Commit graph

8 commits

Author SHA1 Message Date
Hauke Mehrtens
4e07167eff curl: update to version 7.51.0
This fixes the following security problems:
CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-12-03 16:38:44 +01:00
Dirk Neukirchen
6aebc6b16b curl: update to 7.49
fixes:
 CVE-2016-3739: TLS certificate check bypass with mbedTLS/PolarSSL

- remove crypto auth compile fix
curl changelog of 7.46 states its fixed

- fix mbedtls and cyassl usability #19621 :
add path to certificate file (from Mozilla via curl) and
provide this in a new package

tested on ar71xx w. curl/mbedtls/wolfssl

Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
2016-05-19 16:56:34 +02:00
Hauke Mehrtens
a2b15e6c1d curl: upstep to latest version 7.48.0
Signed-off-by: Dirk Feytons <dirk.feytons@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 49182
2016-04-17 12:51:19 +00:00
Hauke Mehrtens
969ec949a8 curl: update curl to version 7.47.0
This fixes the following security problems:

CVE-2016-0754: remote file name path traversal in curl tool for Windows
http://curl.haxx.se/docs/adv_20160127A.html

CVE-2016-0755: NTLM credentials not-checked for proxy connection re-use
http://curl.haxx.se/docs/adv_20160127B.html

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 48614
2016-02-01 22:37:05 +00:00
Hauke Mehrtens
97b14fd700 curl: update curl to version 7.43.0
This brings curl to version 7.43.0 and contains fixes for the following
security vulnerabilities:

CVE-2015-3236: lingering HTTP credentials in connection re-use
http://curl.haxx.se/docs/adv_20150617A.html

CVE-2015-3237: SMB send off unrelated memory contents
http://curl.haxx.se/docs/adv_20150617B.html

The 100-check_long_long patch is not needed any more, because the
upstream autoconf script already checks for long long when cyassl is
selected.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 46169
2015-07-03 23:21:01 +00:00
John Crispin
89df45295e cURL: Update to version 7.40.0
* Update to version 7.40.0
* remove non existing config options around enable/disable HTTPS protocoll
* remove --with-ca-path if ssl support disabled
* set proxy support as default like all versions before CC did

Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>

SVN-Revision: 44176
2015-01-28 12:07:47 +00:00
Hauke Mehrtens
275ba42c52 curl: 7.36.0 -> 7.38.0
Main changes:
- URL parser: IPv6 zone identifiers are now supported
- cyassl: Use error-ssl.h when available (drop local patch)
- polarssl: support CURLOPT_CAPATH / --capath
- mkhelp: generate code for --disable-manual as well (drop local patch)

Full release notes: http://curl.haxx.se/changes.html

MIPS 34kc binary size:
- 7.36.0 before: 82,539 bytes
- 7.38.0 after: 83,321 bytes

Signed-off-by: Catalin Patulea <cat@vv.carleton.ca>

SVN-Revision: 42517
2014-09-13 20:26:08 +00:00
Jo-Philipp Wich
3a1b8699b6 curl: move to core packages
SVN-Revision: 41143
2014-06-11 15:43:24 +00:00