Re: [ptxdist] [APPLIED] libcurl: Version bump. 8.17.0 -> 8.18.0

Fri, 23 Jan 2026 07:02:41 -0800 

Thanks, applied as 9bac0d372c8001dbfe78da9c78851fde26fcf7ec.

Michael

[sent from post-receive hook]

On Fri, 23 Jan 2026 16:01:59 +0100, Christian Melki 
<[email protected]> wrote:
> Bunch of fixes + security + minversion OpenSSL >= 3.0.0.
> https://curl.se/changes.html#8_18_0
> 
> Plugs CVEs:
> CVE-2025-15224: libssh key passphrase bypass without agent set
> CVE-2025-15079: libssh global known_hosts override
> CVE-2025-14819: OpenSSL partial chain store policy bypass
> CVE-2025-14524: bearer token leak on cross-protocol redirect
> CVE-2025-14017: broken TLS options for threaded LDAPS
> CVE-2025-13034: No QUIC certificate pinning with GnuTLS
> 
> Signed-off-by: Christian Melki <[email protected]>
> Message-Id: <[email protected]>
> Signed-off-by: Michael Olbrich <[email protected]>
> 
> diff --git a/rules/libcurl.make b/rules/libcurl.make
> index e16c30cddcff..62d9a8ccbc8d 100644
> --- a/rules/libcurl.make
> +++ b/rules/libcurl.make
> @@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_LIBCURL) += libcurl
>  #
>  # Paths and names
>  #
> -LIBCURL_VERSION      := 8.17.0
> -LIBCURL_MD5  := 7a9d4b772fc56d68479b0416f234105a
> +LIBCURL_VERSION      := 8.18.0
> +LIBCURL_MD5  := dae6088bf7af69d3b0a87c762de92248
>  LIBCURL              := curl-$(LIBCURL_VERSION)
>  LIBCURL_SUFFIX       := tar.xz
>  LIBCURL_URL  := https://curl.se/download/$(LIBCURL).$(LIBCURL_SUFFIX)

Reply via email to