* [ptxdist] [PATCH] libcurl: Version bump. 7.83.0 -> 7.83.1
@ 2022-05-11 7:20 Christian Melki
2022-05-11 10:49 ` Alexander Dahl
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Christian Melki @ 2022-05-11 7:20 UTC (permalink / raw)
To: ptxdist
Usual churn of fixes.
Curl is seeing an accelerated CVE ticketing.
Probably due to a functioning bug bounty program.
https://hackerone.com/curl?type=team
With 30 reports in the last 90 days.
So probably expect more CVEs in the near future.
Changelog: https://curl.se/changes.html
Security: https://curl.se/docs/security.html
Plugs CVEs: CVE-2022-30115, CVE-2022-27782, CVE-2022-27781,
CVE-2022-27780, CVE-2022-27779, CVE-2022-27778
Signed-off-by: Christian Melki <christian.melki@t2data.com>
---
rules/libcurl.make | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/libcurl.make b/rules/libcurl.make
index 3840b2abd..8faa948bf 100644
--- a/rules/libcurl.make
+++ b/rules/libcurl.make
@@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_LIBCURL) += libcurl
#
# Paths and names
#
-LIBCURL_VERSION := 7.83.0
-LIBCURL_MD5 := b7924acdea33dedc3150a044789ed0bb
+LIBCURL_VERSION := 7.83.1
+LIBCURL_MD5 := 08c6d9c25d9cf8d17be28363753e42ca
LIBCURL := curl-$(LIBCURL_VERSION)
LIBCURL_SUFFIX := tar.xz
LIBCURL_URL := https://curl.haxx.se/download/$(LIBCURL).$(LIBCURL_SUFFIX)
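Review bot: the version bump leaves patches/curl-7.83.0/ behind (0001-http-move-Curl_allow_auth_to_host.patch plus its series file), and because ptxdist selects the patch directory by the package name, which `LIBCURL := curl-$(LIBCURL_VERSION)` now turns into curl-7.83.1, that directory silently stops being applied. Confirm that Daniel Stenberg's fix moving Curl_allow_auth_to_host() out of the CURL_DISABLE_HTTP_AUTH block is part of 7.83.1 and delete patches/curl-7.83.0/ in the same commit; a bump that drops a local fix without saying so is exactly how an already-fixed regression creeps back into a build. While at it, take the new LIBCURL_MD5 from the checksum curl publishes for curl-7.83.1.tar.xz rather than from a locally fetched tarball, since a hash computed from the download only proves the download matches itself.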
--
2.34.1
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [ptxdist] [PATCH] libcurl: Version bump. 7.83.0 -> 7.83.1
From: Alexander Dahl @ 2022-05-11 10:49 UTC (permalink / raw)
To: Christian Melki; +Cc: ptxdist
Hi,
On Wed, May 11, 2022 at 09:20:28AM +0200, Christian Melki wrote:
> Usual churn of fixes.
> Curl is seeing an accelerated CVE ticketing.
> Probably due to a functioning bug bounty program.
> https://hackerone.com/curl?type=team
> With 30 reports in the last 90 days.
> So probably expect more CVEs in the near future.
>
> Changelog: https://curl.se/changes.html
> Security: https://curl.se/docs/security.html
>
> Plugs CVEs: CVE-2022-30115, CVE-2022-27782, CVE-2022-27781,
> CVE-2022-27780, CVE-2022-27779, CVE-2022-27778
>
> Signed-off-by: Christian Melki <christian.melki@t2data.com>
Acked-by: Alexander Dahl <ada@thorsis.com>
Greets
Alex
> ---
> rules/libcurl.make | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/rules/libcurl.make b/rules/libcurl.make
> index 3840b2abd..8faa948bf 100644
> --- a/rules/libcurl.make
> +++ b/rules/libcurl.make
> @@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_LIBCURL) += libcurl
> #
> # Paths and names
> #
> -LIBCURL_VERSION := 7.83.0
> -LIBCURL_MD5 := b7924acdea33dedc3150a044789ed0bb
> +LIBCURL_VERSION := 7.83.1
> +LIBCURL_MD5 := 08c6d9c25d9cf8d17be28363753e42ca
> LIBCURL := curl-$(LIBCURL_VERSION)
> LIBCURL_SUFFIX := tar.xz
> LIBCURL_URL := https://curl.haxx.se/download/$(LIBCURL).$(LIBCURL_SUFFIX)
> --
> 2.34.1
>
>
* Re: [ptxdist] [PATCH] libcurl: Version bump. 7.83.0 -> 7.83.1
From: Michael Olbrich @ 2022-05-13 8:35 UTC (permalink / raw)
To: Christian Melki; +Cc: ptxdist
On Wed, May 11, 2022 at 09:20:28AM +0200, Christian Melki wrote:
> Usual churn of fixes.
> Curl is seeing an accelerated CVE ticketing.
> Probably due to a functioning bug bounty program.
> https://hackerone.com/curl?type=team
> With 30 reports in the last 90 days.
> So probably expect more CVEs in the near future.
>
> Changelog: https://curl.se/changes.html
> Security: https://curl.se/docs/security.html
>
> Plugs CVEs: CVE-2022-30115, CVE-2022-27782, CVE-2022-27781,
> CVE-2022-27780, CVE-2022-27779, CVE-2022-27778
The old version has a patch. It's from upstream, but I'm not sure if it got
applied to the bugfix release.
Michael
> Signed-off-by: Christian Melki <christian.melki@t2data.com>
> ---
> rules/libcurl.make | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/rules/libcurl.make b/rules/libcurl.make
> index 3840b2abd..8faa948bf 100644
> --- a/rules/libcurl.make
> +++ b/rules/libcurl.make
> @@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_LIBCURL) += libcurl
> #
> # Paths and names
> #
> -LIBCURL_VERSION := 7.83.0
> -LIBCURL_MD5 := b7924acdea33dedc3150a044789ed0bb
> +LIBCURL_VERSION := 7.83.1
> +LIBCURL_MD5 := 08c6d9c25d9cf8d17be28363753e42ca
> LIBCURL := curl-$(LIBCURL_VERSION)
> LIBCURL_SUFFIX := tar.xz
> LIBCURL_URL := https://curl.haxx.se/download/$(LIBCURL).$(LIBCURL_SUFFIX)
> --
> 2.34.1
>
>
>
--
Pengutronix e.K.                 |                             |
Steuerwalder Str. 21             | http://www.pengutronix.de/  |
31137 Hildesheim, Germany        | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |
* Re: [ptxdist] [PATCH] libcurl: Version bump. 7.83.0 -> 7.83.1
From: Christian Melki @ 2022-05-13 8:42 UTC (permalink / raw)
To: Michael Olbrich; +Cc: ptxdist
My bad.
It needs to be removed. Included in the release.
Daniel added it:
https://github.com/curl/curl/commit/d7b970e46ba29a7e558e21d19f485977ffed6266
/Christian
On 5/13/22 10:35 AM, Michael Olbrich wrote:
> On Wed, May 11, 2022 at 09:20:28AM +0200, Christian Melki wrote:
>> Usual churn of fixes.
>> Curl is seeing an accelerated CVE ticketing.
>> Probably due to a functioning bug bounty program.
>> https://hackerone.com/curl?type=team
>> With 30 reports in the last 90 days.
>> So probably expect more CVEs in the near future.
>>
>> Changelog: https://curl.se/changes.html
>> Security: https://curl.se/docs/security.html
>>
>> Plugs CVEs: CVE-2022-30115, CVE-2022-27782, CVE-2022-27781,
>> CVE-2022-27780, CVE-2022-27779, CVE-2022-27778
>
> The old version has a patch. It's from upstream, but I'm not sure if it got
> applied to the bugfix release.
>
> Michael
>
>> Signed-off-by: Christian Melki <christian.melki@t2data.com>
>> ---
>> rules/libcurl.make | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/rules/libcurl.make b/rules/libcurl.make
>> index 3840b2abd..8faa948bf 100644
>> --- a/rules/libcurl.make
>> +++ b/rules/libcurl.make
>> @@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_LIBCURL) += libcurl
>> #
>> # Paths and names
>> #
>> -LIBCURL_VERSION := 7.83.0
>> -LIBCURL_MD5 := b7924acdea33dedc3150a044789ed0bb
>> +LIBCURL_VERSION := 7.83.1
>> +LIBCURL_MD5 := 08c6d9c25d9cf8d17be28363753e42ca
>> LIBCURL := curl-$(LIBCURL_VERSION)
>> LIBCURL_SUFFIX := tar.xz
>> LIBCURL_URL := https://curl.haxx.se/download/$(LIBCURL).$(LIBCURL_SUFFIX)
>> --
>> 2.34.1
>>
>>
>>
>
* Re: [ptxdist] [PATCH] libcurl: Version bump. 7.83.0 -> 7.83.1
From: Michael Olbrich @ 2022-05-13 12:49 UTC (permalink / raw)
To: Christian Melki; +Cc: ptxdist
On Fri, May 13, 2022 at 10:42:51AM +0200, Christian Melki wrote:
> My bad.
>
> It needs to be removed. Included in the release.
> Daniel added it:
> https://github.com/curl/curl/commit/d7b970e46ba29a7e558e21d19f485977ffed6266
Ok, I'll fix it here.
Michael
> /Christian
>
> On 5/13/22 10:35 AM, Michael Olbrich wrote:
> > On Wed, May 11, 2022 at 09:20:28AM +0200, Christian Melki wrote:
> > > Usual churn of fixes.
> > > Curl is seeing an accelerated CVE ticketing.
> > > Probably due to a functioning bug bounty program.
> > > https://hackerone.com/curl?type=team
> > > With 30 reports in the last 90 days.
> > > So probably expect more CVEs in the near future.
> > >
> > > Changelog: https://curl.se/changes.html
> > > Security: https://curl.se/docs/security.html
> > >
> > > Plugs CVEs: CVE-2022-30115, CVE-2022-27782, CVE-2022-27781,
> > > CVE-2022-27780, CVE-2022-27779, CVE-2022-27778
> >
> > The old version has a patch. It's from upstream, but I'm not sure if it got
> > applied to the bugfix release.
> >
> > Michael
> >
> > > Signed-off-by: Christian Melki <christian.melki@t2data.com>
> > > ---
> > > rules/libcurl.make | 4 ++--
> > > 1 file changed, 2 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/rules/libcurl.make b/rules/libcurl.make
> > > index 3840b2abd..8faa948bf 100644
> > > --- a/rules/libcurl.make
> > > +++ b/rules/libcurl.make
> > > @@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_LIBCURL) += libcurl
> > > #
> > > # Paths and names
> > > #
> > > -LIBCURL_VERSION := 7.83.0
> > > -LIBCURL_MD5 := b7924acdea33dedc3150a044789ed0bb
> > > +LIBCURL_VERSION := 7.83.1
> > > +LIBCURL_MD5 := 08c6d9c25d9cf8d17be28363753e42ca
> > > LIBCURL := curl-$(LIBCURL_VERSION)
> > > LIBCURL_SUFFIX := tar.xz
> > > LIBCURL_URL := https://curl.haxx.se/download/$(LIBCURL).$(LIBCURL_SUFFIX)
> > > --
> > > 2.34.1
> > >
> > >
> > >
> >
>
>
* Re: [ptxdist] [APPLIED] libcurl: Version bump. 7.83.0 -> 7.83.1
From: Michael Olbrich @ 2022-05-25 9:45 UTC (permalink / raw)
To: ptxdist; +Cc: Christian Melki
Thanks, applied as c261fdaa3bc36e02c7c3b94397e8de4764b05165.
Michael
[sent from post-receive hook]
On Wed, 25 May 2022 11:45:15 +0200, Christian Melki <christian.melki@t2data.com> wrote:
> Usual churn of fixes.
> Curl is seeing an accelerated CVE ticketing.
> Probably due to a functioning bug bounty program.
> https://hackerone.com/curl?type=team
> With 30 reports in the last 90 days.
> So probably expect more CVEs in the near future.
>
> Changelog: https://curl.se/changes.html
> Security: https://curl.se/docs/security.html
>
> Plugs CVEs: CVE-2022-30115, CVE-2022-27782, CVE-2022-27781,
> CVE-2022-27780, CVE-2022-27779, CVE-2022-27778
>
> Signed-off-by: Christian Melki <christian.melki@t2data.com>
> Message-Id: <20220511072028.1152041-1-christian.melki@t2data.com>
> [mol: remove obsolete patch]
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>
> diff --git a/patches/curl-7.83.0/0001-http-move-Curl_allow_auth_to_host.patch b/patches/curl-7.83.0/0001-http-move-Curl_allow_auth_to_host.patch
> deleted file mode 100644
> index e94cc87a54d4..000000000000
> --- a/patches/curl-7.83.0/0001-http-move-Curl_allow_auth_to_host.patch
> +++ /dev/null
> @@ -1,61 +0,0 @@
> -From: Daniel Stenberg <daniel@haxx.se>
> -Date: Fri, 29 Apr 2022 22:56:47 +0200
> -Subject: [PATCH] http: move Curl_allow_auth_to_host()
> -
> -It was mistakenly put within the CURL_DISABLE_HTTP_AUTH #ifdef
> -
> -Reported-by: Michael Olbrich
> -Fixes #8772
> -Closes #8775
> ----
> - lib/http.c | 30 +++++++++++++++---------------
> - 1 file changed, 15 insertions(+), 15 deletions(-)
> -
> -diff --git a/lib/http.c b/lib/http.c
> -index 0d5c449bc72a..b215307dcaaa 100644
> ---- a/lib/http.c
> -+++ b/lib/http.c
> -@@ -651,6 +651,21 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data)
> - return result;
> - }
> -
> -+/*
> -+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
> -+ * "sensitive data" can (still) be sent to this host.
> -+ */
> -+bool Curl_allow_auth_to_host(struct Curl_easy *data)
> -+{
> -+ struct connectdata *conn = data->conn;
> -+ return (!data->state.this_is_a_follow ||
> -+ data->set.allow_auth_to_other_hosts ||
> -+ (data->state.first_host &&
> -+ strcasecompare(data->state.first_host, conn->host.name) &&
> -+ (data->state.first_remote_port == conn->remote_port) &&
> -+ (data->state.first_remote_protocol == conn->handler->protocol)));
> -+}
> -+
> - #ifndef CURL_DISABLE_HTTP_AUTH
> - /*
> - * Output the correct authentication header depending on the auth type
> -@@ -775,21 +790,6 @@ output_auth_headers(struct Curl_easy *data,
> - return CURLE_OK;
> - }
> -
> --/*
> -- * Curl_allow_auth_to_host() tells if authentication, cookies or other
> -- * "sensitive data" can (still) be sent to this host.
> -- */
> --bool Curl_allow_auth_to_host(struct Curl_easy *data)
> --{
> -- struct connectdata *conn = data->conn;
> -- return (!data->state.this_is_a_follow ||
> -- data->set.allow_auth_to_other_hosts ||
> -- (data->state.first_host &&
> -- strcasecompare(data->state.first_host, conn->host.name) &&
> -- (data->state.first_remote_port == conn->remote_port) &&
> -- (data->state.first_remote_protocol == conn->handler->protocol)));
> --}
> --
> - /**
> - * Curl_http_output_auth() setups the authentication headers for the
> - * host/proxy and the correct authentication
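Review bot: the "[mol: remove obsolte patch]" trailer should name the upstream commit that makes this patch redundant (d7b970e46ba29a7e558e21d19f485977ffed6266, as given earlier in the thread) and spell it "obsolete", so that anyone reading the commit later can verify the fix is in 7.83.1 without the mailing-list context. The removed patch matters for hardened builds: with Curl_allow_auth_to_host() inside the `#ifndef CURL_DISABLE_HTTP_AUTH` block, a curl built with HTTP auth disabled did not compile the function that decides whether credentials and cookies may still be sent after a redirect to a different host, port or protocol, even though the follow logic depends on it; once 7.83.1 defines it unconditionally, the local copy is no longer needed and deleting it is the right cleanup.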
> diff --git a/patches/curl-7.83.0/series b/patches/curl-7.83.0/series
> deleted file mode 100644
> index 9ccc49f9cceb..000000000000
> --- a/patches/curl-7.83.0/series
> +++ /dev/null
> @@ -1,4 +0,0 @@
> -# generated by git-ptx-patches
> -#tag:base --start-number 1
> -0001-http-move-Curl_allow_auth_to_host.patch
> -# c4e69d4d6fe80949a188daf1e2e80518 - git-ptx-patches magic
> diff --git a/rules/libcurl.make b/rules/libcurl.make
> index 3840b2abd2db..8faa948bf476 100644
> --- a/rules/libcurl.make
> +++ b/rules/libcurl.make
> @@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_LIBCURL) += libcurl
> #
> # Paths and names
> #
> -LIBCURL_VERSION := 7.83.0
> -LIBCURL_MD5 := b7924acdea33dedc3150a044789ed0bb
> +LIBCURL_VERSION := 7.83.1
> +LIBCURL_MD5 := 08c6d9c25d9cf8d17be28363753e42ca
> LIBCURL := curl-$(LIBCURL_VERSION)
> LIBCURL_SUFFIX := tar.xz
> LIBCURL_URL := https://curl.haxx.se/download/$(LIBCURL).$(LIBCURL_SUFFIX)
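Review bot: LIBCURL_URL still fetches from curl.haxx.se while the changelog and security links in the commit message use curl.se; consider switching to https://curl.se/download/$(LIBCURL).$(LIBCURL_SUFFIX) so the tarball is fetched from the host that also publishes the checksum it is verified against, instead of relying on a redirect from the old domain.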