curl: update 7.78.0 -> 7.79.1

(From OE-Core rev: b4f08791b7652898f398c86db9352b706eeda9e4) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Alexander Kanavin <alex.kanavin@gmail.com> 2021-10-19 17:33:30 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-10-23 17:42:25 +0100
commit: a901b318880035340a63ecb5e9a94d64555571b9 (patch)
tree: 44081795c8465c46ba7f6addb0be927a8a88ec9b /meta/recipes-support/curl
parent: 1f827cbf5eaf4e2e1c48c602e804ff37d35f9f0b (diff)
download: poky-a901b318880035340a63ecb5e9a94d64555571b9.tar.gz
4 files changed, 2 insertions, 726 deletions
diff --git a/meta/recipes-support/curl/curl/cve-2021-22945.patch b/meta/recipes-support/curl/curl/cve-2021-22945.patch
deleted file mode 100644
index 2cbe110332..0000000000
--- a/meta/recipes-support/curl/curl/cve-2021-22945.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-CVE: CVE-2021-22945
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-From 92cb3059dab2f9ef3e6ea614dad5c86917d19807 Mon Sep 17 00:00:00 2001
-From: z2_ on hackerone <>
-Date: Tue, 24 Aug 2021 09:50:33 +0200
-Subject: [PATCH 1/3] mqtt: clear the leftovers pointer when sending succeeds
-CVE-2021-22945
-Bug: https://curl.se/docs/CVE-2021-22945.html
---
- lib/mqtt.c | 4 ++++
- 1 file changed, 4 insertions(+)
-diff --git a/lib/mqtt.c b/lib/mqtt.c
-index f077e6c3d..fcd40b41e 100644
--- a/lib/mqtt.c
-+++ b/lib/mqtt.c
-@@ -128,6 +128,10 @@ static CURLcode mqtt_send(struct Curl_easy *data,
-     mq->sendleftovers = sendleftovers;
-     mq->nsend = nsend;
-   }
-+  else {
-+    mq->sendleftovers = NULL;
-+    mq->nsend = 0;
-+  }
-   return result;
- }
- 
-- 
-2.25.1
diff --git a/meta/recipes-support/curl/curl/cve-2021-22946.patch b/meta/recipes-support/curl/curl/cve-2021-22946.patch
deleted file mode 100644
index 1a4b3e1144..0000000000
--- a/meta/recipes-support/curl/curl/cve-2021-22946.patch
+++ /dev/null
@@ -1,332 +0,0 @@
-CVE: CVE-2021-22946
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-From 089e18aefcee9b5093a96e9e1aa92751dde1f991 Mon Sep 17 00:00:00 2001
-From: Patrick Monnerat <patrick@monnerat.net>
-Date: Wed, 8 Sep 2021 11:56:22 +0200
-Subject: [PATCH 2/3] ftp,imap,pop3: do not ignore --ssl-reqd
-In imap and pop3, check if TLS is required even when capabilities
-request has failed.
-In ftp, ignore preauthentication (230 status of server greeting) if TLS
-is required.
-Bug: https://curl.se/docs/CVE-2021-22946.html
-CVE-2021-22946
---
- lib/ftp.c               |  9 ++++---
- lib/imap.c              | 24 ++++++++----------
- lib/pop3.c              | 33 +++++++++++-------------
- tests/data/Makefile.inc |  2 ++
- tests/data/test984      | 56 +++++++++++++++++++++++++++++++++++++++++
- tests/data/test985      | 54 +++++++++++++++++++++++++++++++++++++++
- tests/data/test986      | 53 ++++++++++++++++++++++++++++++++++++++
- 7 files changed, 195 insertions(+), 36 deletions(-)
- create mode 100644 tests/data/test984
- create mode 100644 tests/data/test985
- create mode 100644 tests/data/test986
-diff --git a/lib/ftp.c b/lib/ftp.c
-index 1a699de59..08d18ca74 100644
--- a/lib/ftp.c
-+++ b/lib/ftp.c
-@@ -2681,9 +2681,12 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
-     /* we have now received a full FTP server response */
-     switch(ftpc->state) {
-     case FTP_WAIT220:
-      if(ftpcode == 230)
-        /* 230 User logged in - already! */
-        return ftp_state_user_resp(data, ftpcode, ftpc->state);
-+      if(ftpcode == 230) {
-+        /* 230 User logged in - already! Take as 220 if TLS required. */
-+        if(data->set.use_ssl <= CURLUSESSL_TRY ||
-+           conn->bits.ftp_use_control_ssl)
-+          return ftp_state_user_resp(data, ftpcode, ftpc->state);
-+      }
-       else if(ftpcode != 220) {
-         failf(data, "Got a %03d ftp-server response when 220 was expected",
-               ftpcode);
-diff --git a/lib/imap.c b/lib/imap.c
-index ab4d412ee..efc0420ce 100644
--- a/lib/imap.c
-+++ b/lib/imap.c
-@@ -935,22 +935,18 @@ static CURLcode imap_state_capability_resp(struct Curl_easy *data,
-       line += wordlen;
-     }
-   }
-  else if(imapcode == IMAP_RESP_OK) {
-    if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
-      /* We don't have a SSL/TLS connection yet, but SSL is requested */
-      if(imapc->tls_supported)
-        /* Switch to TLS connection now */
-        result = imap_perform_starttls(data, conn);
-      else if(data->set.use_ssl == CURLUSESSL_TRY)
-        /* Fallback and carry on with authentication */
-        result = imap_perform_authentication(data, conn);
-      else {
-        failf(data, "STARTTLS not supported.");
-        result = CURLE_USE_SSL_FAILED;
-      }
-+  else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
-+    /* PREAUTH is not compatible with STARTTLS. */
-+    if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
-+      /* Switch to TLS connection now */
-+      result = imap_perform_starttls(data, conn);
-     }
-    else
-+    else if(data->set.use_ssl <= CURLUSESSL_TRY)
-       result = imap_perform_authentication(data, conn);
-+    else {
-+      failf(data, "STARTTLS not available.");
-+      result = CURLE_USE_SSL_FAILED;
-+    }
-   }
-   else
-     result = imap_perform_authentication(data, conn);
-diff --git a/lib/pop3.c b/lib/pop3.c
-index 5fdd6f3e0..f97e10eab 100644
--- a/lib/pop3.c
-+++ b/lib/pop3.c
-@@ -741,28 +741,23 @@ static CURLcode pop3_state_capa_resp(struct Curl_easy *data, int pop3code,
-       }
-     }
-   }
-  else if(pop3code == '+') {
-    if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
-      /* We don't have a SSL/TLS connection yet, but SSL is requested */
-      if(pop3c->tls_supported)
-        /* Switch to TLS connection now */
-        result = pop3_perform_starttls(data, conn);
-      else if(data->set.use_ssl == CURLUSESSL_TRY)
-        /* Fallback and carry on with authentication */
-        result = pop3_perform_authentication(data, conn);
-      else {
-        failf(data, "STLS not supported.");
-        result = CURLE_USE_SSL_FAILED;
-      }
-    }
-    else
-      result = pop3_perform_authentication(data, conn);
-  }
-   else {
-     /* Clear text is supported when CAPA isn't recognised */
-    pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
-+    if(pop3code != '+')
-+      pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
- 
-    result = pop3_perform_authentication(data, conn);
-+    if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)
-+      result = pop3_perform_authentication(data, conn);
-+    else if(pop3code == '+' && pop3c->tls_supported)
-+      /* Switch to TLS connection now */
-+      result = pop3_perform_starttls(data, conn);
-+    else if(data->set.use_ssl <= CURLUSESSL_TRY)
-+      /* Fallback and carry on with authentication */
-+      result = pop3_perform_authentication(data, conn);
-+    else {
-+      failf(data, "STLS not supported.");
-+      result = CURLE_USE_SSL_FAILED;
-+    }
-   }
- 
-   return result;
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index 163696962..5cd092192 100644
--- a/tests/data/Makefile.inc
-+++ b/tests/data/Makefile.inc
-@@ -118,6 +118,8 @@ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
- test963 test964 test965 test966 test967 test968 test969 test970 test971 \
- test972 \
- \
-+test984 test985 test986 \
-+\
- test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
- test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
- test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \
-diff --git a/tests/data/test984 b/tests/data/test984
-new file mode 100644
-index 000000000..e573f23c1
--- /dev/null
-+++ b/tests/data/test984
-@@ -0,0 +1,56 @@
-+<testcase>
-+<info>
-+<keywords>
-+IMAP
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+REPLY CAPABILITY A001 BAD Not implemented
-+</servercmd>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+imap
-+</server>
-+ <name>
-+IMAP require STARTTLS with failing capabilities
-+ </name>
-+ <command>
-+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd
-+</command>
-+<file name="log/upload%TESTNUMBER">
-+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
-+From: Fred Foobar <foobar@example.COM>
-+Subject: afternoon meeting
-+To: joe@example.com
-+Message-Id: <B27397-0100000@example.COM>
-+MIME-Version: 1.0
-+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
-+
-+Hello Joe, do you think we can meet at 3:30 tomorrow?
-+</file>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+# 64 is CURLE_USE_SSL_FAILED
-+<errorcode>
-+64
-+</errorcode>
-+<protocol>
-+A001 CAPABILITY
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test985 b/tests/data/test985
-new file mode 100644
-index 000000000..d0db4aadf
--- /dev/null
-+++ b/tests/data/test985
-@@ -0,0 +1,54 @@
-+<testcase>
-+<info>
-+<keywords>
-+POP3
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+REPLY CAPA -ERR Not implemented
-+</servercmd>
-+<data nocheck="yes">
-+From: me@somewhere
-+To: fake@nowhere
-+
-+body
-+
-+--
-+  yours sincerely
-+</data>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+pop3
-+</server>
-+ <name>
-+POP3 require STARTTLS with failing capabilities
-+ </name>
-+ <command>
-+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd
-+ </command>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+# 64 is CURLE_USE_SSL_FAILED
-+<errorcode>
-+64
-+</errorcode>
-+<protocol>
-+CAPA
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test986 b/tests/data/test986
-new file mode 100644
-index 000000000..a709437a4
--- /dev/null
-+++ b/tests/data/test986
-@@ -0,0 +1,53 @@
-+<testcase>
-+<info>
-+<keywords>
-+FTP
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+REPLY welcome 230 Welcome
-+REPLY AUTH 500 unknown command
-+</servercmd>
-+</reply>
-+
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+ftp
-+</server>
-+ <name>
-+FTP require STARTTLS while preauthenticated
-+ </name>
-+<file name="log/test%TESTNUMBER.txt">
-+data
-+    to
-+      see
-+that FTPS
-+works
-+  so does it?
-+</file>
-+ <command>
-+--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret
-+</command>
-+</client>
-+
-+# Verify data after the test has been "shot"
-+<verify>
-+# 64 is CURLE_USE_SSL_FAILED
-+<errorcode>
-+64
-+</errorcode>
-+<protocol>
-+AUTH SSL
-+AUTH TLS
-+</protocol>
-+</verify>
-+</testcase>
-- 
-2.25.1
diff --git a/meta/recipes-support/curl/curl/cve-2021-22947.patch b/meta/recipes-support/curl/curl/cve-2021-22947.patch
deleted file mode 100644
index 8a5031275a..0000000000
--- a/meta/recipes-support/curl/curl/cve-2021-22947.patch
+++ /dev/null
@@ -1,355 +0,0 @@
-CVE: CVE-2021-22947
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-From aefa7370cb02801a571d51287d290d67068998b8 Mon Sep 17 00:00:00 2001
-From: Patrick Monnerat <patrick@monnerat.net>
-Date: Tue, 7 Sep 2021 13:26:42 +0200
-Subject: [PATCH 3/3] ftp,imap,pop3,smtp: reject STARTTLS server response
- pipelining
-If a server pipelines future responses within the STARTTLS response, the
-former are preserved in the pingpong cache across TLS negotiation and
-used as responses to the encrypted commands.
-This fix detects pipelined STARTTLS responses and rejects them with an
-error.
-CVE-2021-22947
-Bug: https://curl.se/docs/CVE-2021-22947.html
---
- lib/ftp.c               |  3 +++
- lib/imap.c              |  4 +++
- lib/pop3.c              |  4 +++
- lib/smtp.c              |  4 +++
- tests/data/Makefile.inc |  2 +-
- tests/data/test980      | 52 ++++++++++++++++++++++++++++++++++++
- tests/data/test981      | 59 +++++++++++++++++++++++++++++++++++++++++
- tests/data/test982      | 57 +++++++++++++++++++++++++++++++++++++++
- tests/data/test983      | 52 ++++++++++++++++++++++++++++++++++++
- 9 files changed, 236 insertions(+), 1 deletion(-)
- create mode 100644 tests/data/test980
- create mode 100644 tests/data/test981
- create mode 100644 tests/data/test982
- create mode 100644 tests/data/test983
-diff --git a/lib/ftp.c b/lib/ftp.c
-index 08d18ca74..0b9c9b732 100644
--- a/lib/ftp.c
-+++ b/lib/ftp.c
-@@ -2743,6 +2743,9 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
-     case FTP_AUTH:
-       /* we have gotten the response to a previous AUTH command */
- 
-+      if(pp->cache_size)
-+        return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */
-+
-       /* RFC2228 (page 5) says:
-        *
-        * If the server is willing to accept the named security mechanism,
-diff --git a/lib/imap.c b/lib/imap.c
-index efc0420ce..d1a48d7e3 100644
--- a/lib/imap.c
-+++ b/lib/imap.c
-@@ -964,6 +964,10 @@ static CURLcode imap_state_starttls_resp(struct Curl_easy *data,
- 
-   (void)instate; /* no use for this yet */
- 
-+  /* Pipelining in response is forbidden. */
-+  if(data->conn->proto.imapc.pp.cache_size)
-+    return CURLE_WEIRD_SERVER_REPLY;
-+
-   if(imapcode != IMAP_RESP_OK) {
-     if(data->set.use_ssl != CURLUSESSL_TRY) {
-       failf(data, "STARTTLS denied");
-diff --git a/lib/pop3.c b/lib/pop3.c
-index f97e10eab..a06acb7b8 100644
--- a/lib/pop3.c
-+++ b/lib/pop3.c
-@@ -772,6 +772,10 @@ static CURLcode pop3_state_starttls_resp(struct Curl_easy *data,
-   CURLcode result = CURLE_OK;
-   (void)instate; /* no use for this yet */
- 
-+  /* Pipelining in response is forbidden. */
-+  if(data->conn->proto.pop3c.pp.cache_size)
-+    return CURLE_WEIRD_SERVER_REPLY;
-+
-   if(pop3code != '+') {
-     if(data->set.use_ssl != CURLUSESSL_TRY) {
-       failf(data, "STARTTLS denied");
-diff --git a/lib/smtp.c b/lib/smtp.c
-index 1a3da1559..9b9403b3d 100644
--- a/lib/smtp.c
-+++ b/lib/smtp.c
-@@ -835,6 +835,10 @@ static CURLcode smtp_state_starttls_resp(struct Curl_easy *data,
-   CURLcode result = CURLE_OK;
-   (void)instate; /* no use for this yet */
- 
-+  /* Pipelining in response is forbidden. */
-+  if(data->conn->proto.smtpc.pp.cache_size)
-+    return CURLE_WEIRD_SERVER_REPLY;
-+
-   if(smtpcode != 220) {
-     if(data->set.use_ssl != CURLUSESSL_TRY) {
-       failf(data, "STARTTLS denied, code %d", smtpcode);
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index 5cd092192..c524b993e 100644
--- a/tests/data/Makefile.inc
-+++ b/tests/data/Makefile.inc
-@@ -118,7 +118,7 @@ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
- test963 test964 test965 test966 test967 test968 test969 test970 test971 \
- test972 \
- \
-test984 test985 test986 \
-+test980 test981 test982 test983 test984 test985 test986 \
- \
- test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
- test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
-diff --git a/tests/data/test980 b/tests/data/test980
-new file mode 100644
-index 000000000..97567f856
--- /dev/null
-+++ b/tests/data/test980
-@@ -0,0 +1,52 @@
-+<testcase>
-+<info>
-+<keywords>
-+SMTP
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+CAPA STARTTLS
-+AUTH PLAIN
-+REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted
-+REPLY AUTH 535 5.7.8 Authentication credentials invalid
-+</servercmd>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+smtp
-+</server>
-+ <name>
-+SMTP STARTTLS pipelined server response
-+ </name>
-+<stdin>
-+mail body
-+</stdin>
-+ <command>
-+smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T -
-+</command>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+# 8 is CURLE_WEIRD_SERVER_REPLY
-+<errorcode>
-+8
-+</errorcode>
-+<protocol>
-+EHLO %TESTNUMBER
-+STARTTLS
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test981 b/tests/data/test981
-new file mode 100644
-index 000000000..2b98ce42a
--- /dev/null
-+++ b/tests/data/test981
-@@ -0,0 +1,59 @@
-+<testcase>
-+<info>
-+<keywords>
-+IMAP
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+CAPA STARTTLS
-+REPLY STARTTLS A002 BAD currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted
-+REPLY LOGIN A003 BAD Authentication credentials invalid
-+</servercmd>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+imap
-+</server>
-+ <name>
-+IMAP STARTTLS pipelined server response
-+ </name>
-+ <command>
-+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl
-+</command>
-+<file name="log/upload%TESTNUMBER">
-+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
-+From: Fred Foobar <foobar@example.COM>
-+Subject: afternoon meeting
-+To: joe@example.com
-+Message-Id: <B27397-0100000@example.COM>
-+MIME-Version: 1.0
-+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
-+
-+Hello Joe, do you think we can meet at 3:30 tomorrow?
-+</file>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+# 8 is CURLE_WEIRD_SERVER_REPLY
-+<errorcode>
-+8
-+</errorcode>
-+<protocol>
-+A001 CAPABILITY
-+A002 STARTTLS
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test982 b/tests/data/test982
-new file mode 100644
-index 000000000..9e07cc0b3
--- /dev/null
-+++ b/tests/data/test982
-@@ -0,0 +1,57 @@
-+<testcase>
-+<info>
-+<keywords>
-+POP3
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+CAPA STLS USER
-+REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated
-+REPLY PASS -ERR Authentication credentials invalid
-+</servercmd>
-+<data nocheck="yes">
-+From: me@somewhere
-+To: fake@nowhere
-+
-+body
-+
-+--
-+  yours sincerely
-+</data>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+pop3
-+</server>
-+ <name>
-+POP3 STARTTLS pipelined server response
-+ </name>
-+ <command>
-+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl
-+ </command>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+# 8 is CURLE_WEIRD_SERVER_REPLY
-+<errorcode>
-+8
-+</errorcode>
-+<protocol>
-+CAPA
-+STLS
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test983 b/tests/data/test983
-new file mode 100644
-index 000000000..300ec459c
--- /dev/null
-+++ b/tests/data/test983
-@@ -0,0 +1,52 @@
-+<testcase>
-+<info>
-+<keywords>
-+FTP
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete
-+REPLY PASS 530 Login incorrect
-+</servercmd>
-+</reply>
-+
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+ftp
-+</server>
-+ <name>
-+FTP STARTTLS pipelined server response
-+ </name>
-+<file name="log/test%TESTNUMBER.txt">
-+data
-+    to
-+      see
-+that FTPS
-+works
-+  so does it?
-+</file>
-+ <command>
-+--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP
-+</command>
-+</client>
-+
-+# Verify data after the test has been "shot"
-+<verify>
-+# 8 is CURLE_WEIRD_SERVER_REPLY
-+<errorcode>
-+8
-+</errorcode>
-+<protocol>
-+AUTH SSL
-+</protocol>
-+</verify>
-+</testcase>
-- 
-2.25.1
diff --git a/meta/recipes-support/curl/curl_7.78.0.bb b/meta/recipes-support/curl/curl_7.79.1.bb
index 3f736d8da6..919777ce36 100644
--- a/meta/recipes-support/curl/curl_7.78.0.bb
+++ b/meta/recipes-support/curl/curl_7.79.1.bb
@@ -11,12 +11,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=425f6fdc767cc067518eef9bbdf4ab7b"
 SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
           file://0001-replace-krb5-config-with-pkg-config.patch \
-           file://cve-2021-22945.patch \
+           "
-           file://cve-2021-22946.patch \
-           file://cve-2021-22947.patch \
-"
-SRC_URI[sha256sum] = "98530b317dc95ccb324bbe4f834f07bb642fbc393b794ddf3434f246a71ea44a"
+SRC_URI[sha256sum] = "de62c4ab9a9316393962e8b94777a570bb9f71feb580fb4475e412f2f9387851"
 # Curl has used many names over the years...
 CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
author	Alexander Kanavin <alex.kanavin@gmail.com>	2021-10-19 17:33:30 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-10-23 17:42:25 +0100
commit	a901b318880035340a63ecb5e9a94d64555571b9 (patch)
tree	44081795c8465c46ba7f6addb0be927a8a88ec9b /meta/recipes-support/curl
parent	1f827cbf5eaf4e2e1c48c602e804ff37d35f9f0b (diff)
download	poky-a901b318880035340a63ecb5e9a94d64555571b9.tar.gz

diff --git a/meta/recipes-support/curl/curl/cve-2021-22945.patch b/meta/recipes-support/curl/curl/cve-2021-22945.patch deleted file mode 100644 index 2cbe110332..0000000000 --- a/meta/recipes-support/curl/curl/cve-2021-22945.patch +++ /dev/null
@@ -1,34 +0,0 @@
1	CVE: CVE-2021-22945
2	Upstream-Status: Backport
3	Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5	From 92cb3059dab2f9ef3e6ea614dad5c86917d19807 Mon Sep 17 00:00:00 2001
6	From: z2_ on hackerone <>
7	Date: Tue, 24 Aug 2021 09:50:33 +0200
8	Subject: [PATCH 1/3] mqtt: clear the leftovers pointer when sending succeeds
9
10	CVE-2021-22945
11
12	Bug: https://curl.se/docs/CVE-2021-22945.html
13	---
14	lib/mqtt.c \| 4 ++++
15	1 file changed, 4 insertions(+)
16
17	diff --git a/lib/mqtt.c b/lib/mqtt.c
18	index f077e6c3d..fcd40b41e 100644
19	--- a/lib/mqtt.c
20	+++ b/lib/mqtt.c
21	@@ -128,6 +128,10 @@ static CURLcode mqtt_send(struct Curl_easy *data,
22	mq->sendleftovers = sendleftovers;
23	mq->nsend = nsend;
24	}
25	+ else {
26	+ mq->sendleftovers = NULL;
27	+ mq->nsend = 0;
28	+ }
29	return result;
30	}
31
32	--
33	2.25.1
34


diff --git a/meta/recipes-support/curl/curl/cve-2021-22946.patch b/meta/recipes-support/curl/curl/cve-2021-22946.patch deleted file mode 100644 index 1a4b3e1144..0000000000 --- a/meta/recipes-support/curl/curl/cve-2021-22946.patch +++ /dev/null
@@ -1,332 +0,0 @@
1	CVE: CVE-2021-22946
2	Upstream-Status: Backport
3	Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5	From 089e18aefcee9b5093a96e9e1aa92751dde1f991 Mon Sep 17 00:00:00 2001
6	From: Patrick Monnerat <patrick@monnerat.net>
7	Date: Wed, 8 Sep 2021 11:56:22 +0200
8	Subject: [PATCH 2/3] ftp,imap,pop3: do not ignore --ssl-reqd
9
10	In imap and pop3, check if TLS is required even when capabilities
11	request has failed.
12
13	In ftp, ignore preauthentication (230 status of server greeting) if TLS
14	is required.
15
16	Bug: https://curl.se/docs/CVE-2021-22946.html
17
18	CVE-2021-22946
19	---
20	lib/ftp.c \| 9 ++++---
21	lib/imap.c \| 24 ++++++++----------
22	lib/pop3.c \| 33 +++++++++++-------------
23	tests/data/Makefile.inc \| 2 ++
24	tests/data/test984 \| 56 +++++++++++++++++++++++++++++++++++++++++
25	tests/data/test985 \| 54 +++++++++++++++++++++++++++++++++++++++
26	tests/data/test986 \| 53 ++++++++++++++++++++++++++++++++++++++
27	7 files changed, 195 insertions(+), 36 deletions(-)
28	create mode 100644 tests/data/test984
29	create mode 100644 tests/data/test985
30	create mode 100644 tests/data/test986
31
32	diff --git a/lib/ftp.c b/lib/ftp.c
33	index 1a699de59..08d18ca74 100644
34	--- a/lib/ftp.c
35	+++ b/lib/ftp.c
36	@@ -2681,9 +2681,12 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
37	/* we have now received a full FTP server response */
38	switch(ftpc->state) {
39	case FTP_WAIT220:
40	- if(ftpcode == 230)
41	- /* 230 User logged in - already! */
42	- return ftp_state_user_resp(data, ftpcode, ftpc->state);
43	+ if(ftpcode == 230) {
44	+ /* 230 User logged in - already! Take as 220 if TLS required. */
45	+ if(data->set.use_ssl <= CURLUSESSL_TRY \|\|
46	+ conn->bits.ftp_use_control_ssl)
47	+ return ftp_state_user_resp(data, ftpcode, ftpc->state);
48	+ }
49	else if(ftpcode != 220) {
50	failf(data, "Got a %03d ftp-server response when 220 was expected",
51	ftpcode);
52	diff --git a/lib/imap.c b/lib/imap.c
53	index ab4d412ee..efc0420ce 100644
54	--- a/lib/imap.c
55	+++ b/lib/imap.c
56	@@ -935,22 +935,18 @@ static CURLcode imap_state_capability_resp(struct Curl_easy *data,
57	line += wordlen;
58	}
59	}
60	- else if(imapcode == IMAP_RESP_OK) {
61	- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
62	- /* We don't have a SSL/TLS connection yet, but SSL is requested */
63	- if(imapc->tls_supported)
64	- /* Switch to TLS connection now */
65	- result = imap_perform_starttls(data, conn);
66	- else if(data->set.use_ssl == CURLUSESSL_TRY)
67	- /* Fallback and carry on with authentication */
68	- result = imap_perform_authentication(data, conn);
69	- else {
70	- failf(data, "STARTTLS not supported.");
71	- result = CURLE_USE_SSL_FAILED;
72	- }
73	+ else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
74	+ /* PREAUTH is not compatible with STARTTLS. */
75	+ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
76	+ /* Switch to TLS connection now */
77	+ result = imap_perform_starttls(data, conn);
78	}
79	- else
80	+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
81	result = imap_perform_authentication(data, conn);
82	+ else {
83	+ failf(data, "STARTTLS not available.");
84	+ result = CURLE_USE_SSL_FAILED;
85	+ }
86	}
87	else
88	result = imap_perform_authentication(data, conn);
89	diff --git a/lib/pop3.c b/lib/pop3.c
90	index 5fdd6f3e0..f97e10eab 100644
91	--- a/lib/pop3.c
92	+++ b/lib/pop3.c
93	@@ -741,28 +741,23 @@ static CURLcode pop3_state_capa_resp(struct Curl_easy *data, int pop3code,
94	}
95	}
96	}
97	- else if(pop3code == '+') {
98	- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
99	- /* We don't have a SSL/TLS connection yet, but SSL is requested */
100	- if(pop3c->tls_supported)
101	- /* Switch to TLS connection now */
102	- result = pop3_perform_starttls(data, conn);
103	- else if(data->set.use_ssl == CURLUSESSL_TRY)
104	- /* Fallback and carry on with authentication */
105	- result = pop3_perform_authentication(data, conn);
106	- else {
107	- failf(data, "STLS not supported.");
108	- result = CURLE_USE_SSL_FAILED;
109	- }
110	- }
111	- else
112	- result = pop3_perform_authentication(data, conn);
113	- }
114	else {
115	/* Clear text is supported when CAPA isn't recognised */
116	- pop3c->authtypes \|= POP3_TYPE_CLEARTEXT;
117	+ if(pop3code != '+')
118	+ pop3c->authtypes \|= POP3_TYPE_CLEARTEXT;
119
120	- result = pop3_perform_authentication(data, conn);
121	+ if(!data->set.use_ssl \|\| conn->ssl[FIRSTSOCKET].use)
122	+ result = pop3_perform_authentication(data, conn);
123	+ else if(pop3code == '+' && pop3c->tls_supported)
124	+ /* Switch to TLS connection now */
125	+ result = pop3_perform_starttls(data, conn);
126	+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
127	+ /* Fallback and carry on with authentication */
128	+ result = pop3_perform_authentication(data, conn);
129	+ else {
130	+ failf(data, "STLS not supported.");
131	+ result = CURLE_USE_SSL_FAILED;
132	+ }
133	}
134
135	return result;
136	diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
137	index 163696962..5cd092192 100644
138	--- a/tests/data/Makefile.inc
139	+++ b/tests/data/Makefile.inc
140	@@ -118,6 +118,8 @@ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
141	test963 test964 test965 test966 test967 test968 test969 test970 test971 \
142	test972 \
143	\
144	+test984 test985 test986 \
145	+\
146	test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
147	test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
148	test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \
149	diff --git a/tests/data/test984 b/tests/data/test984
150	new file mode 100644
151	index 000000000..e573f23c1
152	--- /dev/null
153	+++ b/tests/data/test984
154	@@ -0,0 +1,56 @@
155	+<testcase>
156	+<info>
157	+<keywords>
158	+IMAP
159	+STARTTLS
160	+</keywords>
161	+</info>
162	+
163	+#
164	+# Server-side
165	+<reply>
166	+<servercmd>
167	+REPLY CAPABILITY A001 BAD Not implemented
168	+</servercmd>
169	+</reply>
170	+
171	+#
172	+# Client-side
173	+<client>
174	+<features>
175	+SSL
176	+</features>
177	+<server>
178	+imap
179	+</server>
180	+ <name>
181	+IMAP require STARTTLS with failing capabilities
182	+ </name>
183	+ <command>
184	+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd
185	+</command>
186	+<file name="log/upload%TESTNUMBER">
187	+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
188	+From: Fred Foobar <foobar@example.COM>
189	+Subject: afternoon meeting
190	+To: joe@example.com
191	+Message-Id: <B27397-0100000@example.COM>
192	+MIME-Version: 1.0
193	+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
194	+
195	+Hello Joe, do you think we can meet at 3:30 tomorrow?
196	+</file>
197	+</client>
198	+
199	+#
200	+# Verify data after the test has been "shot"
201	+<verify>
202	+# 64 is CURLE_USE_SSL_FAILED
203	+<errorcode>
204	+64
205	+</errorcode>
206	+<protocol>
207	+A001 CAPABILITY
208	+</protocol>
209	+</verify>
210	+</testcase>
211	diff --git a/tests/data/test985 b/tests/data/test985
212	new file mode 100644
213	index 000000000..d0db4aadf
214	--- /dev/null
215	+++ b/tests/data/test985
216	@@ -0,0 +1,54 @@
217	+<testcase>
218	+<info>
219	+<keywords>
220	+POP3
221	+STARTTLS
222	+</keywords>
223	+</info>
224	+
225	+#
226	+# Server-side
227	+<reply>
228	+<servercmd>
229	+REPLY CAPA -ERR Not implemented
230	+</servercmd>
231	+<data nocheck="yes">
232	+From: me@somewhere
233	+To: fake@nowhere
234	+
235	+body
236	+
237	+--
238	+ yours sincerely
239	+</data>
240	+</reply>
241	+
242	+#
243	+# Client-side
244	+<client>
245	+<features>
246	+SSL
247	+</features>
248	+<server>
249	+pop3
250	+</server>
251	+ <name>
252	+POP3 require STARTTLS with failing capabilities
253	+ </name>
254	+ <command>
255	+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd
256	+ </command>
257	+</client>
258	+
259	+#
260	+# Verify data after the test has been "shot"
261	+<verify>
262	+# 64 is CURLE_USE_SSL_FAILED
263	+<errorcode>
264	+64
265	+</errorcode>
266	+<protocol>
267	+CAPA
268	+</protocol>
269	+</verify>
270	+</testcase>
271	diff --git a/tests/data/test986 b/tests/data/test986
272	new file mode 100644
273	index 000000000..a709437a4
274	--- /dev/null
275	+++ b/tests/data/test986
276	@@ -0,0 +1,53 @@
277	+<testcase>
278	+<info>
279	+<keywords>
280	+FTP
281	+STARTTLS
282	+</keywords>
283	+</info>
284	+
285	+#
286	+# Server-side
287	+<reply>
288	+<servercmd>
289	+REPLY welcome 230 Welcome
290	+REPLY AUTH 500 unknown command
291	+</servercmd>
292	+</reply>
293	+
294	+# Client-side
295	+<client>
296	+<features>
297	+SSL
298	+</features>
299	+<server>
300	+ftp
301	+</server>
302	+ <name>
303	+FTP require STARTTLS while preauthenticated
304	+ </name>
305	+<file name="log/test%TESTNUMBER.txt">
306	+data
307	+ to
308	+ see
309	+that FTPS
310	+works
311	+ so does it?
312	+</file>
313	+ <command>
314	+--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret
315	+</command>
316	+</client>
317	+
318	+# Verify data after the test has been "shot"
319	+<verify>
320	+# 64 is CURLE_USE_SSL_FAILED
321	+<errorcode>
322	+64
323	+</errorcode>
324	+<protocol>
325	+AUTH SSL
326	+AUTH TLS
327	+</protocol>
328	+</verify>
329	+</testcase>
330	--
331	2.25.1
332


diff --git a/meta/recipes-support/curl/curl/cve-2021-22947.patch b/meta/recipes-support/curl/curl/cve-2021-22947.patch deleted file mode 100644 index 8a5031275a..0000000000 --- a/meta/recipes-support/curl/curl/cve-2021-22947.patch +++ /dev/null
@@ -1,355 +0,0 @@
1	CVE: CVE-2021-22947
2	Upstream-Status: Backport
3	Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5	From aefa7370cb02801a571d51287d290d67068998b8 Mon Sep 17 00:00:00 2001
6	From: Patrick Monnerat <patrick@monnerat.net>
7	Date: Tue, 7 Sep 2021 13:26:42 +0200
8	Subject: [PATCH 3/3] ftp,imap,pop3,smtp: reject STARTTLS server response
9	pipelining
10
11	If a server pipelines future responses within the STARTTLS response, the
12	former are preserved in the pingpong cache across TLS negotiation and
13	used as responses to the encrypted commands.
14
15	This fix detects pipelined STARTTLS responses and rejects them with an
16	error.
17
18	CVE-2021-22947
19
20	Bug: https://curl.se/docs/CVE-2021-22947.html
21	---
22	lib/ftp.c \| 3 +++
23	lib/imap.c \| 4 +++
24	lib/pop3.c \| 4 +++
25	lib/smtp.c \| 4 +++
26	tests/data/Makefile.inc \| 2 +-
27	tests/data/test980 \| 52 ++++++++++++++++++++++++++++++++++++
28	tests/data/test981 \| 59 +++++++++++++++++++++++++++++++++++++++++
29	tests/data/test982 \| 57 +++++++++++++++++++++++++++++++++++++++
30	tests/data/test983 \| 52 ++++++++++++++++++++++++++++++++++++
31	9 files changed, 236 insertions(+), 1 deletion(-)
32	create mode 100644 tests/data/test980
33	create mode 100644 tests/data/test981
34	create mode 100644 tests/data/test982
35	create mode 100644 tests/data/test983
36
37	diff --git a/lib/ftp.c b/lib/ftp.c
38	index 08d18ca74..0b9c9b732 100644
39	--- a/lib/ftp.c
40	+++ b/lib/ftp.c
41	@@ -2743,6 +2743,9 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
42	case FTP_AUTH:
43	/* we have gotten the response to a previous AUTH command */
44
45	+ if(pp->cache_size)
46	+ return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */
47	+
48	/* RFC2228 (page 5) says:
49	*
50	* If the server is willing to accept the named security mechanism,
51	diff --git a/lib/imap.c b/lib/imap.c
52	index efc0420ce..d1a48d7e3 100644
53	--- a/lib/imap.c
54	+++ b/lib/imap.c
55	@@ -964,6 +964,10 @@ static CURLcode imap_state_starttls_resp(struct Curl_easy *data,
56
57	(void)instate; /* no use for this yet */
58
59	+ /* Pipelining in response is forbidden. */
60	+ if(data->conn->proto.imapc.pp.cache_size)
61	+ return CURLE_WEIRD_SERVER_REPLY;
62	+
63	if(imapcode != IMAP_RESP_OK) {
64	if(data->set.use_ssl != CURLUSESSL_TRY) {
65	failf(data, "STARTTLS denied");
66	diff --git a/lib/pop3.c b/lib/pop3.c
67	index f97e10eab..a06acb7b8 100644
68	--- a/lib/pop3.c
69	+++ b/lib/pop3.c
70	@@ -772,6 +772,10 @@ static CURLcode pop3_state_starttls_resp(struct Curl_easy *data,
71	CURLcode result = CURLE_OK;
72	(void)instate; /* no use for this yet */
73
74	+ /* Pipelining in response is forbidden. */
75	+ if(data->conn->proto.pop3c.pp.cache_size)
76	+ return CURLE_WEIRD_SERVER_REPLY;
77	+
78	if(pop3code != '+') {
79	if(data->set.use_ssl != CURLUSESSL_TRY) {
80	failf(data, "STARTTLS denied");
81	diff --git a/lib/smtp.c b/lib/smtp.c
82	index 1a3da1559..9b9403b3d 100644
83	--- a/lib/smtp.c
84	+++ b/lib/smtp.c
85	@@ -835,6 +835,10 @@ static CURLcode smtp_state_starttls_resp(struct Curl_easy *data,
86	CURLcode result = CURLE_OK;
87	(void)instate; /* no use for this yet */
88
89	+ /* Pipelining in response is forbidden. */
90	+ if(data->conn->proto.smtpc.pp.cache_size)
91	+ return CURLE_WEIRD_SERVER_REPLY;
92	+
93	if(smtpcode != 220) {
94	if(data->set.use_ssl != CURLUSESSL_TRY) {
95	failf(data, "STARTTLS denied, code %d", smtpcode);
96	diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
97	index 5cd092192..c524b993e 100644
98	--- a/tests/data/Makefile.inc
99	+++ b/tests/data/Makefile.inc
100	@@ -118,7 +118,7 @@ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
101	test963 test964 test965 test966 test967 test968 test969 test970 test971 \
102	test972 \
103	\
104	-test984 test985 test986 \
105	+test980 test981 test982 test983 test984 test985 test986 \
106	\
107	test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
108	test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
109	diff --git a/tests/data/test980 b/tests/data/test980
110	new file mode 100644
111	index 000000000..97567f856
112	--- /dev/null
113	+++ b/tests/data/test980
114	@@ -0,0 +1,52 @@
115	+<testcase>
116	+<info>
117	+<keywords>
118	+SMTP
119	+STARTTLS
120	+</keywords>
121	+</info>
122	+
123	+#
124	+# Server-side
125	+<reply>
126	+<servercmd>
127	+CAPA STARTTLS
128	+AUTH PLAIN
129	+REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted
130	+REPLY AUTH 535 5.7.8 Authentication credentials invalid
131	+</servercmd>
132	+</reply>
133	+
134	+#
135	+# Client-side
136	+<client>
137	+<features>
138	+SSL
139	+</features>
140	+<server>
141	+smtp
142	+</server>
143	+ <name>
144	+SMTP STARTTLS pipelined server response
145	+ </name>
146	+<stdin>
147	+mail body
148	+</stdin>
149	+ <command>
150	+smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T -
151	+</command>
152	+</client>
153	+
154	+#
155	+# Verify data after the test has been "shot"
156	+<verify>
157	+# 8 is CURLE_WEIRD_SERVER_REPLY
158	+<errorcode>
159	+8
160	+</errorcode>
161	+<protocol>
162	+EHLO %TESTNUMBER
163	+STARTTLS
164	+</protocol>
165	+</verify>
166	+</testcase>
167	diff --git a/tests/data/test981 b/tests/data/test981
168	new file mode 100644
169	index 000000000..2b98ce42a
170	--- /dev/null
171	+++ b/tests/data/test981
172	@@ -0,0 +1,59 @@
173	+<testcase>
174	+<info>
175	+<keywords>
176	+IMAP
177	+STARTTLS
178	+</keywords>
179	+</info>
180	+
181	+#
182	+# Server-side
183	+<reply>
184	+<servercmd>
185	+CAPA STARTTLS
186	+REPLY STARTTLS A002 BAD currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted
187	+REPLY LOGIN A003 BAD Authentication credentials invalid
188	+</servercmd>
189	+</reply>
190	+
191	+#
192	+# Client-side
193	+<client>
194	+<features>
195	+SSL
196	+</features>
197	+<server>
198	+imap
199	+</server>
200	+ <name>
201	+IMAP STARTTLS pipelined server response
202	+ </name>
203	+ <command>
204	+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl
205	+</command>
206	+<file name="log/upload%TESTNUMBER">
207	+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
208	+From: Fred Foobar <foobar@example.COM>
209	+Subject: afternoon meeting
210	+To: joe@example.com
211	+Message-Id: <B27397-0100000@example.COM>
212	+MIME-Version: 1.0
213	+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
214	+
215	+Hello Joe, do you think we can meet at 3:30 tomorrow?
216	+</file>
217	+</client>
218	+
219	+#
220	+# Verify data after the test has been "shot"
221	+<verify>
222	+# 8 is CURLE_WEIRD_SERVER_REPLY
223	+<errorcode>
224	+8
225	+</errorcode>
226	+<protocol>
227	+A001 CAPABILITY
228	+A002 STARTTLS
229	+</protocol>
230	+</verify>
231	+</testcase>
232	diff --git a/tests/data/test982 b/tests/data/test982
233	new file mode 100644
234	index 000000000..9e07cc0b3
235	--- /dev/null
236	+++ b/tests/data/test982
237	@@ -0,0 +1,57 @@
238	+<testcase>
239	+<info>
240	+<keywords>
241	+POP3
242	+STARTTLS
243	+</keywords>
244	+</info>
245	+
246	+#
247	+# Server-side
248	+<reply>
249	+<servercmd>
250	+CAPA STLS USER
251	+REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated
252	+REPLY PASS -ERR Authentication credentials invalid
253	+</servercmd>
254	+<data nocheck="yes">
255	+From: me@somewhere
256	+To: fake@nowhere
257	+
258	+body
259	+
260	+--
261	+ yours sincerely
262	+</data>
263	+</reply>
264	+
265	+#
266	+# Client-side
267	+<client>
268	+<features>
269	+SSL
270	+</features>
271	+<server>
272	+pop3
273	+</server>
274	+ <name>
275	+POP3 STARTTLS pipelined server response
276	+ </name>
277	+ <command>
278	+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl
279	+ </command>
280	+</client>
281	+
282	+#
283	+# Verify data after the test has been "shot"
284	+<verify>
285	+# 8 is CURLE_WEIRD_SERVER_REPLY
286	+<errorcode>
287	+8
288	+</errorcode>
289	+<protocol>
290	+CAPA
291	+STLS
292	+</protocol>
293	+</verify>
294	+</testcase>
295	diff --git a/tests/data/test983 b/tests/data/test983
296	new file mode 100644
297	index 000000000..300ec459c
298	--- /dev/null
299	+++ b/tests/data/test983
300	@@ -0,0 +1,52 @@
301	+<testcase>
302	+<info>
303	+<keywords>
304	+FTP
305	+STARTTLS
306	+</keywords>
307	+</info>
308	+
309	+#
310	+# Server-side
311	+<reply>
312	+<servercmd>
313	+REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete
314	+REPLY PASS 530 Login incorrect
315	+</servercmd>
316	+</reply>
317	+
318	+# Client-side
319	+<client>
320	+<features>
321	+SSL
322	+</features>
323	+<server>
324	+ftp
325	+</server>
326	+ <name>
327	+FTP STARTTLS pipelined server response
328	+ </name>
329	+<file name="log/test%TESTNUMBER.txt">
330	+data
331	+ to
332	+ see
333	+that FTPS
334	+works
335	+ so does it?
336	+</file>
337	+ <command>
338	+--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP
339	+</command>
340	+</client>
341	+
342	+# Verify data after the test has been "shot"
343	+<verify>
344	+# 8 is CURLE_WEIRD_SERVER_REPLY
345	+<errorcode>
346	+8
347	+</errorcode>
348	+<protocol>
349	+AUTH SSL
350	+</protocol>
351	+</verify>
352	+</testcase>
353	--
354	2.25.1
355


diff --git a/meta/recipes-support/curl/curl_7.78.0.bb b/meta/recipes-support/curl/curl_7.79.1.bb index 3f736d8da6..919777ce36 100644 --- a/meta/recipes-support/curl/curl_7.78.0.bb +++ b/meta/recipes-support/curl/curl_7.79.1.bb
@@ -11,12 +11,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=425f6fdc767cc067518eef9bbdf4ab7b"
11		11
12	SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \	12	SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
13	file://0001-replace-krb5-config-with-pkg-config.patch \	13	file://0001-replace-krb5-config-with-pkg-config.patch \
14	file://cve-2021-22945.patch \	14	"
15	file://cve-2021-22946.patch \
16	file://cve-2021-22947.patch \
17	"
18		15
19	SRC_URI[sha256sum] = "98530b317dc95ccb324bbe4f834f07bb642fbc393b794ddf3434f246a71ea44a"	16	SRC_URI[sha256sum] = "de62c4ab9a9316393962e8b94777a570bb9f71feb580fb4475e412f2f9387851"
20		17
21	# Curl has used many names over the years...	18	# Curl has used many names over the years...
22	CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"	19	CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"