In native/nativesdk builds, sysconfdir refers to a recipe sysroot
directory, which will disappear once the workdir is cleaned up, breaking
libcurl's HTTPS connections.
By simply not setting --with-ca-bundle at all in non-target builds, curl
defaults to the host system's CA certificates, which is desirable anyways
to allow builds in environments that require local CA certificates.
(From OE-Core rev: 4909a46e93ba774c960c3d3c277e2a669af3fea6)
(From OE-Core rev: 0f98fecda8a0436f760e6fd9f3b7eb510e5258b8)
Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
1, A cookie is set using the secure keyword for https://target
2, curl is redirected to or otherwise made to speak with http://target
(same hostname, but using clear text HTTP) using the same cookie set
3, The same cookie name is set - but with just a slash as path (path="/").
Since this site is not secure, the cookie should just be ignored.
4, A bug in the path comparison logic makes curl read outside a heap buffer boundary
The bug either causes a crash or it potentially makes the comparison come to
the wrong conclusion and lets the clear-text site override the contents of
the secure cookie, contrary to expectations and depending on the memory contents
immediately following the single-byte allocation that holds the path.
The presumed and correct behavior would be to plainly ignore the second set of
the cookie since it was already set as secure on a secure host so overriding
it on an insecure host should not be okay.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-9086
Upstream patch:
https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6
(From OE-Core rev: b0cc7001a628deaa96d1aebb5ded52797898a0be)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
If openssl packageconfig is enabled, set CVE_STATUS as not-applicable.
This CVE is applicable only when curl built with wolfSSL support.
Reference: https://curl.se/docs/CVE-2025-5025.html
(From OE-Core rev: 8f50b0761fc4d49fae8d174956052e3ff9024a5e)
Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
* make git,curl,python3-requests align with openssl, move the setting of
envvars into respective envfile
* for environment.d-openssl.sh, also check if ca-certificates.crt exist
before export envvars
(From OE-Core rev: 5f4fd544d3df7365224599c9efdce4e545f51d5e)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When asked to use a `.netrc` file for credentials *and* to
follow HTTP redirects, curl could leak the password used
for the first host to the followed-to host under certain
circumstances.
This flaw only manifests itself if the netrc file has a
`default` entry that omits both login and password. A
rare circumstance.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-0167
Upstream patch:
https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e
(From OE-Core rev: b74dba43f2d6896245232373f2a9fdf07086a237)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE-2025-0725 can only trigger for curl when using a runtime
zlib version 1.2.0.3 or older and scarthgap supports
zlib 1.3.1 version, hence ignore cve for scarthgap
https://curl.se/docs/CVE-2025-0725.html
(From OE-Core rev: 8c3b4a604b40260e7ca9575715dd8017e17d35c0)
Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Since commit 148de08220 [ curl: Update from 8.2.1 to 8.3.0 ],
--enable-crypto-auth option was removed and split into separate options
for basic-auth, bearer-auth, digest-auth, kerberos-auth negotiate-auth,
and aws. In this commit, --enable-crypto-auth is removed from
EXTRA_OECONF, and the separate options is added into PACKAGECONFIG for
target. But not added into PACKAGECONFIG for native/nativesdk, this make
curl/git in buildtools not works well to connect basic auth https
server.
Failed commands:
git ls-remote https://xxx(input username/passwd)
curl -u name:passwd https://xxx
Error:
Authentication failed xxx
HTTP/1.1 401 Unauthorized
(From OE-Core rev: 67b98253ea70a1e2850a78bb101c934093d30937)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The musl-locales package provides this too, so we can depend without a
libc override.
(From OE-Core rev: 1cab8d06ce5df7a8d00cff8531965a84d90d265a)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c8f1d51f4eb6df6c041707d38f60549d13ddab7f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
bitbake-selftest was failing on a github url on hosts using buildtools.
The issue was tracked down to the curl upgrade 8.6.0 -> 8.7.1. Whilst there
is a fix in upstream git to workaround the issue in this version, backport
the fix from curl upstream to ensure there are no other related issues to
the bug.
(From OE-Core rev: 28ee90b07c70cafbba9149dd4dbe26cae9e214c7)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This includes 4 security fixes:
CVE-2024-2466 - TLS certificate check bypass with mbedTLS
CVE-2024-2398 - HTTP/2 push headers memory-leak
CVE-2024-2379 - QUIC certificate check bypass with wolfSSL
CVE-2024-2004 - Usage of disabled protocol
Along with many other changes, mostly bugfixes: https://curl.se/changes.html
(From OE-Core rev: 8e27b472d1bc872c6da2b22f57b30d36e231d745)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
