package/libcurl: security bump to version 8.5.0

Fixes the following security issues: - CVE-2023-46218: cookie mixed case PSL bypass This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. https://curl.se/docs/CVE-2023-46218.html - CVE-2023-46219: HSTS long file name clears contents When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use. https://curl.se/docs/CVE-2023-46219.html Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit aaa9438b96) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-12-09 21:09:15 +01:00 · 2023-12-09 21:09:15 +01:00 · ae514155a1
commit ae514155a1
parent 14a8579cd0
2 changed files with 3 additions and 3 deletions
--- a/package/libcurl/libcurl.hash
+++ b/package/libcurl/libcurl.hash
@ -1,5 +1,5 @@
 # Locally calculated after checking pgp signature
-# https://curl.se/download/curl-8.4.0.tar.xz.asc
+# https://curl.se/download/curl-8.5.0.tar.xz.asc
 # signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2
-sha256  16c62a9c4af0f703d28bda6d7bbf37ba47055ad3414d70dec63e2e6336f2a82d  curl-8.4.0.tar.xz
+sha256  42ab8db9e20d8290a3b633e7fbb3cec15db34df65fd1015ef8ac1e4723750eeb  curl-8.5.0.tar.xz
 sha256  b1d7feb949ea5023552029fbe0bf5db4f23c2f85e9b8e51e18536f0ecbf9c524  COPYING
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@ -4,7 +4,7 @@
 #
 ################################################################################

-LIBCURL_VERSION = 8.4.0
+LIBCURL_VERSION = 8.5.0
 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz
 LIBCURL_SITE = https://curl.se/download
 LIBCURL_DEPENDENCIES = host-pkgconf \