From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: Re: [PATCH 0/1] curl: Fix CVE-2016-3739.
Date: Sun, 12 Jun 2016 21:12:31 -0400
Message-ID: <20160613011231.GA13522@jasmine>
References: <cover.1465702340.git.leo@famulari.name> <87inxei119.fsf@gnu.org>
	<20160612210232.GA5479@khazad-dum>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:50439)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1bCGQs-0001eu-AU
	for guix-devel@gnu.org; Sun, 12 Jun 2016 21:12:51 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1bCGQn-0007o8-8a
	for guix-devel@gnu.org; Sun, 12 Jun 2016 21:12:49 -0400
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:60762)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1bCGQk-0007n1-Pr
	for guix-devel@gnu.org; Sun, 12 Jun 2016 21:12:45 -0400
Received: from localhost (c-73-188-17-148.hsd1.pa.comcast.net [73.188.17.148])
	by mail.messagingengine.com (Postfix) with ESMTPA id 38F38CCDAB
	for <guix-devel@gnu.org>; Sun, 12 Jun 2016 21:12:33 -0400 (EDT)
Content-Disposition: inline
In-Reply-To: <20160612210232.GA5479@khazad-dum>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org

On Sun, Jun 12, 2016 at 09:02:32PM +0000, ng0 wrote:
> On 2016-06-12(10:51:14+0200), Ludovic Courtès wrote:
> > Leo Famulari <leo@famulari.name> skribis:
> >
> > > If your SSL / TLS provider is mbedTLS (formerly PolarSSL), there is a
> > > bug in curl [CVE-2016-3739] that allows an attacker to bypass the full
> > > certificate check by presenting any valid certificate.
> > >
> > > So, you might think are connecting to https://example.com, when in fact
> > > the attacker has a certificate for any other domain.
> > >
> > > We don't package mbedTLS, but I still think we should provide the fixed
> > > source code.
> >
> > OTOH this will incur additional grafting for no reason, WDYT?

No reason for things built within our distribution, true.

> fyi,
> 
> mbedtls is on my list of packages to do, as the webserver hiawatha
> depends on it.
> 
> Should I announce once it is packaged and the cve fix can be applied
> afterwards?

We should definitely update curl on core-updates-next, or whatever is
built after the current cycle, and we should not add hiawatha until the
fixed curl is in our tree.