Currently, curl (and libcurl) is built without debug info, making the
curl-dbg package rather useless. Since debug symbols are automatically
stripped and put in that package by the build system, making sure that
curl is built with -g shouldn't hurt anything, but will help those
that try to debug a libcurl-using application and hence explicitly
include curl-dbg in their rootfs.
Unfortunately, setting --enable-debug then changes the default value
of the optimize option from (assume yes) to (assume no), while also
changing the default value of the curldebug option [which is a
separate thing that actually changes generated code to add some memory
tracking] from (assume no) to (assume yes). So explicitly pass the
appropriate options that make those two have the same value as they
used to have by default.
(From OE-Core rev: 278242619eec5f5f143d57e92b109012001f1f91)
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Specify exclusive package configs for glew and curl to make sure that
conflict package configs will NOT set at same time.
(From OE-Core rev: 8579673bdb314dbc554f40fc4c4c1db3d0bb0d63)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changes:
curl: add %{stderr} and %{stdout} for --write-out
curl: add undocumented option --dump-module-paths for win32
setopt: add CURLOPT_CURLU
For full list of changes see:
https://curl.haxx.se/changes.html
(From OE-Core rev: 2837266edbe097dcd9ff5fcdf29bb56f38bf564d)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There are both "curl" and "libcurl" CPEs in NVD.
All "curl" CVEs are now missed in the reports.
Hence, switch "CVE_PRODUCT" to a space separated list
of the items.
(From OE-Core rev: 69ff709c2450c42139fd9705e3a74464221ad754)
Signed-off-by: Grygorii Tertychnyi <gtertych@cisco.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
For some reason, the copyright part was left out of the license
information included in LIC_FILES_CHKSUM, preventing it from being
used in, e.g., documentation to satisfy the requirements of the
license.
License-Update: Include the complete license information
(From OE-Core rev: 390becd2dcf4fe791ec3715a74e34a46bd457e7a)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Now that oe-core has libidn2 we can enable it by default in target curl builds.
(From OE-Core rev: aae20d0277feb768ca290492ccfad30962bb8706)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The --libcurl command line option causes curl to generate C source
code which, when compiled and linked with libcurl, creates a binary
which behaves in the same way as curl when run with the other options
passed on the curl command line.
https://curl.haxx.se/docs/manpage.html#--libcurl
It's a development tool and not generally useful on the target,
especially if the target doesn't contain a toolchain etc.
(From OE-Core rev: a1cda48761f70b5989bb8b9c91d71c0b3a03466e)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- Add PACKAGECONFIG option for brotli (disable by default)
- Add PACKAGECONFIG option for built-in manpages (disabled by
default). Embedding a copy of the manpages within the curl binary
adds approx 60k of gzipped data and duplicates the contents of the
curl-doc package.
- Add PACKAGECONFIG option for verbose error messages (enabled by
default)
- Disable legacy NTLM http authentication via delegation to the
external winbind ntlm_auth helper (which isn't going to work
without a runtime dependency on samba).
(From OE-Core rev: 0bf3637a07228576d78cf4c71de92781ec143d7f)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since v7.51.0, libidn2 is the only available option, libidn
support was dropped.
The configure option was renamed as of v7.53.0
Therefore, curl unconditionally tries to build against libidn2,
which in particular is a problem for curl-native, as that might
or might not build against the build-machine's libidn2 now,
which furthermore causes problems when trying to share sstate
between multiple build machines.
We therefore see the following in the config log:
...
checking whether to build with libidn2... (assumed) yes
...
checking for libidn2 options with pkg-config... no
configure: IDN_LIBS: "-lidn2"
configure: IDN_LDFLAGS: ""
configure: IDN_CPPFLAGS: ""
configure: IDN_DIR: ""
checking if idn2_lookup_ul can be linked... yes
checking idn2.h usability... yes
checking idn2.h presence... yes
checking for idn2.h... yes
...
IDN support: enabled (libidn2)
...
even though this recipe tries to disable that.
While libidn2 isn't available in OE, this change at least:
* prevents curl-native to silently build against libidn2 if
that is installed on build machine, even if not requested
* alerts people who use the PACKAGECONFIG option that it's
not actually doing what they intend to do
(From OE-Core rev: 705eaea991622bdbb2ee83eefa8df8e665e3efe4)
Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
1.Upgrade curl from 7.54.1 to 7.57.0.
2.Delete CVE-2017-1000099.patch, CVE-2017-1000100.patch, CVE-2017-1000101.patch, CVE-2017-1000254.patch, reproducible-mkhelp.patch, since it is integrated upstream.
3.Remove "do_install_append()" from curl_7.57.0.bb, since curl/curlbuild.h has been removed.
(From OE-Core rev: 215d5677004537fc190b5381157ac8b94db6d7e8)
Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Improve reproducible build of curl-dev and curl-dbg packages.
curl-dev: Correctly remove build host references from curl-config
curl-dbg: Do not generate time stamps in files generated by mkhelp.pl
(From OE-Core rev: 6bc323ac9315712e75a0282cddb292bc84afc6f1)
Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This build time option is needed to use the '--dns-interface' runtime
parameter to instruct 'curl' to use a specific interface for DNS
resolution.
Not enabled by default, as it depends on 'c-ares' package from
meta-openembedded (meta-networking).
(From OE-Core rev: 4fe0aa3791db0ee6c85e7a068f69def6e7c0da46)
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
With default --without-nghttp2 flag set there was no way to get
http2 protocol support using nghttp2 library. Instead moved it to
PACKAGECONFIG options
(From OE-Core rev: bcc8560300c8b1218b1f3709f5a7732e17fbfa46)
Signed-off-by: baali <shantanu@senic.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Multi-threaded applications using libcurl crash
on DNS timeouts when built using OE.
The reason is as follows:
By default, libcurl implements DNS timeouts using a
timer (alarm()) and a pair of setjmp()/longjmp().
This approach is unsafe in multi-threaded applications
for various reasons, as e.g. explained in the relevant
man-pages.
To avoid this, libcurl can be compiled with a built-in
threaded resolver, or against the c-ares asynchronous
resolver library.
To keep extra dependencies to a minimum, and to mimic
other distributions (debian at least), and because
c-ares is not available in OE-core, add a PACKAGECONFIG
to be able to enable use of of the built-in threaded
resolver and enable it by default.
(From OE-Core rev: 41f1e44fce976c4140cda62a41349e91e69d04ef)
Signed-off-by: André Draszik <adraszik@tycoint.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE fixed in 7.51.0:
CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host
To see complete log access link bellow:
https://curl.haxx.se/changes.html#7_51_0
(From OE-Core rev: 0154ff997db8021f93e6ffe8f7a0627d7a1d9b89)
Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
