Scanned nixos/release-combined.nix @ 3eccd0b with vulnix-1.4.1pre (improved CVE patch detection). Filtered out previously reported CVEs. May contain false positives.
busybox-1.27.2 (search, files)
- [x] [CVE-2017-16544](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16544)
exiv2-0.26 (search, files)
- [ ] [CVE-2017-1000126](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000126)
- [ ] [CVE-2017-1000127](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000127)
- [ ] [CVE-2017-1000128](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000128)
- [ ] [CVE-2017-11336](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11336)
- [x] [CVE-2017-11337](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11337)
- [x] [CVE-2017-11338](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11338)
- [x] [CVE-2017-11339](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11339)
- [x] [CVE-2017-11340](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11340)
- [x] [CVE-2017-11553](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11553)
- [x] [CVE-2017-11591](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11591)
- [x] [CVE-2017-11592](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11592)
- [x] [CVE-2017-11683](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11683)
- [x] [CVE-2017-12955](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12955)
- [x] [CVE-2017-12956](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12956)
- [x] [CVE-2017-12957](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12957)
- [ ] [CVE-2017-14857](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14857)
- [ ] [CVE-2017-14858](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14858)
- [x] [CVE-2017-14859](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14859)
- [x] [CVE-2017-14860](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14860)
- [ ] [CVE-2017-14861](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14861)
- [x] [CVE-2017-14862](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14862)
- [ ] [CVE-2017-14863](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14863)
- [x] [CVE-2017-14864](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14864)
- [ ] [CVE-2017-14865](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14865)
- [ ] [CVE-2017-14866](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14866)
ghostscript-9.20 (search, files)
- [x] [CVE-2016-10217](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10217)
- [x] [CVE-2016-10218](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10218)
- [x] [CVE-2016-10219](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10219)
- [x] [CVE-2016-10220](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10220)
- [ ] [CVE-2016-10317](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10317)
- [x] [CVE-2017-7207](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7207)
gstreamer-0.10.36 (search, files)
- [ ] [CVE-2016-9447](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9447)
jbig2dec-0.13 (search, files)
- [x] [CVE-2017-7885](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7885)
- [x] [CVE-2017-9216](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9216)
ldns-1.7.0 (search, files)
- [x] [CVE-2017-1000231](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000231)
- [x] [CVE-2017-1000232](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000232)
libcroco-0.6.12 (search, files)
- [x] [CVE-2017-7960](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7960)
- [x] [CVE-2017-7961](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7961)
- [ ] [CVE-2017-8834](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8834)
- [ ] [CVE-2017-8871](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8871)
openexr-2.2.0 (search, files)
- [x] [CVE-2017-12596](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12596)
openslp-2.0.0 (search, files)
- [x] [CVE-2016-4912](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4912)
rsync-3.1.2 (search, files)
- [x] [CVE-2017-16548](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16548)
vte-0.28.2 (search, files)
- [x] [CVE-2012-2738](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2738)
x265-2.5 (search, files)
- [x] [CVE-2017-13666](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13666)
ckauhaus
All 16 comments
busybox: ab917a22f511610345e3112af59e8cba7b4db297 (after minimal testing seems that we had the problem and the patch does fix it) and all CVE fixes from master picked to release-17.09 in 5cb8134e54e919598fc7852f404c31651c2f869d
7c6f434c
on 8 Dec 2017
Permanent CC's: @NixOS/security-notifications, @joepie91, @phanimahesh, @the-kenny, @7c6f434c, @k0001, @peterhoeg, @nh2, @LnL7
@ckauhaus could you edit the Permanent CC's from the previous kind of roundups into the issue template? I guess with some explanation how to get added/removed…
7c6f434c
on 8 Dec 2017
gstreamer: the -plugins-bad from 0.10 is a really bad package... I would just phase it out, marking it as insecure for now. Any better ideas?
vcunat
on 9 Dec 2017
Regarding vte-0.28.2 (CVE-2012-2738) we currently ship a patch https://github.com/NixOS/nixpkgs/blob/a982b20c3601e5376aa6508b8cadc809b05542b8/pkgs/desktops/gnome-2/desktop/vte/default.nix#L17-L18 that is marked as CVE-2012-2738. Going through some of the release logs you find multiple commits that are supposed to fix that issue (http://ftp.gnome.org/pub/GNOME/sources/vte/0.32/vte-0.32.2.news).
The bug gnome has assigned internally is https://bugzilla.gnome.org/show_bug.cgi?id=676090 . The changelog (http://ftp.gnome.org/pub/GNOME/sources/vte/0.32/vte-0.32.2.changes) lists both commits that are required.
From what I can see right now we are lacking at least https://git.gnome.org/browse/vte/commit/?id=98ce2f265f986fb88c38d508286bb5e3716b9e74.
I have opened a PR (#32506) that introduces the missing patch.
andir
on 9 Dec 2017
One issue that I missing from the list is
openssl-1.0.2m (https://www.openssl.org/news/secadv/20171207.txt)
- CVE-2017-3737 (moderate)
- CVE-2017-3738 (low)
both of them are fixed in version 1.0.2n.
PR #32507 has the version bump.
andir
on 9 Dec 2017
the rsync CVE is fixed in #32510
andir
on 9 Dec 2017
ghostscript: I couldn't find a commit or reference explicitly mentioning CVE-2016-10317, so I don't know whether it's fixed.
vcunat
on 9 Dec 2017
exiv2: no upstream release yet, and pulling such an amount of patches will be a bit painful, but let me try.
Exiv2 v0.27 RC1 January 2018. GM April 2018.
vcunat
on 9 Dec 2017
@7c6f434c There's not much of an issue template right now. So I guess this is the time to create one. :-)
ckauhaus
on 11 Dec 2017
QtPass needs to be updated 1.1.6 -> 1.2.1 due to a security issue with its password generator.
nh2
on 4 Jan 2018
@hrdinka should probably have a look at QtPass then
andir
on 4 Jan 2018
adisbladis
on 6 Jan 2018
CVE-2016-4912 fixed in 1aca02b51ef30af68755f5aed7f3ebe5d6ffae48 and backported to 17.09 in ecc8eb60ab971174aa32e3ea830e461060372f03
adisbladis
on 6 Jan 2018
CVE-2017-7960 & CVE-2017-7961 addressed in https://github.com/NixOS/nixpkgs/pull/33539
adisbladis
on 6 Jan 2018
@nh2 @andir The issue in QtPass was already fixed (https://github.com/NixOS/nixpkgs/pull/33445).
adisbladis
on 6 Jan 2018
nixos-17.09 EOL
ckauhaus
on 8 Oct 2018
Related issues
rzetterberg
·
3Comments
matthiasbeyer
·
3Comments
ayyess
·
3Comments
ob7
·
3Comments
grahamc
·
3Comments
Most helpful comment
gstreamer: the -plugins-bad from 0.10 is a really bad package... I would just phase it out, marking it as insecure for now. Any better ideas?