openembedded-core.git/meta/recipes-support/curl, branch dizzy Mirror of openembedded-core curl: add a few missing security fixes 2015-07-20T19:53:05+00:00 Armin Kuster akuster808@gmail.com 2015-05-10T20:20:21+00:00 cfcda9db45350d03158569c8c01e448cb426de5a CVE-2014-3707 CVE-2014-8150 CVE-2015-3153 not affected by: CVE-2014-8151 Signed-off-by: Armin Kuster <akuster808@gmail.com> 
CVE-2014-3707
CVE-2014-8150
CVE-2015-3153

not affected by:  CVE-2014-8151

Signed-off-by: Armin Kuster <akuster808@gmail.com>
curl: several security fixes 2015-07-20T19:53:05+00:00 Maxin B. John maxin.john@enea.com 2015-04-23T13:11:00+00:00 e525ef63ed2b4f3a250caf0748637b7f16b34d90 Fixes below listed bugs: 1. CVE-2015-3143 2. CVE-2015-3144 3. CVE-2015-3145 Dropped: 4. CVE-2015-3148 SPNEGO was introduced in 7.39 so this version not affected Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> 
Fixes below listed bugs:
1. CVE-2015-3143
2. CVE-2015-3144
3. CVE-2015-3145

Dropped: 4. CVE-2015-3148
SPNEGO was introduced in 7.39 so this version not affected

Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
curl: Fixup line ending merge issues 2014-11-24T16:23:20+00:00 Richard Purdie richard.purdie@linuxfoundation.org 2014-11-24T16:23:16+00:00 5dee4e241d64e6144d74967cca583d249689773a Somehow the patch line endings got messed up during merge. This restores the delta. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Somehow the patch line endings got messed up during merge. This restores
the delta.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
curl: Security Advisory - curl - CVE-2014-3620 2014-11-21T16:48:56+00:00 Chong Lu Chong.Lu@windriver.com 2014-11-04T01:35:18+00:00 db194a3af25a37ff2d6f091ef021894967ca5910 libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain. (From OE-Core rev: ddbaade8afbc9767583728bfdc220639203d6853) Signed-off-by: Chong Lu <Chong.Lu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus
making them apply broader than cookies are allowed. This can allow arbitrary
sites to set cookies that then would get sent to a different and unrelated site
or domain.

(From OE-Core rev: ddbaade8afbc9767583728bfdc220639203d6853)

Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
curl: Security Advisory - curl - CVE-2014-3613 2014-11-21T16:48:47+00:00 Chong Lu Chong.Lu@windriver.com 2014-10-24T08:26:41+00:00 7c4dfa64fd88066f2e0fbc917d8660f5b35e00c4 By not detecting and rejecting domain names for partial literal IP addresses properly when parsing received HTTP cookies, libcurl can be fooled to both sending cookies to wrong sites and into allowing arbitrary sites to set cookies for others. (From OE-Core rev: 985ef933208da1dd1f17645613ce08e6ad27e2c1) Signed-off-by: Chong Lu <Chong.Lu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
By not detecting and rejecting domain names for partial literal IP addresses
properly when parsing received HTTP cookies, libcurl can be fooled to both
sending cookies to wrong sites and into allowing arbitrary sites to set cookies
for others.

(From OE-Core rev: 985ef933208da1dd1f17645613ce08e6ad27e2c1)

Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
curl: add PACKAGECONFIG option to use libssh2 2014-10-10T09:39:12+00:00 Fabrice Coulon fabrice@axis.com 2014-10-03T08:21:49+00:00 d425e005d274cac0ef7160f53c41bda175444f69 The user can enable libssh2 via conf/local.conf or custom distro configuration, this will pull in libssh2, which is not used by default. For example, a curl_x.y.z.bbappend file containing the following line: PACKAGECONFIG += "libssh2" Signed-off-by: Fabrice Coulon <fabrice.coulon@axis.com> Signed-off-by: Olof Johansson <olof.johansson@axis.com> 
The user can enable libssh2 via conf/local.conf or custom distro
configuration, this will pull in libssh2, which is not used by default.

For example, a curl_x.y.z.bbappend file containing the following line:
PACKAGECONFIG += "libssh2"

Signed-off-by: Fabrice Coulon <fabrice.coulon@axis.com>
Signed-off-by: Olof Johansson <olof.johansson@axis.com>
curl: add a PACKAGECONFIG for librtmp 2014-09-29T11:12:35+00:00 Ross Burton ross.burton@intel.com 2014-09-25T22:58:06+00:00 8521d4d6b73c93ae60cca3d04673cdd02c27446c Otherwise this is a non-deterministic build dependency. Signed-off-by: Ross Burton <ross.burton@intel.com> 
Otherwise this is a non-deterministic build dependency.

Signed-off-by: Ross Burton <ross.burton@intel.com>
curl: --with-random is only applicable with openssl 2014-08-15T17:19:53+00:00 Andre McCurdy armccurdy@gmail.com 2014-08-13T07:36:55+00:00 482493b54d97c455bf4849efed3e543340412d7b Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
curl: let configure find gnutls via pkg-config 2014-08-15T17:19:53+00:00 Andre McCurdy armccurdy@gmail.com 2014-08-13T07:36:54+00:00 3682d661f3b3a6fa7d9ef37968746cbaf1ede078 Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
curl: add zlib PACKAGECONFIG and remove hardcoded DEPENDS 2014-08-15T17:19:53+00:00 Andre McCurdy armccurdy@gmail.com 2014-08-13T07:36:53+00:00 e668c79de927eff635f29fb5ff001f6b106ccc81 Add a zlib PACKAGECONFIG control and update PACKAGECONFIG[ssl] to include the openssl dependency. Older hardcoded DEPENDS can then be removed. Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Add a zlib PACKAGECONFIG control and update PACKAGECONFIG[ssl] to
include the openssl dependency. Older hardcoded DEPENDS can then
be removed.

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>