gnURL 7.55.0

  • Done
  • quality assurance status badge
Details
4 participants
  • Leo Famulari
  • Marius Bakke
  • Tobias Geerinckx-Rice
  • ng0
Owner
unassigned
Submitted by
ng0
Severity
normal
N
N
ng0 wrote on 9 Aug 2017 18:00
(address . guix-patches@gnu.org)
20170809160025.2w2theyhhrba4zsd@abyayala
Appended patch.
--
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
From 13129d51ac4dd5ac7f5e7b74997297139a40be12 Mon Sep 17 00:00:00 2001
From: ng0 <ng0@infotropique.org>
Date: Wed, 9 Aug 2017 15:58:43 +0000
Subject: [PATCH] gnu: gnurl: Update to 7.55.0.

* gnu/packages/gnunet.scm (gnurl): Update to 7.55.0.
---
gnu/packages/gnunet.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

Toggle diff (32 lines)
diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index 9ca2d9502..497afaf66 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -5,7 +5,7 @@
;;; Copyright © 2015 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2016 Mark H Weaver <mhw@netris.org>
-;;; Copyright © 2016, 2017 ng0 <ng0@no-reply.infotropique.org>
+;;; Copyright © 2016, 2017 ng0 <ng0@infotropique.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -186,14 +186,14 @@ and support for SSL3 and TLS.")
(define-public gnurl
(package
(name "gnurl")
- (version "7.54.1")
+ (version "7.55.0")
(source (origin
(method url-fetch)
(uri (string-append "https://gnunet.org/sites/default/files/"
name "-" version ".tar.bz2"))
(sha256
(base32
- "0szbj352h95sgc9kbx9wzkgjksmg3g5k6cvlc7hz3wrbdh5gb0a4"))))
+ "0i9bik76rbyag3mbxbk8j383iaxs5v7lmjkn4v36ascl6bdks6vn"))))
(build-system gnu-build-system)
(outputs '("out"
"doc")) ; 1.5 MiB of man3 pages
--
2.14.0
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEqIyK3RKYKNfqwC5S4i+bv+40hYgFAlmLMZkACgkQ4i+bv+40
hYggVQ/+JCyysLnh5NAsqAmL3tplZmC5FfZb1UflV/P1YeY88LzwNJAY7yfhuIw6
PTiPJ8L6u9GDVJoJg2SlIlGd7Z0PXRrTbpxE8E9krC16AnsXb/5J8QV7yNNuG2Wk
+EdqccwtN9m6e6unoEmQCZ8pvgYUWpiR4wMzLQnncQ1C3K/E1h0RSaE/M5a5gmp0
uQIUYioAlZT/Ik7wTmEbK3225v+0pR0OXfM10h4+zR+Nv3mCo6enPi5OyILjbXrR
1WMIrkoPootAZKbut9JQvF9HqUMGW0Z4Vu6b7ZXq7Lg7HcqzSxe8lUPXacuynCub
ADOYf7UlHvhUNdQBGoGNmRxaiIfL7P0e5m6wtzaNO8pMA3kXIGh4atrp8o5b16Q2
3TWwCTBPTlhY3chBMpNRow9Z/NZh5ClbQNjxTdnEVXB2lJWVDtAq2FSSioB3Au6M
b6wuczU4YmiwkexD0G5qQzwwfu1Sl8UJCpMxWd3TI/cc2k8S+Bt2xuhjXn23Wj92
I0RhJAlu3fUoTj+9C54QitcoBln6i7IyfxXmAka4kzT5h0RVUyudsH9SFvjCtjo+
a39FY17RLSBsrFc1wnX0LIwFs64XD/l2XeVVVbjtqyCXazXCuooYzUWAh+xsT7pH
liRqIGhtEV/GKrEe48zYp65XMxVfCqrMYU+k+hhuCog13GbADkY=
=OLSb
-----END PGP SIGNATURE-----


T
T
Tobias Geerinckx-Rice wrote on 9 Aug 2017 18:25
(address . 28027-done@debbugs.gnu.org)
9e3ce4e5-de13-1fbb-5a6f-71d38fa218ce@tobias.gr
ng0 wrote on 09/08/17 at 18:00:
Toggle quote (7 lines)
> From 13129d51ac4dd5ac7f5e7b74997297139a40be12 Mon Sep 17 00:00:00 2001
> From: ng0 <ng0@infotropique.org>
> Date: Wed, 9 Aug 2017 15:58:43 +0000
> Subject: [PATCH] gnu: gnurl: Update to 7.55.0.
>
> * gnu/packages/gnunet.scm (gnurl): Update to 7.55.0.

Thanks! Pushed as 28e12d6c81cef2aca7f792f3c99037a649faa9b0.

Kind regards,

T G-R
Attachment: signature.asc
Closed
L
L
Leo Famulari wrote on 9 Aug 2017 19:48
curl security update [was Re: bug#28027: gnURL 7.55.0]
20170809174842.GA24193@jasmine.lan
On Wed, Aug 09, 2017 at 06:25:39PM +0200, Tobias Geerinckx-Rice wrote:
Toggle quote (10 lines)
> ng0 wrote on 09/08/17 at 18:00:
> > From 13129d51ac4dd5ac7f5e7b74997297139a40be12 Mon Sep 17 00:00:00 2001
> > From: ng0 <ng0@infotropique.org>
> > Date: Wed, 9 Aug 2017 15:58:43 +0000
> > Subject: [PATCH] gnu: gnurl: Update to 7.55.0.
> >
> > * gnu/packages/gnunet.scm (gnurl): Update to 7.55.0.
>
> Thanks! Pushed as 28e12d6c81cef2aca7f792f3c99037a649faa9b0.

Great! Can somebody also update the curl replacement?
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlmLSuwACgkQJkb6MLrK
fwiA1A/9H6lQXKM4qZG7E+9UVK3JcezL5T/jXFICt2uvOVEBaw4teYgFba7mT81f
ozq/d+mq+3u6uW6IX03Qm9uu6yH9LsrBb2UxcTfBaNQ/0Xcy6CvaBYwhJ7FKp3cK
VhBBdWb3PEkK7bRoK0p3XY6mwoxCpc4AQZbIKg0Wzc4sStlCqwvzM/n8ORHRT/nh
lbC1koKbrK7IgoF2vtvUQm481pA4ewHBGD8/hgG1jDKbnq9kLV3sNL0ii9cS7m25
M6x0NpSoiNXuzOgpwrl6TWqslLDooY8EObrnpQ72xoq2BWpy9tWIjiXenEyWDgkE
c1ALLDMpiB+9wlCrjJLtnX7umnBaUmMom+NqowHT4WKamYKKk3kEMw1ezHupAekX
Ej2CxDUVNcHKiwRqw1X3vJnvM3psN0RQbSLZLCilFdtuK3gMWYVSwEQEtYfL8E2n
y3i/MwCBknf2O2tf2fHd4kKkPJKAsfujLZ47NnM83v6DFcnnC+CxMfKcYhqpuqcd
4drZM3zFyUmT3d5gr4NtF42s0LlSOKUFgZ7SUJ2hWVcWnG7ssX8K1a63K3ey9Xa0
N+B+bWA4mbhigSgCHF+xhWTwWr3luoWLHM+ax3Hf2E9sFyw1CssSsPfcEvgPciXc
3xSalQGVJ6xsuHITEFV2Ecp7166DFnu9fZNOB1CPI4ioOEnIQRU=
=U/f2
-----END PGP SIGNATURE-----


L
L
Leo Famulari wrote on 9 Aug 2017 20:50
20170809185007.GA1177@jasmine.lan
On Wed, Aug 09, 2017 at 01:48:42PM -0400, Leo Famulari wrote:
Toggle quote (13 lines)
> On Wed, Aug 09, 2017 at 06:25:39PM +0200, Tobias Geerinckx-Rice wrote:
> > ng0 wrote on 09/08/17 at 18:00:
> > > From 13129d51ac4dd5ac7f5e7b74997297139a40be12 Mon Sep 17 00:00:00 2001
> > > From: ng0 <ng0@infotropique.org>
> > > Date: Wed, 9 Aug 2017 15:58:43 +0000
> > > Subject: [PATCH] gnu: gnurl: Update to 7.55.0.
> > >
> > > * gnu/packages/gnunet.scm (gnurl): Update to 7.55.0.
> >
> > Thanks! Pushed as 28e12d6c81cef2aca7f792f3c99037a649faa9b0.
>
> Great! Can somebody also update the curl replacement?

Actually, I'll do it :)
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlmLWVkACgkQJkb6MLrK
fwg1pRAAx2NMSp0+uUbOou0kKT1d7Dk8aCXnao/6RVQ3pWwWLxu9XEEwGchWuuDS
AU6FxpmgdydKlR8BgUc5991h4qcCHYNyFXOCTjv3JO7POsxsyRfydoK6VXhO4ouz
gX0LQbJHBxoyw7Zv8koH886i/OzYNVLSBU8mkYxdndXDzpXN1AWxWDPacJUUIyKn
i9ogc0BLkioW5e23cvVmmoWYsTK1HYD53qXIUEoMA9KYNho3bIbTXhm2dRVd6NqK
9TL+mrQWyuY3IvJlzuXtaUb7KqZPqvUNPenJPzuOQLgfCke8agIMwJ6PO+ic3vG9
D9MerItswkbG40dsOlDRb48+sgrfqG++9+hfVhLOT+3dK2ChV3I/9ZcmN9cV0Fr5
qMw07Jk4Cft0NjhTClsxsz/mLHsOVXXE6Aoxxgh65KmGYegTl0MjZhC46ZDwIEOn
4By8OteYb7ld3HQiDcW3iUBZ8I+fn6dktHqi9XBhYf98rdhE25l1paWIWGB9Opte
5xSu0ahlTZZIMkqL3XRhICEAPTDpDeR1ATeRsHm74IrGfP1xYokWQmXP5utHwsOz
4UZufeYtisFIGOtTSwHxRnRwSZKZKvMydpyzACPu2UzceCy9hPxuoEjZwa20/A7v
1Jt6fyCcKEL9hrmb2tPnF1v71gG2dbPhozdANUG8B76moERQrUk=
=hNN3
-----END PGP SIGNATURE-----


L
L
Leo Famulari wrote on 9 Aug 2017 21:20
20170809192008.GA31762@jasmine.lan
On Wed, Aug 09, 2017 at 02:50:07PM -0400, Leo Famulari wrote:
Toggle quote (16 lines)
> On Wed, Aug 09, 2017 at 01:48:42PM -0400, Leo Famulari wrote:
> > On Wed, Aug 09, 2017 at 06:25:39PM +0200, Tobias Geerinckx-Rice wrote:
> > > ng0 wrote on 09/08/17 at 18:00:
> > > > From 13129d51ac4dd5ac7f5e7b74997297139a40be12 Mon Sep 17 00:00:00 2001
> > > > From: ng0 <ng0@infotropique.org>
> > > > Date: Wed, 9 Aug 2017 15:58:43 +0000
> > > > Subject: [PATCH] gnu: gnurl: Update to 7.55.0.
> > > >
> > > > * gnu/packages/gnunet.scm (gnurl): Update to 7.55.0.
> > >
> > > Thanks! Pushed as 28e12d6c81cef2aca7f792f3c99037a649faa9b0.
> >
> > Great! Can somebody also update the curl replacement?
>
> Actually, I'll do it :)

With the attached patch, it fails to build, because the man 3 pages
aren't built and thus can't be copied into the doc output. I'm not sure
what's going on :/
From 08c84864837fdc6ca44633a05cb2ba166391a063 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Wed, 9 Aug 2017 14:42:21 -0400
Subject: [PATCH] gnu: curl: Update to 7.55.0 [fixes
CVE-2017-{1000100,1000101,1000099}].

* gnu/packages/curl.scm (curl)[replacement]: Update to 7.55.0.
(curl-7.54.1): Replace with ...
(curl-7.55): ... new variable.
---
gnu/packages/curl.scm | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

Toggle diff (35 lines)
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index a9f219b62..82e80bf8f 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -40,7 +40,7 @@
(define-public curl
(package
(name "curl")
- (replacement curl-7.54.1)
+ (replacement curl-7.55)
(version "7.53.0")
(source (origin
(method url-fetch)
@@ -121,15 +121,15 @@ tunneling, and so on.")
"See COPYING in the distribution."))
(home-page "https://curl.haxx.se/")))
-(define curl-7.54.1
+(define curl-7.55
(package
(inherit curl)
- (version "7.54.1")
+ (version "7.55.0")
(source
(origin
(method url-fetch)
(uri (string-append "https://curl.haxx.se/download/curl-"
- version ".tar.lzma"))
+ version ".tar.xz"))
(sha256
(base32
- "0vnv3cz0s1l5cjby86hm0x6pgzqijmdm97qa9q5px200956z6yib"))))))
+ "1785vxi0jamiv9d1wr1l45g0fm9ircxdfyfzf7ld8zv0z0i8bmfd"))))))
--
2.14.0
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlmLYGgACgkQJkb6MLrK
fwjrxQ/9GmxlJrrqOX2kYoN/GJ1MO3gEBPupnko9+QvJasUrfS0Rt//+4nZqXhE6
BjNpyrrpPSZHp48pZ9AQiqVqeMcDDmaP+QOSVe3qfTSsGNDGkTTy7eLEKgDTe+LJ
7vPNn81faVBe28ueJkrAq1yYRggYMK71AfnvipotXOpF92OZFm8Tadk1tvCUgs0n
kUFyAPn51YdNDMxgVkKrrlcmRJJ4wU90zLE2RluGYG47OhB8DsIeSHkFWIQL+6ci
VlofOzmBRW2piwKV4SMC/ZgZ1+mB28TwF2H0AAmGUR6kRl2goZp7WNsN4lGu3HUF
4QdbVfvmElPYIYCCa9Oo4wZWXGg5oa+jXzrzlu+uwv81edQzqTxaaQUaX1r/YiFX
21R1barnAlcgcVJDzGeGa2ISVBBPz5SDqSCkxSrhWFc53cQ/bqtVFzswW7LzzGyY
T6rZJ6e9rMgH2iWfpCyg7w07TrZzH5Bq5m+XNnHYkWMziKBf2ncmGsVFXcGcHS9u
sY6xM1JRwQN7sACxNUCpGt7WZ9AqL5lgdpgzJFexgI1f0YAEscF7vvMGP+E+S0ti
gZHleFbYHWc/ySGpusAVDs2wCs3Y87Q5eNldmHBTJyJZcnA4ftD3FcG9qvDVudOW
4UbC/XrTgIxvwhkIppZWMdAj2kmbR/jTYB8VtBuR5aEKRhv6RrM=
=2PVi
-----END PGP SIGNATURE-----


N
N
ng0 wrote on 9 Aug 2017 21:54
(name . Leo Famulari)(address . leo@famulari.name)
20170809195415.zfrn3m4su53vdsb7@abyayala
Leo Famulari transcribed 1.6K bytes:
Toggle quote (16 lines)
> On Wed, Aug 09, 2017 at 01:48:42PM -0400, Leo Famulari wrote:
> > On Wed, Aug 09, 2017 at 06:25:39PM +0200, Tobias Geerinckx-Rice wrote:
> > > ng0 wrote on 09/08/17 at 18:00:
> > > > From 13129d51ac4dd5ac7f5e7b74997297139a40be12 Mon Sep 17 00:00:00 2001
> > > > From: ng0 <ng0@infotropique.org>
> > > > Date: Wed, 9 Aug 2017 15:58:43 +0000
> > > > Subject: [PATCH] gnu: gnurl: Update to 7.55.0.
> > > >
> > > > * gnu/packages/gnunet.scm (gnurl): Update to 7.55.0.
> > >
> > > Thanks! Pushed as 28e12d6c81cef2aca7f792f3c99037a649faa9b0.
> >
> > Great! Can somebody also update the curl replacement?
>
> Actually, I'll do it :)

Heh. Bam, faster than cURL this time :)
Should I just do cURL and gnURL? I see changes in cURL when I make new
releases for gnURL, but I'm not volunteering for doing both ;)
--
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEqIyK3RKYKNfqwC5S4i+bv+40hYgFAlmLaGcACgkQ4i+bv+40
hYhJDw//bHpojP1ZGvqFszr6s+y65YW4WMV99fx2w7Z0e7fhWcrblGBm97olSuJA
xf68xPv1rUvck7CyPHeRo8yNtAHzqkSTb1RA4DKALgBqlML30/pUbBtu5ki0ZVqh
Fe1S6CFoECamQNBEGIW91uX2SnjCgQ2e2z2OxI5GJ/meYpzV81mlWb5bADV4AHgB
EK2aqd8YNUSfyZEeD/ngKBxujglnOnmN8CSVenXyzBG7dwv/Ggfkp0Aa9CXAhjkg
sPRaTSuhRo5U1wkXYZOXbSiC2KmAh6K0j46oi2sqBAYI+h+EwB/GG7WwZdScYadR
16g7vplw8p/wQrktpH13vxWrG/k4LmajbbgAT2n91lfuGcp35iKC0pKxdt8jhRhg
u+nBW2j46o9jOQkb20BEndsIh+cF/MQAThU+PESHocn4f/ql+xL02JhVCQoaIDVW
z4NKUQt6StcIcGyJtmymsH/ykGh7JVivYFRdg9yLVGjRMQTuReIEESvTpm9GTBql
dsxbFYvRO2y3+clBuRiSUCUWOgfEhsOD6j8IBpqSzSEwIrL0NstVIX59pT40AlxI
/Ivt97D17nw1pP5lw0OibkP3ZO/Cpmnl+2JCL+faAXAnnoanzrnl/kszKKFriPvH
UhIS8v0L4Ju1LPVd977oLYxEyLoPwzc1wdDIpnMmHRHyhFJlQL4=
=qaca
-----END PGP SIGNATURE-----


N
N
ng0 wrote on 9 Aug 2017 22:05
(name . Leo Famulari)(address . leo@famulari.name)
20170809200523.i5k5p23ebdcxvouc@abyayala
Leo Famulari transcribed 3.7K bytes:
Toggle quote (21 lines)
> On Wed, Aug 09, 2017 at 02:50:07PM -0400, Leo Famulari wrote:
> > On Wed, Aug 09, 2017 at 01:48:42PM -0400, Leo Famulari wrote:
> > > On Wed, Aug 09, 2017 at 06:25:39PM +0200, Tobias Geerinckx-Rice wrote:
> > > > ng0 wrote on 09/08/17 at 18:00:
> > > > > From 13129d51ac4dd5ac7f5e7b74997297139a40be12 Mon Sep 17 00:00:00 2001
> > > > > From: ng0 <ng0@infotropique.org>
> > > > > Date: Wed, 9 Aug 2017 15:58:43 +0000
> > > > > Subject: [PATCH] gnu: gnurl: Update to 7.55.0.
> > > > >
> > > > > * gnu/packages/gnunet.scm (gnurl): Update to 7.55.0.
> > > >
> > > > Thanks! Pushed as 28e12d6c81cef2aca7f792f3c99037a649faa9b0.
> > >
> > > Great! Can somebody also update the curl replacement?
> >
> > Actually, I'll do it :)
>
> With the attached patch, it fails to build, because the man 3 pages
> aren't built and thus can't be copied into the doc output. I'm not sure
> what's going on :/

As written on IRC: Take a look at the 2 commits after tagged 7.55.0,
if you apply both you will have a successful build. I did this manually
(by hand, not taking the commits) for gnURL release.

Toggle quote (53 lines)
> From 08c84864837fdc6ca44633a05cb2ba166391a063 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Wed, 9 Aug 2017 14:42:21 -0400
> Subject: [PATCH] gnu: curl: Update to 7.55.0 [fixes
> CVE-2017-{1000100,1000101,1000099}].
>
> * gnu/packages/curl.scm (curl)[replacement]: Update to 7.55.0.
> (curl-7.54.1): Replace with ...
> (curl-7.55): ... new variable.
> ---
> gnu/packages/curl.scm | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
> index a9f219b62..82e80bf8f 100644
> --- a/gnu/packages/curl.scm
> +++ b/gnu/packages/curl.scm
> @@ -40,7 +40,7 @@
> (define-public curl
> (package
> (name "curl")
> - (replacement curl-7.54.1)
> + (replacement curl-7.55)
> (version "7.53.0")
> (source (origin
> (method url-fetch)
> @@ -121,15 +121,15 @@ tunneling, and so on.")
> "See COPYING in the distribution."))
> (home-page "https://curl.haxx.se/")))
>
> -(define curl-7.54.1
> +(define curl-7.55
> (package
> (inherit curl)
> - (version "7.54.1")
> + (version "7.55.0")
> (source
> (origin
> (method url-fetch)
> (uri (string-append "https://curl.haxx.se/download/curl-"
> - version ".tar.lzma"))
> + version ".tar.xz"))
> (sha256
> (base32
> - "0vnv3cz0s1l5cjby86hm0x6pgzqijmdm97qa9q5px200956z6yib"))))))
> + "1785vxi0jamiv9d1wr1l45g0fm9ircxdfyfzf7ld8zv0z0i8bmfd"))))))
> --
> 2.14.0
>




--
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEqIyK3RKYKNfqwC5S4i+bv+40hYgFAlmLawMACgkQ4i+bv+40
hYhFxA//RD0kVwC0IoWBucg66FD0hGS+4hEzPERKhij5LydhLYL/KE05QPfsnv1V
xRh3B5SuQkDzTILNS6WJiACjhuCIunuUfC6OX8kzOiTAuAdwA9MVZN49J9SHRtlb
mN8togbjUp7SBMOKAdUXjWni7E+FcjDAbKzhhDNX60KulsuhIvsjNJ6yZNtrlFDI
Kh+iYGVLcXeH+DwrsmO9rKJrvIFQRuteI4B9MOfcEu8p52ViE1bTYwlduNmQ/BQ7
NXrpIIWuKD9RLZpYets2kG74/drE5QP9xZd8oaYk+/o0XfjYFR5NcSSIpV0miiMi
LjOlMiklIe2b9kPpkSPFb+omAYFGOmh1fmx9bJ7UrJNsF93wmLCAF8r29CS9YKXO
/l1vN8M16F80VEM3ioOh5jNjWPtq6uGiHxIRPxcM3v9SVQFv2klgd96h1J/vmgvn
eA5QyTqC5q/ElqypOenIFLejIMAfJ1e4jQ8tqgFZzLqn3grRQHb67JGNOo+5s+pY
8L6BYFmkZ67HGML1pd5LNwLQsmxjH1mOYR8/E+fcmPbc2GPiz01IWM4GcXa5MtAq
WCpYCS/M88zhsRN+Z5s5blzFAtVWrAnG60fMKJpkPU26TtAjmuU6kY2fh0zmmDJz
dDUSBBet20dQHpJ6h4h0w7ALXjMIzTrAkSjeHpCPieCcNXiQbeI=
=cS4s
-----END PGP SIGNATURE-----


M
M
Marius Bakke wrote on 9 Aug 2017 22:22
Re: [bug#28027] curl security update [was Re: bug#28027: gnURL 7.55.0]
87inhw4hkd.fsf@fastmail.com
ng0 <ng0@infotropique.org> writes:

Toggle quote (26 lines)
> Leo Famulari transcribed 3.7K bytes:
>> On Wed, Aug 09, 2017 at 02:50:07PM -0400, Leo Famulari wrote:
>> > On Wed, Aug 09, 2017 at 01:48:42PM -0400, Leo Famulari wrote:
>> > > On Wed, Aug 09, 2017 at 06:25:39PM +0200, Tobias Geerinckx-Rice wrote:
>> > > > ng0 wrote on 09/08/17 at 18:00:
>> > > > > From 13129d51ac4dd5ac7f5e7b74997297139a40be12 Mon Sep 17 00:00:00 2001
>> > > > > From: ng0 <ng0@infotropique.org>
>> > > > > Date: Wed, 9 Aug 2017 15:58:43 +0000
>> > > > > Subject: [PATCH] gnu: gnurl: Update to 7.55.0.
>> > > > >
>> > > > > * gnu/packages/gnunet.scm (gnurl): Update to 7.55.0.
>> > > >
>> > > > Thanks! Pushed as 28e12d6c81cef2aca7f792f3c99037a649faa9b0.
>> > >
>> > > Great! Can somebody also update the curl replacement?
>> >
>> > Actually, I'll do it :)
>>
>> With the attached patch, it fails to build, because the man 3 pages
>> aren't built and thus can't be copied into the doc output. I'm not sure
>> what's going on :/
>
> As written on IRC: Take a look at the 2 commits after tagged 7.55.0,
> if you apply both you will have a successful build. I did this manually
> (by hand, not taking the commits) for gnURL release.

Here is a patch that fixes the doc installation:
From f93502a48b368c74ba4ed1ff573f07f59b8c91f1 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Wed, 9 Aug 2017 21:04:04 +0200
Subject: [PATCH] gnu: curl: Replace with 7.55.0 [security fixes].

Fixes CVE-2017-1000099, CVE-2017-1000100, and CVE-2017-100101.

* gnu/packages/curl.scm (curl)[replacement]: New field.
(curl-7.55.0): New variable.
---
gnu/packages/curl.scm | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)

Toggle diff (58 lines)
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index af15aa38c..0c551e108 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -4,6 +4,7 @@
;;; Copyright © 2015 Tomáš ?ech <sleep_walker@suse.cz>
;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -24,6 +25,7 @@
#:use-module ((guix licenses) #:prefix license:)
#:use-module (guix packages)
#:use-module (guix download)
+ #:use-module (guix utils)
#:use-module (guix build-system gnu)
#:use-module (gnu packages)
#:use-module (gnu packages compression)
@@ -40,6 +42,7 @@
(define-public curl
(package
(name "curl")
+ (replacement curl-7.55.0)
(version "7.54.1")
(source (origin
(method url-fetch)
@@ -119,3 +122,27 @@ tunneling, and so on.")
(license (license:non-copyleft "file://COPYING"
"See COPYING in the distribution."))
(home-page "https://curl.haxx.se/")))
+
+(define-public curl-7.55.0
+ (package
+ (inherit curl)
+ (version "7.55.0")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "https://curl.haxx.se/download/curl-"
+ version ".tar.xz"))
+ (sha256
+ (base32
+ "1785vxi0jamiv9d1wr1l45g0fm9ircxdfyfzf7ld8zv0z0i8bmfd"))))
+ (arguments
+ `(,@(substitute-keyword-arguments (package-arguments curl)
+ ((#:phases phases)
+ `(modify-phases ,phases
+ (add-before 'install 'fix-Makefile
+ ;; Fix a regression in 7.55 where docs are not installed.
+ ;; https://github.com/curl/curl/commit/a7bbbb7c368c6096802007f61f19a02e9d75285b
+ (lambda _
+ (substitute* "Makefile"
+ (("install-data-hook:\n")
+ "install-data-hook:\n\tcd docs/libcurl && $(MAKE) install\n"))
+ #t)))))))))
--
2.14.0
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlmLbxIACgkQoqBt8qM6
VPoKMQf/cg9vgZks+cIKWlNG6VnwJAibcfcp22YOk61WT+E5570YRUoIY/9HDXES
x0LWdI+ibPVYlnLuOZ9sL3cT9w5t18IkPL/mgvBn1KUjyi87VBZZyeCnkKilFAk3
BL7/MnzcnplY5qC9yBgqbYcoI9CCUj4v12Xy20L7jAHsA8A6OeQeud9cpZ+/J9sJ
vEIJ8cWWXtBaaHjqgtwsZUwa7vov5ndjhTYhMQ2+4Xnt3qWg6CTeWwb8QXFMf6a2
2z4gpjCSSpaQkOXzNYQHnjVKdC2GRgNhXXho46aE0SRGjwttCys1RlkyLP7mQwlm
8IjRvSzTDSWiWAsPhrSYVkTQZc+dZw==
=5Y/L
-----END PGP SIGNATURE-----

M
M
Marius Bakke wrote on 9 Aug 2017 23:55
871sok4d9n.fsf@fastmail.com
Leo Famulari <leo@famulari.name> writes:

Toggle quote (21 lines)
> On Wed, Aug 09, 2017 at 02:50:07PM -0400, Leo Famulari wrote:
>> On Wed, Aug 09, 2017 at 01:48:42PM -0400, Leo Famulari wrote:
>> > On Wed, Aug 09, 2017 at 06:25:39PM +0200, Tobias Geerinckx-Rice wrote:
>> > > ng0 wrote on 09/08/17 at 18:00:
>> > > > From 13129d51ac4dd5ac7f5e7b74997297139a40be12 Mon Sep 17 00:00:00 2001
>> > > > From: ng0 <ng0@infotropique.org>
>> > > > Date: Wed, 9 Aug 2017 15:58:43 +0000
>> > > > Subject: [PATCH] gnu: gnurl: Update to 7.55.0.
>> > > >
>> > > > * gnu/packages/gnunet.scm (gnurl): Update to 7.55.0.
>> > >
>> > > Thanks! Pushed as 28e12d6c81cef2aca7f792f3c99037a649faa9b0.
>> >
>> > Great! Can somebody also update the curl replacement?
>>
>> Actually, I'll do it :)
>
> With the attached patch, it fails to build, because the man 3 pages
> aren't built and thus can't be copied into the doc output. I'm not sure
> what's going on :/

It seems our worked collided again. :-)

I 'ported' the earlier patch to master and will push it shortly if there
are no objections:
From 6f9bbbafd4cc857c2b093f3cced6df2e45f56aab Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Wed, 9 Aug 2017 21:04:04 +0200
Subject: [PATCH] gnu: curl: Replace with 7.55.0 [security fixes].

Fixes CVE-2017-1000099, CVE-2017-1000100, and CVE-2017-100101.

* gnu/packages/curl.scm (curl)[replacement]: New field.
(curl-7.55.0): New variable.
---
gnu/packages/curl.scm | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)

Toggle diff (63 lines)
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index a9f219b62..d6e32e438 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -4,6 +4,7 @@
;;; Copyright © 2015 Tomáš ?ech <sleep_walker@suse.cz>
;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -24,6 +25,7 @@
#:use-module ((guix licenses) #:prefix license:)
#:use-module (guix packages)
#:use-module (guix download)
+ #:use-module (guix utils)
#:use-module (guix build-system gnu)
#:use-module (gnu packages)
#:use-module (gnu packages compression)
@@ -40,7 +42,7 @@
(define-public curl
(package
(name "curl")
- (replacement curl-7.54.1)
+ (replacement curl-7.55.0)
(version "7.53.0")
(source (origin
(method url-fetch)
@@ -121,15 +123,27 @@ tunneling, and so on.")
"See COPYING in the distribution."))
(home-page "https://curl.haxx.se/")))
-(define curl-7.54.1
+(define-public curl-7.55.0
(package
(inherit curl)
- (version "7.54.1")
+ (version "7.55.0")
(source
(origin
(method url-fetch)
(uri (string-append "https://curl.haxx.se/download/curl-"
- version ".tar.lzma"))
+ version ".tar.xz"))
(sha256
(base32
- "0vnv3cz0s1l5cjby86hm0x6pgzqijmdm97qa9q5px200956z6yib"))))))
+ "1785vxi0jamiv9d1wr1l45g0fm9ircxdfyfzf7ld8zv0z0i8bmfd"))))
+ (arguments
+ `(,@(substitute-keyword-arguments (package-arguments curl)
+ ((#:phases phases)
+ `(modify-phases ,phases
+ (add-before 'install 'fix-Makefile
+ ;; Fix a regression in 7.55.0 where docs are not installed.
+ ;; https://github.com/curl/curl/commit/a7bbbb7c368c6096802007f61f19a02e9d75285b
+ (lambda _
+ (substitute* "Makefile"
+ (("install-data-hook:\n")
+ "install-data-hook:\n\tcd docs/libcurl && $(MAKE) install\n"))
+ #t)))))))))
--
2.14.0
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlmLhNQACgkQoqBt8qM6
VPp33Af9Ghlt9iJ4VRewUlx+niChr3cu9vme3VYB0ctUZONLtm+VOxtMgge2d7zZ
1qQcphoNHcBbWrXD6VTo9ljmJ5b3f6mNRFfYjLyzY7YcXyIYYAfXjJbRh5gpB8Jn
X2fWDwnAwiXWfbV47uNm4yJFUXn8dDNFSMtJzIkdIJZfD9XQY3wBLnbVIzQENjEJ
iAu1aGplDwbxVKljrzLyp2dFxicG7OYJvNrD55Ox1Yd8fBmQHhoMbncrEhcW1YqY
i9rV5VwAPN0OPfU9LYZU6MZ9scc9WDJdUy2/3gksclaStB1f/bQ+nODHivGxz+aC
Ax8lHvFFGbcWBDQV6ihlnJqE/uhlJw==
=74dL
-----END PGP SIGNATURE-----

?