* curl security update
@ 2016-08-04 13:11 Leo Famulari
2016-08-04 14:27 ` Mark H Weaver
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Leo Famulari @ 2016-08-04 13:11 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1.1: Type: text/plain, Size: 246 bytes --]
There are some new bugs disclosed in curl:
https://curl.haxx.se/docs/security.html
Grafting the new version seems like the right approach to me when I
consider libcurl's ABI compatibility policy:
https://curl.haxx.se/libcurl/abi.html
Thoughts?
[-- Attachment #1.2: 0001-gnu-curl-Replace-with-7.50.1-fixes-CVE-2016-3739-480.patch --]
[-- Type: text/x-diff, Size: 1376 bytes --]
From ef6ae3732facb1eba77e82c6a6066832784bca5d Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Wed, 3 Aug 2016 16:13:09 -0400
Subject: [PATCH] gnu: curl: Replace with 7.50.1 [fixes
CVE-2016-{3739,4802,5419,5420,5421].
* gnu/packages/curl.scm (curl)[replacement]: New field.
(curl-7.50.1): New variable.
---
gnu/packages/curl.scm | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 222910b..a250bb1 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -40,6 +40,7 @@
(define-public curl
(package
(name "curl")
+ (replacement curl-7.50.1)
(version "7.47.0")
(source (origin
(method url-fetch)
@@ -123,3 +124,16 @@ tunneling, and so on.")
(license (license:non-copyleft "file://COPYING"
"See COPYING in the distribution."))
(home-page "http://curl.haxx.se/")))
+
+(define curl-7.50.1
+ (package
+ (inherit curl)
+ (source
+ (let ((version "7.50.1"))
+ (origin
+ (method url-fetch)
+ (uri (string-append "https://curl.haxx.se/download/curl-"
+ version ".tar.lzma"))
+ (sha256
+ (base32
+ "0qc3qp3h18v24irzw7dgg1jf39v4hnz8irv83v9lbn9rxzrpdcdj")))))))
--
2.9.2
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: curl security update
2016-08-04 13:11 curl security update Leo Famulari
@ 2016-08-04 14:27 ` Mark H Weaver
2016-08-04 14:28 ` Ludovic Courtès
2016-08-04 16:58 ` Leo Famulari
2 siblings, 0 replies; 4+ messages in thread
From: Mark H Weaver @ 2016-08-04 14:27 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Leo Famulari <leo@famulari.name> writes:
> There are some new bugs disclosed in curl:
> https://curl.haxx.se/docs/security.html
>
> Grafting the new version seems like the right approach to me when I
> consider libcurl's ABI compatibility policy:
> https://curl.haxx.se/libcurl/abi.html
>
> Thoughts?
Looks good to me! Please push.
Thanks,
Mark
> From ef6ae3732facb1eba77e82c6a6066832784bca5d Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Wed, 3 Aug 2016 16:13:09 -0400
> Subject: [PATCH] gnu: curl: Replace with 7.50.1 [fixes
> CVE-2016-{3739,4802,5419,5420,5421].
>
> * gnu/packages/curl.scm (curl)[replacement]: New field.
> (curl-7.50.1): New variable.
> ---
> gnu/packages/curl.scm | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
> index 222910b..a250bb1 100644
> --- a/gnu/packages/curl.scm
> +++ b/gnu/packages/curl.scm
> @@ -40,6 +40,7 @@
> (define-public curl
> (package
> (name "curl")
> + (replacement curl-7.50.1)
> (version "7.47.0")
> (source (origin
> (method url-fetch)
> @@ -123,3 +124,16 @@ tunneling, and so on.")
> (license (license:non-copyleft "file://COPYING"
> "See COPYING in the distribution."))
> (home-page "http://curl.haxx.se/")))
> +
> +(define curl-7.50.1
> + (package
> + (inherit curl)
> + (source
> + (let ((version "7.50.1"))
> + (origin
> + (method url-fetch)
> + (uri (string-append "https://curl.haxx.se/download/curl-"
> + version ".tar.lzma"))
> + (sha256
> + (base32
> + "0qc3qp3h18v24irzw7dgg1jf39v4hnz8irv83v9lbn9rxzrpdcdj")))))))
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: curl security update
2016-08-04 13:11 curl security update Leo Famulari
2016-08-04 14:27 ` Mark H Weaver
@ 2016-08-04 14:28 ` Ludovic Courtès
2016-08-04 16:58 ` Leo Famulari
2 siblings, 0 replies; 4+ messages in thread
From: Ludovic Courtès @ 2016-08-04 14:28 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Leo Famulari <leo@famulari.name> skribis:
> There are some new bugs disclosed in curl:
> https://curl.haxx.se/docs/security.html
>
> Grafting the new version seems like the right approach to me when I
> consider libcurl's ABI compatibility policy:
> https://curl.haxx.se/libcurl/abi.html
Sounds good.
> From ef6ae3732facb1eba77e82c6a6066832784bca5d Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Wed, 3 Aug 2016 16:13:09 -0400
> Subject: [PATCH] gnu: curl: Replace with 7.50.1 [fixes
> CVE-2016-{3739,4802,5419,5420,5421].
Strangely ‘guix lint -c cve’ only reports CVE-2016-3739, annoying.
> * gnu/packages/curl.scm (curl)[replacement]: New field.
> (curl-7.50.1): New variable.
LGTM!
Thank you!
Ludo’.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: curl security update
2016-08-04 13:11 curl security update Leo Famulari
2016-08-04 14:27 ` Mark H Weaver
2016-08-04 14:28 ` Ludovic Courtès
@ 2016-08-04 16:58 ` Leo Famulari
2 siblings, 0 replies; 4+ messages in thread
From: Leo Famulari @ 2016-08-04 16:58 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1: Type: text/plain, Size: 172 bytes --]
On Thu, Aug 04, 2016 at 09:11:39AM -0400, Leo Famulari wrote:
> * gnu/packages/curl.scm (curl)[replacement]: New field.
> (curl-7.50.1): New variable.
Pushed as e686e633a
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-08-04 16:58 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-08-04 13:11 curl security update Leo Famulari
2016-08-04 14:27 ` Mark H Weaver
2016-08-04 14:28 ` Ludovic Courtès
2016-08-04 16:58 ` Leo Famulari
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).