From: Richard Purdie <richard.purdie@linuxfoundation.org>
Date: Mon, 8 Apr 2024 13:01:24 +0000 (+0100)
Subject: curl: Upgrade 8.6.0 -> 8.7.1
X-Git-Tag: 2024-04-scarthgap~35
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8e27b472d1bc872c6da2b22f57b30d36e231d745;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git

curl: Upgrade 8.6.0 -> 8.7.1

This includes 4 security fixes:

CVE-2024-2466 - TLS certificate check bypass with mbedTLS
CVE-2024-2398 - HTTP/2 push headers memory-leak
CVE-2024-2379 - QUIC certificate check bypass with wolfSSL
CVE-2024-2004 - Usage of disabled protocol

Along with many other changes, mostly bugfixes: https://curl.se/changes.html

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---

diff --git a/meta/recipes-support/curl/curl/no-test-timeout.patch b/meta/recipes-support/curl/curl/no-test-timeout.patch
index b4cfe716db7..7122b6f0435 100644
--- a/meta/recipes-support/curl/curl/no-test-timeout.patch
+++ b/meta/recipes-support/curl/curl/no-test-timeout.patch
@@ -1,10 +1,17 @@
-Set the max-time timeout to 600 so the timeout is 10 minutes instead of 13 seconds.
+From 42cddb52e821cfc2f09f1974742714e5f2f1856e Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@arm.com>
+Date: Fri, 15 Mar 2024 14:37:37 +0000
+Subject: [PATCH] Set the max-time timeout to 600 so the timeout is 10 minutes
+ instead of 13 seconds.
 
 Upstream-Status: Inappropriate
 Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ tests/servers.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/tests/servers.pm b/tests/servers.pm
-index d4472d509..aeab62c47 100644
+index d4472d5..9999938 100644
 --- a/tests/servers.pm
 +++ b/tests/servers.pm
 @@ -120,7 +120,7 @@ my $sshdverstr;  # for socks server, ssh daemon version string
diff --git a/meta/recipes-support/curl/curl_8.6.0.bb b/meta/recipes-support/curl/curl_8.7.1.bb
similarity index 98%
rename from meta/recipes-support/curl/curl_8.6.0.bb
rename to meta/recipes-support/curl/curl_8.7.1.bb
index 49ba0cb4a7e..c6654bbad6d 100644
--- a/meta/recipes-support/curl/curl_8.6.0.bb
+++ b/meta/recipes-support/curl/curl_8.7.1.bb
@@ -15,7 +15,7 @@ SRC_URI = " \
     file://disable-tests \
     file://no-test-timeout.patch \
 "
-SRC_URI[sha256sum] = "3ccd55d91af9516539df80625f818c734dc6f2ecf9bada33c76765e99121db15"
+SRC_URI[sha256sum] = "6fea2aac6a4610fbd0400afb0bcddbe7258a64c63f1f68e5855ebc0c659710cd"
 
 # Curl has used many names over the years...
 CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"