Message ID | 20240728075247.4724-1-bernd@kuhls.net |
---|---|
State | Accepted |
Headers | show |
Series | [1/1] package/libcurl: security bump to version 8.9.0 | expand |
Hi Bernd, Thanks for the update. On Sun, Jul 28 2024, Bernd Kuhls wrote: > Removed patch which is included in this release. > > Changelog: https://curl.se/changes.html#8_9_0 > > Fixes > CVE-2024-6197: https://curl.se/docs/CVE-2024-6197.html According to the advisory the issue was introduced in version 8.6.0. Both stable branches 2024.02.x and 2024.05.x are affected. baruch > CVE-2024-6874 (Apple-only): https://curl.se/docs/CVE-2024-6874.html > > Signed-off-by: Bernd Kuhls <bernd@kuhls.net> > --- > ...-mbedtls-check-version-for-cipher-id.patch | 56 ------------------- > package/libcurl/libcurl.hash | 4 +- > package/libcurl/libcurl.mk | 2 +- > 3 files changed, 3 insertions(+), 59 deletions(-) > delete mode 100644 package/libcurl/0001-mbedtls-check-version-for-cipher-id.patch > > diff --git a/package/libcurl/0001-mbedtls-check-version-for-cipher-id.patch > b/package/libcurl/0001-mbedtls-check-version-for-cipher-id.patch > deleted file mode 100644 > index b7d674acfe..0000000000 > --- a/package/libcurl/0001-mbedtls-check-version-for-cipher-id.patch > +++ /dev/null > @@ -1,56 +0,0 @@ > -From 0c4b4c1e93c8e869af230090f32346fdfd548f21 Mon Sep 17 00:00:00 2001 > -From: Stefan Eissing <stefan@eissing.org> > -Date: Wed, 22 May 2024 14:44:56 +0200 > -Subject: [PATCH] mbedtls: check version for cipher id > - > -mbedtls_ssl_get_ciphersuite_id_from_ssl() seems to have been added in > -mbedtls 3.2.0. Check for that version. > - > -Closes #13749 > - > -Signed-off-by: Baruch Siach <baruch@tkos.co.il> > -Upstream: https://github.com/curl/curl/commit/0c4b4c1e93c8e869af230090f32346fdfd548f21 > ---- > - lib/vtls/mbedtls.c | 19 ++++++++++++------- > - 1 file changed, 12 insertions(+), 7 deletions(-) > - > -diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c > -index ec0b10dd9a9f..98a4ea01b183 100644 > ---- a/lib/vtls/mbedtls.c > -+++ b/lib/vtls/mbedtls.c > -@@ -902,8 +902,6 @@ mbed_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data) > - (struct mbed_ssl_backend_data *)connssl->backend; > - struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); > - const mbedtls_x509_crt *peercert; > -- char cipher_str[64]; > -- uint16_t cipher_id; > - #ifndef CURL_DISABLE_PROXY > - const char * const pinnedpubkey = Curl_ssl_cf_is_proxy(cf)? > - data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]: > -@@ -932,11 +930,18 @@ mbed_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data) > - return CURLE_SSL_CONNECT_ERROR; > - } > - > -- cipher_id = (uint16_t) > -- mbedtls_ssl_get_ciphersuite_id_from_ssl(&backend->ssl); > -- mbed_cipher_suite_get_str(cipher_id, cipher_str, sizeof(cipher_str), true); > -- infof(data, "mbedTLS: Handshake complete, cipher is %s", cipher_str); > -- > -+#if MBEDTLS_VERSION_NUMBER >= 0x03020000 > -+ { > -+ char cipher_str[64]; > -+ uint16_t cipher_id; > -+ cipher_id = (uint16_t) > -+ mbedtls_ssl_get_ciphersuite_id_from_ssl(&backend->ssl); > -+ mbed_cipher_suite_get_str(cipher_id, cipher_str, sizeof(cipher_str), true); > -+ infof(data, "mbedTLS: Handshake complete, cipher is %s", cipher_str); > -+ } > -+#else > -+ infof(data, "mbedTLS: Handshake complete"); > -+#endif > - ret = mbedtls_ssl_get_verify_result(&backend->ssl); > - > - if(!conn_config->verifyhost) > --- > -2.43.0 > - > diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash > index 7ba45b79d7..fa325efd7d 100644 > --- a/package/libcurl/libcurl.hash > +++ b/package/libcurl/libcurl.hash > @@ -1,5 +1,5 @@ > # Locally calculated after checking pgp signature > -# https://curl.se/download/curl-8.8.0.tar.xz.asc > +# https://curl.se/download/curl-8.9.0.tar.xz.asc > # signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2 > -sha256 0f58bb95fc330c8a46eeb3df5701b0d90c9d9bfcc42bd1cd08791d12551d4400 curl-8.8.0.tar.xz > +sha256 ff09b2791ca56d25fd5c3f3a4927dce7c8a9dc4182200c487ca889fba1fdd412 curl-8.9.0.tar.xz > sha256 adb1fc06547fd136244179809f7b7c2d2ae6c4534f160aa513af9b6a12866a32 COPYING > diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk > index 172dd22071..966885aeda 100644 > --- a/package/libcurl/libcurl.mk > +++ b/package/libcurl/libcurl.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -LIBCURL_VERSION = 8.8.0 > +LIBCURL_VERSION = 8.9.0 > LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz > LIBCURL_SITE = https://curl.se/download > LIBCURL_DEPENDENCIES = host-pkgconf \
On Sun, 28 Jul 2024 09:52:47 +0200 Bernd Kuhls <bernd@kuhls.net> wrote: > Removed patch which is included in this release. > > Changelog: https://curl.se/changes.html#8_9_0 > > Fixes > CVE-2024-6197: https://curl.se/docs/CVE-2024-6197.html > CVE-2024-6874 (Apple-only): https://curl.se/docs/CVE-2024-6874.html > > Signed-off-by: Bernd Kuhls <bernd@kuhls.net> > --- > ...-mbedtls-check-version-for-cipher-id.patch | 56 ------------------- > package/libcurl/libcurl.hash | 4 +- > package/libcurl/libcurl.mk | 2 +- > 3 files changed, 3 insertions(+), 59 deletions(-) > delete mode 100644 package/libcurl/0001-mbedtls-check-version-for-cipher-id.patch Applied to master, thanks. Thomas
>>>>> "Baruch" == Baruch Siach via buildroot <buildroot@buildroot.org> writes: > Hi Bernd, > Thanks for the update. > On Sun, Jul 28 2024, Bernd Kuhls wrote: >> Removed patch which is included in this release. >> >> Changelog: https://curl.se/changes.html#8_9_0 >> >> Fixes >> CVE-2024-6197: https://curl.se/docs/CVE-2024-6197.html > According to the advisory the issue was introduced in version > 8.6.0. Both stable branches 2024.02.x and 2024.05.x are affected. Thanks for the heads up. Committed to 2024.02.x and 2024.05.x, thanks.
diff --git a/package/libcurl/0001-mbedtls-check-version-for-cipher-id.patch b/package/libcurl/0001-mbedtls-check-version-for-cipher-id.patch deleted file mode 100644 index b7d674acfe..0000000000 --- a/package/libcurl/0001-mbedtls-check-version-for-cipher-id.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 0c4b4c1e93c8e869af230090f32346fdfd548f21 Mon Sep 17 00:00:00 2001 -From: Stefan Eissing <stefan@eissing.org> -Date: Wed, 22 May 2024 14:44:56 +0200 -Subject: [PATCH] mbedtls: check version for cipher id - -mbedtls_ssl_get_ciphersuite_id_from_ssl() seems to have been added in -mbedtls 3.2.0. Check for that version. - -Closes #13749 - -Signed-off-by: Baruch Siach <baruch@tkos.co.il> -Upstream: https://github.com/curl/curl/commit/0c4b4c1e93c8e869af230090f32346fdfd548f21 ---- - lib/vtls/mbedtls.c | 19 ++++++++++++------- - 1 file changed, 12 insertions(+), 7 deletions(-) - -diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c -index ec0b10dd9a9f..98a4ea01b183 100644 ---- a/lib/vtls/mbedtls.c -+++ b/lib/vtls/mbedtls.c -@@ -902,8 +902,6 @@ mbed_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data) - (struct mbed_ssl_backend_data *)connssl->backend; - struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); - const mbedtls_x509_crt *peercert; -- char cipher_str[64]; -- uint16_t cipher_id; - #ifndef CURL_DISABLE_PROXY - const char * const pinnedpubkey = Curl_ssl_cf_is_proxy(cf)? - data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]: -@@ -932,11 +930,18 @@ mbed_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data) - return CURLE_SSL_CONNECT_ERROR; - } - -- cipher_id = (uint16_t) -- mbedtls_ssl_get_ciphersuite_id_from_ssl(&backend->ssl); -- mbed_cipher_suite_get_str(cipher_id, cipher_str, sizeof(cipher_str), true); -- infof(data, "mbedTLS: Handshake complete, cipher is %s", cipher_str); -- -+#if MBEDTLS_VERSION_NUMBER >= 0x03020000 -+ { -+ char cipher_str[64]; -+ uint16_t cipher_id; -+ cipher_id = (uint16_t) -+ mbedtls_ssl_get_ciphersuite_id_from_ssl(&backend->ssl); -+ mbed_cipher_suite_get_str(cipher_id, cipher_str, sizeof(cipher_str), true); -+ infof(data, "mbedTLS: Handshake complete, cipher is %s", cipher_str); -+ } -+#else -+ infof(data, "mbedTLS: Handshake complete"); -+#endif - ret = mbedtls_ssl_get_verify_result(&backend->ssl); - - if(!conn_config->verifyhost) --- -2.43.0 - diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash index 7ba45b79d7..fa325efd7d 100644 --- a/package/libcurl/libcurl.hash +++ b/package/libcurl/libcurl.hash @@ -1,5 +1,5 @@ # Locally calculated after checking pgp signature -# https://curl.se/download/curl-8.8.0.tar.xz.asc +# https://curl.se/download/curl-8.9.0.tar.xz.asc # signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2 -sha256 0f58bb95fc330c8a46eeb3df5701b0d90c9d9bfcc42bd1cd08791d12551d4400 curl-8.8.0.tar.xz +sha256 ff09b2791ca56d25fd5c3f3a4927dce7c8a9dc4182200c487ca889fba1fdd412 curl-8.9.0.tar.xz sha256 adb1fc06547fd136244179809f7b7c2d2ae6c4534f160aa513af9b6a12866a32 COPYING diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk index 172dd22071..966885aeda 100644 --- a/package/libcurl/libcurl.mk +++ b/package/libcurl/libcurl.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBCURL_VERSION = 8.8.0 +LIBCURL_VERSION = 8.9.0 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz LIBCURL_SITE = https://curl.se/download LIBCURL_DEPENDENCIES = host-pkgconf \
Removed patch which is included in this release. Changelog: https://curl.se/changes.html#8_9_0 Fixes CVE-2024-6197: https://curl.se/docs/CVE-2024-6197.html CVE-2024-6874 (Apple-only): https://curl.se/docs/CVE-2024-6874.html Signed-off-by: Bernd Kuhls <bernd@kuhls.net> --- ...-mbedtls-check-version-for-cipher-id.patch | 56 ------------------- package/libcurl/libcurl.hash | 4 +- package/libcurl/libcurl.mk | 2 +- 3 files changed, 3 insertions(+), 59 deletions(-) delete mode 100644 package/libcurl/0001-mbedtls-check-version-for-cipher-id.patch