Affected versions: curl 7.34.0 to and including 7.54.1
Not affected versions: curl < 7.34.0 and >= 7.55.0
(From OE-Core rev: a12cc7500a224d4be91f67f7921e1f16fcf880d4)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Affected versions: libcurl 7.15.0 to and including 7.54.1
Not affected versions: libcurl < 7.15.0 and >= 7.55.0
(From OE-Core rev: eafbe104727d79643c1738360789ae455fff116c)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Multi-threaded applications using libcurl crash
on DNS timeouts when built using OE.
The reason is as follows:
By default, libcurl implements DNS timeouts using a
timer (alarm()) and a pair of setjmp()/longjmp().
This approach is unsafe in multi-threaded applications
for various reasons, as e.g. explained in the relevant
man-pages.
To avoid this, libcurl can be compiled with a built-in
threaded resolver, or against the c-ares asynchronous
resolver library.
To keep extra dependencies to a minimum, and to mimic
other distributions (debian at least), and because
c-ares is not available in OE-core, add a PACKAGECONFIG
to be able to enable use of of the built-in threaded
resolver and enable it by default.
(From OE-Core rev: f4dbb4ce29fcd03e64c83efea39f32df437c21cc)
Signed-off-by: André Draszik <adraszik@tycoint.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 41f1e44fce976c4140cda62a41349e91e69d04ef)
Signed-off-by: André Draszik <adraszik@tycoint.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is 'libcurl' in NVD.
(From OE-Core rev: f5381da49ac781ef017a1b9816c00b512ca9c7c2)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE fixed in 7.51.0:
CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host
To see complete log access link bellow:
https://curl.haxx.se/changes.html#7_51_0
(From OE-Core rev: 0154ff997db8021f93e6ffe8f7a0627d7a1d9b89)
Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
krb5 is needed to enables GSS-Negotiate authentication
(From OE-Core rev: 78811b6e608452a3137df6ed2346c69d42d8fd27)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ac_cv_sizeof_off_t was previously in the site cache files, which was breaking
large file support and required a workaround in each recipe that actually wanted
to use large files.
Now that the entry has been removed from the site cache, we can remove the
workarounds.
(From OE-Core rev: 1485d7cae88adb3575c6eaa47784fe50820d2740)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Proxy support is a feature, so should not have been disabled in
the previous commit (which disabled support for legacy protocols):
http://git.openembedded.org/openembedded-core/commit/?id=b26634900d487a22eef41e9e077d35fb347d4c29
(From OE-Core rev: dfb0064fb16eba1446b8f3db13e0b8b3b4764481)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
As a result of this commit, the following protocols will now be
disabled by default:
DICT GOPHER IMAP IMAPS POP3 POP3S RTSP SMTP SMTPS TELNET TFTP
Also add a PACKAGECONFIG option for libidn (previously disabled
unconditionally).
(From OE-Core rev: b26634900d487a22eef41e9e077d35fb347d4c29)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This patch has been carried around in oe-core for a long time.
It contains two unrelated changes and neither seem to be required
any more. Drop the patch.
(From OE-Core rev: 27837df35db57f50b8fa7f7c6b3f2e400205deb9)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adjust LIC_FILES_CHKSUM beginline due to changes to the Copyright to
acknowledge additional contributors. No change to the license text.
(From OE-Core rev: 0ab2c3b105fe92efbc814a3985879996932878c6)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Full changelog: http://curl.haxx.se/changes.html#7_47_0
Security fixes: http://curl.haxx.se/docs/vulnerabilities.html
CVE-2016-0754 : remote file name path traversal in curl tool for Windows
CVE-2016-0755 : NTLM credentials not-checked for proxy connection re-use
(From OE-Core rev: 6600190d7efb69dd5121b9ca082ad4c0dbc5e17e)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
curl-config will be installed to target, cleanup buildpaths in it:
* remove ${STAGING_DIR_HOST} from CC, CFLAGS ...
(From OE-Core rev: 3e4978a534afc7fd4b82a044da8d9774cf09a4f0)
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Bump to version 7.44
(From OE-Core rev: edea6df23692686c8401dea877234072ee117b36)
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upgrade to include a security fixes for CVE-2015-3153
(From OE-Core rev: a99047605020ea76209279e98556687c61e1da0d)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This issue was reported on poky ml as well see
https://lists.yoctoproject.org/pipermail/poky/2013-December/009435.html
Change-Id: Iedf22467889893111fde0433e411fd0546a38546
(From OE-Core rev: 3c58712465494e441c4036a7cf21d2e6d343efab)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There should be only one dev and dbg package.
(From OE-Core rev: eb972e9b4b4210fa1c35fc0fae0ada27264b2e66)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Enabling support for the smb protocol does not create
a build time dependency on samba.
(From OE-Core rev: b4c7921001a30e0162cacbe12b1a5b888b36db57)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
curl 7.40.0 added support for the SMB/CIFS protocol. So provide
a PACKAGECONFIG option for smb.
Reported-by: Andre McCurdy <armccurdy@gmail.com>
(From OE-Core rev: c776fd463902594e77cf9a8199039714a078437c)
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Bump to version 7.40
(From OE-Core rev: d3704312252c1607883099063151c599cca81cbe)
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus
making them apply broader than cookies are allowed. This can allow arbitrary
sites to set cookies that then would get sent to a different and unrelated site
or domain.
(From OE-Core rev: ddbaade8afbc9767583728bfdc220639203d6853)
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
By not detecting and rejecting domain names for partial literal IP addresses
properly when parsing received HTTP cookies, libcurl can be fooled to both
sending cookies to wrong sites and into allowing arbitrary sites to set cookies
for others.
(From OE-Core rev: 985ef933208da1dd1f17645613ce08e6ad27e2c1)
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The user can enable libssh2 via conf/local.conf or custom distro
configuration, this will pull in libssh2, which is not used by default.
For example, a curl_x.y.z.bbappend file containing the following line:
PACKAGECONFIG += "libssh2"
(From OE-Core rev: d425e005d274cac0ef7160f53c41bda175444f69)
Signed-off-by: Fabrice Coulon <fabrice.coulon@axis.com>
Signed-off-by: Olof Johansson <olof.johansson@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Otherwise this is a non-deterministic build dependency.
(From OE-Core rev: 8521d4d6b73c93ae60cca3d04673cdd02c27446c)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add a zlib PACKAGECONFIG control and update PACKAGECONFIG[ssl] to
include the openssl dependency. Older hardcoded DEPENDS can then
be removed.
(From OE-Core rev: e668c79de927eff635f29fb5ff001f6b106ccc81)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This will allow curl run as nativesdk and fixes the following:
fatal: unable to access 'https://...': Protocol https not supported or disabled in libcurl
(From OE-Core rev: 76a702f4cde7ca8dd2946633f489386e43b6be26)
Signed-off-by: João Henrique Ferreira de Freitas <joaohf@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This will allow for easier configuration of curl for SSL vs gnutls
[YOCTO #6329]
(From OE-Core rev: 6a8144390eb2dee6e1baf7be75cffcacbb247002)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
By default ipv6 is auto detected for native builds but disabled when
cross compiling.
This commit adds a PACKAGECONFIG option, unconditionally enabled for
native and nativesdk builds and controlled by the ipv6 DISTRO feature
for target builds.
(From OE-Core rev: f8377e96b353f8cf4a5812fa14c1c0405f769096)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the adaptation for the a bugfix upstream
The inappropriate file src/tool_hugehelp.c presence in the curl 7.36 release
interfered with the upstream fix for
https://sourceforge.net/p/curl/bugs/1350/
(From OE-Core rev: c5a52f5b5ae7c5528bc59ee7fb69a2f460a89b81)
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Mostly cosmetic, but entries in PACKAGES should be specified the exact same way as FILES/RRECOMMENDS entries to avoid problems.
(From OE-Core rev: 4d2a7f47a9830788455afe00a7c6a857cebbcb81)
Signed-off-by: Koen Kooi <koen.kooi@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
mkhelp: generate code for --disable-manual as well
This allows configure --disable-manual to run and build without having
to regenerate the src/tool_hugehelp.c file which otherwise is necessary
since we ship tarballs with that file present.
(From OE-Core rev: 544a96255203a6779d1f0022d003c6680f330511)
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>