From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id DFACDCE7A8A for ; Sun, 24 Sep 2023 21:32:30 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 7F0B141734; Sun, 24 Sep 2023 21:32:30 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 7F0B141734 X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c3CB_TeeDrTp; Sun, 24 Sep 2023 21:32:29 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by smtp4.osuosl.org (Postfix) with ESMTP id 8E6A441775; Sun, 24 Sep 2023 21:32:28 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 8E6A441775 Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by ash.osuosl.org (Postfix) with ESMTP id 4820D1BF2CC for ; Sun, 24 Sep 2023 21:32:27 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id 2209160E5C for ; Sun, 24 Sep 2023 21:32:27 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 2209160E5C X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DrCcX6OHXRh4 for ; Sun, 24 Sep 2023 21:32:26 +0000 (UTC) Received: from relay8-d.mail.gandi.net (relay8-d.mail.gandi.net [217.70.183.201]) by smtp3.osuosl.org (Postfix) with ESMTPS id D99266080A for ; Sun, 24 Sep 2023 21:32:25 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org D99266080A Received: by mail.gandi.net (Postfix) with ESMTPSA id BD9481BF203; Sun, 24 Sep 2023 21:32:22 +0000 (UTC) Received: from peko by dell.be.48ers.dk with local (Exim 4.94.2) (envelope-from ) id 1qkWiE-001yIy-5M; Sun, 24 Sep 2023 23:32:22 +0200 From: Peter Korsgaard To: Yann E. MORIN References: <20230917124914.2F93D87163@busybox.osuosl.org> Date: Sun, 24 Sep 2023 23:32:22 +0200 In-Reply-To: <20230917124914.2F93D87163@busybox.osuosl.org> (Yann E. MORIN's message of "Sun, 17 Sep 2023 14:41:04 +0200") Message-ID: <87o7hrfeah.fsf@48ers.dk> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 X-GND-Sasl: peter@korsgaard.com Subject: Re: [Buildroot] [git commit] package/libcurl: security bump to version 8.3.0 X-BeenThere: buildroot@buildroot.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: buildroot@buildroot.org Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: buildroot-bounces@buildroot.org Sender: "buildroot" >>>>> "Yann" == Yann E MORIN writes: > commit: > https://git.buildroot.net/buildroot/commit/?id=56b066740608e9ca62ce5739fe1a683f7050b605 > branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master > Fixes the following security issue: > CVE-2023-38039: HTTP headers eat all memory > When curl retrieves an HTTP response, it stores the incoming headers so that > they can be accessed later via the libcurl headers API. > However, curl did not have a limit on the size or quantity of headers it > would accept in a response, allowing a malicious server to stream an endless > series of headers to a client and eventually cause curl to run out of heap > memory. > https://curl.se/docs/CVE-2023-38039.html > Signed-off-by: Peter Korsgaard > Signed-off-by: Yann E. MORIN Committed to 2023.02.x, 2023.05.x and 2023.08.x, thanks. -- Bye, Peter Korsgaard _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot