GNU bug report logs - #47563
curl is vulnerable to CVE-2021-22890 and CVE-2021-22876

Previous Next

Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Fri, 2 Apr 2021 14:05:02 UTC

Severity: normal

Tags: security

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: 47563 <at> debbugs.gnu.org
Cc: Léo Le Bouter <lle-bout <at> zaclys.net>
Subject: bug#47563: [PATCH 0/1] gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890.
Date: Fri,  2 Apr 2021 16:09:39 +0200

curl-CVE-2021-22876.patch was rebased onto 7.74.0, but curl-CVE-2021-22890.patch
does not apply and please I need help rebasing it, it looks quite complex.

I pushed an upgrade of curl to 7.76.0 which has been much much easier to
core-updates already as
https://git.savannah.gnu.org/cgit/guix.git/commit/?h=core-updates&id=2e0b1b62e94b926041ca9af70537dd9b3ab64edf
but unfortunately since curl requires so many rebuilds it seems we can't use
such commit on master for now.

Léo Le Bouter (1):
  gnu: curl: Fix CVE-2021-22876 and CVE-2021-22890.

 gnu/local.mk                                  |   2 +
 gnu/packages/curl.scm                         |   4 +-
 .../patches/curl-CVE-2021-22876.patch         | 147 ++++++
 .../patches/curl-CVE-2021-22890.patch         | 499 ++++++++++++++++++
 4 files changed, 651 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/curl-CVE-2021-22876.patch
 create mode 100644 gnu/packages/patches/curl-CVE-2021-22890.patch

-- 
2.31.1

This bug report was last modified 4 years and 49 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #47563 curl is vulnerable to CVE-2021-22890 and CVE-2021-22876

GNU bug report logs - #47563
curl is vulnerable to CVE-2021-22890 and CVE-2021-22876