third_party: update libcurl from 8.5.0 to 8.7.1 #9885

Draft
wants to merge 4 commits into
base: master

Commits on May 21, 2024

  1. third_party: update libcurl from 8.5.0+patch to 8.6.0

    The patch updates curl module to the version 8.6.0 [1][2] that
    brings a number of functional fixes, and updates CMake module for
    building curl library.
    
    Changes in CMake module:
    
    - Option `ENABLE_CURL_MANUAL` was added and disabled by default [3]
    - Option `BUILD_LIBCURL_DOCS` was added and disabled by default [3]
    
    The patch follows up commit 9bdf2ba ("httpc: fix reading data
    in a chunked request") where curl submodule was updated to
    a version based on 8.5.0 release with applied patch with fix [4].
    
    The Changelog entry has been removed because duplicate entries
    about bumps confuse end users.
    
    This bump was blocked by a regression in libcurl [5].
    
    1. https://curl.se/changes.html#8_6_0
    2. curl/curl@curl-8_5_0...curl-8_6_0
    3. curl/curl@a808aab
    4. curl/curl@cdd905a
    5. curl/curl@b8c0038
    
    NO_DOC=libcurl submodule bump
    NO_TEST=libcurl submodule bump
    ligurio committed May 21, 2024
    a4772d9
  2. third_party: update libcurl from 8.6.0 to 8.7.1

    The patch updates curl module to the version 8.7.1 [1][2] that
    brings a number of functional and security fixes, and updates
    CMake module for building curl library.
    
    Security fixes:
    
    - CVE-2024-2004: Usage of disabled protocol. (low)
    - CVE-2024-2398: HTTP/2 push headers memory-leak. (medium)
    - CVE-2024-2379: QUIC certificate check bypass with wolfSSL. (low)
    - CVE-2024-2466: TLS certificate check bypass with mbedTLS. (medium)
    
    Changes in CMake module:
    
    - Option `USE_OPENSSL_QUIC` was added and disabled by default [3]
    
    Changelog entry has been removed because duplicate entries about
    bumps confuse end users.
    
    The bump was blocked by a regression in libcurl [4][5].
    
    Closes #9612
    
    1. https://curl.se/changes.html#8_7_1
    2. curl/curl@curl-8_6_0...curl-8_7_1
    3. curl/curl@8e74164
    4. https://curl.se/mail/lib-2024-03/0059.html
    5. curl/curl#13260
    
    NO_DOC=libcurl submodule bump
    NO_CHANGELOG=libcurl submodule bump
    NO_TEST=libcurl submodule bump
    ligurio committed May 21, 2024
    3c42360
  3. third_party: bump curl [WIP]

    [001] #4  0x65481f151c11 in luaT_httpc_io_cleanup+33
    [001] #5  0x65481f19ee63 in lj_BC_FUNCC+70
    [001] #6  0x65481f1aa5d5 in gc_call_finalizer+133
    [001] #7  0x65481f1ab1e3 in gc_onestep+211
    [001] #8  0x65481f1aba68 in lj_gc_fullgc+120
    [001] #9  0x65481f1a5fb5 in lua_gc+149
    [001] #10 0x65481f1b57cf in lj_cf_collectgarbage+127
    [001] #11 0x65481f19ee63 in lj_BC_FUNCC+70
    [001] #12 0x65481f1a5c15 in lua_pcall+117
    [001] #13 0x65481f14559f in luaT_call+15
    [001] #14 0x65481f13c7e1 in lua_main+97
    [001] #15 0x65481f13d000 in run_script_f+2032
    
    NO_CHANGELOG=internal
    NO_DOC=internal
    NO_TEST=internal
    ligurio committed May 21, 2024
    88f6ed4
  4. third_party/curl: rollback to last known good commit

    curl/curl@cfc65fd
    
    NO_CHANGELOG=internal
    NO_DOC=internal
    NO_TEST=internal
    ligurio committed May 21, 2024
    b4d5862