From de2961462bbb57985f73dfad18cc7a33d03fc433 Mon Sep 17 00:00:00 2001
From: Peter Korsgaard
Date: Wed, 11 May 2022 12:07:06 +0200
Subject: [PATCH] package/libcurl: security bump to version 7.83.1

Fixes the following security issues:
- CVE-2022-27778: curl removes wrong file on error https://curl.se/docs/CVE-2022-27778.html
- CVE-2022-27779: cookie for trailing dot TLD https://curl.se/docs/CVE-2022-27779.html
- CVE-2022-27780: percent-encoded path separator in URL host https://curl.se/docs/CVE-2022-27780.html
- CVE-2022-27781: CERTINFO never-ending busy-loop https://curl.se/docs/CVE-2022-27781.html
- CVE-2022-27782: TLS and SSH connection too eager reuse https://curl.se/docs/CVE-2022-27782.html
- CVE-2022-30115: HSTS bypass via trailing dot https://curl.se/docs/CVE-2022-30115.html
Drop now upstreamed 0001-mbedtls-fix-compile-when-h2-enabled.patch
Signed-off-by: Peter Korsgaard
---
...-mbedtls-fix-compile-when-h2-enabled.patch | 32 -------------------
package/libcurl/libcurl.hash | 4 +--
package/libcurl/libcurl.mk | 2 +-
3 files changed, 3 insertions(+), 35 deletions(-)
delete mode 100644 package/libcurl/0001-mbedtls-fix-compile-when-h2-enabled.patch
diff --git a/package/libcurl/0001-mbedtls-fix-compile-when-h2-enabled.patch b/package/libcurl/0001-mbedtls-fix-compile-when-h2-enabled.patch
deleted file mode 100644
index 61cbabd84a..0000000000
--- a/package/libcurl/0001-mbedtls-fix-compile-when-h2-enabled.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 6eb7fb37d901ed1e4ce07cbd628ee11bf02db1f3 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Thu, 28 Apr 2022 17:11:50 +0200
-Subject: [PATCH] mbedtls: fix compile when h2-enabled
-
-Fixes #8766
-Reported-by: LigH-de on github
-Closes #8768
-
-Downloaded from upstream commit
-https://github.com/curl/curl/commit/6eb7fb37d901ed1e4ce07cbd628ee11bf02db1f3
-
-Signed-off-by: Bernd Kuhls
----
- lib/vtls/mbedtls.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
-index 64f57c5d8321..5f9b87e6b75b 100644
---- a/lib/vtls/mbedtls.c
-+++ b/lib/vtls/mbedtls.c
-@@ -815,8 +815,8 @@ mbed_connect_step2(struct Curl_easy *data, struct connectdata *conn,
- if(next_protocol) {
- infof(data, VTLS_INFOF_ALPN_ACCEPTED_1STR, next_protocol);
- #ifdef USE_HTTP2
-- if(!strncmp(next_protocol, ALPN_H2, ALPN_H2_LEN) &&
-- !next_protocol[ALPN_H2_LEN]) {
-+ if(!strncmp(next_protocol, ALPN_H2, ALPN_H2_LENGTH) &&
-+ !next_protocol[ALPN_H2_LENGTH]) {
- conn->negnpn = CURL_HTTP_VERSION_2;
- }
- else
diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash
index 64a1129a90..8672380f09 100644
--- a/package/libcurl/libcurl.hash
+++ b/package/libcurl/libcurl.hash
@@ -1,5 +1,5 @@
 # Locally calculated after checking pgp signature
-# https://curl.se/download/curl-7.83.0.tar.xz.asc
+# https://curl.se/download/curl-7.83.1.tar.xz.asc
 # signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2
-sha256 bbff0e6b5047e773f3c3b084d80546cc1be4e354c09e419c2d0ef6116253511a curl-7.83.0.tar.xz
+sha256 2cb9c2356e7263a1272fd1435ef7cdebf2cd21400ec287b068396deb705c22c4 curl-7.83.1.tar.xz
 sha256 321b1a09ebc30410f2e837c072e5521cf7095b757193af4a7dae1086e36ed31a COPYING
diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index ea8529c914..15943f7512 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBCURL_VERSION = 7.83.0
+LIBCURL_VERSION = 7.83.1
 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz
 LIBCURL_SITE = https://curl.se/download
 LIBCURL_DEPENDENCIES = host-pkgconf \