Message ID | 4f33b3435349660c4e3f2b444104442e6a9498b1.1502386545.git.baruch@tkos.co.il |
---|---|
State | Accepted |

On 10-08-17 19:35, Baruch Siach wrote:
> Fixes:
>
> glob: do not parse after a strtoul() overflow range (CVE-2017-1000101)
> tftp: reject file name lengths that don't fit (CVE-2017-1000100)
> file: output the correct buffer to the user (CVE-2017-1000099)
>
> Switch to .tar.xz to save bandwidth.
>
> Add reference to tarball signature.

Nice!

> Signed-off-by: Baruch Siach <baruch@tkos.co.il>

Applied to master, thanks.

Regards,
Arnout

>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:

 > Fixes:
 > glob: do not parse after a strtoul() overflow range (CVE-2017-1000101)
 > tftp: reject file name lengths that don't fit (CVE-2017-1000100)
 > file: output the correct buffer to the user (CVE-2017-1000099)

 > Switch to .tar.xz to save bandwidth.

 > Add reference to tarball signature.

 > Signed-off-by: Baruch Siach <baruch@tkos.co.il>

Committed to 2017.02.x, thanks.

diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash index 1b8d80fc9662..6d49b6742830 100644 --- a/package/libcurl/libcurl.hash +++ b/package/libcurl/libcurl.hash @@ -1,2 +1,3 @@ # Locally calculated after checking pgp signature -sha256 fdfc4df2d001ee0c44ec071186e770046249263c491fcae48df0e1a3ca8f25a0 curl-7.54.1.tar.bz2 +# https://curl.haxx.se/download/curl-7.55.0.tar.xz.asc +sha256 cdd58522f8607fd4e871df79d73acb3155075e2134641e5adab12a0962df059d curl-7.55.0.tar.xz diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk index 684844919e3a..dd0ccbfa4621 100644 --- a/package/libcurl/libcurl.mk +++ b/package/libcurl/libcurl.mk @@ -4,8 +4,8 @@ # ################################################################################ -LIBCURL_VERSION = 7.54.1 -LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.bz2 +LIBCURL_VERSION = 7.55.0 +LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz LIBCURL_SITE = https://curl.haxx.se/download LIBCURL_DEPENDENCIES = host-pkgconf \ $(if $(BR2_PACKAGE_ZLIB),zlib) \
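
Review bot: in the libcurl.hash hunk, the added comment gives the URL of the detached signature but not the key it was checked against, so "after checking pgp signature" cannot be reproduced by whoever bumps the package next. Consider recording the signing key's fingerprint next to the .asc URL. The URL also embeds 7.55.0, so it has to change together with the sha256 line on every bump; a stale URL would point at the signature of a different tarball.
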
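
Review bot: in the libcurl.mk hunk, the LIBCURL_SOURCE switch from .tar.bz2 to .tar.xz is bundled into the same change as the version bump that carries the three CVE fixes. For a patch that is also applied to a stable branch, consider putting the archive format switch in its own commit so the security update is limited to LIBCURL_VERSION and the matching hash entry.
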
Fixes:

glob: do not parse after a strtoul() overflow range (CVE-2017-1000101)
tftp: reject file name lengths that don't fit (CVE-2017-1000100)
file: output the correct buffer to the user (CVE-2017-1000099)

Switch to .tar.xz to save bandwidth.

Add reference to tarball signature.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
 package/libcurl/libcurl.hash | 3 ++-
 package/libcurl/libcurl.mk   | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)