From patchwork Sat Dec 9 20:09:15 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Korsgaard X-Patchwork-Id: 1874085 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org (client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org; envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org) Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SnfKJ5BBgz23nC for ; Sun, 10 Dec 2023 07:11:16 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id E47E16FA97; Sat, 9 Dec 2023 20:11:14 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org E47E16FA97 X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PZw5Cwn3OpTw; Sat, 9 Dec 2023 20:11:14 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by smtp3.osuosl.org (Postfix) with ESMTP id 135D86FAAC; Sat, 9 Dec 2023 20:11:13 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 135D86FAAC X-Original-To: buildroot@lists.busybox.net Delivered-To: buildroot@osuosl.org Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) by ash.osuosl.org (Postfix) with ESMTP id 72F361BF267 for ; Sat, 9 Dec 2023 20:09:23 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 49A8540253 for ; Sat, 9 Dec 2023 20:09:23 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 49A8540253 X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iaWVwdZ-rp7X for ; Sat, 9 Dec 2023 20:09:21 +0000 (UTC) Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) by smtp2.osuosl.org (Postfix) with ESMTPS id 89DE5400FB for ; Sat, 9 Dec 2023 20:09:21 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 89DE5400FB Received: by mail.gandi.net (Postfix) with ESMTPSA id 16D8120003; Sat, 9 Dec 2023 20:09:17 +0000 (UTC) Received: from peko by dell.be.48ers.dk with local (Exim 4.96) (envelope-from ) id 1rC3dV-0013Ht-1I; Sat, 09 Dec 2023 21:09:17 +0100 From: Peter Korsgaard To: buildroot@buildroot.org Date: Sat, 9 Dec 2023 21:09:15 +0100 Message-Id: <20231209200916.250950-1-peter@korsgaard.com> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 X-GND-Sasl: peter@korsgaard.com Subject: [Buildroot] [PATCH] package/libcurl: security bump to version 8.5.0 X-BeenThere: buildroot@buildroot.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion and development of buildroot List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: buildroot-bounces@buildroot.org Sender: "buildroot" Fixes the following security issues: - CVE-2023-46218: cookie mixed case PSL bypass This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. https://curl.se/docs/CVE-2023-46218.html - CVE-2023-46219: HSTS long file name clears contents When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use. https://curl.se/docs/CVE-2023-46219.html Signed-off-by: Peter Korsgaard --- package/libcurl/libcurl.hash | 4 ++-- package/libcurl/libcurl.mk | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash index ecd5d63909..d5c20d29d3 100644 --- a/package/libcurl/libcurl.hash +++ b/package/libcurl/libcurl.hash @@ -1,5 +1,5 @@ # Locally calculated after checking pgp signature -# https://curl.se/download/curl-8.4.0.tar.xz.asc +# https://curl.se/download/curl-8.5.0.tar.xz.asc # signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2 -sha256 16c62a9c4af0f703d28bda6d7bbf37ba47055ad3414d70dec63e2e6336f2a82d curl-8.4.0.tar.xz +sha256 42ab8db9e20d8290a3b633e7fbb3cec15db34df65fd1015ef8ac1e4723750eeb curl-8.5.0.tar.xz sha256 b1d7feb949ea5023552029fbe0bf5db4f23c2f85e9b8e51e18536f0ecbf9c524 COPYING diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk index 2c87821a48..3ecc587a52 100644 --- a/package/libcurl/libcurl.mk +++ b/package/libcurl/libcurl.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBCURL_VERSION = 8.4.0 +LIBCURL_VERSION = 8.5.0 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz LIBCURL_SITE = https://curl.se/download LIBCURL_DEPENDENCIES = host-pkgconf \