gnutls: 3.6.13 -> 3.6.14 #89884

Merged
merged 1 commit into from
Jun 10, 2020

cole-h
Member

@cole-h cole-h commented Jun 9, 2020

Fixes CVE-2020-13777 [1].

Changes: https://lists.gnupg.org/pipermail/gnutls-help/2020-June/004648.html

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-13777

Motivation for this change

Saw this thread on Twitter: https://twitter.com/__agwa/status/1270054737317113857. Noticed it hadn't been updated in Nixpkgs yet, so here I am.

See https://gitlab.com/gnutls/gnutls/-/issues/1011 and the aforementioned Twitter thread for more info.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

cc @vcunat (you merged/reviewed/dealt with the previous bump)

I built and tested against master; currently building against staging. Might take a while.

EDIT: Took a lot less time than I expected. Built fine and binaries still work fine.

@wamserma
Member

wamserma commented Jun 9, 2020

This should be fast-tracked as this currently gets a lot of press coverage.
@cole-h Could you also take care of the backport to 20.03?

@vcunat
Member

vcunat commented Jun 9, 2020

Naturally, I consider this a very serious issue. 20.03 binaries are already being built on the farm.

@cole-h
Member Author

cole-h commented Jun 9, 2020

@vcunat Thanks for handling the backport (I had opened this just before going to bed... lol).

@vcunat vcunat merged commit bed5bc5 into NixOS:staging Jun 10, 2020
@cole-h cole-h deleted the gnutls branch June 10, 2020 07:12
@schmittlauch
Member

As the recent hydra evaluations of release-20.03 have all failed – at first look because of a problem with the aarch64 builders – this important security patch hasn't reached the stable channel yet.
Whom to ping for getting the build infra fixed?

@vcunat
Member

vcunat commented Jun 11, 2020

I can do just stuff like restarts, but even after many of them it was of no use. /cc @grahamc

@vcunat
Member

vcunat commented Jun 12, 2020

Now the critical aarch64 builds came through and release-20.03 updated past the gnutls update (and firefox as well).

vcunat pushed a commit that referenced this pull request Jun 12, 2020
Fixes CVE-2020-13777 [1].

Changes: https://lists.gnupg.org/pipermail/gnutls-help/2020-June/004648.html

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-13777

(cherry picked from commit 1dba117, PR #89884)
19.09 isn't really supported anymore, but this CVE seems very important.
@vcunat
Member

vcunat commented Jun 12, 2020

I haven't seen these abortions anymore in the past few hours, so hopefully it's solved now.

@cole-h
Member Author

cole-h commented Jun 12, 2020

Solved until it rears its ugly head again, at least. It was (probably) caused by a sick server: https://logs.nix.samueldr.com/nixos-dev/2020-06-11#1591912418-1591912502.
