dependencies: upgrade libcurl to 7.74.0.

Address CVE scanner reports. These don't appear to impact Envoy extension use of libcurl, so fixing in the open, the update is belt-and-braces. CVE ID: CVE-2020-8284 CVSS v3 score: 3.7 Severity: LOW Published date: 2020-12-14 Last modified date: 2020-12-15 Dependencies: com_github_curl Description: A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions. Affected CPEs: - cpe:2.3:o:fedoraproject:fedora:33 - cpe:2.3:a:haxx:curl:* CVE ID: CVE-2020-8285 CVSS v3 score: 7.5 Severity: HIGH Published date: 2020-12-14 Last modified date: 2020-12-15 Dependencies: com_github_curl Description: curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing. Affected CPEs: - cpe:2.3:a:haxx:curl:* CVE ID: CVE-2020-8286 CVSS v3 score: 7.5 Severity: HIGH Published date: 2020-12-14 Last modified date: 2020-12-15 Dependencies: com_github_curl Description: curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response. Affected CPEs: - cpe:2.3:a:haxx:curl:* Signed-off-by: Harvey Tuch <htuch@google.com>
envoyproxy · Dec 16, 2020 · f48c87e · f48c87e
1 parent 09134ff
commit f48c87e
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 13 deletions.
diff --git a/bazel/foreign_cc/curl.patch b/bazel/foreign_cc/curl.patch
@@ -18,12 +18,3 @@ index ec1cfa782..0c5a72f00 100644
 +      string(REGEX REPLACE "/MD" "/MT" ${flags_var} "${${flags_var}}")
 +    endif()
 +  endforeach()
-diff --git a/lib/CMakeLists.txt b/lib/CMakeLists.txt
-index 911c9096d..ba6af1bf1 100644
---- a/lib/CMakeLists.txt
-+++ b/lib/CMakeLists.txt
-@@ -91,4 +91,0 @@ add_library(
--if(MSVC AND NOT BUILD_SHARED_LIBS)
--  set_target_properties(${LIB_NAME} PROPERTIES STATIC_LIBRARY_FLAGS ${CMAKE_EXE_LINKER_FLAGS})
--endif()
--
diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
@@ -649,8 +649,8 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "curl",
         project_desc = "Library for transferring data with URLs",
         project_url = "https://curl.haxx.se",
-        version = "7.72.0",
-        sha256 = "d4d5899a3868fbb6ae1856c3e55a32ce35913de3956d1973caccd37bd0174fa2",
+        version = "7.74.0",
+        sha256 = "e56b3921eeb7a2951959c02db0912b5fcd5fdba5aca071da819e1accf338bbd7",
         strip_prefix = "curl-{version}",
         urls = ["https://github.com/curl/curl/releases/download/curl-{underscore_version}/curl-{version}.tar.gz"],
         use_category = ["dataplane_ext", "observability_ext"],
@@ -660,7 +660,7 @@ REPOSITORY_LOCATIONS_SPEC = dict(
             "envoy.grpc_credentials.aws_iam",
             "envoy.tracers.opencensus",
         ],
-        release_date = "2020-08-19",
+        release_date = "2020-12-09",
         cpe = "cpe:2.3:a:haxx:curl:*",
     ),
     com_googlesource_chromium_v8 = dict(

diff --git a/test/dependencies/curl_test.cc b/test/dependencies/curl_test.cc
@@ -40,7 +40,7 @@ TEST(CurlTest, BuiltWithExpectedFeatures) {
   EXPECT_EQ(0, info->features & CURL_VERSION_HTTPS_PROXY);
   EXPECT_EQ(0, info->features & CURL_VERSION_MULTI_SSL);
   EXPECT_EQ(0, info->features & CURL_VERSION_BROTLI);
-  EXPECT_EQ(0, info->features & CURL_VERSION_ALTSVC);
+  EXPECT_NE(0, info->features & CURL_VERSION_ALTSVC);
   EXPECT_EQ(0, info->features & CURL_VERSION_HTTP3);
   EXPECT_NE(0, info->ares_num);
 }