| Message ID | 20231209200916.250950-1-peter@korsgaard.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | package/libcurl: security bump to version 8.5.0 | expand |
Peter, All, On 2023-12-09 21:09 +0100, Peter Korsgaard spake thusly: > Fixes the following security issues: > > - CVE-2023-46218: cookie mixed case PSL bypass > > This flaw allows a malicious HTTP server to set "super cookies" in curl > that are then passed back to more origins than what is otherwise allowed > or possible. This allows a site to set cookies that then would get sent > to different and unrelated sites and domains. > > https://curl.se/docs/CVE-2023-46218.html > > - CVE-2023-46219: HSTS long file name clears contents > > When saving HSTS data to an excessively long file name, curl could end up > removing all contents, making subsequent requests using that file unaware > of the HSTS status they should otherwise use. > > https://curl.se/docs/CVE-2023-46219.html > > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Applied to master, thanks. Regards, Yann E. MORIN. > --- > package/libcurl/libcurl.hash | 4 ++-- > package/libcurl/libcurl.mk | 2 +- > 2 files changed, 3 insertions(+), 3 deletions(-) > > diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash > index ecd5d63909..d5c20d29d3 100644 > --- a/package/libcurl/libcurl.hash > +++ b/package/libcurl/libcurl.hash > @@ -1,5 +1,5 @@ > # Locally calculated after checking pgp signature > -# https://curl.se/download/curl-8.4.0.tar.xz.asc > +# https://curl.se/download/curl-8.5.0.tar.xz.asc > # signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2 > -sha256 16c62a9c4af0f703d28bda6d7bbf37ba47055ad3414d70dec63e2e6336f2a82d curl-8.4.0.tar.xz > +sha256 42ab8db9e20d8290a3b633e7fbb3cec15db34df65fd1015ef8ac1e4723750eeb curl-8.5.0.tar.xz > sha256 b1d7feb949ea5023552029fbe0bf5db4f23c2f85e9b8e51e18536f0ecbf9c524 COPYING > diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk > index 2c87821a48..3ecc587a52 100644 > --- a/package/libcurl/libcurl.mk > +++ b/package/libcurl/libcurl.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -LIBCURL_VERSION = 8.4.0 > +LIBCURL_VERSION = 8.5.0 > LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz > LIBCURL_SITE = https://curl.se/download > LIBCURL_DEPENDENCIES = host-pkgconf \ > -- > 2.39.2 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: > Fixes the following security issues: > - CVE-2023-46218: cookie mixed case PSL bypass > This flaw allows a malicious HTTP server to set "super cookies" in curl > that are then passed back to more origins than what is otherwise allowed > or possible. This allows a site to set cookies that then would get sent > to different and unrelated sites and domains. > https://curl.se/docs/CVE-2023-46218.html > - CVE-2023-46219: HSTS long file name clears contents > When saving HSTS data to an excessively long file name, curl could end up > removing all contents, making subsequent requests using that file unaware > of the HSTS status they should otherwise use. > https://curl.se/docs/CVE-2023-46219.html > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Committed to 2023.02.x and 2023.11.x, thanks.
diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash index ecd5d63909..d5c20d29d3 100644 --- a/package/libcurl/libcurl.hash +++ b/package/libcurl/libcurl.hash @@ -1,5 +1,5 @@ # Locally calculated after checking pgp signature -# https://curl.se/download/curl-8.4.0.tar.xz.asc +# https://curl.se/download/curl-8.5.0.tar.xz.asc # signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2 -sha256 16c62a9c4af0f703d28bda6d7bbf37ba47055ad3414d70dec63e2e6336f2a82d curl-8.4.0.tar.xz +sha256 42ab8db9e20d8290a3b633e7fbb3cec15db34df65fd1015ef8ac1e4723750eeb curl-8.5.0.tar.xz sha256 b1d7feb949ea5023552029fbe0bf5db4f23c2f85e9b8e51e18536f0ecbf9c524 COPYING diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk index 2c87821a48..3ecc587a52 100644 --- a/package/libcurl/libcurl.mk +++ b/package/libcurl/libcurl.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBCURL_VERSION = 8.4.0 +LIBCURL_VERSION = 8.5.0 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz LIBCURL_SITE = https://curl.se/download LIBCURL_DEPENDENCIES = host-pkgconf \
Fixes the following security issues: - CVE-2023-46218: cookie mixed case PSL bypass This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. https://curl.se/docs/CVE-2023-46218.html - CVE-2023-46219: HSTS long file name clears contents When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use. https://curl.se/docs/CVE-2023-46219.html Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- package/libcurl/libcurl.hash | 4 ++-- package/libcurl/libcurl.mk | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-)