From mboxrd@z Thu Jan  1 00:00:00 1970
From: ng0 <ng0@libertad.pw>
Subject: Re: 01/01: gnu: curl: Update replacement to
	7.52.0	[fixes	CVE-2016-{9586, 9952, 9953}].
Date: Fri, 23 Dec 2016 09:12:36 +0000
Message-ID: <87h95vrou3.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me>
References: <20161221140321.28790.1100@vcs.savannah.gnu.org>
	<20161221140321.922BB220166@vcs.savannah.gnu.org>
	<20161221165844.GA7240@jasmine>
	<8737hhaxrm.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:51577)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ng0@libertad.pw>) id 1cKLty-0007dh-J3
	for guix-devel@gnu.org; Fri, 23 Dec 2016 04:12:35 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ng0@libertad.pw>) id 1cKLtv-0004zl-Ff
	for guix-devel@gnu.org; Fri, 23 Dec 2016 04:12:34 -0500
Received: from aibo.runbox.com ([91.220.196.211]:42867)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <ng0@libertad.pw>) id 1cKLtv-0004s9-9d
	for guix-devel@gnu.org; Fri, 23 Dec 2016 04:12:31 -0500
Received: from [10.9.9.211] (helo=mailfront11.runbox.com)
	by bars.runbox.com with esmtp (Exim 4.71)
	(envelope-from <ng0@libertad.pw>) id 1cKLtr-0002di-1K
	for guix-devel@gnu.org; Fri, 23 Dec 2016 10:12:27 +0100
Received: from [176.67.168.210] (helo=localhost)
	by mailfront11.runbox.com with esmtpsa (uid:892961 )
	(TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) id 1cKLtl-0004a0-GB
	for guix-devel@gnu.org; Fri, 23 Dec 2016 10:12:21 +0100
In-Reply-To: <8737hhaxrm.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org

Marius Bakke <mbakke@fastmail.com> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> On Wed, Dec 21, 2016 at 02:03:21PM +0000, Marius Bakke wrote:
>>> mbakke pushed a commit to branch master
>>> in repository guix.
>>> 
>>> commit 42366b35c3f9f8dc8b059d3369b8196a4b832c18
>>> Author: Marius Bakke <mbakke@fastmail.com>
>>> Date:   Wed Dec 21 14:56:34 2016 +0100
>>> 
>>>     gnu: curl: Update replacement to 7.52.0 [fixes CVE-2016-{9586,9952,9953}].
>>>     
>>>     * gnu/packages/curl.scm (curl)[replacement]: Update to 7.52.0.
>>>     (curl-7.51.0): Replace with ...
>>>     (curl-7.52.0): ... this.
>>
>> ng0 pointed out this message from the curl maintainers:
>>
>> "Attention! We will release a patch update within a few days to fix a
>> serious security problem found in curl 7.52.0. You may consider holding
>> off until then."
>>
>> https://curl.haxx.se/download.html
>
> Thanks for catching that! I think that message must have appeared after
> I downloaded it from there, difficult to miss that notice.
>
> The page was updated about 25 minutes after the commit was pushed:
> $ curl -v https://curl.haxx.se/download.html >/dev/null
> [...]
> < Last-Modified: Wed, 21 Dec 2016 14:28:41 GMT
>
> It was reverted around 16:52 UTC. I hope those who upgraded in between
> those five hours reads this list!

Today cURL 7.52.1 has been released, addressing the issue which
was present only in 7.52.0: https://curl.haxx.se/docs/adv_20161223.html

-- 
♥Ⓐ  ng0  | PGP keys and more: https://n0is.noblogs.org/
         |                    http://ng0.chaosnet.org