From debbugs-submit-bounces@debbugs.gnu.org Fri Apr 02 14:22:18 2021 Received: (at 47563) by debbugs.gnu.org; 2 Apr 2021 18:22:18 +0000 Received: from localhost ([127.0.0.1]:32835 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lSOR0-0008IT-BW for submit@debbugs.gnu.org; Fri, 02 Apr 2021 14:22:18 -0400 Received: from wout4-smtp.messagingengine.com ([64.147.123.20]:33641) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lSOQx-0008I2-AO for 47563@debbugs.gnu.org; Fri, 02 Apr 2021 14:22:15 -0400 Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.west.internal (Postfix) with ESMTP id 603DF140F; Fri, 2 Apr 2021 14:22:09 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute3.internal (MEProxy); Fri, 02 Apr 2021 14:22:09 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:content-transfer-encoding:in-reply-to; s=mesmtp; bh=WN7333Uihk+Dcj7iUGeSry1XF50ie7TW5H6Mh5Q2uis=; b=c0nDoXjYC3OZ rcTBOVlpMc0aqFB/7tDy+JDYGd2a/U66FTcVWWoeEzYo3xQtrQXwESxtsuVOap+D F49E0ZphWI1fi/z3r+R0QVDh2VGemqvpjMHa8GAjqDq29F8vJV3ckzdd9q0AL1yj R6yVYiybvxwTSNNy5i/HAakpp5jjQp4= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=WN7333Uihk+Dcj7iUGeSry1XF50ie7TW5H6Mh5Q2u is=; b=CSvo0b2cj9i1K30MSPmbcEF27rnFrckku3xdv0n4225cze58BbzC/kI9v b4cX5QrK+VA4vwefpVTTmnZsGPmcsPwgDElcurE29uWH7xuZ2d1aAx8Dd2OydwSJ 3f8TPN27Q1VVXwOKjWLX01seaOfLN+iRtxOFzI5SoH2K5y8fcnjiijUseGXqJrAg QBlS+PgSMQrFF8o0XG0XclttnrpzQXTOKrDr31DUry6U2P3i70wPedTF0X5nI9Oc zHdEmFmkuU816NsMsXZ48wVvod+QiHNyhYZVfSgcvC+qWioivjf0aVITEjqJrUJO nPipQwQHmtIQkzp+pSRHdKnvaujUQ== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrudeiiedguddvudcutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpeffhffvuffkfhggtggugfgjsehtkeertddttddunecuhfhrohhmpefnvgho ucfhrghmuhhlrghrihcuoehlvghosehfrghmuhhlrghrihdrnhgrmhgvqeenucggtffrrg htthgvrhhnpeejgfeileekhefgjeduteffhfefveffjeefheelfeduteevfeeujeevleff jeejjeenucffohhmrghinhepghhnuhdrohhrghdptghurhhlrdhsvgenucfkphepieelrd duvddtrdelvddrvddtkeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgr ihhlfhhrohhmpehlvghosehfrghmuhhlrghrihdrnhgrmhgv X-ME-Proxy: Received: from localhost (ool-45785cd0.dyn.optonline.net [69.120.92.208]) by mail.messagingengine.com (Postfix) with ESMTPA id 4B0C91080057; Fri, 2 Apr 2021 14:22:08 -0400 (EDT) Date: Fri, 2 Apr 2021 14:22:06 -0400 From: Leo Famulari To: =?iso-8859-1?B?TOlv?= Le Bouter via Bug reports for GNU Guix Subject: Re: bug#47563: [PATCH 0/1] gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890. Message-ID: References: <3f93f64c692d9e0604aa406a735d81084443b692.camel@zaclys.net> <20210402140940.28300-1-lle-bout@zaclys.net> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20210402140940.28300-1-lle-bout@zaclys.net> X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 47563 Cc: 47563@debbugs.gnu.org, =?iso-8859-1?B?TOlv?= Le Bouter X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) On Fri, Apr 02, 2021 at 04:09:39PM +0200, L�o Le Bouter via Bug reports for GNU Guix wrote: > curl-CVE-2021-22876.patch was rebased onto 7.74.0, but curl-CVE-2021-22890.patch > does not apply and please I need help rebasing it, it looks quite complex. > > I pushed an upgrade of curl to 7.76.0 which has been much much easier to > core-updates already as > https://git.savannah.gnu.org/cgit/guix.git/commit/?h=core-updates&id=2e0b1b62e94b926041ca9af70537dd9b3ab64edf > but unfortunately since curl requires so many rebuilds it seems we can't use > such commit on master for now. Can we try grafting an "upgrade" to 7.76.0? In my experience, most curl upgrades are graftable. Curl's developers are very careful with their ABI and even maintain their own page on the subject: