Re: [PATCH 0/1] curl: Fix CVE-2016-3739.

[ng0 <ng0@we.make.ritual.n0.is>]

[-- Attachment #1: Type: text/plain, Size: 1841 bytes --]

On 2016-06-13(12:14:14-0400), Leo Famulari wrote:
> On Mon, Jun 13, 2016 at 03:42:47PM +0000, ng0 wrote:
> > From the way it was done in Gentoo, I assume this is not needed?
> > mbedtls is a separate package, and I have libressl as the curlssl provider,
> > which is a curl built against libressl.
> >
> > If I am wrong, correct me.
> > My initial comment was a bit out of place, but I just assume it will
> > justwork™ on guix, otherwise a curl-with-mbedtls would have to be
> > created.
> >
> > Sorry for the confusion.
>
> I think the confusion was mine. Unless Hiawatha requires a curl linked
> against mbedTLS, I don't think there will be any problem with
> CVE-2016-3739 and Hiawatha.
>

I think it will work out alright. The test- and applied systems I had were
hardened gcc with libressl globally, amd64, and a hardened musl system with
openssl, amd64, in case of the musl it is curl built against openssl, the
gcc with curl libressl.

ng0@khazad-dum:~$ equery g hiawatha
 * Searching for hiawatha ...

-- snip --

 * dependency graph for www-servers/hiawatha-10.3-r99
 `--  www-servers/hiawatha-10.3-r99  [~amd64 keyword]
   `--  sys-libs/zlib-1.2.8-r1  (sys-libs/zlib) amd64
   `--  net-libs/mbedtls-2.2.1  (>=net-libs/mbedtls-2.0) amd64  [threads]
   `--  dev-libs/libxslt-1.1.29  (dev-libs/libxslt) amd64
   `--  dev-libs/libxml2-2.9.4  (dev-libs/libxml2) amd64
   `--  sys-devel/make-4.1-r1  (sys-devel/make) amd64
   `--  dev-util/cmake-3.3.1-r1  (>=dev-util/cmake-2.8.2) amd64
   `--  virtual/pkgconfig-0-r1  (virtual/pkgconfig) amd64
   `--  www-apps/hiawatha-monitor-1.3  (www-apps/hiawatha-monitor) [~amd64 keyword]
[ www-servers/hiawatha-10.3-r99 stats: packages (9), max depth (1) ]


--
♥Ⓐ ng0
For non-prism friendly talk find me on
psyced.org / loupsycedyglgamf.onion

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 195 bytes --]