Bug 271497 - ftp/curl: security update to 8.1.0
Summary: ftp/curl: security update to 8.1.0
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Po-Chuan Hsieh
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-05-18 21:21 UTC by R. Christian McDonald
Modified: 2023-05-19 21:08 UTC

See Also:
bugzilla: maintainer-feedback? (sunpoet)


Attachments
ftp/curl: update to 8.1.0 (1.97 KB, patch)
2023-05-18 21:21 UTC, R. Christian McDonald
vuxml entry (2.06 KB, patch)
2023-05-18 21:21 UTC, R. Christian McDonald

Description R. Christian McDonald 2023-05-18 21:21:18 UTC
Created attachment 242259
ftp/curl: update to 8.1.0

https://curl.se/docs/security.html

This security update addresses 4 CVEs:
* CVE-2023-28319: UAF in SSH sha256 fingerprint check
* CVE-2023-28320: siglongjmp race condition
* CVE-2023-28321: IDN wildcard match
* CVE-2023-28322: more POST-after-PUT confusion
Comment 1 R. Christian McDonald 2023-05-18 21:21:45 UTC
Created attachment 242260
vuxml entry
Comment 2 commit-hook freebsd_committer freebsd_triage 2023-05-19 21:07:36 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5fae3323ed2f9a1d203ccaed617ed49dec9d85ce

commit 5fae3323ed2f9a1d203ccaed617ed49dec9d85ce
Author:     R. Christian McDonald <rcm@rcm.sh>
AuthorDate: 2023-05-18 03:51:54 +0000
Commit:     Renato Botelho <garga@FreeBSD.org>
CommitDate: 2023-05-19 21:00:50 +0000

    ftp/curl: Update to 8.1.0

    PR:             271497
    Security:       CVE-2023-28319
                    CVE-2023-28320
                    CVE-2023-28321
                    CVE-2023-28322
    Sponsored by:   Rubicon Communications, LLC ("Netgate")

 ftp/curl/Makefile  | 2 +-
 ftp/curl/distinfo  | 6 +++---
 ftp/curl/pkg-plist | 2 ++
 3 files changed, 6 insertions(+), 4 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2023-05-19 21:07:37 UTC
A commit in branch 2023Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=41870dd5977cf29a572c231ac0d9aea40df978b8

commit 41870dd5977cf29a572c231ac0d9aea40df978b8
Author:     R. Christian McDonald <rcm@rcm.sh>
AuthorDate: 2023-05-18 03:51:54 +0000
Commit:     Renato Botelho <garga@FreeBSD.org>
CommitDate: 2023-05-19 21:07:05 +0000

    ftp/curl: Update to 8.1.0

    PR:             271497
    Security:       CVE-2023-28319
                    CVE-2023-28320
                    CVE-2023-28321
                    CVE-2023-28322
    Sponsored by:   Rubicon Communications, LLC ("Netgate")

    (cherry picked from commit 5fae3323ed2f9a1d203ccaed617ed49dec9d85ce)

 ftp/curl/Makefile  | 2 +-
 ftp/curl/distinfo  | 6 +++---
 ftp/curl/pkg-plist | 2 ++
 3 files changed, 6 insertions(+), 4 deletions(-)