| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
backport CVE-2020-8284 fixes from upstream, but drop
binary file tests/data/test1465.
upstream fixes for CVE-2020-8231, CVE-2020-8285 and CVE-2020-8286
does not applies cleanly to 7.69.1, fedora have working patch
hence import patch from Fedora.
https://koji.fedoraproject.org/koji/rpminfo?rpmID=24270817
(From OE-Core rev: 16ec5dea53d24cc1449d173912c1056c873fa98d)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The official links on:
https://curl.haxx.se/download.html
use https now and we're seeing this warning:
WARNING: curl-native-7.72.0-r0 do_fetch: Failed to fetch URL http://curl.haxx.se/download/curl-7.72.0.tar.bz2, attempting MIRRORS if available
(From OE-Core rev: 9f39e53b0e1bf74b233b3e33a9996934a198f533)
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0aa24abf6c4d68efa63026d2496b6adc16734d35)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To avoid false positives (such as CVE-2010-0734, rubygems:curl), expand
the CVE_PRODUCT list to include all the vendors that have been used.
(From OE-Core rev: 3c0029c9cf22b6983020edf9ce2aeb7b326d8c12)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bb265122cccea9466405fdd924ad10ce8cda0dec)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Source: https://curl.haxx.se/
MR: 104472, 104458
Type: Security Fix
Disposition: Backport from https://github.com/curl/curl/commit/{600a8cded447cd/8236aba58542c5f}
ChangeID: 1300924f7a64b22375b4326daeef0b686481e30c
Description:
- Affected versions: curl 7.20.0 to and including 7.70.0
- Not affected versions: curl < 7.20.0 and curl >= 7.71.0
Fixes both CVE-2020-8169 and CVE-2020-8177
(From OE-Core rev: f42702baee57ab3d1b7ab7833e72c7d56ad4ee94)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Contains a number of fixes for issues discovered post-7.69.0.
For details, see full changelog:
https://curl.haxx.se/changes.html#7_69_1
(From OE-Core rev: d3af3cf801ab5b235bce427bc73d2e6b29083368)
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
| |
Specify exclusive package configs for glew and curl to make sure that
conflict package configs will NOT set at same time.
(From OE-Core rev: 8579673bdb314dbc554f40fc4c4c1db3d0bb0d63)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Bugfix release. For details, see full changelog
- https://curl.haxx.se/changes.html#7_69_0
(From OE-Core rev: 2d6a9904a838c5e498c0e2a2e34169cd2877a785)
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
See full changelog https://curl.haxx.se/changes.html#7_68_0
The hash of the license is updated because the copyright year was
updated in COPYING file:
-Copyright (c) 1996 - 2019, Daniel Stenberg, <daniel@haxx.se>, and many
+Copyright (c) 1996 - 2020, Daniel Stenberg, <daniel@haxx.se>, and many
(From OE-Core rev: 887b16b653140b6ce6293863334b1d000ec6a9ed)
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
| |
(From OE-Core rev: 3fda2e0dda6823623cb6af2ce28bce9569816e95)
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
| |
(From OE-Core rev: dec1616af9c2709c2ad78722cc4075b765de332d)
Signed-off-by: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
| |
(From OE-Core rev: e3043b2c86556d91387dfbdf155e9b5547cc20c4)
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
| |
Changelog:
https://curl.haxx.se/changes.html#7_65_2
(From OE-Core rev: 54b91da2bd07e8c3a40e61d90af251a1bfbf50f4)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
| |
-Upgrade from curl_7.64.1.bb to curl_7.65.1.bb.
(From OE-Core rev: e3b7cb02a86b5040b3dc1439b142f25f0f8df8a0)
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
| |
(From OE-Core rev: 1d3f15fb928981ea094773c921b6829d6df45e45)
Signed-off-by: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The license checksum changed as the copyright years changed.
Fixes:
- CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
- CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
- CVE-2019-3823: SMTP end-of-response out-of-bounds read
(From OE-Core rev: 41c3ee4fe87a181786c47da044da700e8f605540)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changes:
curl: add %{stderr} and %{stdout} for --write-out
curl: add undocumented option --dump-module-paths for win32
setopt: add CURLOPT_CURLU
For full list of changes see:
https://curl.haxx.se/changes.html
(From OE-Core rev: 2837266edbe097dcd9ff5fcdf29bb56f38bf564d)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
| |
(From OE-Core rev: 72e542f564691d892d140a69d7fcc6b442897cf8)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Drop all CVE patches now included in update.
For details see: https://curl.haxx.se/changes.html
(From OE-Core rev: 43a802c2605cd2f6095a7738347338492eafe722)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
| |
(From OE-Core rev: f0394e80a37f1da47042a1aa0487594f390603f9)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
| |
(From OE-Core rev: 0f0db9fc8512a0ecd0cdba3304a195cd925a5029)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are both "curl" and "libcurl" CPEs in NVD.
All "curl" CVEs are now missed in the reports.
Hence, switch "CVE_PRODUCT" to a space separated list
of the items.
(From OE-Core rev: 69ff709c2450c42139fd9705e3a74464221ad754)
Signed-off-by: Grygorii Tertychnyi <gtertych@cisco.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For some reason, the copyright part was left out of the license
information included in LIC_FILES_CHKSUM, preventing it from being
used in, e.g., documentation to satisfy the requirements of the
license.
License-Update: Include the complete license information
(From OE-Core rev: 390becd2dcf4fe791ec3715a74e34a46bd457e7a)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Backport the CVE patch from the upstream
https://github.com/curl/curl/commit/57d299a499155d4b327e341c6024e293b0418243.patch
https://curl.haxx.se/docs/CVE-2018-14618.html
https://nvd.nist.gov/vuln/detail/CVE-2018-14618
(From OE-Core rev: b76903b4b7bfec71be0a8a14e2cab4e2ec852222)
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
| |
(From OE-Core rev: b3fe71af20997921360b6ac7d100b5baf9708d53)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
| |
Now that oe-core has libidn2 we can enable it by default in target curl builds.
(From OE-Core rev: aae20d0277feb768ca290492ccfad30962bb8706)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The --libcurl command line option causes curl to generate C source
code which, when compiled and linked with libcurl, creates a binary
which behaves in the same way as curl when run with the other options
passed on the curl command line.
https://curl.haxx.se/docs/manpage.html#--libcurl
It's a development tool and not generally useful on the target,
especially if the target doesn't contain a toolchain etc.
(From OE-Core rev: a1cda48761f70b5989bb8b9c91d71c0b3a03466e)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Add PACKAGECONFIG option for brotli (disable by default)
- Add PACKAGECONFIG option for built-in manpages (disabled by
default). Embedding a copy of the manpages within the curl binary
adds approx 60k of gzipped data and duplicates the contents of the
curl-doc package.
- Add PACKAGECONFIG option for verbose error messages (enabled by
default)
- Disable legacy NTLM http authentication via delegation to the
external winbind ntlm_auth helper (which isn't going to work
without a runtime dependency on samba).
(From OE-Core rev: 0bf3637a07228576d78cf4c71de92781ec143d7f)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
| |
https://curl.haxx.se/changes.html#7_61_0
(From OE-Core rev: b26ca91574a88745910d44777bb17ac0616baf3e)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: 65b86e87a693fc7a76e163734cd2da56494302c8)
Signed-off-by: Binghua Guan <freebendy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://curl.haxx.se/changes.html#7_60_0
Also refresh 0001-replace-krb5-config-with-pkg-config.patch and drop
configure_ac.patch, which we've apparently been dragging along
unnecessarily for the past 5 years:
https://github.com/curl/curl/commit/c277bd6ce7069819484eb3dc30b5858735fde377
(From OE-Core rev: 4063c1e4b233b28ae14420a83960fd93b437a4a4)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
| |
(From OE-Core rev: 4c1ed0a1a265add8d856a6d2c6f04562b975c180)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since v7.51.0, libidn2 is the only available option, libidn
support was dropped.
The configure option was renamed as of v7.53.0
Therefore, curl unconditionally tries to build against libidn2,
which in particular is a problem for curl-native, as that might
or might not build against the build-machine's libidn2 now,
which furthermore causes problems when trying to share sstate
between multiple build machines.
We therefore see the following in the config log:
...
checking whether to build with libidn2... (assumed) yes
...
checking for libidn2 options with pkg-config... no
configure: IDN_LIBS: "-lidn2"
configure: IDN_LDFLAGS: ""
configure: IDN_CPPFLAGS: ""
configure: IDN_DIR: ""
checking if idn2_lookup_ul can be linked... yes
checking idn2.h usability... yes
checking idn2.h presence... yes
checking for idn2.h... yes
...
IDN support: enabled (libidn2)
...
even though this recipe tries to disable that.
While libidn2 isn't available in OE, this change at least:
* prevents curl-native to silently build against libidn2 if
that is installed on build machine, even if not requested
* alerts people who use the PACKAGECONFIG option that it's
not actually doing what they intend to do
(From OE-Core rev: 705eaea991622bdbb2ee83eefa8df8e665e3efe4)
Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: 9763c9d649a22f9024d832eb625bee35b583e717)
Signed-off-by: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
1.Upgrade curl from 7.54.1 to 7.57.0.
2.Delete CVE-2017-1000099.patch, CVE-2017-1000100.patch, CVE-2017-1000101.patch, CVE-2017-1000254.patch, reproducible-mkhelp.patch, since it is integrated upstream.
3.Remove "do_install_append()" from curl_7.57.0.bb, since curl/curlbuild.h has been removed.
(From OE-Core rev: 215d5677004537fc190b5381157ac8b94db6d7e8)
Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Improve reproducible build of curl-dev and curl-dbg packages.
curl-dev: Correctly remove build host references from curl-config
curl-dbg: Do not generate time stamps in files generated by mkhelp.pl
(From OE-Core rev: 6bc323ac9315712e75a0282cddb292bc84afc6f1)
Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Porting patch from <https://github.com/curl/curl/commit/
5ff2c5ff25750aba1a8f64fbcad8e5b891512584> to solve CVE-2017-1000254.
(From OE-Core rev: 08f8d5db06647b94f96d655100c358047682dd2f)
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This build time option is needed to use the '--dns-interface' runtime
parameter to instruct 'curl' to use a specific interface for DNS
resolution.
Not enabled by default, as it depends on 'c-ares' package from
meta-openembedded (meta-networking).
(From OE-Core rev: 4fe0aa3791db0ee6c85e7a068f69def6e7c0da46)
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
With default --without-nghttp2 flag set there was no way to get
http2 protocol support using nghttp2 library. Instead moved it to
PACKAGECONFIG options
(From OE-Core rev: bcc8560300c8b1218b1f3709f5a7732e17fbfa46)
Signed-off-by: baali <shantanu@senic.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Backport upstream commits to fix:
- CVE-2017-1000099
https://curl.haxx.se/docs/adv_20170809C.html
https://curl.haxx.se/CVE-2017-1000099.patch
- CVE-2017-1000100
https://curl.haxx.se/docs/adv_20170809B.html
https://curl.haxx.se/CVE-2017-1000100.patch
- CVE-2017-1000101
https://curl.haxx.se/docs/adv_20170809A.html
https://curl.haxx.se/CVE-2017-1000101.patch
(From OE-Core rev: 2eb590bbeab4dbf2583a78fcbaf3723757116123)
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Multi-threaded applications using libcurl crash
on DNS timeouts when built using OE.
The reason is as follows:
By default, libcurl implements DNS timeouts using a
timer (alarm()) and a pair of setjmp()/longjmp().
This approach is unsafe in multi-threaded applications
for various reasons, as e.g. explained in the relevant
man-pages.
To avoid this, libcurl can be compiled with a built-in
threaded resolver, or against the c-ares asynchronous
resolver library.
To keep extra dependencies to a minimum, and to mimic
other distributions (debian at least), and because
c-ares is not available in OE-core, add a PACKAGECONFIG
to be able to enable use of of the built-in threaded
resolver and enable it by default.
(From OE-Core rev: 41f1e44fce976c4140cda62a41349e91e69d04ef)
Signed-off-by: André Draszik <adraszik@tycoint.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: 2f0b593eacf889486a75c715b823a8337bc3b109)
Signed-off-by: Oleksandr Kravchuk <oleksandr.kravchuk@pelagicore.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: cf0fe542b13e2bb64caeebb7d80a7642bbf8416c)
Signed-off-by: Oleksandr Kravchuk <oleksandr.kravchuk@pelagicore.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: f34ab1aae3c9cb2a4068ec684492df1a48f5cd4d)
Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: 8889426d822fb403db1c2263e88ed7608202aafa)
Signed-off-by: Oleksandr Kravchuk <oleksandr.kravchuk@pelagicore.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
| |
(From OE-Core rev: 0a1427bf9aeeda6bee2cc0af8da4ea5fd90aef6f)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: d4218bb468ab9485a0a0cb12b07cb1d96dc6326b)
Signed-off-by: Oleksandr Kravchuk <oleksandr.kravchuk@pelagicore.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
| |
This is 'libcurl' in NVD.
(From OE-Core rev: f5381da49ac781ef017a1b9816c00b512ca9c7c2)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CVE fixed in 7.51.0:
CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host
To see complete log access link bellow:
https://curl.haxx.se/changes.html#7_51_0
(From OE-Core rev: 0154ff997db8021f93e6ffe8f7a0627d7a1d9b89)
Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes 3 CVES:
CVE-2016-5419
CVE-2016-5420
CVE-2016-5421
(From OE-Core rev: 62157e2b31c206be40f95574bb205dae5e8e4b68)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: 638e648fdcba2f2a4fdf53747290a9a98ea0a86e)
Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|