<feed xmlns='http://www.w3.org/2005/Atom'>
<title>buildroot/package/libcurl/libcurl.hash, branch 2017.11</title>
<subtitle>OpenPOWER buildroot sources</subtitle>
<id>https://git.raptorcs.com/git/buildroot/atom?h=2017.11</id>
<link rel='self' href='https://git.raptorcs.com/git/buildroot/atom?h=2017.11'/>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/'/>
<updated>2017-11-30T09:29:57+00:00</updated>
<entry>
<title>libcurl: security bump to version 7.57.0</title>
<updated>2017-11-30T09:29:57+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-11-30T00:07:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=fb2ed961988867ab77c48786075e03a6110d1d0a'/>
<id>urn:sha1:fb2ed961988867ab77c48786075e03a6110d1d0a</id>
<content type='text'>
Fixes the following security issues:

- CVE-2017-8816: NTLM buffer overflow via integer overflow
- CVE-2017-8817: FTP wildcard out of bounds read
- CVE-2017-8818: SSL out of buffer access

For more details, see the changelog:
https://curl.haxx.se/changes.html#7_57_0

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>libcurl: security bump to version 7.56.1</title>
<updated>2017-10-25T07:44:09+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-10-23T23:13:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=62d4dd2999a0446c2b868a7c6fbcc764a470493d'/>
<id>urn:sha1:62d4dd2999a0446c2b868a7c6fbcc764a470493d</id>
<content type='text'>
Fixes CVE-2017-1000257 - IMAP FETCH response out of bounds read

https://curl.haxx.se/docs/adv_20171023.html

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>libcurl: security bump to version 7.56.0</title>
<updated>2017-10-05T20:40:14+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-10-04T07:35:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=9d95b93e5d36442979cdff7a9f3ee10b1eb9e0c7'/>
<id>urn:sha1:9d95b93e5d36442979cdff7a9f3ee10b1eb9e0c7</id>
<content type='text'>
Drop upstreamed patch.

Fixes CVE-2017-1000254 - FTP PWD response parser out of bounds read:

https://curl.haxx.se/docs/adv_20171004.html

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>libcurl: bump to version 7.55.1</title>
<updated>2017-09-09T20:18:10+00:00</updated>
<author>
<name>Baruch Siach</name>
<email>baruch@tkos.co.il</email>
</author>
<published>2017-09-09T20:10:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=3f6c10df674b7cc7a854fb0099ebeb926d162975'/>
<id>urn:sha1:3f6c10df674b7cc7a854fb0099ebeb926d162975</id>
<content type='text'>
Drop upstream patch.

Add license hash.

Signed-off-by: Baruch Siach &lt;baruch@tkos.co.il&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>libcurl: security bump to version 7.55.0</title>
<updated>2017-08-11T10:42:34+00:00</updated>
<author>
<name>Baruch Siach</name>
<email>baruch@tkos.co.il</email>
</author>
<published>2017-08-10T17:35:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=d88c79090add53947dc3290fb61d51f2b630301c'/>
<id>urn:sha1:d88c79090add53947dc3290fb61d51f2b630301c</id>
<content type='text'>
Fixes:

 glob: do not parse after a strtoul() overflow range (CVE-2017-1000101)
 tftp: reject file name lengths that don't fit (CVE-2017-1000100)
 file: output the correct buffer to the user (CVE-2017-1000099)

Switch to .tar.xz to save bandwidth.

Add reference to tarball signature.

Signed-off-by: Baruch Siach &lt;baruch@tkos.co.il&gt;
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) &lt;arnout@mind.be&gt;
</content>
</entry>
<entry>
<title>libcurl: bump version to 7.54.1</title>
<updated>2017-06-21T20:42:54+00:00</updated>
<author>
<name>Adam Duskett</name>
<email>Aduskett@gmail.com</email>
</author>
<published>2017-06-21T20:30:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=c52d50336eb6c51eb9d590cebdee72623d76dd51'/>
<id>urn:sha1:c52d50336eb6c51eb9d590cebdee72623d76dd51</id>
<content type='text'>
Signed-off-by: Adam Duskett &lt;aduskett@codeblue.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>libcurl: bump version to 7.54.0 (security)</title>
<updated>2017-04-20T21:13:07+00:00</updated>
<author>
<name>Vicente Olivert Riera</name>
<email>Vincent.Riera@imgtec.com</email>
</author>
<published>2017-04-19T09:07:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=034e95e51e7dbe97a11d708c7762ff64861ec705'/>
<id>urn:sha1:034e95e51e7dbe97a11d708c7762ff64861ec705</id>
<content type='text'>
Security fixes:
 - CVE-2017-7468: switch off SSL session id when client cert is used

Full changelog: https://curl.haxx.se/changes.html

Removing 0001-CVE-2017-7407.patch. It's included in this release:
  https://github.com/curl/curl/commit/1890d59905414ab84a35892b2e45833654aa5c13

Signed-off-by: Vicente Olivert Riera &lt;Vincent.Riera@imgtec.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>libcurl: bump version to 7.53.1</title>
<updated>2017-03-10T20:52:40+00:00</updated>
<author>
<name>Vicente Olivert Riera</name>
<email>Vincent.Riera@imgtec.com</email>
</author>
<published>2017-03-10T17:17:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=07db6fa6e83560a6901a74685024d45872da68d7'/>
<id>urn:sha1:07db6fa6e83560a6901a74685024d45872da68d7</id>
<content type='text'>
Signed-off-by: Vicente Olivert Riera &lt;Vincent.Riera@imgtec.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>libcurl: security bump to version 7.53.0</title>
<updated>2017-02-23T20:35:11+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-02-22T07:25:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=c5f5d9fa4e378f3b81f51284e32ee1c23ab2a575'/>
<id>urn:sha1:c5f5d9fa4e378f3b81f51284e32ee1c23ab2a575</id>
<content type='text'>
Fixes CVE-2017-2629 - curl SSL_VERIFYSTATUS ignored

From the advisory (http://www.openwall.com/lists/oss-security/2017/02/21/6):

Curl and libcurl support "OCSP stapling", also known as the TLS Certificate
Status Request extension (using the `CURLOPT_SSL_VERIFYSTATUS` option). When
telling curl to use this feature, it uses that TLS extension to ask for a
fresh proof of the server's certificate's validity. If the server doesn't
support the extension, or fails to provide said proof, curl is expected to
return an error.

Due to a coding mistake, the code that checks for a test success or failure,
ends up always thinking there's valid proof, even when there is none or if the
server doesn't support the TLS extension in question. Contrary to how it used
to function and contrary to how this feature is documented to work.

This could lead to users not detecting when a server's certificate goes
invalid or otherwise be misled that the server is in a better shape than it
is in reality.

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>libcurl: security bump to 7.52.1</title>
<updated>2016-12-23T21:29:23+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2016-12-23T10:16:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=72b6bf8f57569c14238d223bb6cc6fec7fd3af4d'/>
<id>urn:sha1:72b6bf8f57569c14238d223bb6cc6fec7fd3af4d</id>
<content type='text'>
Fixes CVE-2016-9594 - Uninitialized random

Libcurl's (new) internal function that returns a good 32bit random value was
implemented poorly and overwrote the pointer instead of writing the value
into the buffer the pointer pointed to.

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
</feed>
