[PATCH 0/1] Curl security update (CVE-2016-0755)

[PATCH 0/1] Curl security update (CVE-2016-0755)

[Leo Famulari]

This patch updates curl to 7.47.0, fixing CVE-2016-0755 [0][1].

I built it on the core-updates branch (although it's trivial enough to
apply on another branch), and I tested it to download successfully.

Feel free to apply the patch where appropriate.

[0]
http://curl.haxx.se/docs/adv_20160127A.html

[1]
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0755

Leo Famulari (1):
  gnu: curl: Update to 7.47.0 [fixes CVE-2016-0755].

 gnu/packages/curl.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

-- 
2.6.3

[PATCH 1/1] gnu: curl: Update to 7.47.0 [fixes CVE-2016-0755].

[Leo Famulari]

* gnu/packages/curl.scm (curl): Update to 7.47.0.
---
 gnu/packages/curl.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 16140f0..3d0e49c 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Tomáš Čech <sleep_walker@suse.cz>
 ;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -39,14 +40,14 @@
 (define-public curl
   (package
    (name "curl")
-   (version "7.45.0")
+   (version "7.47.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "http://curl.haxx.se/download/curl-"
                                 version ".tar.lzma"))
             (sha256
              (base32
-              "0bamqik0mi2rmai016iakwrwmsz0s5xad1ghkbwsd3zkv08rgkcn"))))
+              "1n284wdqzwb4bkmv0fnh36zl6lhlzy3clw2b7pn28kpgdy09ly7p"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
-- 
2.6.3

Re: [PATCH 0/1] Curl security update (CVE-2016-0755)

[Andreas Enge]

On Wed, Jan 27, 2016 at 01:57:22PM -0500, Leo Famulari wrote:
> This patch updates curl to 7.47.0, fixing CVE-2016-0755 [0][1].

Ouch!

guix refresh -l curl
Building the following 318 packages would ensure 772 dependent packages are rebuilt

This is about a quarter of all packages.

> Feel free to apply the patch where appropriate.

I would suggest the following: Quickly merge core-updates once the packages
on x86_64 are built (there are not many left, and qt-5 did build successfully
sequentially, so this could be done tomorrow), then create a new
security-updates branch with the patch for curl.

What do you think?

Andreas

Re: [PATCH 0/1] Curl security update (CVE-2016-0755)

[Leo Famulari]

On Wed, Jan 27, 2016 at 09:03:45PM +0100, Andreas Enge wrote:
> On Wed, Jan 27, 2016 at 01:57:22PM -0500, Leo Famulari wrote:
> > This patch updates curl to 7.47.0, fixing CVE-2016-0755 [0][1].
> 
> Ouch!
> 
> guix refresh -l curl
> Building the following 318 packages would ensure 772 dependent packages are rebuilt
> 
> This is about a quarter of all packages.
> 
> > Feel free to apply the patch where appropriate.
> 
> I would suggest the following: Quickly merge core-updates once the packages
> on x86_64 are built (there are not many left, and qt-5 did build successfully
> sequentially, so this could be done tomorrow), then create a new
> security-updates branch with the patch for curl.
> 
> What do you think?

Civodul and mark_weaver discussed how best to apply it on #guix. I think
the plan is to build it in a branch with tomorrow's OpenSSL security
update.

> 
> Andreas
> 

Re: [PATCH 1/1] gnu: curl: Update to 7.47.0 [fixes CVE-2016-0755].

[Mark H Weaver]

Leo Famulari <leo@famulari.name> writes:
> * gnu/packages/curl.scm (curl): Update to 7.47.0.

I pushed this to the new 'security-updates' branch, along with an update
to OpenSSL 1.0.2f, and asked hydra to build it out.

     Thanks!
       Mark

Re: [PATCH 0/1] Curl security update (CVE-2016-0755)

[Andreas Enge]

On Wed, Jan 27, 2016 at 05:30:58PM -0500, Leo Famulari wrote:
> Civodul and mark_weaver discussed how best to apply it on #guix. I think
> the plan is to build it in a branch with tomorrow's OpenSSL security
> update.

Very well.

Some garbage managed to crawl into the commit message:
    gnu: curl: Update to 7.47.0 [fixes CVE-2016-0755].
    
    To: guix-devel@gnu.org
    Date: Wed, 27 Jan 2016 13:57:23 -0500 (19 hours, 58 minutes, 42 seconds ago)
    
    * gnu/packages/curl.scm (curl): Update to 7.47.0.

So once the branch is built, I would suggest to not merge it back into
master, but instead to cherry-pick the two commits and to fix the commit
message for curl.

Thanks for all this important work!

Andreas