From: Michael Olbrich
To: ptxdist@pengutronix.de
Cc: Christian Melki
Date: Wed, 25 May 2022 11:45:16 +0200
Message-Id: <20220525094516.2845687-1-m.olbrich@pengutronix.de>
In-Reply-To: <20220511072028.1152041-1-christian.melki@t2data.com>
References: <20220511072028.1152041-1-christian.melki@t2data.com>
Subject: Re: [ptxdist] [APPLIED] libcurl: Version bump. 7.83.0 -> 7.83.1

Thanks, applied as c261fdaa3bc36e02c7c3b94397e8de4764b05165.

Michael

[sent from post-receive hook]

On Wed, 25 May 2022 11:45:15 +0200, Christian Melki wrote:
> Usual churn of fixes.
> Curl is seeing an accelerated CVE ticketing.
> Probably due to a functioning bug bounty program.
> https://hackerone.com/curl?type=team
> With 30 reports in the last 90 days.
> So probably expect more CVEs in the near future.
>
> Changelog: https://curl.se/changes.html
> Security: https://curl.se/docs/security.html
>
> Plugs CVEs: CVE-2022-30115, CVE-2022-27782, CVE-2022-27781,
> CVE-2022-27780, CVE-2022-27779, CVE-2022-27778
>
> Signed-off-by: Christian Melki
> Message-Id: <20220511072028.1152041-1-christian.melki@t2data.com>
> [mol: remove obsolete patch]
> Signed-off-by: Michael Olbrich
>
> diff --git a/patches/curl-7.83.0/0001-http-move-Curl_allow_auth_to_host.patch b/patches/curl-7.83.0/0001-http-move-Curl_allow_auth_to_host.patch
> deleted file mode 100644
> index e94cc87a54d4..000000000000
> --- a/patches/curl-7.83.0/0001-http-move-Curl_allow_auth_to_host.patch
> +++ /dev/null
> @@ -1,61 +0,0 @@ > -From: Daniel Stenberg > -Date: Fri, 29 Apr 2022 22:56:47 +0200 > -Subject: [PATCH] http: move Curl_allow_auth_to_host() > - > -It was mistakenly put within the CURL_DISABLE_HTTP_AUTH #ifdef > - > -Reported-by: Michael Olbrich > -Fixes #8772 > -Closes #8775 > ---- > - lib/http.c | 30 +++++++++++++++--------------- > - 1 file changed, 15 insertions(+), 15 deletions(-) > - > -diff --git a/lib/http.c b/lib/http.c > -index 0d5c449bc72a..b215307dcaaa 100644 > ---- a/lib/http.c > -+++ b/lib/http.c > -@@ -651,6 +651,21 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data) > - return result; > - } > - > -+/* > -+ * Curl_allow_auth_to_host() tells if authentication, cookies or other > -+ * "sensitive data" can (still) be sent to this host. > -+ */ > -+bool Curl_allow_auth_to_host(struct Curl_easy *data) > -+{ > -+ struct connectdata *conn = data->conn; > -+ return (!data->state.this_is_a_follow || > -+ data->set.allow_auth_to_other_hosts || > -+ (data->state.first_host && > -+ strcasecompare(data->state.first_host, conn->host.name) && > -+ (data->state.first_remote_port == conn->remote_port) && > -+ (data->state.first_remote_protocol == conn->handler->protocol))); > -+} > -+ > - #ifndef CURL_DISABLE_HTTP_AUTH > - /* > - * Output the correct authentication header depending on the auth type > -@@ -775,21 +790,6 @@ output_auth_headers(struct Curl_easy *data, > - return CURLE_OK; > - } > - > --/* > -- * Curl_allow_auth_to_host() tells if authentication, cookies or other > -- * "sensitive data" can (still) be sent to this host. 
> -- */ > --bool Curl_allow_auth_to_host(struct Curl_easy *data) > --{ > -- struct connectdata *conn = data->conn; > -- return (!data->state.this_is_a_follow || > -- data->set.allow_auth_to_other_hosts || > -- (data->state.first_host && > -- strcasecompare(data->state.first_host, conn->host.name) && > -- (data->state.first_remote_port == conn->remote_port) && > -- (data->state.first_remote_protocol == conn->handler->protocol))); > --} > -- > - /** > - * Curl_http_output_auth() setups the authentication headers for the > - * host/proxy and the correct authentication > diff --git a/patches/curl-7.83.0/series b/patches/curl-7.83.0/series > deleted file mode 100644 > index 9ccc49f9cceb..000000000000 > --- a/patches/curl-7.83.0/series > +++ /dev/null > @@ -1,4 +0,0 @@ > -# generated by git-ptx-patches > -#tag:base --start-number 1 > -0001-http-move-Curl_allow_auth_to_host.patch > -# c4e69d4d6fe80949a188daf1e2e80518 - git-ptx-patches magic > diff --git a/rules/libcurl.make b/rules/libcurl.make > index 3840b2abd2db..8faa948bf476 100644 > --- a/rules/libcurl.make > +++ b/rules/libcurl.make > @@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_LIBCURL) += libcurl > # > # Paths and names > # > -LIBCURL_VERSION := 7.83.0 > -LIBCURL_MD5 := b7924acdea33dedc3150a044789ed0bb > +LIBCURL_VERSION := 7.83.1 > +LIBCURL_MD5 := 08c6d9c25d9cf8d17be28363753e42ca > LIBCURL := curl-$(LIBCURL_VERSION) > LIBCURL_SUFFIX := tar.xz > LIBCURL_URL := https://curl.haxx.se/download/$(LIBCURL).$(LIBCURL_SUFFIX)
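Review bot: the removal of patches/curl-7.83.0/0001-http-move-Curl_allow_auth_to_host.patch is justified only by the "[mol: remove ... patch]" remark, which does not say that 7.83.1 already carries the change. The dropped patch moved Curl_allow_auth_to_host() out of the CURL_DISABLE_HTTP_AUTH #ifdef, and that function decides whether authentication, cookies or other "sensitive data" may still be sent to a host on a followed request. Please state in the commit message that the upstream fix (Closes #8775) is contained in the 7.83.1 tarball and that a configuration with HTTP auth disabled was build-tested after the patch was removed.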
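Review bot: in rules/libcurl.make the new tarball is pinned only through LIBCURL_MD5, and MD5 is not collision resistant, so for a bump whose stated purpose is to plug six CVEs the commit message should say how the new value was checked against what upstream published (for example the release signature). The unchanged LIBCURL_URL context line also still downloads from curl.haxx.se while the commit message itself links curl.se; consider pointing the URL at the current upstream host in the same change.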