GNU bug report logs - #73361
[PATCH v2] gnu: curl: Fix security vulnerability.

Package: guix-patches;

Reported by: Ashish SHUKLA <ashish.is <at> lostca.se>

Date: Thu, 19 Sep 2024 15:19:02 UTC

Severity: normal

Tags: patch

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.


Message #11 received at 73361 <at> debbugs.gnu.org (full text, mbox):

From: "Ashish SHUKLA" <ashish.is <at> lostca.se>
To: "John Kehayias" <john.kehayias <at> protonmail.com>
Cc: 73361 <at> debbugs.gnu.org
Subject: Re: [bug#73361] [PATCH] gnu: curl: Update to 8.10.1 [security fixes].
Date: Sat, 28 Sep 2024 01:24:05 +0000
[Message part 1 (text/plain, inline)]
On Fri Sep 27, 2024 at 8:52 PM CEST, John Kehayias wrote:
> Hello,
>
> On Thu, Sep 19, 2024 at 03:17 PM, Ashish SHUKLA wrote:
>
> > * gnu/packages/curl.scm (curl): Update to 8.10.1.
> >
>
> As curl causes a rebuild of just about everything, this will need to
> be done as a graft on master. (And ungrafted with a world rebuild on a
> branch.) Would you like to take a stab at that?

Prepared a new revision (attached) to add a new package 'curl/fixed' 
with just the fix from upstream applied[0][1].

As for the actual update to 8.10.1, I can send a patch (either in this
thread, or in a separate issue report).

Please let me know if something is amiss with my patch.

References:
[0] https://curl.se/docs/CVE-2024-8096.html
[1] https://github.com/curl/curl/commit/aeb1a281cab13c7ba

Thanks!
--
Ashish SHUKLA | GPG: F682 CDCC 39DC 0FEA E116  20B6 C746 CFA9 E74F A4B0

"If I destroy you, what business is it of yours ?" (Dark Forest, Liu Cixin)

[v2-0001-gnu-curl-Fix-security-vulnerability.patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

This bug report was last modified 250 days ago.
