[OE-core] [PATCH v2] curl: upgrade 8.19.0 -> 8.20.0

Mon, 01 Jun 2026 12:00:34 -0700 

From: Tim Orling <[email protected]>

* Backport patch to avoid 100% CPU load:
  https://github.com/curl/curl/commit/2a2104f3cff44bb28bb570a093be52bbeeed8f23
* Remove PACKAGECONFIG[rtmpdump]:
  ceae02db04 rtmp: drop support

CVE: CVE-2026-4873
CVE: CVE-2026-5545
CVE: CVE-2026-5773
CVE: CVE-2026-6253
CVE: CVE-2026-6276
CVE: CVE-2026-6429
CVE: CVE-2026-7009
CVE: CVE-2026-7168

For changelog, see [1].
For full comparison of changes, see [2].

[1] https://curl.se/ch/8.20.0.html
[2] https://github.com/curl/curl/compare/curl-8_19_0...curl-8_20_0

Signed-off-by: Tim Orling <[email protected]>
---
Changes in v2:
Backport patch suggested by Ross Burton in patch review meeting

ptests still pass on qemux86-64 core-image-ptest-curl:
TESTDONE: 1897 tests were considered during 42 seconds.
TESTDONE: 928 tests out of 928 reported OK: 100%
DURATION: 43
END: /usr/lib/curl/ptest
2026-06-01T18:55
STOP: ptest-runner
TOTAL: 1 FAIL: 0

 .../0001-event-fix-wakeup-consumption.patch   | 39 +++++++++++++++++++
 .../curl/{curl_8.19.0.bb => curl_8.20.0.bb}   |  4 +-
 2 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 
meta/recipes-support/curl/curl/0001-event-fix-wakeup-consumption.patch
 rename meta/recipes-support/curl/{curl_8.19.0.bb => curl_8.20.0.bb} (97%)

diff --git 
a/meta/recipes-support/curl/curl/0001-event-fix-wakeup-consumption.patch 
b/meta/recipes-support/curl/curl/0001-event-fix-wakeup-consumption.patch
new file mode 100644
index 0000000000..7f22e19c05
--- /dev/null
+++ b/meta/recipes-support/curl/curl/0001-event-fix-wakeup-consumption.patch
@@ -0,0 +1,39 @@
+From 590e31dff8aa4c5ff8be761128e38ac751aed875 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <[email protected]>
+Date: Mon, 11 May 2026 14:56:04 +0200
+Subject: [PATCH] event: fix wakeup consumption
+
+The events on a multi wakeup socketpair were only consumed via
+curl_multi_poll()/curl_multi_wait() but not in event based processing on
+a curl_multi_socket() call. That led to busy loops as reported in
+
+Fixes #21547
+Reported-by: Earnestly on github
+Closes #21549
+
+Upstream-Status: Backport ["2a2104f event: fix wakeup consumption"]
+Suggested-by: Ross Burton <[email protected]>
+Signed-off-by: Tim Orling <[email protected]>
+---
+ lib/multi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/multi.c b/lib/multi.c
+index 7520253d70..a0012d8faf 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -2479,6 +2479,11 @@ static CURLMcode multi_runsingle(struct Curl_multi 
*multi,
+   Curl_uint32_bset_remove(&multi->dirty, data->mid);
+ 
+   if(data == multi->admin) {
++#ifdef ENABLE_WAKEUP
++    /* Consume any pending wakeup signals before processing.
++     * This is necessary for event based processing. See #21547 */
++    (void)Curl_wakeup_consume(multi->wakeup_pair, TRUE);
++#endif
+ #ifdef USE_RESOLV_THREADED
+     Curl_async_thrdd_multi_process(multi);
+ #endif
+-- 
+2.47.3
+
diff --git a/meta/recipes-support/curl/curl_8.19.0.bb 
b/meta/recipes-support/curl/curl_8.20.0.bb
similarity index 97%
rename from meta/recipes-support/curl/curl_8.19.0.bb
rename to meta/recipes-support/curl/curl_8.20.0.bb
index b9251336b8..0408657f40 100644
--- a/meta/recipes-support/curl/curl_8.19.0.bb
+++ b/meta/recipes-support/curl/curl_8.20.0.bb
@@ -14,13 +14,14 @@ SRC_URI = " \
     file://run-ptest \
     file://disable-tests \
     file://no-test-timeout.patch \
+    file://0001-event-fix-wakeup-consumption.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \
     file://environment.d-curl.sh \
 "
 
-SRC_URI[sha256sum] = 
"4eb41489790d19e190d7ac7e18e82857cdd68af8f4e66b292ced562d333f11df"
+SRC_URI[sha256sum] = 
"63fe2dc148ba0ceae89922ef838f7e5c946272c2e78b7c59fab4b79d3ce2b896"
 
 # Curl has used many names over the years...
 CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl 
daniel_stenberg:curl"
@@ -63,7 +64,6 @@ PACKAGECONFIG[nghttp2] = 
"--with-nghttp2,--without-nghttp2,nghttp2"
 PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl"
 PACKAGECONFIG[pop3] = "--enable-pop3,--disable-pop3,"
 PACKAGECONFIG[proxy] = "--enable-proxy,--disable-proxy,"
-PACKAGECONFIG[rtmpdump] = "--with-librtmp,--without-librtmp,rtmpdump"
 PACKAGECONFIG[rtsp] = "--enable-rtsp,--disable-rtsp,"
 PACKAGECONFIG[schannel] = "--with-schannel,--without-schannel,"
 PACKAGECONFIG[smb] = "--enable-smb,--disable-smb,"
-- 
2.43.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#237985): 
https://lists.openembedded.org/g/openembedded-core/message/237985
Mute This Topic: https://lists.openembedded.org/mt/119598903/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to