Commit Graph

3067 Commits

Author SHA1 Message Date
Wang Mingyu
77847ecd60 fribidi: upgrade 1.0.12 -> 1.0.13
Changelog:
* Adding missing man pages to the tar release file.

(From OE-Core rev: 7e4915c4be7dca35a63a912a55bcfa525a532e22)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 0f6da8601fd4d992550e8afe7b09ba7c491250fd)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-07-01 08:37:24 -10:00
Hitendra Prajapati
214b973fbd libcap: CVE-2023-2602 Memory Leak on pthread_create() Error
Upstream-Status: Backport from https://git.kernel.org/pub/scm/libs/libcap/libcap.git/patch/?id=bc6b36682f188020ee4770fae1d41bde5b2c97bb

(From OE-Core rev: 7e4f3c51c0bac772bf56f69a3c065b2b2d095335)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-07-01 08:37:24 -10:00
Wang Mingyu
d3153b2847 iso-codes: upgrade 4.13.0 -> 4.15.0
Changelog:
==========
- Translation updates for ISO 3166-1
- Translation updates for ISO 3166-3
- Translation updates for ISO 639-2
- Translation updates for ISO 3166-1
- Translation updates for ISO 3166-2
- Translation updates for ISO 3166-3
- Translation updates for ISO 639-2
- Translation updates for ISO 639-3
- Translation updates for ISO 639-5
- Translation updates for ISO 4217
- Translation updates for ISO 15924
* ISO 3166-2: Fix wrong Spanish translation

(From OE-Core rev: 86e8e31a413fdbb8ffa825c41d0fe83c292a6b76)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 355f2f9fe8a1e6c5e78f136cb3ed77c9004fb75c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit b189240b211e5d8f40747a0128834ed83c38a8f4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-06-23 04:16:40 -10:00
Randy MacLeod
7412714f7d vim: upgrade 9.0.1429 -> 9.0.1527
Fixes: https://nvd.nist.gov/vuln/detail/CVE-2023-2426
caf642c25 patch 9.0.1499: using uninitialized memory with fuzzy matching

(From OE-Core rev: 035b5d918eea3f3bb238fecd795f09505801971b)

Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 4f9a8df5aca99d0a5c2d2346b27ce7be08e7896c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-06-21 04:00:58 -10:00
Omkar Patil
f83291a946 curl: Correction for CVE-2023-27536
Correction of backport link inside the patch with correct commit link as
below
Link: cb49e67303

(From OE-Core rev: 4691bc257d0bf2372e31535f0b90cf49ef0ed0d8)

Signed-off-by: Sourav Kumar Pramanik <pramanik.souravkumar@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-06-14 04:16:59 -10:00
Bhabu Bindu
b6c3cba355 curl: Fix CVE-2023-28322
Add patches to fix CVE-2023-28322

more POST-after-PUT confusion

When doing HTTP(S) transfers, libcurl might erroneously use the read
callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when
the `CURLOPT_POSTFIELDS` option has been set, if the same handle
previously was used to issue a `PUT` request which used that callback.

This flaw may surprise the application and cause it to misbehave and
either send off the wrong data or use memory after free or similar in
the second transfer. The problem exists in the logic for a reused
handle when it is (expected to be) changed from a PUT to a POST.

CVE-2023-28322-1.patch is a supporting patch to resolve hunk
error in the actual patch file : CVE-2023-28322-2.patch

Link: https://curl.se/docs/CVE-2023-28322.html

(From OE-Core rev: 9ef793eca87ac568d9c22067aa854a50837cf92f)

Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-06-01 16:24:07 -10:00
Bhabu Bindu
011b8b4758 curl: Fix CVE-2023-28321
Add patch to fix CVE-2023-28321

IDN wildcard match

curl supports matching of wildcard patterns when listed as
"Subject Alternative Name" in TLS server certificates. curl can be
built to use its own name matching function for TLS rather than one
provided by a TLS library. This private wildcard matching function
would match IDN (International Domain Name) hosts incorrectly and
could as a result accept patterns that otherwise should mismatch.

IDN hostnames are converted to puny code before used for certificate
checks. Puny coded names always start with `xn--` and should not be
allowed to pattern match, but the wildcard check in curl could still
check for `x*`, which would match even though the IDN name most likely
contained nothing even resembling an `x`.

Link: https://curl.se/docs/CVE-2023-28321.html

(From OE-Core rev: 75d8593ab3b090266fd2cde27ddc56ad88de7ac7)

Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-06-01 16:24:07 -10:00
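The two rules the advisory above describes, a wildcard that may only stand for one whole left-most label and a refusal to wildcard-match punycode (`xn--`) labels, as an added example. This is illustrative code written for this page, not curl's matcher; the function name `hostmatch` and the exact rule set (single `*` as the entire first label, at least two labels after it, case-insensitive comparison) are assumptions in the spirit of RFC 6125 rather than a transcription of any library.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive equality of two NUL-terminated strings. */
static bool ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* True if s starts with prefix, ignoring case. */
static bool ci_has_prefix(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (!*s || tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;
    return true;
}

/*
 * Match a SAN dNSName pattern against a hostname (example rules, assumed):
 *  - no '*'          : exact, case-insensitive match;
 *  - "*.rest"        : the '*' must be the whole first label and the only
 *                      '*'; partial forms such as "x*.example.com" are
 *                      rejected, so a punycode label can never be matched
 *                      by a prefix wildcard;
 *  - "*.tld"         : rejected, at least two labels must follow the '*';
 *  - host "xn--..."  : an A-label is never eligible for wildcard matching,
 *                      because the encoded Unicode bears no relation to the
 *                      ASCII the pattern was written in.
 */
bool hostmatch(const char *host, const char *pattern)
{
    const char *star = strchr(pattern, '*');
    const char *pattern_rest;
    const char *host_rest;

    if (!star)
        return ci_equal(host, pattern);

    /* Exactly one '*', it must be the entire first label: "*.rest". */
    if (star != pattern || star[1] != '.' || strchr(star + 1, '*'))
        return false;

    pattern_rest = star + 1;                  /* ".example.com" */
    if (!strchr(pattern_rest + 1, '.'))       /* refuse "*.com" */
        return false;

    /* Refuse to wildcard-match an IDN A-label in the host. */
    if (ci_has_prefix(host, "xn--"))
        return false;

    host_rest = strchr(host, '.');
    if (!host_rest || host_rest == host)      /* need a non-empty first label */
        return false;

    /* The '*' covers exactly one label; everything after must match. */
    return ci_equal(host_rest, pattern_rest);
}
```

The IDN refusal is placed before the suffix comparison on purpose: the A-label check must win regardless of how the rest of the name lines up, which is the property the advisory says the private matcher lacked.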
Bhabu Bindu
d68f782872 curl: Fix CVE-2023-28320
Add patch to fix CVE-2023-28320

siglongjmp race condition

libcurl provides several different backends for resolving host names,
selected at build time. If it is built to use the synchronous resolver,
it allows name resolves to time-out slow operations using `alarm()` and
`siglongjmp()`.

When doing this, libcurl used a global buffer that was not mutex
protected and a multi-threaded application might therefore
crash or otherwise misbehave.

Link: https://curl.se/docs/CVE-2023-28320.html

(From OE-Core rev: c761d822be5ffc4a88600fbd7282c469b1e9902a)

Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-06-01 16:24:07 -10:00
Bhabu Bindu
8f3b0b8e9b curl: Fix CVE-2023-28319
Add patch to fix CVE-2023-28319

UAF in SSH sha256 fingerprint check

libcurl offers a feature to verify an SSH server's public key using
a SHA 256 hash. When this check fails, libcurl would free the memory
for the fingerprint before it returns an error message containing the
(now freed) hash.

This flaw risks inserting sensitive heap-based data into the error
message that might be shown to users or otherwise get
leaked and revealed.

Link: https://curl.se/docs/CVE-2023-28319.html

(From OE-Core rev: f7d6751828683ac2adbf140e77dbf7454cfa8eb1)

Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-06-01 16:24:07 -10:00
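The ordering defect described above, "free the fingerprint, then build an error message from it", with the corrected order, as an added example. This is not libcurl's code: the function `check_hostkey_sha256`, the hex encoding (used instead of base64 only to keep the block self-contained) and the message wording are all assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SHA256_LEN 32

/* Hex-encode a digest into a freshly malloc'd NUL-terminated string. */
static char *hex_encode(const unsigned char *digest, size_t len)
{
    static const char hexdigits[] = "0123456789abcdef";
    char *s = malloc(len * 2 + 1);
    if (!s)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        s[2 * i]     = hexdigits[digest[i] >> 4];
        s[2 * i + 1] = hexdigits[digest[i] & 0x0F];
    }
    s[len * 2] = '\0';
    return s;
}

/*
 * Compare the server host-key digest with the fingerprint the application
 * pinned. Returns 0 on match; on mismatch or allocation failure returns -1
 * and writes a diagnostic into errbuf.
 *
 * The vulnerable shape the advisory describes is, in outline:
 *     free(fp);
 *     snprintf(errbuf, n, "... %s ...", fp);   // fp is already freed here
 * The fix is to keep the buffer alive until the message has been formatted.
 */
int check_hostkey_sha256(const unsigned char digest[SHA256_LEN],
                         const char *expected_hex,
                         char *errbuf, size_t errbuf_len)
{
    char *fp = hex_encode(digest, SHA256_LEN);
    int rc;

    if (!fp) {
        snprintf(errbuf, errbuf_len, "out of memory encoding host key digest");
        return -1;
    }

    if (strcmp(fp, expected_hex) == 0) {
        errbuf[0] = '\0';
        rc = 0;
    } else {
        /* Format while fp is still valid. */
        snprintf(errbuf, errbuf_len,
                 "host key mismatch: got sha256 %s, expected %s",
                 fp, expected_hex);
        rc = -1;
    }

    free(fp);   /* only after the last use of fp */
    return rc;
}

/* Constructed self-check: a pinned digest that matches, then one that does
 * not; returns 1 when the diagnostic correctly names the observed value. */
int hostkey_demo(void)
{
    unsigned char digest[SHA256_LEN];
    char good[SHA256_LEN * 2 + 1];
    char err[160];

    memset(digest, 0xab, sizeof(digest));
    for (size_t i = 0; i < SHA256_LEN; i++) {
        good[2 * i] = 'a';
        good[2 * i + 1] = 'b';
    }
    good[SHA256_LEN * 2] = '\0';

    if (check_hostkey_sha256(digest, good, err, sizeof(err)) != 0)
        return 0;
    if (check_hostkey_sha256(digest, "deadbeef", err, sizeof(err)) != -1)
        return 0;
    if (!strstr(err, "got sha256 abab") || !strstr(err, "expected deadbeef"))
        return 0;
    return 1;
}
```

Building the block with AddressSanitizer (`-fsanitize=address`) and moving the `free(fp)` above the `snprintf` reproduces the heap-use-after-free report for the mismatch path; in the order shown it runs clean.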
Jan Luebbe
9a514e19fa p11-kit: add native to BBCLASSEXTEND
This recipe is needed to build softhsm (in meta-oe) with p11-kit
support, which is useful when multiple PKCS#11 modules need to be used.

(From OE-Core rev: 19498bea309f19d841187a7063286b2a68ce2587)

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4942a42d5a071b283fe49047dcb4fee2c96422e8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-05-30 04:11:15 -10:00
leimaohui
80bf4d4f9a nghttp2: Deleted the entries for -client and -server, and removed a dependency on them from the main package.
By default there is nothing in nghttp2-client and nghttp2-server, so nghttp2-client
and nghttp2-server aren't created. So there are dependency errors when installing the
main package.

Problem: conflicting requests
  - nothing provides nghttp2-client >= 1.52.0 needed by nghttp2-1.52.0-r0.core2_64
  - nothing provides nghttp2-server >= 1.52.0 needed by nghttp2-1.52.0-r0.core2_64

Upstream-Status: Backport [OE-core d2cbe060955c598bd81923ecd554fbe82c17af99]
(From OE-Core rev: 619a643f71eceab73bbbe4dacd1eb42b6d6b01d1)

Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-05-30 04:11:15 -10:00
Ranjitsinh Rathod
a0602dc6b5 libbsd: Add correct license for all packages
BSD-4-Clause is only applicable to the {PN}-doc package as when I
check the source code I find the below files which only use the
license BSD-4-Clause

~/sources/libbsd$ grep -rl "All advertising materials mentioning features or use of this software" *|grep -v \.1|grep -v \.5|grep -v \.8 | sort
COPYING
man/arc4random.3bsd
man/getprogname.3bsd

~/sources/libbsd$ grep -rnB5 "BSD-4"
COPYING-9-Files:
COPYING-10- man/arc4random.3bsd
COPYING-11-Copyright:
COPYING-12- Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
COPYING-13- All rights reserved.
COPYING:14:License: BSD-4-clause-Niels-Provos

(From OE-Core rev: aa5bdac99e187801db56ca4bcc4d5f18b2403f40)

Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-05-10 04:19:57 -10:00
Siddharth Doshi
4fa1c52c9e curl: Security fix for CVE-2023-27535, CVE-2023-27536, CVE-2023-27538
Upstream-Status: Backport from [ed5095ed94, 8f4608468b, af369db4d3, af369db4d3]

(From OE-Core rev: 0b35659c895e6ff2690d42f976169e4a65be07e6)

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-04-26 04:03:21 -10:00
Hitendra Prajapati
762c35a049 curl: CVE-2023-27534 SFTP path resolving discrepancy
Upstream-Status: Backport from 4e2b52b5f7

(From OE-Core rev: 7919a5a5eaa2689db9f0e8110b923bbfe0a610ab)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-04-19 04:44:59 -10:00
Hitendra Prajapati
7fdc49e7ae curl: CVE-2023-27533 TELNET option IAC injection
Upstream-Status: Backport from 0c28ba2faa && 538b1e79a6

(From OE-Core rev: ff795872530975a014ae23001a4b014449783a0e)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-04-19 04:44:59 -10:00
pawan
b28cef7e74 curl: Add fix for CVE-2023-23916
Add below patch to fix CVE-2023-23916

CVE-2023-23916.patch

Link: https://curl.se/docs/CVE-2023-23916.html

(From OE-Core rev: 1b10502deb6a542acfb9dc62dbd916e8299314da)

Signed-off-by: pawan <badganchipv@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-04-11 11:31:52 +01:00
Martin Jansa
5ea644bb53 bmap-tools: switch to main branch
* master branch was removed upstream:
  downloads/git2/github.com.intel.bmap-tools $ git remote prune origin
  Pruning origin
  URL: https://github.com/intel/bmap-tools
   * [pruned] refs/heads/master
   * [pruned] refs/pull/73/merge

* downloads/git2/github.com.intel.bmap-tools $ git branch -a --contains c0673962a8ec1624b5189dc1d24f33fe4f06785a
  main
  release-3.0

(From OE-Core rev: 81223013571ccf4730ca1320b7ac0cd54548ec0a)

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 369fee186d6916322b9be9d936b654d0c5910cb3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-04-11 11:31:52 +01:00
Randy MacLeod
66e92925d4 vim: upgrade 9.0.1403 -> 9.0.1429
Fixes: CVE-2023-1127, CVE-2023-1170, CVE-2023-1175,
       CVE-2023-1264, CVE-2023-1355

(From OE-Core rev: e578b685a7fca4e8a40b1863ec58b71f6c4d263c)

Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 2415072c3800feb164dd4d1fa0b56bd141a5cbd8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-04-11 11:31:52 +01:00
Pawan Badganchi
64eba948a9 curl: Add fix for CVE-2023-23914, CVE-2023-23915
Add below patches to fix CVE-2023-23914 [1], CVE-2023-23915 [2]

CVE-2023-23914_5-1.patch
CVE-2023-23914_5-2.patch
CVE-2023-23914_5-3.patch
CVE-2023-23914_5-4.patch
CVE-2023-23914_5-5.patch

[1] https://curl.se/docs/CVE-2023-23914.html
[2] https://curl.se/docs/CVE-2023-23915.html

(From OE-Core rev: c80ede99b60cfbb0e7b339e1a7dc9f082f0da1f3)

Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
Signed-off-by: pawan <badganchipv@gmail.com>
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-03-28 22:31:53 +01:00
Ross Burton
c0cf98d59c vim: set modified-by to the recipe MAINTAINER
Clause II.3 of the Vim license states that any distribution of Vim that
has been extended or modified must _at least_ indicate in the :version
output that this is the case.

Handily, Vim has a --with-modified-by argument to add a line in that
text, so use MAINTAINER.  This is the distribution maintainer contact,
by default it is OE-Core Developers
<openembedded-core@lists.openembedded.org>.

(From OE-Core rev: ec594fe190f0f41f8c0388904d72015fce0cfa55)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit acc007e23445aa53182e13902dd9509c39dd5645)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-03-23 22:45:33 +00:00
Ross Burton
580e027738 vim: upgrade to 9.0.1403
This incorporates fixes for CVE-2023-1127, CVE-2023-1170, CVE-2023-1175.

Also remove runtime/doc/uganda.txt from the license checksum: the Vim
license is also in the top-level LICENSE file so this is redundant.

(From OE-Core rev: 2d9a183467def574bf3c4a2e2f9bc59965797f6e)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 71111e6b62d37c5e6853d7940dec2993df127a35)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-03-23 22:45:33 +00:00
Ross Burton
9cf12249aa vim: add missing pkgconfig inherit
Vim uses pkgconfig to find dependencies but it wasn't present, so it
silently doesn't enable features like GTK+ UI.

[ YOCTO #15044 ]

(From OE-Core rev: 01eeabdd6f01c47fa637cee81e4ae3c61c2a9bb9)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 70900616298f5e70732a34e7406e585e323479ed)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-03-20 17:20:44 +00:00
Wang Mingyu
cd8afdc181 iso-codes: upgrade 4.12.0 -> 4.13.0
Added
=========
- ISO 3166-1: Add missing common names for Laos, Iran, and Syria.
  Fixes #32

Changed
===========
- Translation updates for ISO 3166-1
  - Kazakh from Debian BTS. Closes: #1025423
  - Catalan from Debian BTS. Closes: #1026972
- Translation updates for ISO 3166-2
- Translation updates for ISO 3166-3
- Translation updates for ISO 639-2
- Translation updates for ISO 639-3
- Translation updates for ISO 639-5
- Translation updates for ISO 4217
- Translation updates for ISO 15924

Fixed
==========
- ISO 3166-3: Fix withdrawal dates of AN, CS and YU. Fixes #28

(From OE-Core rev: e2c6593b1e2bd004c233e6b9fd27170365e00c95)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit f2c8b9c9a97ba5ec9c5da94da84ebe216650d6cc)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-03-20 17:20:44 +00:00
Narpat Mali
caa3177c77 libmicrohttpd: upgrade 0.9.75 -> 0.9.76
Changelog:
============
Fix potential DoS vector in MHD_PostProcessor. (CVE-2023-27371)
Releasing GNU libmicrohttpd 0.9.76 hotfix.

https://github.com/Karlson2k/libmicrohttpd/blob/v0.9.76/ChangeLog

(From OE-Core rev: 017346be6c97d20b1b16d495ee9484f10973857c)

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-03-20 17:20:44 +00:00
Vivek Kumbhar
347ea091f5 gnutls: fix CVE-2023-0361 timing side-channel in the TLS RSA key exchange code
Remove branching that depends on secret data.

Since the `ok` variable isn't used any more, we can remove all code
used to calculate it.

(From OE-Core rev: 05b1222815bec400d573f7b06c0ad6b7b2d78a80)

Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-03-20 17:20:44 +00:00
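What "remove branching that depends on secret data" means in the TLS RSA key exchange, as an added example: instead of `if (padding_ok) use_pms else use_random`, the server computes a mask from the padding and version checks and selects between the decrypted premaster secret and a random fallback byte by byte, so the time taken and the memory touched do not depend on whether the padding was valid. This is illustrative code, not GnuTLS's implementation; the function names (`ct_eq_mask`, `ct_select`, `rsa_pms_select`), the simplified PKCS#1 v1.5 layout check and the 128-byte test vector are assumptions made for the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PMS_LEN 48   /* TLS premaster secret length */

/* 0xFF if a == b, 0x00 otherwise, with no data-dependent branch. */
static uint8_t ct_eq_mask(uint8_t a, uint8_t b)
{
    uint32_t x = (uint32_t)(a ^ b);    /* zero iff equal */
    x = (x - 1u) >> 31;                /* wraps to 0xFFFFFFFF iff x == 0 */
    return (uint8_t)(0u - x);          /* 1 -> 0xFF, 0 -> 0x00 */
}

/* AND of all byte masks: 0xFF iff every byte matches; scans all n bytes. */
static uint8_t ct_memeq_mask(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t m = 0xFF;
    for (size_t i = 0; i < n; i++)
        m &= ct_eq_mask(a[i], b[i]);
    return m;
}

/* out[i] = mask ? a[i] : b[i] for mask in {0x00, 0xFF}, branch-free. */
static void ct_select(uint8_t *out, uint8_t mask,
                      const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t nmask = (uint8_t)~mask;
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)((a[i] & mask) | (b[i] & nmask));
}

/*
 * block: raw RSA-decrypted value, expected as 0x00 0x02 <non-zero pad> 0x00 <PMS>
 * (simplified from RFC 5246 7.4.7.1). The PMS is used only if the whole
 * structure and the embedded client version are right; otherwise the caller's
 * random_pms is used. Either way the function returns normally and the
 * handshake proceeds to fail later in the Finished MAC, revealing nothing.
 */
void rsa_pms_select(const uint8_t *block, size_t block_len,
                    uint8_t version_major, uint8_t version_minor,
                    const uint8_t random_pms[PMS_LEN],
                    uint8_t out_pms[PMS_LEN])
{
    uint8_t ok = 0xFF;
    uint8_t expected_version[2] = { version_major, version_minor };
    size_t pms_off;
    const uint8_t *pms;

    /* block_len is the modulus size, public data: branching on it is fine. */
    if (block_len < PMS_LEN + 11) {
        memcpy(out_pms, random_pms, PMS_LEN);
        return;
    }
    pms_off = block_len - PMS_LEN;
    pms = block + pms_off;

    ok &= ct_eq_mask(block[0], 0x00);
    ok &= ct_eq_mask(block[1], 0x02);
    for (size_t i = 2; i < pms_off - 1; i++)        /* no early exit */
        ok &= (uint8_t)~ct_eq_mask(block[i], 0x00);  /* padding must be non-zero */
    ok &= ct_eq_mask(block[pms_off - 1], 0x00);      /* separator */
    ok &= ct_memeq_mask(pms, expected_version, 2);   /* client version in PMS */

    ct_select(out_pms, ok, pms, random_pms, PMS_LEN);
}

/* Constructed driver: valid 128-byte block, optionally corrupted in one place.
 * Returns 1 if the real PMS was selected, 0 if the random fallback was. */
int rsa_pms_demo(int corruption)
{
    uint8_t block[128], random_pms[PMS_LEN], out[PMS_LEN];
    size_t pms_off = sizeof(block) - PMS_LEN;

    memset(block, 0x5A, sizeof(block));              /* non-zero padding */
    block[0] = 0x00; block[1] = 0x02;
    block[pms_off - 1] = 0x00;
    for (size_t i = 0; i < PMS_LEN; i++)
        block[pms_off + i] = (uint8_t)(0x10 + i);
    block[pms_off] = 0x03; block[pms_off + 1] = 0x03; /* TLS 1.2 */
    memset(random_pms, 0xAA, sizeof(random_pms));

    switch (corruption) {
    case 1: block[1] = 0x01;            break;       /* wrong block type */
    case 2: block[10] = 0x00;           break;       /* zero inside padding */
    case 3: block[pms_off - 1] = 0x5A;  break;       /* missing separator */
    case 4: block[pms_off + 1] = 0x01;  break;       /* wrong client version */
    default: break;
    }

    rsa_pms_select(block, sizeof(block), 0x03, 0x03, random_pms, out);
    return memcmp(out, block + pms_off, PMS_LEN) == 0;
}
```

The point the commit makes is that once the outcome is carried in a mask rather than a branch, the `ok` flag never needs to be tested anywhere, so every code path that existed only to compute and act on it can go.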
Joe Slater
30656ea54d nghttp2: never build python bindings
This has already been done for oe-core/master.

(From OE-Core rev: 9e8cbf46fe6e4e257b76b228de56d4a891199896)

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-03-09 13:19:03 +00:00
Narpat Mali
8f33f65d60 libseccomp: fix for the ptest result format
The output of libseccomp ptest should follow a unified format as
per this https://wiki.yoctoproject.org/wiki/Ptest

Replaced the test results SUCCESS, FAILURE & SKIPPED with PASS,
FAIL & SKIP and print the ptest result in the below format:
result: testname

(From OE-Core rev: 20f15c72ad7e52fb68669bce8be57bbe5a366ca3)

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 30d025a8641cfcce5412b5f021478777620b55f1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-03-09 13:19:03 +00:00
Richard Purdie
3bc80c214a libssh2: Clean up ptest patch/coverage
Martin Jansa spotted patchreview.py reports Malformed Upstream-Status in a
patch in this recipe. The patch is not being applied since there is no ptest
override.

The test in question was also disabled due to an issue with new versions of
openssh.

Add a workaround for the broken test, enable it, drop the broken patch.

(From OE-Core rev: 2c05ee17d58774fc628b8a5b55a14551590fadaa)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e9f2cc084638ce9cb5339df611e473c30f0e40b1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-03-09 13:19:03 +00:00
Federico Pellegrin
3bfdb9bee0 curl: fix dependencies when building with ldap/ldaps
openldap is added as a dependency so the build will not fail,
as otherwise ldap headers are not found during the configure phase

Note: due to upstream bug (now fixed) building LDAP/LDAPS support
with minimal configurations can sometimes not work, see details at:
https://github.com/curl/curl/pull/10445

(From OE-Core rev: e6a001c22ec1b0d5487027148dda099847474272)

Signed-off-by: Federico Pellegrin <fede@evolware.org>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a999f62f5692687a5557f7a50c7c768c50f3d7d3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-03-09 13:19:02 +00:00
Alexander Kanavin
07506c2d82 vim: update 9.0.1211 -> 9.0.1293 to resolve open CVEs
(From OE-Core rev: 5eb050c439d891188ded3e79bf1e5b5695f24872)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6d77dbe499ee362b6e28902f1efcf52b961037a5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-03-09 13:19:02 +00:00
Steve Sakoman
95d0e4347b libgit2: upgrade 1.4.4 -> 1.4.5
Fixes:

libgit2, when compiled using the optional, included libssh2 backend, fails to verify SSH keys by default.

Description
When using an SSH remote with the optional, included libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the certificate_check field of libgit2's git_remote_callbacks structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack.

Beginning in libgit2 v1.4.5 and v1.5.1, libgit2 will now perform host key checking by default. Users can still override the default behavior using the certificate_check function.

The libgit2 security team would like to thank the Julia and Rust security teams for responsibly disclosing this vulnerability and assisting with fixing the vulnerability.

(From OE-Core rev: 6c64dc88b5dac910f3760e9cd1003cc83df3ffad)

Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-02-24 16:41:46 +00:00
Steve Sakoman
b1d0c4f16e libgit2: upgrade 1.4.3 -> 1.4.4
This is a security release with multiple changes.

This provides compatibility with git's changes to address CVE 2022-29187. As a follow up to CVE 2022-24765, now not only is the working directory of a non-bare repository examined for its ownership, but the .git directory and the .git file (if present) are also examined for their ownership.

A fix for compatibility with git's (new) behavior for CVE 2022-24765 allows users on POSIX systems to access a git repository that is owned by them when they are running in sudo.

A fix for further compatibility with git's (existing) behavior for CVE 2022-24765 allows users on Windows to access a git repository that is owned by the Administrator when running with escalated privileges (using runas Administrator).

The bundled zlib is updated to v1.2.12, as prior versions had memory corruption bugs. It is not known that there is a security vulnerability in libgit2 based on these bugs, but we are updating to be cautious.

(From OE-Core rev: 4bc31ac89eb0562bae37e2246e8001b4286f61da)

Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-02-24 16:41:46 +00:00
Alexander Kanavin
a65d579eb6 apr-util: update 1.6.1 -> 1.6.3
Changes with APR-util 1.6.3

  *) Correct a packaging issue in 1.6.2. The contents of the release were
     correct, but the top level directory was misnamed.

Changes with APR-util 1.6.2

  *) SECURITY: CVE-2022-25147 (cve.mitre.org)
     Integer Overflow or Wraparound vulnerability in apr_base64 functions
     of Apache Portable Runtime Utility (APR-util) allows an attacker to
     write beyond bounds of a buffer.

  *) Teach configure how to find and build against MariaDB 10.2. PR 61517
     [Kris Karas <bugs-a17 moonlit-rail.com>]

  *) apr_crypto_commoncrypto: Remove stray reference to -lcrypto that
     prevented commoncrypto being enabled. [Graham Leggett]

  *) Add --tag=CC to libtool invocations. PR 62640. [Michael Osipov]

  *) apr_dbm_gdbm: Fix handling of error codes. This makes gdbm 1.14 work.
     apr_dbm_gdbm will now also return error codes starting with
     APR_OS_START_USEERR, as apr_dbm_berkleydb does, instead of always
     returning APR_EGENERAL. [Stefan Fritsch]

Drop backport.

(From OE-Core rev: e24b38a14b3520648ec418783fb74fcf61df7ff2)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dca707f9fecc805503e17f6db3e4c88069ac0125)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 43cd36b178ebb602edd5919c26f8b8642736a3a8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-02-24 16:41:46 +00:00
Alexander Kanavin
d2e5098a8f apr: update 1.7.0 -> 1.7.2
Changes for APR 1.7.2

  *) Correct a packaging issue in 1.7.1. The contents of the release were
     correct, but the top level directory was misnamed.

Changes for APR 1.7.1

  *) SECURITY: CVE-2022-24963 (cve.mitre.org)
     Integer Overflow or Wraparound vulnerability in apr_encode functions of
     Apache Portable Runtime (APR) allows an attacker to write beyond bounds
     of a buffer.

  *) SECURITY: CVE-2022-28331 (cve.mitre.org)
     On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond
     the end of a stack based buffer in apr_socket_sendv(). This is a result
     of integer overflow.

  *) SECURITY: CVE-2021-35940 (cve.mitre.org)
     Restore fix for out-of-bounds array dereference in apr_time_exp*() functions.
     (This issue was addressed as CVE-2017-12613 in APR 1.6.3 and
     later 1.6.x releases, but was missing in 1.7.0.)  [Stefan Sperling]

  *) configure: Fix various build issues for compilers enforcing
     strict C99 compliance.  PR 66396, 66408, 66426.
     [Florian Weimer <fweimer redhat.com>, Sam James <sam gentoo.org>]

  *) apr_atomic_read64(): Fix non-atomic read on 32-bit Windows [Ivan Zhakov]

  *) configure: Prefer posix name-based shared memory over SysV IPC.
     [Jim Jagielski]

  *) configure: Add --disable-sctp argument to forcibly disable SCTP
     support, or --enable-sctp which fails if SCTP support is not
     detected.  [Lubos Uhliarik <luhliari redhat.com>, Joe Orton]

  *) Fix handle leak in the Win32 apr_uid_current implementation.
     PR 61165. [Ivan Zhakov]

  *) Add error handling for lseek() failures in apr_file_write() and
     apr_file_writev().  [Joe Orton]

  *) Don't silently set APR_FOPEN_NOCLEANUP for apr_file_mktemp() created file
     to avoid a fd and inode leak when/if later passed to apr_file_setaside().
     [Yann Ylavic]

  *) APR's configure script uses AC_TRY_RUN to detect whether the return type
     of strerror_r is int. When cross-compiling this defaults to no.

     This commit adds an AC_CACHE_CHECK so users who cross-compile APR may
     influence the outcome with a configure variable. [Sebastian Kemper
     <sebastian_ml gmx net>]

  *) Add a cache check with which users who cross-compile APR
     can influence the outcome of the /dev/zero test by setting the variable
     ac_cv_mmap__dev_zero=yes [Sebastian Kemper <sebastian_ml gmx net>]

  *) Trick autoconf into printing the correct default prefix in the help.
     [Stefan Fritsch]

  *) Don't try to use PROC_PTHREAD by default when cross compiling.
     [Yann Ylavic]

  *) Add the ability to cross compile APR. [Graham Leggett]

  *) While cross-compiling, the tools/gen_test_char could not
     be executed at build time, use AX_PROG_CC_FOR_BUILD to
     build native tools/gen_test_char

     Support explicit libtool by variable assigning before buildcheck.sh,
     it is helpful for cross-compiling (such as libtool=aarch64-linux-libtool)
     [Hongxu Jia <hongxu.jia windriver.com>]

  *) Avoid an overflow on 32 bit platforms. [René Hjortskov Nielsen
     <r... hjortskov.dk>]

  *) Use AC_CHECK_SIZEOF, so as to support cross compiling. PR 56053.
     [Mike Frysinger <vapier gentoo.org>]

  *) Add --tag=CC to libtool invocations. PR 62640. [Michael Osipov]

  *) apr_pools: Fix pool debugging output so that creation events are
     always emitted before allocation events and subpool destruction
     events are emitted on pool clear/destroy for proper accounting.
     [Brane Čibej]

  *) apr_socket_listen: Allow larger listen backlog values on Windows 8+.
     [Evgeny Kotkov <evgeny.kotkov visualsvn.com>]

  *) Fixed: apr_get_oslevel() was returning APR_WIN_XP on Windows 10

  *) Fix attempt to free invalid memory on exit when apr_app is used
     on Windows. [Ivan Zhakov]

  *) Fix double free on exit when apr_app is used on Windows. [Ivan Zhakov]

  *) Fix a regression in apr_stat() for root path on Windows. [Ivan Zhakov]

Dropped patches have all been merged, addressed separately or are backports.

(From OE-Core rev: c291aefb531431b9a256740766dcb03cbdf84481)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3ffae93f24bb1e3954b232099153fd059cfd7daf)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit e5326ea0ac7e55b2d671a27c1e035c43b8bbc70d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-02-24 16:41:46 +00:00
Khem Raj
579047d4e6 libusb1: Strip trailing whitespaces
(From OE-Core rev: 6e981dc8df59ce0e2e85b25f240b6c5767ce22f6)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2b24ffade16fc23ddb77e26d8967c26d62f4ed6d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-02-04 23:32:20 +00:00
Khem Raj
166a865b01 libusb1: Link with latomic only if compiler has no atomic builtins
This makes build use compiler to decide from where to get atomics
instead of assuming that it should always come from libatomic, helps
sharing build artifacts with OSes which may not have libatomic installed
because it is not required on those hosts.

(From OE-Core rev: c660d75211352a47797c3d400dd504759675a0f6)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a026d9afcbe07a8324ca951ba3439373dcb3771c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-02-04 23:32:20 +00:00
Xiangyu Chen
1fab7be931 numactl: skip test case when target platform doesn't have 2 CPU node
When the current test platform doesn't have 2 or more CPU nodes, the test
case would report FAIL. According to the numa test script and numademo
code, a return code of 77 should mean the test is skipped, so use SKIP instead
of FAIL in the test script.

(From OE-Core rev: 218cf38bd3879df009e70f516c0dcb484376bf2e)

Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fd0a82400d419bce8605a9445db9b20b8ddc01a7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-02-04 23:32:20 +00:00
Chen Qi
82bd71e1cb libseccomp: fix typo in DESCRIPTION
Fix typo in DESCRIPTION: and -> an.

(From OE-Core rev: 44f59f5d8414cbe935addb57bd1ea9ffaf734fba)

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 349e63045298054f9454025d793c67284fce750b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-01-26 23:37:05 +00:00
Randy MacLeod
370c87ac60 vim: upgrade 9.0.0947 -> 9.0.1211
Includes fixes for:
   https://nvd.nist.gov/vuln/detail/CVE-2023-0049
   https://nvd.nist.gov/vuln/detail/CVE-2023-0051
   https://nvd.nist.gov/vuln/detail/CVE-2023-0054
   https://nvd.nist.gov/vuln/detail/CVE-2023-0288

(From OE-Core rev: d4887e2e43e3d66e0f64299a8189b26d5aff31ef)

Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1c51068c78d12ee02789a6dbecf5e7e91d141af5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-01-26 23:37:05 +00:00
Alexander Kanavin
067465faa1 libksba: update 1.6.2 -> 1.6.3
Noteworthy changes in version 1.6.3 (2022-12-06)

Fix another integer overflow in the CRL parser. [T6284,CVE-2022-47629]

(From OE-Core rev: 0c1829b0e7e085ba8aef0d47852abf520ef9d635)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 83f3f21b1b84ab9e7b461ac966691c80f4ed4e97)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit f098cb5073051eb371f4142678b4b3d5e7b52426)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-01-26 23:37:05 +00:00
Steve Sakoman
c8b7bd3158 Revert "libksba: fix CVE-2022-47629"
Prepare for stable version bump which includes this fix

This reverts commit e4cb0bf273ea556db91699594046a47514c8583c.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-01-26 23:37:05 +00:00
Yogita Urade
d65382908c libksba: fix CVE-2022-47629
Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser.

CVE: CVE-2022-47926

References: https://nvd.nist.gov/vuln/detail/CVE-2022-47629

(From OE-Core rev: e4cb0bf273ea556db91699594046a47514c8583c)

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-01-26 23:37:05 +00:00
Ranjitsinh Rathod
192cb88c17 curl: Add patch to fix CVE-2022-43552
Add patch to fix the security issue "curl can be asked to tunnel
virtually all protocols it supports through an HTTP proxy. HTTP proxies
can (and often do) deny such tunnel operations using an appropriate HTTP
error response code." as per the link below
Link: https://curl.se/docs/CVE-2022-43552.html

(From OE-Core rev: a0db3ddf6f2efe733271ff7f6c68fda4d215b1bb)

Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-01-06 17:33:23 +00:00
Ranjitsinh Rathod
b6879ce896 curl: Add patch to fix CVE-2022-43551
Add patch to fix the security issue "curl's HSTS check could be bypassed
to trick it to keep using HTTP. Using its HSTS support, curl can be
instructed to use HTTPS instead of using an insecure clear-text HTTP
step even when HTTP is provided in the URL." as per the link below
Link: https://curl.se/docs/CVE-2022-43551.html

(From OE-Core rev: baa18f2cf107af7a5e1c7b7befad46e6c48f4222)

Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-01-06 17:33:23 +00:00
Ranjitsinh Rathod
18da62e637 curl: Correct LICENSE from MIT-open-group to curl
LICENSE for curl is set to MIT-open-group, which is wrong; the proper
license is 'curl'.

I checked the link below, and the line "Curl and libcurl are licensed
under the license below, which is inspired by MIT/X, but not identical."
says that the license is identical to MIT, but the actual license is
identical to the file "meta/files/common-licenses/curl".
Link: https://curl.se/docs/copyright.html

Also, I did not find the MIT-open-group license text anywhere in the
source code.

(From OE-Core rev: 34b228bd3a80a74bf4d84ef7ee362f4ab1e3a466)

(From OE-Core rev: 95b5df5c9e0bdef55d0f977fb814f9de74363e68)

Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4a246e06cb)
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-01-06 17:33:23 +00:00
Vivek Kumbhar
bbe38cd637 sqlite: fix CVE-2022-46908 safe mode authorizer callback allows disallowed UDFs.
(From OE-Core rev: 18641988caa131436f75dd3c279ce5af3380481a)

Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-01-06 17:33:23 +00:00
Wang Mingyu
531d6fe602 mpfr: upgrade 4.1.0 -> 4.1.1
Changelog:
=========
- Bug fixes (see <https://www.mpfr.org/mpfr-4.1.0/#fixed> and/or the
  ChangeLog file), in particular for macros implementing functions.
- Improved manual formatting.

(From OE-Core rev: 9977278a12d6bc0b811077fa19c64b80e793a33d)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit f733eddc428cf9537f97cb91025b73dd1fdea932)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-12-23 23:05:50 +00:00
Qiu, Zheng
d513c3043b vim: upgrade 9.0.0820 -> 9.0.0947
Includes fixes for CVE-2022-4141
https://nvd.nist.gov/vuln/detail/CVE-2022-4141

For a short list of important changes, see:
https://www.arp242.net/vimlog/

(From OE-Core rev: a7abc8754ab5fbefa23fc17571d272a77dcd2421)

Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 160f459febc7fb36cc0fe85c63eb26780ace3bfd)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-12-13 15:23:34 +00:00
Bhabu Bindu
bfec99ed33 curl: Fix CVE-2022-42915
HTTP proxy double-free

Link: https://security-tracker.debian.org/tracker/CVE-2022-42915

(From OE-Core rev: 4754f33d7ec96f72351853463540c8b1a3f4bc0c)

Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-12-07 15:02:45 +00:00
Bhabu Bindu
b1ea1218bd curl: Fix CVE-2022-42916
HSTS bypass via IDN

Link: https://security-tracker.debian.org/tracker/CVE-2022-42916

(From OE-Core rev: e6796b426503477620e0e5c5c9da50352269a593)

Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-12-07 15:02:45 +00:00