Issue 126896 - bundled curl version 7.19.7 has many vulnerabilities
Summary: bundled curl version 7.19.7 has many vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Build Tools
Classification: Code
Component: external prerequisites
Version: 4.2.0-dev
Hardware: All All
Importance: P5 (lowest) Normal
Target Milestone: 4.2.0
Assignee: AOO issues mailing list
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-28 23:23 UTC by Don Lewis
Modified: 2016-07-28 21:35 UTC
CC List: 2 users

See Also:
Issue Type: PATCH
Latest Confirmation in: ---
Developer Difficulty: ---


Attachments
patch to upgrade bundled curl to version 7.48.0 (7.23 KB, patch)
2016-03-28 23:23 UTC, Don Lewis
patch to upgrade bundled curl to version 7.49.1 (10.72 KB, patch)
2016-07-24 19:15 UTC, Don Lewis

Description Don Lewis 2016-03-28 23:23:17 UTC
Created attachment 85374
patch to upgrade bundled curl to version 7.48.0

The curl-7.19.7 software bundled with OpenOffice has these security vulnerabilities:

    CVE-2010-0734
    CVE-2011-2192
    CVE-2013-2174
    CVE-2014-3143
    CVE-2014-3144
    CVE-2014-3145
    CVE-2014-3148
    CVE-2014-8150
    CVE-2015-3153
    CVE-2016-0755

The attached patch upgrades curl to version 7.48.0, which has no
publicly disclosed vulnerabilities at this time.

This version of curl appears to require no patches to integrate it
with OpenOffice.
Comment 1 oooforum (fr) 2016-03-29 13:31:52 UTC
Set status as PATCH
Comment 2 Don Lewis 2016-07-24 19:15:09 UTC
Created attachment 85615
patch to upgrade bundled curl to version 7.49.1

The latest version of curl is now 7.49.1.

Update LICENSE info (copyright date and contributor info).

This has been tested on FreeBSD, CentOS, and Windows by doing:
  File->Open and specifying an ftp URL.

Note: We have a tarball of the old version of curl checked into svn under ext_sources.  Should this be removed and the new version checked in?
Comment 3 Don Lewis 2016-07-24 19:28:11 UTC
Curl did need a patch for Windows to produce a library with the name that we expect.
Comment 4 SVN Robot 2016-07-28 21:29:07 UTC
"truckman" committed SVN revision 1754469 into trunk:
#i126896#:  bundled curl version 7.19.7 has many vulnerabilities
Comment 5 Don Lewis 2016-07-28 21:35:08 UTC
Patch to upgrade to curl 7.49.1 committed.