* [PATCH] curl: Upgrade 7.50.1.bb -> curl_7.51.0.bb
@ 2016-11-08 10:41 Sona Sarmadi
2016-11-09 11:58 ` Sona Sarmadi
0 siblings, 1 reply; 3+ messages in thread
From: Sona Sarmadi @ 2016-11-08 10:41 UTC (permalink / raw)
To: openembedded-core
The upgrade addresses following CVEs:
CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host
Reference:
https://curl.haxx.se/docs/security.html
Fixes [Yocto #10617]
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
meta/recipes-support/curl/{curl_7.50.1.bb => curl_7.51.0.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta/recipes-support/curl/{curl_7.50.1.bb => curl_7.51.0.bb} (94%)
diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.51.0.bb
similarity index 94%
rename from meta/recipes-support/curl/curl_7.50.1.bb
rename to meta/recipes-support/curl/curl_7.51.0.bb
index a21419a..e1a996b 100644
--- a/meta/recipes-support/curl/curl_7.50.1.bb
+++ b/meta/recipes-support/curl/curl_7.51.0.bb
@@ -14,8 +14,8 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
#
SRC_URI += " file://configure_ac.patch"
-SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"
-SRC_URI[sha256sum] = "3c12c5f54ccaa1d40abc65d672107dcc75d3e1fcb38c267484334280096e5156"
+SRC_URI[md5sum] = "09a7c5769a7eae676d5e2c86d51f167e"
+SRC_URI[sha256sum] = "7f8240048907e5030f67be0a6129bc4b333783b9cca1391026d700835a788dde"
inherit autotools pkgconfig binconfig multilib_header
--
1.9.1
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH] curl: Upgrade 7.50.1.bb -> curl_7.51.0.bb
2016-11-08 10:41 [PATCH] curl: Upgrade 7.50.1.bb -> curl_7.51.0.bb Sona Sarmadi
@ 2016-11-09 11:58 ` Sona Sarmadi
2016-11-09 15:16 ` akuster808
0 siblings, 1 reply; 3+ messages in thread
From: Sona Sarmadi @ 2016-11-09 11:58 UTC (permalink / raw)
To: Richard Purdie (richard.purdie@linuxfoundation.org),
Armin Kuster (akuster808@gmail.com)
Cc: openembedded-core@lists.openembedded.org
Hi guys,
curl 7.51.0-r0 addresses all these CVEs. I wonder if we can upgrade krogoth and morty to curl 7.51.0-r0 as well? Both package versions are using same share library version i.e. libcurl.so.4.4.0 so I assume full ABI compatibility.
tmp/work/i586-poky-linux/curl/7.47.1-r0/sysroot-destdir/usr/lib/libcurl.so.4.4.0
tmp/work/i586-poky-linux/curl/7.51.0-r0/sysroot-destdir/usr/lib/libcurl.so.4.4.0
For more info see:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=10617
Thanks
//Sona
-----Original Message-----
From: openembedded-core-bounces@lists.openembedded.org [mailto:openembedded-core-bounces@lists.openembedded.org] On Behalf Of Sona Sarmadi
Sent: den 8 november 2016 11:42
To: openembedded-core@lists.openembedded.org
Subject: [OE-core] [PATCH] curl: Upgrade 7.50.1.bb -> curl_7.51.0.bb
The upgrade addresses following CVEs:
CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host
Reference:
https://curl.haxx.se/docs/security.html
Fixes [Yocto #10617]
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
meta/recipes-support/curl/{curl_7.50.1.bb => curl_7.51.0.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-support/curl/{curl_7.50.1.bb => curl_7.51.0.bb} (94%)
diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.51.0.bb
similarity index 94%
rename from meta/recipes-support/curl/curl_7.50.1.bb
rename to meta/recipes-support/curl/curl_7.51.0.bb
index a21419a..e1a996b 100644
--- a/meta/recipes-support/curl/curl_7.50.1.bb
+++ b/meta/recipes-support/curl/curl_7.51.0.bb
@@ -14,8 +14,8 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \ # SRC_URI += " file://configure_ac.patch"
-SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"
-SRC_URI[sha256sum] = "3c12c5f54ccaa1d40abc65d672107dcc75d3e1fcb38c267484334280096e5156"
+SRC_URI[md5sum] = "09a7c5769a7eae676d5e2c86d51f167e"
+SRC_URI[sha256sum] = "7f8240048907e5030f67be0a6129bc4b333783b9cca1391026d700835a788dde"
inherit autotools pkgconfig binconfig multilib_header
--
1.9.1
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH] curl: Upgrade 7.50.1.bb -> curl_7.51.0.bb
2016-11-09 11:58 ` Sona Sarmadi
@ 2016-11-09 15:16 ` akuster808
0 siblings, 0 replies; 3+ messages in thread
From: akuster808 @ 2016-11-09 15:16 UTC (permalink / raw)
To: Sona Sarmadi, Richard Purdie (richard.purdie@linuxfoundation.org)
Cc: openembedded-core@lists.openembedded.org
On 11/09/2016 03:58 AM, Sona Sarmadi wrote:
> Hi guys,
>
> curl 7.51.0-r0 addresses all these CVEs. I wonder if we can upgrade krogoth and morty to curl 7.51.0-r0 as well?
Updating morty seems plausible . I appears the changes are mostly bug fixes.
Krogoth is a large jump and I would not recommend upgrading the package.
- Armin
> Both package versions are using same share library version i.e. libcurl.so.4.4.0 so I assume full ABI compatibility.
>
> tmp/work/i586-poky-linux/curl/7.47.1-r0/sysroot-destdir/usr/lib/libcurl.so.4.4.0
> tmp/work/i586-poky-linux/curl/7.51.0-r0/sysroot-destdir/usr/lib/libcurl.so.4.4.0
>
> For more info see:
> https://bugzilla.yoctoproject.org/show_bug.cgi?id=10617
>
> Thanks
> //Sona
> -----Original Message-----
> From: openembedded-core-bounces@lists.openembedded.org [mailto:openembedded-core-bounces@lists.openembedded.org] On Behalf Of Sona Sarmadi
> Sent: den 8 november 2016 11:42
> To: openembedded-core@lists.openembedded.org
> Subject: [OE-core] [PATCH] curl: Upgrade 7.50.1.bb -> curl_7.51.0.bb
>
> The upgrade addresses following CVEs:
> CVE-2016-8615: cookie injection for other servers
> CVE-2016-8616: case insensitive password comparison
> CVE-2016-8617: OOB write via unchecked multiplication
> CVE-2016-8618: double-free in curl_maprintf
> CVE-2016-8619: double-free in krb5 code
> CVE-2016-8620: glob parser write/read out of bounds
> CVE-2016-8621: curl_getdate read out of bounds
> CVE-2016-8622: URL unescape heap overflow via integer truncation
> CVE-2016-8623: Use-after-free via shared cookies
> CVE-2016-8624: invalid URL parsing with '#'
> CVE-2016-8625: IDNA 2003 makes curl use wrong host
>
> Reference:
> https://curl.haxx.se/docs/security.html
>
> Fixes [Yocto #10617]
>
> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
> ---
> meta/recipes-support/curl/{curl_7.50.1.bb => curl_7.51.0.bb} | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-support/curl/{curl_7.50.1.bb => curl_7.51.0.bb} (94%)
>
> diff --git a/meta/recipes-support/curl/curl_7.50.1.bb b/meta/recipes-support/curl/curl_7.51.0.bb
> similarity index 94%
> rename from meta/recipes-support/curl/curl_7.50.1.bb
> rename to meta/recipes-support/curl/curl_7.51.0.bb
> index a21419a..e1a996b 100644
> --- a/meta/recipes-support/curl/curl_7.50.1.bb
> +++ b/meta/recipes-support/curl/curl_7.51.0.bb
> @@ -14,8 +14,8 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \ # SRC_URI += " file://configure_ac.patch"
>
> -SRC_URI[md5sum] = "015f6a0217ca6f2c5442ca406476920b"
> -SRC_URI[sha256sum] = "3c12c5f54ccaa1d40abc65d672107dcc75d3e1fcb38c267484334280096e5156"
> +SRC_URI[md5sum] = "09a7c5769a7eae676d5e2c86d51f167e"
> +SRC_URI[sha256sum] = "7f8240048907e5030f67be0a6129bc4b333783b9cca1391026d700835a788dde"
>
> inherit autotools pkgconfig binconfig multilib_header
>
> --
> 1.9.1
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-11-09 15:16 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-11-08 10:41 [PATCH] curl: Upgrade 7.50.1.bb -> curl_7.51.0.bb Sona Sarmadi
2016-11-09 11:58 ` Sona Sarmadi
2016-11-09 15:16 ` akuster808
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox