From: Marius Bakke
Subject: Re: 01/01: gnu: curl: Update replacement to 7.52.0 [fixes CVE-2016-{9586, 9952, 9953}].
Date: Fri, 23 Dec 2016 15:31:56 +0100
Message-ID: <87inqaaf8j.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
In-Reply-To: <87h95vrou3.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me>
To: ng0, guix-devel@gnu.org

ng0 writes:

> Marius Bakke writes:
>
>> Leo Famulari writes:
>>
>>> On Wed, Dec 21, 2016 at 02:03:21PM +0000, Marius Bakke wrote:
>>>> mbakke pushed a commit to branch master
>>>> in repository guix.
>>>>
>>>> commit 42366b35c3f9f8dc8b059d3369b8196a4b832c18
>>>> Author: Marius Bakke
>>>> Date: Wed Dec 21 14:56:34 2016 +0100
>>>>
>>>> gnu: curl: Update replacement to 7.52.0 [fixes CVE-2016-{9586,9952,9953}].
>>>>
>>>> * gnu/packages/curl.scm (curl)[replacement]: Update to 7.52.0.
>>>> (curl-7.51.0): Replace with ...
>>>> (curl-7.52.0): ... this.
>>>
>>> ng0 pointed out this message from the curl maintainers:
>>>
>>> "Attention! We will release a patch update within a few days to fix a
>>> serious security problem found in curl 7.52.0. You may consider holding
>>> off until then."
>>>
>>> https://curl.haxx.se/download.html
>>
>> Thanks for catching that! I think that message must have appeared after
>> I downloaded it from there, difficult to miss that notice.
>>
>> The page was updated about 25 minutes after the commit was pushed:
>> $ curl -v https://curl.haxx.se/download.html >/dev/null
>> [...]
>> < Last-Modified: Wed, 21 Dec 2016 14:28:41 GMT
>>
>> It was reverted around 16:52 UTC. I hope those who upgraded in between
>> those five hours read this list!
>
> Today cURL 7.52.1 has been released, addressing the issue which
> was present only in 7.52.0: https://curl.haxx.se/docs/adv_20161223.html

Thanks for the heads-up, I've pushed the update. I added the CVE identifier
for the 7.52.0 bug in the commit log since we had it for a short while, and
removed the WinCE-specific identifiers (thanks Leo!).