From: Mark H Weaver
Subject: Re: OpenSSL updates
Date: Thu, 22 Sep 2016 12:33:15 -0400
Message-ID: <87twd7dhdg.fsf@netris.org>
In-Reply-To: <20160922135527.GA13557@jasmine> (Leo Famulari's message of "Thu, 22 Sep 2016 09:55:27 -0400")
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari writes:

> Here are patches to replace openssl with openssl-1.0.2i and to update
> openssl-next to openssl@1.1.0a.
>
> From 1f020e2cb580941a36aa98737cd679a8605cdc4d Mon Sep 17 00:00:00 2001
> From: Leo Famulari
> Date: Thu, 22 Sep 2016 09:38:56 -0400
> Subject: [PATCH 1/2] gnu: openssl: Replace with 1.0.2i [security fixes].
>
> Fixes CVE-2016-{2177,2178,2179,2180,2181,2182,2183,6302,6303,6304,6306,6308}.
>
> * gnu/packages/tls.scm (openssl)[replacement]: New field.
> (openssl-1.0.2i): New variable.
> ---
> gnu/packages/tls.scm | 19 +++++++++++++++++++
> 1 file changed, 19 insertions(+)
>
> diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
> index 0762703..198d298 100644
> --- a/gnu/packages/tls.scm
> +++ b/gnu/packages/tls.scm
> @@ -229,6 +229,7 @@ required structures.") > (define-public openssl > (package > (name "openssl") > + (replacement openssl-1.0.2i) > (version "1.0.2h") > (source (origin > (method url-fetch) > @@ -367,6 +368,24 @@ required structures.") > (license license:openssl) > (home-page "http://www.openssl.org/"))) > > +(define-public openssl-1.0.2i Should this be kept private? Otherwise, both patches look good to me, please push. Thanks! Mark
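
Review bot: In the second hunk, `(define-public openssl-1.0.2i` exports the replacement from the module, although the only use visible in this patch is the `(replacement openssl-1.0.2i)` field added to `openssl` in the first hunk. Unless something else is meant to refer to it by name, a plain `(define openssl-1.0.2i` would keep the variable private to `gnu/packages/tls.scm`, so the fixed 1.0.2i build reaches users only through the replacement on `openssl` and not as a second exported package. The body of the definition is cut off in the quote, so whether it inherits from `openssl` cannot be checked from these lines.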