From: Mark H Weaver
Subject: Re: curl security update
Date: Thu, 04 Aug 2016 10:27:18 -0400
Message-ID: <87fuqky5h5.fsf@netris.org>
References: <20160804131139.GA7359@jasmine>
In-Reply-To: <20160804131139.GA7359@jasmine> (Leo Famulari's message of "Thu, 4 Aug 2016 09:11:39 -0400")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari writes:

> There are some new bugs disclosed in curl:
> https://curl.haxx.se/docs/security.html
>
> Grafting the new version seems like the right approach to me when I
> consider libcurl's ABI compatibility policy:
> https://curl.haxx.se/libcurl/abi.html
>
> Thoughts?

Looks good to me! Please push.

Thanks,
      Mark

> From ef6ae3732facb1eba77e82c6a6066832784bca5d Mon Sep 17 00:00:00 2001
> From: Leo Famulari
> Date: Wed, 3 Aug 2016 16:13:09 -0400
> Subject: [PATCH] gnu: curl: Replace with 7.50.1 [fixes
> CVE-2016-{3739,4802,5419,5420,5421}].
>
> * gnu/packages/curl.scm (curl)[replacement]: New field.
> (curl-7.50.1): New variable.
> ---
> gnu/packages/curl.scm | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
> > diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm > index 222910b..a250bb1 100644 > --- a/gnu/packages/curl.scm > +++ b/gnu/packages/curl.scm > @@ -40,6 +40,7 @@ > (define-public curl > (package > (name "curl") > + (replacement curl-7.50.1) > (version "7.47.0") > (source (origin > (method url-fetch) > @@ -123,3 +124,16 @@ tunneling, and so on.") > (license (license:non-copyleft "file://COPYING" > "See COPYING in the distribution.")) > (home-page "http://curl.haxx.se/"))) > + > +(define curl-7.50.1 > + (package > + (inherit curl) > + (source > + (let ((version "7.50.1")) > + (origin > + (method url-fetch) > + (uri (string-append "https://curl.haxx.se/download/curl-" > + version ".tar.lzma")) > + (sha256 > + (base32 > + "0qc3qp3h18v24irzw7dgg1jf39v4hnz8irv83v9lbn9rxzrpdcdj")))))))
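Review bot: in the second hunk, `curl-7.50.1` inherits its `version` field from `curl`, so the replacement still reports "7.47.0"; the `(let ((version "7.50.1")) ...)` only rebinds `version` while building the source URI. That is the expected shape for a graft replacement, but a one-line comment above `(define curl-7.50.1` saying the version is deliberately left at 7.47.0 would keep a later reader from "fixing" it. Two things worth confirming before pushing: that the base32 hash matches the output of `guix download https://curl.haxx.se/download/curl-7.50.1.tar.lzma`, and that the inherited build arguments and test suite still pass with the three-minor-version jump, since the graft substitutes this build for every dependent of 7.47.0.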