Vulnerability Roundup 29 #32117
Comments
rpcbind resolved in #32119
All of the
I opened a PR to port the systemd fix to our systemd fork: NixOS/systemd#14
Redhat has closed CVE-2017-11164 with WONTFIX status https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-11164
@andir could you bump the systemd derivation?
I will do later tonight. Away from the keyboard for a few hours.
…On Nov 28, 2017 7:40 PM, "Robin Gloster" ***@***.***> wrote:
@andir <https://github.com/andir> could you bump the systemd derivation?
Gentoo also has doubts whether CVE-2017-11164 is a valid bug or not https://bugs.gentoo.org/show_bug.cgi?id=CVE-2017-11164 I'm inclined to agree so I'm ticking this box.
There are security fixes in multiple packages /cc #32117, so I'm merging a little earlier, with a few thousand jobs still not finished on Hydra for x86_64-darwin and aarch64-linux.
Has anyone got an idea what's going on with CVE-2017-11551 (libid3tag)?
Quick search shows that: CVE-2017-11551 seems to be OOM-only, if I understand correctly it enforces allocation of a stupid amount of memory. After a quick search I have a suspicion that there is still no patch available.
I think we can safely close this issue - I'll do another roundup soon.
Obtained via
vulnix -j $(nix-instantiate -I nixpkgs=. nixos/release-small.nix)
on 2f1a818. Cleaned up manually for CVEs already present in #30959. May contain false positives.
libid3tag-0.15.1b (search, files)
pcre-8.41 (search, files)
pcre2-10.23 (search, files)
rpcbind-0.2.4 (search, files)
rsync-3.1.2 (search, files)
systemd-234 (search, files)
wpa_supplicant-2.6 (search, files)