git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/commit
curl: fix CVE-2024-11053
author Yogita Urade <yogita.urade@windriver.com>
Tue, 8 Jul 2025 08:57:28 +0000 (14:27 +0530)
committer Steve Sakoman <steve@sakoman.com>
Tue, 8 Jul 2025 16:05:09 +0000 (09:05 -0700)
commit 87823ff05a4f90b42c138902639a59231fa17def
tree 8f56d0361421ace9bd092aaa32f1bd120e6d8710
parent cd589717c05b887986b9d61f5193e764f4deb3ee
curl: fix CVE-2024-11053

When asked to both use a `.netrc` file for credentials and to follow HTTP
redirects, curl could leak the password used for the first host to the
followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has an entry that matches
the redirect target hostname but the entry either omits just the password or
omits both login and password.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-11053
https://git.launchpad.net/ubuntu/+source/curl/diff/debian/patches/CVE-2024-11053-pre1.patch?id=2126676d86041cabd7b1aa302fc1fdf47989df95
https://git.launchpad.net/ubuntu/+source/curl/diff/debian/patches/CVE-2024-11053.patch?id=2126676d86041cabd7b1aa302fc1fdf47989df95

Upstream patch:
https://github.com/curl/curl/commit/9bee39bfed2c413b4cc4eb306a57ac92a1854907
https://github.com/curl/curl/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af31949

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-support/curl/curl/CVE-2024-11053-0001.patch [new file with mode: 0644]
meta/recipes-support/curl/curl/CVE-2024-11053-0002.patch [new file with mode: 0644]
meta/recipes-support/curl/curl_7.82.0.bb
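The condition the commit message describes, as an added example that is not part of this commit or of curl's code: a Python model with a minimal .netrc parser, a check that lists entries whose missing password would trigger the leak on redirect, and the pre-fix and fixed credential resolution for the redirect target side by side. The .netrc content, hostnames and credentials are constructed, and the two resolve functions model the behaviour described above, not curl's implementation.

```python
import shlex
# Simplified model of the condition described above, not curl's code.
# Constructed sample .netrc: target.example's entry omits the password,
# other.example's entry omits both login and password.
SAMPLE_NETRC = """
machine origin.example login alice password s3cret
machine target.example login bob
machine other.example
"""

def parse_netrc(text):
    """Return {machine: {"login": ..., "password": ...}}, None for omitted fields."""
    entries, current, i = {}, None, 0
    tokens = shlex.split(text)
    while i + 1 < len(tokens):
        tok = tokens[i]
        if tok == "machine":
            current = tokens[i + 1]
            entries[current] = {"login": None, "password": None}
            i += 2
        elif tok in ("login", "password") and current is not None:
            entries[current][tok] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return entries

def incomplete_entries(entries):
    """Machines whose entry omits the password: the entries that trigger the leak."""
    return sorted(m for m, e in entries.items() if e["password"] is None)

def resolve_vulnerable(entries, host, prev_login, prev_password):
    """Pre-fix behaviour as modelled: fields the target's entry omits keep the first host's values."""
    e = entries.get(host)
    if e is None:
        return None, None
    login = e["login"] if e["login"] is not None else prev_login
    password = e["password"] if e["password"] is not None else prev_password
    return login, password

def resolve_fixed(entries, host, prev_login, prev_password):
    """Fixed behaviour as modelled: the target's own entry only; omitted fields stay unset."""
    e = entries.get(host)
    return (None, None) if e is None else (e["login"], e["password"])

def follow_redirect(resolver, netrc_text=SAMPLE_NETRC):
    """Credentials a request to target.example carries after a redirect from origin.example."""
    entries = parse_netrc(netrc_text)
    first = entries["origin.example"]
    return resolver(entries, "target.example", first["login"], first["password"])
```

Running `incomplete_entries(parse_netrc(...))` over a real .netrc lists the entries that, combined with `--netrc` and redirect following on an unpatched curl, would expose the first host's password.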