From: ng0
Subject: Re: [PATCH 0/1] curl: Fix CVE-2016-3739.
Date: Mon, 13 Jun 2016 18:56:22 +0000
Message-ID: <20160613185622.GA3892@khazad-dum>
In-Reply-To: <20160613161414.GB14259@jasmine>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: guix-devel@gnu.org

On 2016-06-13(12:14:14-0400), Leo Famulari wrote:
> On Mon, Jun 13, 2016 at 03:42:47PM +0000, ng0 wrote:
> > From the way it was done in Gentoo, I assume this is not needed?
> > mbedtls is a separate package, and I have libressl as the curlssl provider,
> > which is a curl built against libressl.
> >
> > If I am wrong, correct me.
> > My initial comment was a bit out of place, but I just assume it will
> > justwork™ on guix, otherwise a curl-with-mbedtls would have to be
> > created.
> >
> > Sorry for the confusion.
>
> I think the confusion was mine. Unless Hiawatha requires a curl linked
> against mbedTLS, I don't think there will be any problem with
> CVE-2016-3739 and Hiawatha.
>

I think it will work out alright.
The test- and applied systems I had were hardened gcc with libressl
globally, amd64, and a hardened musl system with openssl, amd64,
in case of the musl it is curl built against openssl, the gcc with
curl libressl.

ng0@khazad-dum:~$ equery g hiawatha
 * Searching for hiawatha ...
-- snip --
 * dependency graph for www-servers/hiawatha-10.3-r99
 `-- www-servers/hiawatha-10.3-r99 [~amd64 keyword]
   `-- sys-libs/zlib-1.2.8-r1 (sys-libs/zlib) amd64
   `-- net-libs/mbedtls-2.2.1 (>=net-libs/mbedtls-2.0) amd64 [threads]
   `-- dev-libs/libxslt-1.1.29 (dev-libs/libxslt) amd64
   `-- dev-libs/libxml2-2.9.4 (dev-libs/libxml2) amd64
   `-- sys-devel/make-4.1-r1 (sys-devel/make) amd64
   `-- dev-util/cmake-3.3.1-r1 (>=dev-util/cmake-2.8.2) amd64
   `-- virtual/pkgconfig-0-r1 (virtual/pkgconfig) amd64
   `-- www-apps/hiawatha-monitor-1.3 (www-apps/hiawatha-monitor) [~amd64 keyword]
[ www-servers/hiawatha-10.3-r99 stats: packages (9), max depth (1) ]

-- 
♥Ⓐ ng0
For non-prism friendly talk find me on psyced.org / loupsycedyglgamf.onion