code.ossystems Code Review - openembedded-core.git/commit
curl: Fix CVE-2021-22924 and CVE-2021-22925
author Mike Crowe <mac@mcrowe.com>
Wed, 4 Aug 2021 17:05:52 +0000 (18:05 +0100)
committer Steve Sakoman <steve@sakoman.com>
Wed, 4 Aug 2021 19:56:48 +0000 (09:56 -1000)
commit 3631da82b3542df1c1e4bbd499fc2dbe67f5f3ec
tree 3b003918c1fda725ccc4310791db95185c5466d5
parent ba99fce9354555e556158a0af8ec809ae00cb62b
curl: Fix CVE-2021-22924 and CVE-2021-22925

curl v7.78 contained fixes for five CVEs:

CVE-2021-22922[1] and CVE-2021-22923[2] are only present when support
for metalink is enabled. EXTRA_OECONF contains "--without-libmetalink"
so these fixes are unnecessary.

CVE-2021-22926[3] only affects builds for MacOS.

CVE-2021-22924[4] and CVE-2021-22925[5] are both applicable. Take the
patches from Ubuntu 20.04 curl_7.68.0-1ubuntu2.6 package which is close
enough that the patch for CVE-2021-22924 applies without conflicts.

[1] https://curl.se/docs/CVE-2021-22922.html
[2] https://curl.se/docs/CVE-2021-22923.html
[3] https://curl.se/docs/CVE-2021-22926.html
[4] https://curl.se/docs/CVE-2021-22924.html
[5] https://curl.se/docs/CVE-2021-22925.html

Signed-off-by: Mike Crowe <mac@mcrowe.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-support/curl/curl/CVE-2021-22924.patch [new file with mode: 0644]
meta/recipes-support/curl/curl/CVE-2021-22925.patch [new file with mode: 0644]
meta/recipes-support/curl/curl_7.69.1.bb