From: Michael Olbrich <m.olbrich@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Christian Melki <christian.melki@t2data.com>
Subject: Re: [ptxdist] [APPLIED] libcurl: Version bump. 7.83.0 -> 7.83.1
Date: Wed, 25 May 2022 11:45:16 +0200 [thread overview]
Message-ID: <20220525094516.2845687-1-m.olbrich@pengutronix.de> (raw)
In-Reply-To: <20220511072028.1152041-1-christian.melki@t2data.com>
Thanks, applied as c261fdaa3bc36e02c7c3b94397e8de4764b05165.
Michael
[sent from post-receive hook]
On Wed, 25 May 2022 11:45:15 +0200, Christian Melki <christian.melki@t2data.com> wrote:
> Usual churn of fixes.
> Curl is seeing an accelerated CVE ticketing.
> Probably due to a functioning bug bounty program.
> https://hackerone.com/curl?type=team
> With 30 reports in the last 90 days.
> So probably expect more CVEs in the near future.
>
> Changelog: https://curl.se/changes.html
> Security: https://curl.se/docs/security.html
>
> Plugs CVEs: CVE-2022-30115, CVE-2022-27782, CVE-2022-27781,
> CVE-2022-27780, CVE-2022-27779, CVE-2022-27778
>
> Signed-off-by: Christian Melki <christian.melki@t2data.com>
> Message-Id: <20220511072028.1152041-1-christian.melki@t2data.com>
> [mol: remove obsolte patch]
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>
> diff --git a/patches/curl-7.83.0/0001-http-move-Curl_allow_auth_to_host.patch b/patches/curl-7.83.0/0001-http-move-Curl_allow_auth_to_host.patch
> deleted file mode 100644
> index e94cc87a54d4..000000000000
> --- a/patches/curl-7.83.0/0001-http-move-Curl_allow_auth_to_host.patch
> +++ /dev/null
> @@ -1,61 +0,0 @@
> -From: Daniel Stenberg <daniel@haxx.se>
> -Date: Fri, 29 Apr 2022 22:56:47 +0200
> -Subject: [PATCH] http: move Curl_allow_auth_to_host()
> -
> -It was mistakenly put within the CURL_DISABLE_HTTP_AUTH #ifdef
> -
> -Reported-by: Michael Olbrich
> -Fixes #8772
> -Closes #8775
> ----
> - lib/http.c | 30 +++++++++++++++---------------
> - 1 file changed, 15 insertions(+), 15 deletions(-)
> -
> -diff --git a/lib/http.c b/lib/http.c
> -index 0d5c449bc72a..b215307dcaaa 100644
> ---- a/lib/http.c
> -+++ b/lib/http.c
> -@@ -651,6 +651,21 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data)
> - return result;
> - }
> -
> -+/*
> -+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
> -+ * "sensitive data" can (still) be sent to this host.
> -+ */
> -+bool Curl_allow_auth_to_host(struct Curl_easy *data)
> -+{
> -+ struct connectdata *conn = data->conn;
> -+ return (!data->state.this_is_a_follow ||
> -+ data->set.allow_auth_to_other_hosts ||
> -+ (data->state.first_host &&
> -+ strcasecompare(data->state.first_host, conn->host.name) &&
> -+ (data->state.first_remote_port == conn->remote_port) &&
> -+ (data->state.first_remote_protocol == conn->handler->protocol)));
> -+}
> -+
> - #ifndef CURL_DISABLE_HTTP_AUTH
> - /*
> - * Output the correct authentication header depending on the auth type
> -@@ -775,21 +790,6 @@ output_auth_headers(struct Curl_easy *data,
> - return CURLE_OK;
> - }
> -
> --/*
> -- * Curl_allow_auth_to_host() tells if authentication, cookies or other
> -- * "sensitive data" can (still) be sent to this host.
> -- */
> --bool Curl_allow_auth_to_host(struct Curl_easy *data)
> --{
> -- struct connectdata *conn = data->conn;
> -- return (!data->state.this_is_a_follow ||
> -- data->set.allow_auth_to_other_hosts ||
> -- (data->state.first_host &&
> -- strcasecompare(data->state.first_host, conn->host.name) &&
> -- (data->state.first_remote_port == conn->remote_port) &&
> -- (data->state.first_remote_protocol == conn->handler->protocol)));
> --}
> --
> - /**
> - * Curl_http_output_auth() setups the authentication headers for the
> - * host/proxy and the correct authentication
> diff --git a/patches/curl-7.83.0/series b/patches/curl-7.83.0/series
> deleted file mode 100644
> index 9ccc49f9cceb..000000000000
> --- a/patches/curl-7.83.0/series
> +++ /dev/null
> @@ -1,4 +0,0 @@
> -# generated by git-ptx-patches
> -#tag:base --start-number 1
> -0001-http-move-Curl_allow_auth_to_host.patch
> -# c4e69d4d6fe80949a188daf1e2e80518 - git-ptx-patches magic
> diff --git a/rules/libcurl.make b/rules/libcurl.make
> index 3840b2abd2db..8faa948bf476 100644
> --- a/rules/libcurl.make
> +++ b/rules/libcurl.make
> @@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_LIBCURL) += libcurl
> #
> # Paths and names
> #
> -LIBCURL_VERSION := 7.83.0
> -LIBCURL_MD5 := b7924acdea33dedc3150a044789ed0bb
> +LIBCURL_VERSION := 7.83.1
> +LIBCURL_MD5 := 08c6d9c25d9cf8d17be28363753e42ca
> LIBCURL := curl-$(LIBCURL_VERSION)
> LIBCURL_SUFFIX := tar.xz
> LIBCURL_URL := https://curl.haxx.se/download/$(LIBCURL).$(LIBCURL_SUFFIX)
prev parent reply other threads:[~2022-05-25 9:46 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-11 7:20 [ptxdist] [PATCH] " Christian Melki
2022-05-11 10:49 ` Alexander Dahl
2022-05-13 8:35 ` Michael Olbrich
2022-05-13 8:42 ` Christian Melki
2022-05-13 12:49 ` Michael Olbrich
2022-05-25 9:45 ` Michael Olbrich [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220525094516.2845687-1-m.olbrich@pengutronix.de \
--to=m.olbrich@pengutronix.de \
--cc=christian.melki@t2data.com \
--cc=ptxdist@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox