Here are all the vulnerabilities from https://lwn.net/Vulnerabilities since our last roundup.
This roundup is different from previous ones due to Christmas: http://lists.science.uu.nl/pipermail/nix-dev/2016-December/022367.html
I will update this issue tomorrow and Wednesday with new issues.
cc: @NeQuissimus @bachp @domenkozar @makefu.
_Note:_ The list of people CC'd on this issue participated in the last
roundup. If you participate on this roundup, I'll cc you on the next
one. If you don't participate in the next one, you won't be CC'd on
the one after that. If you would like to be CC'd on the next roundup,
add a comment to the most recent vulnerability roundup.
If you would like to be CC'd on _all_ roundups, leave a comment and
tell @grahamc so.
Permanent CC's: @joepie91, @phanimahesh, @NixOS/security-notifications
(if you no longer want to be CC'd, ask to be removed from this list)
Without further ado...
- [#709844](https://lwn.net/Vulnerabilities/709844/) (search, files) ceph: denial of service
- [#709839](https://lwn.net/Vulnerabilities/709839/) (search, files) gstreamer-plugins-good: denial of service
- [#709841](https://lwn.net/Vulnerabilities/709841/) (search, files) flightgear: file overwrites
- [#709146](https://lwn.net/Vulnerabilities/709146/) (search, files) python-html5lib: cross-site scripting
- [#709843](https://lwn.net/Vulnerabilities/709843/) (search, files) dcmtk: buffer overflows/underflows
- [#709842](https://lwn.net/Vulnerabilities/709842/) (search, files) python-bottle: CRLF attacks
- [#709847](https://lwn.net/Vulnerabilities/709847/) (search, files) zlib: multiple vulnerabilities
- [#709745](https://lwn.net/Vulnerabilities/709745/) (search, files) openjpeg2: two vulnerabilities
- [#709743](https://lwn.net/Vulnerabilities/709743/) (search, files) freeipa: two vulnerabilities
- [#709664](https://lwn.net/Vulnerabilities/709664/) (search, files) most: command execution
- [#709666](https://lwn.net/Vulnerabilities/709666/) (search, files) nagios: two vulnerabilities
- [#709742](https://lwn.net/Vulnerabilities/709742/) (search, files) tor: denial of service
- [#709363](https://lwn.net/Vulnerabilities/709363/) (search, files) apport: three vulnerabilities
- [#709149](https://lwn.net/Vulnerabilities/709149/) (search, files) apt: code execution
- [#709669](https://lwn.net/Vulnerabilities/709669/) (search, files) kernel: out of bounds stack read
- [#709466](https://lwn.net/Vulnerabilities/709466/) (search, files) libupnp: code execution
- [#709661](https://lwn.net/Vulnerabilities/709661/) (search, files) samba: three vulnerabilities
- [#709162](https://lwn.net/Vulnerabilities/709162/) (search, files) w3m: multiple vulnerabilities
- [#709468](https://lwn.net/Vulnerabilities/709468/) (search, files) firefox: denial of service
- [#709140](https://lwn.net/Vulnerabilities/709140/) (search, files) mozilla: multiple vulnerabilities
- [#709141](https://lwn.net/Vulnerabilities/709141/) (search, files) mozilla: multiple vulnerabilities
- [#709663](https://lwn.net/Vulnerabilities/709663/) (search, files) game-music-emu: multiple vulnerabilities
- [#709341](https://lwn.net/Vulnerabilities/709341/) (search, files) game-music-emu: code execution
- [#709853](https://lwn.net/Vulnerabilities/709853/) (search, files) kernel: code execution
- [#709851](https://lwn.net/Vulnerabilities/709851/) (search, files) kernel: two vulnerabilities
- [#709662](https://lwn.net/Vulnerabilities/709662/) (search, files) tomcat: two vulnerabilities
- [#709342](https://lwn.net/Vulnerabilities/709342/) (search, files) tomcat: denial of service

A fix for #709669 was included in 4.8.14
Commit https://github.com/NixOS/nixpkgs/commit/86cf682cda6c3fc6bfbf783d20d93b75773ec1b1 fixes #709468
firefox: denial of service. Can be marked as done.
libupnp is actually pupnp and can be found here: http://pupnp.sourceforge.net/ where it says 1.6.21 is out, but the downloads are all for 1.6.20. If anyone wants to investigate that, please!
~most needs updating to 5.0.0a and application of patches from debian, I think: https://security-tracker.debian.org/tracker/source-package/most~
Looks like Xen needs more patches. Also, our Xen is running out of time. @michalpalka -- you seem to open issues about Xen, would you like to try upgrading Xen?
@grahamc My schedule is full for the next 2 days, but will look at it on Friday
That will be really helpful. Thank you so much, @michalpalka!
We should quite likely drop samba3.
```
../auth/kerberos/kerberos_pac.c: In function 'check_pac_checksum':
../auth/kerberos/kerberos_pac.c:46:7: error: 'CKSUMTYPE_HMAC_SHA1_96_AES_256' undeclared (first use in this function)
  case CKSUMTYPE_HMAC_SHA1_96_AES_256:
       ^
../auth/kerberos/kerberos_pac.c:46:7: note: each undeclared identifier is reported only once for each function it appears in
../auth/kerberos/kerberos_pac.c:52:7: error: 'CKSUMTYPE_HMAC_SHA1_96_AES_128' undeclared (first use in this function)
  case CKSUMTYPE_HMAC_SHA1_96_AES_128:
       ^
Waf: Leaving directory `/tmp/nix-build-samba-4.4.8.drv-0/samba-4.4.8/bin'
Build failed:  -> task failed (err #1):
	{task: cc kerberos_pac.c -> kerberos_pac_1.o}
make: *** [Makefile:8: all] Error 1
```
@abbradar, @wkennington any ideas on what is wrong with samba here?
@grahamc I've tried to update libkrb5 and Cyrus-SASL -- no luck so far. I'll spend more time on this later since this is a security issue but have no idea what happens. I left Samba 4.5.3 to build in the background but this is not an option for the release, is it?...
Thank you for looking, @abbradar. Unfortunately backporting an update to 4.5.x wouldn't be good. I definitely wouldn't mind seeing unstable updated though, especially before 17.03 goes stable ( @michalpalka -- that is when I'd like Xen to be upgraded at the latest, hopefully)
Samba, libkrb5 and Cyrus-SASL updates are in staging, because Cyrus-SASL is a systemd dependency. We now need to determine how to build new 4.4.* -- I'm on it but with no ideas currently.
I did some investigation on libupnp. There is a 1.6.21 tag available but no tarball.
@abbradar can you link each of those commits here to make it easier to keep track / ensure they get backported?
https://github.com/NixOS/nixpkgs/commit/b0a1028a1a18932aced53f36f0a80a3a213f91e4 covers Samba in staging. Others don't have a security issue assigned IIUC. I want to avoid having it backported as is now -- instead I'll try to have a maintenance release building.
16.09 is covered by b2e80a53cab7890024036f373a78ab8a560b4285
This might work for libupnp https://github.com/NixOS/nixpkgs/pull/21317.
Just updated the list with more vulnerabilities.
I suspect we need to apply patches to xen, see: https://xenbits.xen.org/xsa/advisory-200.html and: an enterprising contributor may go back through old advisories and see if we missed anything :)
We don't run debian's version of most, so we don't need patches.
I just pushed my roundup branch which contains fixes for everything but the html5lib, will merge shortly.
Merged and backported the branch. Just updated this issue with new vulnerabilities. :)
(this issue is like the gift that keeps giving!)
@the-kenny can you update flightgear?
Just pushed patches for zlib to staging, will push to 16.09 shortly.
@wkennington can you patch ceph? We're pretty old, I might mark it as broken otherwise.
@grahamc The libupnp tarball would be available now: https://sourceforge.net/projects/pupnp/files/
Thank you, @bachp I already switched to their github mirror since it already had a good tag.
Sorry, I couldn't get around to finishing the html5lib update, got busy with work-related issues.
It requires a few dependencies (webencodings, and others I don't recollect) that have to be added to nixpkgs. My schedule for today and tomorrow is chaotic, not sure if I'll be able to clean it up. If anyone can, please comment on the issue and pitch in. I'll get to it as soon as I can make some time for it.
Sorry it took so long. Holidays. Just pushed bdc880e49df1515c92c2c9f4f2600d57ad7d686b to master.
I'm not sure if this should be backported to our current stable release as we skipped quite a few major releases. Any other comments on this?
Cheers
Moritz
Moritz Ulrich moritz@tarn-vedra.de writes:
> Graham Christensen notifications@github.com writes:
> > @the-kenny can you update flightgear?
> will do!
@the-kenny it neither looks like a critical network-facing service to me nor like a serious security issue (I would not expect that malicious Nasal scripts are sent as email attachments any time soon). On the other hand it does not look like the typical application where people would expect the version to be stable all the time. I think both approaches (upgrading or not upgrading) are fine.
The PR from f3287b0 needs to be backported.
Also, the html5lib changes would be good to backport.
@FRidh -- thank you for merging that!
@bjornfor -- I agree, I try really hard to test all my changes. Even still, a few mistakes come through. I always feel bad about it.
@grahamc the new html5lib has quite some extra dependencies. I'll have a look at it.
> @bjornfor -- I agree, I try really hard to test all my changes. Even still, a few mistakes come through. I always feel bad about it.

It's frustrating when breakage happens, but I do appreciate the work you and everyone else put into keeping NixOS updated and secure :-)
We now have the latest html5lib in stable as well.
It seems like openssh has fallen through the cracks. I didn't manage to fully fix it (yet) 661b5a9875c.
@vcunat openssh hasn't fallen through the cracks, it hadn't been released yet when this was created. I just checked, it'll appear on next week's.
Oh, now I see the tarball timestamp is Dec. 19; I originally misread it as ~a week earlier.
I'm going to close out what we have and let the remainders come back next run.
Good work, everyone - thank you all!