Commit Graph

105 Commits

Author SHA1 Message Date
Peter Korsgaard
87d58cccf1 libcurl: security bump to version 7.61.1
Fixes CVE-2018-14618: NTLM password overflow via integer overflow

For more details, see the advisory:
https://curl.haxx.se/docs/CVE-2018-14618.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-09-06 09:35:21 +02:00
Michaël Burtin
9b733d45f4 libcurl: add nghttp2 optional dependency
The nghttp2 package has recently been added to buildroot. When
enabled, this adds support for HTTP2 to libcurl.

By default, libcurl configure script will enable HTTP2 if the library
is found using pkg-config. Adding this option makes the build
consistent.

Signed-off-by: Michaël Burtin <michael.burtin@netgem.com>
Signed-off-by: Anisse Astier <anisse.astier.ext@netgem.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-07-19 16:59:55 +02:00
Baruch Siach
bf79731153 libcurl: security bump to version 7.61.0
Fixes CVE-2018-0500: curl might overflow a heap based memory buffer when
sending data over SMTP and using a reduced read buffer.

Drop upstream patch.

Add reference to tarball signature key.

Drop CRYPTO_lock seed. Removed from configure script since 7.45.

Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-07-12 22:18:54 +02:00
Peter Korsgaard
8b0fd3cb49 Merge branch 'next'
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-06-02 11:21:20 +02:00
Fabrice Fontaine
624603328a libcurl: fix build with ssh2 and static mbedtls
The ssh2 pkg-config file could contain the following lines when build
with a static version of mbedtls:
   Libs: -L${libdir} -lssh2 /xxx/libmbedcrypto.a
   Libs.private: /xxx/libmbedcrypto.a

This static mbedtls library must be used to correctly detect ssh2
support and this library must be copied in libcurl.pc otherwise
compilation of any application (such as upmpdcli) with libcurl will fail
when trying to find mbedtls functions included in libssh2.

So, replace pkg-config --libs-only-l by pkg-config --libs.

Fixes:
 - http://autobuild.buildroot.net/results/43e24b22a77f616d6198c10435dcc23cc3b9088a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-05-27 23:42:10 +02:00
Fabrice Fontaine
8451acf298 libcurl: replace libidn by libidn2
libidn has been replaced by libidn2 since 7.51.0 (October 2016):
9c91ec7781

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-05-20 16:10:43 +02:00
Baruch Siach
051e2f2d0b libcurl: security bump to version 7.60.0
Drop upstream patch.

This release fixes the security issues listed below.

CVE-2018-1000300: curl might overflow a heap based memory buffer when
closing down an FTP connection with very long server command replies.

  https://curl.haxx.se/docs/adv_2018-82c2.html

CVE-2018-1000301: curl can be tricked into reading data beyond the end
of a heap based buffer used to store downloaded content.

  https://curl.haxx.se/docs/adv_2018-b138.html

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-05-19 13:47:21 +02:00
Adam Duskett
c4b8832cfc libcurl: fix building against libressl
LibreSSL 2.7.x breaks libcurl 7.59.0 with the error:
error: static declaration of ‘OpenSSL_version_num’ follows non-static
declaration

This failure has since been fixed upstream with commit:
7c90c93c0b

Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-05-01 15:17:39 +02:00
Baruch Siach
e7d658e029 libcurl: add brotli optional dependency
The brotli package has recently been added to Buildroot. Add brotli an
an optional dependency to libcurl to make the build consistent.

It turns out that libcurl configure script uses pkg-config to figure
out link libraries only when --with-brotli is explicitly set. So this
also fixes static build failure.

Fixes:
http://autobuild.buildroot.net/results/64b/64bc0dfe284206390ae0680b94c0876863a3c0f3/
http://autobuild.buildroot.net/results/233/23376d8653dea6361e42b0f17b6aaab3c14d99cf/
http://autobuild.buildroot.net/results/b19/b198db4b69e18e6d01ec95aae9c6096c1912dd9c/

Cc: Adrian Perez de Castro <aperez@igalia.com>
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-04-03 00:28:45 +02:00
Baruch Siach
bf3476e5b1 libcurl: security bump to version 7.59.0
CVE-2018-1000120: curl could be fooled into writing a zero byte out of
bounds when curl is told to work on an FTP URL with the setting to only
issue a single CWD command, if the directory part of the URL contains a
"%00" sequence.

https://curl.haxx.se/docs/adv_2018-9cd6.html

CVE-2018-1000121: curl might dereference a near-NULL address when
getting an LDAP URL.

https://curl.haxx.se/docs/adv_2018-97a2.html

CVE-2018-1000122: When asked to transfer an RTSP URL, curl could
calculate a wrong data length to copy from the read buffer.

https://curl.haxx.se/docs/adv_2018-b047.html

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-03-16 10:34:28 +01:00
Eric Le Bihan
736e0fc5d6 libcurl: add host variant
Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-02-05 14:57:48 +01:00
Baruch Siach
e02dd5a492 libcurl: security bump to version 7.58.0
Fixes CVE-2018-1000007: libcurl might leak authentication data to third
parties.

https://curl.haxx.se/docs/adv_2018-b3bf.html

Fixes CVE-2018-1000005: libcurl contains an out bounds read in code handling
HTTP/2 trailers.

https://curl.haxx.se/docs/adv_2018-824a.html

Update license hash due to copyright year change.

[Peter: also add CVE-2018-1000005 reference]
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-01-26 09:11:23 +01:00
Peter Korsgaard
fb2ed96198 libcurl: security bump to version 7.57.0
Fixes the following security issues:

- CVE-2017-8816: NTLM buffer overflow via integer overflow
- CVE-2017-8817: FTP wildcard out of bounds read
- CVE-2017-8818: SSL out of buffer access

For more details, see the changelog:
https://curl.haxx.se/changes.html#7_57_0

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-11-30 10:29:57 +01:00
Peter Korsgaard
62d4dd2999 libcurl: security bump to version 7.56.1
Fixes CVE-2017-1000257 - IMAP FETCH response out of bounds read

https://curl.haxx.se/docs/adv_20171023.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-10-25 09:44:09 +02:00
Peter Korsgaard
9d95b93e5d libcurl: security bump to version 7.56.0
Drop upstreamed patch.

Fixes CVE-2017-1000254 - FTP PWD response parser out of bounds read:

https://curl.haxx.se/docs/adv_20171004.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-10-05 22:40:14 +02:00
Baruch Siach
10e998e7cc libcurl: fix build without threads
When c-ares is not enabled libcurl enables the threaded DNS resolver by
default. Make sure the threaded resolvers is disabled when the toolchain
does not support threads.

Add upstream patch that fixes the configure option for disabling the
threaded resolver.

Fixes:
http://autobuild.buildroot.net/results/39f/39fa63fb2ecb75e4b2521d1ee3dfa357c4e5c594/
http://autobuild.buildroot.net/results/dfd/dfd296086d0d6bed73b92fe2fa4ba5434dddf796/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-09-13 08:22:11 +02:00
Baruch Siach
3f6c10df67 libcurl: bump to version 7.55.1
Drop upstream patch.

Add license hash.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-09-09 22:18:10 +02:00
Thomas Petazzoni
6361a50e3f libcurl: fix build on uncommon architectures
Since the bump to 7.55.0, libcurl fails to build on a number of
uncommon architectures (ARC, OpenRISC, etc.). This is due to upstream
commit 73a2fcea0b4adea6ba342cd7ed1149782c214ae3 ("includes: remove
curl/curlbuild.h and curl/curlrules.h"), which makes libcurl rely on
more architecture-specific related defines in include/curl/system.h.

This commit therefore adds a patch that fixes the 32-bit vs. 64-bit
detection for all architecture, using gcc's __SIZEOF_LONG__
definition. It has been tested successfully with test-pkg on all 47
toolchain configurations.

Fixes:

  http://autobuild.buildroot.net/results/bf26c08cf3267214278674472f931603f69951ae/
  (and many similar issues)

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-08-11 22:06:36 +02:00
Baruch Siach
d88c79090a libcurl: security bump to version 7.55.0
Fixes:

 glob: do not parse after a strtoul() overflow range (CVE-2017-1000101)
 tftp: reject file name lengths that don't fit (CVE-2017-1000100)
 file: output the correct buffer to the user (CVE-2017-1000099)

Switch to .tar.xz to save bandwidth.

Add reference to tarball signature.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2017-08-11 12:42:34 +02:00
Adam Duskett
5dccd7249e package/lib*: fix wrapping of Config.in help text
The check-package script when ran gives warnings on text wrapping
on all of these Config files.  This patch cleans up all warnings
related to the text wrapping for the Config files starting with
lib in the package directory.

The appropriate indentation is: <tab><2 spaces><62 chars>
See http://nightly.buildroot.org/#writing-rules-config-in for more
information.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-07-31 19:10:08 +02:00
Naoki Matsumoto
d80110a635 libcurl: LICENSE value changes to SPDX
The curl license is a MIT/X derivative license, but
has a distinct identifier in SPDX, so use that:

https://spdx.org/licenses/curl.html

[Peter: reword commit message]
Signed-off-by: Naoki Matsumoto <n-matsumoto@melcoinc.co.jp>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-07-02 23:35:46 +02:00
Adam Duskett
c52d50336e libcurl: bump version to 7.54.1
Signed-off-by: Adam Duskett <aduskett@codeblue.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-06-21 22:42:54 +02:00
Vicente Olivert Riera
034e95e51e libcurl: bump version to 7.54.0 (security)
Security fixes:
 - CVE-2017-7468: switch off SSL session id when client cert is used

Full changelog: https://curl.haxx.se/changes.html

Removing 0001-CVE-2017-7407.patch. It's included in this release:
  1890d59905

Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-04-20 23:13:07 +02:00
Baruch Siach
08bf26bb34 libcurl: apply upstream security patch
CVE-2017-7407: --write-out out of buffer read

https://curl.haxx.se/docs/adv_20170403.html

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-04-12 21:14:01 +02:00
Vicente Olivert Riera
07db6fa6e8 libcurl: bump version to 7.53.1
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-03-10 21:52:40 +01:00
Peter Korsgaard
c5f5d9fa4e libcurl: security bump to version 7.53.0
Fixes CVE-2017-2629 - curl SSL_VERIFYSTATUS ignored

>From the advisory (http://www.openwall.com/lists/oss-security/2017/02/21/6):

Curl and libcurl support "OCSP stapling", also known as the TLS Certificate
Status Request extension (using the `CURLOPT_SSL_VERIFYSTATUS` option). When
telling curl to use this feature, it uses that TLS extension to ask for a
fresh proof of the server's certificate's validity. If the server doesn't
support the extension, or fails to provide said proof, curl is expected to
return an error.

Due to a coding mistake, the code that checks for a test success or failure,
ends up always thinking there's valid proof, even when there is none or if the
server doesn't support the TLS extension in question. Contrary to how it used
to function and contrary to how this feature is documented to work.

This could lead to users not detecting when a server's certificate goes
invalid or otherwise be mislead that the server is in a better shape than it
is in reality.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-02-23 21:35:11 +01:00
Judd Meinders
4ac8510e12 libcurl: optional verbose strings config
This patch enables a config to set --enable-verbose during the
configuration of libcurl.  The option is triggered by setting
BR2_PACKAGE_LIBCURL_VERBOSE.

Signed-off-by: Judd Meinders <judd.meinders@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-02-01 22:01:50 +01:00
Peter Korsgaard
72b6bf8f57 libcurl: security bump to 7.52.1
Fixes CVE-2016-9594 - Unitilized random

Libcurl's (new) internal function that returns a good 32bit random value was
implemented poorly and overwrote the pointer instead of writing the value
into the buffer the pointer pointed to.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-12-23 22:29:23 +01:00
Peter Korsgaard
0c5beb6501 libcurl: security bump to 7.52.0
Fixes CVE-2016-9586 - printf floating point buffer overflow

For details, see:
https://curl.haxx.se/docs/adv_20161221A.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-12-21 19:44:44 +01:00
Baruch Siach
f9138514d1 libcurl: move site to https
Saves a redirect.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-11-03 22:31:05 +01:00
Vicente Olivert Riera
afdb102bd5 libcurl: bump version to 7.51.0 (security)
List of fixed CVEs:

CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host

Full ChangeLog:

https://curl.haxx.se/changes.html#7_51_0

Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-11-02 17:25:20 +01:00
Vicente Olivert Riera
28dc7f4adc libcurl: bump version to 7.50.3
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-09-14 21:45:58 +02:00
Vicente Olivert Riera
475387b439 libcurl: bump version to 7.50.2
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-09-07 12:17:28 +02:00
Vicente Olivert Riera
559c3820f8 libcurl: security bump version to 7.50.1
Contains fixes for CVE-2016-5419..5421:
https://curl.haxx.se/docs/vuln-7.50.0.html

[Peter: extend commit message with CVE info]
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-08-03 20:50:39 +02:00
Vicente Olivert Riera
627dc235ff libcurl: bump version to 7.50.0
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-07-21 13:56:15 +02:00
Vicente Olivert Riera
5c913c17b2 libcurl: security bump version to 7.49.1
Fixes CVE-2016-4802, https://curl.haxx.se/docs/adv_20160530.html

Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-05-31 12:59:10 +02:00
Vicente Olivert Riera
4e58fe16b2 libcurl: bump version to 7.49.0
Fixes CVE-2016-3739, https://curl.haxx.se/docs/adv_20160518.html.

Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
[Thomas: add reference to the CVE being fixed, pointed by Gustavo.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-05-23 17:05:24 +02:00
Gustavo Zacarias
98e28b564e libcurl: bump to version 7.48.0
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-03-25 20:54:27 +01:00
Gustavo Zacarias
0af16e3a92 libcurl: enable mbedtls support
Now that we've got an mbedtls package in the tree we can enable the
optional support for it in libcurl.

We also remove the comment about polarssl support needing version
1.3.x. Indeed, polarssl was renamed to mbedtls when bought by ARM,
which was circa the 1.3.x polarssl release. Due to this referring to
polarssl 1.3.x doesn't make a lot of sense, and we'll probably never
package polarssl 1.3.x in Buildroot now that mbedtls replaces it.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Tested-by: Luca Ceresoli <luca@lucaceresoli.net>
[Thomas: slightly improve commit log as suggested by Luca, using
explanations from Gustavo.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-03-08 21:24:53 +01:00
Gustavo Zacarias
ee467ccd63 libcurl: bump to version 7.47.1
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-02-08 21:26:09 +01:00
Bernd Kuhls
4adae5d2ea package/libcurl: security bump version to 7.47.0
Fixes
CVE-2016-0754: remote file name path traversal in curl tool for Windows
CVE-2016-0755: NTLM credentials not-checked for proxy connection re-use

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-01-28 22:29:08 +01:00
Vicente Olivert Riera
b97525bd61 libcurl: bump version to 7.46.0
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-12-02 21:27:30 +01:00
Yann E. MORIN
71b1d39726 package/libcurl: carefully override LD_LIBRARY_PATH
To build libcurl, we need to override LD_LIBRARY and force it to a sane
value, otherwise libcurl is confused when target == host (see a51ce319,
libcurl: fix configure with openssl when target == host).

That is currently OK, since we always set LD_LIBRARY_PATH to a non-empty
value.

However, we're soon to stop setting it at all.

So, if the user has an empty (or no) LD_LIBRARY_PATH in his envirnment,
we'd end up adding the current working directory to LD_LIBRARY_PATH (as
an empty entry in a colon-separated list is most probably interpreted as
meaning the current working directory, which we do know can cause issue,
and which we expressely check against in support/dependencies/dependencies.sh

Fix that by only using an existing LD_LIBRARY_PATH if it is not empty.
Also use a Makefile construct as it is easier to read than a shell one
(we can do that, as all variables from the environment are available as
make variables).

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Peter Korsgaard <jacmet@uclibc.org>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-11-17 10:00:26 +01:00
Ryan Barnett
83cd80d580 libcurl: fix license typo
The license for libcurl is actually 'ISC' not 'ICS'.

Signed-off-by: Ryan Barnett <ryan.barnett@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-10-27 22:50:56 +01:00
Vicente Olivert Riera
7f4b13cc52 libcurl: bump to version 7.45.0
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-10-08 17:06:51 +02:00
Gustavo Zacarias
cf0fb42a42 libcurl: bump to version 7.44.0
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Reviewed-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Tested-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-09-04 11:57:05 +02:00
Vicente Olivert Riera
fc91ffa2f9 libcurl: bump to version 7.43.0
- Bump to version 7.43.0
- Update hash file

Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Acked-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-06-18 22:41:32 +02:00
John Keeping
ff05e241f8 libcurl: use c-ares if available
By default libcurl uses the C library's DNS resolver which is
synchronous, even if an application is using libcurl's non-blocking mode
of operation.

Configure libcurl to use c-ares if it is selected so that it can resolve
addresses asynchronously if required.

[Peter: explicitly disable c-ares support if not enabled]
Signed-off-by: John Keeping <john@keeping.me.uk>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-05-03 19:25:24 +02:00
Gustavo Zacarias
62592bb660 libcurl: security bump to version 7.42.1
Fixes:
CVE-2013-3153 - sensitive HTTP server headers also sent to proxies.

And drop upstream patches.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-04-29 23:27:02 +02:00
Gustavo Zacarias
63b1fa81ec libcurl: disable curldebug
curldebug is a more advanced form of debugging for curl which audits
source code with the checksource.pl tool, and treats warnings as errors.
Normally users won't want/need this so disable it since it leads to
failed builds when debug info is enabled (which is what people normally
want).
When buildroot does --enable-debug curl inherently enables curldebug too.

Solves bug #8041.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-04-23 22:59:05 +02:00