From: Hitendra Prajapati <hprajapati@mvista.com>
To: Steve Sakoman <steve@sakoman.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [kirkstone][PATCH] curl: CVE-2023-27538 fix SSH connection too eager reuse
Date: Tue, 18 Apr 2023 09:52:33 +0530 [thread overview]
Message-ID: <b01b0157-98ec-e84f-8395-d5d6fb05d0ea@mvista.com> (raw)
In-Reply-To: <CAOSpxdYO7-MnXgOCrWqT0OF54=sWGyUbmN-yyNOHHy8b7mF-1g@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 3403 bytes --]
Hi Steve,
It is fine with combined patch as it contains fix for CVE-2023-27538.
Thank you & Regards,
Hitendra
On 17/04/23 22:11, Steve Sakoman wrote:
> There is also a patch submitted today that fixes this CVE as well as
> two others:https://lists.openembedded.org/g/openembedded-core/message/180143
>
> Could you review the above patch and ack if you approve. It would be
> nice to fix all three patches in a single commit if possible.
>
> Thanks!
>
> Steve
>
> On Sun, Apr 16, 2023 at 10:05 PM Hitendra Prajapati
> <hprajapati@mvista.com> wrote:
>> Upstream-Status: Backport fromhttps://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb
>>
>> Signed-off-by: Hitendra Prajapati<hprajapati@mvista.com>
>> ---
>> .../curl/curl/CVE-2023-27538.patch | 31 +++++++++++++++++++
>> meta/recipes-support/curl/curl_7.82.0.bb | 1 +
>> 2 files changed, 32 insertions(+)
>> create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27538.patch
>>
>> diff --git a/meta/recipes-support/curl/curl/CVE-2023-27538.patch b/meta/recipes-support/curl/curl/CVE-2023-27538.patch
>> new file mode 100644
>> index 0000000000..8ef81fb306
>> --- /dev/null
>> +++ b/meta/recipes-support/curl/curl/CVE-2023-27538.patch
>> @@ -0,0 +1,31 @@
>> +From af369db4d3833272b8ed443f7fcc2e757a0872eb Mon Sep 17 00:00:00 2001
>> +From: Daniel Stenberg<daniel@haxx.se>
>> +Date: Fri, 10 Mar 2023 08:22:51 +0100
>> +Subject: [PATCH] url: fix the SSH connection reuse check
>> +
>> +Reported-by: Harry Sintonen
>> +Closes #10735
>> +
>> +CVE: CVE-2023-27538
>> +Upstream-Status: Backport [https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb]
>> +Signed-off-by: Hitendra Prajapati<hprajapati@mvista.com>
>> +---
>> + lib/url.c | 2 +-
>> + 1 file changed, 1 insertion(+), 1 deletion(-)
>> +
>> +diff --git a/lib/url.c b/lib/url.c
>> +index f5e54c7..7dd342a 100644
>> +--- a/lib/url.c
>> ++++ b/lib/url.c
>> +@@ -1353,7 +1353,7 @@ ConnectionExists(struct Curl_easy *data,
>> + (data->state.httpwant < CURL_HTTP_VERSION_2_0))
>> + continue;
>> +
>> +- if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
>> ++ if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) {
>> + if(!ssh_config_matches(needle, check))
>> + continue;
>> + }
>> +--
>> +2.25.1
>> +
>> diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
>> index 4c18afe293..b0a456016d 100644
>> --- a/meta/recipes-support/curl/curl_7.82.0.bb
>> +++ b/meta/recipes-support/curl/curl_7.82.0.bb
>> @@ -42,6 +42,7 @@ SRC_URI ="https://curl.se/download/${BP}.tar.xz \ file://CVE-2023-23916.patch
>> \ file://CVE-2023-27533.patch \ file://CVE-2023-27534.patch \ +
>> file://CVE-2023-27538.patch \ "
>> SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
>>
>> --
>> 2.25.1
>>
>>
>> -=-=-=-=-=-=-=-=-=-=-=-
>> Links: You receive all messages sent to this group.
>> View/Reply Online (#180151):https://lists.openembedded.org/g/openembedded-core/message/180151
>> Mute This Topic:https://lists.openembedded.org/mt/98314707/3620601
>> Group Owner:openembedded-core+owner@lists.openembedded.org
>> Unsubscribe:https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
>> -=-=-=-=-=-=-=-=-=-=-=-
>>
--
Regards,
Hitendra Prajapati
MontaVista Software LLC
[-- Attachment #2: Type: text/html, Size: 5228 bytes --]
prev parent reply other threads:[~2023-04-18 4:22 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-17 8:05 [kirkstone][PATCH] curl: CVE-2023-27538 fix SSH connection too eager reuse Hitendra Prajapati
2023-04-17 16:41 ` [OE-core] " Steve Sakoman
2023-04-18 4:22 ` Hitendra Prajapati [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b01b0157-98ec-e84f-8395-d5d6fb05d0ea@mvista.com \
--to=hprajapati@mvista.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=steve@sakoman.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox