curl: Add fix for CVE-2023-23914, CVE-2023-23915

Add below patches to fix CVE-2023-23914 [1], CVE-2023-23915 [2] CVE-2023-23914_5-1.patch CVE-2023-23914_5-2.patch CVE-2023-23914_5-3.patch CVE-2023-23914_5-4.patch CVE-2023-23914_5-5.patch [1] https://curl.se/docs/CVE-2023-23914.html [2] https://curl.se/docs/CVE-2023-23915.html (From OE-Core rev: c80ede99b60cfbb0e7b339e1a7dc9f082f0da1f3) Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> Signed-off-by: pawan <badganchipv@gmail.com> Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Pawan Badganchi <badganchipv@gmail.com> 2023-03-22 13:45:01 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-03-28 22:31:53 +0100
commit: 64eba948a9794c4f37d2473ad2bc3a17db2c3766 (patch)
tree: 404f3a0f2ed181ca57b34d1683b22cf8ab562cab
parent: 85661be8ff3623faf05525bc9f27a2457381f8e9 (diff)
download: poky-64eba948a9794c4f37d2473ad2bc3a17db2c3766.tar.gz
6 files changed, 519 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2023-23914_5-1.patch b/meta/recipes-support/curl/curl/CVE-2023-23914_5-1.patch
new file mode 100644
index 0000000000..d357cee76c
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-23914_5-1.patch
@@ -0,0 +1,280 @@
+From 076a2f629119222aeeb50f5a03bf9f9052fabb9a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 27 Dec 2022 11:50:20 +0100
+Subject: [PATCH] share: add sharing of HSTS cache among handles
+Closes #10138
+CVE: CVE-2023-23914 CVE-2023-23915
+Upstream-Status: Backport [https://github.com/curl/curl/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a]
+Comment: Refreshed hunk from hsts.c and urldata.h
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ include/curl/curl.h                 |  1 +
+ lib/hsts.c                          | 15 +++++++++
+ lib/hsts.h                          |  2 ++
+ lib/setopt.c                        | 48 ++++++++++++++++++++++++-----
+ lib/share.c                         | 32 +++++++++++++++++--
+ lib/share.h                         |  6 +++-
+ lib/transfer.c                      |  3 ++
+ lib/url.c                           |  6 +++-
+ lib/urldata.h                       |  2 ++
+ 9 files changed, 109 insertions(+), 11 deletions(-)
+--- a/include/curl/curl.h
+++ b/include/curl/curl.h
+@@ -2953,6 +2953,7 @@ typedef enum {
+   CURL_LOCK_DATA_SSL_SESSION,
+   CURL_LOCK_DATA_CONNECT,
+   CURL_LOCK_DATA_PSL,
+  CURL_LOCK_DATA_HSTS,
+   CURL_LOCK_DATA_LAST
+ } curl_lock_data;
+--- a/lib/hsts.c
+++ b/lib/hsts.c
+@@ -37,6 +37,7 @@
+ #include "parsedate.h"
+ #include "rand.h"
+ #include "rename.h"
+#include "share.h"
+ #include "strtoofft.h"
+ /* The last 3 #include files should be in this order */
+@@ -561,4 +562,18 @@
+   return CURLE_OK;
+ }
+void Curl_hsts_loadfiles(struct Curl_easy *data)
+{
+  struct curl_slist *l = data->set.hstslist;
+  if(l) {
+    Curl_share_lock(data, CURL_LOCK_DATA_HSTS, CURL_LOCK_ACCESS_SINGLE);
+
+    while(l) {
+      (void)Curl_hsts_loadfile(data, data->hsts, l->data);
+      l = l->next;
+    }
+    Curl_share_unlock(data, CURL_LOCK_DATA_HSTS);
+  }
+}
+
+ #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_HSTS */
+--- a/lib/hsts.h
+++ b/lib/hsts.h
+@@ -59,9 +59,11 @@ CURLcode Curl_hsts_loadfile(struct Curl_
+                             struct hsts *h, const char *file);
+ CURLcode Curl_hsts_loadcb(struct Curl_easy *data,
+                           struct hsts *h);
+void Curl_hsts_loadfiles(struct Curl_easy *data);
+ #else
+ #define Curl_hsts_cleanup(x)
+ #define Curl_hsts_loadcb(x,y) CURLE_OK
+ #define Curl_hsts_save(x,y,z)
+#define Curl_hsts_loadfiles(x)
+ #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_HSTS */
+ #endif /* HEADER_CURL_HSTS_H */
+--- a/lib/setopt.c
+++ b/lib/setopt.c
+@@ -2260,9 +2260,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *
+         data->cookies = NULL;
+ #endif
+#ifndef CURL_DISABLE_HSTS
+      if(data->share->hsts == data->hsts)
+        data->hsts = NULL;
+#endif
+#ifdef USE_SSL
+       if(data->share->sslsession == data->state.session)
+         data->state.session = NULL;
+-
+#endif
+ #ifdef USE_LIBPSL
+       if(data->psl == &data->share->psl)
+         data->psl = data->multi? &data->multi->psl: NULL;
+@@ -2296,10 +2301,19 @@ CURLcode Curl_vsetopt(struct Curl_easy *
+         data->cookies = data->share->cookies;
+       }
+ #endif   /* CURL_DISABLE_HTTP */
+#ifndef CURL_DISABLE_HSTS
+      if(data->share->hsts) {
+        /* first free the private one if any */
+        Curl_hsts_cleanup(&data->hsts);
+        data->hsts = data->share->hsts;
+      }
+#endif   /* CURL_DISABLE_HTTP */
+#ifdef USE_SSL
+       if(data->share->sslsession) {
+         data->set.general_ssl.max_ssl_sessions = data->share->max_ssl_sessions;
+         data->state.session = data->share->sslsession;
+       }
+#endif
+ #ifdef USE_LIBPSL
+       if(data->share->specifier & (1 << CURL_LOCK_DATA_PSL))
+         data->psl = &data->share->psl;
+@@ -3049,19 +3063,39 @@ CURLcode Curl_vsetopt(struct Curl_easy *
+   case CURLOPT_HSTSWRITEDATA:
+     data->set.hsts_write_userp = va_arg(param, void *);
+     break;
+-  case CURLOPT_HSTS:
+  case CURLOPT_HSTS: {
+    struct curl_slist *h;
+     if(!data->hsts) {
+       data->hsts = Curl_hsts_init();
+       if(!data->hsts)
+         return CURLE_OUT_OF_MEMORY;
+     }
+     argptr = va_arg(param, char *);
+-    result = Curl_setstropt(&data->set.str[STRING_HSTS], argptr);
+-    if(result)
+-      return result;
+-    if(argptr)
+-      (void)Curl_hsts_loadfile(data, data->hsts, argptr);
+    if(argptr) {
+      result = Curl_setstropt(&data->set.str[STRING_HSTS], argptr);
+      if(result)
+        return result;
+      /* this needs to build a list of file names to read from, so that it can
+         read them later, as we might get a shared HSTS handle to load them
+         into */
+      h = curl_slist_append(data->set.hstslist, argptr);
+      if(!h) {
+        curl_slist_free_all(data->set.hstslist);
+        data->set.hstslist = NULL;
+        return CURLE_OUT_OF_MEMORY;
+      }
+      data->set.hstslist = h; /* store the list for later use */
+    }
+    else {
+      /* clear the list of HSTS files */
+      curl_slist_free_all(data->set.hstslist);
+      data->set.hstslist = NULL;
+      if(!data->share || !data->share->hsts)
+        /* throw away the HSTS cache unless shared */
+        Curl_hsts_cleanup(&data->hsts);
+    }
+     break;
+  }
+   case CURLOPT_HSTS_CTRL:
+     arg = va_arg(param, long);
+     if(arg & CURLHSTS_ENABLE) {
+--- a/lib/share.c
+++ b/lib/share.c
+@@ -29,9 +29,11 @@
+ #include "share.h"
+ #include "psl.h"
+ #include "vtls/vtls.h"
+-#include "curl_memory.h"
+#include "hsts.h"
+-/* The last #include file should be: */
+/* The last 3 #include files should be in this order */
+#include "curl_printf.h"
+#include "curl_memory.h"
+ #include "memdebug.h"
+ struct Curl_share *
+@@ -89,6 +91,18 @@ curl_share_setopt(struct Curl_share *sha
+ #endif
+       break;
+    case CURL_LOCK_DATA_HSTS:
+#ifndef CURL_DISABLE_HSTS
+      if(!share->hsts) {
+        share->hsts = Curl_hsts_init();
+        if(!share->hsts)
+          res = CURLSHE_NOMEM;
+      }
+#else   /* CURL_DISABLE_HSTS */
+      res = CURLSHE_NOT_BUILT_IN;
+#endif
+      break;
+
+     case CURL_LOCK_DATA_SSL_SESSION:
+ #ifdef USE_SSL
+       if(!share->sslsession) {
+@@ -141,6 +155,16 @@ curl_share_setopt(struct Curl_share *sha
+ #endif
+       break;
+    case CURL_LOCK_DATA_HSTS:
+#ifndef CURL_DISABLE_HSTS
+      if(share->hsts) {
+        Curl_hsts_cleanup(&share->hsts);
+      }
+#else   /* CURL_DISABLE_HSTS */
+      res = CURLSHE_NOT_BUILT_IN;
+#endif
+      break;
+
+     case CURL_LOCK_DATA_SSL_SESSION:
+ #ifdef USE_SSL
+       Curl_safefree(share->sslsession);
+@@ -207,6 +231,10 @@ curl_share_cleanup(struct Curl_share *sh
+   Curl_cookie_cleanup(share->cookies);
+ #endif
+#ifndef CURL_DISABLE_HSTS
+  Curl_hsts_cleanup(&share->hsts);
+#endif
+
+ #ifdef USE_SSL
+   if(share->sslsession) {
+     size_t i;
+--- a/lib/share.h
+++ b/lib/share.h
+@@ -59,10 +59,14 @@ struct Curl_share {
+ #ifdef USE_LIBPSL
+   struct PslCache psl;
+ #endif
+-
+#ifndef CURL_DISABLE_HSTS
+  struct hsts *hsts;
+#endif
+#ifdef USE_SSL
+   struct Curl_ssl_session *sslsession;
+   size_t max_ssl_sessions;
+   long sessionage;
+#endif
+ };
+ CURLSHcode Curl_share_lock(struct Curl_easy *, curl_lock_data,
+--- a/lib/transfer.c
+++ b/lib/transfer.c
+@@ -1398,6 +1398,9 @@ CURLcode Curl_pretransfer(struct Curl_ea
+   if(data->state.resolve)
+     result = Curl_loadhostpairs(data);
+  /* If there is a list of hsts files to read */
+  Curl_hsts_loadfiles(data);
+
+   if(!result) {
+     /* Allow data->set.use_port to set which port to use. This needs to be
+      * disabled for example when we follow Location: headers to URLs using
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -434,7 +434,11 @@ CURLcode Curl_close(struct Curl_easy **d
+   Curl_altsvc_save(data, data->asi, data->set.str[STRING_ALTSVC]);
+   Curl_altsvc_cleanup(&data->asi);
+   Curl_hsts_save(data, data->hsts, data->set.str[STRING_HSTS]);
+-  Curl_hsts_cleanup(&data->hsts);
+#ifndef CURL_DISABLE_HSTS
+  if(!data->share || !data->share->hsts)
+    Curl_hsts_cleanup(&data->hsts);
+  curl_slist_free_all(data->set.hstslist); /* clean up list */
+#endif
+ #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH)
+   Curl_http_auth_cleanup_digest(data);
+ #endif
+--- a/lib/urldata.h
+++ b/lib/urldata.h
+@@ -1670,6 +1670,8 @@
+   void *seek_client;    /* pointer to pass to the seek callback */
+ #ifndef CURL_DISABLE_HSTS
+  struct curl_slist *hstslist; /* list of HSTS files set by
+                                  curl_easy_setopt(HSTS) calls */
+   curl_hstsread_callback hsts_read;
+   void *hsts_read_userp;
+   curl_hstswrite_callback hsts_write;
diff --git a/meta/recipes-support/curl/curl/CVE-2023-23914_5-2.patch b/meta/recipes-support/curl/curl/CVE-2023-23914_5-2.patch
new file mode 100644
index 0000000000..668972cb3f
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-23914_5-2.patch
@@ -0,0 +1,23 @@
+From 0bf8b796a0ea98395b390c7807187982215f5c11 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 27 Dec 2022 11:50:23 +0100
+Subject: [PATCH] tool_operate: share HSTS between handles
+CVE: CVE-2023-23914 CVE-2023-23915
+Upstream-Status: Backport [https://github.com/curl/curl/pull/10138/commits/ca17cfed2df001356cfe2841f166569bac0f5e8c]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ src/tool_operate.c | 1 +
+ 1 file changed, 1 insertion(+)
+--- a/src/tool_operate.c
+++ b/src/tool_operate.c
+@@ -2722,6 +2722,7 @@ CURLcode operate(struct GlobalConfig *gl
+         curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_SSL_SESSION);
+         curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_CONNECT);
+         curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_PSL);
+        curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_HSTS);
+         /* Get the required arguments for each operation */
+         do {
diff --git a/meta/recipes-support/curl/curl/CVE-2023-23914_5-3.patch b/meta/recipes-support/curl/curl/CVE-2023-23914_5-3.patch
new file mode 100644
index 0000000000..4422b26834
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-23914_5-3.patch
@@ -0,0 +1,45 @@
+From ca02a77f05bd5cef20618c8f741aa48b7be0a648 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 27 Dec 2022 11:50:23 +0100
+Subject: [PATCH] hsts: handle adding the same host name again
+It will then use the largest expire time of the two entries.
+CVE: CVE-2023-23914 CVE-2023-23915
+Upstream-Status: Backport [https://github.com/curl/curl/pull/10138/commits/e077b30a42272d964d76e5b815a0af7dc65d8360]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ lib/hsts.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+diff --git a/lib/hsts.c b/lib/hsts.c
+index 339237be1c621..8d6723ee587d2 100644
+--- a/lib/hsts.c
+++ b/lib/hsts.c
+@@ -426,14 +426,23 @@ static CURLcode hsts_add(struct hsts *h, char *line)
+   if(2 == rc) {
+     time_t expires = strcmp(date, UNLIMITED) ? Curl_getdate_capped(date) :
+       TIME_T_MAX;
+-    CURLcode result;
+    CURLcode result = CURLE_OK;
+     char *p = host;
+     bool subdomain = FALSE;
+    struct stsentry *e;
+     if(p[0] == '.') {
+       p++;
+       subdomain = TRUE;
+     }
+-    result = hsts_create(h, p, subdomain, expires);
+    /* only add it if not already present */
+    e = Curl_hsts(h, p, subdomain);
+    if(!e)
+      result = hsts_create(h, p, subdomain, expires);
+    else {
+      /* the same host name, use the largest expire time */
+      if(expires > e->expires)
+        e->expires = expires;
+    }
+     if(result)
+       return result;
+   }
diff --git a/meta/recipes-support/curl/curl/CVE-2023-23914_5-4.patch b/meta/recipes-support/curl/curl/CVE-2023-23914_5-4.patch
new file mode 100644
index 0000000000..865b3f93a5
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-23914_5-4.patch
@@ -0,0 +1,48 @@
+From dc0725244a3163f1e2d5f51165db3a1a430f3ba0 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 27 Dec 2022 11:50:23 +0100
+Subject: [PATCH] runtests: support crlf="yes" for verify/proxy
+CVE: CVE-2023-23914 CVE-2023-23915
+Upstream-Status: Backport [https://github.com/curl/curl/pull/10138/commits/fd7e1a557e414dd803c9225e37a2ca84e1df2269]
+Comment: Refreshed hunk from FILEFORMAT.md
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ tests/FILEFORMAT.md | 4 ++--
+ tests/runtests.pl   | 5 +++++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+--- a/tests/FILEFORMAT.md
+++ b/tests/FILEFORMAT.md
+@@ -540,14 +540,14 @@
+ One perl op per line that operates on the protocol dump. This is pretty
+ advanced. Example: `s/^EPRT .*/EPRT stripped/`.
+-### `<protocol [nonewline="yes"]>`
+### `<protocol [nonewline="yes"][crlf="yes"]>`
+ the protocol dump curl should transmit, if 'nonewline' is set, we will cut off
+ the trailing newline of this given data before comparing with the one actually
+ sent by the client The `<strip>` and `<strippart>` rules are applied before
+ comparisons are made.
+-### `<proxy [nonewline="yes"]>`
+### `<proxy [nonewline="yes"][crlf="yes"]>`
+ The protocol dump curl should transmit to a HTTP proxy (when the http-proxy
+ server is used), if 'nonewline' is set, we will cut off the trailing newline
+--- a/tests/runtests.pl
+++ b/tests/runtests.pl
+@@ -4744,6 +4744,11 @@ sub singletest {
+             }
+         }
+        if($hash{'crlf'} ||
+           ($has_hyper && ($keywords{"HTTP"} || $keywords{"HTTPS"}))) {
+            map subNewlines(0, \$_), @protstrip;
+        }
+
+         $res = compare($testnum, $testname, "proxy", \@out, \@protstrip);
+         if($res) {
+             return $errorreturncode;
diff --git a/meta/recipes-support/curl/curl/CVE-2023-23914_5-5.patch b/meta/recipes-support/curl/curl/CVE-2023-23914_5-5.patch
new file mode 100644
index 0000000000..1a363f0b4b
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-23914_5-5.patch
@@ -0,0 +1,118 @@
+From ea5aaaa5ede53819f8bc7ae767fc2d13d3704d37 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 27 Dec 2022 11:50:23 +0100
+Subject: [PATCH] test446: verify hsts with two URLs
+CVE: CVE-2023-23914 CVE-2023-23915
+Upstream-Status: Backport [https://github.com/curl/curl/pull/10138/commits/7e89dfd463597701dd1defcad7be54f7d3c9d55d]
+Comment: Refreshed hunk from Makefile.inc
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test446      | 84 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 85 insertions(+), 1 deletion(-)
+ create mode 100644 tests/data/test446
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 3a6356bd122bc..fe1bb1c74c2ab 100644
+--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
+@@ -72,6 +72,7 @@
+ \
+ test430 test431 test432 test433 test434 test435 test436 \
+ \
+test446 \
+ test490 test491 test492 test493 test494 \
+ \
+ test500 test501 test502 test503 test504 test505 test506 test507 test508 \
+diff --git a/tests/data/test446 b/tests/data/test446
+new file mode 100644
+index 0000000000000..0e2dfdcfe33b6
+--- /dev/null
+++ b/tests/data/test446
+@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP proxy
+HSTS
+trailing-dot
+</keywords>
+</info>
+
+<reply>
+
+# we use this as response to a CONNECT
+<connect nocheck="yes">
+HTTP/1.1 200 OK
+
+</connect>
+<data crlf="yes">
+HTTP/1.1 200 OK
+Content-Length: 6
+Strict-Transport-Security: max-age=604800
+
+-foo-
+</data>
+<data2 crlf="yes">
+HTTP/1.1 200 OK
+Content-Length: 6
+Strict-Transport-Security: max-age=6048000
+
+-baa-
+</data2>
+</reply>
+
+<client>
+<server>
+https
+http-proxy
+</server>
+<features>
+HSTS
+proxy
+https
+debug
+</features>
+<setenv>
+CURL_HSTS_HTTP=yes
+CURL_TIME=2000000000
+</setenv>
+
+<name>
+HSTS with two URLs
+</name>
+<command>
+-x http://%HOSTIP:%PROXYPORT --hsts log/hsts%TESTNUMBER http://this.hsts.example./%TESTNUMBER http://another.example.com/%TESTNUMBER0002
+</command>
+</client>
+
+<verify>
+# we let it CONNECT to the server to confirm HSTS but deny from there
+<proxy crlf="yes">
+GET http://this.hsts.example./%TESTNUMBER HTTP/1.1
+Host: this.hsts.example.
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+GET http://another.example.com/%TESTNUMBER0002 HTTP/1.1
+Host: another.example.com
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+</proxy>
+
+<file name="log/hsts%TESTNUMBER" mode="text">
+# Your HSTS cache. https://curl.se/docs/hsts.html
+# This file was generated by libcurl! Edit at your own risk.
+this.hsts.example "20330525 03:33:20"
+another.example.com "20330727 03:33:20"
+</file>
+
+</verify>
+</testcase>
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index b08af29059..b583060889 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -34,6 +34,11 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
           file://CVE-2022-42915.patch \
           file://CVE-2022-43551.patch \
           file://CVE-2022-43552.patch \
+           file://CVE-2023-23914_5-1.patch \
+           file://CVE-2023-23914_5-2.patch \
+           file://CVE-2023-23914_5-3.patch \
+           file://CVE-2023-23914_5-4.patch \
+           file://CVE-2023-23914_5-5.patch \
           "
 SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
author	Pawan Badganchi <badganchipv@gmail.com>	2023-03-22 13:45:01 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-03-28 22:31:53 +0100
commit	64eba948a9794c4f37d2473ad2bc3a17db2c3766 (patch)
tree	404f3a0f2ed181ca57b34d1683b22cf8ab562cab
parent	85661be8ff3623faf05525bc9f27a2457381f8e9 (diff)
download	poky-64eba948a9794c4f37d2473ad2bc3a17db2c3766.tar.gz

diff --git a/meta/recipes-support/curl/curl/CVE-2023-23914_5-1.patch b/meta/recipes-support/curl/curl/CVE-2023-23914_5-1.patch new file mode 100644 index 0000000000..d357cee76c --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-23914_5-1.patch
@@ -0,0 +1,280 @@
		1	From 076a2f629119222aeeb50f5a03bf9f9052fabb9a Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Tue, 27 Dec 2022 11:50:20 +0100
		4	Subject: [PATCH] share: add sharing of HSTS cache among handles
		5
		6	Closes #10138
		7
		8	CVE: CVE-2023-23914 CVE-2023-23915
		9	Upstream-Status: Backport [https://github.com/curl/curl/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a]
		10	Comment: Refreshed hunk from hsts.c and urldata.h
		11	Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
		12	Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
		13	---
		14	include/curl/curl.h \| 1 +
		15	lib/hsts.c \| 15 +++++++++
		16	lib/hsts.h \| 2 ++
		17	lib/setopt.c \| 48 ++++++++++++++++++++++++-----
		18	lib/share.c \| 32 +++++++++++++++++--
		19	lib/share.h \| 6 +++-
		20	lib/transfer.c \| 3 ++
		21	lib/url.c \| 6 +++-
		22	lib/urldata.h \| 2 ++
		23	9 files changed, 109 insertions(+), 11 deletions(-)
		24
		25	--- a/include/curl/curl.h
		26	+++ b/include/curl/curl.h
		27	@@ -2953,6 +2953,7 @@ typedef enum {
		28	CURL_LOCK_DATA_SSL_SESSION,
		29	CURL_LOCK_DATA_CONNECT,
		30	CURL_LOCK_DATA_PSL,
		31	+ CURL_LOCK_DATA_HSTS,
		32	CURL_LOCK_DATA_LAST
		33	} curl_lock_data;
		34
		35	--- a/lib/hsts.c
		36	+++ b/lib/hsts.c
		37	@@ -37,6 +37,7 @@
		38	#include "parsedate.h"
		39	#include "rand.h"
		40	#include "rename.h"
		41	+#include "share.h"
		42	#include "strtoofft.h"
		43
		44	/* The last 3 #include files should be in this order */
		45	@@ -561,4 +562,18 @@
		46	return CURLE_OK;
		47	}
		48
		49	+void Curl_hsts_loadfiles(struct Curl_easy *data)
		50	+{
		51	+ struct curl_slist *l = data->set.hstslist;
		52	+ if(l) {
		53	+ Curl_share_lock(data, CURL_LOCK_DATA_HSTS, CURL_LOCK_ACCESS_SINGLE);
		54	+
		55	+ while(l) {
		56	+ (void)Curl_hsts_loadfile(data, data->hsts, l->data);
		57	+ l = l->next;
		58	+ }
		59	+ Curl_share_unlock(data, CURL_LOCK_DATA_HSTS);
		60	+ }
		61	+}
		62	+
		63	#endif /* CURL_DISABLE_HTTP \|\| CURL_DISABLE_HSTS */
		64	--- a/lib/hsts.h
		65	+++ b/lib/hsts.h
		66	@@ -59,9 +59,11 @@ CURLcode Curl_hsts_loadfile(struct Curl_
		67	struct hsts h, const char file);
		68	CURLcode Curl_hsts_loadcb(struct Curl_easy *data,
		69	struct hsts *h);
		70	+void Curl_hsts_loadfiles(struct Curl_easy *data);
		71	#else
		72	#define Curl_hsts_cleanup(x)
		73	#define Curl_hsts_loadcb(x,y) CURLE_OK
		74	#define Curl_hsts_save(x,y,z)
		75	+#define Curl_hsts_loadfiles(x)
		76	#endif /* CURL_DISABLE_HTTP \|\| CURL_DISABLE_HSTS */
		77	#endif /* HEADER_CURL_HSTS_H */
		78	--- a/lib/setopt.c
		79	+++ b/lib/setopt.c
		80	@@ -2260,9 +2260,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *
		81	data->cookies = NULL;
		82	#endif
		83
		84	+#ifndef CURL_DISABLE_HSTS
		85	+ if(data->share->hsts == data->hsts)
		86	+ data->hsts = NULL;
		87	+#endif
		88	+#ifdef USE_SSL
		89	if(data->share->sslsession == data->state.session)
		90	data->state.session = NULL;
		91	-
		92	+#endif
		93	#ifdef USE_LIBPSL
		94	if(data->psl == &data->share->psl)
		95	data->psl = data->multi? &data->multi->psl: NULL;
		96	@@ -2296,10 +2301,19 @@ CURLcode Curl_vsetopt(struct Curl_easy *
		97	data->cookies = data->share->cookies;
		98	}
		99	#endif /* CURL_DISABLE_HTTP */
		100	+#ifndef CURL_DISABLE_HSTS
		101	+ if(data->share->hsts) {
		102	+ /* first free the private one if any */
		103	+ Curl_hsts_cleanup(&data->hsts);
		104	+ data->hsts = data->share->hsts;
		105	+ }
		106	+#endif /* CURL_DISABLE_HTTP */
		107	+#ifdef USE_SSL
		108	if(data->share->sslsession) {
		109	data->set.general_ssl.max_ssl_sessions = data->share->max_ssl_sessions;
		110	data->state.session = data->share->sslsession;
		111	}
		112	+#endif
		113	#ifdef USE_LIBPSL
		114	if(data->share->specifier & (1 << CURL_LOCK_DATA_PSL))
		115	data->psl = &data->share->psl;
		116	@@ -3049,19 +3063,39 @@ CURLcode Curl_vsetopt(struct Curl_easy *
		117	case CURLOPT_HSTSWRITEDATA:
		118	data->set.hsts_write_userp = va_arg(param, void *);
		119	break;
		120	- case CURLOPT_HSTS:
		121	+ case CURLOPT_HSTS: {
		122	+ struct curl_slist *h;
		123	if(!data->hsts) {
		124	data->hsts = Curl_hsts_init();
		125	if(!data->hsts)
		126	return CURLE_OUT_OF_MEMORY;
		127	}
		128	argptr = va_arg(param, char *);
		129	- result = Curl_setstropt(&data->set.str[STRING_HSTS], argptr);
		130	- if(result)
		131	- return result;
		132	- if(argptr)
		133	- (void)Curl_hsts_loadfile(data, data->hsts, argptr);
		134	+ if(argptr) {
		135	+ result = Curl_setstropt(&data->set.str[STRING_HSTS], argptr);
		136	+ if(result)
		137	+ return result;
		138	+ /* this needs to build a list of file names to read from, so that it can
		139	+ read them later, as we might get a shared HSTS handle to load them
		140	+ into */
		141	+ h = curl_slist_append(data->set.hstslist, argptr);
		142	+ if(!h) {
		143	+ curl_slist_free_all(data->set.hstslist);
		144	+ data->set.hstslist = NULL;
		145	+ return CURLE_OUT_OF_MEMORY;
		146	+ }
		147	+ data->set.hstslist = h; /* store the list for later use */
		148	+ }
		149	+ else {
		150	+ /* clear the list of HSTS files */
		151	+ curl_slist_free_all(data->set.hstslist);
		152	+ data->set.hstslist = NULL;
		153	+ if(!data->share \|\| !data->share->hsts)
		154	+ /* throw away the HSTS cache unless shared */
		155	+ Curl_hsts_cleanup(&data->hsts);
		156	+ }
		157	break;
		158	+ }
		159	case CURLOPT_HSTS_CTRL:
		160	arg = va_arg(param, long);
		161	if(arg & CURLHSTS_ENABLE) {
		162	--- a/lib/share.c
		163	+++ b/lib/share.c
		164	@@ -29,9 +29,11 @@
		165	#include "share.h"
		166	#include "psl.h"
		167	#include "vtls/vtls.h"
		168	-#include "curl_memory.h"
		169	+#include "hsts.h"
		170
		171	-/* The last #include file should be: */
		172	+/* The last 3 #include files should be in this order */
		173	+#include "curl_printf.h"
		174	+#include "curl_memory.h"
		175	#include "memdebug.h"
		176
		177	struct Curl_share *
		178	@@ -89,6 +91,18 @@ curl_share_setopt(struct Curl_share *sha
		179	#endif
		180	break;
		181
		182	+ case CURL_LOCK_DATA_HSTS:
		183	+#ifndef CURL_DISABLE_HSTS
		184	+ if(!share->hsts) {
		185	+ share->hsts = Curl_hsts_init();
		186	+ if(!share->hsts)
		187	+ res = CURLSHE_NOMEM;
		188	+ }
		189	+#else /* CURL_DISABLE_HSTS */
		190	+ res = CURLSHE_NOT_BUILT_IN;
		191	+#endif
		192	+ break;
		193	+
		194	case CURL_LOCK_DATA_SSL_SESSION:
		195	#ifdef USE_SSL
		196	if(!share->sslsession) {
		197	@@ -141,6 +155,16 @@ curl_share_setopt(struct Curl_share *sha
		198	#endif
		199	break;
		200
		201	+ case CURL_LOCK_DATA_HSTS:
		202	+#ifndef CURL_DISABLE_HSTS
		203	+ if(share->hsts) {
		204	+ Curl_hsts_cleanup(&share->hsts);
		205	+ }
		206	+#else /* CURL_DISABLE_HSTS */
		207	+ res = CURLSHE_NOT_BUILT_IN;
		208	+#endif
		209	+ break;
		210	+
		211	case CURL_LOCK_DATA_SSL_SESSION:
		212	#ifdef USE_SSL
		213	Curl_safefree(share->sslsession);
		214	@@ -207,6 +231,10 @@ curl_share_cleanup(struct Curl_share *sh
		215	Curl_cookie_cleanup(share->cookies);
		216	#endif
		217
		218	+#ifndef CURL_DISABLE_HSTS
		219	+ Curl_hsts_cleanup(&share->hsts);
		220	+#endif
		221	+
		222	#ifdef USE_SSL
		223	if(share->sslsession) {
		224	size_t i;
		225	--- a/lib/share.h
		226	+++ b/lib/share.h
		227	@@ -59,10 +59,14 @@ struct Curl_share {
		228	#ifdef USE_LIBPSL
		229	struct PslCache psl;
		230	#endif
		231	-
		232	+#ifndef CURL_DISABLE_HSTS
		233	+ struct hsts *hsts;
		234	+#endif
		235	+#ifdef USE_SSL
		236	struct Curl_ssl_session *sslsession;
		237	size_t max_ssl_sessions;
		238	long sessionage;
		239	+#endif
		240	};
		241
		242	CURLSHcode Curl_share_lock(struct Curl_easy *, curl_lock_data,
		243	--- a/lib/transfer.c
		244	+++ b/lib/transfer.c
		245	@@ -1398,6 +1398,9 @@ CURLcode Curl_pretransfer(struct Curl_ea
		246	if(data->state.resolve)
		247	result = Curl_loadhostpairs(data);
		248
		249	+ /* If there is a list of hsts files to read */
		250	+ Curl_hsts_loadfiles(data);
		251	+
		252	if(!result) {
		253	/* Allow data->set.use_port to set which port to use. This needs to be
		254	* disabled for example when we follow Location: headers to URLs using
		255	--- a/lib/url.c
		256	+++ b/lib/url.c
		257	@@ -434,7 +434,11 @@ CURLcode Curl_close(struct Curl_easy **d
		258	Curl_altsvc_save(data, data->asi, data->set.str[STRING_ALTSVC]);
		259	Curl_altsvc_cleanup(&data->asi);
		260	Curl_hsts_save(data, data->hsts, data->set.str[STRING_HSTS]);
		261	- Curl_hsts_cleanup(&data->hsts);
		262	+#ifndef CURL_DISABLE_HSTS
		263	+ if(!data->share \|\| !data->share->hsts)
		264	+ Curl_hsts_cleanup(&data->hsts);
		265	+ curl_slist_free_all(data->set.hstslist); /* clean up list */
		266	+#endif
		267	#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH)
		268	Curl_http_auth_cleanup_digest(data);
		269	#endif
		270	--- a/lib/urldata.h
		271	+++ b/lib/urldata.h
		272	@@ -1670,6 +1670,8 @@
		273
		274	void seek_client; / pointer to pass to the seek callback */
		275	#ifndef CURL_DISABLE_HSTS
		276	+ struct curl_slist hstslist; / list of HSTS files set by
		277	+ curl_easy_setopt(HSTS) calls */
		278	curl_hstsread_callback hsts_read;
		279	void *hsts_read_userp;
		280	curl_hstswrite_callback hsts_write;


diff --git a/meta/recipes-support/curl/curl/CVE-2023-23914_5-2.patch b/meta/recipes-support/curl/curl/CVE-2023-23914_5-2.patch new file mode 100644 index 0000000000..668972cb3f --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-23914_5-2.patch
@@ -0,0 +1,23 @@
		1	From 0bf8b796a0ea98395b390c7807187982215f5c11 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Tue, 27 Dec 2022 11:50:23 +0100
		4	Subject: [PATCH] tool_operate: share HSTS between handles
		5
		6	CVE: CVE-2023-23914 CVE-2023-23915
		7	Upstream-Status: Backport [https://github.com/curl/curl/pull/10138/commits/ca17cfed2df001356cfe2841f166569bac0f5e8c]
		8	Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
		9	Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
		10	---
		11	src/tool_operate.c \| 1 +
		12	1 file changed, 1 insertion(+)
		13
		14	--- a/src/tool_operate.c
		15	+++ b/src/tool_operate.c
		16	@@ -2722,6 +2722,7 @@ CURLcode operate(struct GlobalConfig *gl
		17	curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_SSL_SESSION);
		18	curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_CONNECT);
		19	curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_PSL);
		20	+ curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_HSTS);
		21
		22	/* Get the required arguments for each operation */
		23	do {


diff --git a/meta/recipes-support/curl/curl/CVE-2023-23914_5-3.patch b/meta/recipes-support/curl/curl/CVE-2023-23914_5-3.patch new file mode 100644 index 0000000000..4422b26834 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-23914_5-3.patch
@@ -0,0 +1,45 @@
		1	From ca02a77f05bd5cef20618c8f741aa48b7be0a648 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Tue, 27 Dec 2022 11:50:23 +0100
		4	Subject: [PATCH] hsts: handle adding the same host name again
		5
		6	It will then use the largest expire time of the two entries.
		7
		8	CVE: CVE-2023-23914 CVE-2023-23915
		9	Upstream-Status: Backport [https://github.com/curl/curl/pull/10138/commits/e077b30a42272d964d76e5b815a0af7dc65d8360]
		10	Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
		11	Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
		12	---
		13	lib/hsts.c \| 13 +++++++++++--
		14	1 file changed, 11 insertions(+), 2 deletions(-)
		15
		16	diff --git a/lib/hsts.c b/lib/hsts.c
		17	index 339237be1c621..8d6723ee587d2 100644
		18	--- a/lib/hsts.c
		19	+++ b/lib/hsts.c
		20	@@ -426,14 +426,23 @@ static CURLcode hsts_add(struct hsts h, char line)
		21	if(2 == rc) {
		22	time_t expires = strcmp(date, UNLIMITED) ? Curl_getdate_capped(date) :
		23	TIME_T_MAX;
		24	- CURLcode result;
		25	+ CURLcode result = CURLE_OK;
		26	char *p = host;
		27	bool subdomain = FALSE;
		28	+ struct stsentry *e;
		29	if(p[0] == '.') {
		30	p++;
		31	subdomain = TRUE;
		32	}
		33	- result = hsts_create(h, p, subdomain, expires);
		34	+ /* only add it if not already present */
		35	+ e = Curl_hsts(h, p, subdomain);
		36	+ if(!e)
		37	+ result = hsts_create(h, p, subdomain, expires);
		38	+ else {
		39	+ /* the same host name, use the largest expire time */
		40	+ if(expires > e->expires)
		41	+ e->expires = expires;
		42	+ }
		43	if(result)
		44	return result;
		45	}


diff --git a/meta/recipes-support/curl/curl/CVE-2023-23914_5-4.patch b/meta/recipes-support/curl/curl/CVE-2023-23914_5-4.patch new file mode 100644 index 0000000000..865b3f93a5 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-23914_5-4.patch
@@ -0,0 +1,48 @@
		1	From dc0725244a3163f1e2d5f51165db3a1a430f3ba0 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Tue, 27 Dec 2022 11:50:23 +0100
		4	Subject: [PATCH] runtests: support crlf="yes" for verify/proxy
		5
		6	CVE: CVE-2023-23914 CVE-2023-23915
		7	Upstream-Status: Backport [https://github.com/curl/curl/pull/10138/commits/fd7e1a557e414dd803c9225e37a2ca84e1df2269]
		8	Comment: Refreshed hunk from FILEFORMAT.md
		9	Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
		10	Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
		11	---
		12	tests/FILEFORMAT.md \| 4 ++--
		13	tests/runtests.pl \| 5 +++++
		14	2 files changed, 7 insertions(+), 2 deletions(-)
		15
		16	--- a/tests/FILEFORMAT.md
		17	+++ b/tests/FILEFORMAT.md
		18	@@ -540,14 +540,14 @@
		19	One perl op per line that operates on the protocol dump. This is pretty
		20	advanced. Example: `s/^EPRT .*/EPRT stripped/`.
		21
		22	-### `<protocol [nonewline="yes"]>`
		23	+### `<protocol [nonewline="yes"][crlf="yes"]>`
		24
		25	the protocol dump curl should transmit, if 'nonewline' is set, we will cut off
		26	the trailing newline of this given data before comparing with the one actually
		27	sent by the client The `<strip>` and `<strippart>` rules are applied before
		28	comparisons are made.
		29
		30	-### `<proxy [nonewline="yes"]>`
		31	+### `<proxy [nonewline="yes"][crlf="yes"]>`
		32
		33	The protocol dump curl should transmit to a HTTP proxy (when the http-proxy
		34	server is used), if 'nonewline' is set, we will cut off the trailing newline
		35	--- a/tests/runtests.pl
		36	+++ b/tests/runtests.pl
		37	@@ -4744,6 +4744,11 @@ sub singletest {
		38	}
		39	}
		40
		41	+ if($hash{'crlf'} \|\|
		42	+ ($has_hyper && ($keywords{"HTTP"} \|\| $keywords{"HTTPS"}))) {
		43	+ map subNewlines(0, \$_), @protstrip;
		44	+ }
		45	+
		46	$res = compare($testnum, $testname, "proxy", \@out, \@protstrip);
		47	if($res) {
		48	return $errorreturncode;


diff --git a/meta/recipes-support/curl/curl/CVE-2023-23914_5-5.patch b/meta/recipes-support/curl/curl/CVE-2023-23914_5-5.patch new file mode 100644 index 0000000000..1a363f0b4b --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-23914_5-5.patch
@@ -0,0 +1,118 @@
		1	From ea5aaaa5ede53819f8bc7ae767fc2d13d3704d37 Mon Sep 17 00:00:00 2001
		2	From: Daniel Stenberg <daniel@haxx.se>
		3	Date: Tue, 27 Dec 2022 11:50:23 +0100
		4	Subject: [PATCH] test446: verify hsts with two URLs
		5
		6	CVE: CVE-2023-23914 CVE-2023-23915
		7	Upstream-Status: Backport [https://github.com/curl/curl/pull/10138/commits/7e89dfd463597701dd1defcad7be54f7d3c9d55d]
		8	Comment: Refreshed hunk from Makefile.inc
		9	Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
		10	Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
		11	---
		12	tests/data/Makefile.inc \| 2 +-
		13	tests/data/test446 \| 84 +++++++++++++++++++++++++++++++++++++++++
		14	2 files changed, 85 insertions(+), 1 deletion(-)
		15	create mode 100644 tests/data/test446
		16
		17	diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
		18	index 3a6356bd122bc..fe1bb1c74c2ab 100644
		19	--- a/tests/data/Makefile.inc
		20	+++ b/tests/data/Makefile.inc
		21	@@ -72,6 +72,7 @@
		22	\
		23	test430 test431 test432 test433 test434 test435 test436 \
		24	\
		25	+test446 \
		26	test490 test491 test492 test493 test494 \
		27	\
		28	test500 test501 test502 test503 test504 test505 test506 test507 test508 \
		29	diff --git a/tests/data/test446 b/tests/data/test446
		30	new file mode 100644
		31	index 0000000000000..0e2dfdcfe33b6
		32	--- /dev/null
		33	+++ b/tests/data/test446
		34	@@ -0,0 +1,84 @@
		35	+<?xml version="1.0" encoding="ISO-8859-1"?>
		36	+<testcase>
		37	+<info>
		38	+<keywords>
		39	+HTTP
		40	+HTTP proxy
		41	+HSTS
		42	+trailing-dot
		43	+</keywords>
		44	+</info>
		45	+
		46	+<reply>
		47	+
		48	+# we use this as response to a CONNECT
		49	+<connect nocheck="yes">
		50	+HTTP/1.1 200 OK
		51	+
		52	+</connect>
		53	+<data crlf="yes">
		54	+HTTP/1.1 200 OK
		55	+Content-Length: 6
		56	+Strict-Transport-Security: max-age=604800
		57	+
		58	+-foo-
		59	+</data>
		60	+<data2 crlf="yes">
		61	+HTTP/1.1 200 OK
		62	+Content-Length: 6
		63	+Strict-Transport-Security: max-age=6048000
		64	+
		65	+-baa-
		66	+</data2>
		67	+</reply>
		68	+
		69	+<client>
		70	+<server>
		71	+https
		72	+http-proxy
		73	+</server>
		74	+<features>
		75	+HSTS
		76	+proxy
		77	+https
		78	+debug
		79	+</features>
		80	+<setenv>
		81	+CURL_HSTS_HTTP=yes
		82	+CURL_TIME=2000000000
		83	+</setenv>
		84	+
		85	+<name>
		86	+HSTS with two URLs
		87	+</name>
		88	+<command>
		89	+-x http://%HOSTIP:%PROXYPORT --hsts log/hsts%TESTNUMBER http://this.hsts.example./%TESTNUMBER http://another.example.com/%TESTNUMBER0002
		90	+</command>
		91	+</client>
		92	+
		93	+<verify>
		94	+# we let it CONNECT to the server to confirm HSTS but deny from there
		95	+<proxy crlf="yes">
		96	+GET http://this.hsts.example./%TESTNUMBER HTTP/1.1
		97	+Host: this.hsts.example.
		98	+User-Agent: curl/%VERSION
		99	+Accept: /
		100	+Proxy-Connection: Keep-Alive
		101	+
		102	+GET http://another.example.com/%TESTNUMBER0002 HTTP/1.1
		103	+Host: another.example.com
		104	+User-Agent: curl/%VERSION
		105	+Accept: /
		106	+Proxy-Connection: Keep-Alive
		107	+
		108	+</proxy>
		109	+
		110	+<file name="log/hsts%TESTNUMBER" mode="text">
		111	+# Your HSTS cache. https://curl.se/docs/hsts.html
		112	+# This file was generated by libcurl! Edit at your own risk.
		113	+this.hsts.example "20330525 03:33:20"
		114	+another.example.com "20330727 03:33:20"
		115	+</file>
		116	+
		117	+</verify>
		118	+</testcase>


diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index b08af29059..b583060889 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -34,6 +34,11 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
34	file://CVE-2022-42915.patch \	34	file://CVE-2022-42915.patch \
35	file://CVE-2022-43551.patch \	35	file://CVE-2022-43551.patch \
36	file://CVE-2022-43552.patch \	36	file://CVE-2022-43552.patch \
		37	file://CVE-2023-23914_5-1.patch \
		38	file://CVE-2023-23914_5-2.patch \
		39	file://CVE-2023-23914_5-3.patch \
		40	file://CVE-2023-23914_5-4.patch \
		41	file://CVE-2023-23914_5-5.patch \
37	"	42	"
38	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"	43	SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
39		44