01/01: gnu: curl: Use updated libssh2 [fixes CVE-2016-7087].

guix-commits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

01/01: gnu: curl: Use updated libssh2 [fixes CVE-2016-7087].

From:	Mark H. Weaver
Subject:	01/01: gnu: curl: Use updated libssh2 [fixes CVE-2016-7087].
Date:	Tue, 01 Mar 2016 01:09:36 +0000

mhw pushed a commit to branch master
in repository guix.

commit 8d5ceb120d34eab6ab557a82af9d4cd594dc35b7
Author: Mark H Weaver <address@hidden>
Date:   Fri Feb 26 21:55:52 2016 -0500

    gnu: curl: Use updated libssh2 [fixes CVE-2016-7087].
    
    * gnu/packages/curl.scm (curl)[inputs]: Use libssh2.
    * gnu/packages/ssh.scm (libssh2-1.4): Remove variable.
---
 gnu/packages/curl.scm |   11 +----------
 gnu/packages/ssh.scm  |   18 ------------------
 2 files changed, 1 insertions(+), 28 deletions(-)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 46e0fa0..222910b 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -54,16 +54,7 @@
    (inputs `(("gnutls" ,gnutls)
              ("gss" ,gss)
              ("libidn" ,libidn)
-
-             ;; XXX libssh2-1.4 is a temporary package for use only by curl,
-             ;; to allow most users of libssh2 to get the security update for
-             ;; CVE-2016-7087 while postponing the large number of rebuilds
-             ;; entailed by updating curl.  Soon, curl should be updated to
-             ;; use the latest libssh2 and libssh2-1.4 should be removed.
-
-             ;; XXX libssh2-1.4 is vulnerable to CVE-2016-0787.
-             ("libssh2" ,libssh2-1.4)
-
+             ("libssh2" ,libssh2)
              ("openldap" ,openldap)
              ("zlib" ,zlib)))
    (native-inputs
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index 081c7cb..1b4a4b4 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -112,24 +112,6 @@ a server that supports the SSH-2 protocol.")
    (license license:bsd-3)
    (home-page "http://www.libssh2.org/";)))
 
-;;; XXX This is a temporary package for use only by curl, to allow most users
-;;; of libssh2 to get the security update sooner while postponing the large
-;;; number of rebuilds entailed by updating curl.
-;;;
-;;; XXX This package is vulnerable to CVE-2016-7087.
-;;;
-;;; https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0787
-(define-public libssh2-1.4
-  (package (inherit libssh2)
-    (version "1.4.3")
-    (source (origin
-             (method url-fetch)
-             (uri (string-append "https://www.libssh2.org/download/libssh2-";
-                                 version ".tar.gz"))
-             (sha256
-              (base32
-                "0vdr478dbhbdgnniqmirawjb7mrcxckn4slhhrijxnzrkmgziipa"))))))
-
 (define-public openssh
   (package
    (name "openssh")

[Prev in Thread]

Current Thread

[Next in Thread]

branch master updated (aa5946e -> 8d5ceb1), Mark H. Weaver, 2016/02/29
- 01/01: gnu: curl: Use updated libssh2 [fixes CVE-2016-7087]., Mark H. Weaver <=

Prev by Date: branch master updated (aa5946e -> 8d5ceb1)
Next by Date: branch security-updates deleted (was 82b8a44)
Previous by thread: branch master updated (aa5946e -> 8d5ceb1)
Next by thread: branch security-updates deleted (was 82b8a44)
Index(es):
- Date
- Thread