[PATCH 0/1] Update curl replacement to 7.50.2

unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed

* [PATCH 0/1] Update curl replacement to 7.50.2
@ 2016-09-07 22:04 Leo Famulari
  2016-09-07 22:04 ` [PATCH 1/1] gnu: curl: Update replacement to 7.50.2 [fixes CVE-2016-7141] Leo Famulari
  0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-09-07 22:04 UTC (permalink / raw)
  To: guix-devel

The curl project disclosed a bug, CVE-2016-7141 [0]:

---
libcurl built on top of NSS (Network Security Services) incorrectly re-used
client certificates if a certificate from file was used for one TLS connection
but no certificate set for a subsequent TLS connection.

While the symptoms are similar to CVE-2016-5420 (Re-using connection with wrong
client cert), this vulnerability was caused by an implementation detail of the
NSS backend in libcurl, which is orthogonal to the cause of CVE-2016-5420.
---

As far as I can tell, our curl package does not use NSS, but people who
use Guix as a source of free software source code (`guix build
--source`) may be vulnerable.

[0]
http://seclists.org/oss-sec/2016/q3/433
https://curl.haxx.se/docs/vuln-7.50.1.html

Leo Famulari (1):
  gnu: curl: Update replacement to 7.50.2 [fixes CVE-2016-7141].

 gnu/packages/curl.scm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

-- 
2.10.0

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH 1/1] gnu: curl: Update replacement to 7.50.2 [fixes CVE-2016-7141].
  2016-09-07 22:04 [PATCH 0/1] Update curl replacement to 7.50.2 Leo Famulari
@ 2016-09-07 22:04 ` Leo Famulari
  2016-09-08  5:40   ` Efraim Flashner
  0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-09-07 22:04 UTC (permalink / raw)
  To: guix-devel

* gnu/packages/curl.scm (curl)[replacement]: Update to 7.50.2
(curl-7.50.1): Replace with ...
(curl-7.50.2): ... this.
---
 gnu/packages/curl.scm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index a250bb1..f3c0ade 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -40,7 +40,7 @@
 (define-public curl
   (package
    (name "curl")
-   (replacement curl-7.50.1)
+   (replacement curl-7.50.2)
    (version "7.47.0")
    (source (origin
             (method url-fetch)
@@ -125,15 +125,15 @@ tunneling, and so on.")
                                   "See COPYING in the distribution."))
    (home-page "http://curl.haxx.se/")))
 
-(define curl-7.50.1
+(define curl-7.50.2
   (package
     (inherit curl)
     (source
-      (let ((version "7.50.1"))
+      (let ((version "7.50.2"))
         (origin
           (method url-fetch)
           (uri (string-append "https://curl.haxx.se/download/curl-"
                               version ".tar.lzma"))
           (sha256
            (base32
-            "0qc3qp3h18v24irzw7dgg1jf39v4hnz8irv83v9lbn9rxzrpdcdj")))))))
+            "0d5ly1xms0hh5zkv0m77d50c1816ywmbvmi1m158jyl70ndi9gby")))))))
-- 
2.10.0

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH 1/1] gnu: curl: Update replacement to 7.50.2 [fixes CVE-2016-7141].
  2016-09-07 22:04 ` [PATCH 1/1] gnu: curl: Update replacement to 7.50.2 [fixes CVE-2016-7141] Leo Famulari
@ 2016-09-08  5:40   ` Efraim Flashner
  2016-09-08 15:45     ` Leo Famulari
  0 siblings, 1 reply; 5+ messages in thread
From: Efraim Flashner @ 2016-09-08  5:40 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 1659 bytes --]

On Wed, Sep 07, 2016 at 06:04:23PM -0400, Leo Famulari wrote:
> * gnu/packages/curl.scm (curl)[replacement]: Update to 7.50.2
> (curl-7.50.1): Replace with ...
> (curl-7.50.2): ... this.
> ---
>  gnu/packages/curl.scm | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
> index a250bb1..f3c0ade 100644
> --- a/gnu/packages/curl.scm
> +++ b/gnu/packages/curl.scm
> @@ -40,7 +40,7 @@
>  (define-public curl
>    (package
>     (name "curl")
> -   (replacement curl-7.50.1)
> +   (replacement curl-7.50.2)
>     (version "7.47.0")
>     (source (origin
>              (method url-fetch)
> @@ -125,15 +125,15 @@ tunneling, and so on.")
>                                    "See COPYING in the distribution."))
>     (home-page "http://curl.haxx.se/")))
>  
> -(define curl-7.50.1
> +(define curl-7.50.2
>    (package
>      (inherit curl)
>      (source
> -      (let ((version "7.50.1"))
> +      (let ((version "7.50.2"))
>          (origin
>            (method url-fetch)
>            (uri (string-append "https://curl.haxx.se/download/curl-"
>                                version ".tar.lzma"))
>            (sha256
>             (base32
> -            "0qc3qp3h18v24irzw7dgg1jf39v4hnz8irv83v9lbn9rxzrpdcdj")))))))
> +            "0d5ly1xms0hh5zkv0m77d50c1816ywmbvmi1m158jyl70ndi9gby")))))))
> -- 
> 2.10.0
> 

Looks good!

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH 1/1] gnu: curl: Update replacement to 7.50.2 [fixes CVE-2016-7141].
  2016-09-08  5:40   ` Efraim Flashner
@ 2016-09-08 15:45     ` Leo Famulari
  2016-09-09  9:57       ` ng0
  0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-09-08 15:45 UTC (permalink / raw)
  To: Efraim Flashner; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 292 bytes --]

On Thu, Sep 08, 2016 at 08:40:12AM +0300, Efraim Flashner wrote:
> On Wed, Sep 07, 2016 at 06:04:23PM -0400, Leo Famulari wrote:
> > * gnu/packages/curl.scm (curl)[replacement]: Update to 7.50.2
> > (curl-7.50.1): Replace with ...
> > (curl-7.50.2): ... this.

> Looks good!

Thanks, pushed!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH 1/1] gnu: curl: Update replacement to 7.50.2 [fixes CVE-2016-7141].
  2016-09-08 15:45     ` Leo Famulari
@ 2016-09-09  9:57       ` ng0
  0 siblings, 0 replies; 5+ messages in thread
From: ng0 @ 2016-09-09  9:57 UTC (permalink / raw)
  To: Leo Famulari, Efraim Flashner; +Cc: guix-devel

Leo Famulari <leo@famulari.name> writes:

> [ Unknown signature status ]
> On Thu, Sep 08, 2016 at 08:40:12AM +0300, Efraim Flashner wrote:
>> On Wed, Sep 07, 2016 at 06:04:23PM -0400, Leo Famulari wrote:
>> > * gnu/packages/curl.scm (curl)[replacement]: Update to 7.50.2
>> > (curl-7.50.1): Replace with ...
>> > (curl-7.50.2): ... this.
>
>> Looks good!
>
> Thanks, pushed!

Thanks for bringing this to attention, I'll work releasing gnurl update
and then prepare a patch for Guix to version bump gnurl.
-- 
ng0
For non-prism friendly talk find me on http://www.psyced.org

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2016-09-09  9:57 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-09-07 22:04 [PATCH 0/1] Update curl replacement to 7.50.2 Leo Famulari
2016-09-07 22:04 ` [PATCH 1/1] gnu: curl: Update replacement to 7.50.2 [fixes CVE-2016-7141] Leo Famulari
2016-09-08  5:40   ` Efraim Flashner
2016-09-08 15:45     ` Leo Famulari
2016-09-09  9:57       ` ng0

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).