Security fix galore. And the slew of bugfixes.
https://curl.se/ch/8.21.0.html

Plugs CVEs:
CVE-2026-12064: proto-default skips SSH verification
CVE-2026-11856: cross-origin Digest auth state leak
CVE-2026-11586: WS Auto-PONG memory exhaustion
CVE-2026-11564: Native CA trust persist
CVE-2026-11352: QUIC zero-length UDP datagrams busy-loop
CVE-2026-10536: HTTP/2 stream-dependency tree UAF
CVE-2026-9547: SSH improper host validation
CVE-2026-9546: sending old referer
CVE-2026-9545: exposing HTTP/3 early data
CVE-2026-9080: UAF after pause in socket callback
CVE-2026-9079: stale proxy password leak
CVE-2026-8932: incomplete mTLS config matching in conn reuse
CVE-2026-8927: env-set cross-proxy Digest auth state leak
CVE-2026-8926: password leak with netrc and user in URL
CVE-2026-8925: SASL double-free
CVE-2026-8924: trailing dot domain super cookie
CVE-2026-8458: wrong reuse for different services
CVE-2026-8286: wrong STARTTLS connection reuse

Signed-off-by: Christian Melki <[email protected]>
---
 rules/libcurl.make | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/libcurl.make b/rules/libcurl.make
index 918dc71b6..3c5b00adb 100644
--- a/rules/libcurl.make
+++ b/rules/libcurl.make
@@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_LIBCURL) += libcurl
 #
 # Paths and names
 #
-LIBCURL_VERSION        := 8.20.0
-LIBCURL_SHA256 := 
63fe2dc148ba0ceae89922ef838f7e5c946272c2e78b7c59fab4b79d3ce2b896
+LIBCURL_VERSION        := 8.21.0
+LIBCURL_SHA256 := 
aa1b66a70eace83dc624508745646c08ae561de512ab403adffb93ac87fc72e6
 LIBCURL                := curl-$(LIBCURL_VERSION)
 LIBCURL_SUFFIX := tar.xz
 LIBCURL_URL    := https://curl.se/download/$(LIBCURL).$(LIBCURL_SUFFIX)
-- 
2.43.0


Reply via email to