all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* curl security update
@ 2016-08-04 13:11 Leo Famulari
  2016-08-04 14:27 ` Mark H Weaver
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Leo Famulari @ 2016-08-04 13:11 UTC (permalink / raw)
  To: guix-devel


[-- Attachment #1.1: Type: text/plain, Size: 246 bytes --]

There are some new bugs disclosed in curl:
https://curl.haxx.se/docs/security.html

Grafting the new version seems like the right approach to me when I
consider libcurl's ABI compatibility policy:
https://curl.haxx.se/libcurl/abi.html

Thoughts?

[-- Attachment #1.2: 0001-gnu-curl-Replace-with-7.50.1-fixes-CVE-2016-3739-480.patch --]
[-- Type: text/x-diff, Size: 1376 bytes --]

From ef6ae3732facb1eba77e82c6a6066832784bca5d Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Wed, 3 Aug 2016 16:13:09 -0400
Subject: [PATCH] gnu: curl: Replace with 7.50.1 [fixes
 CVE-2016-{3739,4802,5419,5420,5421].

* gnu/packages/curl.scm (curl)[replacement]: New field.
(curl-7.50.1): New variable.
---
 gnu/packages/curl.scm | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 222910b..a250bb1 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -40,6 +40,7 @@
 (define-public curl
   (package
    (name "curl")
+   (replacement curl-7.50.1)
    (version "7.47.0")
    (source (origin
             (method url-fetch)
@@ -123,3 +124,16 @@ tunneling, and so on.")
    (license (license:non-copyleft "file://COPYING"
                                   "See COPYING in the distribution."))
    (home-page "http://curl.haxx.se/")))
+
+(define curl-7.50.1
+  (package
+    (inherit curl)
+    (source
+      (let ((version "7.50.1"))
+        (origin
+          (method url-fetch)
+          (uri (string-append "https://curl.haxx.se/download/curl-"
+                              version ".tar.lzma"))
+          (sha256
+           (base32
+            "0qc3qp3h18v24irzw7dgg1jf39v4hnz8irv83v9lbn9rxzrpdcdj")))))))
-- 
2.9.2


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply related	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-08-04 16:58 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-08-04 13:11 curl security update Leo Famulari
2016-08-04 14:27 ` Mark H Weaver
2016-08-04 14:28 ` Ludovic Courtès
2016-08-04 16:58 ` Leo Famulari

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.