GNU bug report logs - #47563
curl is vulnerable to CVE-2021-22890 and CVE-2021-22876

Previous Next

Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Fri, 2 Apr 2021 14:05:02 UTC

Severity: normal

Tags: security

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

Full log

Message #16 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Léo Le Bouter via Bug reports for GNU Guix
 <bug-guix <at> gnu.org>
Cc: 47563 <at> debbugs.gnu.org,
 Léo Le Bouter <lle-bout <at> zaclys.net>
Subject: Re: bug#47563: [PATCH 0/1] gnu: curl: Fix CVE-2021-22876 and
 CVE-2021-22890.
Date: Fri, 2 Apr 2021 14:22:06 -0400

On Fri, Apr 02, 2021 at 04:09:39PM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
> curl-CVE-2021-22876.patch was rebased onto 7.74.0, but curl-CVE-2021-22890.patch
> does not apply and please I need help rebasing it, it looks quite complex.
> 
> I pushed an upgrade of curl to 7.76.0 which has been much much easier to
> core-updates already as
> https://git.savannah.gnu.org/cgit/guix.git/commit/?h=core-updates&id=2e0b1b62e94b926041ca9af70537dd9b3ab64edf
> but unfortunately since curl requires so many rebuilds it seems we can't use
> such commit on master for now.

Can we try grafting an "upgrade" to 7.76.0? In my experience, most curl
upgrades are graftable.

Curl's developers are very careful with their ABI and even maintain
their own page on the subject: <https://curl.se/libcurl/abi.html>
This bug report was last modified 4 years and 49 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.