* [PATCH 0/1] curl: Fix CVE-2016-3739.
@ 2016-06-12 3:38 Leo Famulari
2016-06-12 3:38 ` [PATCH 1/1] gnu: curl: Replace with 7.49.1 [fixes CVE-2016-3739] Leo Famulari
2016-06-12 20:51 ` [PATCH 0/1] curl: Fix CVE-2016-3739 Ludovic Courtès
0 siblings, 2 replies; 10+ messages in thread
From: Leo Famulari @ 2016-06-12 3:38 UTC (permalink / raw)
To: guix-devel
If your SSL / TLS provider is mbedTLS (formerly PolarSSL), there is a
bug in curl [CVE-2016-3739] that allows an attacker to bypass the full
certificate check by presenting any valid certificate.
So, you might think you are connecting to https://example.com, when in fact
the attacker has a certificate for any other domain.
We don't package mbedTLS, but I still think we should provide the fixed
source code.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3739
https://curl.haxx.se/docs/adv_20160518.html
Leo Famulari (1):
gnu: curl: Replace with 7.49.1 [fixes CVE-2016-3739].
gnu/packages/curl.scm | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--
2.8.4
^ permalink raw reply [flat|nested] 10+ messages in thread
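As an added example for the check Leo's message implies (this is not code from this thread, from Guix, or from curl): the flaw only bites when libcurl was built against mbedTLS/PolarSSL and is older than 7.49.1, so the first thing to establish on a host is which TLS backend its curl was linked with. The script below parses the first line of `curl -V`, which names the libcurl version and the TLS library, and reports whether that build falls in the affected set. The sample outputs embedded in it are constructed, the backend name list is an assumption about how `curl -V` spells them, and no lower version bound is applied (consult the curl advisory for the exact affected range).

```python
"""Offline check: is a given curl build exposed to CVE-2016-3739?

Added example; it is not part of the guix-devel thread, of Guix or of
curl.  What it assumes, taken from the thread and the curl advisory:
the flaw is specific to curl built against mbedTLS (formerly PolarSSL)
and is fixed in 7.49.1.  The first line of `curl -V` names the libcurl
version and the TLS backend, e.g.

    curl 7.47.0 (x86_64-unknown-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.7 zlib/1.2.8

so the check only needs that line; it never talks to the network.
"""
import re
import subprocess
from typing import NamedTuple, Optional, Tuple

FIXED_VERSION = (7, 49, 1)

# Backend names as they appear in `curl -V` (assumed spellings).  Only the
# first two are affected by CVE-2016-3739; the others are listed so that a
# non-TLS token such as zlib/1.2.8 is never mistaken for a TLS library.
AFFECTED_BACKENDS = ("mbedTLS", "PolarSSL")
KNOWN_BACKENDS = AFFECTED_BACKENDS + (
    "OpenSSL", "LibreSSL", "BoringSSL", "GnuTLS", "NSS",
    "WolfSSL", "CyaSSL", "SecureTransport", "Schannel", "axTLS",
)


class CurlBuild(NamedTuple):
    version: Tuple[int, int, int]   # libcurl version
    backend: Optional[str]          # TLS backend, None if built without TLS


def parse_curl_version(output: str) -> CurlBuild:
    """Parse the first line of `curl -V` output into a CurlBuild."""
    first = output.strip().splitlines()[0]
    m = re.search(r"\blibcurl/(\d+)\.(\d+)\.(\d+)\b", first)
    if m is None:
        raise ValueError("no libcurl/x.y.z token in %r" % first)
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    backend = None
    # Tokens after libcurl/x.y.z are "Library/version" pairs; the first one
    # naming a known TLS library is the backend this build was linked with.
    for token in first[m.end():].split():
        name = token.split("/", 1)[0]
        if name in KNOWN_BACKENDS:
            backend = name
            break
    return CurlBuild(version, backend)


def is_affected(build: CurlBuild) -> bool:
    """True when the build is an mbedTLS/PolarSSL curl older than 7.49.1.

    No lower bound is applied (assumption), so very old PolarSSL builds
    are reported as affected too; that errs on the side of flagging.
    """
    return build.backend in AFFECTED_BACKENDS and build.version < FIXED_VERSION


def check_local_curl(curl: str = "curl") -> CurlBuild:
    """Run the real `curl -V` on this machine and parse it."""
    proc = subprocess.run([curl, "-V"], capture_output=True, text=True, check=True)
    return parse_curl_version(proc.stdout)


# Constructed sample outputs: a GnuTLS-backed 7.47.0 build like the Guix
# package discussed in the thread, and two hypothetical mbedTLS builds on
# either side of the fix.
SAMPLE_GNUTLS = (
    "curl 7.47.0 (x86_64-unknown-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.7 "
    "zlib/1.2.8 libidn/1.32 libssh2/1.7.0\n"
    "Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s "
    "rtsp scp sftp smtp smtps telnet tftp\n"
    "Features: AsynchDNS IDN IPv6 Largefile NTLM SSL libz TLS-SRP UnixSockets\n"
)
SAMPLE_MBEDTLS_OLD = "curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 mbedTLS/2.2.1 zlib/1.2.8\n"
SAMPLE_MBEDTLS_FIXED = "curl 7.49.1 (x86_64-pc-linux-gnu) libcurl/7.49.1 mbedTLS/2.2.1 zlib/1.2.8\n"


if __name__ == "__main__":
    for sample in (SAMPLE_GNUTLS, SAMPLE_MBEDTLS_OLD, SAMPLE_MBEDTLS_FIXED):
        b = parse_curl_version(sample)
        verdict = "AFFECTED" if is_affected(b) else "not affected"
        print(f"{b.backend!s:8} libcurl {'.'.join(map(str, b.version))} -> {verdict}")
```

Run it as-is to see the three constructed cases; call `check_local_curl()` to test the curl on your own PATH. On the Guix package in this thread it reports GnuTLS, which is why the graft changes nothing for this build.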
* [PATCH 1/1] gnu: curl: Replace with 7.49.1 [fixes CVE-2016-3739].
2016-06-12 3:38 [PATCH 0/1] curl: Fix CVE-2016-3739 Leo Famulari
@ 2016-06-12 3:38 ` Leo Famulari
2016-06-12 20:51 ` [PATCH 0/1] curl: Fix CVE-2016-3739 Ludovic Courtès
1 sibling, 0 replies; 10+ messages in thread
From: Leo Famulari @ 2016-06-12 3:38 UTC (permalink / raw)
To: guix-devel
* gnu/packages/curl.scm (curl)[replacement]: New field.
(curl/fixed): New variable.
---
gnu/packages/curl.scm | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 222910b..925602e 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -40,6 +40,7 @@
(define-public curl
(package
(name "curl")
+ (replacement curl/fixed)
(version "7.47.0")
(source (origin
(method url-fetch)
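Review bot: `(replacement curl/fixed)` forward-references a variable defined only further down the file; that is fine because `replacement` is a thunked package field, but the more important point is what the graft does: it swaps libcurl underneath every dependent without rebuilding them, so jumping from 7.47.0 to 7.49.1 (two feature releases) relies on libcurl keeping its ABI (the `libcurl.so.4` soname, no removed symbols). That holds for these releases, but the commit message should say so, and should also note that the fix only changes behaviour for mbedTLS/PolarSSL builds, which this GnuTLS-linked package is not.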
@@ -123,3 +124,17 @@ tunneling, and so on.")
(license (license:non-copyleft "file://COPYING"
"See COPYING in the distribution."))
(home-page "http://curl.haxx.se/")))
+
+(define curl/fixed
+ (package
+ (inherit curl)
+ (source
+ (let ((name "curl")
+ (version "7.49.1"))
+ (origin
+ (method url-fetch)
+ (uri (string-append "https://curl.haxx.se/download/curl-"
+ version ".tar.lzma"))
+ (sha256
+ (base32
+ "033w3wyawali0rc5s15ywxpjnf476671m595r49sr4vj07idf3al")))))))
--
2.8.4
* Re: [PATCH 0/1] curl: Fix CVE-2016-3739.
2016-06-12 3:38 [PATCH 0/1] curl: Fix CVE-2016-3739 Leo Famulari
2016-06-12 3:38 ` [PATCH 1/1] gnu: curl: Replace with 7.49.1 [fixes CVE-2016-3739] Leo Famulari
@ 2016-06-12 20:51 ` Ludovic Courtès
2016-06-12 21:02 ` ng0
1 sibling, 1 reply; 10+ messages in thread
From: Ludovic Courtès @ 2016-06-12 20:51 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Leo Famulari <leo@famulari.name> skribis:
> If your SSL / TLS provider is mbedTLS (formerly PolarSSL), there is a
> bug in curl [CVE-2016-3739] that allows an attacker to bypass the full
> certificate check by presenting any valid certificate.
>
> So, you might think you are connecting to https://example.com, when in fact
> the attacker has a certificate for any other domain.
>
> We don't package mbedTLS, but I still think we should provide the fixed
> source code.
OTOH this will incur additional grafting for no reason, WDYT?
Thanks,
Ludo’.
* Re: [PATCH 0/1] curl: Fix CVE-2016-3739.
2016-06-12 20:51 ` [PATCH 0/1] curl: Fix CVE-2016-3739 Ludovic Courtès
@ 2016-06-12 21:02 ` ng0
2016-06-13 1:12 ` Leo Famulari
0 siblings, 1 reply; 10+ messages in thread
From: ng0 @ 2016-06-12 21:02 UTC (permalink / raw)
To: guix-devel
On 2016-06-12(10:51:14+0200), Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
>
> > If your SSL / TLS provider is mbedTLS (formerly PolarSSL), there is a
> > bug in curl [CVE-2016-3739] that allows an attacker to bypass the full
> > certificate check by presenting any valid certificate.
> >
> > So, you might think you are connecting to https://example.com, when in fact
> > the attacker has a certificate for any other domain.
> >
> > We don't package mbedTLS, but I still think we should provide the fixed
> > source code.
>
> OTOH this will incur additional grafting for no reason, WDYT?
>
> Thanks,
> Ludo’.
>
fyi,
mbedtls is on my list of packages to do, as the webserver hiawatha
depends on it.
Should I announce once it is packaged and the cve fix can be applied
afterwards?
--
♥Ⓐ ng0
For non-prism friendly talk find me on
psyced.org / loupsycedyglgamf.onion
* Re: [PATCH 0/1] curl: Fix CVE-2016-3739.
2016-06-12 21:02 ` ng0
@ 2016-06-13 1:12 ` Leo Famulari
2016-06-13 15:07 ` Ludovic Courtès
0 siblings, 1 reply; 10+ messages in thread
From: Leo Famulari @ 2016-06-13 1:12 UTC (permalink / raw)
To: guix-devel
On Sun, Jun 12, 2016 at 09:02:32PM +0000, ng0 wrote:
> On 2016-06-12(10:51:14+0200), Ludovic Courtès wrote:
> > Leo Famulari <leo@famulari.name> skribis:
> >
> > > If your SSL / TLS provider is mbedTLS (formerly PolarSSL), there is a
> > > bug in curl [CVE-2016-3739] that allows an attacker to bypass the full
> > > certificate check by presenting any valid certificate.
> > >
> > > So, you might think you are connecting to https://example.com, when in fact
> > > the attacker has a certificate for any other domain.
> > >
> > > We don't package mbedTLS, but I still think we should provide the fixed
> > > source code.
> >
> > OTOH this will incur additional grafting for no reason, WDYT?
No reason for things built within our distribution, true.
> fyi,
>
> mbedtls is on my list of packages to do, as the webserver hiawatha
> depends on it.
>
> Should I announce once it is packaged and the cve fix can be applied
> afterwards?
We should definitely update curl on core-updates-next, or whatever is
built after the current cycle, and we should not add hiawatha until the
fixed curl is in our tree.
* Re: [PATCH 0/1] curl: Fix CVE-2016-3739.
2016-06-13 1:12 ` Leo Famulari
@ 2016-06-13 15:07 ` Ludovic Courtès
2016-06-13 15:42 ` ng0
2016-06-13 16:05 ` Leo Famulari
0 siblings, 2 replies; 10+ messages in thread
From: Ludovic Courtès @ 2016-06-13 15:07 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Leo Famulari <leo@famulari.name> skribis:
> On Sun, Jun 12, 2016 at 09:02:32PM +0000, ng0 wrote:
>> On 2016-06-12(10:51:14+0200), Ludovic Courtès wrote:
>> > Leo Famulari <leo@famulari.name> skribis:
>> >
>> > > If your SSL / TLS provider is mbedTLS (formerly PolarSSL), there is a
>> > > bug in curl [CVE-2016-3739] that allows an attacker to bypass the full
>> > > certificate check by presenting any valid certificate.
>> > >
>> > > So, you might think you are connecting to https://example.com, when in fact
>> > > the attacker has a certificate for any other domain.
>> > >
>> > > We don't package mbedTLS, but I still think we should provide the fixed
>> > > source code.
>> >
>> > OTOH this will incur additional grafting for no reason, WDYT?
>
> No reason for things built within our distribution, true.
Right.
>> fyi,
>>
>> mbedtls is on my list of packages to do, as the webserver hiawatha
>> depends on it.
>>
>> Should I announce once it is packaged and the cve fix can be applied
>> afterwards?
>
> We should definitely update curl on core-updates-next, or whatever is
> built after the current cycle, and we should not add hiawatha until the
> fixed curl is in our tree.
Agreed on both points. Can you already push the curl update in
core-updates-next?
Though I would like the default curl package to still use GnuTLS. So I
think curl-with-mbedtls will be a different package anyway.
Thanks,
Ludo’.
* Re: [PATCH 0/1] curl: Fix CVE-2016-3739.
2016-06-13 15:07 ` Ludovic Courtès
@ 2016-06-13 15:42 ` ng0
2016-06-13 16:14 ` Leo Famulari
2016-06-13 16:05 ` Leo Famulari
1 sibling, 1 reply; 10+ messages in thread
From: ng0 @ 2016-06-13 15:42 UTC (permalink / raw)
To: guix-devel
On 2016-06-13(05:07:23+0200), Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
>
> > On Sun, Jun 12, 2016 at 09:02:32PM +0000, ng0 wrote:
> >> On 2016-06-12(10:51:14+0200), Ludovic Courtès wrote:
> >> > Leo Famulari <leo@famulari.name> skribis:
> >> >
> >> > > If your SSL / TLS provider is mbedTLS (formerly PolarSSL), there is a
> >> > > bug in curl [CVE-2016-3739] that allows an attacker to bypass the full
> >> > > certificate check by presenting any valid certificate.
> >> > >
> >> > > So, you might think you are connecting to https://example.com, when in fact
> >> > > the attacker has a certificate for any other domain.
> >> > >
> >> > > We don't package mbedTLS, but I still think we should provide the fixed
> >> > > source code.
> >> >
> >> > OTOH this will incur additional grafting for no reason, WDYT?
> >
> > No reason for things built within our distribution, true.
>
> Right.
>
> >> fyi,
> >>
> >> mbedtls is on my list of packages to do, as the webserver hiawatha
> >> depends on it.
> >>
> >> Should I announce once it is packaged and the cve fix can be applied
> >> afterwards?
> >
> > We should definitely update curl on core-updates-next, or whatever is
> > built after the current cycle, and we should not add hiawatha until the
> > fixed curl is in our tree.
>
> Agreed on both points. Can you already push the curl update in
> core-updates-next?
>
> Though I would like the default curl package to still use GnuTLS. So I
> think curl-with-mbedtls will be a different package anyway.
>
> Thanks,
> Ludo’.
>
From the way it was done in Gentoo, I assume this is not needed?
mbedtls is a separate package, and I have libressl as the curlssl provider,
which is a curl built against libressl.
If I am wrong, correct me.
My initial comment was a bit out of place, but I just assume it will
justwork™ on guix, otherwise a curl-with-mbedtls would have to be
created.
Sorry for the confusion.
--
♥Ⓐ ng0
For non-prism friendly talk find me on
psyced.org / loupsycedyglgamf.onion
* Re: [PATCH 0/1] curl: Fix CVE-2016-3739.
2016-06-13 15:07 ` Ludovic Courtès
2016-06-13 15:42 ` ng0
@ 2016-06-13 16:05 ` Leo Famulari
1 sibling, 0 replies; 10+ messages in thread
From: Leo Famulari @ 2016-06-13 16:05 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
On Mon, Jun 13, 2016 at 05:07:23PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> > We should definitely update curl on core-updates-next, or whatever is
> > built after the current cycle, and we should not add hiawatha until the
> > fixed curl is in our tree.
>
> Agreed on both points. Can you already push the curl update in
> core-updates-next?
Done as 32a8eb01e
> Though I would like the default curl package to still use GnuTLS. So I
> think curl-with-mbedtls will be a different package anyway.
I hadn't noticed that our curl package uses GnuTLS instead of OpenSSL :)
* Re: [PATCH 0/1] curl: Fix CVE-2016-3739.
2016-06-13 15:42 ` ng0
@ 2016-06-13 16:14 ` Leo Famulari
2016-06-13 18:56 ` ng0
0 siblings, 1 reply; 10+ messages in thread
From: Leo Famulari @ 2016-06-13 16:14 UTC (permalink / raw)
To: guix-devel
On Mon, Jun 13, 2016 at 03:42:47PM +0000, ng0 wrote:
> From the way it was done in Gentoo, I assume this is not needed?
> mbedtls is a separate package, and I have libressl as the curlssl provider,
> which is a curl built against libressl.
>
> If I am wrong, correct me.
> My initial comment was a bit out of place, but I just assume it will
> justwork™ on guix, otherwise a curl-with-mbedtls would have to be
> created.
>
> Sorry for the confusion.
I think the confusion was mine. Unless Hiawatha requires a curl linked
against mbedTLS, I don't think there will be any problem with
CVE-2016-3739 and Hiawatha.
* Re: [PATCH 0/1] curl: Fix CVE-2016-3739.
2016-06-13 16:14 ` Leo Famulari
@ 2016-06-13 18:56 ` ng0
0 siblings, 0 replies; 10+ messages in thread
From: ng0 @ 2016-06-13 18:56 UTC (permalink / raw)
To: guix-devel
On 2016-06-13(12:14:14-0400), Leo Famulari wrote:
> On Mon, Jun 13, 2016 at 03:42:47PM +0000, ng0 wrote:
> > From the way it was done in Gentoo, I assume this is not needed?
> > mbedtls is a separate package, and I have libressl as the curlssl provider,
> > which is a curl built against libressl.
> >
> > If I am wrong, correct me.
> > My initial comment was a bit out of place, but I just assume it will
> > justwork™ on guix, otherwise a curl-with-mbedtls would have to be
> > created.
> >
> > Sorry for the confusion.
>
> I think the confusion was mine. Unless Hiawatha requires a curl linked
> against mbedTLS, I don't think there will be any problem with
> CVE-2016-3739 and Hiawatha.
>
I think it will work out alright. The test and applied systems I had were a
hardened gcc system with libressl globally, amd64, and a hardened musl system
with openssl, amd64; in the case of the musl system it is curl built against
openssl, on the gcc system curl built against libressl.
ng0@khazad-dum:~$ equery g hiawatha
 * Searching for hiawatha ...
-- snip --
 * dependency graph for www-servers/hiawatha-10.3-r99
 `-- www-servers/hiawatha-10.3-r99 [~amd64 keyword]
   `-- sys-libs/zlib-1.2.8-r1 (sys-libs/zlib) amd64
   `-- net-libs/mbedtls-2.2.1 (>=net-libs/mbedtls-2.0) amd64 [threads]
   `-- dev-libs/libxslt-1.1.29 (dev-libs/libxslt) amd64
   `-- dev-libs/libxml2-2.9.4 (dev-libs/libxml2) amd64
   `-- sys-devel/make-4.1-r1 (sys-devel/make) amd64
   `-- dev-util/cmake-3.3.1-r1 (>=dev-util/cmake-2.8.2) amd64
   `-- virtual/pkgconfig-0-r1 (virtual/pkgconfig) amd64
   `-- www-apps/hiawatha-monitor-1.3 (www-apps/hiawatha-monitor) [~amd64 keyword]
[ www-servers/hiawatha-10.3-r99 stats: packages (9), max depth (1) ]
--
♥Ⓐ ng0
For non-prism friendly talk find me on
psyced.org / loupsycedyglgamf.onion
Thread overview:
2016-06-12 3:38 [PATCH 0/1] curl: Fix CVE-2016-3739 Leo Famulari
2016-06-12 3:38 ` [PATCH 1/1] gnu: curl: Replace with 7.49.1 [fixes CVE-2016-3739] Leo Famulari
2016-06-12 20:51 ` [PATCH 0/1] curl: Fix CVE-2016-3739 Ludovic Courtès
2016-06-12 21:02 ` ng0
2016-06-13 1:12 ` Leo Famulari
2016-06-13 15:07 ` Ludovic Courtès
2016-06-13 15:42 ` ng0
2016-06-13 16:14 ` Leo Famulari
2016-06-13 18:56 ` ng0
2016-06-13 16:05 ` Leo Famulari