libcurl: security bump to version 7.40.0

Fixes:
CVE-2014-8150 - When libcurl sends a request to a server via a HTTP
proxy, it copies the entire URL into the request and sends if off.
If the given URL contains line feeds and carriage returns those will be
sent along to the proxy too, which allows the program to for example
send a separate HTTP request injected embedded in the URL.

CVE-2014-8151 - libcurl stores TLS Session IDs in its associated Session
ID cache when it connects to TLS servers. In subsequent connects it
re-uses the entry in the cache to resume the TLS connection faster than
when doing a full TLS handshake. The actual implementation for the
Session ID caching varies depending on the underlying TLS backend.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash
index 4c3b8acd62074992c10a614862b65ce3cadadf54..546ad3a6a3bb0f29dcc032d0154c68dba3662fc3 100644 (file)
--- a/package/libcurl/libcurl.hash
+++ b/package/libcurl/libcurl.hash
@@ -1,2 +1,2 @@
 # Locally calculated after checking pgp signature
-sha256 b222566e7087cd9701b301dd6634b360ae118cc1cbc7697e534dc451102ea4e0        curl-7.39.0.tar.bz2
+sha256 899109eb3900fa6b8a2f995df7f449964292776a04763e94fae640700f883fba        curl-7.40.0.tar.bz2

diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index 62ea5fb8733ee7f3e494c9ec31f7053ac1e9a1f0..db5fdb76d3b7ae26ca3506a0ab00cd9be3099bbb 100644 (file)
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBCURL_VERSION = 7.39.0
+LIBCURL_VERSION = 7.40.0
 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.bz2
 LIBCURL_SITE = http://curl.haxx.se/download
 LIBCURL_DEPENDENCIES = host-pkgconf \