From: ng0
Subject: Re: [PATCH 0/1] curl: Fix CVE-2016-3739.
Date: Sun, 12 Jun 2016 21:02:32 +0000
Message-ID: <20160612210232.GA5479@khazad-dum>
References: <87inxei119.fsf@gnu.org>
In-Reply-To: <87inxei119.fsf@gnu.org>
To: guix-devel@gnu.org

On 2016-06-12(10:51:14+0200), Ludovic Courtès wrote:
> Leo Famulari skribis:
>
> > If your SSL / TLS provider is mbedTLS (formerly PolarSSL), there is a
> > bug in curl [CVE-2016-3739] that allows an attacker to bypass the full
> > certificate check by presenting any valid certificate.
> >
> > So, you might think you are connecting to https://example.com, when in fact
> > the attacker has a certificate for any other domain.
> >
> > We don't package mbedTLS, but I still think we should provide the fixed
> > source code.
>
> OTOH this will incur additional grafting for no reason, WDYT?
>
> Thanks,
> Ludo’.
>

fyi, mbedtls is on my list of packages to do, as the webserver hiawatha
depends on it. Should I announce once it is packaged and the CVE fix can
be applied afterwards?

-- 
♥Ⓐ ng0
For non-prism friendly talk find me on psyced.org / loupsycedyglgamf.onion