gnu: curl: Use updated libssh2 [fixes CVE-2016-7087].

* gnu/packages/curl.scm (curl)[inputs]: Use libssh2.
* gnu/packages/ssh.scm (libssh2-1.4): Remove variable.
This commit is contained in:
Mark H Weaver 2016-02-26 21:55:52 -05:00
parent aa5946edb2
commit 8d5ceb120d
2 changed files with 1 additions and 28 deletions

View file

@ -54,16 +54,7 @@ (define-public curl
(inputs `(("gnutls" ,gnutls)
("gss" ,gss)
("libidn" ,libidn)
;; XXX libssh2-1.4 is a temporary package for use only by curl,
;; to allow most users of libssh2 to get the security update for
;; CVE-2016-7087 while postponing the large number of rebuilds
;; entailed by updating curl. Soon, curl should be updated to
;; use the latest libssh2 and libssh2-1.4 should be removed.
;; XXX libssh2-1.4 is vulnerable to CVE-2016-0787.
("libssh2" ,libssh2-1.4)
("libssh2" ,libssh2)
("openldap" ,openldap)
("zlib" ,zlib)))
(native-inputs

View file

@ -112,24 +112,6 @@ (define-public libssh2
(license license:bsd-3)
(home-page "http://www.libssh2.org/")))
;;; XXX This is a temporary package for use only by curl, to allow most users
;;; of libssh2 to get the security update sooner while postponing the large
;;; number of rebuilds entailed by updating curl.
;;;
;;; XXX This package is vulnerable to CVE-2016-7087.
;;;
;;; https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0787
(define-public libssh2-1.4
(package (inherit libssh2)
(version "1.4.3")
(source (origin
(method url-fetch)
(uri (string-append "https://www.libssh2.org/download/libssh2-"
version ".tar.gz"))
(sha256
(base32
"0vdr478dbhbdgnniqmirawjb7mrcxckn4slhhrijxnzrkmgziipa"))))))
(define-public openssh
(package
(name "openssh")