Here are all the vulnerabilities from https://lwn.net/Vulnerabilities
since our last hunt.
Notes on the list
- The reports have been roughly grouped by the package name. This
isn't perfect, but is intended to help identify if a whole group
of reports is resolved already. - Some issues will be duplicated, because it affects multiple packages.
For example, there are sometimes problems that impact thunderbird,
and firefox. LWN might report in one vulnerability "thunderbird
firefox". These names have been split to make sure both packages get
addressed. By each issue is a link to code search for the package name, and
a Github search by filename. These are to help, but may not return
results when we do in fact package the software. If a search
doesn't turn up, please try altering the search criteria or
looking in nixpkgs manually before asserting we don't have it.Instructions:
Triage a report: If we don't have the software or our version isn't
vulnerable, tick the box or add a comment with the report number,
stating it isn't vulnerable.- Fix the issue: If we do have the software and it is vulnerable,
either leave a comment on this issue saying so, even open a pull
request with the fix. If you open a PR, make sure to tag this
issue so we can coordinate. - When an entire section is completed, move the section to the
"Triaged and Resolved Issues"detailsblock below.
Upon Completion ...
- [x] Update https://github.com/NixOS/nixpkgs/issues/13515 with a
summary.
Without further ado...
Assorted (7 issues)
- [x] [
#703983](https://lwn.net/Vulnerabilities/703983/) (search, files) epiphany: unspecified - [x] [
#704470](https://lwn.net/Vulnerabilities/704470/) (search, files) libX11: insufficient validation - [x] [
#704249](https://lwn.net/Vulnerabilities/704249/) (search, files) openslp: code execution - [x] [
#703983](https://lwn.net/Vulnerabilities/703983/) (search, files) epiphany: unspecified - [ ] [
#703767](https://lwn.net/Vulnerabilities/703767/) (search, files) chromium-browser: multiple vulnerabilities - [x] [
#703987](https://lwn.net/Vulnerabilities/703987/) (search, files) asterisk: denial of service [x] [
#703975](https://lwn.net/Vulnerabilities/703975/) (search, files) java-1.8.0-openjdk: multiple vulnerabilitieskernel (2 issues)
[x] [
#704120](https://lwn.net/Vulnerabilities/704120/) (search, files) kernel: multiple vulnerabilities- [x] [
#704469](https://lwn.net/Vulnerabilities/704469/) (search, files) kernel: denial of service
Total remaining: 9
Triaged and Resolved Issues
Assorted (10 issues)
- [x] [
#704466](https://lwn.net/Vulnerabilities/704466/) (search, files) php: multiple vulnerabilities - [x] [
#704467](https://lwn.net/Vulnerabilities/704467/) (search, files) php-pecl-zip: multiple vulnerabilities - [x] [
#704248](https://lwn.net/Vulnerabilities/704248/) (search, files) bind: denial of service - [x] [
#704589](https://lwn.net/Vulnerabilities/704589/) (search, files) mysql: multiple unspecified vulnerabilities - [x] [
#703978](https://lwn.net/Vulnerabilities/703978/) (search, files) dwarfutils: three vulnerabilities - [x] [
#704586](https://lwn.net/Vulnerabilities/704586/) (search, files) virtualbox: multiple unspecified vulnerabilities - [x] [
#704468](https://lwn.net/Vulnerabilities/704468/) (search, files) kdump: denial of service - [x] [
#703977](https://lwn.net/Vulnerabilities/703977/) (search, files) tor: denial of service - [x] [
#703979](https://lwn.net/Vulnerabilities/703979/) (search, files) libgd2: two vulnerabilities [x] [
#703984](https://lwn.net/Vulnerabilities/703984/) (search, files) libgit2: two vulnerabilitiesqemu (2 issues)
[x] [
#704471](https://lwn.net/Vulnerabilities/704471/) (search, files) qemu: denial of service- [x] [
#703985](https://lwn.net/Vulnerabilities/703985/) (search, files) qemu: three vulnerabilities
Total done: 12
grahamc
All 25 comments
5456d8f00729a5591d66208bd175cee24bd6fb59 0f42ee7c8893cf62d9a15402ad32f58d5c381e1b were ported in 732930b and bd2568a (php upgrades) to 16.09
grahamc
on 26 Oct 2016
cc people who participated in the last one: @DamienCassou @NeQuissimus @aszlig @jgeerds.
grahamc
on 26 Oct 2016
Firefox updates by @edolstra (thank you for backporting) https://github.com/NixOS/nixpkgs/compare/bd2568a2f927...0195ab84607a
grahamc
on 26 Oct 2016
I'll take care of the kernel notifications. We need to update 4.1.x
NeQuissimus
on 26 Oct 2016
Thank you :) Looks like 4.9 is out of date (rc2?) -- could you also look to see if the other kernels are seriously out of date, and just make a note here?
grahamc
on 26 Oct 2016
I think qemu is covered by what we have.
NeQuissimus
on 26 Oct 2016
The OpenJDK one is definitely covered, I updated that yesterday
NeQuissimus
on 26 Oct 2016
I was just dreading that update :)
grahamc
on 26 Oct 2016
I just collapsed the done items to make the rest easier to find.
grahamc
on 26 Oct 2016
Whoa, I didn't actually expect updates on all the kernels! :100: :trophy:
grahamc
on 26 Oct 2016
Might as well :D
I let each of them go beyond the asking for modules, which is generally where they fail if anything is wrong. I don't have the time to build 5 full kernels right now :D
NeQuissimus
on 26 Oct 2016
I'll do a merge and build them all on my build box today.
grahamc
on 26 Oct 2016
It would take me a while:
â–¶ cat /proc/cpuinfo | grep 'model name' | head -1
model name : Intel(R) Core(TM) m3-6Y30 CPU @ 0.90GHz
You have the same epiphany notice twice and I would think it is not covered. But it seems to be part of GNOME 3.20/3.22 and I know there are a few PRs for that right now. Not sure if we'd break something... The epiphany files are auto-generated. (currently 3.20.3, needs 3.20.4)
NeQuissimus
on 26 Oct 2016
I usually ping @DamienCassou about Gnome issues (is @DamienCassou the one for that? :))
grahamc
on 26 Oct 2016
And I can't find libX11 in nixpkgs. I am not very familiar with X, so it might be in some other file but I am not sure where to look.
NeQuissimus
on 26 Oct 2016
Not sure who to ping on X11. I bet @vcunat knows?
grahamc
on 26 Oct 2016
grahamc
on 26 Oct 2016
https://github.com/NixOS/nixpkgs/commit/9db03c1cf18e215ca9559e8f8a629dc6b1ad5385 should probably be backported.
grahamc
on 26 Oct 2016
FRidh
on 26 Oct 2016
That X advisory was fixed weeks ago in 53612bb0f. EDIT: it seems to me that SUSE guys were just rather late in this case.
vcunat
on 26 Oct 2016
For future reference, I do seem to be the most active in updating basic X packages, and I do watch their announcement ML.
vcunat
on 26 Oct 2016
@NeQuissimus re epiphany being listed twice, the second search is for webkitgtk.
grahamc
on 27 Oct 2016
OK FWIW everything in the list (except Chromium) has a PR in for it. I'm running builds for the remaining PRs now and will hopefully have most of them done by morning, where we'll merge. OpenJDK hasn't been backported because the patch doesn't apply cleanly. I'm hoping Tim will check that out.
grahamc
on 27 Oct 2016
Thank you everyone, for your great help! #6 is done :)
grahamc
on 28 Oct 2016
Related issues
vaibhavsagar
·
3Comments
copumpkin
·
3Comments
ob7
·
3Comments
matthiasbeyer
·
3Comments
copumpkin
·
3Comments
Most helpful comment
For future reference, I do seem to be the most active in updating basic X packages, and I do watch their announcement ML.