| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Security vulnerabilities fixed between 7.47.1 and 7.53.1 versions:
=================================================================
TLS session resumption client cert bypass (again): CVE-2017-XXXX
--write-out out of buffer read: CVE-2017-7407
SSL_VERIFYSTATUS ignored: CVE-2017-2629
uninitialized random: CVE-2016-9594
printf floating point buffer overflow: CVE-2016-9586
Win CE schannel cert wildcard matches too much: CVE-2016-9952
Win CE schannel cert name out of buffer read: CVE-2016-9953
cookie injection for other servers: CVE-2016-8615
case insensitive password comparison: CVE-2016-8616
OOB write via unchecked multiplication: CVE-2016-8617
double-free in curl_maprintf: CVE-2016-8618
double-free in krb5 code: CVE-2016-8619
glob parser write/read out of bounds: CVE-2016-8620
curl_getdate read out of bounds: CVE-2016-8621
URL unescape heap overflow via integer truncation: CVE-2016-8622
Use-after-free via shared cookies: CVE-2016-8623
invalid URL parsing with '#': CVE-2016-8624
IDNA 2003 makes curl use wrong host: CVE-2016-8625
curl escape and unescape integer overflows: CVE-2016-7167
Incorrect reuse of client certificates: CVE-2016-7141
TLS session resumption client cert bypass: CVE-2016-5419
Re-using connections with wrong client cert: CVE-2016-5420
use of connection struct after free: CVE-2016-5421
Windows DLL hijacking: CVE-2016-4802
TLS certificate check bypass with mbedTLS/PolarSSL: CVE-2016-3739
Reference:
https://curl.haxx.se/docs/security.html
https://curl.haxx.se/changes.html
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
|
|
|
|
|
|
|
|
|
|
|
| |
IDNA 2003 makes curl use wrong host
Affected versions: curl 7.12.0 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102K.html
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
| |
invalid URL parsing with '#'
Affected versions: curl 7.1 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102J.html
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Use-after-free via shared cookies
Affected versions: curl 7.10.7 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102I.html
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
| |
URL unescape heap overflow via integer truncation
Affected versions: curl 7.24.0 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102H.html
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
| |
curl_getdate read out of bounds
Affected versions: curl 7.12.2 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102G.html
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
| |
glob parser write/read out of bounds
Affected versions: curl 7.34.0 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102F.html
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
| |
double-free in krb5 code
Affected versions: curl 7.3 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102E.html
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
| |
double-free in curl_maprintf
Affected versions: curl 7.1 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102D.html
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
OOB write via unchecked multiplication
Affected versions: curl 7.1 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102C.html
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
case insensitive password comparison
Affected versions: curl 7.7 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102B.html
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
cookie injection for other servers
Affected versions: curl 7.1 to and including 7.50.3
Reference:
https://curl.haxx.se/docs/adv_20161102A.html
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Affected versions:
Affected versions: libcurl 7.19.6 to and including 7.50.1
Not affected versions: libcurl >= 7.50.2
Reference to upstream patch:
https://curl.haxx.se/CVE-2016-7141.patch
(From OE-Core rev: fb8f291d9ea2ebc011403f72cb91af372a795091)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
| |
Affected versions: libcurl 7.32.0 to and including 7.50.0
(From OE-Core rev: 2a9f4823483b6f5decc6d504858f06f66ab9e06c)
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
| |
Affected versions: libcurl 7.1 to and including 7.50.0
(From OE-Core rev: cc567d8fb9eca630cd21d40ece99babcc5b7d045)
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
| |
Affected versions: libcurl 7.1 to and including 7.50.0
(From OE-Core rev: 0b56a2f6174a44495f8a58dc0864c161ffd37b80)
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch has been carried around in oe-core for a long time.
It contains two unrelated changes and neither seem to be required
any more. Drop the patch.
(From OE-Core rev: 27837df35db57f50b8fa7f7c6b3f2e400205deb9)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
| |
Remove backported CVE patches
(From OE-Core rev: 257ca2054c907c9c9868ccae57c6e0d750fb1164)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus
making them apply broader than cookies are allowed. This can allow arbitrary
sites to set cookies that then would get sent to a different and unrelated site
or domain.
(From OE-Core rev: ddbaade8afbc9767583728bfdc220639203d6853)
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
By not detecting and rejecting domain names for partial literal IP addresses
properly when parsing received HTTP cookies, libcurl can be fooled to both
sending cookies to wrong sites and into allowing arbitrary sites to set cookies
for others.
(From OE-Core rev: 985ef933208da1dd1f17645613ce08e6ad27e2c1)
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
| |
Remove unused "remove_inappropriate_file_from_rel.patch"
(From OE-Core rev: ad1b9480f2ef5a4450f8b31ef7b3141ee7462b4f)
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
| |
Remove patches that are fixed upstream
(From OE-Core rev: d5d169af2b34596deb3997c2bfa7398c447c4fac)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is the adaptation for the a bugfix upstream
The inappropriate file src/tool_hugehelp.c presence in the curl 7.36 release
interfered with the upstream fix for
https://sourceforge.net/p/curl/bugs/1350/
(From OE-Core rev: c5a52f5b5ae7c5528bc59ee7fb69a2f460a89b81)
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
mkhelp: generate code for --disable-manual as well
This allows configure --disable-manual to run and build without having
to regenerate the src/tool_hugehelp.c file which otherwise is necessary
since we ship tarballs with that file present.
(From OE-Core rev: 544a96255203a6779d1f0022d003c6680f330511)
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
| |
Add upstream-status to configure_ac.patch.
(From OE-Core rev: 8fc6904fe97438478119db6cd23b7b4eb33b50aa)
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
| |
0001-Fix-NULL-pointer-reference-when-closing-an-unused-mu.patch now
part of upstream.
(From OE-Core rev: 2d79a2f88b6676847ef868d3cc6475bd643b28a3)
Signed-off-by: Marko Lindqvist <cazfi74@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
| |
* e.g. ecore, efreet segfault a lot without this patch
(From OE-Core rev: b93011d3e719c46089ccdb39c60d3a9e9cfa5a14)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
- obsolete_automake_macros.patch removed as it's part of upstream.
- dont_override_ac_config_macro_dir.patch removed as no longer needed.
- pkgconfig_fix.patch updated to apply cleanly
(From OE-Core rev: b0c541236b4c4670ce77f55886b6ce02c562b8c2)
Signed-off-by: Marko Lindqvist <cazfi74@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: 2cb1285195439faa48571acc5346d25b4de214b4)
Signed-off-by: Marko Lindqvist <cazfi74@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Do not invoke CURL_SET_COMPILER_DEBUG_OPTS in configure.ac.
This will allow debug options set in our CFLAGS to be
used.
(From OE-Core rev: ba151faad47e6874b295ebd9699ce154bc4ff741)
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
| |
Config system changed from 7.24.0 and the noldlibpatch
is no longer needed, thus deleted.
(From OE-Core rev: 0d2d59420b5924491ccd5c091c823b9c277a6721)
Signed-off-by: Alexandru DAMIAN <alexandru.damian@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
| |
from 7.21.2
(From OE-Core rev: 7b26788c52136eb6a95507758936756b3dfcbaa4)
Signed-off-by: Qing He <qing.he@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <rpurdie@linux.intel.com>
|