* [kirkstone][PATCH] curl: CVE-2023-27538 fix SSH connection too eager reuse
@ 2023-04-17 8:05 Hitendra Prajapati
2023-04-17 16:41 ` [OE-core] " Steve Sakoman
0 siblings, 1 reply; 3+ messages in thread
From: Hitendra Prajapati @ 2023-04-17 8:05 UTC (permalink / raw)
To: openembedded-core; +Cc: Hitendra Prajapati
Upstream-Status: Backport from https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
.../curl/curl/CVE-2023-27538.patch | 31 +++++++++++++++++++
meta/recipes-support/curl/curl_7.82.0.bb | 1 +
2 files changed, 32 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27538.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27538.patch b/meta/recipes-support/curl/curl/CVE-2023-27538.patch
new file mode 100644
index 0000000000..8ef81fb306
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27538.patch
@@ -0,0 +1,31 @@
+From af369db4d3833272b8ed443f7fcc2e757a0872eb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 10 Mar 2023 08:22:51 +0100
+Subject: [PATCH] url: fix the SSH connection reuse check
+
+Reported-by: Harry Sintonen
+Closes #10735
+
+CVE: CVE-2023-27538
+Upstream-Status: Backport [https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index f5e54c7..7dd342a 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1353,7 +1353,7 @@ ConnectionExists(struct Curl_easy *data,
+ (data->state.httpwant < CURL_HTTP_VERSION_2_0))
+ continue;
+
+- if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
++ if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) {
+ if(!ssh_config_matches(needle, check))
+ continue;
+ }
+--
+2.25.1
+
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 4c18afe293..b0a456016d 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -42,6 +42,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
file://CVE-2023-23916.patch \
file://CVE-2023-27533.patch \
file://CVE-2023-27534.patch \
+ file://CVE-2023-27538.patch \
"
SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [OE-core] [kirkstone][PATCH] curl: CVE-2023-27538 fix SSH connection too eager reuse
2023-04-17 8:05 [kirkstone][PATCH] curl: CVE-2023-27538 fix SSH connection too eager reuse Hitendra Prajapati
@ 2023-04-17 16:41 ` Steve Sakoman
2023-04-18 4:22 ` Hitendra Prajapati
0 siblings, 1 reply; 3+ messages in thread
From: Steve Sakoman @ 2023-04-17 16:41 UTC (permalink / raw)
To: Hitendra Prajapati; +Cc: openembedded-core
There is also a patch submitted today that fixes this CVE as well as
two others: https://lists.openembedded.org/g/openembedded-core/message/180143
Could you review the above patch and ack if you approve. It would be
nice to fix all three patches in a single commit if possible.
Thanks!
Steve
On Sun, Apr 16, 2023 at 10:05 PM Hitendra Prajapati
<hprajapati@mvista.com> wrote:
>
> Upstream-Status: Backport from https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
> .../curl/curl/CVE-2023-27538.patch | 31 +++++++++++++++++++
> meta/recipes-support/curl/curl_7.82.0.bb | 1 +
> 2 files changed, 32 insertions(+)
> create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27538.patch
>
> diff --git a/meta/recipes-support/curl/curl/CVE-2023-27538.patch b/meta/recipes-support/curl/curl/CVE-2023-27538.patch
> new file mode 100644
> index 0000000000..8ef81fb306
> --- /dev/null
> +++ b/meta/recipes-support/curl/curl/CVE-2023-27538.patch
> @@ -0,0 +1,31 @@
> +From af369db4d3833272b8ed443f7fcc2e757a0872eb Mon Sep 17 00:00:00 2001
> +From: Daniel Stenberg <daniel@haxx.se>
> +Date: Fri, 10 Mar 2023 08:22:51 +0100
> +Subject: [PATCH] url: fix the SSH connection reuse check
> +
> +Reported-by: Harry Sintonen
> +Closes #10735
> +
> +CVE: CVE-2023-27538
> +Upstream-Status: Backport [https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb]
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + lib/url.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/lib/url.c b/lib/url.c
> +index f5e54c7..7dd342a 100644
> +--- a/lib/url.c
> ++++ b/lib/url.c
> +@@ -1353,7 +1353,7 @@ ConnectionExists(struct Curl_easy *data,
> + (data->state.httpwant < CURL_HTTP_VERSION_2_0))
> + continue;
> +
> +- if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
> ++ if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) {
> + if(!ssh_config_matches(needle, check))
> + continue;
> + }
> +--
> +2.25.1
> +
> diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
> index 4c18afe293..b0a456016d 100644
> --- a/meta/recipes-support/curl/curl_7.82.0.bb
> +++ b/meta/recipes-support/curl/curl_7.82.0.bb
> @@ -42,6 +42,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
> file://CVE-2023-23916.patch \
> file://CVE-2023-27533.patch \
> file://CVE-2023-27534.patch \
> + file://CVE-2023-27538.patch \
> "
> SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
>
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#180151): https://lists.openembedded.org/g/openembedded-core/message/180151
> Mute This Topic: https://lists.openembedded.org/mt/98314707/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [OE-core] [kirkstone][PATCH] curl: CVE-2023-27538 fix SSH connection too eager reuse
2023-04-17 16:41 ` [OE-core] " Steve Sakoman
@ 2023-04-18 4:22 ` Hitendra Prajapati
0 siblings, 0 replies; 3+ messages in thread
From: Hitendra Prajapati @ 2023-04-18 4:22 UTC (permalink / raw)
To: Steve Sakoman; +Cc: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 3403 bytes --]
Hi Steve,
It is fine with combined patch as it contains fix for CVE-2023-27538.
Thank you & Regards,
Hitendra
On 17/04/23 22:11, Steve Sakoman wrote:
> There is also a patch submitted today that fixes this CVE as well as
> two others:https://lists.openembedded.org/g/openembedded-core/message/180143
>
> Could you review the above patch and ack if you approve. It would be
> nice to fix all three patches in a single commit if possible.
>
> Thanks!
>
> Steve
>
> On Sun, Apr 16, 2023 at 10:05 PM Hitendra Prajapati
> <hprajapati@mvista.com> wrote:
>> Upstream-Status: Backport fromhttps://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb
>>
>> Signed-off-by: Hitendra Prajapati<hprajapati@mvista.com>
>> ---
>> .../curl/curl/CVE-2023-27538.patch | 31 +++++++++++++++++++
>> meta/recipes-support/curl/curl_7.82.0.bb | 1 +
>> 2 files changed, 32 insertions(+)
>> create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27538.patch
>>
>> diff --git a/meta/recipes-support/curl/curl/CVE-2023-27538.patch b/meta/recipes-support/curl/curl/CVE-2023-27538.patch
>> new file mode 100644
>> index 0000000000..8ef81fb306
>> --- /dev/null
>> +++ b/meta/recipes-support/curl/curl/CVE-2023-27538.patch
>> @@ -0,0 +1,31 @@
>> +From af369db4d3833272b8ed443f7fcc2e757a0872eb Mon Sep 17 00:00:00 2001
>> +From: Daniel Stenberg<daniel@haxx.se>
>> +Date: Fri, 10 Mar 2023 08:22:51 +0100
>> +Subject: [PATCH] url: fix the SSH connection reuse check
>> +
>> +Reported-by: Harry Sintonen
>> +Closes #10735
>> +
>> +CVE: CVE-2023-27538
>> +Upstream-Status: Backport [https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb]
>> +Signed-off-by: Hitendra Prajapati<hprajapati@mvista.com>
>> +---
>> + lib/url.c | 2 +-
>> + 1 file changed, 1 insertion(+), 1 deletion(-)
>> +
>> +diff --git a/lib/url.c b/lib/url.c
>> +index f5e54c7..7dd342a 100644
>> +--- a/lib/url.c
>> ++++ b/lib/url.c
>> +@@ -1353,7 +1353,7 @@ ConnectionExists(struct Curl_easy *data,
>> + (data->state.httpwant < CURL_HTTP_VERSION_2_0))
>> + continue;
>> +
>> +- if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
>> ++ if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) {
>> + if(!ssh_config_matches(needle, check))
>> + continue;
>> + }
>> +--
>> +2.25.1
>> +
>> diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
>> index 4c18afe293..b0a456016d 100644
>> --- a/meta/recipes-support/curl/curl_7.82.0.bb
>> +++ b/meta/recipes-support/curl/curl_7.82.0.bb
>> @@ -42,6 +42,7 @@ SRC_URI ="https://curl.se/download/${BP}.tar.xz \ file://CVE-2023-23916.patch
>> \ file://CVE-2023-27533.patch \ file://CVE-2023-27534.patch \ +
>> file://CVE-2023-27538.patch \ "
>> SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
>>
>> --
>> 2.25.1
>>
>>
>> -=-=-=-=-=-=-=-=-=-=-=-
>> Links: You receive all messages sent to this group.
>> View/Reply Online (#180151):https://lists.openembedded.org/g/openembedded-core/message/180151
>> Mute This Topic:https://lists.openembedded.org/mt/98314707/3620601
>> Group Owner:openembedded-core+owner@lists.openembedded.org
>> Unsubscribe:https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
>> -=-=-=-=-=-=-=-=-=-=-=-
>>
--
Regards,
Hitendra Prajapati
MontaVista Software LLC
[-- Attachment #2: Type: text/html, Size: 5228 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-04-18 4:22 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-04-17 8:05 [kirkstone][PATCH] curl: CVE-2023-27538 fix SSH connection too eager reuse Hitendra Prajapati
2023-04-17 16:41 ` [OE-core] " Steve Sakoman
2023-04-18 4:22 ` Hitendra Prajapati
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox