mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-28 01:28:59 +00:00
111cf1b9f3
This fixes the following security problem: https://curl.haxx.se/docs/adv_20170222.html Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
34 lines
1.2 KiB
Diff
34 lines
1.2 KiB
Diff
From a00a42b4abe8363a46071bb3b43b1b7138f5259b Mon Sep 17 00:00:00 2001
|
|
From: Daniel Stenberg <daniel@haxx.se>
|
|
Date: Sun, 22 Jan 2017 18:11:55 +0100
|
|
Subject: [PATCH] TLS: make SSL_VERIFYSTATUS work again
|
|
|
|
The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl
|
|
and thus even if the status couldn't be verified, the connection would
|
|
be allowed and the user would not be told about the failed verification.
|
|
|
|
Regression since cb4e2be7c6d42ca
|
|
|
|
CVE-2017-2629
|
|
Bug: https://curl.haxx.se/docs/adv_20170222.html
|
|
|
|
Reported-by: Marcus Hoffmann
|
|
---
|
|
lib/url.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
--- a/lib/url.c
|
|
+++ b/lib/url.c
|
|
@@ -4141,8 +4141,11 @@ static struct connectdata *allocate_conn
|
|
conn->bits.ftp_use_epsv = data->set.ftp_use_epsv;
|
|
conn->bits.ftp_use_eprt = data->set.ftp_use_eprt;
|
|
|
|
+ conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
|
|
conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
|
|
conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
|
|
+ conn->proxy_ssl_config.verifystatus =
|
|
+ data->set.proxy_ssl.primary.verifystatus;
|
|
conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
|
|
conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
|
|
|