git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/commitdiff
curl: upgrade 8.19.0 -> 8.20.0
author Tim Orling <tim.orling@konsulko.com>
Mon, 1 Jun 2026 18:59:00 +0000 (11:59 -0700)
committer Richard Purdie <richard.purdie@linuxfoundation.org>
Thu, 4 Jun 2026 10:18:34 +0000 (11:18 +0100)
* Backport patch to avoid 100% CPU load:
  https://github.com/curl/curl/commit/2a2104f3cff44bb28bb570a093be52bbeeed8f23
* Remove PACKAGECONFIG[rtmpdump]:
  ceae02db04 rtmp: drop support

CVE: CVE-2026-4873
CVE: CVE-2026-5545
CVE: CVE-2026-5773
CVE: CVE-2026-6253
CVE: CVE-2026-6276
CVE: CVE-2026-6429
CVE: CVE-2026-7009
CVE: CVE-2026-7168

For changelog, see [1].
For full comparison of changes, see [2].

[1] https://curl.se/ch/8.20.0.html
[2] https://github.com/curl/curl/compare/curl-8_19_0...curl-8_20_0

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/recipes-support/curl/curl/0001-event-fix-wakeup-consumption.patch [new file with mode: 0644]
meta/recipes-support/curl/curl_8.20.0.bb [moved from meta/recipes-support/curl/curl_8.19.0.bb with 97% similarity]

diff --git a/meta/recipes-support/curl/curl/0001-event-fix-wakeup-consumption.patch b/meta/recipes-support/curl/curl/0001-event-fix-wakeup-consumption.patch
new file mode 100644 (file)
index 0000000..7f22e19
--- /dev/null
@@ -0,0 +1,39 @@
+From 590e31dff8aa4c5ff8be761128e38ac751aed875 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Mon, 11 May 2026 14:56:04 +0200
+Subject: [PATCH] event: fix wakeup consumption
+
+The events on a multi wakeup socketpair were only consumed via
+curl_multi_poll()/curl_multi_wait() but not in event based processing on
+a curl_multi_socket() call. That led to busy loops as reported in
+
+Fixes #21547
+Reported-by: Earnestly on github
+Closes #21549
+
+Upstream-Status: Backport ["2a2104f event: fix wakeup consumption"]
+Suggested-by: Ross Burton <ross.burton@arm.com>
+Signed-off-by: Tim Orling <tim.orling@konsulk.com>
+---
+ lib/multi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/multi.c b/lib/multi.c
+index 7520253d70..a0012d8faf 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -2479,6 +2479,11 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
+   Curl_uint32_bset_remove(&multi->dirty, data->mid);
+   if(data == multi->admin) {
++#ifdef ENABLE_WAKEUP
++    /* Consume any pending wakeup signals before processing.
++     * This is necessary for event based processing. See #21547 */
++    (void)Curl_wakeup_consume(multi->wakeup_pair, TRUE);
++#endif
+ #ifdef USE_RESOLV_THREADED
+     Curl_async_thrdd_multi_process(multi);
+ #endif
+-- 
+2.47.3
+
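Review bot: The Signed-off-by line in the patch header reads tim.orling@konsulk.com, while the commit carrying this file is signed off as tim.orling@konsulko.com; correct the address so the backport can be traced to its submitter. The description also stops mid-sentence at "That led to busy loops as reported in" with nothing after it, and the Upstream-Status tag gives only the short hash 2a2104f. Using the full upstream commit URL already quoted in the commit message (https://github.com/curl/curl/commit/2a2104f3cff44bb28bb570a093be52bbeeed8f23) in the tag would make the patch file self-contained for anyone auditing where the lib/multi.c change came from.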
similarity index 97%
rename from meta/recipes-support/curl/curl_8.19.0.bb
rename to meta/recipes-support/curl/curl_8.20.0.bb
index 4287b7b7da565d4638638ae36ba434218d123dc0..f4a0a2af71228ebddbeeef79e09744d4cf2a254e 100644 (file)
@@ -15,13 +15,14 @@ SRC_URI = " \
     file://disable-tests \
     file://no-test-timeout.patch \
     file://mbedtls.patch \
+    file://0001-event-fix-wakeup-consumption.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \
     file://environment.d-curl.sh \
 "
 
-SRC_URI[sha256sum] = "4eb41489790d19e190d7ac7e18e82857cdd68af8f4e66b292ced562d333f11df"
+SRC_URI[sha256sum] = "63fe2dc148ba0ceae89922ef838f7e5c946272c2e78b7c59fab4b79d3ce2b896"
 
 # Curl has used many names over the years...
 CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
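Review bot: The SRC_URI[sha256sum] replacement is the only integrity anchor for the 8.20.0 tarball, and nothing in the hunk or the commit message says how the new value was obtained. Confirm it against the checksum or signature upstream publishes for the release rather than a hash computed locally over whatever was fetched. The added file://0001-event-fix-wakeup-consumption.patch entry is a backport, so a short comment or a note in the commit message that it is to be dropped once a release contains the fix would help the next upgrade.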
@@ -64,7 +65,6 @@ PACKAGECONFIG[nghttp2] = "--with-nghttp2,--without-nghttp2,nghttp2"
 PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl"
 PACKAGECONFIG[pop3] = "--enable-pop3,--disable-pop3,"
 PACKAGECONFIG[proxy] = "--enable-proxy,--disable-proxy,"
-PACKAGECONFIG[rtmpdump] = "--with-librtmp,--without-librtmp,rtmpdump"
 PACKAGECONFIG[rtsp] = "--enable-rtsp,--disable-rtsp,"
 PACKAGECONFIG[schannel] = "--with-schannel,--without-schannel,"
 PACKAGECONFIG[smb] = "--enable-smb,--disable-smb,"
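Review bot: Removing PACKAGECONFIG[rtmpdump] leaves any bbappend or distro/local configuration that still lists rtmpdump for curl pointing at an option that no longer exists, so --with-librtmp and the rtmpdump dependency silently stop applying. The commit message cites "ceae02db04 rtmp: drop support" as the reason; consider also flagging the removal where downstream users will see it (for example the migration notes) so that images relying on RTMP through curl are caught at upgrade time and not at run time.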