author | Yogita Urade <yogita.urade@windriver.com> | 2025-04-22 11:48:14 +0000 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2025-04-28 08:18:53 -0700 |
commit | 2e67952192f95cd7465c5c795e5d420aba8c9827 (patch) | |
tree | 71c400f0446776efdd483babb4040d0d00d0b251 /scripts/lib/wic/plugins/source/bootimg-efi.py | |
parent | f8ca40f3d1c504e065dc4e52bc059ef438d754eb (diff) | |
download | poky-2e67952192f95cd7465c5c795e5d420aba8c9827.tar.gz |
curl: fix CVE-2024-11053

When asked to both use a `.netrc` file for credentials and to
follow HTTP redirects, curl could leak the password used for
the first host to the followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has an entry
that matches the redirect target hostname but the entry either
omits just the password or omits both login and password.

CVE-2024-11053-0001 is the dependent commit, CVE-2024-11053-0002 is
the actual CVE fix, and the actual fix caused a regression that was fixed
by CVE-2024-11053-0003.

Reference:
https://curl.se/docs/CVE-2024-11053.html
https://git.launchpad.net/ubuntu/+source/curl/commit/?h=applied/ubuntu/noble-devel&id=9ea469c352a313104f750dea93e78df8d868c435

Upstream patches:
https://github.com/curl/curl/commit/9bee39bfed2c413b4cc4eb306a57ac92a1854907
https://github.com/curl/curl/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af3194
https://github.com/curl/curl/commit/9fce2c55d4b0273ac99b59bd8cb982a6d96b88cf

(From OE-Core rev: 084d8ca3b47b47333edba87f6aa427a12ee574f2)

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'scripts/lib/wic/plugins/source/bootimg-efi.py')
0 files changed, 0 insertions, 0 deletions
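
The commit message gives the precondition for CVE-2024-11053: a netrc entry that matches the redirect target but omits the password, or omits both login and password. As an added example (not part of this commit or of curl), the following Python lists such entries in a netrc file so they can be completed or removed on systems still running an unpatched curl. The function names, the simplified whitespace tokenizer (no quoted values) and the sample file are assumptions made for the example.

```python
# Added example: audit a netrc file for entries matching the CVE-2024-11053
# precondition (entry without a password, or without login and password).
# Assumption: tokens are whitespace-separated; quoted values are not handled.

KEYWORDS = ("machine", "login", "password", "account")

def parse_netrc(text):
    """Return one dict per 'machine' or 'default' entry, in file order."""
    entries, current, pending, in_macro = [], None, None, False
    for line in text.splitlines():
        if in_macro:
            in_macro = bool(line.strip())  # a macdef body ends at a blank line
            continue
        for tok in line.split():
            if pending:                    # previous token was a keyword
                if pending == "machine":
                    current = {"machine": tok}
                    entries.append(current)
                elif current is not None:
                    current[pending] = tok
                pending = None
            elif tok == "default":
                current = {"machine": "default"}
                entries.append(current)
            elif tok == "macdef":
                in_macro = True            # skip macro name and body
                break
            elif tok in KEYWORDS:
                pending = tok
    return entries

def risky_entries(text):
    """Return (machine, reason) for every entry that lacks a password."""
    found = []
    for entry in parse_netrc(text):
        if "password" not in entry:
            reason = "no password" if "login" in entry else "no login, no password"
            found.append((entry["machine"], reason))
    return found

# Constructed sample netrc content, not taken from any real system.
SAMPLE = """\
machine a.example login alice password s3cret
machine b.example login bob
machine c.example
default login anonymous password guest
"""

if __name__ == "__main__":
    for machine, reason in risky_entries(SAMPLE):
        print(f"{machine}: {reason}")
```
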