gnu: libxslt: Replace with 1.1.29 [fixes CVE-2016-{1683,1684}].

* gnu/packages/xml.scm (libxslt)[replacement]: New field.
(libxslt/fixed): New variable.

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 81a71bd..812539f 100644 (file)
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -4,7 +4,7 @@
 ;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
 ;;; Copyright © 2015, 2016 Ricardo Wurmus <rekado@elephly.net>
-;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2015, 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2015 Raimon Grau <raimonster@gmail.com>
 ;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
@@ -154,6 +154,7 @@ project (but it is usable outside of the Gnome platform).")
   (package
     (name "libxslt")
     (version "1.1.28")
+    (replacement libxslt/fixed)  ; CVE-2016-1683 and CVE-2016-1684
     (source (origin
              (method url-fetch)
              (uri (string-append "ftp://xmlsoft.org/libxslt/libxslt-"
@@ -174,6 +175,19 @@ project (but it is usable outside of the Gnome platform).")
 based on libxml for XML parsing, tree manipulation and XPath support.")
     (license license:x11)))
 
+(define-public libxslt/fixed
+  (package
+    (inherit libxslt)
+    (source
+     (let ((version "1.1.29"))
+       (origin
+         (method url-fetch)
+         (uri (string-append "ftp://xmlsoft.org/libxslt/libxslt-"
+                             version ".tar.gz"))
+         (sha256
+          (base32
+           "1klh81xbm9ppzgqk339097i39b7fnpmlj8lzn8bpczl3aww6x5xm")))))))
+
 (define-public perl-xml-parser
   (package
     (name "perl-xml-parser")