Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[22.05] Revert "python3Packages.mistune_0_8: mark knownVulnerabilities CVE-2022-34749" #188031

Merged
merged 1 commit into from
Aug 23, 2022
Merged

[22.05] Revert "python3Packages.mistune_0_8: mark knownVulnerabilities CVE-2022-34749" #188031

merged 1 commit into from
Aug 23, 2022

Conversation

sersorrel
Copy link
Contributor

This reverts commit db8c230 (#184209/#186149).

Description of changes

Per lepture/mistune#314 (comment), Mistune 0.8.4 is not vulnerable to CVE-2022-34749, only 2.0.x versions of Mistune before 2.0.3 are. (release-22.05 now contains mistune 0.8.4 and 2.0.4, neither of which are vulnerable.)

Things done

nixpkgs-review is running, but will take a while.

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.11 Release Notes (or backporting 22.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@sersorrel
Revert "python3Packages.mistune_0_8: mark knownVulnerabilities CVE-20…
3403041 
…22-34749"

This reverts commit db8c230.

Mistune 0.8.4 is not vulnerable to CVE-2022-34749, only 2.0.x versions
of Mistune are.
@sersorrel sersorrel changed the title Revert "python3Packages.mistune_0_8: mark knownVulnerabilities CVE-2022-34749" [22.05] Revert "python3Packages.mistune_0_8: mark knownVulnerabilities CVE-2022-34749" Aug 23, 2022
@FRidh
Copy link
Member

FRidh commented Aug 23, 2022

We should probably also fix on master

pkgs/top-level/python-aliases.nix:  mistune_0_8 = throw "mistune_0_8 was removed because it was outdated and insecure"; # added 2022-08-12

@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Aug 23, 2022
@Ma27 Ma27 mentioned this pull request Aug 23, 2022
Closed
13 tasks
@Ma27 Ma27 merged commit 22b6dc7 into NixOS:release-22.05 Aug 23, 2022
@sersorrel sersorrel deleted the mistune-0.8-is-ok-actually branch August 23, 2022 15:24
@sersorrel sersorrel mentioned this pull request Aug 24, 2022
Closed
1 task
@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/jupyter-broken-in-22-05/21108/5

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@FRidh FRidh FRidh approved these changes

@jonringer jonringer Awaiting requested review from jonringer

Assignees
No one assigned
Labels
6.topic: python 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sersorrel @FRidh @nixos-discourse @Ma27