curl: 8.0.1 -> 8.1.1 #232531
Lgtm. Thank you for contributing to Nixpkgs!
curl 8.1.1 is available now: https://curl.se/mail/lib-2023-05/0040.html
Assume we'll be backporting this to 23.05?
The question was just whether we go with 8.1.1 or pick the patches like for 22.11.
https://daniel.haxx.se/blog/2023/05/17/curl-8-1-0-http2-over-proxy/
https://curl.se/changes.html#8_1_0
https://curl.se/changes.html#8_1_1
https://www.openwall.com/lists/oss-security/2023/05/17/1
https://www.openwall.com/lists/oss-security/2023/05/17/2
https://www.openwall.com/lists/oss-security/2023/05/17/3
https://www.openwall.com/lists/oss-security/2023/05/17/4
Fixes: CVE-2023-28319, CVE-2023-28320, CVE-2023-28321, CVE-2023-28322
Built
Successfully created backport PR for
This broke build of EDIT: details Hydra only has darwin logs for now, but I confirmed on linux locally:
ngtcp2 certainly does suffer from incompatible changes coming relatively often (on most of minor-number bumps IIRC). That's why I separated Maybe we should start keeping
Upstream curl wrote that an update of nghttp2 to 1.53.0 is required. The PR to update ngtcp2 is there too, only to the master branch.
I don't see any problems related to
Which of the
@Izorkin: I thought you referred to nixpkgs master, not curl master. I see them writing that nghttp2 1.52 is bad for curl, but we don't use that (yet). I don't see a hint that our current version is bad. (update to 1.53 could be done, but it's a huge rebuild) EDIT: