From: ng0
Subject: Re: 01/01: gnu: curl: Update replacement to 7.52.0 [fixes CVE-2016-{9586, 9952, 9953}].
Date: Fri, 23 Dec 2016 09:12:36 +0000
To: guix-devel@gnu.org

Marius Bakke writes:

> Leo Famulari writes:
>
>> On Wed, Dec 21, 2016 at 02:03:21PM +0000, Marius Bakke wrote:
>>> mbakke pushed a commit to branch master
>>> in repository guix.
>>>
>>> commit 42366b35c3f9f8dc8b059d3369b8196a4b832c18
>>> Author: Marius Bakke
>>> Date: Wed Dec 21 14:56:34 2016 +0100
>>>
>>>     gnu: curl: Update replacement to 7.52.0 [fixes CVE-2016-{9586,9952,9953}].
>>>
>>>     * gnu/packages/curl.scm (curl)[replacement]: Update to 7.52.0.
>>>     (curl-7.51.0): Replace with ...
>>>     (curl-7.52.0): ... this.
>>
>> ng0 pointed out this message from the curl maintainers:
>>
>> "Attention! We will release a patch update within a few days to fix a
>> serious security problem found in curl 7.52.0. You may consider holding
>> off until then."
>>
>> https://curl.haxx.se/download.html
>
> Thanks for catching that! I think that message must have appeared after
> I downloaded it from there, difficult to miss that notice.
>
> The page was updated about 25 minutes after the commit was pushed:
> $ curl -v https://curl.haxx.se/download.html >/dev/null
> [...]
> < Last-Modified: Wed, 21 Dec 2016 14:28:41 GMT
>
> It was reverted around 16:52 UTC. I hope those who upgraded in between
> those five hours read this list!

Today cURL 7.52.1 has been released, addressing the issue which was
present only in 7.52.0: https://curl.haxx.se/docs/adv_20161223.html

-- 
♥Ⓐ ng0 | PGP keys and more: https://n0is.noblogs.org/ | http://ng0.chaosnet.org