CVE-2018-14618:NTLM buffer overflow via integer overflow

This meets the CVE policy for providing a fix to stx.2.0 as well as master.

we are investigating on it,
if make any progress,
we will update on launchpad.

As we investigate,
currently libcurl version of starlingx is libcurl-7.29.0-51.el7.x86_64.rpm.
since curl before version 7.61.1 is vulnerable to a buffer overrun. (we are in the scope of vulnerable)
so we should update version to 7.61.1 or more.

but when we search from upstream where url: https://rpmfind.net/linux/rpm2html/search.php?query=libcurl&submit=Search+...&system=centos&arch=x86_64
we find curl version for centos, libcurl-7.29.0-51.el7.x86_64.rpm is already the latest version.
so we don't own upstream rpm package for starlingx to upgrade.

shall we build latest libcurl rpm with source tarball by ourself,
or we not update curl version until upstream curl upgrade latest version.
or every guys have any suggestions, please let me know.

<email address hidden>

Per link https://access.redhat.com/errata/RHSA-2019:1880
This issue is fixed in libcurl-7.29.0-51.el7_6.3.x86_64.rpm for RHEL/CentOS.

we have modified code and compiled to bootimage.iso

and currently we are proceeding to deploy test.

can you please upload the patch so that we can review it before you do more testing?

I have upload the patch for this issue.

https://review.opendev.org/#/c/678980

please help review. thanks!

we have test deploy and test basic function.
use curl command to test http access.
launch cirros instance and run.
all test case have been passed.

patch https://review.opendev.org/#/c/678980 has been merged to master. Please cherry pick to stx.2.0 after the branch is open. Mark it as "fix released" for now.

Change is merged in r/stx.2.0:
https://review.opendev.org/#/c/682202/