libcurl: security bump to version 7.39.0

Fixes:
CVE-2014-3707 - libcurl's function curl_easy_duphandle() has a bug that
can lead to libcurl eventually sending off sensitive data that was not
intended for sending.

Removed patch that was upstream and now in the release.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Reviewed-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Tested-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

diff --git a/package/libcurl/libcurl-0001-fixtimeout.patch b/package/libcurl/libcurl-0001-fixtimeout.patch
deleted file mode 100644 (file)
index f897ca4..0000000
--- a/package/libcurl/libcurl-0001-fixtimeout.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-This fixes a timeout problem with xbmc.
-
-Backported from upstream:
-https://github.com/bagder/curl/commit/d9762a7cdb35e70f8cb0bf1c2f8019e8391616e1
-
-Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
-
-
-From d9762a7cdb35e70f8cb0bf1c2f8019e8391616e1 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Tue, 23 Sep 2014 11:44:03 +0200
-Subject: [PATCH] threaded-resolver: revert Curl_expire_latest() switch
-
-The switch to using Curl_expire_latest() in commit cacdc27f52b was a
-mistake and was against the advice even mentioned in that commit. The
-comparison in asyn-thread.c:Curl_resolver_is_resolved() makes
-Curl_expire() the suitable function to use.
-
-Bug: http://curl.haxx.se/bug/view.cgi?id=1426
-Reported-By: graysky
----
- lib/asyn-thread.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c
-index e4ad32b..6cdc9ad 100644
---- a/lib/asyn-thread.c
-+++ b/lib/asyn-thread.c
-@@ -541,7 +541,7 @@ CURLcode Curl_resolver_is_resolved(struct connectdata *conn,
-       td->poll_interval = 250;
- 
-     td->interval_end = elapsed + td->poll_interval;
--    Curl_expire_latest(conn->data, td->poll_interval);
-+    Curl_expire(conn->data, td->poll_interval);
-   }
- 
-   return CURLE_OK;

diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash
index 7eded039581cc78689df6b93fe7f7249fdf68bfd..4c3b8acd62074992c10a614862b65ce3cadadf54 100644 (file)
--- a/package/libcurl/libcurl.hash
+++ b/package/libcurl/libcurl.hash
@@ -1,2 +1,2 @@
 # Locally calculated after checking pgp signature
-sha256 035bd41e99aa1a4e64713f4cea5ccdf366ca8199e9be1b53d5a043d5165f9eba        curl-7.38.0.tar.bz2
+sha256 b222566e7087cd9701b301dd6634b360ae118cc1cbc7697e534dc451102ea4e0        curl-7.39.0.tar.bz2

diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index 4af73b12db445a84e5e16322b6f2c87dd74ba127..62ea5fb8733ee7f3e494c9ec31f7053ac1e9a1f0 100644 (file)
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBCURL_VERSION = 7.38.0
+LIBCURL_VERSION = 7.39.0
 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.bz2
 LIBCURL_SITE = http://curl.haxx.se/download
 LIBCURL_DEPENDENCIES = host-pkgconf \