From fcd5e110cf286fa9ebd2a38c367a7d85cd25f945 Mon Sep 17 00:00:00 2001 From: Bernd Kuhls Date: Tue, 28 Jun 2022 19:15:56 +0200 Subject: [PATCH] package/libcurl: security bump to version 7.84.0 Fixes the following security issues: - CVE-2022-32205: Set-Cookie denial of service https://curl.se/docs/CVE-2022-32205.html - CVE-2022-32206: HTTP compression denial of service https://curl.se/docs/CVE-2022-32206.html - CVE-2022-32207: Unpreserved file permissions https://curl.se/docs/CVE-2022-32207.html - CVE-2022-32208: FTP-KRB bad message verification https://curl.se/docs/CVE-2022-32208.html Changelog: https://curl.se/changes.html Upstream removed configure option --enable-hidden-symbols: https://github.com/curl/curl/commit/0c2d3118aa2bc040411203d33ab6034067fd9d62 Signed-off-by: Bernd Kuhls [Peter: mark as security bump] Signed-off-by: Peter Korsgaard (cherry picked from commit b034109dd60a429690acf9c5501c6658c53eae13) Signed-off-by: Peter Korsgaard --- package/libcurl/libcurl.hash | 4 ++-- package/libcurl/libcurl.mk | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash
index 8672380f09..672591e470 100644
--- a/package/libcurl/libcurl.hash
+++ b/package/libcurl/libcurl.hash
@@ -1,5 +1,5 @@
 # Locally calculated after checking pgp signature
-# https://curl.se/download/curl-7.83.1.tar.xz.asc
+# https://curl.se/download/curl-7.84.0.tar.xz.asc
 # signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2
-sha256 2cb9c2356e7263a1272fd1435ef7cdebf2cd21400ec287b068396deb705c22c4 curl-7.83.1.tar.xz
+sha256 2d118b43f547bfe5bae806d8d47b4e596ea5b25a6c1f080aef49fbcd817c5db8 curl-7.84.0.tar.xz
 sha256 321b1a09ebc30410f2e837c072e5521cf7095b757193af4a7dae1086e36ed31a COPYING
diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index 11f1e4de59..e241bd1c88 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -4,7 +4,7 @@ # ################################################################################ -LIBCURL_VERSION = 7.83.1 +LIBCURL_VERSION = 7.84.0 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz LIBCURL_SITE = https://curl.se/download LIBCURL_DEPENDENCIES = host-pkgconf \ @@ -23,7 +23,7 @@ LIBCURL_INSTALL_STAGING = YES # Likewise, there is no compiler on the target, so libcurl-option (to # generate C code) isn't very useful LIBCURL_CONF_OPTS = --disable-manual --disable-ntlm-wb \ - --enable-hidden-symbols --with-random=/dev/urandom --disable-curldebug \ + --with-random=/dev/urandom --disable-curldebug \ --disable-libcurl-option --disable-ldap --disable-ldaps ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
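Review bot: With `--enable-hidden-symbols` dropped from `LIBCURL_CONF_OPTS` in the second hunk, nothing on the configure line pins symbol visibility any more, so the build now depends on whatever configure defaults to. curl's configure also has `--enable-symbol-hiding`, which I believe is the spelling that survives the upstream removal; if hiding non-API symbols is still wanted, the changed line could read `--enable-symbol-hiding --with-random=/dev/urandom --disable-curldebug \`. Please confirm against the 7.84.0 configure script, since an unrecognised `--enable-*` option only produces a warning rather than a failure.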