summaryrefslogtreecommitdiff
path: root/package/network/utils/curl/patches
Commit message (Collapse)AuthorAgeFilesLines
* curl: fix some security problemsHauke Mehrtens2018-08-1011-44/+384
| | | | | | | | | | | | | | This fixes the following security problems: * CVE-2017-1000254: FTP PWD response parser out of bounds read * CVE-2017-1000257: IMAP FETCH response out of bounds read * CVE-2018-1000005: HTTP/2 trailer out-of-bounds read * CVE-2018-1000007: HTTP authentication leak in redirects * CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write * CVE-2018-1000121: LDAP NULL pointer dereference * CVE-2018-1000122: RTSP RTP buffer over-read * CVE-2018-1000301: RTSP bad headers buffer over-read Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* curl: fix libcurl/mbedtls async interfaceDarren Tucker2018-01-241-0/+27
| | | | | | | | | | | | When using mbedtls, curl's nonblocking interface will report a request as done immediately after the socket is written to and never read from the connection. This will result in a HTTP status code of 0 and zero length replies. Cherry-pick the patch from curl 7.53.0 to fix this (https://github.com/curl/curl/commit/b993d2cc). Fixes https://bugs.openwrt.org/index.php?do=details&task_id=1285. Signed-off-by: Darren Tucker <dtucker@dtucker.net>
* curl: apply CVE 2017-8816 and 2017-8817 security patchesStijn Segers2017-12-042-0/+208
| | | | | | | | | This commit adds the upstream patches for CVE 2017-8816 and 2017-8817 to the 17.01 Curl package. Compile-tested on ar71xx, ramips and x86. Signed-off-by: Stijn Segers <foss@volatilesystems.org>
* curl: fix security problemsHauke Mehrtens2017-09-302-0/+74
| | | | | | | | This fixes the following security problems: * CVE-2017-1000100 TFTP sends more than buffer size * CVE-2017-1000101 URL globbing out of bounds read Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* curl: fix CVE-2017-7407 and CVE-2017-7468Hauke Mehrtens2017-07-282-0/+429
| | | | | | | | This fixes the following security problems: * CVE-2017-7407: https://curl.haxx.se/docs/adv_20170403.html * CVE-2017-7468: https://curl.haxx.se/docs/adv_20170419.html Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* curl: fix CVE-2017-2629 SSL_VERIFYSTATUS ignoredHauke Mehrtens2017-03-132-4/+35
| | | | | | | This fixes the following security problem: https://curl.haxx.se/docs/adv_20170222.html Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* curl: fix HTTPS network timeouts with OpenSSLStijn Segers2017-01-161-0/+36
| | | | | | | | | Backport an upstream change to fix HTTPS timeouts with OpenSSL. Upstream curl bug #1174. Signed-off-by: Stijn Segers <francesco.borromini@inventati.org> [Jo-Philipp Wich: reword commit message, rename patch to 001-*] Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* curl: Remove PolarSSL and adjust default to mbedTLSRosen Penev2017-01-032-22/+11
| | | | | | | luci-ssl has already made the switch since mainline support for PolarSSL is almost over (2016). Signed-off-by: Rosen Penev <rosenp@gmail.com>
* curl: update to version 7.52.1Hauke Mehrtens2017-01-021-2/+2
| | | | | | | | | | | This fixes the folowing security problems: CVE-2016-9586: printf floating point buffer overflow CVE-2016-9952: Win CE schannel cert wildcard matches too much CVE-2016-9953: Win CE schannel cert name out of buffer read CVE-2016-9594: unititialized random Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* curl: update to version 7.51.0Hauke Mehrtens2016-12-032-4/+4
| | | | | | | | | | | | | | | | | This fixes the following security problems: CVE-2016-8615: cookie injection for other servers CVE-2016-8616: case insensitive password comparison CVE-2016-8617: OOB write via unchecked multiplication CVE-2016-8618: double-free in curl_maprintf CVE-2016-8619: double-free in krb5 code CVE-2016-8620: glob parser write/read out of bounds CVE-2016-8621: curl_getdate read out of bounds CVE-2016-8622: URL unescape heap overflow via integer truncation CVE-2016-8623: Use-after-free via shared cookies CVE-2016-8624: invalid URL parsing with '#' CVE-2016-8625: IDNA 2003 makes curl use wrong host Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* curl: update to version 7.50.3Hauke Mehrtens2016-09-241-1/+1
| | | | | | | | | | | | | | This fixes the following security problems: 7.50.1: CVE-2016-5419 TLS session resumption client cert bypass CVE-2016-5420 Re-using connections with wrong client cert CVE-2016-5421 use of connection struct after free 7.50.2: CVE-2016-7141 Incorrect reuse of client certificates 7.50.3: CVE-2016-7167 curl escape and unescape integer overflows Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* curl: update to version 7.50.0Hauke Mehrtens2016-07-241-2/+2
| | | | | | | | | | | | | | Changelog: https://curl.haxx.se/changes.html old sizes: libcurl_7.49.0-1_mips_34kc_dsp.ipk 97569 curl_7.49.0-1_mips_34kc_dsp.ipk 37925 new sizes: libcurl_7.50.0-1_mips_34kc_dsp.ipk 97578 curl_7.50.0-1_mips_34kc_dsp.ipk 38017 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* curl: update to 7.49Dirk Neukirchen2016-05-193-32/+7
| | | | | | | | | | | | | | | | fixes: CVE-2016-3739: TLS certificate check bypass with mbedTLS/PolarSSL - remove crypto auth compile fix curl changelog of 7.46 states its fixed - fix mbedtls and cyassl usability #19621 : add path to certificate file (from Mozilla via curl) and provide this in a new package tested on ar71xx w. curl/mbedtls/wolfssl Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
* curl: upstep to latest version 7.48.0Hauke Mehrtens2016-04-173-4/+4
| | | | | | | Signed-off-by: Dirk Feytons <dirk.feytons@gmail.com> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> SVN-Revision: 49182
* curl: add support for mbedtlsHauke Mehrtens2016-02-011-0/+11
| | | | | | Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> SVN-Revision: 48615
* curl: update curl to version 7.47.0Hauke Mehrtens2016-02-012-5/+5
| | | | | | | | | | | | | | This fixes the following security problems: CVE-2016-0754: remote file name path traversal in curl tool for Windows http://curl.haxx.se/docs/adv_20160127A.html CVE-2016-0755: NTLM credentials not-checked for proxy connection re-use http://curl.haxx.se/docs/adv_20160127B.html Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> SVN-Revision: 48614
* curl: update curl to version 7.43.0Hauke Mehrtens2015-07-034-20/+10
| | | | | | | | | | | | | | | | | | | This brings curl to version 7.43.0 and contains fixes for the following security vulnerabilities: CVE-2015-3236: lingering HTTP credentials in connection re-use http://curl.haxx.se/docs/adv_20150617A.html CVE-2015-3237: SMB send off unrelated memory contents http://curl.haxx.se/docs/adv_20150617B.html The 100-check_long_long patch is not needed any more, because the upstream autoconf script already checks for long long when cyassl is selected. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> SVN-Revision: 46169
* curl: replace polarssl run-time version check with a compile-time oneFelix Fietkau2015-05-051-0/+11
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 45609
* curl: fix build with --disable-crypto-auth (#18838)Jo-Philipp Wich2015-01-291-0/+25
| | | | | | Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 44192
* cURL: Update to version 7.40.0John Crispin2015-01-282-4/+4
| | | | | | | | | | | * Update to version 7.40.0 * remove non existing config options around enable/disable HTTPS protocoll * remove --with-ca-path if ssl support disabled * set proxy support as default like all versions before CC did Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com> SVN-Revision: 44176
* curl: 7.36.0 -> 7.38.0Hauke Mehrtens2014-09-134-63/+5
| | | | | | | | | | | | | | | | | | Main changes: - URL parser: IPv6 zone identifiers are now supported - cyassl: Use error-ssl.h when available (drop local patch) - polarssl: support CURLOPT_CAPATH / --capath - mkhelp: generate code for --disable-manual as well (drop local patch) Full release notes: http://curl.haxx.se/changes.html MIPS 34kc binary size: - 7.36.0 before: 82,539 bytes - 7.38.0 after: 83,321 bytes Signed-off-by: Catalin Patulea <cat@vv.carleton.ca> SVN-Revision: 42517
* curl: move to core packagesJo-Philipp Wich2014-06-114-0/+90
SVN-Revision: 41143
generated by cgit v1.1 at 2025-08-09 16:36:28 +0000