Eric Blake wrote:
> > In any case, this is a minor nit. At this point, it's more important to
> > get curl updated for the security flaw, so I'm calling this GTG.
> >
> > Please, though, try to get c-ares and libidn included when you can.
>
> I have just uploaded curl-7.15.0-3, based on this recommendation.
> I deleted all remnants of 7.10.8-1, but was unsure whether to remove
> the old curl/curl-7.11.1-1* in favor of the new curl/libcurl2/*7.11.1*
> files. Please advise.

I'd like to leave the current 7.11.1 package around for a while as prev until it's clear that I didn't fubar anything.

The problem of course is that it includes cygcurl-2.dll. So if the user chooses this prev version of the package it will overwrite the security-patched cygcurl-2.dll in the new libcurl2. There's really no way around this as far as I can tell.

I suppose what I can do is just mention this in the announcement, that if you choose to stick with the 7.11.1 package you are responsible for ensuring that the patched libcurl2 gets used. Worst case, the user gets the vulnerable libcurl2, which is all that is currently available anyway so I suppose it does no harm.

Brian