Vulnerability Roundup 28 #30959
cc: @LnL7 @7c6f434c @fpletz @globin @NeQuissimus @wizeman @FRidh @vcunat @peterhoeg @ndowens @dezgeg @nh2. Note: The list of people CC'd on this issue participated in the last Permanent CC's: @joepie91, @phanimahesh, @the-kenny, @7c6f434c, @k0001, @peterhoeg If you would like to be CC'd on all roundups, PM me.
This list needs manual cleanup since vulnix does not honour CVE patches already present. Working on this.
I'm looking at freetype.
freetype-2.7.1 (search, files) (CVE-2017-8105) is already patched.
Sqlite needs merging #30927 AFAICT.
#21161 should resolve the jquery-ui CVE.
libxslt is already patched in master and 17.09.
I'll take libjpeg-turbo
libvorbis
The openldap CVE-2017-14159 is a minor issue with PID file creation. It is only really applicable if initscripts are used, so NixOS isn't even vulnerable since our openldap service neither uses nor creates a PID file. Ticked off.
All the audiofile stuff seems to be mpruett/audiofile#42
sqlite - staging is already on 3.20.1 but that suffers from CVE-2017-15286, a PR is opened to update to 3.21.0 #30927
libtiff - we have patches for: CVE-2017-9937 - appears to be incorrectly assigned, the bug is in the jbigkit package - http://bugzilla.maptools.org/show_bug.cgi?id=2707
Could anyone recheck that I am not missing something? Edited to add: and, of course, renaming the patch will be a
The other two (
The following So I'm marking those.
Actually, CVE-2017-10790 got fixed in 1fb803c (although pretending to have fixed CVE-2017-9310), so this can be checked too. I added a commit in #31082 fixing the CVE number.
jython fix comes with #31090.
I've got bad news for
EDIT:
I picked this round of mass rebuilds to 17.09. In case of e.g. sqlite it may have been more suitable to find and apply only specific patches instead of the upgrades; certainly feel free to do so (I don't have that much time to spare).
And speaking of time, I ignored 17.03, at least for now. IIRC we used to leave only a month's overlay, so we might just drop picking to 17.03 except for really critical problems. I really have no idea how fast NixOS users migrate, but one month probably isn't too much. I believe we should at least explicitly announce such plans in advance, saying e.g. that 17.09 shall be maintained (at least) until the end of May 2018.
I was also just about to push those cherry-picks after having tested a few builds. Thanks! I'm more liberal concerning minor package bumps if they don't break any of our packages. Regarding the security support: I agree, but let's wait until we have the security team and 'on call' figured out. I'll also try to fix the most important ones for 17.03.
All of the @matejc Is there any reason to keep so many old versions around?
We have a libc problem: https://nvd.nist.gov/vuln/detail/CVE-2017-15670 Plan:
Sounds good, vcunat. Other distro bug trackers and source repos can prove helpful to enumerate security patches we may need.
…On Sun 5. Nov 2017 at 11:34, Vladimír Čunát ***@***.***> wrote:
We have a libc problem: https://nvd.nist.gov/vuln/detail/CVE-2017-15670
Plan:
- pick just the patch for 17.09, and verify there aren't more missed security patches
- on staging update to 2.26+stable directly, and get to nixos-unstable* soon
glibc: on 17.09 it's in channels (probably), and we have it on master as well, with some caveats: 6ffafc7.
Fixes: * CVE-2017-6827 * CVE-2017-6828 * CVE-2017-6829 * CVE-2017-6830 * CVE-2017-6831 * CVE-2017-6832 * CVE-2017-6833 * CVE-2017-6834 * CVE-2017-6835 * CVE-2017-6836 * CVE-2017-6837 * CVE-2017-6838 * CVE-2017-6839 cc #30959 (cherry picked from commit a6044ad)
Patched the audiofile issues.
Fixes the patches names for security tools to parse CVEs. Adds patch to fix CVE-2017-14634. cc #30959
Fixes the patches names for security tools to parse CVEs. Adds patch to fix CVE-2017-14634. cc #30959 (cherry picked from commit 58218d4)
Fixes CVE-2014-9450, CVE-2016-4338. cc #30959 (cherry picked from commit 1d66d64)
Fixes: * CVE-2016-10504 * CVE-2016-10505 * CVE-2016-10506 * CVE-2016-10507 * CVE-2016-9112 * CVE-2016-9113 * CVE-2016-9114 * CVE-2016-9115 * CVE-2016-9116 * CVE-2016-9117 * CVE-2016-9118 cc #30959 (cherry picked from commit 4e57256)
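The comment that vulnix "does not honour CVE patches already present" and the later commits that rename patches "for security tools to parse CVEs" describe the same mechanism from two sides: a scanner can only credit a patch against a reported CVE if the CVE identifier is recoverable from the patch file name. The script below is an added example, not vulnix's or nixpkgs' own code; it reconciles a vulnix-style report against per-package patch lists, crediting a CVE as patched only when its ID appears in a patch name and flagging patches whose names carry no ID so they can be renamed. The package names and CVE IDs are taken from this thread; the reported-CVE sets and the patch file names are constructed for the example and are not the real nixpkgs state.

```python
"""Reconcile a vulnix-style CVE report against CVE IDs embedded in patch
file names. Added example; not vulnix's or nixpkgs' own code."""
import re

# One CVE identifier per match. vulnix prints upper-case IDs while patch
# file names are not always consistent, so match case-insensitively and
# normalise to upper case before comparing.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed stand-in for vulnix output: package -> CVEs it reports.
REPORTED = {
    "freetype-2.7.1": {"CVE-2017-8105"},
    "libtiff-4.0.8": {"CVE-2017-9310", "CVE-2017-9937", "CVE-2017-10790"},
    "sqlite-3.20.0": {"CVE-2017-15286"},
}

# Constructed patch lists, as a reviewer might read them off a package
# expression. "libtiff-upstream-fix.patch" is the problematic case: it may
# well fix one of the reported CVEs, but nothing in its name says which.
PATCHES = {
    "freetype-2.7.1": ["cve-2017-8105.patch"],
    "libtiff-4.0.8": ["CVE-2017-9310.patch", "libtiff-upstream-fix.patch"],
    "sqlite-3.20.0": [],
}


def cve_ids(text):
    """Return the set of (upper-cased) CVE IDs mentioned in a string."""
    return {m.upper() for m in CVE_RE.findall(text)}


def patched_cves(patch_names):
    """CVE IDs that can be credited from the given patch file names."""
    ids = set()
    for name in patch_names:
        ids |= cve_ids(name)
    return ids


def unnamed_patches(patch_names):
    """Patches whose names carry no CVE ID; candidates for renaming."""
    return [name for name in patch_names if not cve_ids(name)]


def reconcile(reported, patches):
    """For every reported package, split its CVEs into still-open and
    patched, and list patches a name-based scanner cannot credit."""
    result = {}
    for pkg, cves in reported.items():
        names = patches.get(pkg, [])
        credited = patched_cves(names)
        result[pkg] = {
            "open": sorted(cves - credited),
            "patched": sorted(cves & credited),
            "unnamed_patches": unnamed_patches(names),
        }
    return result


def format_report(result):
    """Render the reconciliation as roundup-style lines."""
    lines = []
    for pkg in sorted(result):
        entry = result[pkg]
        status = "still open: " + ", ".join(entry["open"]) if entry["open"] else "all reported CVEs patched"
        lines.append(f"{pkg}: {status}")
        for name in entry["unnamed_patches"]:
            lines.append(f"  note: {name} names no CVE; rename it if it fixes one")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(reconcile(REPORTED, PATCHES)))
```

With the constructed input, freetype is reported clean because its single patch is named after the CVE, sqlite stays fully open because nothing is patched, and libtiff keeps two CVEs open while the unnamed patch is flagged; whether that patch really covers one of them is exactly the question a reviewer must answer by hand, which is why naming patches after their CVE removes a manual step from every future roundup.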
Fixed all remaining fixable CVEs and added comments to the remaining issues. Most can't be fixed because there is no upstream fix yet. I think we can close this issue now and do another roundup soon.
Auto-generated from
vulnix $( nix-instantiate -I nixpkgs=. '<nixpkgs/nixos/tests/login.nix>' )
on current master.
audiofile-0.3.6 (search, files)
cyrus-sasl-2.1.26 (search, files)
freetype-2.7.1 (search, files)
jquery-ui-1.11.4 (search, files)
libarchive-3.3.2 (search, files)
libjpeg-turbo-1.5.2 (search, files)
libsndfile-1.0.28 (search, files)
libtasn1-4.12 (search, files)
libtiff-4.0.8 (search, files)
libvorbis-1.3.5 (search, files)
libxslt-1.1.29 (search, files)
openjpeg-2.1.2 (search, files)
openldap-2.4.45 (search, files)
pcre-8.40 (search, files)
perl-5.24.2 (search, files)
sqlite-3.20.0 (search, files)
owncloud-7.0.5 (search, files)
jython-2.7.0 (search, files)
zabbix-2.0.11 (search, files)