From: Leo Famulari
Subject: curl security update
Date: Thu, 4 Aug 2016 09:11:39 -0400
Message-ID: <20160804131139.GA7359@jasmine>
To: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

There are some new bugs disclosed in curl:

https://curl.haxx.se/docs/security.html

Grafting the new version seems like the right approach to me when I consider libcurl's ABI compatibility policy:

https://curl.haxx.se/libcurl/abi.html

Thoughts?
--vtzGhvizbBRQ85DL Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="0001-gnu-curl-Replace-with-7.50.1-fixes-CVE-2016-3739-480.patch" Content-Transfer-Encoding: quoted-printable =46rom ef6ae3732facb1eba77e82c6a6066832784bca5d Mon Sep 17 00:00:00 2001 =46rom: Leo Famulari Date: Wed, 3 Aug 2016 16:13:09 -0400 Subject: [PATCH] gnu: curl: Replace with 7.50.1 [fixes CVE-2016-{3739,4802,5419,5420,5421]. * gnu/packages/curl.scm (curl)[replacement]: New field. (curl-7.50.1): New variable. --- gnu/packages/curl.scm | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index 222910b..a250bb1 100644 --- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm @@ -40,6 +40,7 @@ (define-public curl (package (name "curl") + (replacement curl-7.50.1) (version "7.47.0") (source (origin (method url-fetch) 
@@ -123,3 +124,16 @@ tunneling, and so on.") (license (license:non-copyleft "file://COPYING" "See COPYING in the distribution.")) (home-page "http://curl.haxx.se/"))) + +(define curl-7.50.1 + (package + (inherit curl) + (source + (let ((version "7.50.1")) + (origin + (method url-fetch) + (uri (string-append "https://curl.haxx.se/download/curl-" + version ".tar.lzma")) + (sha256 + (base32 + "0qc3qp3h18v24irzw7dgg1jf39v4hnz8irv83v9lbn9rxzrpdcdj"))))))) --=20 2.9.2 --vtzGhvizbBRQ85DL-- --EuxKj2iCbKjpUGkD Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJXoz8LAAoJECZG+jC6yn8IW+gP/RrLFYU86lVXjQvS/MqE61RS C2suJXd0Hpm39M9JBGHCsP7SZfnfZJMSpo+L9X+Qpo8hufqMazTDiSiZf12Ns0ov HKq4ey7ypFCXU/DmE3JcZiEPc0360nNBQRdEdlnqq3rKCV5+JrCXX2TaXW/sZppw rxysJx/PewTm6vjJpKVlbVxswn4UfjKIP4MZHvKayO3X5mzA21/IYED1H7GRsuot NQVeFIfGR4vn24OuyRRsbWU6zfpGoifzfMHoO24uJYdVOQPawR9XbC1o+3GH9Llg iNR+O0yQAF6rVEH5gM1Oa9ijTfL47qkIjV2zrM6smW9laDYlU/+FgDAWxzpNt2hh JvFnudtT6xlh2PGDLD9DkyThnfYkZruYk3HK9zAjzV7/g9Ysolu1fTE+k7dpmuOO SZnF5CIRAOgsUlNrVE7Vukw9+Pp+zVOlM1UR2Hx6S1ConGQvqBszF2UvW6Uujecj OsP0WyBF7mbx4vZQeWutQjb6Lvgz7vogw9yfvxhvROnxj3nMJ6Bdc1e6ss47PZjn 0Awdg2KynCaX4VpdB0gw09SlvknaaFjdnsyW8DdsXjgYXm6TITdZ2eGSFzFmSi17 TvP+EbX4xYtlZvguUleaclt2EOl7Llo3HfGO0H5ZYnFzWwnkuHua7ksgZ/pjfya4 CoKSLvkyhTVuaYrQqBBo =yRvA -----END PGP SIGNATURE----- --EuxKj2iCbKjpUGkD--
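Review bot: The commit subject closes the CVE brace list with the wrong bracket: "CVE-2016-{3739,4802,5419,5420,5421]" opens with `{` and ends with `]`. It should read "CVE-2016-{3739,4802,5419,5420,5421}" so the subject matches the usual Guix security-fix subject form and the list of fixed CVEs is unambiguous when searched later. The `(replacement curl-7.50.1)` field itself is in the expected position, directly after `(name "curl")`, and refers to the private `define` added in the second hunk.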
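Review bot: In the `curl-7.50.1` definition the `(let ((version "7.50.1")) ...)` binding only feeds the download URI; because the package inherits from `curl` and overrides no `version` field, the grafted package still reports itself as 7.47.0 even though it is built from the 7.50.1 tarball, which is confusing when checking which curl is actually installed. Guix grafts require the original and replacement store file names to have the same length, which is why grafts sometimes keep the old version, but here "7.47.0" and "7.50.1" are both six characters, so adding `(version "7.50.1")` to the replacement (or dropping the `let` and using the literal in the URI) would be safe; if the version is intentionally left inherited, the commit message should say so.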