authorLeo Famulari <leo@famulari.name>2019-03-21 13:34:24 -0400
committerLeo Famulari <leo@famulari.name>2019-03-21 13:37:01 -0400
commitaf8f7eb4f2a664c2d0fb3faabaf2e80c72993ef6 (patch)
tree0b749834d579ec6f5ec4be5d00d888b68941ef19
parent1e70d72b18207292a60cdf153d4e7efb9ee767ff (diff)
gnu: libssh2: Update to 1.8.1 [security fixes].
Fixes CVE-2019-{3855,3856,3857,3858,3859,3860,3861,3862,3863}. * gnu/packages/ssh.scm (libssh2): Update to 1.8.1. (libssh2-1.8.0): New variable. * gnu/packages/curl.scm (curl)[inputs]: Use libssh2-1.8.0.
-rw-r--r--gnu/packages/curl.scm10
-rw-r--r--gnu/packages/ssh.scm24
2 files changed, 28 insertions, 6 deletions
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 456a18012d..a36a1ee4a6 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -3,7 +3,7 @@
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2015 Tomáš Čech <sleep_walker@suse.cz>
;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
-;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2016, 2017, 2019 Leo Famulari <leo@famulari.name>
;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
@@ -66,10 +66,14 @@
(inputs `(("gnutls" ,gnutls)
("gss" ,gss)
("libidn" ,libidn)
- ("libssh2" ,libssh2)
("openldap" ,openldap)
("nghttp2" ,nghttp2 "lib")
- ("zlib" ,zlib)))
+ ("zlib" ,zlib)
+ ;; TODO XXX <https://bugs.gnu.org/34927>
+ ;; Curl doesn't actually use or refer to libssh2 because the build
+ ;; is not configured with '--with-libssh2'. Remove this input when
+ ;; a mass rebuild is appropriate (e.g. core-updates).
+ ("libssh2" ,libssh2-1.8.0)))
(native-inputs
`(("perl" ,perl)
;; to enable the --manual option and make test 1026 pass
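Review bot: The comment above the re-added `("libssh2" ,libssh2-1.8.0)` input explains why the input is kept, but it does not say that 1.8.0 is the release lacking the fixes for CVE-2019-3855 through CVE-2019-3863, and nothing in the visible inputs enforces the claim that curl never links it. Someone who later adds `--with-libssh2` to curl's configure flags would link the unfixed library without any warning. I would add a line such as `;; Do not pass '--with-libssh2' while this input is libssh2-1.8.0: it lacks the CVE-2019-3855..3863 fixes.` here. The same applies to the XXX comment above `libssh2-1.8.0` in gnu/packages/ssh.scm, which says only "obsolete"; because it is `define-public`, other modules can still name it as an input. The curl package definition starts and ends outside this hunk, so the configure flags themselves are not visible.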
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index dc81736f06..5b5890aae6 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -3,7 +3,7 @@
;;; Copyright © 2013, 2014 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2015, 2016, 2018 Efraim Flashner <efraim@flashner.co.il>
-;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2016, 2019 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016 Nicolas Goaziou <mail@nicolasgoaziou.fr>
;;; Copyright © 2016 Christopher Allan Webber <cwebber@dustycloud.org>
;;; Copyright © 2017, 2018, 2019 Tobias Geerinckx-Rice <me@tobias.gr>
@@ -111,7 +111,7 @@ applications.")
(define-public libssh2
(package
(name "libssh2")
- (version "1.8.0")
+ (version "1.8.1")
(source (origin
(method url-fetch)
(uri (string-append
@@ -119,7 +119,7 @@ applications.")
version ".tar.gz"))
(sha256
(base32
- "1m3n8spv79qhjq4yi0wgly5s5rc8783jb1pyra9bkx1md0plxwrr"))
+ "0ngif3ynk6xqzy5nlfjs7bsmfm81g9f145av0z86kf0vbgrigda0"))
(patches
(search-patches "libssh2-fix-build-failure-with-gcrypt.patch"))))
(build-system gnu-build-system)
@@ -143,6 +143,24 @@ a server that supports the SSH-2 protocol.")
(license license:bsd-3)
(home-page "https://www.libssh2.org/")))
+;; XXX A hidden special obsolete libssh2 for temporary use in the curl package.
+;; <https://bugs.gnu.org/34927>
+(define-public libssh2-1.8.0
+ (hidden-package
+ (package
+ (inherit libssh2)
+ (version "1.8.0")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append
+ "https://www.libssh2.org/download/libssh2-"
+ version ".tar.gz"))
+ (sha256
+ (base32
+ "1m3n8spv79qhjq4yi0wgly5s5rc8783jb1pyra9bkx1md0plxwrr"))
+ (patches
+ (search-patches "libssh2-fix-build-failure-with-gcrypt.patch")))))))
+
(define-public openssh
(package
(name "openssh")