Diffstat (limited to 'meta/recipes-support/curl/curl_7.75.0.bb')
-rw-r--r--meta/recipes-support/curl/curl_7.75.0.bb8
1 files changed, 8 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl_7.75.0.bb b/meta/recipes-support/curl/curl_7.75.0.bb
index d64e5e1f79..accede604c 100644
--- a/meta/recipes-support/curl/curl_7.75.0.bb
+++ b/meta/recipes-support/curl/curl_7.75.0.bb
@@ -21,6 +21,9 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://CVE-2021-22901.patch \
file://CVE-2021-22924.patch \
file://CVE-2021-22926.patch \
+ file://CVE-2021-22945.patch \
+ file://CVE-2021-22946.patch \
+ file://CVE-2021-22947.patch \
"
SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb316d026"
@@ -28,6 +31,10 @@ SRC_URI[sha256sum] = "50552d4501c178e4cc68baaecc487f466a3d6d19bbf4e50a01869effb3
# Curl has used many names over the years...
CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
+# These only apply when using --with-libmetalink, but --without-libmetalink is
+# set below.
+CVE_CHECK_WHITELIST += "CVE-2021-22922 CVE-2021-22923"
+
inherit autotools pkgconfig binconfig multilib_header
PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls libidn proxy threaded-resolver verbose zlib"
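Review bot: The `CVE_CHECK_WHITELIST` entry for CVE-2021-22922 and CVE-2021-22923 is unconditional, but its justification is the `--without-libmetalink` flag, which sits elsewhere in the recipe and is not visible in this hunk. Nothing ties the two together, so if a bbappend or a later recipe update changes that configure flag, the CVE check would presumably keep treating both CVEs as not applicable. The comment should state the dependency in this direction too, for example `# Remove this whitelist entry if libmetalink support is ever enabled.` The comment added in the third hunk above `EXTRA_OECONF` covers the opposite direction; "mitigate" there would be more precise as "keeps CVE-2021-22922 and CVE-2021-22923 not applicable".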
@@ -65,6 +72,7 @@ PACKAGECONFIG[threaded-resolver] = "--enable-threaded-resolver,--disable-threade
PACKAGECONFIG[verbose] = "--enable-verbose,--disable-verbose"
PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib"
+# Keep --without-libmetalink to mitigate CVE-2021-22922 and CVE-2021-22923
EXTRA_OECONF = " \
--disable-libcurl-option \
--disable-ntlm-wb \