make Location:
-- following not keep sending user+password... This is
-- strdup() data.
-- */
-+
-+ /* host name, port number and protocol of the first (not followed) request.
-+ if set, this should be the host name that we will sent authorization to,
-+ no else. Used to make Location: following not keep sending user+password.
-+ This is strdup()ed data. */
-+ char *first_host;
-+ int first_remote_port;
-+ unsigned int first_remote_protocol;
-+
- int retrycount; /* number of retries on a new connection */
-- int first_remote_port; /* remote port of the first (not followed) request */
- struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
- long sessionage; /* number of the most recent session */
- struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27779.patch b/meta/recipes-support/curl/curl/CVE-2022-27779.patch
deleted file mode 100644
index 235be900a3..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-27779.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 33dac5777fe5f9c8d2d7d340144b1685cd511d11 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 9 May 2022 16:47:06 +0200
-Subject: [PATCH] cookies: make bad_domain() not consider a trailing dot fine
-
-The check for a dot in the domain must not consider a single trailing
-dot to be fine, as then TLD + trailing dot is fine and curl will accept
-setting cookies for it.
-
-CVE-2022-27779
-
-Reported-by: Axel Chong
-Bug: https://curl.se/docs/CVE-2022-27779.html
-Closes #8820
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/7e92d12b4e6911f424678a133b19de670e183a59]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/cookie.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/lib/cookie.c b/lib/cookie.c
-index d418efa..1b8c8f9 100644
---- a/lib/cookie.c
-+++ b/lib/cookie.c
-@@ -427,7 +427,15 @@ static void remove_expired(struct CookieInfo *cookies)
- /* Make sure domain contains a dot or is localhost. */
- static bool bad_domain(const char *domain)
- {
-- return !strchr(domain, '.') && !strcasecompare(domain, "localhost");
-+ if(strcasecompare(domain, "localhost"))
-+ return FALSE;
-+ else {
-+ /* there must be a dot present, but that dot must not be a trailing dot */
-+ char *dot = strchr(domain, '.');
-+ if(dot)
-+ return dot[1] ? FALSE : TRUE;
-+ }
-+ return TRUE;
- }
-
- /*
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27780.patch b/meta/recipes-support/curl/curl/CVE-2022-27780.patch
deleted file mode 100644
index 8820af3f74..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-27780.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 304b7acf73712fa501119b1ca0724f71f3074fe7 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 9 May 2022 08:19:38 +0200
-Subject: [PATCH] urlapi: reject percent-decoding host name into separator
- bytes
-
-CVE-2022-27780
-
-Reported-by: Axel Chong
-Bug: https://curl.se/docs/CVE-2022-27780.html
-Closes #8826
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/914aaab9153764ef8fa4178215b8ad89d3ac263a]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/urlapi.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/lib/urlapi.c b/lib/urlapi.c
-index ff00ee4..00222fc 100644
---- a/lib/urlapi.c
-+++ b/lib/urlapi.c
-@@ -678,8 +678,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname)
- #endif
- }
- else {
-- /* letters from the second string is not ok */
-- len = strcspn(hostname, " \r\n");
-+ /* letters from the second string are not ok */
-+ len = strcspn(hostname, " \r\n\t/:#?!@");
- if(hlen != len)
- /* hostname with bad content */
- return CURLUE_BAD_HOSTNAME;
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27781.patch b/meta/recipes-support/curl/curl/CVE-2022-27781.patch
deleted file mode 100644
index 52f39a0cc5..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-27781.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 5bb5b2a901db4c6441fc451f21408be2a9463058 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 9 May 2022 10:07:15 +0200
-Subject: [PATCH] nss: return error if seemingly stuck in a cert loop
-
-CVE-2022-27781
-
-Reported-by: Florian Kohnhäuser
-Bug: https://curl.se/docs/CVE-2022-27781.html
-Closes #8822
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/5c7da89d404bf59c8dd82a001119a16d18365917]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/vtls/nss.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
-index 558e3be..52f2060 100644
---- a/lib/vtls/nss.c
-+++ b/lib/vtls/nss.c
-@@ -983,6 +983,9 @@ static void display_cert_info(struct Curl_easy *data,
- PR_Free(common_name);
- }
-
-+/* A number of certs that will never occur in a real server handshake */
-+#define TOO_MANY_CERTS 300
-+
- static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
- {
- CURLcode result = CURLE_OK;
-@@ -1018,6 +1021,11 @@ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
- cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA);
- while(cert2) {
- i++;
-+ if(i >= TOO_MANY_CERTS) {
-+ CERT_DestroyCertificate(cert2);
-+ failf(data, "certificate loop");
-+ return CURLE_SSL_CERTPROBLEM;
-+ }
- if(cert2->isRoot) {
- CERT_DestroyCertificate(cert2);
- break;
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
deleted file mode 100644
index ce2599be81..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
+++ /dev/null
@@ -1,458 +0,0 @@
-From acee9eb38639b35af9047521d71333423657de0d Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 9 May 2022 23:13:53 +0200
-Subject: [PATCH] tls: check more TLS details for connection reuse
-
-CVE-2022-27782
-
-Reported-by: Harry Sintonen
-Bug: https://curl.se/docs/CVE-2022-27782.html
-Closes #8825
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/setopt.c | 29 +++++++++++++++++------------
- lib/url.c | 23 ++++++++++++++++-------
- lib/urldata.h | 13 +++++++------
- lib/vtls/gtls.c | 32 +++++++++++++++++---------------
- lib/vtls/mbedtls.c | 2 +-
- lib/vtls/nss.c | 6 +++---
- lib/vtls/openssl.c | 10 +++++-----
- lib/vtls/vtls.c | 21 +++++++++++++++++++++
- 8 files changed, 87 insertions(+), 49 deletions(-)
-
-diff --git a/lib/setopt.c b/lib/setopt.c
-index 8e1bf12..7aa6fdb 100644
---- a/lib/setopt.c
-+++ b/lib/setopt.c
-@@ -2294,6 +2294,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
-
- case CURLOPT_SSL_OPTIONS:
- arg = va_arg(param, long);
-+ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
- data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
- data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
- data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
-@@ -2307,6 +2308,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- #ifndef CURL_DISABLE_PROXY
- case CURLOPT_PROXY_SSL_OPTIONS:
- arg = va_arg(param, long);
-+ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
- data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
- data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
- data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
-@@ -2745,49 +2747,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- case CURLOPT_TLSAUTH_USERNAME:
- result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
- va_arg(param, char *));
-- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
-- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
-+ if(data->set.str[STRING_TLSAUTH_USERNAME] &&
-+ !data->set.ssl.primary.authtype)
-+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
- break;
- #ifndef CURL_DISABLE_PROXY
- case CURLOPT_PROXY_TLSAUTH_USERNAME:
- result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
- va_arg(param, char *));
- if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
-- !data->set.proxy_ssl.authtype)
-- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
-+ !data->set.proxy_ssl.primary.authtype)
-+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
-+ SRP */
- break;
- #endif
- case CURLOPT_TLSAUTH_PASSWORD:
- result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
- va_arg(param, char *));
-- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
-- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
-+ if(data->set.str[STRING_TLSAUTH_USERNAME] &&
-+ !data->set.ssl.primary.authtype)
-+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
- break;
- #ifndef CURL_DISABLE_PROXY
- case CURLOPT_PROXY_TLSAUTH_PASSWORD:
- result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
- va_arg(param, char *));
- if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
-- !data->set.proxy_ssl.authtype)
-- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
-+ !data->set.proxy_ssl.primary.authtype)
-+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
- break;
- #endif
- case CURLOPT_TLSAUTH_TYPE:
- argptr = va_arg(param, char *);
- if(!argptr ||
- strncasecompare(argptr, "SRP", strlen("SRP")))
-- data->set.ssl.authtype = CURL_TLSAUTH_SRP;
-+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP;
- else
-- data->set.ssl.authtype = CURL_TLSAUTH_NONE;
-+ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
- break;
- #ifndef CURL_DISABLE_PROXY
- case CURLOPT_PROXY_TLSAUTH_TYPE:
- argptr = va_arg(param, char *);
- if(!argptr ||
- strncasecompare(argptr, "SRP", strlen("SRP")))
-- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP;
-+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP;
- else
-- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE;
-+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
- break;
- #endif
- #endif
-diff --git a/lib/url.c b/lib/url.c
-index 94e3406..5ebf5e2 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
- set->ssl.primary.verifypeer = TRUE;
- set->ssl.primary.verifyhost = TRUE;
- #ifdef USE_TLS_SRP
-- set->ssl.authtype = CURL_TLSAUTH_NONE;
-+ set->ssl.primary.authtype = CURL_TLSAUTH_NONE;
- #endif
- set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
- type */
-@@ -1758,11 +1758,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
- conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
- conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
- conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
-+ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options;
-+#ifdef USE_TLS_SRP
-+#endif
- #ifndef CURL_DISABLE_PROXY
- conn->proxy_ssl_config.verifystatus =
- data->set.proxy_ssl.primary.verifystatus;
- conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
- conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
-+ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options;
-+#ifdef USE_TLS_SRP
-+#endif
- #endif
- conn->ip_version = data->set.ipver;
- conn->bits.connect_only = data->set.connect_only;
-@@ -3848,7 +3854,8 @@ static CURLcode create_conn(struct Curl_easy *data,
- data->set.str[STRING_SSL_ISSUERCERT_PROXY];
- data->set.proxy_ssl.primary.issuercert_blob =
- data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
-- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
-+ data->set.proxy_ssl.primary.CRLfile =
-+ data->set.str[STRING_SSL_CRLFILE_PROXY];
- data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
- data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
- data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
-@@ -3856,18 +3863,20 @@ static CURLcode create_conn(struct Curl_easy *data,
- data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
- data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
- #endif
-- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
-+ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
- data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
- data->set.ssl.key = data->set.str[STRING_KEY];
- data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
- data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
- data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
- #ifdef USE_TLS_SRP
-- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
-- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
-+ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
-+ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
- #ifndef CURL_DISABLE_PROXY
-- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
-- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
-+ data->set.proxy_ssl.primary.username =
-+ data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
-+ data->set.proxy_ssl.primary.password =
-+ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
- #endif
- #endif
- data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
-diff --git a/lib/urldata.h b/lib/urldata.h
-index 5218f76..e006495 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -253,10 +253,17 @@ struct ssl_primary_config {
- char *cipher_list; /* list of ciphers to use */
- char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
- char *pinned_key;
-+ char *CRLfile; /* CRL to check certificate revocation */
- struct curl_blob *cert_blob;
- struct curl_blob *ca_info_blob;
- struct curl_blob *issuercert_blob;
-+#ifdef USE_TLS_SRP
-+ char *username; /* TLS username (for, e.g., SRP) */
-+ char *password; /* TLS password (for, e.g., SRP) */
-+ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
-+#endif
- char *curves; /* list of curves to use */
-+ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */
- BIT(verifypeer); /* set TRUE if this is desired */
- BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */
- BIT(verifystatus); /* set TRUE if certificate status must be checked */
-@@ -266,7 +273,6 @@ struct ssl_primary_config {
- struct ssl_config_data {
- struct ssl_primary_config primary;
- long certverifyresult; /* result from the certificate verification */
-- char *CRLfile; /* CRL to check certificate revocation */
- curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
- void *fsslctxp; /* parameter for call back */
- char *cert_type; /* format for certificate (default: PEM)*/
-@@ -274,11 +280,6 @@ struct ssl_config_data {
- struct curl_blob *key_blob;
- char *key_type; /* format for private key (default: PEM) */
- char *key_passwd; /* plain text private key password */
--#ifdef USE_TLS_SRP
-- char *username; /* TLS username (for, e.g., SRP) */
-- char *password; /* TLS password (for, e.g., SRP) */
-- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
--#endif
- BIT(certinfo); /* gather lots of certificate info */
- BIT(falsestart);
- BIT(enable_beast); /* allow this flaw for interoperability's sake*/
-diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
-index fe45b3a..3c31782 100644
---- a/lib/vtls/gtls.c
-+++ b/lib/vtls/gtls.c
-@@ -437,9 +437,10 @@ gtls_connect_step1(struct Curl_easy *data,
- }
-
- #ifdef HAVE_GNUTLS_SRP
-- if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) &&
-+ if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) &&
- Curl_allow_auth_to_host(data)) {
-- infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
-+ infof(data, "Using TLS-SRP username: %s",
-+ SSL_SET_OPTION(primary.username));
-
- rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred);
- if(rc != GNUTLS_E_SUCCESS) {
-@@ -449,8 +450,8 @@ gtls_connect_step1(struct Curl_easy *data,
- }
-
- rc = gnutls_srp_set_client_credentials(backend->srp_client_cred,
-- SSL_SET_OPTION(username),
-- SSL_SET_OPTION(password));
-+ SSL_SET_OPTION(primary.username),
-+ SSL_SET_OPTION(primary.password));
- if(rc != GNUTLS_E_SUCCESS) {
- failf(data, "gnutls_srp_set_client_cred() failed: %s",
- gnutls_strerror(rc));
-@@ -507,19 +508,19 @@ gtls_connect_step1(struct Curl_easy *data,
- }
- #endif
-
-- if(SSL_SET_OPTION(CRLfile)) {
-+ if(SSL_SET_OPTION(primary.CRLfile)) {
- /* set the CRL list file */
- rc = gnutls_certificate_set_x509_crl_file(backend->cred,
-- SSL_SET_OPTION(CRLfile),
-+ SSL_SET_OPTION(primary.CRLfile),
- GNUTLS_X509_FMT_PEM);
- if(rc < 0) {
- failf(data, "error reading crl file %s (%s)",
-- SSL_SET_OPTION(CRLfile), gnutls_strerror(rc));
-+ SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc));
- return CURLE_SSL_CRL_BADFILE;
- }
- else
- infof(data, "found %d CRL in %s",
-- rc, SSL_SET_OPTION(CRLfile));
-+ rc, SSL_SET_OPTION(primary.CRLfile));
- }
-
- /* Initialize TLS session as a client */
-@@ -590,7 +591,7 @@ gtls_connect_step1(struct Curl_easy *data,
- #ifdef HAVE_GNUTLS_SRP
- /* Only add SRP to the cipher list if SRP is requested. Otherwise
- * GnuTLS will disable TLS 1.3 support. */
-- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
-+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
- size_t len = strlen(prioritylist);
-
- char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1);
-@@ -685,7 +686,7 @@ gtls_connect_step1(struct Curl_easy *data,
-
- #ifdef HAVE_GNUTLS_SRP
- /* put the credentials to the current session */
-- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
-+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
- rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
- backend->srp_client_cred);
- if(rc != GNUTLS_E_SUCCESS) {
-@@ -867,8 +868,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
- SSL_CONN_CONFIG(verifyhost) ||
- SSL_CONN_CONFIG(issuercert)) {
- #ifdef HAVE_GNUTLS_SRP
-- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
-- && SSL_SET_OPTION(username) != NULL
-+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
-+ && SSL_SET_OPTION(primary.username)
- && !SSL_CONN_CONFIG(verifypeer)
- && gnutls_cipher_get(session)) {
- /* no peer cert, but auth is ok if we have SRP user and cipher and no
-@@ -926,7 +927,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
- failf(data, "server certificate verification failed. CAfile: %s "
- "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile):
- "none",
-- SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none");
-+ SSL_SET_OPTION(primary.CRLfile) ?
-+ SSL_SET_OPTION(primary.CRLfile) : "none");
- return CURLE_PEER_FAILED_VERIFICATION;
- }
- else
-@@ -1556,8 +1558,8 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn,
- gnutls_certificate_free_credentials(backend->cred);
-
- #ifdef HAVE_GNUTLS_SRP
-- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
-- && SSL_SET_OPTION(username) != NULL)
-+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
-+ && SSL_SET_OPTION(primary.username) != NULL)
- gnutls_srp_free_client_credentials(backend->srp_client_cred);
- #endif
-
-diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
-index b9fd26a..bd4ad8f 100644
---- a/lib/vtls/mbedtls.c
-+++ b/lib/vtls/mbedtls.c
-@@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
- const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
- char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
- const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
-- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
-+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
- const char * const hostname = SSL_HOST_NAME();
- #ifndef CURL_DISABLE_VERBOSE_STRINGS
- const long int port = SSL_HOST_PORT();
-diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
-index 52f2060..959e23e 100644
---- a/lib/vtls/nss.c
-+++ b/lib/vtls/nss.c
-@@ -2035,13 +2035,13 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
- }
- }
-
-- if(SSL_SET_OPTION(CRLfile)) {
-- const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile));
-+ if(SSL_SET_OPTION(primary.CRLfile)) {
-+ const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile));
- if(rv) {
- result = rv;
- goto error;
- }
-- infof(data, " CRLfile: %s", SSL_SET_OPTION(CRLfile));
-+ infof(data, " CRLfile: %s", SSL_SET_OPTION(primary.CRLfile));
- }
-
- if(SSL_SET_OPTION(primary.clientcert)) {
-diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
-index e8633f4..d98bbcb 100644
---- a/lib/vtls/openssl.c
-+++ b/lib/vtls/openssl.c
-@@ -2632,7 +2632,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
- #endif
- const long int ssl_version = SSL_CONN_CONFIG(version);
- #ifdef USE_OPENSSL_SRP
-- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
-+ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
- #endif
- char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
- const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
-@@ -2643,7 +2643,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
- (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile));
- const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
- const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
-- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
-+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
- char error_buffer[256];
- struct ssl_backend_data *backend = connssl->backend;
- bool imported_native_ca = false;
-@@ -2895,15 +2895,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
- #ifdef USE_OPENSSL_SRP
- if((ssl_authtype == CURL_TLSAUTH_SRP) &&
- Curl_allow_auth_to_host(data)) {
-- char * const ssl_username = SSL_SET_OPTION(username);
--
-+ char * const ssl_username = SSL_SET_OPTION(primary.username);
-+ char * const ssl_password = SSL_SET_OPTION(primary.password);
- infof(data, "Using TLS-SRP username: %s", ssl_username);
-
- if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) {
- failf(data, "Unable to set SRP user name");
- return CURLE_BAD_FUNCTION_ARGUMENT;
- }
-- if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) {
-+ if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) {
- failf(data, "failed setting SRP password");
- return CURLE_BAD_FUNCTION_ARGUMENT;
- }
-diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
-index a40ac06..e2d3438 100644
---- a/lib/vtls/vtls.c
-+++ b/lib/vtls/vtls.c
-@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
- {
- if((data->version == needle->version) &&
- (data->version_max == needle->version_max) &&
-+ (data->ssl_options == needle->ssl_options) &&
- (data->verifypeer == needle->verifypeer) &&
- (data->verifyhost == needle->verifyhost) &&
- (data->verifystatus == needle->verifystatus) &&
-@@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
- Curl_safecmp(data->clientcert, needle->clientcert) &&
- Curl_safecmp(data->random_file, needle->random_file) &&
- Curl_safecmp(data->egdsocket, needle->egdsocket) &&
-+#ifdef USE_TLS_SRP
-+ Curl_safecmp(data->username, needle->username) &&
-+ Curl_safecmp(data->password, needle->password) &&
-+ (data->authtype == needle->authtype) &&
-+#endif
- Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
- Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
- Curl_safe_strcasecompare(data->curves, needle->curves) &&
-+ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) &&
- Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
- return TRUE;
-
-@@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
- dest->verifyhost = source->verifyhost;
- dest->verifystatus = source->verifystatus;
- dest->sessionid = source->sessionid;
-+ dest->ssl_options = source->ssl_options;
-+#ifdef USE_TLS_SRP
-+ dest->authtype = source->authtype;
-+#endif
-
- CLONE_BLOB(cert_blob);
- CLONE_BLOB(ca_info_blob);
-@@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
- CLONE_STRING(cipher_list13);
- CLONE_STRING(pinned_key);
- CLONE_STRING(curves);
-+ CLONE_STRING(CRLfile);
-+#ifdef USE_TLS_SRP
-+ CLONE_STRING(username);
-+ CLONE_STRING(password);
-+#endif
-
- return TRUE;
- }
-@@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
- Curl_safefree(sslc->ca_info_blob);
- Curl_safefree(sslc->issuercert_blob);
- Curl_safefree(sslc->curves);
-+ Curl_safefree(sslc->CRLfile);
-+#ifdef USE_TLS_SRP
-+ Curl_safefree(sslc->username);
-+ Curl_safefree(sslc->password);
-+#endif
- }
-
- #ifdef USE_SSL
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
deleted file mode 100644
index 74fa7f85a9..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 782a5e8e5b0271f8cb33eeef6a3819b0149093e0 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 9 May 2022 23:13:53 +0200
-Subject: [PATCH] url: check SSH config match on connection reuse
-
-CVE-2022-27782
-
-Reported-by: Harry Sintonen
-Bug: https://curl.se/docs/CVE-2022-27782.html
-Closes #8825
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/url.c | 11 +++++++++++
- lib/vssh/ssh.h | 6 +++---
- 2 files changed, 14 insertions(+), 3 deletions(-)
-
-diff --git a/lib/url.c b/lib/url.c
-index 5ebf5e2..c713e54 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -1098,6 +1098,12 @@ static void prune_dead_connections(struct Curl_easy *data)
- }
- }
-
-+static bool ssh_config_matches(struct connectdata *one,
-+ struct connectdata *two)
-+{
-+ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
-+ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
-+}
- /*
- * Given one filled in connection struct (named needle), this function should
- * detect if there already is one that has all the significant details
-@@ -1356,6 +1362,11 @@ ConnectionExists(struct Curl_easy *data,
- (data->state.httpwant < CURL_HTTP_VERSION_2_0))
- continue;
-
-+ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
-+ if(!ssh_config_matches(needle, check))
-+ continue;
-+ }
-+
- if((needle->handler->flags&PROTOPT_SSL)
- #ifndef CURL_DISABLE_PROXY
- || !needle->bits.httpproxy || needle->bits.tunnel_proxy
-diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
-index 7972081..30d82e5 100644
---- a/lib/vssh/ssh.h
-+++ b/lib/vssh/ssh.h
-@@ -7,7 +7,7 @@
- * | (__| |_| | _ <| |___
- * \___|\___/|_| \_\_____|
- *
-- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
-+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
- *
- * This software is licensed as described in the file COPYING, which
- * you should have received as part of this distribution. The terms
-@@ -131,8 +131,8 @@ struct ssh_conn {
-
- /* common */
- const char *passphrase; /* pass-phrase to use */
-- char *rsa_pub; /* path name */
-- char *rsa; /* path name */
-+ char *rsa_pub; /* strdup'ed public key file */
-+ char *rsa; /* strdup'ed private key file */
- bool authed; /* the connection has been authenticated fine */
- bool acceptfail; /* used by the SFTP_QUOTE (continue if
- quote command fails) */
diff --git a/meta/recipes-support/curl/curl/CVE-2022-30115.patch b/meta/recipes-support/curl/curl/CVE-2022-30115.patch
deleted file mode 100644
index 96839cf204..0000000000
--- a/meta/recipes-support/curl/curl/CVE-2022-30115.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 8313ef3f507b5bdc54e985cae71aa9df00609d55 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 9 May 2022 08:13:55 +0200
-Subject: [PATCH] hsts: ignore trailing dots when comparing hosts names
-
-CVE-2022-30115
-
-Reported-by: Axel Chong
-Bug: https://curl.se/docs/CVE-2022-30115.html
-Closes #8821
-
-Upstream-Status: Backport [https://github.com/curl/curl/commit/fae6fea209a2d4db1582f608bd8cc8000721733a]
-Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
----
- lib/hsts.c | 30 +++++++++++++++++++++++++-----
- 1 file changed, 25 insertions(+), 5 deletions(-)
-
-diff --git a/lib/hsts.c b/lib/hsts.c
-index 03fcc9e..b9fa6f7 100644
---- a/lib/hsts.c
-+++ b/lib/hsts.c
-@@ -114,16 +114,25 @@ static CURLcode hsts_create(struct hsts *h,
- curl_off_t expires)
- {
- struct stsentry *sts = hsts_entry();
-+ char *duphost;
-+ size_t hlen;
- if(!sts)
- return CURLE_OUT_OF_MEMORY;
-
-- sts->expires = expires;
-- sts->includeSubDomains = subdomains;
-- sts->host = strdup(hostname);
-- if(!sts->host) {
-+ duphost = strdup(hostname);
-+ if(!duphost) {
- free(sts);
- return CURLE_OUT_OF_MEMORY;
- }
-+
-+ hlen = strlen(duphost);
-+ if(duphost[hlen - 1] == '.')
-+ /* strip off trailing any dot */
-+ duphost[--hlen] = 0;
-+
-+ sts->host = duphost;
-+ sts->expires = expires;
-+ sts->includeSubDomains = subdomains;
- Curl_llist_insert_next(&h->list, h->list.tail, sts, &sts->node);
- return CURLE_OK;
- }
-@@ -238,10 +247,21 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
- bool subdomain)
- {
- if(h) {
-+ char buffer[MAX_HSTS_HOSTLEN + 1];
- time_t now = time(NULL);
- size_t hlen = strlen(hostname);
- struct Curl_llist_element *e;
- struct Curl_llist_element *n;
-+
-+ if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
-+ return NULL;
-+ memcpy(buffer, hostname, hlen);
-+ if(hostname[hlen-1] == '.')
-+ /* remove the trailing dot */
-+ --hlen;
-+ buffer[hlen] = 0;
-+ hostname = buffer;
-+
- for(e = h->list.head; e; e = n) {
- struct stsentry *sts = e->ptr;
- n = e->next;
-@@ -440,7 +460,7 @@ static CURLcode hsts_pull(struct Curl_easy *data, struct hsts *h)
- CURLSTScode sc;
- DEBUGASSERT(h);
- do {
-- char buffer[257];
-+ char buffer[MAX_HSTS_HOSTLEN + 1];
- struct curl_hstsentry e;
- e.name = buffer;
- e.namelen = sizeof(buffer)-1;
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.84.0.bb
similarity index 87%
rename from meta/recipes-support/curl/curl_7.82.0.bb
rename to meta/recipes-support/curl/curl_7.84.0.bb
index ba3fd11820..addbaf14b1 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.84.0.bb
@@ -10,21 +10,9 @@ LICENSE = "MIT-open-group"
LIC_FILES_CHKSUM = "file://COPYING;md5=190c514872597083303371684954f238"
SRC_URI = "https://curl.se/download/${BP}.tar.xz \
- file://CVE-2022-22576.patch \
- file://CVE-2022-27775.patch \
- file://CVE-2022-27776.patch \
- file://CVE-2022-27774-1.patch \
- file://CVE-2022-27774-2.patch \
- file://CVE-2022-27774-3.patch \
- file://CVE-2022-27774-4.patch \
- file://CVE-2022-30115.patch \
- file://CVE-2022-27780.patch \
- file://CVE-2022-27781.patch \
- file://CVE-2022-27779.patch \
- file://CVE-2022-27782-1.patch \
- file://CVE-2022-27782-2.patch \
+ file://0001-easy_lock.h-include-sched.h-if-available-to-fix-buil.patch \
"
-SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
+SRC_URI[sha256sum] = "2d118b43f547bfe5bae806d8d47b4e596ea5b25a6c1f080aef49fbcd817c5db8"
# Curl has used many names over the years...
CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
--
2.25.1
next reply other threads:[~2022-07-05 11:09 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-05 11:08 mingli.yu [this message]
2022-07-05 14:49 ` [OE-core] [kirkstone][PATCH] curl: Upgrade to 7.84.0 Steve Sakoman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220705110846.901820-1-mingli.yu@windriver.com \
--to=mingli.yu@windriver.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.