| author | Yogita Urade <yogita.urade@windriver.com> | 2025-07-08 14:27:28 +0530 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-07-14 08:37:40 -0700 |
| commit | 580a1571c4bc7341bd19b067b9e5a8bc4194b627 (patch) | |
| tree | 133939d536f65e3700735d30d6a7efb5f572d2ab /meta/recipes-devtools/python/python3/avoid_warning_about_tkinter.patch | |
| parent | def97edcef31f0bfdea674de70684bcbd1b2e134 (diff) | |
| download | poky-580a1571c4bc7341bd19b067b9e5a8bc4194b627.tar.gz | |
curl: fix CVE-2024-11053

When asked to both use a `.netrc` file for credentials and to follow HTTP
redirects, curl could leak the password used for the first host to the
followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has an entry that matches
the redirect target hostname but the entry either omits just the password or
omits both login and password.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-11053
https://git.launchpad.net/ubuntu/+source/curl/diff/debian/patches/CVE-2024-11053-pre1.patch?id=2126676d86041cabd7b1aa302fc1fdf47989df95
https://git.launchpad.net/ubuntu/+source/curl/diff/debian/patches/CVE-2024-11053.patch?id=2126676d86041cabd7b1aa302fc1fdf47989df95

Upstream patch:
https://github.com/curl/curl/commit/9bee39bfed2c413b4cc4eb306a57ac92a1854907
https://github.com/curl/curl/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af31949

(From OE-Core rev: 87823ff05a4f90b42c138902639a59231fa17def)

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-devtools/python/python3/avoid_warning_about_tkinter.patch')
0 files changed, 0 insertions, 0 deletions
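
The precondition named in the commit message (a netrc entry that omits just the password, or both login and password) can be audited on hosts that still run an unpatched curl. The following is an added example, not part of this commit or of curl's code. It assumes a simplified netrc syntax (whitespace-separated tokens, no quoted values, no `macdef` blocks), and the function names and sample hosts are constructed for illustration.

```python
"""Added example: list netrc entries that meet the CVE-2024-11053 precondition."""

# Constructed sample netrc content (hosts and credentials are made up).
SAMPLE_NETRC = """\
machine a.example login alice password s3cret
machine b.example login bob
machine c.example
default login anonymous password guest
"""

KEYS = {"login", "password", "account"}


def parse_netrc(text):
    """Return [(machine, fields)] for each 'machine' entry.

    Assumption: tokens are whitespace-separated; quoting and macdef are
    not handled. 'default' entries end the current entry and are skipped,
    since the commit message speaks only of entries matching a hostname.
    """
    entries, current = [], None
    tokens = iter(text.split())
    for tok in tokens:
        if tok == "machine":
            current = (next(tokens, ""), {})
            entries.append(current)
        elif tok == "default":
            current = None
        elif tok in KEYS:
            value = next(tokens, "")  # always consume the value token
            if current is not None:
                current[1][tok] = value
    return entries


def risky_entries(text):
    """Hosts whose entry omits the password, or both login and password."""
    findings = []
    for machine, fields in parse_netrc(text):
        if "password" in fields:
            continue
        reason = "no password" if "login" in fields else "no login, no password"
        findings.append((machine, reason))
    return findings


if __name__ == "__main__":
    for host, reason in risky_entries(SAMPLE_NETRC):
        print(f"{host}: {reason}")
```
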
