[security] Please upgrade to curl 7.78

[bluesmoon]

Due to security issues in prior versions of curl, it is recommended to upgrade the dependency to curl 7.78.0

[omus]

That should happen automatically if you update LibCURL_jll here: https://github.com/JuliaPackaging/Yggdrasil/blob/master/L/LibCURL/build_tarballs.jl

[bluesmoon]

Thanks, I've proposed the change.

As a secondary question, do you know how I can specify LibCURL_jll v7.73.0+2 as a dependency? (I'm using Julia 1.5). If I try to install it directly, I get this:

pkg> add LibCURL_jll@7.73.0+2
ERROR: ArgumentError: invalid version range: "7.73.0+2"

[omus]

Pkg doesn't understand the build number. You should be able to leave it off (e.g. add LibCURL_jll@7.73.0) and it should use the latest build

[bluesmoon]

The problem is that the latest build is "7.73.0+6" which does not work with julia 1.5, so I get unsatisfiable dependencies.

[omus]

The problem is that the latest build is "7.73.0+6" which does not work with julia 1.5, so I get unsatisfiable dependencies.

Essh, that's definitely not great.

As a secondary question, do you know how I can specify LibCURL_jll v7.73.0+2 as a dependency? (I'm using Julia 1.5).

I did a little digging and found https://github.com/JuliaLang/Pkg.jl/issues/1568 which is the issue for supporting build numbers in Pkg. The work around seems to be using the commit SHA. So a workaround for you would be:

pkg> add LibCURL_jll#1711b0b

That's the short commit SHA for LibCURL_jll v7.73.0+2

[bluesmoon]

Thanks. I was able to install it with the SHA, but then I get this:

julia> using LibCURL
ERROR: InitError: could not load library "/home/ubuntu/.julia/artifacts/987abeee1b538b19bb506476319e47ae1fdea638/lib/libcurl.so"
libmbedtls.so.13: cannot open shared object file: No such file or directory

Perhaps something has to be rebuilt, but not sure what.