There are some new bugs disclosed in curl: https://curl.haxx.se/docs/security.html
Grafting the new version seems like the right approach to me when I consider libcurl's ABI compatibility policy: https://curl.haxx.se/libcurl/abi.html Thoughts?
From ef6ae3732facb1eba77e82c6a6066832784bca5d Mon Sep 17 00:00:00 2001
From: Leo Famulari <l...@famulari.name>
Date: Wed, 3 Aug 2016 16:13:09 -0400
Subject: [PATCH] gnu: curl: Replace with 7.50.1 [fixes
CVE-2016-{3739,4802,5419,5420,5421].
* gnu/packages/curl.scm (curl)[replacement]: New field.
(curl-7.50.1): New variable.
---
gnu/packages/curl.scm | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 222910b..a250bb1 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -40,6 +40,7 @@
(define-public curl
(package
(name "curl")
+ (replacement curl-7.50.1)
(version "7.47.0")
(source (origin
(method url-fetch)
@@ -123,3 +124,16 @@ tunneling, and so on.")
(license (license:non-copyleft "file://COPYING"
"See COPYING in the distribution."))
(home-page "http://curl.haxx.se/";)))
+
+(define curl-7.50.1
+ (package
+ (inherit curl)
+ (source
+ (let ((version "7.50.1"))
+ (origin
+ (method url-fetch)
+ (uri (string-append "https://curl.haxx.se/download/curl-";
+ version ".tar.lzma"))
+ (sha256
+ (base32
+ "0qc3qp3h18v24irzw7dgg1jf39v4hnz8irv83v9lbn9rxzrpdcdj")))))))
--
2.9.2
signature.asc
Description: PGP signature
