Security fix galore. And the slew of bugfixes. https://curl.se/ch/8.21.0.html
Plugs CVEs: CVE-2026-12064: proto-default skips SSH verification CVE-2026-11856: cross-origin Digest auth state leak CVE-2026-11586: WS Auto-PONG memory exhaustion CVE-2026-11564: Native CA trust persist CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop CVE-2026-10536: HTTP/2 stream-dependency tree UAF CVE-2026-9547: SSH improper host validation CVE-2026-9546: sending old referer CVE-2026-9545: exposing HTTP/3 early data CVE-2026-9080: UAF after pause in socket callback CVE-2026-9079: stale proxy password leak CVE-2026-8932: incomplete mTLS config matching in conn reuse CVE-2026-8927: env-set cross-proxy Digest auth state leak CVE-2026-8926: password leak with netrc and user in URL CVE-2026-8925: SASL double-free CVE-2026-8924: trailing dot domain super cookie CVE-2026-8458: wrong reuse for different services CVE-2026-8286: wrong STARTTLS connection reuse Signed-off-by: Christian Melki <[email protected]> --- rules/libcurl.make | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/libcurl.make b/rules/libcurl.make index 918dc71b6..3c5b00adb 100644 --- a/rules/libcurl.make +++ b/rules/libcurl.make @@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_LIBCURL) += libcurl # # Paths and names # -LIBCURL_VERSION := 8.20.0 -LIBCURL_SHA256 := 63fe2dc148ba0ceae89922ef838f7e5c946272c2e78b7c59fab4b79d3ce2b896 +LIBCURL_VERSION := 8.21.0 +LIBCURL_SHA256 := aa1b66a70eace83dc624508745646c08ae561de512ab403adffb93ac87fc72e6 LIBCURL := curl-$(LIBCURL_VERSION) LIBCURL_SUFFIX := tar.xz LIBCURL_URL := https://curl.se/download/$(LIBCURL).$(LIBCURL_SUFFIX) -- 2.43.0
