aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMarius Bakke <marius@gnu.org>2020-06-24 20:24:30 +0200
committerMarius Bakke <marius@gnu.org>2020-06-24 22:10:58 +0200
commitaf91d13385d0f6239a0d7a777d6a72e11a40af2e (patch)
treee5d36ea7665fd3cfce9331e6cc96c8ba4078ca99
parentf9cb49d761c911b57d4d7aac5881eea0e89d45c6 (diff)
downloadguix-af91d13385d0f6239a0d7a777d6a72e11a40af2e.tar
guix-af91d13385d0f6239a0d7a777d6a72e11a40af2e.tar.gz
gnu: cURL: Replace with 7.71.0 [fixes CVE-2020-8169, CVE-2020-8177].
* gnu/packages/curl.scm (curl-7.71.0): New variable. (curl)[replacement]: New field.
-rw-r--r--gnu/packages/curl.scm26
1 files changed, 26 insertions, 0 deletions
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 48d7dd40bd..bf93639716 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -52,6 +52,7 @@
(package
(name "curl")
(version "7.69.1")
+ (replacement curl-7.71.0)
(source (origin
(method url-fetch)
(uri (string-append "https://curl.haxx.se/download/curl-"
@@ -168,6 +169,31 @@ tunneling, and so on.")
(name "curl-minimal")
(inputs (alist-delete "openldap" (package-inputs curl))))))
+;; Replacement package to fix CVE-2020-8169 and CVE-2020-8177.
+(define curl-7.71.0
+ (package
+ (inherit curl)
+ (version "7.71.0")
+ (source (origin
+ (inherit (package-source curl))
+ (uri (string-append "https://curl.haxx.se/download/curl-"
+ version ".tar.xz"))
+ (sha256
+ (base32
+ "0wlppmx9iry8slh4pqcxj7lwc6fqwnlhh9ri2pcym2rx76a8gwfd"))))
+ (arguments
+ (substitute-keyword-arguments (package-arguments curl)
+ ((#:phases phases)
+ `(modify-phases ,phases
+ (replace 'check
+ (lambda _
+ ;; Test 1510 is now disabled upstream, and the test runner
+ ;; complains that it can not disable a non-existing test.
+ ;; Thus, override the phase to not delete the test.
+ (substitute* "tests/runtests.pl"
+ (("/bin/sh") (which "sh")))
+ (invoke "make" "-C" "tests" "test")))))))))
+
(define-public kurly
(package
(name "kurly")