package/libcurl: security bump to version 7.83.1

Fixes the following security issues: - CVE-2022-27778: curl removes wrong file on error https://curl.se/docs/CVE-2022-27778.html - CVE-2022-27779: cookie for trailing dot TLD https://curl.se/docs/CVE-2022-27779.html - CVE-2022-27780: percent-encoded path separator in URL host https://curl.se/docs/CVE-2022-27780.html - CVE-2022-27781: CERTINFO never-ending busy-loop https://curl.se/docs/CVE-2022-27781.html - CVE-2022-27782: TLS and SSH connection too eager reuse https://curl.se/docs/CVE-2022-27782.html - CVE-2022-30115: HSTS bypass via trailing dot https://curl.se/docs/CVE-2022-30115.html Drop now upstreamed 0001-mbedtls-fix-compile-when-h2-enabled.patch Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2022-05-11 12:07:06 +02:00 · 2022-05-11 12:07:06 +02:00 · de2961462b
commit de2961462b
parent 4c22b1650d
3 changed files with 3 additions and 35 deletions
--- a/package/libcurl/0001-mbedtls-fix-compile-when-h2-enabled.patch
+++ b/package/libcurl/0001-mbedtls-fix-compile-when-h2-enabled.patch
@ -1,32 +0,0 @@
-From 6eb7fb37d901ed1e4ce07cbd628ee11bf02db1f3 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Thu, 28 Apr 2022 17:11:50 +0200
-Subject: [PATCH] mbedtls: fix compile when h2-enabled
-
-Fixes #8766
-Reported-by: LigH-de on github
-Closes #8768
-
-Downloaded from upstream commit
-https://github.com/curl/curl/commit/6eb7fb37d901ed1e4ce07cbd628ee11bf02db1f3
-
-Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
- lib/vtls/mbedtls.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
-index 64f57c5d8321..5f9b87e6b75b 100644
--- a/lib/vtls/mbedtls.c
-+++ b/lib/vtls/mbedtls.c
-@@ -815,8 +815,8 @@ mbed_connect_step2(struct Curl_easy *data, struct connectdata *conn,
-     if(next_protocol) {
-       infof(data, VTLS_INFOF_ALPN_ACCEPTED_1STR, next_protocol);
- #ifdef USE_HTTP2
-      if(!strncmp(next_protocol, ALPN_H2, ALPN_H2_LEN) &&
-         !next_protocol[ALPN_H2_LEN]) {
-+      if(!strncmp(next_protocol, ALPN_H2, ALPN_H2_LENGTH) &&
-+         !next_protocol[ALPN_H2_LENGTH]) {
-         conn->negnpn = CURL_HTTP_VERSION_2;
-       }
-       else
--- a/package/libcurl/libcurl.hash
+++ b/package/libcurl/libcurl.hash
@ -1,5 +1,5 @@
 # Locally calculated after checking pgp signature
-# https://curl.se/download/curl-7.83.0.tar.xz.asc
+# https://curl.se/download/curl-7.83.1.tar.xz.asc
 # signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2
-sha256  bbff0e6b5047e773f3c3b084d80546cc1be4e354c09e419c2d0ef6116253511a  curl-7.83.0.tar.xz
+sha256  2cb9c2356e7263a1272fd1435ef7cdebf2cd21400ec287b068396deb705c22c4  curl-7.83.1.tar.xz
 sha256  321b1a09ebc30410f2e837c072e5521cf7095b757193af4a7dae1086e36ed31a  COPYING
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@ -4,7 +4,7 @@
 #
 ################################################################################

-LIBCURL_VERSION = 7.83.0
+LIBCURL_VERSION = 7.83.1
 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz
 LIBCURL_SITE = https://curl.se/download
 LIBCURL_DEPENDENCIES = host-pkgconf \