
third_party: update libcurl from 8.5.0 to 8.7.1 #9885

Draft: wants to merge 2 commits into master

Conversation

ligurio (Member) commented Mar 28, 2024

The patch updates the curl module to version 8.7.1 [1][2], which
brings a number of functional and security fixes, and updates the
CMake module for building the curl library.

Security fixes:

- CVE-2024-2004: Usage of disabled protocol. (low)
- CVE-2024-2398: HTTP/2 push headers memory-leak. (medium)
- CVE-2024-2379: QUIC certificate check bypass with wolfSSL. (low)
- CVE-2024-2466: TLS certificate check bypass with mbedTLS. (medium)

Changes in CMake module:

- Option `USE_OPENSSL_QUIC` was added and disabled by default [3]

The changelog entry has been removed because duplicate entries about
bumps confuse end users.

1. https://curl.se/changes.html#8_7_1
2. https://github.com/curl/curl/compare/curl-8_6_0...curl-8_7_1
3. https://github.com/curl/curl/commit/8e741644a229c3791963b4f5cae1dcfccba842dd

third_party: update libcurl from 8.5.0+patch to 8.6.0

The patch updates the curl module to version 8.6.0 [1][2], which brings a
number of functional fixes, and updates the CMake module for building the
curl library.

Changes in CMake module:

- Option `ENABLE_CURL_MANUAL` was added and disabled by default [3]
- Option `BUILD_LIBCURL_DOCS` was added and disabled by default [3]

The patch follows up commit 9bdf2bab97d4 ("httpc: fix reading data in a
chunked request"), where the curl submodule was updated to a version based
on the 8.5.0 release with the fix [5] applied.

The changelog entry has been removed because duplicate entries about bumps
confuse end users.

1. https://curl.se/changes.html#8_6_0
2. https://github.com/curl/curl/compare/curl-8_5_0...curl-8_6_0
3. https://github.com/curl/curl/commit/a808aab06851d4364ab1773c664df3d906a497a9
5. https://github.com/curl/curl/commit/cdd905a9854305657ebbe645095e1189dcda28c7

The patch updates the curl module to version 8.6.0 [1][2], which brings a
number of functional fixes, and updates the CMake module for building the
curl library.

Changes in CMake module:

- Option `ENABLE_CURL_MANUAL` was added and disabled by default [3]
- Option `BUILD_LIBCURL_DOCS` was added and disabled by default [3]

The patch follows up commit 9bdf2ba ("httpc: fix reading data in a
chunked request"), where the curl submodule was updated to a version based
on the 8.5.0 release with the fix [5] applied.

The changelog entry has been removed because duplicate entries about bumps
confuse end users.

1. https://curl.se/changes.html#8_6_0
2. curl/curl@curl-8_5_0...curl-8_6_0
3. curl/curl@a808aab
5. curl/curl@cdd905a

NO_DOC=libcurl submodule bump
NO_TEST=libcurl submodule bump

The patch updates the curl module to version 8.7.1 [1][2], which
brings a number of functional and security fixes, and updates the
CMake module for building the curl library.

Security fixes:

- CVE-2024-2004: Usage of disabled protocol. (low)
- CVE-2024-2398: HTTP/2 push headers memory-leak. (medium)
- CVE-2024-2379: QUIC certificate check bypass with wolfSSL. (low)
- CVE-2024-2466: TLS certificate check bypass with mbedTLS. (medium)

Changes in CMake module:

- Option `USE_OPENSSL_QUIC` was added and disabled by default [3]

The changelog entry has been removed because duplicate entries about
bumps confuse end users.

1. https://curl.se/changes.html#8_7_1
2. curl/curl@curl-8_6_0...curl-8_7_1
3. curl/curl@8e74164

NO_DOC=libcurl submodule bump
NO_CHANGELOG=libcurl submodule bump
NO_TEST=libcurl submodule bump
@ligurio ligurio requested a review from a team as a code owner March 28, 2024 10:32
@ligurio ligurio added the full-ci Enables all tests for a pull request label Mar 28, 2024
@coveralls commented (Coverage Status): coverage: 87.012% (-0.03%) from 87.037% when pulling 7275216 on ligurio/bump-curl-8.6.0 into ff7d8f0 on master.

@ligurio ligurio marked this pull request as draft March 29, 2024 16:09