package/libcurl: security bump to 8.4.0

Message ID 20231011073506.687039-1-sairon@sairon.cz
State Accepted
Series package/libcurl: security bump to 8.4.0

Commit Message

Jan Čermák Oct. 11, 2023, 7:35 a.m. UTC
Fixes following two vulnerabilities:

* CVE-2023-38545: SOCKS5 heap buffer overflow
  https://curl.se/docs/CVE-2023-38545.html
* CVE-2023-38546: cookie injection with none file
  https://curl.se/docs/CVE-2023-38546.html

Signed-off-by: Jan Čermák <sairon@sairon.cz>
---
 package/libcurl/libcurl.hash | 4 ++--
 package/libcurl/libcurl.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

Comments

Peter Korsgaard Oct. 11, 2023, 8:52 a.m. UTC | #1
>>>>> "Jan" == Jan Čermák <sairon@sairon.cz> writes:

 > Fixes following two vulnerabilities:
 > * CVE-2023-38545: SOCKS5 heap buffer overflow
 >   https://curl.se/docs/CVE-2023-38545.html
 > * CVE-2023-38546: cookie injection with none file
 >   https://curl.se/docs/CVE-2023-38546.html

 > Signed-off-by: Jan Čermák <sairon@sairon.cz>

Committed, thanks.

Peter Korsgaard Oct. 13, 2023, 6:13 p.m. UTC | #2
>>>>> "Jan" == Jan Čermák <sairon@sairon.cz> writes:

 > Fixes following two vulnerabilities:
 > * CVE-2023-38545: SOCKS5 heap buffer overflow
 >   https://curl.se/docs/CVE-2023-38545.html
 > * CVE-2023-38546: cookie injection with none file
 >   https://curl.se/docs/CVE-2023-38546.html

 > Signed-off-by: Jan Čermák <sairon@sairon.cz>

Committed to 2023.02.x and 2023.08.x, thanks.

Patch

diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash
index 371d20a632..ecd5d63909 100644
--- a/package/libcurl/libcurl.hash
+++ b/package/libcurl/libcurl.hash
@@ -1,5 +1,5 @@ 
 # Locally calculated after checking pgp signature
-# https://curl.se/download/curl-8.3.0.tar.xz.asc
+# https://curl.se/download/curl-8.4.0.tar.xz.asc
 # signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2
-sha256  376d627767d6c4f05105ab6d497b0d9aba7111770dd9d995225478209c37ea63  curl-8.3.0.tar.xz
+sha256  16c62a9c4af0f703d28bda6d7bbf37ba47055ad3414d70dec63e2e6336f2a82d  curl-8.4.0.tar.xz
 sha256  b1d7feb949ea5023552029fbe0bf5db4f23c2f85e9b8e51e18536f0ecbf9c524  COPYING
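
Review bot: The "signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2" line is unchanged context here, so the diff alone does not show that the 8.4.0 signature was re-checked against that key rather than only the .asc URL being edited. Since the new sha256 for curl-8.4.0.tar.xz is described as locally calculated, its trust rests entirely on that check; please confirm in the commit message that curl-8.4.0.tar.xz.asc verified with the listed key. The COPYING hash is also left as is, which is fine if the license file is identical in 8.4.0, but it should be a checked result and not a leftover.
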
diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index dd4cf43c6a..bd331a55aa 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-LIBCURL_VERSION = 8.3.0
+LIBCURL_VERSION = 8.4.0
 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz
 LIBCURL_SITE = https://curl.se/download
 LIBCURL_DEPENDENCIES = host-pkgconf \
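
Review bot: The commit message lists only the two CVEs, while the LIBCURL_VERSION line is a minor-version bump (8.3.0 to 8.4.0) and LIBCURL_SOURCE is derived from it, so this one-line change pulls in everything else in the 8.4.0 release as well. A sentence in the commit message stating whether any configure options or dependencies needed attention would help, particularly since the change is also being applied to the 2023.02.x and 2023.08.x branches.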