gnu: curl: Use updated libssh2 [fixes CVE-2016-7087].
* gnu/packages/curl.scm (curl)[inputs]: Use libssh2. * gnu/packages/ssh.scm (libssh2-1.4): Remove variable.
This commit is contained in:
parent
aa5946edb2
commit
8d5ceb120d
|
@ -54,16 +54,7 @@
|
|||
(inputs `(("gnutls" ,gnutls)
|
||||
("gss" ,gss)
|
||||
("libidn" ,libidn)
|
||||
|
||||
;; XXX libssh2-1.4 is a temporary package for use only by curl,
|
||||
;; to allow most users of libssh2 to get the security update for
|
||||
;; CVE-2016-7087 while postponing the large number of rebuilds
|
||||
;; entailed by updating curl. Soon, curl should be updated to
|
||||
;; use the latest libssh2 and libssh2-1.4 should be removed.
|
||||
|
||||
;; XXX libssh2-1.4 is vulnerable to CVE-2016-0787.
|
||||
("libssh2" ,libssh2-1.4)
|
||||
|
||||
("libssh2" ,libssh2)
|
||||
("openldap" ,openldap)
|
||||
("zlib" ,zlib)))
|
||||
(native-inputs
|
||||
|
|
|
@ -112,24 +112,6 @@ a server that supports the SSH-2 protocol.")
|
|||
(license license:bsd-3)
|
||||
(home-page "http://www.libssh2.org/")))
|
||||
|
||||
;;; XXX This is a temporary package for use only by curl, to allow most users
|
||||
;;; of libssh2 to get the security update sooner while postponing the large
|
||||
;;; number of rebuilds entailed by updating curl.
|
||||
;;;
|
||||
;;; XXX This package is vulnerable to CVE-2016-7087.
|
||||
;;;
|
||||
;;; https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0787
|
||||
(define-public libssh2-1.4
|
||||
(package (inherit libssh2)
|
||||
(version "1.4.3")
|
||||
(source (origin
|
||||
(method url-fetch)
|
||||
(uri (string-append "https://www.libssh2.org/download/libssh2-"
|
||||
version ".tar.gz"))
|
||||
(sha256
|
||||
(base32
|
||||
"0vdr478dbhbdgnniqmirawjb7mrcxckn4slhhrijxnzrkmgziipa"))))))
|
||||
|
||||
(define-public openssh
|
||||
(package
|
||||
(name "openssh")
|
||||
|
|
Loading…
Reference in New Issue