Re: [PATCH 0/1] curl: Fix CVE-2016-3739.

2016-06-13 Thread ng0
On 2016-06-13(12:14:14-0400), Leo Famulari wrote:
> On Mon, Jun 13, 2016 at 03:42:47PM +, ng0 wrote:
> > From the way it was done in Gentoo, I assume this is not needed?
> > mbedtls is a separate package, and I have libressl as the curlssl provider,
> > which is a curl built against libressl.
>

Re: [PATCH 0/1] curl: Fix CVE-2016-3739.

2016-06-13 Thread Leo Famulari
On Mon, Jun 13, 2016 at 03:42:47PM +, ng0 wrote:
> From the way it was done in Gentoo, I assume this is not needed?
> mbedtls is a separate package, and I have libressl as the curlssl provider,
> which is a curl built against libressl.
>
> If I am wrong, correct me.
>
My initial comment was a

Re: [PATCH 0/1] curl: Fix CVE-2016-3739.

2016-06-13 Thread Leo Famulari
On Mon, Jun 13, 2016 at 05:07:23PM +0200, Ludovic Courtès wrote:
> Leo Famulari skribis:
> > We should definitely update curl on core-updates-next, or whatever is
> > built after the current cycle, and we should not add hiawatha until the
> > fixed curl is in our tree.
>
> Agreed on both points.

Re: [PATCH 0/1] curl: Fix CVE-2016-3739.

2016-06-13 Thread ng0
On 2016-06-13(05:07:23+0200), Ludovic Courtès wrote:
> Leo Famulari skribis:
>
> > On Sun, Jun 12, 2016 at 09:02:32PM +, ng0 wrote:
> >> On 2016-06-12(10:51:14+0200), Ludovic Courtès wrote:
> >> > Leo Famulari skribis:
> >> >
> >> > > If your SSL / TLS provider is mbedTLS (formerly PolarSSL),

Re: [PATCH 0/1] curl: Fix CVE-2016-3739.

2016-06-13 Thread Ludovic Courtès
Leo Famulari skribis:
> On Sun, Jun 12, 2016 at 09:02:32PM +, ng0 wrote:
>> On 2016-06-12(10:51:14+0200), Ludovic Courtès wrote:
>> > Leo Famulari skribis:
>> >
>> > > If your SSL / TLS provider is mbedTLS (formerly PolarSSL), there is a
>> > > bug in curl [CVE-2016-3739] that allows an atta

Re: [PATCH 0/1] curl: Fix CVE-2016-3739.

2016-06-12 Thread Leo Famulari
On Sun, Jun 12, 2016 at 09:02:32PM +, ng0 wrote:
> On 2016-06-12(10:51:14+0200), Ludovic Courtès wrote:
> > Leo Famulari skribis:
> >
> > > If your SSL / TLS provider is mbedTLS (formerly PolarSSL), there is a
> > > bug in curl [CVE-2016-3739] that allows an attacker to bypass the full
> > > c

Re: [PATCH 0/1] curl: Fix CVE-2016-3739.

2016-06-12 Thread ng0
On 2016-06-12(10:51:14+0200), Ludovic Courtès wrote:
> Leo Famulari skribis:
>
> > If your SSL / TLS provider is mbedTLS (formerly PolarSSL), there is a
> > bug in curl [CVE-2016-3739] that allows an attacker to bypass the full
> > certificate check by presenting any valid certificate.
> >
> > So,

Re: [PATCH 0/1] curl: Fix CVE-2016-3739.

2016-06-12 Thread Ludovic Courtès
Leo Famulari skribis:
> If your SSL / TLS provider is mbedTLS (formerly PolarSSL), there is a
> bug in curl [CVE-2016-3739] that allows an attacker to bypass the full
> certificate check by presenting any valid certificate.
>
> So, you might think you are connecting to https://example.com, when in fa