curl: fix CVE-2025-10148 - linux/poky.git - Mirror of git.yoctoproject.org/poky

diff options

author	Yogita Urade <yogita.urade@windriver.com>	2025-09-24 13:56:56 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-09-25 12:25:51 -0700
commit	2fdaf43bcb7f19179dda24cef24216895dfce1b1 (patch)
tree	000151f2165de84b9fdb1c7ac082646ac8ea234a /scripts/lib/checklayer/__init__.py
parent	96c7bfd6793bf4282337e101abc10bcb8be38436 (diff)
download	poky-2fdaf43bcb7f19179dda24cef24216895dfce1b1.tar.gz

curl: fix CVE-2025-10148

curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-10148 Upstream patch: https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa (From OE-Core rev: 83420a408551688ebb298b88b16d2e384e9b7bfd) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>

Diffstat (limited to 'scripts/lib/checklayer/__init__.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: