unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* [PATCH 0/1] curl: Fix CVE-2016-3739.
@ 2016-06-12  3:38 Leo Famulari
  2016-06-12  3:38 ` [PATCH 1/1] gnu: curl: Replace with 7.49.1 [fixes CVE-2016-3739] Leo Famulari
  2016-06-12 20:51 ` [PATCH 0/1] curl: Fix CVE-2016-3739 Ludovic Courtès
  0 siblings, 2 replies; 10+ messages in thread
From: Leo Famulari @ 2016-06-12  3:38 UTC (permalink / raw)
  To: guix-devel

If your SSL / TLS provider is mbedTLS (formerly PolarSSL), there is a
bug in curl [CVE-2016-3739] that allows an attacker to bypass the full
certificate check by presenting any valid certificate.

So, you might think are connecting to https://example.com, when in fact
the attacker has a certificate for any other domain.

We don't package mbedTLS, but I still think we should provide the fixed
source code.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3739
https://curl.haxx.se/docs/adv_20160518.html

Leo Famulari (1):
  gnu: curl: Replace with 7.49.1 [fixes CVE-2016-3739].

 gnu/packages/curl.scm | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

-- 
2.8.4

^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2016-06-13 18:56 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-06-12  3:38 [PATCH 0/1] curl: Fix CVE-2016-3739 Leo Famulari
2016-06-12  3:38 ` [PATCH 1/1] gnu: curl: Replace with 7.49.1 [fixes CVE-2016-3739] Leo Famulari
2016-06-12 20:51 ` [PATCH 0/1] curl: Fix CVE-2016-3739 Ludovic Courtès
2016-06-12 21:02   ` ng0
2016-06-13  1:12     ` Leo Famulari
2016-06-13 15:07       ` Ludovic Courtès
2016-06-13 15:42         ` ng0
2016-06-13 16:14           ` Leo Famulari
2016-06-13 18:56             ` ng0
2016-06-13 16:05         ` Leo Famulari

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).