From: Michael Olbrich
To: ptxdist@pengutronix.de
Cc: Christian Melki
Date: Mon, 9 May 2022 08:28:59 +0200
Message-Id: <20220509062859.3757354-1-m.olbrich@pengutronix.de>
In-Reply-To: <20220427110807.31395-1-christian.melki@t2data.com>
References: <20220427110807.31395-1-christian.melki@t2data.com>
Subject: Re: [ptxdist] [APPLIED] libcurl: Version bump. 7.82.0 -> 7.83.0

Thanks, applied as b6681a786f773132719369d38859350597f1e139.

Michael

[sent from post-receive hook]

On Mon, 09 May 2022 08:28:59 +0200, Christian Melki wrote:
> The usual bunch of bugfixes. Curl is very active, as always.
> https://curl.se/changes.html#7_83_0
> Plugs vulnerabilities: CVE-2022-27776, CVE-2022-27775, CVE-2022-27774 and CVE-2022-22576.
> All still in preliminary state @mitre as of writing.
> For details about curl security, visit the security page:
> https://curl.se/docs/security.html
>
> * Builds without nss per default.
> * Explicitly disable headers-api.
> * Explicitly disable msh3.
> * lber is disabled by not selecting ldap (no change from previous).
>
> Signed-off-by: Christian Melki
> Message-Id: <20220427110807.31395-1-christian.melki@t2data.com>
> [mol: add upstream fix to build host-libcurl]
> Signed-off-by: Michael Olbrich
>
> diff --git a/patches/curl-7.83.0/0001-http-move-Curl_allow_auth_to_host.patch b/patches/curl-7.83.0/0001-http-move-Curl_allow_auth_to_host.patch
> new file mode 100644
> index 000000000000..e94cc87a54d4
> --- /dev/null
> +++ b/patches/curl-7.83.0/0001-http-move-Curl_allow_auth_to_host.patch 
> @@ -0,0 +1,61 @@ > +From: Daniel Stenberg > +Date: Fri, 29 Apr 2022 22:56:47 +0200 > +Subject: [PATCH] http: move Curl_allow_auth_to_host() > + > +It was mistakenly put within the CURL_DISABLE_HTTP_AUTH #ifdef > + > +Reported-by: Michael Olbrich > +Fixes #8772 > +Closes #8775 > +--- > + lib/http.c | 30 +++++++++++++++--------------- > + 1 file changed, 15 insertions(+), 15 deletions(-) > + > +diff --git a/lib/http.c b/lib/http.c > +index 0d5c449bc72a..b215307dcaaa 100644 > +--- a/lib/http.c > ++++ b/lib/http.c > +@@ -651,6 +651,21 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data) > + return result; > + } > + > ++/* > ++ * Curl_allow_auth_to_host() tells if authentication, cookies or other > ++ * "sensitive data" can (still) be sent to this host. > ++ */ > ++bool Curl_allow_auth_to_host(struct Curl_easy *data) > ++{ > ++ struct connectdata *conn = data->conn; > ++ return (!data->state.this_is_a_follow || > ++ data->set.allow_auth_to_other_hosts || > ++ (data->state.first_host && > ++ strcasecompare(data->state.first_host, conn->host.name) && > ++ (data->state.first_remote_port == conn->remote_port) && > ++ (data->state.first_remote_protocol == conn->handler->protocol))); > ++} > ++ > + #ifndef CURL_DISABLE_HTTP_AUTH > + /* > + * Output the correct authentication header depending on the auth type > +@@ -775,21 +790,6 @@ output_auth_headers(struct Curl_easy *data, > + return CURLE_OK; > + } > + > +-/* > +- * Curl_allow_auth_to_host() tells if authentication, cookies or other > +- * "sensitive data" can (still) be sent to this host. 
> +- */ > +-bool Curl_allow_auth_to_host(struct Curl_easy *data) > +-{ > +- struct connectdata *conn = data->conn; > +- return (!data->state.this_is_a_follow || > +- data->set.allow_auth_to_other_hosts || > +- (data->state.first_host && > +- strcasecompare(data->state.first_host, conn->host.name) && > +- (data->state.first_remote_port == conn->remote_port) && > +- (data->state.first_remote_protocol == conn->handler->protocol))); > +-} > +- > + /** > + * Curl_http_output_auth() setups the authentication headers for the > + * host/proxy and the correct authentication > diff --git a/patches/curl-7.83.0/series b/patches/curl-7.83.0/series > new file mode 100644 > index 000000000000..9ccc49f9cceb > --- /dev/null > +++ b/patches/curl-7.83.0/series > @@ -0,0 +1,4 @@ > +# generated by git-ptx-patches > +#tag:base --start-number 1 > +0001-http-move-Curl_allow_auth_to_host.patch > +# c4e69d4d6fe80949a188daf1e2e80518 - git-ptx-patches magic > diff --git a/rules/libcurl.make b/rules/libcurl.make > index 3c99caa47e3e..3840b2abd2db 100644 > --- a/rules/libcurl.make > +++ b/rules/libcurl.make > @@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_LIBCURL) += libcurl > # > # Paths and names > # > -LIBCURL_VERSION := 7.82.0 > -LIBCURL_MD5 := ce05eb61ef7c398feb7dbe23122d0bd9 > +LIBCURL_VERSION := 7.83.0 > +LIBCURL_MD5 := b7924acdea33dedc3150a044789ed0bb > LIBCURL := curl-$(LIBCURL_VERSION) > LIBCURL_SUFFIX := tar.xz > LIBCURL_URL := https://curl.haxx.se/download/$(LIBCURL).$(LIBCURL_SUFFIX) > @@ -45,6 +45,7 @@ LIBCURL_CONF_OPT := \ > --enable-rt \ > --disable-ech \ > --disable-code-coverage \ > + --disable-headers-api \ > $(GLOBAL_LARGE_FILE_OPTION) \ > --$(call ptx/endis, PTXCONF_LIBCURL_HTTP)-http \ > --$(call ptx/endis, PTXCONF_LIBCURL_FTP)-ftp \ > @@ -119,6 +120,7 @@ LIBCURL_CONF_OPT := \ > --without-libidn2 \ > --without-nghttp2 \ > --without-ngtcp2 \ > + --without-msh3 \ > --without-nghttp3 \ > --without-quiche \ > --without-zsh-functions-dir \
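Review bot: the embedded upstream patch in patches/curl-7.83.0/0001-http-move-Curl_allow_auth_to_host.patch records "Fixes #8772" and "Closes #8775" but no upstream commit id, so at the next version bump the file itself does not tell whether the fix is already contained in the release; adding the upstream commit reference (an `Origin:`/`Upstream:` line in the patch header, or the hash in the `[mol: ...]` note) would let the patch be dropped with confidence once a release that includes it is picked up. The move itself is the right shape: per its own comment and body, Curl_allow_auth_to_host() decides whether authentication, cookies and other sensitive data may still be sent after a redirect (it compares first_host, first_remote_port and first_remote_protocol against the current connection), so it has to stay compiled when CURL_DISABLE_HTTP_AUTH is defined rather than being stubbed out. The `[mol: add upstream fix to build host-libcurl]` line implies that host-libcurl is configured with HTTP auth disabled; stating that explicitly in the commit message would explain why the patch is needed for the host build only.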
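Review bot: the LIBCURL_URL context line in the first rules/libcurl.make hunk still fetches from https://curl.haxx.se/download/ while the commit message itself links https://curl.se; since the bump already touches the adjacent LIBCURL_VERSION and LIBCURL_MD5 lines, moving the download base to the same host as the release notes would avoid depending on the older hostname continuing to serve the tarballs. Also, "Builds without nss per default" in the commit message is not reflected by any rules/libcurl.make hunk shown here (they change the version, the MD5, --disable-headers-api and --without-msh3), so it would help to say whether that describes an upstream default or a change in the ptxdist rule.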
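Review bot: the second rules/libcurl.make hunk adds --disable-headers-api with no rationale beyond "Explicitly disable headers-api" in the commit message; a one-line comment above the option saying why it is hard-disabled rather than exposed as a PTXCONF_LIBCURL_* choice like the `--$(call ptx/endis, ...)` lines that follow would spare the next bump from re-evaluating it. The --without-msh3 addition in the third hunk is consistent with the surrounding --without-* block and needs nothing further.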