gnURL 7.55.0

  • Done
  • quality assurance status badge
Details
4 participants
  • Leo Famulari
  • Marius Bakke
  • Tobias Geerinckx-Rice
  • ng0
Owner
unassigned
Submitted by
ng0
Severity
normal
N
N
ng0 wrote on 9 Aug 2017 18:00
(address . guix-patches@gnu.org)
20170809160025.2w2theyhhrba4zsd@abyayala
Appended patch.
--
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
From 13129d51ac4dd5ac7f5e7b74997297139a40be12 Mon Sep 17 00:00:00 2001
From: ng0 <ng0@infotropique.org>
Date: Wed, 9 Aug 2017 15:58:43 +0000
Subject: [PATCH] gnu: gnurl: Update to 7.55.0.

* gnu/packages/gnunet.scm (gnurl): Update to 7.55.0.
---
gnu/packages/gnunet.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

Toggle diff (32 lines)
diff --git a/gnu/packages/gnunet.scm b/gnu/packages/gnunet.scm
index 9ca2d9502..497afaf66 100644
--- a/gnu/packages/gnunet.scm
+++ b/gnu/packages/gnunet.scm
@@ -5,7 +5,7 @@
;;; Copyright © 2015 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2016 Mark H Weaver <mhw@netris.org>
-;;; Copyright © 2016, 2017 ng0 <ng0@no-reply.infotropique.org>
+;;; Copyright © 2016, 2017 ng0 <ng0@infotropique.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -186,14 +186,14 @@ and support for SSL3 and TLS.")
(define-public gnurl
(package
(name "gnurl")
- (version "7.54.1")
+ (version "7.55.0")
(source (origin
(method url-fetch)
(uri (string-append "https://gnunet.org/sites/default/files/"
name "-" version ".tar.bz2"))
(sha256
(base32
- "0szbj352h95sgc9kbx9wzkgjksmg3g5k6cvlc7hz3wrbdh5gb0a4"))))
+ "0i9bik76rbyag3mbxbk8j383iaxs5v7lmjkn4v36ascl6bdks6vn"))))
(build-system gnu-build-system)
(outputs '("out"
"doc")) ; 1.5 MiB of man3 pages
--
2.14.0
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEqIyK3RKYKNfqwC5S4i+bv+40hYgFAlmLMZkACgkQ4i+bv+40
hYggVQ/+JCyysLnh5NAsqAmL3tplZmC5FfZb1UflV/P1YeY88LzwNJAY7yfhuIw6
PTiPJ8L6u9GDVJoJg2SlIlGd7Z0PXRrTbpxE8E9krC16AnsXb/5J8QV7yNNuG2Wk
+EdqccwtN9m6e6unoEmQCZ8pvgYUWpiR4wMzLQnncQ1C3K/E1h0RSaE/M5a5gmp0
uQIUYioAlZT/Ik7wTmEbK3225v+0pR0OXfM10h4+zR+Nv3mCo6enPi5OyILjbXrR
1WMIrkoPootAZKbut9JQvF9HqUMGW0Z4Vu6b7ZXq7Lg7HcqzSxe8lUPXacuynCub
ADOYf7UlHvhUNdQBGoGNmRxaiIfL7P0e5m6wtzaNO8pMA3kXIGh4atrp8o5b16Q2
3TWwCTBPTlhY3chBMpNRow9Z/NZh5ClbQNjxTdnEVXB2lJWVDtAq2FSSioB3Au6M
b6wuczU4YmiwkexD0G5qQzwwfu1Sl8UJCpMxWd3TI/cc2k8S+Bt2xuhjXn23Wj92
I0RhJAlu3fUoTj+9C54QitcoBln6i7IyfxXmAka4kzT5h0RVUyudsH9SFvjCtjo+
a39FY17RLSBsrFc1wnX0LIwFs64XD/l2XeVVVbjtqyCXazXCuooYzUWAh+xsT7pH
liRqIGhtEV/GKrEe48zYp65XMxVfCqrMYU+k+hhuCog13GbADkY=
=OLSb
-----END PGP SIGNATURE-----


T
T
Tobias Geerinckx-Rice wrote on 9 Aug 2017 18:25
(address . 28027-done@debbugs.gnu.org)
9e3ce4e5-de13-1fbb-5a6f-71d38fa218ce@tobias.gr
ng0 wrote on 09/08/17 at 18:00:
Toggle quote (7 lines)
> From 13129d51ac4dd5ac7f5e7b74997297139a40be12 Mon Sep 17 00:00:00 2001
> From: ng0 <ng0@infotropique.org>
> Date: Wed, 9 Aug 2017 15:58:43 +0000
> Subject: [PATCH] gnu: gnurl: Update to 7.55.0.
>
> * gnu/packages/gnunet.scm (gnurl): Update to 7.55.0.

Thanks! Pushed as 28e12d6c81cef2aca7f792f3c99037a649faa9b0.

Kind regards,

T G-R
Attachment: signature.asc
Closed
L
L
Leo Famulari wrote on 9 Aug 2017 19:48
curl security update [was Re: bug#28027: gnURL 7.55.0]
20170809174842.GA24193@jasmine.lan
On Wed, Aug 09, 2017 at 06:25:39PM +0200, Tobias Geerinckx-Rice wrote:
Toggle quote (10 lines)
> ng0 wrote on 09/08/17 at 18:00:
> > From 13129d51ac4dd5ac7f5e7b74997297139a40be12 Mon Sep 17 00:00:00 2001
> > From: ng0 <ng0@infotropique.org>
> > Date: Wed, 9 Aug 2017 15:58:43 +0000
> > Subject: [PATCH] gnu: gnurl: Update to 7.55.0.
> >
> > * gnu/packages/gnunet.scm (gnurl): Update to 7.55.0.
>
> Thanks! Pushed as 28e12d6c81cef2aca7f792f3c99037a649faa9b0.

Great! Can somebody also update the curl replacement?
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlmLSuwACgkQJkb6MLrK
fwiA1A/9H6lQXKM4qZG7E+9UVK3JcezL5T/jXFICt2uvOVEBaw4teYgFba7mT81f
ozq/d+mq+3u6uW6IX03Qm9uu6yH9LsrBb2UxcTfBaNQ/0Xcy6CvaBYwhJ7FKp3cK
VhBBdWb3PEkK7bRoK0p3XY6mwoxCpc4AQZbIKg0Wzc4sStlCqwvzM/n8ORHRT/nh
lbC1koKbrK7IgoF2vtvUQm481pA4ewHBGD8/hgG1jDKbnq9kLV3sNL0ii9cS7m25
M6x0NpSoiNXuzOgpwrl6TWqslLDooY8EObrnpQ72xoq2BWpy9tWIjiXenEyWDgkE
c1ALLDMpiB+9wlCrjJLtnX7umnBaUmMom+NqowHT4WKamYKKk3kEMw1ezHupAekX
Ej2CxDUVNcHKiwRqw1X3vJnvM3psN0RQbSLZLCilFdtuK3gMWYVSwEQEtYfL8E2n
y3i/MwCBknf2O2tf2fHd4kKkPJKAsfujLZ47NnM83v6DFcnnC+CxMfKcYhqpuqcd
4drZM3zFyUmT3d5gr4NtF42s0LlSOKUFgZ7SUJ2hWVcWnG7ssX8K1a63K3ey9Xa0
N+B+bWA4mbhigSgCHF+xhWTwWr3luoWLHM+ax3Hf2E9sFyw1CssSsPfcEvgPciXc
3xSalQGVJ6xsuHITEFV2Ecp7166DFnu9fZNOB1CPI4ioOEnIQRU=
=U/f2
-----END PGP SIGNATURE-----


L
L
Leo Famulari wrote on 9 Aug 2017 20:50
20170809185007.GA1177@jasmine.lan
On Wed, Aug 09, 2017 at 01:48:42PM -0400, Leo Famulari wrote:
Toggle quote (13 lines)
> On Wed, Aug 09, 2017 at 06:25:39PM +0200, Tobias Geerinckx-Rice wrote:
> > ng0 wrote on 09/08/17 at 18:00:
> > > From 13129d51ac4dd5ac7f5e7b74997297139a40be12 Mon Sep 17 00:00:00 2001
> > > From: ng0 <ng0@infotropique.org>
> > > Date: Wed, 9 Aug 2017 15:58:43 +0000
> > > Subject: [PATCH] gnu: gnurl: Update to 7.55.0.
> > >
> > > * gnu/packages/gnunet.scm (gnurl): Update to 7.55.0.
> >
> > Thanks! Pushed as 28e12d6c81cef2aca7f792f3c99037a649faa9b0.
>
> Great! Can somebody also update the curl replacement?

Actually, I'll do it :)
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlmLWVkACgkQJkb6MLrK
fwg1pRAAx2NMSp0+uUbOou0kKT1d7Dk8aCXnao/6RVQ3pWwWLxu9XEEwGchWuuDS
AU6FxpmgdydKlR8BgUc5991h4qcCHYNyFXOCTjv3JO7POsxsyRfydoK6VXhO4ouz
gX0LQbJHBxoyw7Zv8koH886i/OzYNVLSBU8mkYxdndXDzpXN1AWxWDPacJUUIyKn
i9ogc0BLkioW5e23cvVmmoWYsTK1HYD53qXIUEoMA9KYNho3bIbTXhm2dRVd6NqK
9TL+mrQWyuY3IvJlzuXtaUb7KqZPqvUNPenJPzuOQLgfCke8agIMwJ6PO+ic3vG9
D9MerItswkbG40dsOlDRb48+sgrfqG++9+hfVhLOT+3dK2ChV3I/9ZcmN9cV0Fr5
qMw07Jk4Cft0NjhTClsxsz/mLHsOVXXE6Aoxxgh65KmGYegTl0MjZhC46ZDwIEOn
4By8OteYb7ld3HQiDcW3iUBZ8I+fn6dktHqi9XBhYf98rdhE25l1paWIWGB9Opte
5xSu0ahlTZZIMkqL3XRhICEAPTDpDeR1ATeRsHm74IrGfP1xYokWQmXP5utHwsOz
4UZufeYtisFIGOtTSwHxRnRwSZKZKvMydpyzACPu2UzceCy9hPxuoEjZwa20/A7v
1Jt6fyCcKEL9hrmb2tPnF1v71gG2dbPhozdANUG8B76moERQrUk=
=hNN3
-----END PGP SIGNATURE-----


L
L
Leo Famulari wrote on 9 Aug 2017 21:20
20170809192008.GA31762@jasmine.lan
On Wed, Aug 09, 2017 at 02:50:07PM -0400, Leo Famulari wrote:
Toggle quote (16 lines)
> On Wed, Aug 09, 2017 at 01:48:42PM -0400, Leo Famulari wrote:
> > On Wed, Aug 09, 2017 at 06:25:39PM +0200, Tobias Geerinckx-Rice wrote:
> > > ng0 wrote on 09/08/17 at 18:00:
> > > > From 13129d51ac4dd5ac7f5e7b74997297139a40be12 Mon Sep 17 00:00:00 2001
> > > > From: ng0 <ng0@infotropique.org>
> > > > Date: Wed, 9 Aug 2017 15:58:43 +0000
> > > > Subject: [PATCH] gnu: gnurl: Update to 7.55.0.
> > > >
> > > > * gnu/packages/gnunet.scm (gnurl): Update to 7.55.0.
> > >
> > > Thanks! Pushed as 28e12d6c81cef2aca7f792f3c99037a649faa9b0.
> >
> > Great! Can somebody also update the curl replacement?
>
> Actually, I'll do it :)

With the attached patch, it fails to build, because the man 3 pages
aren't built and thus can't be copied into the doc output. I'm not sure
what's going on :/
From 08c84864837fdc6ca44633a05cb2ba166391a063 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Wed, 9 Aug 2017 14:42:21 -0400
Subject: [PATCH] gnu: curl: Update to 7.55.0 [fixes
CVE-2017-{1000100,1000101,1000099}].

* gnu/packages/curl.scm (curl)[replacement]: Update to 7.55.0.
(curl-7.54.1): Replace with ...
(curl-7.55): ... new variable.
---
gnu/packages/curl.scm | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

Toggle diff (35 lines)
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index a9f219b62..82e80bf8f 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -40,7 +40,7 @@
(define-public curl
(package
(name "curl")
- (replacement curl-7.54.1)
+ (replacement curl-7.55)
(version "7.53.0")
(source (origin
(method url-fetch)
@@ -121,15 +121,15 @@ tunneling, and so on.")
"See COPYING in the distribution."))
(home-page "https://curl.haxx.se/")))
-(define curl-7.54.1
+(define curl-7.55
(package
(inherit curl)
- (version "7.54.1")
+ (version "7.55.0")
(source
(origin
(method url-fetch)
(uri (string-append "https://curl.haxx.se/download/curl-"
- version ".tar.lzma"))
+ version ".tar.xz"))
(sha256
(base32
- "0vnv3cz0s1l5cjby86hm0x6pgzqijmdm97qa9q5px200956z6yib"))))))
+ "1785vxi0jamiv9d1wr1l45g0fm9ircxdfyfzf7ld8zv0z0i8bmfd"))))))
--
2.14.0
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlmLYGgACgkQJkb6MLrK
fwjrxQ/9GmxlJrrqOX2kYoN/GJ1MO3gEBPupnko9+QvJasUrfS0Rt//+4nZqXhE6
BjNpyrrpPSZHp48pZ9AQiqVqeMcDDmaP+QOSVe3qfTSsGNDGkTTy7eLEKgDTe+LJ
7vPNn81faVBe28ueJkrAq1yYRggYMK71AfnvipotXOpF92OZFm8Tadk1tvCUgs0n
kUFyAPn51YdNDMxgVkKrrlcmRJJ4wU90zLE2RluGYG47OhB8DsIeSHkFWIQL+6ci
VlofOzmBRW2piwKV4SMC/ZgZ1+mB28TwF2H0AAmGUR6kRl2goZp7WNsN4lGu3HUF
4QdbVfvmElPYIYCCa9Oo4wZWXGg5oa+jXzrzlu+uwv81edQzqTxaaQUaX1r/YiFX
21R1barnAlcgcVJDzGeGa2ISVBBPz5SDqSCkxSrhWFc53cQ/bqtVFzswW7LzzGyY
T6rZJ6e9rMgH2iWfpCyg7w07TrZzH5Bq5m+XNnHYkWMziKBf2ncmGsVFXcGcHS9u
sY6xM1JRwQN7sACxNUCpGt7WZ9AqL5lgdpgzJFexgI1f0YAEscF7vvMGP+E+S0ti
gZHleFbYHWc/ySGpusAVDs2wCs3Y87Q5eNldmHBTJyJZcnA4ftD3FcG9qvDVudOW
4UbC/XrTgIxvwhkIppZWMdAj2kmbR/jTYB8VtBuR5aEKRhv6RrM=
=2PVi
-----END PGP SIGNATURE-----


N
N
ng0 wrote on 9 Aug 2017 21:54
(name . Leo Famulari)(address . leo@famulari.name)
20170809195415.zfrn3m4su53vdsb7@abyayala
Leo Famulari transcribed 1.6K bytes:
Toggle quote (16 lines)
> On Wed, Aug 09, 2017 at 01:48:42PM -0400, Leo Famulari wrote:
> > On Wed, Aug 09, 2017 at 06:25:39PM +0200, Tobias Geerinckx-Rice wrote:
> > > ng0 wrote on 09/08/17 at 18:00:
> > > > From 13129d51ac4dd5ac7f5e7b74997297139a40be12 Mon Sep 17 00:00:00 2001
> > > > From: ng0 <ng0@infotropique.org>
> > > > Date: Wed, 9 Aug 2017 15:58:43 +0000
> > > > Subject: [PATCH] gnu: gnurl: Update to 7.55.0.
> > > >
> > > > * gnu/packages/gnunet.scm (gnurl): Update to 7.55.0.
> > >
> > > Thanks! Pushed as 28e12d6c81cef2aca7f792f3c99037a649faa9b0.
> >
> > Great! Can somebody also update the curl replacement?
>
> Actually, I'll do it :)

Heh. Bam, faster than cURL this time :)
Should I just do cURL and gnURL? I see changes in cURL when I make new
releases for gnURL, but I'm not volunteering for doing both ;)
--
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEqIyK3RKYKNfqwC5S4i+bv+40hYgFAlmLaGcACgkQ4i+bv+40
hYhJDw//bHpojP1ZGvqFszr6s+y65YW4WMV99fx2w7Z0e7fhWcrblGBm97olSuJA
xf68xPv1rUvck7CyPHeRo8yNtAHzqkSTb1RA4DKALgBqlML30/pUbBtu5ki0ZVqh
Fe1S6CFoECamQNBEGIW91uX2SnjCgQ2e2z2OxI5GJ/meYpzV81mlWb5bADV4AHgB
EK2aqd8YNUSfyZEeD/ngKBxujglnOnmN8CSVenXyzBG7dwv/Ggfkp0Aa9CXAhjkg
sPRaTSuhRo5U1wkXYZOXbSiC2KmAh6K0j46oi2sqBAYI+h+EwB/GG7WwZdScYadR
16g7vplw8p/wQrktpH13vxWrG/k4LmajbbgAT2n91lfuGcp35iKC0pKxdt8jhRhg
u+nBW2j46o9jOQkb20BEndsIh+cF/MQAThU+PESHocn4f/ql+xL02JhVCQoaIDVW
z4NKUQt6StcIcGyJtmymsH/ykGh7JVivYFRdg9yLVGjRMQTuReIEESvTpm9GTBql
dsxbFYvRO2y3+clBuRiSUCUWOgfEhsOD6j8IBpqSzSEwIrL0NstVIX59pT40AlxI
/Ivt97D17nw1pP5lw0OibkP3ZO/Cpmnl+2JCL+faAXAnnoanzrnl/kszKKFriPvH
UhIS8v0L4Ju1LPVd977oLYxEyLoPwzc1wdDIpnMmHRHyhFJlQL4=
=qaca
-----END PGP SIGNATURE-----


N
N
ng0 wrote on 9 Aug 2017 22:05
(name . Leo Famulari)(address . leo@famulari.name)
20170809200523.i5k5p23ebdcxvouc@abyayala
Leo Famulari transcribed 3.7K bytes:
Toggle quote (21 lines)
> On Wed, Aug 09, 2017 at 02:50:07PM -0400, Leo Famulari wrote:
> > On Wed, Aug 09, 2017 at 01:48:42PM -0400, Leo Famulari wrote:
> > > On Wed, Aug 09, 2017 at 06:25:39PM +0200, Tobias Geerinckx-Rice wrote:
> > > > ng0 wrote on 09/08/17 at 18:00:
> > > > > From 13129d51ac4dd5ac7f5e7b74997297139a40be12 Mon Sep 17 00:00:00 2001
> > > > > From: ng0 <ng0@infotropique.org>
> > > > > Date: Wed, 9 Aug 2017 15:58:43 +0000
> > > > > Subject: [PATCH] gnu: gnurl: Update to 7.55.0.
> > > > >
> > > > > * gnu/packages/gnunet.scm (gnurl): Update to 7.55.0.
> > > >
> > > > Thanks! Pushed as 28e12d6c81cef2aca7f792f3c99037a649faa9b0.
> > >
> > > Great! Can somebody also update the curl replacement?
> >
> > Actually, I'll do it :)
>
> With the attached patch, it fails to build, because the man 3 pages
> aren't built and thus can't be copied into the doc output. I'm not sure
> what's going on :/

As written on IRC: Take a look at the 2 commits after tagged 7.55.0,
if you apply both you will have a successful build. I did this manually
(by hand, not taking the commits) for gnURL release.

Toggle quote (53 lines)
> From 08c84864837fdc6ca44633a05cb2ba166391a063 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Wed, 9 Aug 2017 14:42:21 -0400
> Subject: [PATCH] gnu: curl: Update to 7.55.0 [fixes
> CVE-2017-{1000100,1000101,1000099}].
>
> * gnu/packages/curl.scm (curl)[replacement]: Update to 7.55.0.
> (curl-7.54.1): Replace with ...
> (curl-7.55): ... new variable.
> ---
> gnu/packages/curl.scm | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
> index a9f219b62..82e80bf8f 100644
> --- a/gnu/packages/curl.scm
> +++ b/gnu/packages/curl.scm
> @@ -40,7 +40,7 @@
> (define-public curl
> (package
> (name "curl")
> - (replacement curl-7.54.1)
> + (replacement curl-7.55)
> (version "7.53.0")
> (source (origin
> (method url-fetch)
> @@ -121,15 +121,15 @@ tunneling, and so on.")
> "See COPYING in the distribution."))
> (home-page "https://curl.haxx.se/")))
>
> -(define curl-7.54.1
> +(define curl-7.55
> (package
> (inherit curl)
> - (version "7.54.1")
> + (version "7.55.0")
> (source
> (origin
> (method url-fetch)
> (uri (string-append "https://curl.haxx.se/download/curl-"
> - version ".tar.lzma"))
> + version ".tar.xz"))
> (sha256
> (base32
> - "0vnv3cz0s1l5cjby86hm0x6pgzqijmdm97qa9q5px200956z6yib"))))))
> + "1785vxi0jamiv9d1wr1l45g0fm9ircxdfyfzf7ld8zv0z0i8bmfd"))))))
> --
> 2.14.0
>




--
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEqIyK3RKYKNfqwC5S4i+bv+40hYgFAlmLawMACgkQ4i+bv+40
hYhFxA//RD0kVwC0IoWBucg66FD0hGS+4hEzPERKhij5LydhLYL/KE05QPfsnv1V
xRh3B5SuQkDzTILNS6WJiACjhuCIunuUfC6OX8kzOiTAuAdwA9MVZN49J9SHRtlb
mN8togbjUp7SBMOKAdUXjWni7E+FcjDAbKzhhDNX60KulsuhIvsjNJ6yZNtrlFDI
Kh+iYGVLcXeH+DwrsmO9rKJrvIFQRuteI4B9MOfcEu8p52ViE1bTYwlduNmQ/BQ7
NXrpIIWuKD9RLZpYets2kG74/drE5QP9xZd8oaYk+/o0XfjYFR5NcSSIpV0miiMi
LjOlMiklIe2b9kPpkSPFb+omAYFGOmh1fmx9bJ7UrJNsF93wmLCAF8r29CS9YKXO
/l1vN8M16F80VEM3ioOh5jNjWPtq6uGiHxIRPxcM3v9SVQFv2klgd96h1J/vmgvn
eA5QyTqC5q/ElqypOenIFLejIMAfJ1e4jQ8tqgFZzLqn3grRQHb67JGNOo+5s+pY
8L6BYFmkZ67HGML1pd5LNwLQsmxjH1mOYR8/E+fcmPbc2GPiz01IWM4GcXa5MtAq
WCpYCS/M88zhsRN+Z5s5blzFAtVWrAnG60fMKJpkPU26TtAjmuU6kY2fh0zmmDJz
dDUSBBet20dQHpJ6h4h0w7ALXjMIzTrAkSjeHpCPieCcNXiQbeI=
=cS4s
-----END PGP SIGNATURE-----


M
M
Marius Bakke wrote on 9 Aug 2017 22:22
Re: [bug#28027] curl security update [was Re: bug#28027: gnURL 7.55.0]
87inhw4hkd.fsf@fastmail.com
ng0 <ng0@infotropique.org> writes:

Toggle quote (26 lines)
> Leo Famulari transcribed 3.7K bytes:
>> On Wed, Aug 09, 2017 at 02:50:07PM -0400, Leo Famulari wrote:
>> > On Wed, Aug 09, 2017 at 01:48:42PM -0400, Leo Famulari wrote:
>> > > On Wed, Aug 09, 2017 at 06:25:39PM +0200, Tobias Geerinckx-Rice wrote:
>> > > > ng0 wrote on 09/08/17 at 18:00:
>> > > > > From 13129d51ac4dd5ac7f5e7b74997297139a40be12 Mon Sep 17 00:00:00 2001
>> > > > > From: ng0 <ng0@infotropique.org>
>> > > > > Date: Wed, 9 Aug 2017 15:58:43 +0000
>> > > > > Subject: [PATCH] gnu: gnurl: Update to 7.55.0.
>> > > > >
>> > > > > * gnu/packages/gnunet.scm (gnurl): Update to 7.55.0.
>> > > >
>> > > > Thanks! Pushed as 28e12d6c81cef2aca7f792f3c99037a649faa9b0.
>> > >
>> > > Great! Can somebody also update the curl replacement?
>> >
>> > Actually, I'll do it :)
>>
>> With the attached patch, it fails to build, because the man 3 pages
>> aren't built and thus can't be copied into the doc output. I'm not sure
>> what's going on :/
>
> As written on IRC: Take a look at the 2 commits after tagged 7.55.0,
> if you apply both you will have a successful build. I did this manually
> (by hand, not taking the commits) for gnURL release.

Here is a patch that fixes the doc installation:
From f93502a48b368c74ba4ed1ff573f07f59b8c91f1 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Wed, 9 Aug 2017 21:04:04 +0200
Subject: [PATCH] gnu: curl: Replace with 7.55.0 [security fixes].

Fixes CVE-2017-1000099, CVE-2017-1000100, and CVE-2017-100101.

* gnu/packages/curl.scm (curl)[replacement]: New field.
(curl-7.55.0): New variable.
---
gnu/packages/curl.scm | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)

Toggle diff (58 lines)
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index af15aa38c..0c551e108 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -4,6 +4,7 @@
;;; Copyright © 2015 Tomáš ?ech <sleep_walker@suse.cz>
;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -24,6 +25,7 @@
#:use-module ((guix licenses) #:prefix license:)
#:use-module (guix packages)
#:use-module (guix download)
+ #:use-module (guix utils)
#:use-module (guix build-system gnu)
#:use-module (gnu packages)
#:use-module (gnu packages compression)
@@ -40,6 +42,7 @@
(define-public curl
(package
(name "curl")
+ (replacement curl-7.55.0)
(version "7.54.1")
(source (origin
(method url-fetch)
@@ -119,3 +122,27 @@ tunneling, and so on.")
(license (license:non-copyleft "file://COPYING"
"See COPYING in the distribution."))
(home-page "https://curl.haxx.se/")))
+
+(define-public curl-7.55.0
+ (package
+ (inherit curl)
+ (version "7.55.0")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "https://curl.haxx.se/download/curl-"
+ version ".tar.xz"))
+ (sha256
+ (base32
+ "1785vxi0jamiv9d1wr1l45g0fm9ircxdfyfzf7ld8zv0z0i8bmfd"))))
+ (arguments
+ `(,@(substitute-keyword-arguments (package-arguments curl)
+ ((#:phases phases)
+ `(modify-phases ,phases
+ (add-before 'install 'fix-Makefile
+ ;; Fix a regression in 7.55 where docs are not installed.
+ ;; https://github.com/curl/curl/commit/a7bbbb7c368c6096802007f61f19a02e9d75285b
+ (lambda _
+ (substitute* "Makefile"
+ (("install-data-hook:\n")
+ "install-data-hook:\n\tcd docs/libcurl && $(MAKE) install\n"))
+ #t)))))))))
--
2.14.0
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlmLbxIACgkQoqBt8qM6
VPoKMQf/cg9vgZks+cIKWlNG6VnwJAibcfcp22YOk61WT+E5570YRUoIY/9HDXES
x0LWdI+ibPVYlnLuOZ9sL3cT9w5t18IkPL/mgvBn1KUjyi87VBZZyeCnkKilFAk3
BL7/MnzcnplY5qC9yBgqbYcoI9CCUj4v12Xy20L7jAHsA8A6OeQeud9cpZ+/J9sJ
vEIJ8cWWXtBaaHjqgtwsZUwa7vov5ndjhTYhMQ2+4Xnt3qWg6CTeWwb8QXFMf6a2
2z4gpjCSSpaQkOXzNYQHnjVKdC2GRgNhXXho46aE0SRGjwttCys1RlkyLP7mQwlm
8IjRvSzTDSWiWAsPhrSYVkTQZc+dZw==
=5Y/L
-----END PGP SIGNATURE-----

M
M
Marius Bakke wrote on 9 Aug 2017 23:55
871sok4d9n.fsf@fastmail.com
Leo Famulari <leo@famulari.name> writes:

Toggle quote (21 lines)
> On Wed, Aug 09, 2017 at 02:50:07PM -0400, Leo Famulari wrote:
>> On Wed, Aug 09, 2017 at 01:48:42PM -0400, Leo Famulari wrote:
>> > On Wed, Aug 09, 2017 at 06:25:39PM +0200, Tobias Geerinckx-Rice wrote:
>> > > ng0 wrote on 09/08/17 at 18:00:
>> > > > From 13129d51ac4dd5ac7f5e7b74997297139a40be12 Mon Sep 17 00:00:00 2001
>> > > > From: ng0 <ng0@infotropique.org>
>> > > > Date: Wed, 9 Aug 2017 15:58:43 +0000
>> > > > Subject: [PATCH] gnu: gnurl: Update to 7.55.0.
>> > > >
>> > > > * gnu/packages/gnunet.scm (gnurl): Update to 7.55.0.
>> > >
>> > > Thanks! Pushed as 28e12d6c81cef2aca7f792f3c99037a649faa9b0.
>> >
>> > Great! Can somebody also update the curl replacement?
>>
>> Actually, I'll do it :)
>
> With the attached patch, it fails to build, because the man 3 pages
> aren't built and thus can't be copied into the doc output. I'm not sure
> what's going on :/

It seems our worked collided again. :-)

I 'ported' the earlier patch to master and will push it shortly if there
are no objections:
From 6f9bbbafd4cc857c2b093f3cced6df2e45f56aab Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Wed, 9 Aug 2017 21:04:04 +0200
Subject: [PATCH] gnu: curl: Replace with 7.55.0 [security fixes].

Fixes CVE-2017-1000099, CVE-2017-1000100, and CVE-2017-100101.

* gnu/packages/curl.scm (curl)[replacement]: New field.
(curl-7.55.0): New variable.
---
gnu/packages/curl.scm | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)

Toggle diff (63 lines)
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index a9f219b62..d6e32e438 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -4,6 +4,7 @@
;;; Copyright © 2015 Tomáš ?ech <sleep_walker@suse.cz>
;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -24,6 +25,7 @@
#:use-module ((guix licenses) #:prefix license:)
#:use-module (guix packages)
#:use-module (guix download)
+ #:use-module (guix utils)
#:use-module (guix build-system gnu)
#:use-module (gnu packages)
#:use-module (gnu packages compression)
@@ -40,7 +42,7 @@
(define-public curl
(package
(name "curl")
- (replacement curl-7.54.1)
+ (replacement curl-7.55.0)
(version "7.53.0")
(source (origin
(method url-fetch)
@@ -121,15 +123,27 @@ tunneling, and so on.")
"See COPYING in the distribution."))
(home-page "https://curl.haxx.se/")))
-(define curl-7.54.1
+(define-public curl-7.55.0
(package
(inherit curl)
- (version "7.54.1")
+ (version "7.55.0")
(source
(origin
(method url-fetch)
(uri (string-append "https://curl.haxx.se/download/curl-"
- version ".tar.lzma"))
+ version ".tar.xz"))
(sha256
(base32
- "0vnv3cz0s1l5cjby86hm0x6pgzqijmdm97qa9q5px200956z6yib"))))))
+ "1785vxi0jamiv9d1wr1l45g0fm9ircxdfyfzf7ld8zv0z0i8bmfd"))))
+ (arguments
+ `(,@(substitute-keyword-arguments (package-arguments curl)
+ ((#:phases phases)
+ `(modify-phases ,phases
+ (add-before 'install 'fix-Makefile
+ ;; Fix a regression in 7.55.0 where docs are not installed.
+ ;; https://github.com/curl/curl/commit/a7bbbb7c368c6096802007f61f19a02e9d75285b
+ (lambda _
+ (substitute* "Makefile"
+ (("install-data-hook:\n")
+ "install-data-hook:\n\tcd docs/libcurl && $(MAKE) install\n"))
+ #t)))))))))
--
2.14.0
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlmLhNQACgkQoqBt8qM6
VPp33Af9Ghlt9iJ4VRewUlx+niChr3cu9vme3VYB0ctUZONLtm+VOxtMgge2d7zZ
1qQcphoNHcBbWrXD6VTo9ljmJ5b3f6mNRFfYjLyzY7YcXyIYYAfXjJbRh5gpB8Jn
X2fWDwnAwiXWfbV47uNm4yJFUXn8dDNFSMtJzIkdIJZfD9XQY3wBLnbVIzQENjEJ
iAu1aGplDwbxVKljrzLyp2dFxicG7OYJvNrD55Ox1Yd8fBmQHhoMbncrEhcW1YqY
i9rV5VwAPN0OPfU9LYZU6MZ9scc9WDJdUy2/3gksclaStB1f/bQ+nODHivGxz+aC
Ax8lHvFFGbcWBDQV6ihlnJqE/uhlJw==
=74dL
-----END PGP SIGNATURE-----

?
Your comment

This issue is archived.

To comment on this conversation send an email to 28027@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 28027
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch