Vulnerability roundup 47 (release-18.03) #47123

Closed
2 of 12 tasks
ckauhaus opened this issue Sep 21, 2018 · 5 comments
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one

Comments

@ckauhaus
Contributor

ckauhaus commented Sep 21, 2018

Scanned nixos/release-combined.nix @ d16a7ab. Filtered out previously reported CVEs. May contain false positives.

accountsservice-0.6.46 (search, files)

exempi-2.4.5 (search, files)

exiv2-0.26 (search, files)

ffmpeg-3.4.4 (search, files)

libtiff-4.0.9 (search, files)

lua-5.1.5 (search, files)

openjpeg-2.3.0 (search, files)

procps-3.3.15 (search, files)

sddm-0.17.0 (search, files)

zip-3.0 (search, files)

Cc: @joepie91, @phanimahesh, @the-kenny, @7c6f434c, @k0001, @peterhoeg, @nh2, @LnL7, @grahamc, @adisbladis, @fpletz, @vcunat

Contact @ckauhaus for any questions.

@ckauhaus
Contributor Author

master is #47121

ckauhaus pushed a commit to ckauhaus/nixpkgs that referenced this issue Sep 21, 2018
Both versions are not maintained anymore upstream and have open security
issues, e.g. https://nvd.nist.gov/vuln/detail/CVE-2014-5461.

The same holds for lua5_1 but that seems to be in use in some places.

Re NixOS#47122
Re NixOS#47123
@vcunat vcunat added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Sep 23, 2018
@periklis
Contributor

@ckauhaus I've checked our release-18.03 channel for lua and the patch is included. (See L23)

@markuskowa
Member

There is no solution for procps-3.3.15 CVE-2018-1121.
According to the developers this is not a procps-ng bug but rather a bug of the filesystem (https://gitlab.com/procps-ng/procps/issues/107)

@ckauhaus
Contributor Author

@markuskowa ok, then forget about this one

@vcunat
Member

vcunat commented Dec 29, 2018

18.03 is way past its lifetime now.

@vcunat vcunat closed this as completed Dec 29, 2018