Nixpkgs: how to subscribe to security advisory notices for nixpkgs / nixos?

Created on 27 Feb 2016  ·  57 Comments  ·  Source: NixOS/nixpkgs

tl;dr: I suggest an issue label or combination of labels dedicated to security advisories (vulnerabilities and updates / patches).

Nix is great, and as I use it more for hobby stuff, I'm thinking about using it at work (KUMC medical informatics) where we safeguard research data about a large collection of patients.

We have a few dozen linux servers; SLES in particular. We regularly apply SLES updates, so we get those updates whether we read their SUSE Update Advisories or not. For stuff we install on top of that, our general policy is to subscribe to security notices directly. For example:

I have been looking for something similar for nix packages. I sort of expected to see something on/near NixOS support, but no joy. Then I stumbled across the issues with the 1.severity: security label.

Stuff like #12437 on ffmpeg and #13506 on openssl are exactly what I'm looking for. But #7220 also bears that label, and it's more of a wide-ranging design discussion, not a particular vulnerability or update. It would work for me to filter out the "0.kind: enhancement" label or add "9.needs: package (update)" as a constraint, provided that emerges as the norm among the nix maintainers. An explicit link from NixOS support would be most helpful.

For reference, when I asked for reference information on the current list of labels, I learned about the NixOS/Nixpkgs repository labels thread.

For inspiration, a few more lists I found while researching this request:

It seems conventional to document "how to report security issues" on the same page.

Expected result

A security update policy on/near NixOS support.

Actual result

No clear security update norms.

Steps to reproduce

Look at NixOS support and pages nearby.

Labels: question, security

Most helpful comment

The mailing list has gone silent since last year. The website only mentions this list. Is there a replacement to subscribe advisories somewhere?

All 57 comments

Agreed - I will propose that the priority for the 16.09 release should be security updates tooling and advisories.

I found a relevant nifty blog item; it even cites this issue. I suppose it's worth closing the loop:

Here are some security announcements. :)

The following issues have been resolved in NixOS in unstable and 16.09. They remain potentially open on 16.03 and older. They will be released to 16.09 and unstable channels once Hydra's tested job passes for each channel.

Fixes from September 22 (https://github.com/NixOS/nixpkgs/issues/18856)

  • https://github.com/NixOS/nixpkgs/issues/18859 Tomcat 7.0.70 -> 7.0.72
  • https://github.com/NixOS/nixpkgs/issues/18860 php5: 5.6.25 -> 5.6.26
  • https://github.com/NixOS/nixpkgs/issues/18874 nginxMainline: 1.11.3 -> 1.11.4
  • https://github.com/NixOS/nixpkgs/issues/18875 openjdk7: 1.7.0-91 -> 1.7.0-111
  • https://github.com/NixOS/nixpkgs/issues/18877 openvpn: 2.3.11 -> 2.3.12
  • https://github.com/NixOS/nixpkgs/issues/18878 Drop JDK 1.6 and 1.7
  • https://github.com/NixOS/nixpkgs/issues/18879 curl: 7.50.1 -> 7.50.3
  • https://github.com/NixOS/nixpkgs/issues/18880 bind: 9.10.4 -> 9.10.4-P2
  • https://github.com/NixOS/nixpkgs/issues/18882 mariadb: 10.1.16 -> 10.1.17
  • https://github.com/NixOS/nixpkgs/issues/18884 mysql55: 5.5.50 -> 5.5.52
  • https://github.com/NixOS/nixpkgs/issues/18899 ikiwiki: 3.20150614 -> 3.20160905
  • https://github.com/NixOS/nixpkgs/issues/18900 mailman: 2.1.18 -> 2.1.23
  • https://github.com/NixOS/nixpkgs/issues/18904 as31: Apply Debian patch for CVE-2012-0808
  • https://github.com/NixOS/nixpkgs/issues/18905 ffmpeg: 2.8.7 -> 2.8.8
  • https://github.com/NixOS/nixpkgs/issues/18908 jq: Fix CVE-2015-8863 and CVE-2016-4074
  • https://github.com/NixOS/nixpkgs/commit/fc0f3ebb20c303c1b6812c465ade23709d61f7b0 / https://github.com/NixOS/nixpkgs/commit/55a1fb157a6406a716d1be34525b319eaf0a193c jansson: 2.7 -> 2.8
  • https://github.com/NixOS/nixpkgs/issues/18909 flex: 2.6.0 -> 2.6.1
  • https://github.com/NixOS/nixpkgs/issues/18910 lighttpd: 1.4.40 -> 1.4.41
  • https://github.com/NixOS/nixpkgs/issues/18916 monit: 5.10 -> 5.19.0
  • https://github.com/NixOS/nixpkgs/issues/18919 fcgi: Patch to protect against stack smashing
  • https://github.com/NixOS/nixpkgs/issues/18921 Spice: Upgrade all the spice packages
  • https://github.com/NixOS/nixpkgs/issues/18911 giflib: 5.1.0 -> 5.1.4
  • https://github.com/NixOS/nixpkgs/issues/18923 davfs2: 1.5.2 -> 1.5.3
  • https://github.com/NixOS/nixpkgs/issues/18924 mysql_jdbc: 5.1.38 -> 5.1.39
  • https://github.com/NixOS/nixpkgs/issues/18925 nettle: 3.1.1 -> 3.2
  • https://github.com/NixOS/nixpkgs/commit/fa6c6dae76a84dbbededa9b1053e4a90243b673f / https://github.com/NixOS/nixpkgs/commit/e891f0d16d16d8918c7a60c3678e1f12e05a6f9a imagemagick: 6.9.5-2 -> 6.9.5-10
  • https://github.com/NixOS/nixpkgs/issues/18927 owncloud: update minor versions, init 9.1.1
  • https://github.com/NixOS/nixpkgs/commit/6244be2d0a07778b51eb4ff41f5ecefc187b54a8 / https://github.com/NixOS/nixpkgs/commit/a6f58636d25d27babe05efb5a3e10e6bdfca3ebe pcre: 8.38 -> 8.39
  • https://github.com/NixOS/nixpkgs/issues/18931 libupnp: 1.6.19 -> 1.6.20 for CVE-2016-6255
  • https://github.com/NixOS/nixpkgs/commit/ee8fed46974156e0a6f7e2e800ba824dbb347978 / https://github.com/NixOS/nixpkgs/commit/142ee90ef703d56de4e2d5ff1c4499e0597fa16d librsvg: 2.40.9 -> 2.40.16
  • https://github.com/NixOS/nixpkgs/commit/072917ea5d94a3d52901a46a5c7702eb82e93a30 / https://github.com/NixOS/nixpkgs/commit/0ce6bbd1270776d20edc907b31eebe16274cb3b4 chromium: update to latest channel releases
  • https://github.com/NixOS/nixpkgs/issues/18943 busybox: 1.23.2 -> 1.24.2
  • https://github.com/NixOS/nixpkgs/issues/18949 openjpeg: 2.1.0 -> 2.1.1 for critical bugfixes and no ABI break
  • https://github.com/NixOS/nixpkgs/issues/18951 lcms: fix cve-2013-4276
  • https://github.com/NixOS/nixpkgs/issues/18954 / https://github.com/NixOS/nixpkgs/issues/18959 Update qemu (build without stack protection)
  • https://github.com/NixOS/nixpkgs/issues/18965 webkitgtk: 2.12.4 -> 2.12.5
  • https://github.com/NixOS/nixpkgs/issues/18966 file-roller: 3.20.2 -> 3.20.3
  • https://github.com/NixOS/nixpkgs/issues/18967 mplayer: 1.1.1 -> 1.3.0
  • https://github.com/NixOS/nixpkgs/issues/18968 libdwarf: 20121130 -> 20160613
  • https://github.com/NixOS/nixpkgs/issues/18975 jdkdistro: remove oraclejdk6, not maintained anymore
  • https://github.com/NixOS/nixpkgs/issues/18989 wordpress: 4.3.1 -> 4.6.1 + add a test
  • https://github.com/NixOS/nixpkgs/issues/18994 mediawiki: 1.23.13 -> 1.27.1
  • https://github.com/NixOS/nixpkgs/issues/18996 firebird: 2.5.2.26540-0 -> 2.5.6.27020-0
  • https://github.com/NixOS/nixpkgs/issues/6962 apache-httpd: adding subservice moodle
  • https://github.com/NixOS/nixpkgs/issues/16735 librsvg: 2.40.9 -> 2.40.16 (WIP)
  • https://github.com/NixOS/nixpkgs/issues/19007 jasper: Apply patches for CVES
  • https://github.com/NixOS/nixpkgs/commit/b5ab13a5ff147c0bb61a3222270691e8acea8b73 / https://github.com/NixOS/nixpkgs/commit/9ae2d387706b1eda07aa4952035faec88ed62b91 pidgin: 2.10.11 -> 2.11.0
  • https://github.com/NixOS/nixpkgs/commit/d5adf2cc0bd4d1d436dd81f33a8503a6db8e1762 / https://github.com/NixOS/nixpkgs/commit/da5eb83903a1c00a25e18c70c73f6f00b6a73ee7 dhcp: 4.3.3 -> 4.3.4
  • https://github.com/grahamc/nixpkgs/commit/527ec17dc976f6c7136b7e676628b76fb4b5a4d1 / https://github.com/NixOS/nixpkgs/commit/7767b1850680a0ec45f8528af244ea1af3e1f1a0 moodle: mark as broken
  • https://github.com/NixOS/nixpkgs/commit/851efbb1f9c4692d086310703b57095f31cd7944 mesos: mark as broken
  • https://github.com/NixOS/nixpkgs/commit/148417713361bce6d679ce2f1ebcc49dabc69457 openstack-neutron: mark as broken
  • https://github.com/NixOS/nixpkgs/commit/f90e982321719d866d6e92e7c4e6f797ab872e60 redmine: mark as broken
  • https://github.com/NixOS/nixpkgs/commit/41fbcc24001366eb2d446c467efb8b0223cad094 cryptopp: mark as broken
  • https://github.com/NixOS/nixpkgs/commit/655017d5cac9a84ecdc221282631dd6ef3030f00 asterisk: mark as broken

Fixes from September 29 (https://github.com/NixOS/nixpkgs/issues/19075)

  • https://github.com/NixOS/nixpkgs/commit/e452ef563d38839f5aa4d8fba029375c76778df8 / https://github.com/NixOS/nixpkgs/commit/4c0b07ce1eb680f67cb28cf952ef14657779cf6a freerdp: Mark stable as broken

Fixes from October 5 (https://github.com/NixOS/nixpkgs/issues/19253)

  • https://github.com/NixOS/nixpkgs/commit/8b09ba32d3d42392480c9691f0964dfc934de730 Systemd fixes
  • https://github.com/NixOS/nixpkgs/issues/19275 openjpeg: 2.1.1 -> 2.1.2 for CVE-2016-7163
  • https://github.com/NixOS/nixpkgs/issues/19274 bash: fix CVE-2016-7543 in 16.09
  • https://github.com/NixOS/nixpkgs/issues/19276 c-ares: 1.10.0 -> 1.12.0 for CVE-2016-5180
  • https://github.com/NixOS/nixpkgs/issues/19297 openssh: apply patch to fix NEWKEYS null pointer deref

Fixes from October 12 (https://github.com/NixOS/nixpkgs/issues/19481)

  • https://github.com/NixOS/nixpkgs/commit/f75529944374c3f0569035cf7641222b7fd7e98f / https://github.com/NixOS/nixpkgs/commit/53612bb0f5511d1c1c4b27bcffc2484ea7c44b89 xorg: security fixes
  • https://github.com/NixOS/nixpkgs/pull/19510 Nodejs: Upgrades for security patches
  • https://github.com/NixOS/nixpkgs/issues/19511 mujs: 2016-02-22 -> 2016-09-21
  • https://github.com/NixOS/nixpkgs/issues/19507 imagemagick: 6.9.5-10 -> 6.9.6-2 for CVEs (and other fixing from the subsequent breakage.)
  • https://github.com/NixOS/nixpkgs/commit/4771ccd896e8355a025900d75a9c4b104d6439e1 / https://github.com/NixOS/nixpkgs/commit/9711bb0c8be6b53ad8931f9b5ef84759e0b7c864 graphicsmagick: apply patches to fix security issues
  • https://github.com/NixOS/nixpkgs/issues/19558 xen: 4.5.2 -> 4.5.5, drop old versions

Fix from this morning, October 18, to be released to 16.09 and unstable once hydra builds:

Fixes from October 19 (https://github.com/NixOS/nixpkgs/issues/19678), to be released to 16.09 and unstable once hydra builds:

  • #19679 mpg123: 1.22.2 -> 1.23.8 for CVE-2016-1000247
  • #19614 guile: 2.0.12 -> 2.0.13 (for CVE)
  • #19681 ghostscript: 9.18 -> 9.20 for multiple CVEs
  • #19682 dbus: 1.10.10 -> 1.10.12 for CVE-2015-0245
  • #19683 ffmpeg: 3.1.3 -> 3.1.4
  • #19685 nsd: 4.1.12 -> 4.1.13 for CVE-2016-6173
  • #19687 quagga: 1.0.20160315 -> 1.0.20161017 for CVE-2016-1245
  • #19702 tracker: 1.8.0 -> 1.10.1 (16.09)
  • #19707 oraclejdk: 8u101/102 -> 8u111/112
  • #19708 mysql: 5.5.52 -> 5.5.53
  • #19709 mysql: 5.7.15 -> 5.7.16
  • #19710 libtiff: patch for many CVEs
  • pythonPackages.suds: mark as broken in 58e46e2 / 7145fec.

On master only, upgrading KDE: https://github.com/NixOS/nixpkgs/commit/9cd8b4e2d7846d897787963d5a2e11d3c12f30e1 but a proposed upgrade for KDE in 16.09: https://github.com/NixOS/nixpkgs/pull/19706

Chromium has an outstanding issue (https://lwn.net/Vulnerabilities/703767/) without any solution yet.

Note, if you'd like to help on the next week's hunt please add a comment to issue https://github.com/NixOS/nixpkgs/issues/19678 :)

Fixes from October 20 to be released to 16.09 and unstable once hydra builds:

@domenkozar it strikes me we could address the problem reported on this issue by:

  1. linking to the comments on this issue :)
  2. putting these notices elsewhere, and linking to that ...

I can post these notices anywhere. Some thoughts on where:

  • a separate github repository where issues are alerts, people can "watch" the repo for notifications.
  • an RSS feed (could be consumed by the homepage)
  • a JSON document (?) (could also be consumed by the homepage or something like that)
  • a special email list ?
  • literally anywhere else. I don't need to be posting to this issue, and could post anywhere (as long as it is easy.)
  • here. People can click "Subscribe" and get notified.

I don't think reusing a single issue thread will scale well. Keeping in mind https://github.com/NixOS/nixpkgs/issues/14819#issuecomment-215451742, IMO an RSS feed would be best; the RSS feed could be backed/generated from another system if wanted as well (e.g. a git repo).

Every time https://github.com/NixOS/nixpkgs-channels is updated, the HEAD commit could be tagged as a release with an automatically generated release message from the commit messages. Maybe grepping for CVE strings or something similar.. git-notes may also work..
That would give us the RSS feed.
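The tag-and-grep proposal above, as an added Python example (not nixpkgs or NixOS code): it takes `git log --format='%H %s'` output for the commits between two channel advances, keeps the ones whose subject names a CVE or uses a security keyword, and renders them as an RSS 2.0 feed. The sample log, its placeholder hashes and the repository URL used for item links are constructed here; the keyword list is an assumption about how nixpkgs commit subjects are worded.

```python
"""Build an RSS feed of security-relevant commits between two channel advances.

Added example, not part of the nixpkgs project. Input is the one-line
output of `git log --format='%H %s'`; the sample below is constructed
from the kinds of commit subjects seen in this thread.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample of `git log --format='%H %s'` output. The hashes are
# placeholders, not real nixpkgs commits.
SAMPLE_LOG = """\
0000000000000000000000000000000000000001 libupnp: 1.6.19 -> 1.6.20 for CVE-2016-6255
0000000000000000000000000000000000000002 jq: Fix CVE-2015-8863 and CVE-2016-4074
0000000000000000000000000000000000000003 monit: 5.10 -> 5.19.0
0000000000000000000000000000000000000004 lcms: fix cve-2013-4276
0000000000000000000000000000000000000005 qemu: add patches to fix lots of CVEs
0000000000000000000000000000000000000006 kernel: 3.10.103 -> 3.10.104 (DirtyCow)
"""

# CVE identifiers; case-insensitive because subjects like "cve-2013-4276" occur.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
# Assumed keywords for subjects that announce a fix without naming an id.
KEYWORD_RE = re.compile(r"\b(CVEs?|security|vuln\w*|dirtycow)\b", re.IGNORECASE)


def parse_log(text):
    """Split `%H %s` lines into (hash, subject) pairs, skipping malformed lines."""
    commits = []
    for line in text.splitlines():
        parts = line.split(" ", 1)
        if len(parts) != 2 or not re.fullmatch(r"[0-9a-f]{7,40}", parts[0]):
            continue
        commits.append((parts[0], parts[1].strip()))
    return commits


def security_items(commits):
    """Return the commits that name a CVE or use a security keyword.

    Each item is a dict with hash, subject and the normalised upper-case CVE
    ids. A plain version bump that silently fixes a CVE is not caught, which is
    why the maintainers in this thread also read other distros' advisories.
    """
    items = []
    for h, subject in commits:
        cves = sorted({c.upper() for c in CVE_RE.findall(subject)})
        if cves or KEYWORD_RE.search(subject):
            items.append({"hash": h, "subject": subject, "cves": cves})
    return items


def build_rss(items, repo_url, channel_name, now=None):
    """Render items as an RSS 2.0 document string.

    repo_url is assumed to be a GitHub-style URL so that
    repo_url/commit/<hash> is a valid permalink.
    """
    now = now or datetime.now(timezone.utc)
    rss = ET.Element("rss", version="2.0")
    chan = ET.SubElement(rss, "channel")
    ET.SubElement(chan, "title").text = f"{channel_name} security fixes"
    ET.SubElement(chan, "link").text = repo_url
    ET.SubElement(chan, "description").text = "Commits mentioning CVEs or security fixes"
    ET.SubElement(chan, "lastBuildDate").text = now.strftime("%a, %d %b %Y %H:%M:%S +0000")
    for it in items:
        item = ET.SubElement(chan, "item")
        ET.SubElement(item, "title").text = it["subject"]
        ET.SubElement(item, "link").text = f"{repo_url}/commit/{it['hash']}"
        ET.SubElement(item, "guid", isPermaLink="false").text = it["hash"]
        ET.SubElement(item, "description").text = (
            "CVEs: " + ", ".join(it["cves"]) if it["cves"]
            else "No CVE id in commit subject")
    return ET.tostring(rss, encoding="unicode")


def feed_from_log(log_text, repo_url="https://github.com/NixOS/nixpkgs-channels",
                  channel_name="nixos-16.09"):
    """Convenience wrapper: raw git log text in, RSS document out."""
    return build_rss(security_items(parse_log(log_text)), repo_url, channel_name)


if __name__ == "__main__":
    print(feed_from_log(SAMPLE_LOG))
```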

FWIW I'd rather avoid trying to be too automatic about it, or steeping this discussion in technical implementation details. As it stands now the process of generating the advisories is pretty trivial, especially in comparison to the effort in actually researching and applying the patches.

Update, October 20: Privilege escalation vulnerability in all Linux kernels

Kernel updates in master and 16.09 include patches for CVE-2016-5195 (DirtyCow -- https://dirtycow.ninja/) https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails

The hydra job for 16.09 (https://hydra.nixos.org/build/42415618) passed the tested job, and should be available through the channels soon. Versions at or after 2eac61e5db79783a571b4be2f26b73172f5db3c0 include the upgraded kernels. Any version before this is insecure. At time of writing the stable channel is at b8ede35, which is insecure. I will update when the channel update happens.

Cross-posted from nix-dev:


Hello Nixers,

All Linux kernels since 2.6.22 have been vulnerable to a privilege escalation bug.

Please upgrade immediately.

This issue was discovered and patched on October 18. The fix was released yesterday, and the 16.09 channel now includes the fix for the following kernels:

  • linuxPackages: 4.4.25 -> 4.4.26 (https://github.com/NixOS/nixpkgs/commit/0b20f6daba35575a7d4d2a61f42830d793a12892)
  • linuxPackages_4_7: 4.7.8 -> 4.7.9 (https://github.com/NixOS/nixpkgs/commit/7e5cfb7d82bbe29cb83333638e2d0ead60260c6e)
  • linuxPackages_latest: 4.8.2 -> 4.8.3 (https://github.com/NixOS/nixpkgs/commit/0ed0d08c7291da58b4c20c68d2ae89b2934555ab)

When updating please ensure you have nixos-16.09.819.31c72ce or newer. Previous versions (nixos-16.09.773.b8ede35 and older) do not include these patches.

For unstable, only unstable-small has the patches:

  • linuxPackages: 4.4.25 -> 4.4.26 (https://github.com/NixOS/nixpkgs-channels/commit/76a57d83b5a4df7c3ac85b25c5ab10d6fb415eb2)
  • linuxPackages_4_7: 4.7.8 -> 4.7.9 (https://github.com/NixOS/nixpkgs-channels/commit/fabfb0a900b8bc732f0561d696ee72a800cba708)
  • linuxPackages_latest: 4.8.2 -> 4.8.3 (https://github.com/NixOS/nixpkgs-channels/commit/0c3e5217fcf61ea652cdb3c661808c254eaa54df)

Standard unstable will move forward when all tests have passed.

All other kernels available in NixOS 16.09 and Unstable are vulnerable and have not yet received patches.

This includes:

  • linuxPackages_mptcp
  • linuxPackages_rpi
  • linuxPackages_3_10
  • linuxPackages_3_10_tuxonice
  • linuxPackages_3_12
  • linuxPackages_3_18
  • linuxPackages_4_1
  • linuxPackages_testing

More information can be had at https://dirtycow.ninja/

Also included in this channel update are several fixes found in the latest vulnerability hunt. See:

If you would like to help with future hunts and patches, please leave a comment on https://github.com/NixOS/nixpkgs/issues/19678 and I'll make sure to ping you.

Thank you,
Graham

So the way to subscribe to security notices is to subscribe to this ticket?

If so, please update NixOS support or something nearby.

@dckc I don't think this ticket is officially designated The Way to do it. I've been doing it as a stop-gap. Note my question (https://github.com/NixOS/nixpkgs/issues/13515#issuecomment-255234768) about where we should do it long term.

Update, October 22: Kernel buffer overflow patched. Not sure of severity.

@NeQuissimus has upgraded our Linux kernels to the latest versions released today.

| attribute | was | now | 16.09 | unstable | changelog |
| --- | --- | --- | --- | --- | --- |
| linuxPackages_latest | 4.8.3 | 4.8.4 | ceb1d539483bb05c3b1114ca096a2c2e6d40f842 | a3989b87df42e21cb4f23ccc26bc0c5572f969d0 | https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.4 |
| linuxPackages_4_7 | 4.7.9 | 4.7.10 | c9d66910e6a0ebb44576a29bdec67951381ddc9c | 72d91f95cb550c24a1580898ab78f038a14214a5 | https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.10 |
| linuxPackages | 4.4.26 | 4.4.27 | 92047849deb2c7e03b7798b9e9652f1f6c4b6366 | aa7424642d65df16b4f9e64550cabe31850d3e2a | https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.27 |

PS: @NeQuissimus has been an incredible help on keeping our kernels up to date lately. Thank you!

Security fixes from 2016-10-26 01:54 UTC

The following issues have been resolved in NixOS in unstable and release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when Hydra finishes building the "tested" job for each channel:

| master | release-16.09 | Message | Notes |
| --- | --- | --- | --- |
| 5440c1a64cd66ca481c7aa3121b32fbdfaf1ba81 | 2bc7ca7060fdd53ec4fc83a847e4a3661ac10bdb | grsecurity: 4.7.9-201610200819 -> 4.7.10-201610222037 | Fixes dirtycow (please upgrade! now in the channel!) |
| e99a81060fe071cf28a8bbf09a9dcacd66855455 | cadc55f2898983ca96df7fb4bd6e39757ebd68df | gnutls: 3.3.24 -> 3.3.25 | GNUTLS-SA-2016-3 / CVE-2016-7444 (https://www.gnutls.org/security.html) -- not available yet |
| b3f7d626c164ae591a067f78bfcbb06fc3a588b9 | 27b37f1b9532170a043468d38eaf4bf1dbf97e09 | kernel: remove 4.7 | 4.7 is now EOL (now in the channel!) |

Security fixes from 2016-10-27 12:50 UTC

The following issues have been resolved in NixOS in unstable and release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when Hydra finishes building the "tested" job for each channel:

| master | release-16.09 | Subject | Notes |
| --- | --- | --- | --- |
| d19b53f8516ca6a52918f5db216bd59a3b69a1aa | 4f0125074efac58ad829a5184831757509c6ec9e | flashplayer: 11.2.202.637 -> 11.2.202.643 | Critical security flaw: https://helpx.adobe.com/security/products/flash-player/apsb16-36.html |
| e4773819f419618f2247a5226c3390d2fd817859 | 74b319bdd4be78159a9739df1d49c4a8d9e96096 | kernel: 3.10.103 -> 3.10.104 | Includes fixes for DirtyCow |
| e5e84ecbbdc2477499626a9815c4ec8c265b18da | 9f3371bc72689c24c9a25172bb6da6b31cc6395a | kernel: 3.12.63 -> 3.12.66 | Includes fixes for DirtyCow |
| b02646f93b995dd683681fc6f2c86c056b41a2d0 | a43f80a9065bf83b662b12cd33d9d2b8f99d189a | kernel: 3.18.42 -> 3.18.44 | Includes fixes for DirtyCow |
| 89cd922a6a910164dfb63dc0389a254b079d26df | ebed0acc179c0bfc5da5888082012b774f71a4e1 | kernel: 4.1.33 -> 4.1.35 | Includes fixes for DirtyCow |
| e5ad26e48e7f74435219adf85be97f014a567eda | 59c8691b3c7019a09cc294f9aab01785675e61ec | libdwarf: 20161001 -> 20161021 for CVE-2016-8679 | n/a |
| 65a6484f792c5939a5de678a2abdf943d139babf | cc5f0af99071a42336b5d18ee1eb65aee1df57bd | libgit2: 0.24.1 -> 0.24.2 for CVE-2016-8568, CVE-2016-8569 | n/a |
| 0f7ac8b41fcc048e29d6e89fa71806d4bb185e9c | b24ae4592b2aaff12aa0352e9dc83346f57a6720 | openslp: patch for CVE-2016-7567 | n/a |
| 69e8bac9cd1b605440a28e4cb56a4acf6e2c0103 | 8c6ee842007f884b28f6461300906e1505b7d3f9 | virtualbox: 5.1.6 -> 5.1.8 for many CVEs: | n/a |

There are additional patches waiting to land:

I'll provide an update when these stragglers are complete.

Thank you,
Graham

PS: If you would like to help with future hunts and patches, please leave a comment on #19884 and I'll make sure to ping you.

Security advisories from 2016-10-27 22:37 UTC

The following issues have been resolved in NixOS in unstable and release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when Hydra finishes building the "tested" job for each channel:

| master | release-16.09 | Subject | Notes |
| --- | --- | --- | --- |
| 070ff88fea1ccbd7a6201afb98923b7d90442f2b | 06a9a09a0275178be8ad77b23bd253c7d4e88e0c | openjdk: 8u122-03 -> 8u122-04 | n/a |
| e9a5cf3f6f532551e9841bcb7c6364ee161be2c8 | e9a5cf3f6f532551e9841bcb7c6364ee161be2c8 | kernel: 4.9-rc1 -> 4.9-rc2 | Patches for DirtyCow |
| 354811f4bcb802a8032fdbb228ec82d73b15ebe8 | eef176fb8250fd221173a3bd11e4cb0a027b6b6f | webkitgtk214x: 2.14.0 -> 2.14.1 | (backported the creation of 2.14 for Epiphany, which now requires it.) |
| 3e18f4bc2f7d9dc89672a62fc07b071f6f32bcdd | 5b08a40da92199aaf53e191e28eac0e7bfdd804c | epiphany: 3.20.3 -> 3.20.4 | n/a |

With the exception of Chromium (https://github.com/NixOS/nixpkgs/pull/19565) this closes out https://github.com/NixOS/nixpkgs/issues/19884.

Thank you,
Graham

PS: If you would like to help with future hunts and patches, please leave a comment on https://github.com/NixOS/nixpkgs/issues/19884 and I'll make sure to ping you.

Update: 16.09's channel has moved forward and nixos-16.09.877.5b08a40 includes all the patches.

Security advisories from 2016-11-05 01:12 UTC

The following issues have been resolved in NixOS in unstable and release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when Hydra finishes building the "tested" job for each channel:

| master | release-16.09 | Subject | Notes |
| --- | --- | --- | --- |
| 2b2f2733757922c0ea1fd2312662dc0442b59637 | 826a5d7aa1899c4a3ed8bb5e207d4c4c3d574a33 | cairo: add patch to fix CVE-2016-9082 | n/a |
| 1e1609da6ad87fe828973f17f1f175b3de841383 | 55dfafa4da724ada6ea5f8e17111a8c2fe7d68d9 | curl: 7.50.3 -> 7.51.0 | 11 serious CVEs |
| a7d35fdff34563ca8ccac09e9c4db2fcaa9ef076 | a64e9269fb0ce5c0eb4ff3f357580e60577bfa6d | gitlab: 8.12.6 -> 8.12.8, fix CVE-2016-9086 | n/a |
| 04db88d2474431417ed3c9276f3078c69a125af6 | eb653d96201b21d1e062191bea116c4996a6051b | graphicsmagick: add patches to fix 3 CVEs | n/a |
| dfdaea12403b31983cbfea365c76c29d4934f11e | 6189145b377819c0ecf93a6902f1c6ea6dfef3b5 | grsecurity: 4.7.10-201610222037 -> 201610262029 | n/a |
| 874abe694afe122feebd8665c71663af97b46cd6 | 4e17529a354d8100b8ce797b5708dc005fa10bba | linux: 4.8.5 -> 4.8.6 | n/a |
| a94bd88d7af53b2052035a76eaf474047a5ac614 | a29900e76335b4806cbfa917e5db93637a274fee | memcached: 1.4.20 -> 1.4.33 | n/a |
| af01fa71e0787c66c4f7e6fa88f8ee525959cd26 | 3f6c9cceeace789760b17e1998d03aeede16b93f | nixos.libvirtd: fix broken VMs due to emulator path changes | n/a |
| 68f2bc8fb351065fda55c8a7b1ee6d74ba64a9a0 | f33c5f713e1aa7c780134154e8e5072ad2081921 | perl-Image-Info: 1.38 -> 1.39 | n/a |
| b806e14a3ced762ec2b0ce162c75d400f312e897 | 74b91a85790683106a16f442c6a456f9561d94a9 | pythonPackages.django_1_8: 1.8.15 -> 1.8.16 | n/a |
| 58ad105cd43356e3de024fbf7df2d34f10d696df | abfb2e5cf9d2339fe9d8d0dc1085c0e6e715aea0 | pythonPackages.django_1_9: 1.9.10 -> 1.9.11 | n/a |
| 25c01931bb52bd2bc42b0bb017bd991236abd4fd | 924230d126a7c59d8423509cd8556558269f9316 | qemu: add patches to fix lots of CVEs | n/a |
| 9db03c1cf18e215ca9559e8f8a629dc6b1ad5385 | fc67ecc52fa7b7c25941f6cbeff29043508d8bbe | thunderbird: 45.3.0 -> 45.4.0 | n/a |
| cd67a0aada863e1510c0573aed03b20959dfdebb | 31ba04e416e4b7e318a0b8c39614c5b4868b3f68 | tre: add patch for CVE-2016-8859 | n/a |

Still outstanding are a patch for tar (difficult due to bootstrapping) and a patch for chromium, which we're testing.

P.S. Sorry for these being so late. Many of these haven't hit the stable channel yet, like the curl fixes. I'll try and shepherd these through, but am incredibly overloaded this week. Thank you to all contributors at #20078, especially @fpletz.

Note: If you'd like to participate in the next one, please leave a comment at #20078 :)

Update: These patches are available in the 16.09 channel.

Security advisories from 2016-11-11 11:58 UTC

The following issues have been resolved in NixOS in unstable and release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when Hydra finishes building the "tested" job for each channel:

| master | release-16.09 | Subject | Notes |
| --- | --- | --- | --- |
| 66ce15a3b163753c7d0c2e237bdaa4e515d77500 | 4d5904d01ae718a6ddc8c949e0c151f0e1f45e3c | chromium: Update all channels to latest versions | n/a |
| 823f28cd1c64f6d8257a6486c085a356445c2db8 | 67805b574d891f1b5f8e03f79f5ddd7a7d7f3d9f | flashplayer: 11.2.202.643 -> 11.2.202.644 | n/a |
| ecfb8df7a77beeb8ed8e7238d928909665d2b183 | aa2f53dca107edc595e415f5883fb15abd793e77 | libressl_2_3: 2.3.8 -> 2.3.9 | n/a |
| 52f1a3789839281ab0f7fad9506f34d6dd379225 | f4b29c40b5b2a24ae4d5f1402f78a79373ebca72 | libressl_2_4: 2.4.3 -> 2.4.4 | n/a |
| 3190a6c45208bbad97ffe056f01155a2a65ac403 | 0ee0755f7dd10e14ddd41712c2d342d2d8c53800 | libwmf: add patch to fix CVE-2016-9011 | n/a |
| 579f5fd9dd644092dff29638e7d456af7607562d | bf7fbccc90d3aa27f38cbd40fff0d1d306ab1e14 | linux: 4.4.30 -> 4.4.31 | n/a |
| 0a1f39eb9125e09eba863fc4cebe6f1d105933ad | 9ab45d9631cb2119555f747440c70645ce9a8889 | linux: 4.8.6 -> 4.8.7 | n/a |

This brings us again up to date on Chromium updates. That code/test/debug loop is brutally long so thank you, @aszlig, @bendlas.

All of these updates are now available on the release channel.

Security advisories from 2016-11-12 12:07 UTC

The following issues have been resolved in NixOS in unstable and release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when Hydra finishes building the "tested" job for each channel:

| master | release-16.09 | Subject | Notes |
| --- | --- | --- | --- |
| cc62ecc2d96e2aec3731de547c83bcf3c9e2a87c | a1678d4465857cde03b468170997d2026b8efcfe | linux: 3.12.66 -> 3.12.67 | n/a |
| ad19b9bde532841c727618eeb3d3457fd7b98c6d | 301fc5752beae35eb9b33a583c8f71fef7e773bc | linux: 4.9-rc3 -> 4.9-rc4 | n/a |
| bb2a67d226d2fc8b268655132fee33a720046613 | 030ffa95c8579905e3dcbcbc1ecc04afa36381d2 | openssl_1_1_0: 1.1.0b -> 1.1.0c | n/a |

All of these updates are now available on the release channel.

Security advisories from 2016-11-17 03:07 UTC

The following issues have been resolved in NixOS in unstable and release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when Hydra finishes building the "tested" job for each channel:

| master | release-16.09 | Subject | Notes |
| --- | --- | --- | --- |
| 207b8d1c46e431a6ac2bfbdf14f9385098b4b51d | a6728e15cbca1d11553f01d7c3c477ae2debfd8e | firefox-esr: security-only update 45.4.0 -> 45.5.0 | n/a |
| 6f2b2daccf2735a72b51c9ac46fab7008bbb3f1c | b8d2a3e796d98397d72db889e73a09cbc837e658 | libgit2: 0.24.2 -> 0.24.3 | n/a |
| cc62ecc2d96e2aec3731de547c83bcf3c9e2a87c | a1678d4465857cde03b468170997d2026b8efcfe | linux: 3.12.66 -> 3.12.67 | n/a |
| 24c342fde7da069ddcd39f5d3afcd4ec4ec47b00 | 57959c85f9cf01faa184f543ac284e909a3f0ab4 | linux: 4.4.31 -> 4.4.32 | n/a |
| 9e851d3b110fa7548d7a9e103a4f1bd7aaa4d99e | 63e16e0eafb654e1f5df7ec0e2ebe4d6d3f277a7 | linux: 4.8.7 -> 4.8.8 | n/a |
| ad19b9bde532841c727618eeb3d3457fd7b98c6d | 301fc5752beae35eb9b33a583c8f71fef7e773bc | linux: 4.9-rc3 -> 4.9-rc4 | n/a |
| a87c8ad05f5399cd6cdfda47348d1673c6cd637f | da597361481d44f951f683915370b8f7713a1e8c | linux: 4.9-rc4 -> 4.9-rc5 | n/a |
| 0736bd2c539f4295bad38517ec389748a5635edd | a10cba4f20dce99b276c8123db8008a24fa68cc6 | mariadb: 10.1.18 -> 10.1.19 | n/a |
| 9c3eae488ef6f70da8b2fcf6d2f800bdba7d2d11 | 95a1fdc46f10d458e5ed1c215bf56b4979c79073 | opera: 40.0.2308.90 -> 41.0.2353.56 | n/a |
| 77cdbb9e3af9fcdd6edafa74695f6b00bdd89748 | ca250267989c68bead978615809c1cf9d05d00e5 | pythonPackages.cryptography: 1.5.1 -> 1.5.3 | n/a |
| d0d3330866eb74befa24d1cfbead4a22f28fae87 | 25dadd2d2d106b6e0156c52511e18c826e562c32 | shutter: add patch for CVE-2015-0854 with remote code | n/a |
| 3a3706c07f42685309865393cda23886cabd3ef9 | 6270733155c381090fc5c7de6bddc26fbf35f47f | vagrant: 1.8.6 -> 1.8.7 | n/a |
| 7ed55dc9e47443276f48908065101d1e9380929e | dd7c2715ed7836a2ab12daa36c2499faaaa8f6f0 | xinetd: patch for CVE-2013-4342 | n/a |
| 1eb545df059ef6830c518920fb6bc77d0a895120 | 39211629f8f84ad1a9a3f76194c5ae99125b12ec | jasper: 1.900.21 -> 1.900.28 | n/a |

Due to the jasper update, many things will need to rebuild before channels will update.

Note: If you'd like to participate in the next one, as always, please leave a comment at #20462.

Security advisories from 2016-11-18 11:51 UTC

The following issues have been resolved in NixOS in unstable and release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when Hydra finishes building the "tested" job for each channel:

| master | release-16.09 | Subject | Notes |
| --- | --- | --- | --- |
| 6dfd4f5b08199f7c23f63318f6f7a928906a1859 | 751b9188cc714dba0db5767e56efac2085538bd6 | pepperflash: 23.0.0.205 -> 23.0.0.207 | n/a |
| e53b9025591a419c22ffc18d6362490486ccf9de | bbfa7ab83fa865d8b6a89c810cad424c0ab6dbf3 | php56: 5.6.27 -> 5.6.28 | n/a |
| 7c65e225dda6335c49783b0cb56508c3422e2377 | 085ceaf49739e8853cae1afadfb15e37bcf16038 | php70: 7.0.12 -> 7.0.13 | n/a |
| f4a318b528cacdd5c960bf66662131ecbdb2536f | daed85048fa714e237b2cc1032b68bc1b648d416 | qemu: add patches for CVE-2016-7994 & CVE-2016-8668 | n/a |

If you'd like to participate in the next security vulnerability roundup, as always, please leave a comment at https://github.com/NixOS/nixpkgs/issues/20462.

The numerous advisories in comments here actually make it _harder_ to tell whether there is progress on this issue: what is the security advisory mechanism for nixpkgs? What is the next step in developing one? Who has the ball? Who has the mandate to decide what the process is?

This ticket is assigned to @domenkozar but I don't see anything from him since March 1.

How about moving the stop-gap process to a wiki page?

My use case is actually not nixos but nixpkgs used in docker containers. I suppose I neglected to point this out earlier.

Ideally, I could use nixpkgs security notices to establish something like Docker Security Scanning.

@dckc I think your comments are fair, and I can appreciate the
sentiment. I guess it might be helpful for me to write an update, so
here we are. Markdown doesn't agree with some of the syntax, so I
wrapped it up as a text blob, sorry :)

Regarding how to tell if there is progress or not is possible, but
requires reading through the lines a little bit. Let me explain a few
notable progressions:

1. Where we used to have patchy and missing coverage on security
updates, we now have a regular cadence of identifying and patching
security issues across nixpkgs.

2. While we've always had pretty good coverage of big-ticket
vulnerabilities like Heartbleed, there are hundreds of small but
important libraries that receive considerably less attention.

We now have very thorough coverage by keeping up with other distro's
release notes. While not perfect, it is considerably better than it was.
Using this process we have examined almost 1,000 issues since
2016-09-22.

I'm quite proud of this, and believe that we are now shipping a much
more secure package set.

3. A small group of people have become very regular contributors to the
security effort. While each of these people have contributed security
patches individually as well, I can always count on them to participate
and contribute to the weekly effort. Developing this team is very
important to having an effective long-term commitment to this
infrastructure.

4. Tools to support this effort are developing _in conjunction with_ the
actual effort of applying the patches. While multiple tools exist (like
Vulnix, and monitor.nixos.org,) the real blocker to forward progress
lies in the regular application of work from contributors to examine
security issues, identifying the appropriate patches, and identifying
how to properly backport the fixes to the stable channel.

Here are some tool-related improvements you can identify without too
much trouble:

1. A tool to generate the list of issues to examine. This tool has been
improved over time to make it easier to resolve the problem in nixpkgs.

2. Instructions associated with the list have improved.

3. A process has evolved to identify and include interested participants
week over week.

4. A Github Team has been created (@NixOS/security-notifications) where
people can ask to be added to receive highlights about future
vulnerability roundups.

5. A tool to identify security patches which have been applied to
master, and identify their corresponding patch to stable. This can be
plainly seen by the evolution of the notices published to this issue.

So ... where does this get us, and what is the next step? How do we
evolve from here?

Seeing as I spend about 6-10 hours every week on these patches I'm sure
you can imagine I spend a lot of time thinking about how to make it
better. Indeed, the tools we have here have been developed out of this
thought.

Firstly, I think the fairly ad-hoc approach to this whole effort has
allowed for exploration and experimentation in this space without too
much pressure to stick to anything in particular. As long as the weekly
roundup was happening, I was happy. Any changes to how each part worked
has been totally okay. I think this has been incredibly valuable. As
soon as these processes become codified in a NixOS Official Capacity, I
think it takes away some of the freedom to explore and try new things.
Not entirely, of course, but certainly some.

For "Next Steps," I think there are several places to go.

1. Having a more formal destination for storing notices, coupled with a
way to subscribe and receive notices in the traditional sense. I'm
talking about email.

2. Storing notices in a fashion that allows automation and tooling to
look at a version of nixpkgs and identify issues it is potentially
vulnerable or not vulnerable to. This is to answer the question of "Am
I vulnerable?" for the average user. The work we're doing is not
valuable if nobody upgrades. It is not valuable if people have to put in
too much work to benefit from it.

3. Building these "am I vulnerable?" tools and perhaps finding a way to
ship them by default to users.

4. Expanding the core group of security-minded contributors who spend
time each week on these vulnerabilities.

For your remaining questions of who has the ball, and who can mandate
the process... it really comes down to this: someone needs to do it. Someone
needs to identify what needs to happen, the details of making it work,
and think through the process. They then need to _actually do the
work_. Big and extravagant ideas are wonderful, but at the end of the
day other contributors and I are spending 10s of hours each week
actually reading and applying patches. This is how we got compiler
hardening in core, and multiple outputs, and the module system.

I think it is a fair assumption that as soon as someone who is doing the
work identifies how it should be formalized, it will be formalized. To
that end, I have been speaking with @rbvermaa today about taking these
next steps. I'm hoping to experiment with a few ways of accomplishing
this, though, prior to sending out a real recommendation on how we
proceed.

I hope you can see that many things have to develop in order to close
out this ticket. I believe we have started down this long path and have
made miles of progress. As you point out, though, we still have a long
way to go. I hope we will take the next leap forward soon.

This is excellent progress. Thanks for the update - I couldn't see the forest for the trees without it.

I'd be quite happy for you to declare victory, at least to a certain extent, based on the existing process. Actually, I see monitor.nixos.org is on the nixpkgs page and two hops from the NixOS support page via the nixpkgs manual (though I can't actually reach the monitor page just now).

I see answers to several of my questions:

  • [x] what is the security update policy and process?

    • nixpkgs tracks other distros via https://lwn.net/Vulnerabilities/

    • security fixes are back-ported to the stable 16.09 release

    • [ ] Does 16.09 continue to get back-ported security updates after the 17.03 release?

  • [x] how to subscribe to package update notices?
  • [ ] How can I tell if a given set of packages is vulnerable?

    • try monitor.nixos.org, though it's early days

  • [x] what is the next step in developing a process?

    • Vulnerability Roundup 10, where roundup 9 was #20462 and so on

  • [x] who has the ball?

    • @grahamc along with the participants of roundup 9 #20462

    • [ ] the Assignees of this ticket are a little misleading. Delete? update?

  • [x] Who has mandate to decide what the process is?

    • following the principle of "they who do the work make the rules", the folks who participate in the weekly vulnerability review

Does 16.09 continue to get back-ported security updates after the 17.03 release?

No, probably not. So far we've been really keeping only one stable branch at a time, in addition to unstable/master. As always, if someone does the backporting work, it will be accepted easily enough.

Security advisories from 2016-11-21 22:28 UTC

The following issues have been resolved in NixOS in unstable and
release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when
Hydra finishes building the "tested" job for each channel:

master|release-16.09|Subject|Notes
---|---|---|---
e38b74ba89d3d03e01ee751131d2a6dc316ac33a|f0699f7706b016d9ad37da4e062ac13ce7940393|grsecurity: work around for #20490|(Included so grsecurity users affected by #20490 know)
d3b8a77834e53d16bb11774a1aa3036a0d0f7555|606701bda5023e8b6739738040ec8144f4dc3ba4|linux: 4.4.32 -> 4.4.33|n/a
250224bf019fd1a96dbe66b36b19f1e45bb662cd|934e314246633683d91c2425a769f6f47c4b2f5c|linux: 4.8.8 -> 4.8.9|n/a
1376aeba42e405d61fd72b2382d005bc4e553ea2|417e04f0372a25b5621d6649dd5c3c47e518a1cb|monit: 5.19.0 -> 5.20.0 for CVE-2016-7067|n/a
db66a95e5b704b8c1e9c55f186f1dccbfb6ce580|b20a4b08bc5d7dbf3c1bb3f1502d8b0f4ca53771|ntp: 4.2.8p8 -> 4.2.8p9|release notes
703deb0bc0dfaa352ebba98adcc6f770f5963c9d|53eb53577f64d64ec3f75418c937a6b83a0f1af3|slock: 1.3 -> 1.4|CVE-2016-6866
d045f8b4860c0ea7311a05188ab6d472cefbfca7|b0a4aad87be412c4b166f6a1ea8229b9c0ff80c3|thunderbird: maintenance 45.4.0 -> 45.5.0|n/a
e9549d293cef520a5f74ca8203778d89911f1400|759620505595d72879d1d8c74a59c0868cce8f71|wireshark: 2.2.0 -> 2.2.2|n/a

If you'd like to participate in the next security vulnerability
roundup, as always, please leave a comment at #20462.

I don't quite see where to find the severity, impact, etc. of some of these vulnerability updates.

e.g. which lwn vulnerability goes with wireshark e9549d2? ah.. I see the commit message refers to various CVEs.

But what about linux: 4.4.32 -> 4.4.33 d3b8a77? How is that a security issue?

And likewise thunderbird d045f8b?

I don't quite see where to find the severity, impact, etc. of some of these vulnerability updates.

Yes, we should probably be sending a few sentences about each one. As I'll comment more specifically later, these are not perfect.

e.g. which lwn vulnerability goes with wireshark e9549d2? ah.. I see the commit message refers to various CVEs.

It can take some effort to backtrack a particular commit / update to why that was made. Frequently looking at the commit will shed some light, or the PR it was merged in. Not perfect, I would like to improve this.

But what about linux: 4.4.32 -> 4.4.33 d3b8a77? How is that a security issue?

The Linux Kernel team generally doesn't talk about updates and commits in terms of what security problems they resolve. Problems are frequently just patched without fanfare / description / explanation. A careful observer might be able to figure out these details, but we definitely don't have that time. Our kernel upgrade policy is to assume each patch change contains security fixes.

And likewise thunderbird d045f8b?

This one was a mistake :) sorry about that.

I'll count your (again, very valid) comments as feature requests and bug reports in the (fairly prototype) security advisory tooling.

Our kernel upgrade policy is to assume each patch change contains security fixes.

This is also the linux kernel community's official recommendation.

Security advisories from 2016-11-22 12:55 UTC

The following issues have been resolved in NixOS in unstable and
release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when
Hydra finishes building the "tested" job for each channel:

master|release-16.09|Subject|Notes
---|---|---|---
d62069aca47e104632171fc27b5b5a828447131a|e5fe74f5ba0bf6474393d26f67ca82a925e98da1|linux: 4.4.33 -> 4.4.34|n/a
e4a1b76457d6c078cd60f8df84fea89a26dedd7b|4994f0ff21d0897e2fc557173faa9938f7d3545c|linux: 4.8.9 -> 4.8.10|n/a
bffae65060dad819df7c3a6e8901b6fbfdca5b47|c008fb09517e29cd8ddaeead678512ac0c72ab3f|rabbitmq-server: 3.5.6 -> 3.5.8 | for unallocated CVEs

If you'd like to participate in the next security vulnerability
roundup, as always, please leave a comment at #20462

  1. The latest roundup has yielded the following results:

The following issues have been resolved in NixOS in unstable and
release-16.09. They remain potentially vulnerable on older major
releases.

These patches will be released to the unstable and
release-16.09 channels when Hydra finishes building the "tested" job
for each channel:

 - https://hydra.nixos.org/job/nixos/release-16.09/tested
 - https://hydra.nixos.org/job/nixos/trunk-combined/tested

Please consider helping with the next security roundup by commenting on
https://github.com/NixOS/nixpkgs/issues/20647.

master   16.09    Message                                             Notes
---      ---      ---                                                 ---
9118702  5f69faa  libarchive: 3.2.1 -> 3.2.2 for unspecified vuln...  n/a
4a5c661  1980c26  gnuchess: 6.2.3 -> 6.2.4 for CVEs                   n/a
a3b7468  27c390f  w3m: 0.5.3-2015-12-20 -> 0.5.3+git20161120 for ...  n/a
336bacf  386c980  qemu: add patch to fix CVE-2016-7907                n/a
c823eae  2292d85  graphicsmagick: Update URLs for patches             n/a
9de6029  ee38d13  libtiff: 4.0.6 -> 4.0.7 for many CVEs               n/a
7a6185d  0454ef9  gstreamer: 1.8.2 -> 1.10.1                        (1)
286c836  fe0f9f9  pciutils: fixup finding modules to libkmod's way  n/a

(1) Fixes CVE-2016-9445, CVE-2016-9446, CVE-2016-9447.

Thank you,
Graham Christensen

  2. This is _the last_ announcement to be posted to this list. All future announcements will be sent to our new nix security list, which can be found here: https://groups.google.com/forum/#!forum/nix-security-announce

I believe that yields the following todos on this item:

  • [x] Publish the mailing list on the website.
  • [x] Publish GPG keys of people sending vulnerability announcements.
  • [x] Document a way to report security issues, privately
  • [ ] Document our security update policy, re: unstable, stable, and older versions.

Let me know if I missed some.

@grahamc: why is the security announcements mailing list invite-only?

@8573 I'm not sure how it is configured or the implications of that. Looking into it now, thank you for bringing that up.

Maybe the list was initially intended for announcing embargoed issues
(among the people working on security patches)?

Note: the pciutils commit has no security implications, I believe (I authored it).

Thank you, Vladimír. I thought I had removed that from the list. Sorry, my
second mistake like this. I'll revisit this tooling.

Graham

This is the last announcement to be posted to this list. All future announcements will be sent to our new nix security list,

I'm probably blind... but how do you subscribe to that forum to receive the messages by email? I do not see any subscribe, join or any similar option.

Hi,

Sorry, obviously there has been an issue with the configuration. I will
update this issue until that is resolved. I will also let everyone know when
the list is fixed up.

Graham


Ok everyone, here is an update:

Maybe the list was initially intended for announcing embargoed issues

No, this list is not for embargoed issues. We don't currently have this infrastructure. We are planning on working on this infrastructure in the first / second quarter of 2017.

why is the security announcements mailing list invite-only?

The list was misconfigured. We want the announce list to be announce-only and no other discussion. It is now configured to allow anyone to subscribe / join, but only certain people to send mail. For discussion about issues, I would recommend emailing nix-dev.

How do I subscribe?

why is that list not hosted on the same server as the other nix-related mailing lists?

The service which hosts the other mailing list seems to not be taking
new lists. This was a problem when Rob tried to set up the list, and we
agreed using a Google group should be okay, based on these criteria:

  • I made sure list archives can be viewed without a Google account.
  • I made sure list archives can be searched without having a Google account.
  • I also made sure Google groups can be subscribed to without a Google account.

Security Updates (cross-posted to the list)


The following issues have been resolved in NixOS in unstable and
release-16.09. They remain potentially vulnerable on older major
releases.

These patches will be released to the unstable and
release-16.09 channels when Hydra finishes building the "tested" job
for each channel:

 - https://hydra.nixos.org/job/nixos/release-16.09/tested
 - https://hydra.nixos.org/job/nixos/trunk-combined/tested

Please consider helping with the next security roundup by commenting on
https://github.com/NixOS/nixpkgs/issues/20814.


master   16.09    Message                                             Notes
---      ---      ---                                                 ---
16995fc  d573588  boehmgc: 7.2f -> 7.2g                               n/a
1e17f21  e7fc018  firefox: 50.0.1 -> 50.0.2                           n/a
b04e23b  bd39c43  firefox: 50.0 -> 5.0.1 for CVE-2016-9078            n/a
2d341ca  3bf46ba  firefox-bin: 50.0 -> 50.0.1                         n/a
36f980b  22389ae  firefox-esr: security 45.5.0 -> 45.5.1 (#20841)     n/a
18a3225  15f6c2d  linux: 3.12.67 -> 3.12.68                           n/a
5afc6b5  0dcdb9b  linux: 4.1.35 -> 4.1.36                             n/a
cc77360  c9dafb1  linux: 4.4.34 -> 4.4.35                             n/a
654f5df  33287d9  linux: 4.4.35 -> 4.4.36                             n/a
b47307b  5db1d94  linux: 4.8.10 -> 4.8.11                             n/a
853b649  2ddf554  linux: 4.8.11 -> 4.8.12                             n/a
a8eeef6  d35e2de  lxc: 2.0.4 -> 2.0.6 (security)                      n/a
a9611a5  3275b2f  mcabber: 1.0.3 -> 1.0.4 for 'roster push attack'    n/a
0707962  e6fe609  mujs: 2016-09-21 -> 2016-11-30 for multiple CVEs    n/a
5b6d52b  7fc197f  nagios: 4.0.8 -> 4.2.3                              n/a
c77011c  a9523ed  nagiosPluginsOfficial: 2.0.3 -> 2.1.4               n/a
b221fc1  d564833  nss: 3.27.1 -> 3.27.2                               n/a
e700ff6  066166b  perl-bignum: 0.43 -> 0.44                           n/a
7d09138  d8e8bb4  perlPackages.DBDmysql: 4.033 -> 4.039               n/a
390f6a9  a5ffcd2  Revert "Revert "bzip2: patch for CVE-2016-3189""    n/a
7e40e89  997c6b9  rpcbind: patch for CVE-2015-7236                    n/a
f4aab5b  4d15c98  thunderbird: 45.5.0 -> 45.5.1                       n/a
5f4b3cd  24cd670  thunderbird-bin: 45.5.0 -> 45.5.1                   n/a
eba91fa  8b7a082  tomcat6: 6.0.45 -> 6.0.48                           n/a
3d0310d  1a0f5f8  tomcat7: 7.0.72 -> 7.0.73                           n/a
42f1ae1  b036ad5  tomcat85: 8.5.5 -> 8.5.8                            n/a
80a4750  c67cec2  tomcat8: 8.0.37 -> 8.0.39                           n/a
5f78980  00fb14b  tomcatUnstable: 9.0.0.M10 -> 9.0.0.M13              n/a
75cdbf4  805022c  torbrowser: 6.0.6 -> 6.0.7                          n/a
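A worked example of the "am I vulnerable?" tooling discussed earlier in this thread, added here by the editor and not part of the thread or of any NixOS tool: it parses both notice formats posted in this issue (the pipe-delimited table and the fixed-width table with numbered footnotes), extracts CVE identifiers from the subject, notes and footnotes, applies the kernel policy stated above (every `linux` patch-level bump is assumed to carry security fixes), and compares the fixed versions against a map of installed package versions. The sample table rows are copied from the notices in this thread; the installed-version map, the function names and the `Advisory` record are the example's own constructions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")
HEX_RE = re.compile(r"^[0-9a-f]{7,40}$")
FOOTNOTE_RE = re.compile(r"^\((\d+)\)\s+(.*)$")
# Fixed-width rows: two hashes, a message, then two or more spaces and the notes cell.
WIDE_RE = re.compile(
    r"^(?P<master>[0-9a-f]{7,40})\s+(?P<stable>[0-9a-f]{7,40})\s+"
    r"(?P<msg>.+?)\s{2,}(?P<notes>\S.*)$"
)
# Subject form used in the roundups: "pkg: [word] old -> new ..."
# (e.g. "thunderbird: maintenance 45.4.0 -> 45.5.0").
BUMP_RE = re.compile(
    r"^(?P<pkg>[\w.+-]+):\s+(?:[A-Za-z]+\s+)?(?P<old>\d\S*)\s+->\s+(?P<new>\d\S*)"
)


@dataclass
class Advisory:
    master: str
    stable: str
    subject: str
    notes: str
    package: Optional[str] = None
    old_version: Optional[str] = None
    new_version: Optional[str] = None
    cves: List[str] = field(default_factory=list)
    assumed_security: bool = False  # kernel policy: patch bumps count as security fixes


def parse_notice(text: str) -> List[Advisory]:
    """Parse a roundup notice in either table format into Advisory records."""
    rows: List[Tuple[str, str, str, str]] = []
    footnotes: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fn = FOOTNOTE_RE.match(line)
        if fn:  # "(1) Fixes CVE-..." lines that the notes column refers to
            footnotes["(%s)" % fn.group(1)] = fn.group(2).strip()
            continue
        cells: Optional[List[str]] = None
        if line.count("|") >= 3:
            cells = [c.strip() for c in line.split("|")]
        else:
            m = WIDE_RE.match(line)
            if m:
                cells = [m.group("master"), m.group("stable"), m.group("msg"), m.group("notes")]
        # Header and separator rows fail the hash check and are skipped.
        if cells and len(cells) >= 4 and HEX_RE.match(cells[0]) and HEX_RE.match(cells[1]):
            rows.append((cells[0], cells[1], cells[2], cells[3]))

    advisories: List[Advisory] = []
    for master, stable, subject, notes in rows:
        notes = footnotes.get(notes, notes)  # resolve "(1)"-style references
        adv = Advisory(master, stable, subject, notes)
        bump = BUMP_RE.match(subject)
        if bump:
            adv.package, adv.old_version, adv.new_version = bump.group("pkg", "old", "new")
        adv.cves = sorted(set(CVE_RE.findall(subject + " " + notes)))
        adv.assumed_security = adv.package == "linux" and not adv.cves
        advisories.append(adv)
    return advisories


def version_key(v: str) -> Tuple:
    """Order versions component-wise; numeric parts compare as integers."""
    parts = re.split(r"[^0-9A-Za-z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts if p)


def affected(advisories: List[Advisory], installed: Dict[str, str]) -> List[Tuple[str, str, Advisory]]:
    """Return (package, installed_version, advisory) for every installed package
    older than the fixed version named in an advisory."""
    hits = []
    for adv in advisories:
        if adv.package in installed and adv.new_version:
            have = installed[adv.package]
            if version_key(have) < version_key(adv.new_version):
                hits.append((adv.package, have, adv))
    return hits


# Sample rows copied from the notices posted in this thread.
NOTICE_PIPE = """
master|release-16.09|Subject|Notes
---|---|---|---
d3b8a77834e53d16bb11774a1aa3036a0d0f7555|606701bda5023e8b6739738040ec8144f4dc3ba4|linux: 4.4.32 -> 4.4.33|n/a
1376aeba42e405d61fd72b2382d005bc4e553ea2|417e04f0372a25b5621d6649dd5c3c47e518a1cb|monit: 5.19.0 -> 5.20.0 for CVE-2016-7067|n/a
703deb0bc0dfaa352ebba98adcc6f770f5963c9d|53eb53577f64d64ec3f75418c937a6b83a0f1af3|slock: 1.3 -> 1.4|CVE-2016-6866
bffae65060dad819df7c3a6e8901b6fbfdca5b47|c008fb09517e29cd8ddaeead678512ac0c72ab3f|rabbitmq-server: 3.5.6 -> 3.5.8 | for unallocated CVEs
"""
NOTICE_WIDE = """
master   16.09    Message                                             Notes
---      ---      ---                                                 ---
9118702  5f69faa  libarchive: 3.2.1 -> 3.2.2 for unspecified vuln...  n/a
336bacf  386c980  qemu: add patch to fix CVE-2016-7907                n/a
7a6185d  0454ef9  gstreamer: 1.8.2 -> 1.10.1                        (1)
286c836  fe0f9f9  pciutils: fixup finding modules to libkmod's way  n/a

(1) Fixes CVE-2016-9445, CVE-2016-9446, CVE-2016-9447.
"""
# Constructed installed-version map (not from any real system).
INSTALLED = {"linux": "4.4.32", "monit": "5.20.0", "slock": "1.3",
             "gstreamer": "1.8.2", "pciutils": "3.5.1"}


def report(installed: Dict[str, str] = INSTALLED) -> List[str]:
    """One line per installed package that an advisory says is still unpatched."""
    lines = []
    for pkg, have, adv in affected(parse_notice(NOTICE_PIPE + "\n" + NOTICE_WIDE), installed):
        if adv.cves:
            why = ", ".join(adv.cves)
        elif adv.assumed_security:
            why = "assumed security fix (kernel policy)"
        else:
            why = "unspecified"
        lines.append(f"{pkg} {have} < {adv.new_version}: {why} "
                     f"[master {adv.master[:7]}, 16.09 {adv.stable[:7]}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Rows whose subject does not follow the `pkg: old -> new` pattern (the qemu patch, the pciutils cleanup) still yield a record with their CVEs, but cannot be matched against an installed version, which is exactly the gap the thread notes about patched-but-not-rebumped packages.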

Shall we close this issue? It's relatively long and seems resolved – people now can subscribe to that list.

Good question, @vcunat, but I don't think so. Here are the remaining steps:

  • [x] Publish the mailing list on the website.
  • [ ] Publish GPG keys of people sending vulnerability announcements.
  • [ ] Document a way to report security issues, privately
  • [ ] Document our security update policy, re: unstable, stable, and older versions.

I think it should probably be a separate page on the nixos.org/nixos website. I've written up the following to this effect:

[% WRAPPER layout.tt title="NixOS Security" menu='nixos' %]

Updates:

1. Stable releases receive security updates until the next stable
release. After this point, diligent support ends and it falls into
community support. Patches for security issues will be accepted, but
the security team generally doesn't work to continue support.
2. Unstable receives all security updates, however it will sometimes be
quite behind due to being unstable.

You can subscribe to announcements at
https://groups.google.com/forum/#!forum/nix-security-announce or by
emailing [email protected]
with the subject "subscribe".

These messages will be signed by a member of the security team, who
is currently comprised of the following people:

 - Graham Christensen (fingerprint: 0xfe918c3a98c1030f)

If you would like to report a security issue with NixOS, please email
any or all of these people privately. We will ensure the issue gets
handled.


[% END %]

This needs editing and formatting as HTML, and preferably someone else added to that list with a key :)

There's still the question of

  • [ ] How can I tell if a given set of packages is vulnerable?

Perhaps I should open a separate issue about this.

The process above is largely about source code, not compiled / installed packages. The line is more blurry in nix than other distributions, but it's still relevant.

Yes, I think that should be a separate issue. :)

And the use case is not to update unless your system is (potentially) vulnerable, I guess?

The problem there is that you currently can't know from the binaries themselves (in general), as e.g. applying a patch isn't observable in the name-version tuple. @domenkozar once suggested we add some files describing fixed CVEs in each binary path, but I can't see that in open tickets anymore and I don't remember why exactly it wasn't pursued in the end.

I personally believe that if you're on the level that you care for vulnerabilities of your binaries, you want to track the nix-sources for them as well (and the configuration), as it's just practical in multiple ways.

👆 🎉 🥂 😮 👍 🥇 💯 So thrilling that this took less than a year to close.

Very satisfying indeed.

Great work, everybody!

Hmm... the "Stable releases receive security updates ..." policy text isn't on the new security page.

There hasn't been a decision against that, has there? Some variation of it will appear in due course, yes?

@dckc looks like the decision has been in place for a few years now: https://nixos.org/nixos/manual/#sec-upgrading do you think we should duplicate this policy on the security page as well? (sorry I didn't note that I found those docs here)

I didn't mean to refer to the issue of how far back security patches get ported but rather to the fact that there's a security update policy at all. That manual section has very little to say about security.

Perhaps it suffices to say "As noted in _Upgrading NixOS_, we provide security updates to stable releases."

But it would be nicer to elaborate, as in "We regularly review the LWN vulnerability list and make a best effort to see that these are addressed in stable releases of nixpkgs."

There's nothing about security explicitly, so it could be more explicit, as security updates seem (currently) to be the main purpose of the stable branch(es).

The mailing list has gone silent since last year. The website only mentions this list. Is there a replacement to subscribe advisories somewhere?

I see not much really, beyond what you get from the github label. Christian has stopped doing the roundups a few weeks ago (you can see them on that link), apparently, but the tool itself is public IIRC.

Have opened https://github.com/NixOS/nixpkgs/issues/65105. What if we used GitHub for NixOS security advisories?
