Commit Graph

28 Commits

Author SHA1 Message Date
Stijn Segers
060b7f1fbb curl: apply CVE 2017-8816 and 2017-8817 security patches
This commit adds the upstream patches for CVE 2017-8816 and 2017-8817 to the 17.01
Curl package.

Compile-tested on ar71xx, ramips and x86.

Signed-off-by: Stijn Segers <foss@volatilesystems.org>
2017-12-04 11:10:31 +01:00
Hauke Mehrtens
f483a35f08 curl: fix security problems
This fixes the following security problems:
 * CVE-2017-1000100 TFTP sends more than buffer size
 * CVE-2017-1000101 URL globbing out of bounds read

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-09-30 15:27:29 +02:00
Hauke Mehrtens
7ab8bf126e curl: fix CVE-2017-7407 and CVE-2017-7468
This fixes the following security problems:
* CVE-2017-7407: https://curl.haxx.se/docs/adv_20170403.html
* CVE-2017-7468: https://curl.haxx.se/docs/adv_20170419.html

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-07-28 23:49:39 +02:00
Hauke Mehrtens
111cf1b9f3 curl: fix CVE-2017-2629 SSL_VERIFYSTATUS ignored
This fixes the following security problem:
https://curl.haxx.se/docs/adv_20170222.html

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-03-13 22:51:20 +01:00
Rosen Penev
558680012d curl: Remove PolarSSL and adjust default to mbedTLS
luci-ssl has already made the switch since mainline support for PolarSSL is
almost over (2016).

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2017-01-03 14:26:41 +01:00
Hauke Mehrtens
1436e15488 curl: update to version 7.52.1
This fixes the following security problems:

CVE-2016-9586: printf floating point buffer overflow
CVE-2016-9952: Win CE schannel cert wildcard matches too much
CVE-2016-9953: Win CE schannel cert name out of buffer read
CVE-2016-9594: uninitialized random

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-01-02 13:07:10 +01:00
Felix Fietkau
720b99215d treewide: clean up download hashes
Replace *MD5SUM with *HASH, replace MD5 hashes with SHA256

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-16 22:39:22 +01:00
Hauke Mehrtens
4e07167eff curl: update to version 7.51.0
This fixes the following security problems:
CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-12-03 16:38:44 +01:00
Hauke Mehrtens
df9efc9497 curl: update to version 7.50.3
This fixes the following security problems:
7.50.1:
 CVE-2016-5419 TLS session resumption client cert bypass
 CVE-2016-5420 Re-using connections with wrong client cert
 CVE-2016-5421 use of connection struct after free
7.50.2:
 CVE-2016-7141 Incorrect reuse of client certificates
7.50.3:
 CVE-2016-7167 curl escape and unescape integer overflows

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-09-24 13:48:05 +02:00
Hauke Mehrtens
7d38128f6a curl: update to version 7.50.0
Changelog: https://curl.haxx.se/changes.html

old sizes:
libcurl_7.49.0-1_mips_34kc_dsp.ipk      97569
curl_7.49.0-1_mips_34kc_dsp.ipk         37925

new sizes:
libcurl_7.50.0-1_mips_34kc_dsp.ipk      97578
curl_7.50.0-1_mips_34kc_dsp.ipk         38017

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-07-24 15:04:13 +02:00
Felix Fietkau
1d0d5ddb07 curl: remove axtls config option, the library does not exist in our tree
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-05-19 16:56:34 +02:00
Dirk Neukirchen
6aebc6b16b curl: update to 7.49
fixes:
 CVE-2016-3739: TLS certificate check bypass with mbedTLS/PolarSSL

- remove crypto auth compile fix
curl changelog of 7.46 states it's fixed

- fix mbedtls and cyassl usability #19621 :
add path to certificate file (from Mozilla via curl) and
provide this in a new package

tested on ar71xx w. curl/mbedtls/wolfssl

Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
2016-05-19 16:56:34 +02:00
Hauke Mehrtens
ba97a03d7d curl: add flags to allow gc-sections to strip out unused code
Signed-off-by: Dirk Feytons <dirk.feytons@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 49184
2016-04-17 12:51:57 +00:00
Hauke Mehrtens
a4d646cf15 curl: add config option for NTLM support
Signed-off-by: Dirk Feytons <dirk.feytons@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 49183
2016-04-17 12:51:41 +00:00
Hauke Mehrtens
a2b15e6c1d curl: upstep to latest version 7.48.0
Signed-off-by: Dirk Feytons <dirk.feytons@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 49182
2016-04-17 12:51:19 +00:00
Hauke Mehrtens
3a2e25bc77 curl: add support for mbedtls
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 48615
2016-02-01 22:37:41 +00:00
Hauke Mehrtens
969ec949a8 curl: update curl to version 7.47.0
This fixes the following security problems:

CVE-2016-0754: remote file name path traversal in curl tool for Windows
http://curl.haxx.se/docs/adv_20160127A.html

CVE-2016-0755: NTLM credentials not-checked for proxy connection re-use
http://curl.haxx.se/docs/adv_20160127B.html

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 48614
2016-02-01 22:37:05 +00:00
Hauke Mehrtens
97b14fd700 curl: update curl to version 7.43.0
This brings curl to version 7.43.0 and contains fixes for the following
security vulnerabilities:

CVE-2015-3236: lingering HTTP credentials in connection re-use
http://curl.haxx.se/docs/adv_20150617A.html

CVE-2015-3237: SMB send off unrelated memory contents
http://curl.haxx.se/docs/adv_20150617B.html

The 100-check_long_long patch is not needed any more, because the
upstream autoconf script already checks for long long when cyassl is
selected.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 46169
2015-07-03 23:21:01 +00:00
John Crispin
b16cf34c95 curl: fix PKG_CONFIG_DEPENDS
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>

SVN-Revision: 44925
2015-03-21 21:47:41 +00:00
John Crispin
83693349fc cURL: implement new functionality with cleanup and fixes
remove obsolete configuration settings
  --disable-thread
  --enable-nonblocking
  --without-krb4
remove SSPI support
  only supported on windows
correct --with/without-ca-path handling
  only supported with OpenSSL and PolarSSL
correct LDAP/LDAPS protocol
  add dependency libopenldap
added SCP/SFTP protocol
  default "No"
  depends on libssh2
added IDN support
  default "No"
  depends on libidn
added SMB protocol (new in 7.40)
  default "No"
  require 'cryptographic authentication' and either 'GnuTLS' or 'OpenSSL' selected
added Unix sockets support (new in 7.40)
  default "No"
added error verbose messages
  default "No"
changes to Makefile
  Increase PKG_RELEASE
  PKG_CONFIG_DEPENDS and CONFIGURE_ARGS
    extended for new functionality
    use "autoconf_bool" for all --enable/--disable options
    restructure for easier reading
changes to Config.in
  extended for new functionality
  implement dependencies
  restructure and grouping for easier reading
build tested on XUbuntu 14.10 x86 for x86 (generic) and ar71xx (WNDR3800)

Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>

SVN-Revision: 44243
2015-02-02 09:02:24 +00:00
Nicolas Thill
fc5cec97d2 curl: fix typo in 2 config symbols
Signed-off-by: Nicolas Thill <nico@openwrt.org>

SVN-Revision: 44191
2015-01-29 16:37:08 +00:00
John Crispin
89df45295e cURL: Update to version 7.40.0
* Update to version 7.40.0
* remove non-existing config options around enable/disable HTTPS protocol
* remove --with-ca-path if ssl support disabled
* set proxy support as default like all versions before CC did

Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>

SVN-Revision: 44176
2015-01-28 12:07:47 +00:00
John Crispin
ff3448adaa curl: allow enabling https protocol
Provide optional --enable-https flag for curl.

Signed-off-by: Lars Kruse <devel@sumpfralle.de>

SVN-Revision: 43997
2015-01-17 13:57:56 +00:00
Nicolas Thill
f4417f7ad8 package/*: replace occurrences of 'ln -sf' with '$(LN)'
Signed-off-by: Nicolas Thill <nico@openwrt.org>

SVN-Revision: 43205
2014-11-06 19:35:34 +00:00
Felix Fietkau
6edad5a849 curl: only set ca path for openssl
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 42662
2014-09-25 10:51:56 +00:00
Felix Fietkau
5ad7d7cc97 curl: use the system certificates
Signed-off-by: Cristian Morales Vega <cristian@samknows.com>

SVN-Revision: 42661
2014-09-25 10:37:06 +00:00
Hauke Mehrtens
275ba42c52 curl: 7.36.0 -> 7.38.0
Main changes:
- URL parser: IPv6 zone identifiers are now supported
- cyassl: Use error-ssl.h when available (drop local patch)
- polarssl: support CURLOPT_CAPATH / --capath
- mkhelp: generate code for --disable-manual as well (drop local patch)

Full release notes: http://curl.haxx.se/changes.html

MIPS 34kc binary size:
- 7.36.0 before: 82,539 bytes
- 7.38.0 after: 83,321 bytes

Signed-off-by: Catalin Patulea <cat@vv.carleton.ca>

SVN-Revision: 42517
2014-09-13 20:26:08 +00:00
Jo-Philipp Wich
3a1b8699b6 curl: move to core packages
SVN-Revision: 41143
2014-06-11 15:43:24 +00:00