[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 0/1] Update curl replacement to 7.50.2
From: |
Leo Famulari |
Subject: |
[PATCH 0/1] Update curl replacement to 7.50.2 |
Date: |
Wed, 7 Sep 2016 18:04:22 -0400 |
The curl project disclosed a bug, CVE-2016-7141 [0]:
---
libcurl built on top of NSS (Network Security Services) incorrectly re-used
client certificates if a certificate from file was used for one TLS connection
but no certificate set for a subsequent TLS connection.
While the symptoms are similar to CVE-2016-5420 (Re-using connection with wrong
client cert), this vulnerability was caused by an implementation detail of the
NSS backend in libcurl, which is orthogonal to the cause of CVE-2016-5420.
---
As far as I can tell, our curl package does not use NSS, but people who
use Guix as a source of free software source code (`guix build
--source`) may be vulnerable.
[0]
http://seclists.org/oss-sec/2016/q3/433
https://curl.haxx.se/docs/vuln-7.50.1.html
Leo Famulari (1):
gnu: curl: Update replacement to 7.50.2 [fixes CVE-2016-7141].
gnu/packages/curl.scm | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--
2.10.0
- [PATCH 0/1] Update curl replacement to 7.50.2,
Leo Famulari <=