On 2016-06-13(05:07:23+0200), Ludovic Courtès wrote: > Leo Famulari skribis: > > > On Sun, Jun 12, 2016 at 09:02:32PM +0000, ng0 wrote: > >> On 2016-06-12(10:51:14+0200), Ludovic Courtès wrote: > >> > Leo Famulari skribis: > >> > > >> > > If your SSL / TLS provider is mbedTLS (formerly PolarSSL), there is a > >> > > bug in curl [CVE-2016-3739] that allows an attacker to bypass the full > >> > > certificate check by presenting any valid certificate. > >> > > > >> > > So, you might think are connecting to https://example.com, when in fact > >> > > the attacker has a certificate for any other domain. > >> > > > >> > > We don't package mbedTLS, but I still think we should provide the fixed > >> > > source code. > >> > > >> > OTOH this will incur additional grafting for no reason, WDYT? > > > > No reason for things built within our distribution, true. > > Right. > > >> fyi, > >> > >> mbedtls is on my list of packages to do, as the webserver hiawatha > >> depends on it. > >> > >> Should I announce once it is packaged and the cve fix can be applied > >> afterwards? > > > > We should definitely update curl on core-updates-next, or whatever is > > built after the current cycle, and we should not add hiawatha until the > > fixed curl is in our tree. > > Agreed on both points. Can you already push the curl update in > core-updates-next? > > Though I would like the default curl package to still used GnuTLS. So I > think curl-with-mbedtls will be a different package anyway. > > Thanks, > Ludo’. > From the way it was done in Gentoo, I assume this is not needed? mbedtls is a separate package, and I have libressl as the curlssl provider, which is a curl built against libressl. If I am wrong, correct me. My initial comment was a bit out of place, but I just assume it will justwork™ on guix, otherwise a curl-with-mbedtls would have to be created. Sorry for the confusion. -- ♥Ⓐ ng0 For non-prism friendly talk find me on psyced.org / loupsycedyglgamf.onion