mirror of
https://git.yoctoproject.org/poky
synced 2026-04-19 06:32:13 +02:00
Add patch to fix CVE-2023-28319

UAF in SSH sha256 fingerprint check

libcurl offers a feature to verify an SSH server's public key using a SHA 256 hash. When this check fails, libcurl would free the memory for the fingerprint before it returns an error message containing the (now freed) hash.

This flaw risks inserting sensitive heap-based data into the error message that might be shown to users or otherwise get leaked and revealed.

Link: https://curl.se/docs/CVE-2023-28319.html

(From OE-Core rev: f7d6751828683ac2adbf140e77dbf7454cfa8eb1)

Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
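
The ordering problem described in the commit message, as an added C example; it is not libcurl's code and not the patch this commit carries. `check_fingerprint`, its parameters, the error text and the sample fingerprints are hypothetical and constructed for illustration. The flawed free-then-format order is compiled only when `SHOW_VULNERABLE_ORDER` is defined.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not a libcurl function): compares a heap-held
 * computed fingerprint with the pinned one and, on mismatch, writes an
 * error message into errbuf. Returns 0 on match, -1 otherwise. */
int check_fingerprint(const char *pinned, const char *computed,
                      char *errbuf, size_t errlen)
{
    int rc = 0;
    /* The computed fingerprint lives on the heap, as in the flaw described. */
    char *fingerprint = malloc(strlen(computed) + 1);
    if (!fingerprint) {
        snprintf(errbuf, errlen, "out of memory");
        return -1;
    }
    strcpy(fingerprint, computed);

    if (strcmp(fingerprint, pinned) != 0) {
#ifdef SHOW_VULNERABLE_ORDER
        /* Flawed order: the buffer is released first, so the message is
         * built from freed memory and may carry unrelated heap contents. */
        free(fingerprint);
        snprintf(errbuf, errlen, "fingerprint mismatch: remote %s, pinned %s",
                 fingerprint, pinned);
        return -1;
#else
        /* Corrected order: format the message while the buffer is valid. */
        snprintf(errbuf, errlen, "fingerprint mismatch: remote %s, pinned %s",
                 fingerprint, pinned);
        rc = -1;
#endif
    } else {
        errbuf[0] = '\0';
    }
    free(fingerprint);   /* single release point, after the last use */
    return rc;
}

int main(void)
{
    char err[256];
    /* Constructed sample values, not real key fingerprints. */
    int rc = check_fingerprint("cGlubmVk", "cmVtb3Rl", err, sizeof err);
    printf("rc=%d msg=%s\n", rc, err);
    return 0;
}
```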