# HG changeset patch
# User Rich Burridge <rich.burridge@oracle.com>
# Date 1420734919 28800
# Node ID 4da1857767d1d3497cb5504b5663b4ac74cc8b0e
# Parent  5fdeba1e317cd9a77df36689e66e1d12a9e825fc
20306075 problem in LIBRARY/CURL
20306105 problem in LIBRARY/CURL

diff -r 5fdeba1e317c -r 4da1857767d1 components/curl/patches/011-CVE-2014-8151.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/011-CVE-2014-8151.patch	Thu Jan 08 08:35:19 2015 -0800
@@ -0,0 +1,32 @@
+From fafbab1a3a52a383d92d2b5b1fb63785a15f2d73 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 19 Dec 2014 08:50:00 +0100
+Subject: [PATCH] darwinssl: fix session ID keys to only reuse identical
+ sessions
+
+...to avoid a session ID getting cached without certificate checking and
+then after a subsequent _enabling_ of the check libcurl could still
+re-use the session done without cert checks.
+
+Bug: http://curl.haxx.se/docs/adv_20150108A.html
+Reported-by: Marc Hesse
+---
+ lib/vtls/curl_darwinssl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+This fix is already available upstream in curl version 7.40.0
+
+--- lib/vtls/curl_darwinssl.c.orig	2015-01-05 16:57:56.063227733 -0800
++++ lib/vtls/curl_darwinssl.c	2015-01-05 16:58:54.820470409 -0800
+@@ -1483,7 +1483,10 @@
+   else {
+     CURLcode retcode;
+ 
+-    ssl_sessionid = malloc(256*sizeof(char));
++    ssl_sessionid =
++      aprintf("%s:%d:%d:%s:%hu", data->set.str[STRING_SSL_CAFILE],
++              data->set.ssl.verifypeer, data->set.ssl.verifyhost,
++              conn->host.name, conn->remote_port);
+     ssl_sessionid_len = snprintf(ssl_sessionid, 256, "curl:%s:%hu",
+       conn->host.name, conn->remote_port);
+     err = SSLSetPeerID(connssl->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
diff -r 5fdeba1e317c -r 4da1857767d1 components/curl/patches/012-CVE-2014-8150.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/012-CVE-2014-8150.patch	Thu Jan 08 08:35:19 2015 -0800
@@ -0,0 +1,29 @@
+From 4e2ac2afa94f014a2a015c48c678e2367a63ae82 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 25 Dec 2014 23:55:03 +0100
+Subject: [PATCH] url-parsing: reject CRLFs within URLs
+
+Bug: http://curl.haxx.se/docs/adv_20150108B.html
+Reported-by: Andrey Labunets
+---
+ lib/url.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+This fix is already available upstream in curl version 7.40.0
+
+--- lib/url.c.orig	2015-01-05 17:02:35.129777364 -0800
++++ lib/url.c	2015-01-05 17:03:35.687969097 -0800
+@@ -3807,6 +3807,13 @@
+ 
+   *prot_missing = FALSE;
+ 
++  /* We might pass the entire URL into the request so we need to make sure
++   * there are no bad characters in there.*/
++  if(strpbrk(data->change.url, "\r\n")) {
++    failf(data, "Illegal characters found in URL");
++    return CURLE_URL_MALFORMAT;
++  }
++
+   /*************************************************************
+    * Parse the URL.
+    *