"Yaakov S (Cygwin Ports)" wrote: > 1) I don't think that we should keep libcurl2 as-is, being that it's > vulnerable. Either we could drop it entirely (and recompile > vorbis-tools against libcurl3 immediately), or rebuild curl-7.11 with > the following patch: > > http://curl.haxx.se/libcurl-ntlmbuf.patch
This is a good idea. I've created a patched libcurl2: http://dessent.net/cygwin/release/curl/libcurl2/setup.hint http://dessent.net/cygwin/release/curl/libcurl2/libcurl2-7.11.1-2-src.tar.bz2 http://dessent.net/cygwin/release/curl/libcurl2/libcurl2-7.11.1-2.tar.bz2 > 2) curl-7.15 can use c-ares and libidn, both recently proposed by > Gerrit. c-ares was approved, but libidn had some packaging issues. > Maybe you could work with him to get those in the distro, then link > curl-7.15.0 with them as well (either now or for -2). I'd prefer not to block on this. However I'd be happy to refresh the curl packages as soon as these libs have been uploaded. Brian
