From f48c87e97a4d6da6673d3144edd7bc8fc2a544fe Mon Sep 17 00:00:00 2001
From: Harvey Tuch
Date: Wed, 16 Dec 2020 18:26:30 +0000
Subject: [PATCH] dependencies: upgrade libcurl to 7.74.0.
Address CVE scanner reports. These don't appear to impact Envoy extension use of libcurl, so fixing in the open, the update is belt-and-braces.
CVE ID: CVE-2020-8284
CVSS v3 score: 3.7
Severity: LOW
Published date: 2020-12-14
Last modified date: 2020-12-15
Dependencies: com_github_curl
Description: A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.
Affected CPEs:
- cpe:2.3:o:fedoraproject:fedora:33
- cpe:2.3:a:haxx:curl:*
CVE ID: CVE-2020-8285
CVSS v3 score: 7.5
Severity: HIGH
Published date: 2020-12-14
Last modified date: 2020-12-15
Dependencies: com_github_curl
Description: curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.
Affected CPEs:
- cpe:2.3:a:haxx:curl:*
CVE ID: CVE-2020-8286
CVSS v3 score: 7.5
Severity: HIGH
Published date: 2020-12-14
Last modified date: 2020-12-15
Dependencies: com_github_curl
Description: curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.
Affected CPEs:
- cpe:2.3:a:haxx:curl:*
Signed-off-by: Harvey Tuch
---
 bazel/foreign_cc/curl.patch | 9 ---------
 bazel/repository_locations.bzl | 6 +++---
 test/dependencies/curl_test.cc | 2 +-
 3 files changed, 4 insertions(+), 13 deletions(-)
diff --git a/bazel/foreign_cc/curl.patch b/bazel/foreign_cc/curl.patch
index 7c2a7bc129e0..e602ba03dc44 100644
--- a/bazel/foreign_cc/curl.patch
+++ b/bazel/foreign_cc/curl.patch
@@ -18,12 +18,3 @@ index ec1cfa782..0c5a72f00 100644
 + string(REGEX REPLACE "/MD" "/MT" ${flags_var} "${${flags_var}}")
 + endif()
 + endforeach()
-diff --git a/lib/CMakeLists.txt b/lib/CMakeLists.txt
-index 911c9096d..ba6af1bf1 100644
---- a/lib/CMakeLists.txt
-+++ b/lib/CMakeLists.txt
-@@ -91,4 +91,0 @@ add_library(
--if(MSVC AND NOT BUILD_SHARED_LIBS)
-- set_target_properties(${LIB_NAME} PROPERTIES STATIC_LIBRARY_FLAGS ${CMAKE_EXE_LINKER_FLAGS})
--endif()
--
diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
index 458c69f1f82b..b2b2ead78bce 100644
--- a/bazel/repository_locations.bzl
+++ b/bazel/repository_locations.bzl
@@ -649,8 +649,8 @@ REPOSITORY_LOCATIONS_SPEC = dict(
 project_name = "curl",
 project_desc = "Library for transferring data with URLs",
 project_url = "https://curl.haxx.se",
- version = "7.72.0",
- sha256 = "d4d5899a3868fbb6ae1856c3e55a32ce35913de3956d1973caccd37bd0174fa2",
+ version = "7.74.0",
+ sha256 = "e56b3921eeb7a2951959c02db0912b5fcd5fdba5aca071da819e1accf338bbd7",
 strip_prefix = "curl-{version}",
 urls = ["https://github.com/curl/curl/releases/download/curl-{underscore_version}/curl-{version}.tar.gz"],
 use_category = ["dataplane_ext", "observability_ext"],
@@ -660,7 +660,7 @@ REPOSITORY_LOCATIONS_SPEC = dict(
 "envoy.grpc_credentials.aws_iam",
 "envoy.tracers.opencensus",
 ],
- release_date = "2020-08-19",
+ release_date = "2020-12-09",
 cpe = "cpe:2.3:a:haxx:curl:*",
 ),
 com_googlesource_chromium_v8 = dict(
diff --git a/test/dependencies/curl_test.cc b/test/dependencies/curl_test.cc
index 36bf8e149ed2..e046db65a95d 100644
--- a/test/dependencies/curl_test.cc
+++ b/test/dependencies/curl_test.cc
@@ -40,7 +40,7 @@ TEST(CurlTest, BuiltWithExpectedFeatures) {
 EXPECT_EQ(0, info->features & CURL_VERSION_HTTPS_PROXY);
 EXPECT_EQ(0, info->features & CURL_VERSION_MULTI_SSL);
 EXPECT_EQ(0, info->features & CURL_VERSION_BROTLI);
- EXPECT_EQ(0, info->features & CURL_VERSION_ALTSVC);
+ EXPECT_NE(0, info->features & CURL_VERSION_ALTSVC);
 EXPECT_EQ(0, info->features & CURL_VERSION_HTTP3);
 EXPECT_NE(0, info->ares_num);
 }
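Review bot: Flipping the ALTSVC check from `EXPECT_EQ` to `EXPECT_NE` enlarges the feature set this test pins for the vendored curl, and neither the line nor the commit message says why; presumably 7.74.0 now builds alt-svc in by default, but the purpose of BuiltWithExpectedFeatures is to make exactly such changes a deliberate decision rather than a test fix. Either turn alt-svc off in the curl build configuration so the original `EXPECT_EQ(0, info->features & CURL_VERSION_ALTSVC);` keeps holding, or keep the flip and annotate the changed line, e.g. `// curl >= 7.74.0 builds alt-svc in by default; it is inert unless a handle sets CURLOPT_ALTSVC.`. Alt-Svc only takes effect on handles that opt in through CURLOPT_ALTSVC, so as far as I can tell runtime behaviour is unchanged, but the test now documents the larger compiled-in surface either way. The TEST body begins before this hunk; only its tail is visible here.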