From d88c79090add53947dc3290fb61d51f2b630301c Mon Sep 17 00:00:00 2001
From: Baruch Siach
Date: Thu, 10 Aug 2017 20:35:45 +0300
Subject: [PATCH] libcurl: security bump to version 7.55.0
Fixes:
glob: do not parse after a strtoul() overflow range (CVE-2017-1000101)
tftp: reject file name lengths that don't fit (CVE-2017-1000100)
file: output the correct buffer to the user (CVE-2017-1000099)
Switch to .tar.xz to save bandwidth. Add reference to tarball signature.
Signed-off-by: Baruch Siach
Signed-off-by: Arnout Vandecappelle (Essensium/Mind)
---
 package/libcurl/libcurl.hash | 3 ++-
 package/libcurl/libcurl.mk | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash
index 1b8d80fc96..6d49b67428 100644
--- a/package/libcurl/libcurl.hash
+++ b/package/libcurl/libcurl.hash
@@ -1,2 +1,3 @@
 # Locally calculated after checking pgp signature
-sha256 fdfc4df2d001ee0c44ec071186e770046249263c491fcae48df0e1a3ca8f25a0 curl-7.54.1.tar.bz2
+# https://curl.haxx.se/download/curl-7.55.0.tar.xz.asc
+sha256 cdd58522f8607fd4e871df79d73acb3155075e2134641e5adab12a0962df059d curl-7.55.0.tar.xz
diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index 684844919e..dd0ccbfa46 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-LIBCURL_VERSION = 7.54.1
-LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.bz2
+LIBCURL_VERSION = 7.55.0
+LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz
 LIBCURL_SITE = https://curl.haxx.se/download
 LIBCURL_DEPENDENCIES = host-pkgconf \
 $(if $(BR2_PACKAGE_ZLIB),zlib) \
--
2.30.2
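Review bot: The added `# https://curl.haxx.se/download/curl-7.55.0.tar.xz.asc` line in libcurl.hash names the detached signature but not the key it was checked against, so "after checking pgp signature" cannot be reproduced by whoever bumps the package next. I would record the signer's fingerprint beside the URL, for example `# signed with key <SIGNING-KEY-FINGERPRINT>` (a placeholder; the fingerprint does not appear in this patch). The .asc is served from the same host as the tarball (LIBCURL_SITE in libcurl.mk), so it only adds assurance if the key itself was obtained and trusted through an independent channel. The sha256 line remains the only thing the build enforces, so the comment is the sole record of that provenance check.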