Nixpkgs: openssl 1.0.2 is not supported anymore

Created on 11 Jan 2020 · 6 comments · Source: NixOS/nixpkgs

Upstream ended 1.0.2 support with 2019, but we still have many packages depending on it.

$ (git grep -l openssl_1_0_2 pkgs/; grep openssl_1_0_2 pkgs/top-level/all-packages.nix) | wc -l
65

I know of no issues since the last release, so I'm not marking it as vulnerable _yet_, but the dependents would better start migrating in advance.

Stable: it's unclear to me what we do about these in 19.09, but perhaps there won't be any notable vulnerabilities before 19.09 support ends :-) _1.0.2 is the default in 19.03, but we don't support that anymore._

Labels: bug, security
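As an added illustration (not code from this issue, nor nixpkgs' own openssl expression), the following Nix file shows what "marking it as vulnerable" means mechanically. `meta.knownVulnerabilities` is the real nixpkgs attribute that makes evaluation of a package fail with the listed messages, and `config.permittedInsecurePackages` is the real user-side opt-in. The warning text is an assumption, and the file assumes a nixpkgs checkout that still carries the `openssl_1_0_2` attribute (such as the 19.09 channel discussed above).

```nix
# openssl-1_0_2-insecure.nix -- added illustration, not from this issue or nixpkgs.
# Shows the effect of meta.knownVulnerabilities on openssl_1_0_2 and the opt-in
# a user needs to evaluate it anyway. Assumes <nixpkgs> still has openssl_1_0_2.
let
  # Apply the "mark as insecure" change to whatever nixpkgs instance we get.
  markInsecure = pkgs:
    pkgs.openssl_1_0_2.overrideAttrs (old: {
      meta = (old.meta or { }) // {
        # A non-empty list makes mkDerivation refuse to produce a drv/out path;
        # the strings are what the user sees in the error. (Wording is assumed.)
        knownVulnerabilities = (old.meta.knownVulnerabilities or [ ]) ++ [
          "OpenSSL 1.0.2 reached end of life at the end of 2019; upstream publishes no further security fixes."
        ];
      };
    });

  base = import <nixpkgs> { };

  # Same nixpkgs, but with this one package explicitly permitted. The entry
  # must be the derivation name, i.e. "${pname}-${version}" (e.g. "openssl-1.0.2u").
  permittedPkgs = import <nixpkgs> {
    config.permittedInsecurePackages = [ base.openssl_1_0_2.name ];
  };
in
{
  # nix-instantiate -A refused openssl-1_0_2-insecure.nix
  #   -> evaluation error that quotes the knownVulnerabilities entry
  refused = markInsecure base;

  # nix-instantiate -A allowed openssl-1_0_2-insecure.nix
  #   -> prints the .drv path, because the package was explicitly permitted
  allowed = markInsecure permittedPkgs;
}
```

The check is performed by `mkDerivation` at evaluation time and gates the derivation's `drvPath` and `outPath`, so every one of the 65 dependents counted above would stop evaluating the moment the attribute is set; that is the "motivation" the comments below refer to. Setting `NIXPKGS_ALLOW_INSECURE=1` in the environment is the ad-hoc equivalent of the `permittedInsecurePackages` entry.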

All 6 comments

List of files:

pkgs/applications/blockchains/pivx.nix
pkgs/applications/networking/cluster/hadoop/default.nix
pkgs/applications/version-management/git-and-tools/git-dit/default.nix
pkgs/applications/version-management/p4v/default.nix
pkgs/development/compilers/crystal/default.nix
pkgs/development/compilers/mint/default.nix
pkgs/development/interpreters/python/pypy/default.nix
pkgs/development/interpreters/python/pypy/prebuilt.nix
pkgs/development/libraries/globalplatform/default.nix
pkgs/development/libraries/globalplatform/gppcscconnectionplugin.nix
pkgs/development/libraries/openssl/default.nix
pkgs/development/mobile/androidenv/lldb.nix
pkgs/misc/emulators/epsxe/default.nix
pkgs/os-specific/darwin/apple-source-releases/network_cmds/default.nix
pkgs/servers/sql/postgresql/default.nix
pkgs/shells/powershell/default.nix
pkgs/tools/misc/mongodb-tools/default.nix
pkgs/tools/security/pbis/default.nix
pkgs/top-level/all-packages.nix
pkgs/top-level/beam-packages.nix
pkgs/top-level/perl-packages.nix
pkgs/top-level/python-packages.nix
pkgs/top-level/static.nix

I think we should mark it vulnerable. Other EOL packages have been marked vulnerable because of the EOL before, e.g. Firefox, and if there's any package we should be extra-careful with, it's OpenSSL.

I bumped it to fix the last CVE minutes before opening this ticket, so I was obviously biased against marking it immediately ;-)

BTW, it's still a decision to make, as there's surely some LTS distro that will keep shipping 1.0.2 for some time, so patching the worst probably won't be too difficult. I'm personally _not_ willing to invest significant time into it, though :-)

BTW, it's still a decision to make, as there's surely some LTS distro
that will still ship 1.0.2 for some time, so patching the worst
probably won't be too difficult. I'm personally _not_ willing to
invest significant time into it, though :-)

Best way to motivate somebody to volunteer is to mark it as insecure. ;)

OK, I think we've given enough time and now we should press on a bit: https://github.com/NixOS/nixpkgs/pull/80746
