
Vulnerability roundup 39 (master) #38993

Closed
30 of 85 tasks
ckauhaus opened this issue Apr 16, 2018 · 18 comments
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one

Comments

@ckauhaus
Contributor

ckauhaus commented Apr 16, 2018

Scanned nixos/release-combined.nix @ 911a6da. Filtered out previously reported CVEs. May contain false positives.

This is a fresh start - CVEs filtered out for 18.03 are included here. Please look especially for those packages that had no upstream fix a while ago.

bazaar-2.7.0 (search, files)

binutils-2.30 (search, files)

@Ericson2314

coreutils-8.29 (search, files)

@edolstra

cyrus-sasl-2.1.26 (search, files)

exiv2-0.26 (search, files)

ffmpeg-3.4.2 (search, files)

@codyopel @Fuuzetsu

gstreamer-0.10.36 (search, files)

jasper-2.0.14 (search, files)

@pSub

jquery-ui-1.11.4 (search, files)

libarchive-3.3.2 (search, files)

@jamescun

libcroco-0.6.12 (search, files)

libgcrypt-1.8.2 (search, files)

@wkennington @vrthra

libid3tag-0.15.1b (search, files)

@Fuuzetsu

libimobiledevice-1.2.0 (search, files)

libmad-0.15.1b (search, files)

@lovek323

libsndfile-1.0.28 (search, files)

@lovek323

libtiff-4.0.9 (search, files)

libusbmuxd-1.0.10 (search, files)

net-snmp-5.7.3 (search, files)

@wkennington

openjpeg-2.3.0 (search, files)

@codyopel

openldap-2.4.45 (search, files)

@lovek323

openvpn-2.4.5 (search, files)

@viric

patch-2.7.6 (search, files)

pcre-8.41 (search, files)

python-2.7.14 (search, files)

@FRidh

rsync-3.1.3 (search, files)

shadow-4.5 (search, files)

sharutils-4.15.2 (search, files)

@ndowens

sqlite-3.22.0 (search, files)

@np

util-linux-2.31.1 (search, files)

wildmidi-0.4.2 (search, files)

@bjornfor

wpa_supplicant-2.6 (search, files)

@MarcWeber @wkennington

Cc: @joepie91, @phanimahesh, @the-kenny, @7c6f434c, @k0001, @peterhoeg, @nh2, @LnL7, @grahamc, @adisbladis, @fpletz

Contact @ckauhaus for any questions.

@nlewo
Member

nlewo commented Apr 16, 2018

CVE-2017-16548 (rsync) is fixed in our rsync release (latest one).
See the first security fix in https://download.samba.org/pub/rsync/src/rsync-3.1.3-NEWS

@jamescun
Contributor

@ckauhaus I think you've mistakenly tagged me for libarchive. I do not own this package nor use NixOS 😄.

@ckauhaus
Contributor Author

@jamescun oops sorry

@FRidh
Member

FRidh commented Apr 16, 2018

The Python 2.7 CVE is considered a regular bug by the PSRT (Python Security Response Team), and is known for already half a year. Since no patch for it has been accepted by upstream, I am ignoring it.

@FRidh FRidh added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Apr 16, 2018
@nlewo
Member

nlewo commented Apr 17, 2018

CVE-2018-6952 (gnupatch): no patch is available (https://savannah.gnu.org/bugs/index.php?53133)

pSub added a commit that referenced this issue Apr 17, 2018
Part of vulnerability roundup 39 (issue #38993)

(cherry picked from commit bbbbbbc)
pSub added a commit that referenced this issue Apr 17, 2018
Part of vulnerability roundup 39 (issue #38993)
@pSub
Member

pSub commented Apr 17, 2018

I've applied the patch for jasper-2.0.14 in master and release-18.03. release-17.09 has version 2.0.13 which should not be affected.

@dotlambda
Member

The wildmidi CVEs seem to have been fixed in the 0.4.2 release (https://github.com/Mindwerks/wildmidi/releases/tag/wildmidi-0.4.2), which is only missing in 17.09.

@ckauhaus
Contributor Author

@dotlambda That's interesting - the CVEs list 0.4.2 as vulnerable. Probably they've got the version number wrong. Marking wildmidi as fixed on master. A backport to 17.09 would be sensible.

@adisbladis
Member

bazaar (CVE-2017-14176): 19bc90f

@vcunat
Member

vcunat commented Apr 21, 2018

libgcrypt: no fix upstream yet; one proposed way is a documentation-only fix (1).

@pSub
Member

pSub commented Apr 21, 2018

cyrus_sasl vulnerability CVE-2013-4122 was fixed in 5d41dda. I've included (6ccc17f) the CVE in the patch name for vulnix auto-detection.

@pSub
Member

pSub commented Apr 22, 2018

I've also included the CVE tag in the patch for CVE-2016-5104, libimobiledevice-1.2.0. (29e5da8).
Edit: Same for libusbmuxd in (7395480).

@vcunat
Member

vcunat commented May 5, 2018

coreutils: my understanding of upstream ML messages and their commits is that they decided the risk is not really fixable and updated the documentation. We could rush applying the doc updates like e.g. Fedora, but I don't think it's really worth the mass rebuilds now.

@vcunat
Member

vcunat commented May 5, 2018

util-linux: fixed in staging by #37814

vcunat added a commit to vcunat/nixpkgs that referenced this issue May 5, 2018
Fixes CVE-2018-1000030, /cc NixOS#38993.

The ncurses patch no longer applied, and it appears the problems have
been resolved upstream https://bugs.python.org/issue25720
python/cpython@6ba0b583d67
FRidh pushed a commit that referenced this issue May 9, 2018
Fixes CVE-2018-1000030, /cc #38993.

The ncurses patch no longer applied, and it appears the problems have
been resolved upstream https://bugs.python.org/issue25720
python/cpython@6ba0b583d67
FRidh pushed a commit that referenced this issue May 9, 2018
Fixes CVE-2018-1000030, /cc #38993.

The ncurses patch no longer applied, and it appears the problems have
been resolved upstream https://bugs.python.org/issue25720
python/cpython@6ba0b583d67
FRidh pushed a commit that referenced this issue May 27, 2018
Fixes CVE-2018-1000030, /cc #38993.

The ncurses patch no longer applied, and it appears the problems have
been resolved upstream https://bugs.python.org/issue25720
python/cpython@6ba0b583d67

(cherry picked from commit 59beaf7)
@stammon
Contributor

stammon commented Oct 27, 2018

openjpeg: fixed in Openjpeg Patching CVE-2018-7648 #49262

@ckauhaus
Contributor Author

This issue needs review. Many of the affected packages reported here are still present on master or 18.09.

@c0bw3b
Contributor

c0bw3b commented Dec 8, 2018

CVE-2017-17480 fixed in a4700aa on master and b3aff3a for 18.09

@ckauhaus
Contributor Author

18.09 is EOL
