gnu: libssh2: Update to 1.7.0 [fixes CVE-2016-0787].

* gnu/packages/ssh.scm (libssh2): Update to 1.7.0.
  (libssh2-1.4): New variable.
* gnu/packages/curl.scm (curl)[inputs]: Use libssh2-1.4.

Modified-By: Mark H Weaver <mhw@netris.org>
This commit is contained in:
Leo Famulari 2016-02-24 15:57:30 -05:00 committed by Mark H Weaver
parent c8e26887ed
commit 78d80c5c6a
2 changed files with 34 additions and 5 deletions


@ -54,7 +54,16 @@
(inputs `(("gnutls" ,gnutls)
("gss" ,gss)
("libidn" ,libidn)
("libssh2" ,libssh2)
;; XXX libssh2-1.4 is a temporary package for use only by curl,
;; to allow most users of libssh2 to get the security update for
;; CVE-2016-7087 while postponing the large number of rebuilds
;; entailed by updating curl. Soon, curl should be updated to
;; use the latest libssh2 and libssh2-1.4 should be removed.
;; XXX libssh2-1.4 is vulnerable to CVE-2016-0787.
("libssh2" ,libssh2-1.4)
("openldap" ,openldap)
("zlib" ,zlib)))
(native-inputs
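Review bot: The CVE number in the new comment is inconsistent: the third comment line says the update is for `CVE-2016-7087`, while the line just below says libssh2-1.4 is vulnerable to `CVE-2016-0787`, which is the identifier the commit title and the bugzilla link in ssh.scm use. Assuming 0787 is the intended one, the third line should read `;; CVE-2016-0787 while postponing the large number of rebuilds`; the same transposition appears in the header comment of the new libssh2-1.4 definition in gnu/packages/ssh.scm. A wrong identifier in the comment is what a later reader will search for when deciding whether the temporary package can be dropped, so it is worth fixing before this lands. The enclosing curl package definition starts before this hunk.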


@ -2,6 +2,7 @@
;;; Copyright © 2013, 2014 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
;;;
;;; This file is part of GNU Guix.
;;;
@ -85,14 +86,15 @@ remote applications.")
(define-public libssh2
(package
(name "libssh2")
(version "1.4.3")
(version "1.7.0")
(source (origin
(method url-fetch)
(uri (string-append
"http://www.libssh2.org/download/libssh2-"
"https://www.libssh2.org/download/libssh2-"
version ".tar.gz"))
(sha256 (base32
"0vdr478dbhbdgnniqmirawjb7mrcxckn4slhhrijxnzrkmgziipa"))))
(sha256
(base32
"116mh112w48vv9k3f15ggp5kxw5sj4b88dzb5j69llsh7ba1ymp4"))))
(build-system gnu-build-system)
;; The installed libssh2.pc file does not include paths to libgcrypt and
;; zlib libraries, so we need to propagate the inputs.
@ -108,6 +110,24 @@ a server that supports the SSH-2 protocol.")
(license license:bsd-3)
(home-page "http://www.libssh2.org/")))
;;; XXX This is a temporary package for use only by curl, to allow most users
;;; of libssh2 to get the security update sooner while postponing the large
;;; number of rebuilds entailed by updating curl.
;;;
;;; XXX This package is vulnerable to CVE-2016-7087.
;;;
;;; https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0787
(define-public libssh2-1.4
(package (inherit libssh2)
(version "1.4.3")
(source (origin
(method url-fetch)
(uri (string-append "https://www.libssh2.org/download/libssh2-"
version ".tar.gz"))
(sha256
(base32
"0vdr478dbhbdgnniqmirawjb7mrcxckn4slhhrijxnzrkmgziipa"))))))
(define-public openssh
(package
(name "openssh")
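Review bot: libssh2-1.4 is exported with `define-public` and inherits the name "libssh2", so a package that the comment says is vulnerable and "for use only by curl" is also visible to users as a second "libssh2" variant in package listings and installable by version. Exporting it is presumably unavoidable because curl.scm lives in another module, but the header comment could state that explicitly and name what must happen before removal, e.g. `;;; XXX Remove once curl is updated to build against the current libssh2.`; if this Guix revision supports hiding a package from user-facing listings, that would also be worth applying here. The inherited record also keeps libssh2's description and home-page, so nothing in the visible package metadata itself signals that this variant is the old, unpatched release.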