all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* [PATCH 0/1] Curl security update (CVE-2016-0755)
@ 2016-01-27 18:57 Leo Famulari
  2016-01-27 18:57 ` [PATCH 1/1] gnu: curl: Update to 7.47.0 [fixes CVE-2016-0755] Leo Famulari
  2016-01-27 20:03 ` [PATCH 0/1] Curl security update (CVE-2016-0755) Andreas Enge
  0 siblings, 2 replies; 6+ messages in thread
From: Leo Famulari @ 2016-01-27 18:57 UTC (permalink / raw)
  To: guix-devel

This patch updates curl to 7.47.0, fixing CVE-2016-0755 [0][1].

I built it on the core-updates branch (although it's trivial enough to
apply on another branch), and I tested it to download successfully.

Feel free to apply the patch where appropriate.

[0]
http://curl.haxx.se/docs/adv_20160127A.html

[1]
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0755

Leo Famulari (1):
  gnu: curl: Update to 7.47.0 [fixes CVE-2016-0755].

 gnu/packages/curl.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

-- 
2.6.3

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH 1/1] gnu: curl: Update to 7.47.0 [fixes CVE-2016-0755].
  2016-01-27 18:57 [PATCH 0/1] Curl security update (CVE-2016-0755) Leo Famulari
@ 2016-01-27 18:57 ` Leo Famulari
  2016-01-28 15:09   ` Mark H Weaver
  2016-01-27 20:03 ` [PATCH 0/1] Curl security update (CVE-2016-0755) Andreas Enge
  1 sibling, 1 reply; 6+ messages in thread
From: Leo Famulari @ 2016-01-27 18:57 UTC (permalink / raw)
  To: guix-devel

* gnu/packages/curl.scm (curl): Update to 7.47.0.
---
 gnu/packages/curl.scm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 16140f0..3d0e49c 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Tomáš Čech <sleep_walker@suse.cz>
 ;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -39,14 +40,14 @@
 (define-public curl
   (package
    (name "curl")
-   (version "7.45.0")
+   (version "7.47.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "http://curl.haxx.se/download/curl-"
                                 version ".tar.lzma"))
             (sha256
              (base32
-              "0bamqik0mi2rmai016iakwrwmsz0s5xad1ghkbwsd3zkv08rgkcn"))))
+              "1n284wdqzwb4bkmv0fnh36zl6lhlzy3clw2b7pn28kpgdy09ly7p"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
-- 
2.6.3

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH 0/1] Curl security update (CVE-2016-0755)
  2016-01-27 18:57 [PATCH 0/1] Curl security update (CVE-2016-0755) Leo Famulari
  2016-01-27 18:57 ` [PATCH 1/1] gnu: curl: Update to 7.47.0 [fixes CVE-2016-0755] Leo Famulari
@ 2016-01-27 20:03 ` Andreas Enge
  2016-01-27 22:30   ` Leo Famulari
  1 sibling, 1 reply; 6+ messages in thread
From: Andreas Enge @ 2016-01-27 20:03 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

On Wed, Jan 27, 2016 at 01:57:22PM -0500, Leo Famulari wrote:
> This patch updates curl to 7.47.0, fixing CVE-2016-0755 [0][1].

Ouch!

guix refresh -l curl
Building the following 318 packages would ensure 772 dependent packages are rebuilt

This is about a quarter of all packages.

> Feel free to apply the patch where appropriate.

I would suggest the following: Quickly merge core-updates once the packages
on x86_64 are built (there are not many left, and qt-5 did build successfully
sequentially, so this could be done tomorrow), then create a new
security-updates branch with the patch for curl.

What do you think?

Andreas

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 0/1] Curl security update (CVE-2016-0755)
  2016-01-27 20:03 ` [PATCH 0/1] Curl security update (CVE-2016-0755) Andreas Enge
@ 2016-01-27 22:30   ` Leo Famulari
  2016-01-28 17:28     ` Andreas Enge
  0 siblings, 1 reply; 6+ messages in thread
From: Leo Famulari @ 2016-01-27 22:30 UTC (permalink / raw)
  To: Andreas Enge; +Cc: guix-devel

On Wed, Jan 27, 2016 at 09:03:45PM +0100, Andreas Enge wrote:
> On Wed, Jan 27, 2016 at 01:57:22PM -0500, Leo Famulari wrote:
> > This patch updates curl to 7.47.0, fixing CVE-2016-0755 [0][1].
> 
> Ouch!
> 
> guix refresh -l curl
> Building the following 318 packages would ensure 772 dependent packages are rebuilt
> 
> This is about a quarter of all packages.
> 
> > Feel free to apply the patch where appropriate.
> 
> I would suggest the following: Quickly merge core-updates once the packages
> on x86_64 are built (there are not many left, and qt-5 did build successfully
> sequentially, so this could be done tomorrow), then create a new
> security-updates branch with the patch for curl.
> 
> What do you think?

Civodul and mark_weaver discussed how best to apply it on #guix. I think
the plan is to build it in a branch with tomorrow's OpenSSL security
update.

> 
> Andreas
> 

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 1/1] gnu: curl: Update to 7.47.0 [fixes CVE-2016-0755].
  2016-01-27 18:57 ` [PATCH 1/1] gnu: curl: Update to 7.47.0 [fixes CVE-2016-0755] Leo Famulari
@ 2016-01-28 15:09   ` Mark H Weaver
  0 siblings, 0 replies; 6+ messages in thread
From: Mark H Weaver @ 2016-01-28 15:09 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> writes:
> * gnu/packages/curl.scm (curl): Update to 7.47.0.

I pushed this to the new 'security-updates' branch, along with an update
to OpenSSL 1.0.2f, and asked hydra to build it out.

     Thanks!
       Mark

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 0/1] Curl security update (CVE-2016-0755)
  2016-01-27 22:30   ` Leo Famulari
@ 2016-01-28 17:28     ` Andreas Enge
  0 siblings, 0 replies; 6+ messages in thread
From: Andreas Enge @ 2016-01-28 17:28 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

On Wed, Jan 27, 2016 at 05:30:58PM -0500, Leo Famulari wrote:
> Civodul and mark_weaver discussed how best to apply it on #guix. I think
> the plan is to build it in a branch with tomorrow's OpenSSL security
> update.

Very well.

Some garbage managed to crawl into the commit message:
    gnu: curl: Update to 7.47.0 [fixes CVE-2016-0755].
    
    To: guix-devel@gnu.org
    Date: Wed, 27 Jan 2016 13:57:23 -0500 (19 hours, 58 minutes, 42 seconds ago)
    
    * gnu/packages/curl.scm (curl): Update to 7.47.0.

So once the branch is built, I would suggest to not merge it back into
master, but instead to cherry-pick the two commits and to fix the commit
message for curl.

Thanks for all this important work!

Andreas

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2016-01-28 17:28 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-01-27 18:57 [PATCH 0/1] Curl security update (CVE-2016-0755) Leo Famulari
2016-01-27 18:57 ` [PATCH 1/1] gnu: curl: Update to 7.47.0 [fixes CVE-2016-0755] Leo Famulari
2016-01-28 15:09   ` Mark H Weaver
2016-01-27 20:03 ` [PATCH 0/1] Curl security update (CVE-2016-0755) Andreas Enge
2016-01-27 22:30   ` Leo Famulari
2016-01-28 17:28     ` Andreas Enge

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.