git.ipfire.org Git - thirdparty/openembedded/openembedded-core.git/commit
curl: Backport CVE fixes
author Robert Joslyn <robert.joslyn@redrectangle.org>
Sat, 15 Jan 2022 04:09:07 +0000 (20:09 -0800)
committer Anuj Mittal <anuj.mittal@intel.com>
Mon, 17 Jan 2022 02:14:53 +0000 (10:14 +0800)
commit 705718cfe243e05e0975bad3b822666363ef55df
tree ed6a5c9beb1e250505f88a2a8de0b00c9fef84f4
parent 3ceee568313ea7cd3afe33df8119319644e12fa4
curl: Backport CVE fixes

Backport fixes for CVE-2021-22922, CVE-2021-22923, CVE-2021-22945,
CVE-2021-22946, and CVE-2021-22947.

 * https://curl.se/docs/CVE-2021-22922.html
 * https://curl.se/docs/CVE-2021-22923.html
 * https://curl.se/docs/CVE-2021-22945.html
 * https://curl.se/docs/CVE-2021-22946.html
 * https://curl.se/docs/CVE-2021-22947.html

22922 and 22923 were fixed by upstream by simply removing metalink
support in newer versions. These are mitigated in older versions by
disabling metalink support, which was already done by the recipe, so
whitelist these CVEs.

22945, 22946, and 22947 are backported with only trivial patch fuzz
modifications.

Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
meta/recipes-support/curl/curl/CVE-2021-22945.patch [new file with mode: 0644]
meta/recipes-support/curl/curl/CVE-2021-22946.patch [new file with mode: 0644]
meta/recipes-support/curl/curl/CVE-2021-22947.patch [new file with mode: 0644]
meta/recipes-support/curl/curl_7.75.0.bb