From patchwork Wed Nov 5 14:31:32 2014
X-Patchwork-Submitter: Gustavo Zacarias
X-Patchwork-Id: 407001
From: Gustavo Zacarias
To: buildroot@busybox.net
Date: Wed, 5 Nov 2014 11:31:32 -0300
Message-Id: <1415197892-30325-1-git-send-email-gustavo@zacarias.com.ar>
Subject: [Buildroot] [PATCH] libcurl: security bump to version 7.39.0

Fixes: CVE-2014-3707 - libcurl's function curl_easy_duphandle() has a bug that can lead to libcurl eventually sending off sensitive data that was not intended for sending.

Removed patch that was upstream and now in the release.

Signed-off-by: Gustavo Zacarias
Reviewed-by: Vicente Olivert Riera
Tested-by: Vicente Olivert Riera
--- package/libcurl/libcurl-0001-fixtimeout.patch | 37 --------------------------- package/libcurl/libcurl.hash | 2 +- package/libcurl/libcurl.mk | 2 +- 3 files changed, 2 insertions(+), 39 deletions(-) delete mode 100644 package/libcurl/libcurl-0001-fixtimeout.patch diff --git a/package/libcurl/libcurl-0001-fixtimeout.patch b/package/libcurl/libcurl-0001-fixtimeout.patch deleted file mode 100644 index f897ca4..0000000 
--- a/package/libcurl/libcurl-0001-fixtimeout.patch +++ /dev/null @@ -1,37 +0,0 @@ -This fixes a timeout problem with xbmc. - -Backported from upstream: -https://github.com/bagder/curl/commit/d9762a7cdb35e70f8cb0bf1c2f8019e8391616e1 - -Signed-off-by: Bernd Kuhls - - -From d9762a7cdb35e70f8cb0bf1c2f8019e8391616e1 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 23 Sep 2014 11:44:03 +0200 -Subject: [PATCH] threaded-resolver: revert Curl_expire_latest() switch - -The switch to using Curl_expire_latest() in commit cacdc27f52b was a -mistake and was against the advice even mentioned in that commit. The -comparison in asyn-thread.c:Curl_resolver_is_resolved() makes -Curl_expire() the suitable function to use. - -Bug: http://curl.haxx.se/bug/view.cgi?id=1426 -Reported-By: graysky ---- - lib/asyn-thread.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c -index e4ad32b..6cdc9ad 100644 ---- a/lib/asyn-thread.c -+++ b/lib/asyn-thread.c -@@ -541,7 +541,7 @@ CURLcode Curl_resolver_is_resolved(struct connectdata *conn, - td->poll_interval = 250; - - td->interval_end = elapsed + td->poll_interval; -- Curl_expire_latest(conn->data, td->poll_interval); -+ Curl_expire(conn->data, td->poll_interval); - } - - return CURLE_OK; diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash index 7eded03..4c3b8ac 100644 --- a/package/libcurl/libcurl.hash +++ b/package/libcurl/libcurl.hash @@ -1,2 +1,2 @@ # Locally calculated after checking pgp signature -sha256 035bd41e99aa1a4e64713f4cea5ccdf366ca8199e9be1b53d5a043d5165f9eba curl-7.38.0.tar.bz2 +sha256 b222566e7087cd9701b301dd6634b360ae118cc1cbc7697e534dc451102ea4e0 curl-7.39.0.tar.bz2 diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk index 4af73b1..62ea5fb 100644 --- a/package/libcurl/libcurl.mk +++ b/package/libcurl/libcurl.mk 
@@ -4,7 +4,7 @@ # ################################################################################ -LIBCURL_VERSION = 7.38.0 +LIBCURL_VERSION = 7.39.0 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.bz2 LIBCURL_SITE = http://curl.haxx.se/download LIBCURL_DEPENDENCIES = host-pkgconf \
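Review bot: In the deletion of package/libcurl/libcurl-0001-fixtimeout.patch, the commit message justifies the removal only with "Removed patch that was upstream and now in the release" and does not name the upstream commit. The deleted file identifies it as d9762a7cdb35e70f8cb0bf1c2f8019e8391616e1 (the Curl_expire_latest() revert in lib/asyn-thread.c); citing that hash in the commit message would let a reader confirm that 7.39.0 contains it, so the xbmc timeout fix is not silently lost with this bump.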
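Review bot: In package/libcurl/libcurl.hash, the unchanged comment "# Locally calculated after checking pgp signature" is the only record of how the new sha256 for curl-7.39.0.tar.bz2 was validated. For a security bump it would help to name the signature file and the signing key that were checked, in the comment or in the commit message, so the hash can be reproduced independently instead of being taken on trust from the mail.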
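Review bot: In package/libcurl/libcurl.mk, the context line LIBCURL_SITE = http://curl.haxx.se/download fetches the tarball over plain HTTP, which leaves the sha256 in libcurl.hash as the only integrity check on the download. This is not introduced by the version change, but a security bump is a good moment for a follow-up that moves the site to an HTTPS URL if upstream serves one.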