Nixpkgs: Vulnerability Roundup 9

Created on 16 Nov 2016 · 28 Comments · Source: NixOS/nixpkgs

Here are all the vulnerabilities from https://lwn.net/Vulnerabilities
since our last hunt

cc: @FRidh, @fpletz, @rasendubi, @NeQuissimus, @joepie91, and @NixOS/security-notifications.

_Note:_ The list of people CC'd on this issue participated in the last
hunt. If you participate in this hunt, I'll CC you on the next one. If
you don't participate in the next one, you won't be CC'd on the one
after that. If you would like to be CC'd on the next hunt, add a
comment to the most recent vulnerability roundup. If you would like to
be CC'd on _all_ hunts, leave a comment and tell @grahamc so.

Notes on the list

  1. The reports have been roughly grouped by the package name. This
    isn't perfect, but is intended to help identify if a whole group
    of reports is resolved already.
  2. Some issues will be duplicated, because they affect multiple packages.
    For example, there are sometimes problems that impact thunderbird
    and firefox. LWN might report these in one vulnerability as "thunderbird
    firefox". These names have been split to make sure both packages get
    addressed.
  3. By each issue is a link to a code search for the package name, and
    a GitHub search by filename. These are meant to help, but may not return
    results even when we do in fact package the software. If a search
    doesn't turn anything up, please try altering the search criteria or
    looking in nixpkgs manually before asserting we don't have it.

Instructions:

  1. Triage a report: If we don't have the software or our version isn't
    vulnerable, tick the box or add a comment with the report number,
    stating it isn't vulnerable.
  2. Fix the issue: If we do have the software and it is vulnerable,
    either leave a comment on this issue saying so, or open a pull
    request with the fix. If you open a PR, make sure to tag this
    issue so we can coordinate.
  3. When an entire section is completed, move the section to the
    "Triaged and Resolved Issues" details block below.

Upon Completion ...

Without further ado...

Assorted (19 issues)

  • [x] [#669529](https://lwn.net/Vulnerabilities/669529/) (search, files) libvirt: path traversal
  • [x] [#706399](https://lwn.net/Vulnerabilities/706399/) (search, files) monit: cross-site request forgery
  • [x] [#706117](https://lwn.net/Vulnerabilities/706117/) (search, files) qemu: multiple vulnerabilities
  • [x] [#706117](https://lwn.net/Vulnerabilities/706117/) (search, files) qemu: multiple vulnerabilities
  • [x] [#706114](https://lwn.net/Vulnerabilities/706114/) (search, files) dracut: information disclosure
  • [x] [#658311](https://lwn.net/Vulnerabilities/658311/) (search, files) shutter: code execution
  • [x] [#706397](https://lwn.net/Vulnerabilities/706397/) (search, files) terminology: command execution
  • [x] [#619813](https://lwn.net/Vulnerabilities/619813/) (search, files) tnftp: command execution
  • [x] [#706479](https://lwn.net/Vulnerabilities/706479/) (search, files) tre: code execution
  • [x] [#569768](https://lwn.net/Vulnerabilities/569768/) (search, files) xinetd: privilege escalation/code execution
  • [x] [#706473](https://lwn.net/Vulnerabilities/706473/) (search, files) chromium-browser: multiple vulnerabilities
  • [x] [#706116](https://lwn.net/Vulnerabilities/706116/) (search, files) kernel: two vulnerabilities
  • [x] [#706478](https://lwn.net/Vulnerabilities/706478/) (search, files) libgit2: unspecified
  • [x] [#706021](https://lwn.net/Vulnerabilities/706021/) (search, files) mariadb: unspecified vulnerability
  • [x] [#706021](https://lwn.net/Vulnerabilities/706021/) (search, files) mariadb: unspecified vulnerability
  • [x] [#706401](https://lwn.net/Vulnerabilities/706401/) (search, files) mysql-community-server: multiple unspecified vulnerabilities
  • [x] [#706402](https://lwn.net/Vulnerabilities/706402/) (search, files) opera: multiple vulnerabilities
  • [x] [#706400](https://lwn.net/Vulnerabilities/706400/) (search, files) python-cryptography: returns empty byte-string
  • [x] [#706475](https://lwn.net/Vulnerabilities/706475/) (search, files) rh-mysql56-mysql: privilege escalation

jasper (2 issues)

  • [x] [#705673](https://lwn.net/Vulnerabilities/705673/) (search, files) jasper: multiple vulnerabilities
  • [x] [#705824](https://lwn.net/Vulnerabilities/705824/) (search, files) jasper: multiple vulnerabilities

ntp (4 issues)

  • [x] [#656982](https://lwn.net/Vulnerabilities/656982/) (search, files) ntp: multiple vulnerabilities
  • [x] [#661765](https://lwn.net/Vulnerabilities/661765/) (search, files) ntp: multiple vulnerabilities
  • [x] [#673451](https://lwn.net/Vulnerabilities/673451/) (search, files) ntp: missing check for zero originate timestamp
  • [x] [#674069](https://lwn.net/Vulnerabilities/674069/) (search, files) ntp: multiple vulnerabilities

sudo (2 issues)

  • [x] [#706476](https://lwn.net/Vulnerabilities/706476/) (search, files) sudo: privilege escalation
  • [x] [#706398](https://lwn.net/Vulnerabilities/706398/) (search, files) sudo: privilege escalation

All 28 comments

We have pillow 3.4.2 on master and stable so

705913 (search, files) python-imaging: two vulnerabilities

is irrelevant.

77cdbb9e3af9fcdd6edafa74695f6b00bdd89748 and ca250267989c68bead978615809c1cf9d05d00e5 fix

#706400 (search, files) python-cryptography: returns empty byte-string

Curl seems to have been fixed already.

kmicu pointed out I failed to exclude vulnerability roundup 8's list, fixing... please hold.

@grahamc Hereby requesting a CC for the next roundup and every one after that :)

Fixed the list, the things which had been checked off (due to already being fixed) have been removed from this list. Resume :)

Sudo was addressed already.

With the latest kernels, we have those vulnerabilities covered.

qemu has a 2.8.0-rc0, which fixed the vulns, do we want an RC?

mariadb needs updates for

Fixes for the following security vulnerabilities:

    CVE-2016-7440
    CVE-2016-5584

https://mariadb.com/kb/en/mariadb/mariadb-10119-release-notes/

done xD

I marked off rh-mysql56-mysql because we don't have 5.6

> qemu has a 2.8.0-rc0, which fixed the vulns, do we want an RC?

Probably not, especially since it is -> .8. Is there a patch other distros are shipping?

We are good for ntp.

For qemu, I am not sure, I just went and checked their website.

Chromium is fine, we have the version that fixed the vuln.

Patch for xinetd incoming, in my rollup.

Shutter patch in my rollup

@rickynils do we need to be upgrading our libvirt to cover this issue? https://lwn.net/Vulnerabilities/669529/

@fpletz can you take a look at the qemu vulns? there is a big list of CVEs now.

@Mic92 how do you want to handle this monit issue? backport the patch, or backport an upgrade to monit?

@grahamc We have libvirt 2.2.0 both in master and release-16.09 and it includes the fix for CVE-2015-5313 (https://github.com/libvirt/libvirt/commit/034e47c338b13a95cf02106a3af912c1c5f818d7), so we should be fine.

Thank you for checking in to that, @rickynils -- it wasn't so clear to me. Checked it as done!

For qemu, only CVE-2016-7994 & CVE-2016-8668 had to be fixed.

Done in f4a318b528cacdd5c960bf66662131ecbdb2536f. Testing build on 16.09 right now and will push when finished.

@fpletz can you comment and CC me when you've backported the qemu fix? I have an advisory ready to post when you do. Thank you!

Requesting a cc on next hunt

@grahamc Went to sleep too soon. :) Pushed to release-16.09.

All done, thank you all! :) :) :)
