Re: [Buildroot] [PATCH] package/libcurl: security bump to version 8.5.0

From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Peter Korsgaard <peter@korsgaard.com>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/libcurl: security bump to version 8.5.0
Date: Sat, 9 Dec 2023 21:57:09 +0100	[thread overview]
Message-ID: <ZXTUpaUf7AAB2l3T@landeda> (raw)
In-Reply-To: <20231209200916.250950-1-peter@korsgaard.com>

Peter, All,

On 2023-12-09 21:09 +0100, Peter Korsgaard spake thusly:
> Fixes the following security issues:
> 
> - CVE-2023-46218: cookie mixed case PSL bypass
> 
>   This flaw allows a malicious HTTP server to set "super cookies" in curl
>   that are then passed back to more origins than what is otherwise allowed
>   or possible.  This allows a site to set cookies that then would get sent
>   to different and unrelated sites and domains.
> 
>   https://curl.se/docs/CVE-2023-46218.html
> 
> - CVE-2023-46219: HSTS long file name clears contents
> 
>   When saving HSTS data to an excessively long file name, curl could end up
>   removing all contents, making subsequent requests using that file unaware
>   of the HSTS status they should otherwise use.
> 
>   https://curl.se/docs/CVE-2023-46219.html
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/libcurl/libcurl.hash | 4 ++--
>  package/libcurl/libcurl.mk   | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash
> index ecd5d63909..d5c20d29d3 100644
> --- a/package/libcurl/libcurl.hash
> +++ b/package/libcurl/libcurl.hash
> @@ -1,5 +1,5 @@
>  # Locally calculated after checking pgp signature
> -# https://curl.se/download/curl-8.4.0.tar.xz.asc
> +# https://curl.se/download/curl-8.5.0.tar.xz.asc
>  # signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2
> -sha256  16c62a9c4af0f703d28bda6d7bbf37ba47055ad3414d70dec63e2e6336f2a82d  curl-8.4.0.tar.xz
> +sha256  42ab8db9e20d8290a3b633e7fbb3cec15db34df65fd1015ef8ac1e4723750eeb  curl-8.5.0.tar.xz
>  sha256  b1d7feb949ea5023552029fbe0bf5db4f23c2f85e9b8e51e18536f0ecbf9c524  COPYING
> diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
> index 2c87821a48..3ecc587a52 100644
> --- a/package/libcurl/libcurl.mk
> +++ b/package/libcurl/libcurl.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -LIBCURL_VERSION = 8.4.0
> +LIBCURL_VERSION = 8.5.0
>  LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz
>  LIBCURL_SITE = https://curl.se/download
>  LIBCURL_DEPENDENCIES = host-pkgconf \
> -- 
> 2.39.2
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot