[v2] curl: upgrade 8.19.0 -> 8.20.0

Message ID	20260601185900.294639-2-tim.orling@konsulko.com
State	New
Headers	show Return-Path: <tim.orling@konsulko.com> ip: 209.85.216.53, mailfrom: tim.orling@konsulko.com) From: tim.orling@konsulko.com To: openembedded-core@lists.openembedded.org Cc: Tim Orling <tim.orling@konsulko.com> Subject: [PATCH v2] curl: upgrade 8.19.0 -> 8.20.0 Date: Mon, 1 Jun 2026 11:59:00 -0700 Message-ID: <20260601185900.294639-2-tim.orling@konsulko.com> In-Reply-To: <20260531213732.3220315-2-tim.orling@konsulko.com> References: <20260531213732.3220315-2-tim.orling@konsulko.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[v2] curl: upgrade 8.19.0 -> 8.20.0 \| expand [v2] curl: upgrade 8.19.0 -> 8.20.0

Message ID

20260601185900.294639-2-tim.orling@konsulko.com

State

New

Headers

From: tim.orling@konsulko.com
To: openembedded-core@lists.openembedded.org
Cc: Tim Orling <tim.orling@konsulko.com>
Subject: [PATCH v2] curl: upgrade 8.19.0 -> 8.20.0
Date: Mon,  1 Jun 2026 11:59:00 -0700
Message-ID: <20260601185900.294639-2-tim.orling@konsulko.com>
In-Reply-To: <20260531213732.3220315-2-tim.orling@konsulko.com>
References: <20260531213732.3220315-2-tim.orling@konsulko.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[v2] curl: upgrade 8.19.0 -> 8.20.0 | expand

Commit Message

Tim Orling June 1, 2026, 6:59 p.m. UTC

From: Tim Orling <tim.orling@konsulko.com>

* Backport patch to avoid 100% CPU load:
  https://github.com/curl/curl/commit/2a2104f3cff44bb28bb570a093be52bbeeed8f23
* Remove PACKAGECONFIG[rtmpdump]:
  ceae02db04 rtmp: drop support

CVE: CVE-2026-4873
CVE: CVE-2026-5545
CVE: CVE-2026-5773
CVE: CVE-2026-6253
CVE: CVE-2026-6276
CVE: CVE-2026-6429
CVE: CVE-2026-7009
CVE: CVE-2026-7168

For changelog, see [1].
For full comparison of changes, see [2].

[1] https://curl.se/ch/8.20.0.html
[2] https://github.com/curl/curl/compare/curl-8_19_0...curl-8_20_0

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
---
Changes in v2:
Backport patch suggested by Ross Burton in patch review meeting

ptests still pass on qemux86-64 core-image-ptest-curl:
TESTDONE: 1897 tests were considered during 42 seconds.
TESTDONE: 928 tests out of 928 reported OK: 100%
DURATION: 43
END: /usr/lib/curl/ptest
2026-06-01T18:55
STOP: ptest-runner
TOTAL: 1 FAIL: 0

 .../0001-event-fix-wakeup-consumption.patch   | 39 +++++++++++++++++++
 .../curl/{curl_8.19.0.bb => curl_8.20.0.bb}   |  4 +-
 2 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-support/curl/curl/0001-event-fix-wakeup-consumption.patch
 rename meta/recipes-support/curl/{curl_8.19.0.bb => curl_8.20.0.bb} (97%)

Comments

patchtest@automation.yoctoproject.org June 1, 2026, 7:15 p.m. UTC | #1

Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch /home/patchtest/share/mboxes/v2-curl-upgrade-8.19.0---8.20.0.patch

FAIL: test CVE tag format: Missing or incorrectly formatted CVE tag in patch file. Correct or include the CVE tag in the patch with format: "CVE: CVE-YYYY-XXXX" (test_patch.TestPatch.test_cve_tag_format)

PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence (test_patch.TestPatch.test_signed_off_by_presence)
PASS: test Upstream-Status presence (test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)

SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!

diff --git a/meta/recipes-support/curl/curl/0001-event-fix-wakeup-consumption.patch b/meta/recipes-support/curl/curl/0001-event-fix-wakeup-consumption.patch
new file mode 100644
index 0000000000..7f22e19c05
--- /dev/null
+++ b/meta/recipes-support/curl/curl/0001-event-fix-wakeup-consumption.patch
@@ -0,0 +1,39 @@ 
+From 590e31dff8aa4c5ff8be761128e38ac751aed875 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Mon, 11 May 2026 14:56:04 +0200
+Subject: [PATCH] event: fix wakeup consumption
+
+The events on a multi wakeup socketpair were only consumed via
+curl_multi_poll()/curl_multi_wait() but not in event based processing on
+a curl_multi_socket() call. That led to busy loops as reported in
+
+Fixes #21547
+Reported-by: Earnestly on github
+Closes #21549
+
+Upstream-Status: Backport ["2a2104f event: fix wakeup consumption"]
+Suggested-by: Ross Burton <ross.burton@arm.com>
+Signed-off-by: Tim Orling <tim.orling@konsulk.com>
+---
+ lib/multi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/multi.c b/lib/multi.c
+index 7520253d70..a0012d8faf 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -2479,6 +2479,11 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
+   Curl_uint32_bset_remove(&multi->dirty, data->mid);
+ 
+   if(data == multi->admin) {
++#ifdef ENABLE_WAKEUP
++    /* Consume any pending wakeup signals before processing.
++     * This is necessary for event based processing. See #21547 */
++    (void)Curl_wakeup_consume(multi->wakeup_pair, TRUE);
++#endif
+ #ifdef USE_RESOLV_THREADED
+     Curl_async_thrdd_multi_process(multi);
+ #endif
+-- 
+2.47.3
+
diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.20.0.bb
similarity index 97%
rename from meta/recipes-support/curl/curl_8.19.0.bb
rename to meta/recipes-support/curl/curl_8.20.0.bb
index b9251336b8..0408657f40 100644
--- a/meta/recipes-support/curl/curl_8.19.0.bb
+++ b/meta/recipes-support/curl/curl_8.20.0.bb
@@ -14,13 +14,14 @@  SRC_URI = " \
     file://run-ptest \
     file://disable-tests \
     file://no-test-timeout.patch \
+    file://0001-event-fix-wakeup-consumption.patch \
 "
 
 SRC_URI:append:class-nativesdk = " \
     file://environment.d-curl.sh \
 "
 
-SRC_URI[sha256sum] = "4eb41489790d19e190d7ac7e18e82857cdd68af8f4e66b292ced562d333f11df"
+SRC_URI[sha256sum] = "63fe2dc148ba0ceae89922ef838f7e5c946272c2e78b7c59fab4b79d3ce2b896"
 
 # Curl has used many names over the years...
 CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
@@ -63,7 +64,6 @@  PACKAGECONFIG[nghttp2] = "--with-nghttp2,--without-nghttp2,nghttp2"
 PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl"
 PACKAGECONFIG[pop3] = "--enable-pop3,--disable-pop3,"
 PACKAGECONFIG[proxy] = "--enable-proxy,--disable-proxy,"
-PACKAGECONFIG[rtmpdump] = "--with-librtmp,--without-librtmp,rtmpdump"
 PACKAGECONFIG[rtsp] = "--enable-rtsp,--disable-rtsp,"
 PACKAGECONFIG[schannel] = "--with-schannel,--without-schannel,"
 PACKAGECONFIG[smb] = "--enable-smb,--disable-smb,"