This is the mail archive of the cygwin-apps mailing list for the Cygwin project.



Re: [ITP-adopt] curl 7.15.0


Eric Blake wrote:

> > In any case, this is a minor nit.  At this point, it's more important to
> > get curl updated for the security flaw, so I'm calling this GTG.
> >
> > Please, though, try to get c-ares and libidn included when you can.
> 
> I have just uploaded curl-7.15.0-3, based on this recommendation.
> I deleted all remnants of 7.10.8-1, but was unsure whether to remove
> the old curl/curl-7.11.1-1* in favor of the new curl/libcurl2/*7.11.1*
> files.  Please advise.

I'd like to leave the current 7.11.1 package around for a while as prev
until it's clear that I didn't fubar anything.  The problem of
course is that it includes cygcurl-2.dll.  So if the user chooses this
prev version of the package it will overwrite the security-patched
cygcurl-2.dll in the new libcurl2.  There's really no way around this as
far as I can tell.

I suppose what I can do is just mention this in the announcement, that
if you choose to stick with the 7.11.1 package you are responsible for
ensuring that the patched libcurl2 gets used.  Worst case, the user gets
the vulnerable libcurl2, which is all that is currently available anyway
so I suppose it does no harm.

Brian

