<feed xmlns='http://www.w3.org/2005/Atom'>
<title>buildroot/package/libcurl, branch 2018.02.1</title>
<subtitle>OpenPOWER buildroot sources</subtitle>
<id>https://git.raptorcs.com/git/buildroot/atom?h=2018.02.1</id>
<link rel='self' href='https://git.raptorcs.com/git/buildroot/atom?h=2018.02.1'/>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/'/>
<updated>2018-04-06T14:33:03+00:00</updated>
<entry>
<title>libcurl: security bump to version 7.59.0</title>
<updated>2018-04-06T14:33:03+00:00</updated>
<author>
<name>Baruch Siach</name>
<email>baruch@tkos.co.il</email>
</author>
<published>2018-03-15T18:06:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=6f2d5ed2befbb895aca7d9be2304f7124846c434'/>
<id>urn:sha1:6f2d5ed2befbb895aca7d9be2304f7124846c434</id>
<content type='text'>
CVE-2018-1000120: curl could be fooled into writing a zero byte out of
bounds when curl is told to work on an FTP URL with the setting to only
issue a single CWD command, if the directory part of the URL contains a
"%00" sequence.

https://curl.haxx.se/docs/adv_2018-9cd6.html

CVE-2018-1000121: curl might dereference a near-NULL address when
getting an LDAP URL.

https://curl.haxx.se/docs/adv_2018-97a2.html

CVE-2018-1000122: When asked to transfer an RTSP URL, curl could
calculate a wrong data length to copy from the read buffer.

https://curl.haxx.se/docs/adv_2018-b047.html

Signed-off-by: Baruch Siach &lt;baruch@tkos.co.il&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
(cherry picked from commit bf3476e5b1527ac91c0a12949be7da5253ea66c1)
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>libcurl: add host variant</title>
<updated>2018-02-05T13:57:48+00:00</updated>
<author>
<name>Eric Le Bihan</name>
<email>eric.le.bihan.dev@free.fr</email>
</author>
<published>2018-02-04T18:07:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=736e0fc5d6103300fb5d6b0cde5e22ce978b8a80'/>
<id>urn:sha1:736e0fc5d6103300fb5d6b0cde5e22ce978b8a80</id>
<content type='text'>
Signed-off-by: Eric Le Bihan &lt;eric.le.bihan.dev@free.fr&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>libcurl: security bump to version 7.58.0</title>
<updated>2018-01-26T08:11:23+00:00</updated>
<author>
<name>Baruch Siach</name>
<email>baruch@tkos.co.il</email>
</author>
<published>2018-01-26T06:17:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=e02dd5a4924c69fc806f4191bc7be67e28d5ad37'/>
<id>urn:sha1:e02dd5a4924c69fc806f4191bc7be67e28d5ad37</id>
<content type='text'>
Fixes CVE-2018-1000007: libcurl might leak authentication data to third
parties.

https://curl.haxx.se/docs/adv_2018-b3bf.html

Fixes CVE-2018-1000005: libcurl contains an out bounds read in code handling
HTTP/2 trailers.

https://curl.haxx.se/docs/adv_2018-824a.html

Update license hash due to copyright year change.

[Peter: also add CVE-2018-1000005 reference]
Signed-off-by: Baruch Siach &lt;baruch@tkos.co.il&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>libcurl: security bump to version 7.57.0</title>
<updated>2017-11-30T09:29:57+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-11-30T00:07:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=fb2ed961988867ab77c48786075e03a6110d1d0a'/>
<id>urn:sha1:fb2ed961988867ab77c48786075e03a6110d1d0a</id>
<content type='text'>
Fixes the following security issues:

- CVE-2017-8816: NTLM buffer overflow via integer overflow
- CVE-2017-8817: FTP wildcard out of bounds read
- CVE-2017-8818: SSL out of buffer access

For more details, see the changelog:
https://curl.haxx.se/changes.html#7_57_0

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>libcurl: security bump to version 7.56.1</title>
<updated>2017-10-25T07:44:09+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-10-23T23:13:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=62d4dd2999a0446c2b868a7c6fbcc764a470493d'/>
<id>urn:sha1:62d4dd2999a0446c2b868a7c6fbcc764a470493d</id>
<content type='text'>
Fixes CVE-2017-1000257 - IMAP FETCH response out of bounds read

https://curl.haxx.se/docs/adv_20171023.html

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>libcurl: security bump to version 7.56.0</title>
<updated>2017-10-05T20:40:14+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-10-04T07:35:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=9d95b93e5d36442979cdff7a9f3ee10b1eb9e0c7'/>
<id>urn:sha1:9d95b93e5d36442979cdff7a9f3ee10b1eb9e0c7</id>
<content type='text'>
Drop upstreamed patch.

Fixes CVE-2017-1000254 - FTP PWD response parser out of bounds read:

https://curl.haxx.se/docs/adv_20171004.html

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>libcurl: fix build without threads</title>
<updated>2017-09-13T06:22:11+00:00</updated>
<author>
<name>Baruch Siach</name>
<email>baruch@tkos.co.il</email>
</author>
<published>2017-09-12T11:43:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=10e998e7ccc827c53f3637abb70a06f1521e239e'/>
<id>urn:sha1:10e998e7ccc827c53f3637abb70a06f1521e239e</id>
<content type='text'>
When c-ares is not enabled libcurl enables the threaded DNS resolver by
default. Make sure the threaded resolvers is disabled when the toolchain
does not support threads.

Add upstream patch that fixes the configure option for disabling the
threaded resolver.

Fixes:
http://autobuild.buildroot.net/results/39f/39fa63fb2ecb75e4b2521d1ee3dfa357c4e5c594/
http://autobuild.buildroot.net/results/dfd/dfd296086d0d6bed73b92fe2fa4ba5434dddf796/

Signed-off-by: Baruch Siach &lt;baruch@tkos.co.il&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>libcurl: bump to version 7.55.1</title>
<updated>2017-09-09T20:18:10+00:00</updated>
<author>
<name>Baruch Siach</name>
<email>baruch@tkos.co.il</email>
</author>
<published>2017-09-09T20:10:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=3f6c10df674b7cc7a854fb0099ebeb926d162975'/>
<id>urn:sha1:3f6c10df674b7cc7a854fb0099ebeb926d162975</id>
<content type='text'>
Drop upstream patch.

Add license hash.

Signed-off-by: Baruch Siach &lt;baruch@tkos.co.il&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>libcurl: fix build on uncommon architectures</title>
<updated>2017-08-11T20:06:36+00:00</updated>
<author>
<name>Thomas Petazzoni</name>
<email>thomas.petazzoni@free-electrons.com</email>
</author>
<published>2017-08-11T18:32:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=6361a50e3f813c81d49636ee92a427442b9a2160'/>
<id>urn:sha1:6361a50e3f813c81d49636ee92a427442b9a2160</id>
<content type='text'>
Since the bump to 7.55.0, libcurl fails to build on a number of
uncommon architectures (ARC, OpenRISC, etc.). This is due to upstream
commit 73a2fcea0b4adea6ba342cd7ed1149782c214ae3 ("includes: remove
curl/curlbuild.h and curl/curlrules.h"), which makes libcurl rely on
more architecture-specific related defines in include/curl/system.h.

This commit therefore adds a patch that fixes the 32-bit vs. 64-bit
detection for all architecture, using gcc's __SIZEOF_LONG__
definition. It has been tested successfully with test-pkg on all 47
toolchain configurations.

Fixes:

  http://autobuild.buildroot.net/results/bf26c08cf3267214278674472f931603f69951ae/
  (and many similar issues)

Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>libcurl: security bump to version 7.55.0</title>
<updated>2017-08-11T10:42:34+00:00</updated>
<author>
<name>Baruch Siach</name>
<email>baruch@tkos.co.il</email>
</author>
<published>2017-08-10T17:35:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=d88c79090add53947dc3290fb61d51f2b630301c'/>
<id>urn:sha1:d88c79090add53947dc3290fb61d51f2b630301c</id>
<content type='text'>
Fixes:

 glob: do not parse after a strtoul() overflow range (CVE-2017-1000101)
 tftp: reject file name lengths that don't fit (CVE-2017-1000100)
 file: output the correct buffer to the user (CVE-2017-1000099)

Switch to .tar.xz to save bandwidth.

Add reference to tarball signature.

Signed-off-by: Baruch Siach &lt;baruch@tkos.co.il&gt;
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) &lt;arnout@mind.be&gt;
</content>
</entry>
</feed>
