Sorry for the noise but my last email on this subject contained an early draft of the annotation. It's possible the patches were an earlier revision as well, so I'm resending here. Please disregard the first version.

These patches address CVE-2016-0739 (libssh) and CVE-2016-0786 (libssh2) [0].

For libssh, we update to the latest upstream release, 0.7.3 [1]. Guile-ssh depends on a private package of an older version of libssh [2], so we update that private package to the latest version supported by guile-ssh, 0.6.5. This happens to be the previous version of our public libssh package. This allows us to remove the patch for CVE-2014-0017, which was fixed in libssh-0.6.3 [3].

For libssh2, we update to the latest upstream release, 1.7.0 [4]. Many packages depend on libssh2, including curl, so we create a temporary package of the old, vulnerable version, 1.4. When we have rebuilt all packages affected by CVE-2016-0786, this temporary package should be removed and curl should be made to depend on the latest version. That future commit should state "Fixes CVE-2016-7087".

Please double-check that curl does not need to be rebuilt before applying these patches. Feel free to reorganize the changes or alter the commit messages as desired.

[0] http://seclists.org/oss-sec/2016/q1/408
    http://www.libssh.org/archive/libssh/2016-02/0000013.html
    https://libssh2.org/changes.html
[1] http://www.libssh.org/archive/libssh/2016-02/0000013.html
[2] https://github.com/artyom-poptsov/guile-ssh#requirements
[3] https://www.libssh.org/2014/03/04/libssh-0-6-3-security-release/
    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0017
[4] https://libssh2.org/changes.html

Leo Famulari (2):
  gnu: libssh2: Update to 1.7.0.
  gnu: libssh: Update to 0.7.3.

 gnu-system.am                                   |  1 -
 gnu/packages/curl.scm                           |  2 +-
 gnu/packages/patches/libssh-CVE-2014-0017.patch | 89 -------------------------
 gnu/packages/ssh.scm                            | 48 +++++++++----
 4 files changed, 35 insertions(+), 105 deletions(-)
 delete mode 100644 gnu/packages/patches/libssh-CVE-2014-0017.patch

--
2.7.1