All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Maxin B. John" <maxin.john@intel.com>
To: openembedded-core@lists.openembedded.org
Subject: [jethro][PATCH 2/3] curl: security fix for CVE-2016-5420
Date: Mon, 22 Aug 2016 11:39:32 +0300	[thread overview]
Message-ID: <1471855173-19517-2-git-send-email-maxin.john@intel.com> (raw)
In-Reply-To: <1471855173-19517-1-git-send-email-maxin.john@intel.com>

Affected versions: libcurl 7.1 to and including 7.50.0

Signed-off-by: Maxin B. John <maxin.john@intel.com>
---
 meta/recipes-support/curl/curl/CVE-2016-5420.patch | 31 ++++++++++++++++++++++
 meta/recipes-support/curl/curl_7.44.0.bb           |  1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2016-5420.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2016-5420.patch b/meta/recipes-support/curl/curl/CVE-2016-5420.patch
new file mode 100644
index 0000000..6bfacd7
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-5420.patch
@@ -0,0 +1,31 @@
+From 11ec5ad4352bba384404c56e77c7fab9382fd22d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 31 Jul 2016 00:51:48 +0200
+Subject: [PATCH] TLS: only reuse connections with the same client cert
+
+Bug: https://curl.haxx.se/docs/adv_20160803B.html
+
+Upstream-Status: Backport
+https://curl.haxx.se/CVE-2016-5420.patch
+
+CVE: CVE-2016-5420
+Signed-off-by: Maxin B. John <maxin.john@intel.com>
+---
+ lib/vtls/vtls.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 33e209d..3863777 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -99,6 +99,7 @@ Curl_ssl_config_matches(struct ssl_config_data* data,
+      (data->verifyhost == needle->verifyhost) &&
+      safe_strequal(data->CApath, needle->CApath) &&
+      safe_strequal(data->CAfile, needle->CAfile) &&
++     safe_strequal(data->clientcert, needle->clientcert) &&
+      safe_strequal(data->random_file, needle->random_file) &&
+      safe_strequal(data->egdsocket, needle->egdsocket) &&
+      safe_strequal(data->cipher_list, needle->cipher_list))
+-- 
+2.4.0
+
diff --git a/meta/recipes-support/curl/curl_7.44.0.bb b/meta/recipes-support/curl/curl_7.44.0.bb
index dcd63aa..917bd27 100644
--- a/meta/recipes-support/curl/curl_7.44.0.bb
+++ b/meta/recipes-support/curl/curl_7.44.0.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
 # from mucking around with debug options
 #
 SRC_URI += " file://configure_ac.patch \
+             file://CVE-2016-5420.patch \
              file://CVE-2016-5419.patch \
              file://CVE-2016-0754.patch \
              file://CVE-2016-0755.patch"
-- 
2.4.0



  reply	other threads:[~2016-08-22  8:38 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-08-22  8:39 [jethro][PATCH 1/3] curl: security fix for CVE-2016-5419 Maxin B. John
2016-08-22  8:39 ` Maxin B. John [this message]
2016-08-22  8:39 ` [jethro][PATCH 3/3] curl: security fix for CVE-2016-5421 Maxin B. John

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1471855173-19517-2-git-send-email-maxin.john@intel.com \
    --to=maxin.john@intel.com \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.