mirror of
https://git.yoctoproject.org/poky
synced 2026-03-06 23:39:40 +01:00
33d7811e07
curl v7.79.0 contained fixes for three CVEs: The description of CVE-2021-22945[1] contains: > This flaw was introduced in commit 2522903b79 but since MQTT support > was marked 'experimental' then and not enabled in the build by default > until curl 7.73.0 (October 14, 2020) we count that as the first flawed > version. which I believe means that curl v7.69.1 is not vulnerable. curl v7.69.1 is vulnerable to both CVE-2021-22946[2] and CVE-22947[3]. These patches are from Ubuntu 20.04's curl 7.68.0 package. The patches applied without conflicts, but I used devtool to regenerate them to avoid fuzz warnings. [1] https://curl.se/docs/CVE-2021-22945.html [2] https://curl.se/docs/CVE-2021-22946.html [3] https://curl.se/docs/CVE-2021-22947.html (From OE-Core rev: b9b343704afc28a6182f699ef17943afacd482a8) Signed-off-by: Mike Crowe <mac@mcrowe.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>