[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: 01/01: gnu: curl: Update replacement to 7.51.0 [fixes CVE-2016-{8615
From: |
Leo Famulari |
Subject: |
Re: 01/01: gnu: curl: Update replacement to 7.51.0 [fixes CVE-2016-{8615..8625}]. |
Date: |
Thu, 3 Nov 2016 00:03:25 -0400 |
User-agent: |
Mutt/1.7.1 (2016-10-04) |
On Wed, Nov 02, 2016 at 12:02:27PM +0000, Marius Bakke wrote:
> commit cbf5889fe542dafe71c6eedf9cc72673495fcc88
> Author: Marius Bakke <address@hidden>
> Date: Wed Nov 2 09:01:36 2016 +0000
>
> gnu: curl: Update replacement to 7.51.0 [fixes CVE-2016-{8615..8625}].
>
> * gnu/packages/curl.scm (curl)[replacement]: Update to 7.51.0.
> (curl-7.50.3): Replace with ...
> (curl-7.51.0): ... this.
It turns out that with 7.50.1, curl changed their provider of
internationalized domain name support from libidn to libidn2, which we
don't have a package for yet.
You can see the change in this standalone patch for CVE-2016-8625:
https://curl.haxx.se/docs/adv_20161102K.html
And here Daniel Stenberg, the curl maintainer, recommends we simply
disable IDN support for the time being, since the fix is incomplete:
https://curl.haxx.se/mail/lib-2016-11/0033.html
This is already the case; here is an excerpt from the build log:
------
2797 checking whether to enable Windows native IDN (Windows native builds
only)... no
2798 checking whether to build with libidn2... (assumed) yes
2799 checking for pkg-config... (cached)
/gnu/store/9z40bkd8q9s8krjkhqysrn262gwsww4p-pkg-config-0.29/bin/pkg-config
2800 checking for libidn2 options with pkg-config... no
2801 configure: IDN_LIBS: "-lidn2"
2802 configure: IDN_LDFLAGS: ""
2803 configure: IDN_CPPFLAGS: ""
2804 configure: IDN_DIR: ""
2805 checking if idn2_lookup_ul can be linked... no
2806 checking idn2.h usability... no
2807 checking idn2.h presence... no
2808 checking for idn2.h... no
2809 configure: WARNING: Cannot find libraries for IDN support: IDN disabled
[...]
3309 IDN support: no (--with-{libidn2,winidn})
------
I hope this doesn't break the interface with any packages referring to
the new curl with a graft.
signature.asc
Description: PGP signature
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- Re: 01/01: gnu: curl: Update replacement to 7.51.0 [fixes CVE-2016-{8615..8625}].,
Leo Famulari <=