<feed xmlns='http://www.w3.org/2005/Atom'>
<title>buildroot/package/libcurl, branch 2019.02-op-build</title>
<subtitle>OpenPOWER buildroot sources</subtitle>
<id>https://git.raptorcs.com/git/buildroot/atom?h=2019.02-op-build</id>
<link rel='self' href='https://git.raptorcs.com/git/buildroot/atom?h=2019.02-op-build'/>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/'/>
<updated>2019-03-28T10:14:31+00:00</updated>
<entry>
<title>package/libcurl: bump to version 7.64.1</title>
<updated>2019-03-28T10:14:31+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2019-03-27T09:17:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=53711fdce97f96c02bf9fb007083f7d2bd0f0495'/>
<id>urn:sha1:53711fdce97f96c02bf9fb007083f7d2bd0f0495</id>
<content type='text'>
Contains a number of fixes for issues discovered post-7.64.0.  For details,
see the list of changes:

https://curl.haxx.se/changes.html#7_64_1

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
(cherry picked from commit 48da1bc9fdebeaa011648c9b208b17f28a0878e3)
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>libcurl: fix typo in configure option w/o OpenSSL</title>
<updated>2019-02-20T21:32:21+00:00</updated>
<author>
<name>Trent Piepho</name>
<email>tpiepho@impinj.com</email>
</author>
<published>2019-02-20T01:40:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=1f2d3000c450968ccc544379cdade8f2e03a3581'/>
<id>urn:sha1:1f2d3000c450968ccc544379cdade8f2e03a3581</id>
<content type='text'>
When not using OpenSSL, the correct option to configure is --without-ssl
with two dashes.

Fixes: b8b78e7e6a ("libcurl: Allow selection of TLS package libcurl will use")

Signed-off-by: Trent Piepho &lt;tpiepho@impinj.com&gt;
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) &lt;arnout@mind.be&gt;
</content>
</entry>
<entry>
<title>package/libcurl: security bump to version 7.64.0</title>
<updated>2019-02-06T19:32:55+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2019-02-06T16:54:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=e8a361b8d770683a7c9aa27c5921350df3d66422'/>
<id>urn:sha1:e8a361b8d770683a7c9aa27c5921350df3d66422</id>
<content type='text'>
Fixes the following security issues:

CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
https://curl.haxx.se/docs/CVE-2018-16890.html

CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
https://curl.haxx.se/docs/CVE-2019-3822.html

CVE-2019-3823: SMTP end-of-response out-of-bounds read
https://curl.haxx.se/docs/CVE-2019-3823.html

The copyright year changed in the COPYING file, so update the hash.

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
</content>
</entry>
<entry>
<title>package/libcurl: use GnuTLS's default cert path</title>
<updated>2018-12-03T20:26:22+00:00</updated>
<author>
<name>Trent Piepho</name>
<email>tpiepho@impinj.com</email>
</author>
<published>2018-11-16T20:17:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=43b4d3ae4557b97d84c06a8a79a4f40a31c67697'/>
<id>urn:sha1:43b4d3ae4557b97d84c06a8a79a4f40a31c67697</id>
<content type='text'>
libcurl doesn't find any trust path for CA certs when it cross-compiles.
When using OpenSSL, it is explicitly configured to use the SSL cert
directory with OpenSSL style hash files in it.  But with GnuTLS, it gets
nothing.

Rather than configure libcurl to use the OpenSSL directory or a bundle
file, configure it to use the GnuTLS default.  This way the CA certs
path can be configured in one place (gnutls) and then libcurl and anyone
else who uses gnutls can default to that.

Also, when libcurl with gnutls is configured to use a directory, it ends
up loading each cert three times.

Signed-off-by: Trent Piepho &lt;tpiepho@impinj.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
</content>
</entry>
<entry>
<title>libcurl: Don't need --without-(ssl/gnutls/nss/mbedtls) twice</title>
<updated>2018-11-13T07:25:36+00:00</updated>
<author>
<name>Trent Piepho</name>
<email>tpiepho@impinj.com</email>
</author>
<published>2018-11-13T00:24:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=97060f445eed65d30326db8554be7ed3151ffa33'/>
<id>urn:sha1:97060f445eed65d30326db8554be7ed3151ffa33</id>
<content type='text'>
Remove the --without-* options from the yes side of the TLS libraries
selection checks.

Since the --without-* option is now specified when the corresponding TLS
library is not being used, it's no longer necessary when enabling a TLS
library to explicitly list all the other TLS libs that curl should not
use.

Signed-off-by: Trent Piepho &lt;tpiepho@impinj.com&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>libcurl: Allow selection of TLS package libcurl will use</title>
<updated>2018-11-12T21:24:18+00:00</updated>
<author>
<name>Trent Piepho</name>
<email>tpiepho@impinj.com</email>
</author>
<published>2018-11-08T22:25:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=b8b78e7e6a1cc15ab085f157250ed1ca04277129'/>
<id>urn:sha1:b8b78e7e6a1cc15ab085f157250ed1ca04277129</id>
<content type='text'>
Instead of defaulting to OpenSSL, allow selection of package to use
through a choice in libcurl's config.  The default will be to select the
first enabled TLS provider in the same preference order as is used now,
i.e. no change from current behavior.

Some of the alternative libraries have advantages over OpenSSL in
certain areas.

For example, gnutls has vastly superior PKCS11 support.  One can use
client TLS private keys by supplying a PKCS11 URI instead of a private
key file name.  The TLS server cert trust store can be a PKCS11 URI,
e.g. configure libcurl with a ca-bundle of "pkcs11:model=p11-kit-trust".
Now server certs can be stored in a software and/or hardware HSM(s).
This doesn't work with OpenSSL.

However, some software only supports OpenSSL for TLS or other crypto
functions.  So it might be necessary to enable OpenSSL for that reason.

Signed-off-by: Trent Piepho &lt;tpiepho@impinj.com&gt;
[Peter: add BR2_PACKAGE_LIBCURL_TLS_SUPPORT and use it to hide choice &amp;
	comment, explicitly pass --without-foo if option is not enabled,
	only do .pc fixup if BR2_PACKAGE_LIBCURL_OPENSSL is enabled]
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>libcurl: security bump to version 7.62.0</title>
<updated>2018-10-31T08:48:06+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2018-10-31T08:40:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=c1a01ac2f109d695d1bfe9945bc4df0434eaec51'/>
<id>urn:sha1:c1a01ac2f109d695d1bfe9945bc4df0434eaec51</id>
<content type='text'>
Fixes the following security issues:

CVE-2018-16839: SASL password overflow via integer overflow
https://curl.haxx.se/docs/CVE-2018-16839.html

CVE-2018-16840: use-after-free in handle close
https://curl.haxx.se/docs/CVE-2018-16840.html

CVE-2018-16842: warning message out-of-buffer read
https://curl.haxx.se/docs/CVE-2018-16842.html

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
</content>
</entry>
<entry>
<title>libcurl: security bump to version 7.61.1</title>
<updated>2018-09-06T07:35:21+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2018-09-05T21:40:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=87d58cccf19039fdca30ad5274ed75030919656d'/>
<id>urn:sha1:87d58cccf19039fdca30ad5274ed75030919656d</id>
<content type='text'>
Fixes CVE-2018-14618: NTLM password overflow via integer overflow

For more details, see the advisory:
https://curl.haxx.se/docs/CVE-2018-14618.html

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>libcurl: add nghttp2 optional dependency</title>
<updated>2018-07-19T14:59:55+00:00</updated>
<author>
<name>Michaël Burtin</name>
<email>michael.burtin@netgem.com</email>
</author>
<published>2018-07-19T13:54:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=9b733d45f4b1b3b8244cfc7513b3d680da3d163d'/>
<id>urn:sha1:9b733d45f4b1b3b8244cfc7513b3d680da3d163d</id>
<content type='text'>
The nghttp2 package has recently been added to buildroot. When
enabled, this adds support for HTTP2 to libcurl.

By default, libcurl configure script will enable HTTP2 if the library
is found using pkg-config. Adding this option makes the build
consistent.

Signed-off-by: Michaël Burtin &lt;michael.burtin@netgem.com&gt;
Signed-off-by: Anisse Astier &lt;anisse.astier.ext@netgem.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
</content>
</entry>
<entry>
<title>libcurl: security bump to version 7.61.0</title>
<updated>2018-07-12T20:18:54+00:00</updated>
<author>
<name>Baruch Siach</name>
<email>baruch@tkos.co.il</email>
</author>
<published>2018-07-12T18:15:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=bf79731153d2739580954161547225acb60f65e8'/>
<id>urn:sha1:bf79731153d2739580954161547225acb60f65e8</id>
<content type='text'>
Fixes CVE-2018-0500: curl might overflow a heap based memory buffer when
sending data over SMTP and using a reduced read buffer.

Drop upstream patch.

Add reference to tarball signature key.

Drop CRYPTO_lock seed. Removed from configure script since 7.45.

Cc: Matt Weber &lt;matthew.weber@rockwellcollins.com&gt;
Signed-off-by: Baruch Siach &lt;baruch@tkos.co.il&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
</feed>
