NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

how to subscribe to security advisory notices for nixpkgs / nixos? #13515

Closed dckc closed 7 years ago

dckc commented 8 years ago

tl;dr: I suggest an issue label or combination of labels dedicated to security advisories (vulnerabilities and updates / patches).

Describe your issue here

Nix is great, and as I use it more for hobby stuff, I'm thinking about using it at work (KUMC medical informatics) where we safeguard research data about a large collection of patients.

We have a few dozen linux servers; SLES in particular. We regularly apply SLES updates, so we get those updates whether we read their SUSE Update Advisories or not. For stuff we install on top of that, our general policy is to subscribe to security notices directly. For example:

I have been looking for something similar for nix packages. I sort of expected to see something on/near NixOS support, but no joy. Then I stumbled across the issues with the 1.severity: security label.

Stuff like #12437 on ffmpeg and #13506 on openssl are exactly what I'm looking for. But #7220 also bears that label, and it's more of a wide-ranging design discussion, not a particular vulnerability or update. It would work for me to filter out the "0.kind: enhancement" label or add "9.needs: package (update)" as a constraint, provided that emerges as the norm among the nix maintainers. An explicit link from NixOS support would be most helpful.

For reference, when I asked for reference information on the current list of labels, I learned about the NixOS/Nixpkgs repository labels thread.

For inspiration, a few more lists I found while researching this request:

It seems conventional to document "how to report security issues" on the same page.

Expected result

A security update policy on/near NixOS support.

Actual result

No clear security update norms.

Steps to reproduce

Look at NixOS support and pages nearby.

domenkozar commented 8 years ago

Agreed - I will propose the priority for 16.09 release should be security updates tooling and advisories.

dckc commented 8 years ago

I found a relevant nifty blog item; it even cites this issue. I suppose it's worth closing the loop:

grahamc commented 7 years ago

Here are some security announcements. :)

The following issues have been resolved in NixOS in unstable and 16.09. They remain potentially open on 16.03 and older. They will be released to 16.09 and unstable channels once Hydra's tested job passes for each channel.

Fixes from September 22 (https://github.com/NixOS/nixpkgs/issues/18856)

Fixes from September 29 (https://github.com/NixOS/nixpkgs/issues/19075)

Fixes from October 5 (https://github.com/NixOS/nixpkgs/issues/19253)

Fixes from October 12 (https://github.com/NixOS/nixpkgs/issues/19481)

grahamc commented 7 years ago

Fix from this morning, October 18, to be released to 16.09 and unstable once hydra builds:

grahamc commented 7 years ago

Fixes from October 19 (https://github.com/NixOS/nixpkgs/issues/19678), to be released to 16.09 and unstable once hydra builds:

On master only, upgrading KDE: https://github.com/NixOS/nixpkgs/commit/9cd8b4e2d7846d897787963d5a2e11d3c12f30e1 but a proposed upgrade for KDE in 16.09: https://github.com/NixOS/nixpkgs/pull/19706

Chromium has an outstanding issue (https://lwn.net/Vulnerabilities/703767/) without any solution yet.

Note, if you'd like to help on the next week's hunt please add a comment to issue https://github.com/NixOS/nixpkgs/issues/19678 :)

grahamc commented 7 years ago

Fixes from October 20 to be released to 16.09 and unstable once hydra builds:

grahamc commented 7 years ago

@domenkozar it strikes me we could address the problem reported on this issue by:

  1. linking to the comments on this issue :)
  2. putting these notices elsewhere, and linking to that ...

I can post these notices anywhere. Some thoughts on where:

aneeshusa commented 7 years ago

I don't think reusing a single issue thread will scale well. Keeping in mind https://github.com/NixOS/nixpkgs/issues/14819#issuecomment-215451742, IMO an RSS feed would be best; the RSS feed could be backed/generated from another system if wanted as well (e.g. a git repo).

groxxda commented 7 years ago

Every time https://github.com/NixOS/nixpkgs-channels is updated, the HEAD commit could be tagged as a release with an automatically generated release message from the commit messages. Maybe grepping for CVE strings or something similar.. git-notes may also work.. That would give us the RSS feed.

grahamc commented 7 years ago

FWIW I'd rather avoid trying to be too automatic about it, or steeping this discussion in technical implementation details. As it stands now the process of generating the advisories is pretty trivial, especially in comparison to the effort in actually researching and applying the patches.

grahamc commented 7 years ago

Update, October 20: Privilege escalation vulnerability in All Linux Kernels

Kernel updates in master and 16.09 include patches for CVE-2016-5195 (DirtyCow -- https://dirtycow.ninja/) https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails

The hydra job for 16.09 (https://hydra.nixos.org/build/42415618) passed the tested job, and should be available through the channels soon. Versions at or after 2eac61e5db79783a571b4be2f26b73172f5db3c0 include the upgraded kernels. Any version before this is insecure. At time of writing the stable channel is at b8ede35, which is insecure. I will update when the channel update happens.

grahamc commented 7 years ago

Cross-posted from nix-dev:

Hello Nixers,

All Linux kernels since 2.6.22 have been vulnerable to a privilege escalation bug.

Please upgrade immediately.

This issue was discovered and patched on October 18. The fix was released yesterday, and the 16.09 channel now includes the fix for the following kernels:

When updating please ensure you have nixos-16.09.819.31c72ce or newer. The previous versions (nixos-16.09.773.b8ede35 and older) do not include these patches.

For unstable, only unstable-small has the patches:

Standard unstable will move forward when all tests have passed.

All other kernels available in NixOS 16.09 and Unstable are vulnerable and have not yet received patches.

This includes:

More information can be had at https://dirtycow.ninja/

Also included in this channel update are several fixes found in the latest vulnerability hunt. See:

If you would like to help with future hunts and patches, please leave a comment on https://github.com/NixOS/nixpkgs/issues/19678 and I'll make sure to ping you.

Thank you, Graham

dckc commented 7 years ago

So the way to subscribe to security notices is to subscribe to this ticket?

If so, please update NixOS support or something nearby.

grahamc commented 7 years ago

@dckc I don't think this ticket is officially designated The Way to do it. I've been doing it as a stop-gap. Note my question (https://github.com/NixOS/nixpkgs/issues/13515#issuecomment-255234768) about where we should do it long term.

grahamc commented 7 years ago

Update, October 22: Kernel buffer overflow patched. Not sure of severity.

@NeQuissimus has upgraded our Linux kernels to the latest versions released today.

| attribute | was | now | 16.09 | unstable | changelog |
|---|---|---|---|---|---|
| linuxPackages_latest | 4.8.3 | 4.8.4 | ceb1d539483bb05c3b1114ca096a2c2e6d40f842 | a3989b87df42e21cb4f23ccc26bc0c5572f969d0 | https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.4 |
| linuxPackages_4_7 | 4.7.9 | 4.7.10 | c9d66910e6a0ebb44576a29bdec67951381ddc9c | 72d91f95cb550c24a1580898ab78f038a14214a5 | https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.10 |
| linuxPackages | 4.4.26 | 4.4.27 | 92047849deb2c7e03b7798b9e9652f1f6c4b6366 | aa7424642d65df16b4f9e64550cabe31850d3e2a | https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.27 |

PS: @NeQuissimus has been an incredible help on keeping our kernels up to date lately. Thank you!

grahamc commented 7 years ago

Security fixes from 2016-10-26 01:54 UTC

The following issues have been resolved in NixOS in unstable and release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when Hydra finishes building the "tested" job for each channel:

| master | release-16.09 | Message | Notes |
|---|---|---|---|
| 5440c1a64cd66ca481c7aa3121b32fbdfaf1ba81 | 2bc7ca7060fdd53ec4fc83a847e4a3661ac10bdb | grsecurity: 4.7.9-201610200819 -> 4.7.10-201610222037 | Fixes dirtycow (please upgrade! now in the channel!) |
| e99a81060fe071cf28a8bbf09a9dcacd66855455 | cadc55f2898983ca96df7fb4bd6e39757ebd68df | gnutls: 3.3.24 -> 3.3.25 | GNUTLS-SA-2016-3 / CVE-2016-7444 (https://www.gnutls.org/security.html) -- not available yet |
| b3f7d626c164ae591a067f78bfcbb06fc3a588b9 | 27b37f1b9532170a043468d38eaf4bf1dbf97e09 | kernel: remove 4.7 | 4.7 is now EOL (now in the channel!) |

grahamc commented 7 years ago

Security fixes from 2016-10-27 12:50 UTC

The following issues have been resolved in NixOS in unstable and release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when Hydra finishes building the "tested" job for each channel:

| master | release-16.09 | Subject | Notes |
|---|---|---|---|
| d19b53f8516ca6a52918f5db216bd59a3b69a1aa | 4f0125074efac58ad829a5184831757509c6ec9e | flashplayer: 11.2.202.637 -> 11.2.202.643 | Critical security flaw: https://helpx.adobe.com/security/products/flash-player/apsb16-36.html |
| e4773819f419618f2247a5226c3390d2fd817859 | 74b319bdd4be78159a9739df1d49c4a8d9e96096 | kernel: 3.10.103 -> 3.10.104 | Includes fixes for DirtyCow |
| e5e84ecbbdc2477499626a9815c4ec8c265b18da | 9f3371bc72689c24c9a25172bb6da6b31cc6395a | kernel: 3.12.63 -> 3.12.66 | Includes fixes for DirtyCow |
| b02646f93b995dd683681fc6f2c86c056b41a2d0 | a43f80a9065bf83b662b12cd33d9d2b8f99d189a | kernel: 3.18.42 -> 3.18.44 | Includes fixes for DirtyCow |
| 89cd922a6a910164dfb63dc0389a254b079d26df | ebed0acc179c0bfc5da5888082012b774f71a4e1 | kernel: 4.1.33 -> 4.1.35 | Includes fixes for DirtyCow |
| e5ad26e48e7f74435219adf85be97f014a567eda | 59c8691b3c7019a09cc294f9aab01785675e61ec | libdwarf: 20161001 -> 20161021 for CVE-2016-8679 | n/a |
| 65a6484f792c5939a5de678a2abdf943d139babf | cc5f0af99071a42336b5d18ee1eb65aee1df57bd | libgit2: 0.24.1 -> 0.24.2 for CVE-2016-8568, CVE-2016-8569 | n/a |
| 0f7ac8b41fcc048e29d6e89fa71806d4bb185e9c | b24ae4592b2aaff12aa0352e9dc83346f57a6720 | openslp: patch for CVE-2016-7567 | n/a |
| 69e8bac9cd1b605440a28e4cb56a4acf6e2c0103 | 8c6ee842007f884b28f6461300906e1505b7d3f9 | virtualbox: 5.1.6 -> 5.1.8 for many CVEs | n/a |

There are additional patches waiting to land:

I'll provide an update when these stragglers are complete.

Thank you, Graham

PS: If you would like to help with future hunts and patches, please leave a comment on #19884 and I'll make sure to ping you.

grahamc commented 7 years ago

Security advisories from 2016-10-27 22:37 UTC

The following issues have been resolved in NixOS in unstable and release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when Hydra finishes building the "tested" job for each channel:

| master | release-16.09 | Subject | Notes |
|---|---|---|---|
| 070ff88fea1ccbd7a6201afb98923b7d90442f2b | 06a9a09a0275178be8ad77b23bd253c7d4e88e0c | openjdk: 8u122-03 -> 8u122-04 | n/a |
| e9a5cf3f6f532551e9841bcb7c6364ee161be2c8 | e9a5cf3f6f532551e9841bcb7c6364ee161be2c8 | kernel: 4.9-rc1 -> 4.9-rc2 | Patches for DirtyCow |
| 354811f4bcb802a8032fdbb228ec82d73b15ebe8 | eef176fb8250fd221173a3bd11e4cb0a027b6b6f | webkitgtk214x: 2.14.0 -> 2.14.1 | (backported the creation of 2.14 for Epiphany, which now requires it.) |
| 3e18f4bc2f7d9dc89672a62fc07b071f6f32bcdd | 5b08a40da92199aaf53e191e28eac0e7bfdd804c | epiphany: 3.20.3 -> 3.20.4 | n/a |

With the exception of Chromium (https://github.com/NixOS/nixpkgs/pull/19565) this closes out https://github.com/NixOS/nixpkgs/issues/19884.

Thank you, Graham

PS: If you would like to help with future hunts and patches, please leave a comment on https://github.com/NixOS/nixpkgs/issues/19884 and I'll make sure to ping you.

Update: 16.09's channel has moved forward and nixos-16.09.877.5b08a40 includes all the patches.

grahamc commented 7 years ago

Security advisories from 2016-11-05 01:12 UTC

The following issues have been resolved in NixOS in unstable and release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when Hydra finishes building the "tested" job for each channel:

| master | release-16.09 | Subject | Notes |
|---|---|---|---|
| 2b2f2733757922c0ea1fd2312662dc0442b59637 | 826a5d7aa1899c4a3ed8bb5e207d4c4c3d574a33 | cairo: add patch to fix CVE-2016-9082 | n/a |
| 1e1609da6ad87fe828973f17f1f175b3de841383 | 55dfafa4da724ada6ea5f8e17111a8c2fe7d68d9 | curl: 7.50.3 -> 7.51.0 | 11 serious CVEs |
| a7d35fdff34563ca8ccac09e9c4db2fcaa9ef076 | a64e9269fb0ce5c0eb4ff3f357580e60577bfa6d | gitlab: 8.12.6 -> 8.12.8, fix CVE-2016-9086 | n/a |
| 04db88d2474431417ed3c9276f3078c69a125af6 | eb653d96201b21d1e062191bea116c4996a6051b | graphicsmagick: add patches to fix 3 CVEs | n/a |
| dfdaea12403b31983cbfea365c76c29d4934f11e | 6189145b377819c0ecf93a6902f1c6ea6dfef3b5 | grsecurity: 4.7.10-201610222037 -> 201610262029 | n/a |
| 874abe694afe122feebd8665c71663af97b46cd6 | 4e17529a354d8100b8ce797b5708dc005fa10bba | linux: 4.8.5 -> 4.8.6 | n/a |
| a94bd88d7af53b2052035a76eaf474047a5ac614 | a29900e76335b4806cbfa917e5db93637a274fee | memcached: 1.4.20 -> 1.4.33 | n/a |
| af01fa71e0787c66c4f7e6fa88f8ee525959cd26 | 3f6c9cceeace789760b17e1998d03aeede16b93f | nixos.libvirtd: fix broken VMs due to emulator path changes | n/a |
| 68f2bc8fb351065fda55c8a7b1ee6d74ba64a9a0 | f33c5f713e1aa7c780134154e8e5072ad2081921 | perl-Image-Info: 1.38 -> 1.39 | n/a |
| b806e14a3ced762ec2b0ce162c75d400f312e897 | 74b91a85790683106a16f442c6a456f9561d94a9 | pythonPackages.django_1_8: 1.8.15 -> 1.8.16 | n/a |
| 58ad105cd43356e3de024fbf7df2d34f10d696df | abfb2e5cf9d2339fe9d8d0dc1085c0e6e715aea0 | pythonPackages.django_1_9: 1.9.10 -> 1.9.11 | n/a |
| 25c01931bb52bd2bc42b0bb017bd991236abd4fd | 924230d126a7c59d8423509cd8556558269f9316 | qemu: add patches to fix lots of CVEs | n/a |
| 9db03c1cf18e215ca9559e8f8a629dc6b1ad5385 | fc67ecc52fa7b7c25941f6cbeff29043508d8bbe | thunderbird: 45.3.0 -> 45.4.0 | n/a |
| cd67a0aada863e1510c0573aed03b20959dfdebb | 31ba04e416e4b7e318a0b8c39614c5b4868b3f68 | tre: add patch for CVE-2016-8859 | n/a |

Still outstanding is a patch for tar (difficult due to bootstrapping,) and a patch for chromium which we're testing.

P.S. Sorry for these being so late. Many of these haven't hit the stable channel yet, like the curl fixes. I'll try and shepherd these through, but am incredibly overloaded this week. Thank you to all contributors at #20078, especially @fpletz.

Note: If you'd like to participate in the next one, please leave a comment at #20078 :)

Update: These patches are available in the 16.09 channel.

grahamc commented 7 years ago

Security advisories from 2016-11-11 11:58 UTC

The following issues have been resolved in NixOS in unstable and release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when Hydra finishes building the "tested" job for each channel:

| master | release-16.09 | Subject | Notes |
|---|---|---|---|
| 66ce15a3b163753c7d0c2e237bdaa4e515d77500 | 4d5904d01ae718a6ddc8c949e0c151f0e1f45e3c | chromium: Update all channels to latest versions | n/a |
| 823f28cd1c64f6d8257a6486c085a356445c2db8 | 67805b574d891f1b5f8e03f79f5ddd7a7d7f3d9f | flashplayer: 11.2.202.643 -> 11.2.202.644 | n/a |
| ecfb8df7a77beeb8ed8e7238d928909665d2b183 | aa2f53dca107edc595e415f5883fb15abd793e77 | libressl_2_3: 2.3.8 -> 2.3.9 | n/a |
| 52f1a3789839281ab0f7fad9506f34d6dd379225 | f4b29c40b5b2a24ae4d5f1402f78a79373ebca72 | libressl_2_4: 2.4.3 -> 2.4.4 | n/a |
| 3190a6c45208bbad97ffe056f01155a2a65ac403 | 0ee0755f7dd10e14ddd41712c2d342d2d8c53800 | libwmf: add patch to fix CVE-2016-9011 | n/a |
| 579f5fd9dd644092dff29638e7d456af7607562d | bf7fbccc90d3aa27f38cbd40fff0d1d306ab1e14 | linux: 4.4.30 -> 4.4.31 | n/a |
| 0a1f39eb9125e09eba863fc4cebe6f1d105933ad | 9ab45d9631cb2119555f747440c70645ce9a8889 | linux: 4.8.6 -> 4.8.7 | n/a |

This brings us again up to date on Chromium updates. That code/test/debug loop is brutally long so thank you, @aszlig, @bendlas.

All of these updates are now available on the release channel.

grahamc commented 7 years ago

Security advisories from 2016-11-12 12:07 UTC

The following issues have been resolved in NixOS in unstable and release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when Hydra finishes building the "tested" job for each channel:

| master | release-16.09 | Subject | Notes |
|---|---|---|---|
| cc62ecc2d96e2aec3731de547c83bcf3c9e2a87c | a1678d4465857cde03b468170997d2026b8efcfe | linux: 3.12.66 -> 3.12.67 | n/a |
| ad19b9bde532841c727618eeb3d3457fd7b98c6d | 301fc5752beae35eb9b33a583c8f71fef7e773bc | linux: 4.9-rc3 -> 4.9-rc4 | n/a |
| bb2a67d226d2fc8b268655132fee33a720046613 | 030ffa95c8579905e3dcbcbc1ecc04afa36381d2 | openssl_1_1_0: 1.1.0b -> 1.1.0c | n/a |

All of these updates are now available on the release channel.

grahamc commented 7 years ago

Security advisories from 2016-11-17 03:07 UTC

The following issues have been resolved in NixOS in unstable and release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when Hydra finishes building the "tested" job for each channel:

| master | release-16.09 | Subject | Notes |
|---|---|---|---|
| 207b8d1c46e431a6ac2bfbdf14f9385098b4b51d | a6728e15cbca1d11553f01d7c3c477ae2debfd8e | firefox-esr: security-only update 45.4.0 -> 45.5.0 | n/a |
| 6f2b2daccf2735a72b51c9ac46fab7008bbb3f1c | b8d2a3e796d98397d72db889e73a09cbc837e658 | libgit2: 0.24.2 -> 0.24.3 | n/a |
| cc62ecc2d96e2aec3731de547c83bcf3c9e2a87c | a1678d4465857cde03b468170997d2026b8efcfe | linux: 3.12.66 -> 3.12.67 | n/a |
| 24c342fde7da069ddcd39f5d3afcd4ec4ec47b00 | 57959c85f9cf01faa184f543ac284e909a3f0ab4 | linux: 4.4.31 -> 4.4.32 | n/a |
| 9e851d3b110fa7548d7a9e103a4f1bd7aaa4d99e | 63e16e0eafb654e1f5df7ec0e2ebe4d6d3f277a7 | linux: 4.8.7 -> 4.8.8 | n/a |
| ad19b9bde532841c727618eeb3d3457fd7b98c6d | 301fc5752beae35eb9b33a583c8f71fef7e773bc | linux: 4.9-rc3 -> 4.9-rc4 | n/a |
| a87c8ad05f5399cd6cdfda47348d1673c6cd637f | da597361481d44f951f683915370b8f7713a1e8c | linux: 4.9-rc4 -> 4.9-rc5 | n/a |
| 0736bd2c539f4295bad38517ec389748a5635edd | a10cba4f20dce99b276c8123db8008a24fa68cc6 | mariadb: 10.1.18 -> 10.1.19 | n/a |
| 9c3eae488ef6f70da8b2fcf6d2f800bdba7d2d11 | 95a1fdc46f10d458e5ed1c215bf56b4979c79073 | opera: 40.0.2308.90 -> 41.0.2353.56 | n/a |
| 77cdbb9e3af9fcdd6edafa74695f6b00bdd89748 | ca250267989c68bead978615809c1cf9d05d00e5 | pythonPackages.cryptography: 1.5.1 -> 1.5.3 | n/a |
| d0d3330866eb74befa24d1cfbead4a22f28fae87 | 25dadd2d2d106b6e0156c52511e18c826e562c32 | shutter: add patch for CVE-2015-0854 with remote code | n/a |
| 3a3706c07f42685309865393cda23886cabd3ef9 | 6270733155c381090fc5c7de6bddc26fbf35f47f | vagrant: 1.8.6 -> 1.8.7 | n/a |
| 7ed55dc9e47443276f48908065101d1e9380929e | dd7c2715ed7836a2ab12daa36c2499faaaa8f6f0 | xinetd: patch for CVE-2013-4342 | n/a |
| 1eb545df059ef6830c518920fb6bc77d0a895120 | 39211629f8f84ad1a9a3f76194c5ae99125b12ec | jasper: 1.900.21 -> 1.900.28 | n/a |

Due to the jasper update, many things will need to rebuild before channels will update.

Note: If you'd like to participate in the next one, as always, please leave a comment at #20462.

grahamc commented 7 years ago

Security advisories from 2016-11-18 11:51 UTC

The following issues have been resolved in NixOS in unstable and release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when Hydra finishes building the "tested" job for each channel:

| master | release-16.09 | Subject | Notes |
|---|---|---|---|
| 6dfd4f5b08199f7c23f63318f6f7a928906a1859 | 751b9188cc714dba0db5767e56efac2085538bd6 | pepperflash: 23.0.0.205 -> 23.0.0.207 | n/a |
| e53b9025591a419c22ffc18d6362490486ccf9de | bbfa7ab83fa865d8b6a89c810cad424c0ab6dbf3 | php56: 5.6.27 -> 5.6.28 | n/a |
| 7c65e225dda6335c49783b0cb56508c3422e2377 | 085ceaf49739e8853cae1afadfb15e37bcf16038 | php70: 7.0.12 -> 7.0.13 | n/a |
| f4a318b528cacdd5c960bf66662131ecbdb2536f | daed85048fa714e237b2cc1032b68bc1b648d416 | qemu: add patches for CVE-2016-7994 & CVE-2016-8668 | n/a |

If you'd like to participate in the next security vulnerability roundup, as always, please leave a comment at https://github.com/NixOS/nixpkgs/issues/20462.

dckc commented 7 years ago

The numerous advisories in comments here actually make it harder to tell whether there is progress on this issue: what is the security advisory mechanism for nixpkgs? What is the next step in developing one? Who has the ball? Who has the mandate to decide what the process is?

This ticket is assigned to @domenkozar but I don't see anything from him since March 1.

How about moving the stop-gap process to a wiki page?

dckc commented 7 years ago

My use case is actually not nixos but nixpkgs used in docker containers. I suppose I neglected to point this out earlier.

Ideally, I could use nixpkgs security notices to establish something like Docker Security Scanning.

grahamc commented 7 years ago

@dckc I think your comments are fair, and I can appreciate the sentiment. I guess it might be helpful for me to write an update, so here we are. Markdown doesn't agree with some of the syntax, so I wrapped it up as a text blob, sorry :)

Regarding how to tell if there is progress or not: it is possible, but
requires reading through the lines a little bit. Let me explain a few
notable progressions:

1. Where we used to have patchy and missing coverage on security
updates, we now have a regular cadence of identifying and patching
security issues across nixpkgs.

2. While we've always had pretty good coverage of big-ticket
vulnerabilities like Heartbleed, there are hundreds of small but
important libraries that receive considerably less attention.

We now have very thorough coverage by keeping up with other distros'
release notes. While not perfect, it is considerably better than it was.
Using this process we have examined almost 1,000 issues since
2016-09-22.

I'm quite proud of this, and believe that we are now shipping a much
more secure package set.

3. A small group of people have become very regular contributors to the
security effort. While each of these people has contributed security
patches individually as well, I can always count on them to participate
and contribute to the weekly effort. Developing this team is very
important to having an effective long-term commitment to this
infrastructure.

4. Tools to support this effort are developing _in conjunction with_ the
actual effort of applying the patches. While multiple tools exist (like
Vulnix, and monitor.nixos.org,) the real blocker to forward progress
lies in the regular application of work from contributors to examine
security issues, identifying the appropriate patches, and identifying
how to properly backport the fixes to the stable channel.

Here are some tool-related improvements you can identify without too
much trouble:

1. A tool to generate the list of issues to examine. This tool has been
improved over time to make it easier to resolve the problem in nixpkgs.

2. Instructions associated with the list have improved.

3. A process has evolved to identify and include interested participants
week over week.

4. A GitHub Team has been created (@NixOS/security-notifications) where
people can ask to be added to receive highlights about future
vulnerability roundups.

5. A tool to identify security patches which have been applied to
master, and identify their corresponding patch to stable. This can be
plainly seen by the evolution of the notices published to this issue.

So ... where does this get us, and what is the next step? How do we
evolve from here?

Seeing as I spend about 6-10 hours every week on these patches I'm sure
you can imagine I spend a lot of time thinking about how to make it
better. Indeed, the tools we have here have been developed out of this
thought.

Firstly, I think the fairly ad-hoc approach to this whole effort has
allowed for exploration and experimentation in this space without too
much pressure to stick to anything in particular. As long as the weekly
roundup was happening, I was happy. Any changes to how each part worked
has been totally okay. I think this has been incredibly valuable. As
soon as these processes become codified in a NixOS Official Capacity, I
think it takes away some of the freedom to explore and try new things.
Not entirely, of course, but certainly some.

For "Next Steps," I think there are several places to go.

1. Having a more formal destination for storing notices, coupled with a
way to subscribe and receive notices in the traditional sense. I'm
talking about email.

2. Storing notices in a fashion that allows automation and tooling to
look at a version of nixpkgs and identify issues it is potentially
vulnerable or not vulnerable to. This is to answer the question of "Am
I vulnerable?" for the average user. The work we're doing is not
valuable if nobody upgrades. It is not valuable if people have to put in
too much work to benefit from it.

3. Building these "am I vulnerable?" tools and perhaps finding a way to
ship them by default to users.

4. Expanding the core group of security-minded contributors who spend
time each week on these vulnerabilities.

For your remaining questions of who has the ball, and who can mandate
the process... it really comes down to someone needs to do it. Someone
needs to identify what needs to happen, the details of making it work,
and thinking through the process. They then need to _actually do the
work_. Big and extravagant ideas are wonderful, but at the end of the
day other contributors and I are spending 10s of hours each week
actually reading and applying patches. This is how we got compiler
hardening in core, and multiple outputs, and the module system.

I think it is a fair assumption that as soon as someone who is doing the
work identifies how it should be formalized, it will be formalized. To
that end, I have been speaking with @rbvermaa today about taking these
next steps. I'm hoping to experiment with a few ways of accomplishing
this, though, prior to sending out a real recommendation on how we
proceed.

I hope you can see that many things have to develop in order to close
out this ticket. I believe we have started down this long path and have
made miles of progress. As you point out, though, we still have a long
way to go. I hope we will take the next leap forward soon.

dckc commented 7 years ago

This is excellent progress. Thanks for the update - I couldn't see the forest for the trees without it.

I'd be quite happy for you to declare victory, at least to a certain extent, based on the existing process. Actually, I see monitor.nixos.org is on the nixpkgs page and two hops from the NixOS support page via the nixpkgs manual (though I can't actually reach the monitor page just now).

I see answers to several of my questions:

vcunat commented 7 years ago

> Does 16.09 continue to get back-ported security updates after the 17.03 release?

No, probably not. So far we've been really keeping only one stable branch at a time, in addition to unstable/master. As always, if someone does the backporting work, it will be accepted easily enough.

grahamc commented 7 years ago

Security advisories from 2016-11-21 22:28 UTC

The following issues have been resolved in NixOS in unstable and release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when Hydra finishes building the "tested" job for each channel:

| master | release-16.09 | Subject | Notes |
|---|---|---|---|
| e38b74ba89d3d03e01ee751131d2a6dc316ac33a | f0699f7706b016d9ad37da4e062ac13ce7940393 | grsecurity: work around for #20490 | (Included so grsecurity users affected by #20490 know) |
| d3b8a77834e53d16bb11774a1aa3036a0d0f7555 | 606701bda5023e8b6739738040ec8144f4dc3ba4 | linux: 4.4.32 -> 4.4.33 | n/a |
| 250224bf019fd1a96dbe66b36b19f1e45bb662cd | 934e314246633683d91c2425a769f6f47c4b2f5c | linux: 4.8.8 -> 4.8.9 | n/a |
| 1376aeba42e405d61fd72b2382d005bc4e553ea2 | 417e04f0372a25b5621d6649dd5c3c47e518a1cb | monit: 5.19.0 -> 5.20.0 for CVE-2016-7067 | n/a |
| db66a95e5b704b8c1e9c55f186f1dccbfb6ce580 | b20a4b08bc5d7dbf3c1bb3f1502d8b0f4ca53771 | ntp: 4.2.8p8 -> 4.2.8p9 | release notes |
| 703deb0bc0dfaa352ebba98adcc6f770f5963c9d | 53eb53577f64d64ec3f75418c937a6b83a0f1af3 | slock: 1.3 -> 1.4 | CVE-2016-6866 |
| d045f8b4860c0ea7311a05188ab6d472cefbfca7 | b0a4aad87be412c4b166f6a1ea8229b9c0ff80c3 | thunderbird: maintenance 45.4.0 -> 45.5.0 | n/a |
| e9549d293cef520a5f74ca8203778d89911f1400 | 759620505595d72879d1d8c74a59c0868cce8f71 | wireshark: 2.2.0 -> 2.2.2 | n/a |

If you'd like to participate in the next security vulnerability roundup, as always, please leave a comment at #20462.

dckc commented 7 years ago

I don't quite see where to find the severity, impact, etc. of some of these vulnerability updates.

e.g. which lwn vulnerability goes with wireshark e9549d2? ah.. I see the commit message refers to various CVEs.

But what about linux: 4.4.32 -> 4.4.33 d3b8a77? How is that a security issue?

And likewise thunderbird d045f8b?

grahamc commented 7 years ago

> I don't quite see where to find the severity, impact, etc. of some of these vulnerability updates.

Yes, we should probably be sending a few sentences about each one. As I'll comment more specifically later, these are not perfect.

> e.g. which lwn vulnerability goes with wireshark e9549d2? ah.. I see the commit message refers to various CVEs.

It can take some effort to backtrack a particular commit / update to why that was made. Frequently looking at the commit will shed some light, or the PR it was merged in. Not perfect, I would like to improve this.

> But what about linux: 4.4.32 -> 4.4.33 d3b8a77? How is that a security issue?

The Linux Kernel team generally doesn't talk about updates and commits in terms of what security problems they resolve. Problems are frequently just patched without fanfare / description / explanation. A careful observer might be able to figure out these details, but we definitely don't have that time. Our kernel upgrade policy is to assume each patch change contains security fixes.

> And likewise thunderbird d045f8b?

This one was a mistake :) sorry about that.

I'll count your (again, very valid) comments as feature requests and bug reports in the (fairly prototype) security advisory tooling.

shlevy commented 7 years ago

> Our kernel upgrade policy is to assume each patch change contains security fixes.

This is also the linux kernel community's official recommendation.

grahamc commented 7 years ago

Security advisories from 2016-11-22 12:55 UTC

The following issues have been resolved in NixOS in unstable and release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when Hydra finishes building the "tested" job for each channel:

| master | release-16.09 | Subject | Notes |
|---|---|---|---|
| d62069aca47e104632171fc27b5b5a828447131a | e5fe74f5ba0bf6474393d26f67ca82a925e98da1 | linux: 4.4.33 -> 4.4.34 | n/a |
| e4a1b76457d6c078cd60f8df84fea89a26dedd7b | 4994f0ff21d0897e2fc557173faa9938f7d3545c | linux: 4.8.9 -> 4.8.10 | n/a |
| bffae65060dad819df7c3a6e8901b6fbfdca5b47 | c008fb09517e29cd8ddaeead678512ac0c72ab3f | rabbitmq-server: 3.5.6 -> 3.5.8 for unallocated CVEs | |

If you'd like to participate in the next security vulnerability roundup, as always, please leave a comment at #20462

grahamc commented 7 years ago

1. The latest roundup has yielded the following results:

The following issues have been resolved in NixOS in unstable and
release-16.09. They remain potentially vulnerable on older major
releases.

These patches will be released to the unstable and
release-16.09 channels when Hydra finishes building the "tested" job
for each channel:

 - https://hydra.nixos.org/job/nixos/release-16.09/tested
 - https://hydra.nixos.org/job/nixos/trunk-combined/tested

Please consider helping with the next security roundup by commenting on
https://github.com/NixOS/nixpkgs/issues/20647.

master   16.09    Message                                             Notes
---      ---      ---                                                 ---
9118702  5f69faa  libarchive: 3.2.1 -> 3.2.2 for unspecified vuln...  n/a
4a5c661  1980c26  gnuchess: 6.2.3 -> 6.2.4 for CVEs                   n/a
a3b7468  27c390f  w3m: 0.5.3-2015-12-20 -> 0.5.3+git20161120 for ...  n/a
336bacf  386c980  qemu: add patch to fix CVE-2016-7907                n/a
c823eae  2292d85  graphicsmagick: Update URLs for patches             n/a
9de6029  ee38d13  libtiff: 4.0.6 -> 4.0.7 for many CVEs               n/a
7a6185d  0454ef9  gstreamer: 1.8.2 -> 1.10.1                        (1)
286c836  fe0f9f9  pciutils: fixup finding modules to libkmod's way  n/a

(1) Fixes CVE-2016-9445, CVE-2016-9446, CVE-2016-9447.

Thank you,
Graham Christensen
2. This is the last announcement to be posted to this list. All future announcements will be sent to our new nix security list, which can be found here: https://groups.google.com/forum/#!forum/nix-security-announce

I believe that yields the following todos on this item:

Let me know if I missed some.

8573 commented 7 years ago

@grahamc: why is the security announcements mailing list invite-only?

grahamc commented 7 years ago

@8573 I'm not sure how it is configured or the implications of that. Looking in to it now, thank you for bringing that up.

7c6f434c commented 7 years ago

Maybe the list was initially intended for announcing embargoed issues (among the people working on security patches)?

vcunat commented 7 years ago

Note: the pciutils commit has no security implications, I believe (I authored it).

grahamc commented 7 years ago

Thank you, Vladimír. I thought I had removed that from the list. Sorry, my second mistake like this. I'll revisit this tooling.

Graham

tokudan commented 7 years ago

This is the last announcement to be posted to this list. All future announcements will be sent to our new nix security list,

I'm probably blind... but how do you subscribe to that forum to receive the messages by email? I do not see any subscribe, join or any similar option.

grahamc commented 7 years ago

Hi,

Sorry, obviously there has been an issue with the configuration. I will update this issue until that is resolved. I will also let everyone know when the list is fixed up.

Graham


grahamc commented 7 years ago

Ok everyone, here is an update:

Maybe the list was initially intended for announcing embargoed issues

No, this list is not for embargoed issues. We don't currently have this infrastructure. We are planning on working on this infrastructure in the first / second quarter of 2017.

why is the security announcements mailing list invite-only?

The list was misconfigured. We want the announce list to be announce-only and no other discussion. It is now configured to allow anyone to subscribe / join, but only certain people to send mail. For discussion about issues, I would recommend emailing nix-dev.

How do I subscribe?

why is that list not hosted on the same server as the other nix-related mailing lists?

The service which hosts the other mailing list seems to not be taking new lists. This was a problem when Rob tried to set up the list, and we agreed using a Google group should be okay, based on these criteria:

Security Updates (cross-posted to the list)

The following issues have been resolved in NixOS in unstable and
release-16.09. They remain potentially vulnerable on older major
releases.

These patches will be released to the unstable and
release-16.09 channels when Hydra finishes building the "tested" job
for each channel:

 - https://hydra.nixos.org/job/nixos/release-16.09/tested
 - https://hydra.nixos.org/job/nixos/trunk-combined/tested

Please consider helping with the next security roundup by commenting on
https://github.com/NixOS/nixpkgs/issues/20814.

master   16.09    Message                                             Notes
---      ---      ---                                                 ---
16995fc  d573588  boehmgc: 7.2f -> 7.2g                               n/a
1e17f21  e7fc018  firefox: 50.0.1 -> 50.0.2                           n/a
b04e23b  bd39c43  firefox: 50.0 -> 5.0.1 for CVE-2016-9078            n/a
2d341ca  3bf46ba  firefox-bin: 50.0 -> 50.0.1                         n/a
36f980b  22389ae  firefox-esr: security 45.5.0 -> 45.5.1 (#20841)     n/a
18a3225  15f6c2d  linux: 3.12.67 -> 3.12.68                           n/a
5afc6b5  0dcdb9b  linux: 4.1.35 -> 4.1.36                             n/a
cc77360  c9dafb1  linux: 4.4.34 -> 4.4.35                             n/a
654f5df  33287d9  linux: 4.4.35 -> 4.4.36                             n/a
b47307b  5db1d94  linux: 4.8.10 -> 4.8.11                             n/a
853b649  2ddf554  linux: 4.8.11 -> 4.8.12                             n/a
a8eeef6  d35e2de  lxc: 2.0.4 -> 2.0.6 (security)                      n/a
a9611a5  3275b2f  mcabber: 1.0.3 -> 1.0.4 for 'roster push attack'    n/a
0707962  e6fe609  mujs: 2016-09-21 -> 2016-11-30 for multiple CVEs    n/a
5b6d52b  7fc197f  nagios: 4.0.8 -> 4.2.3                              n/a
c77011c  a9523ed  nagiosPluginsOfficial: 2.0.3 -> 2.1.4               n/a
b221fc1  d564833  nss: 3.27.1 -> 3.27.2                               n/a
e700ff6  066166b  perl-bignum: 0.43 -> 0.44                           n/a
7d09138  d8e8bb4  perlPackages.DBDmysql: 4.033 -> 4.039               n/a
390f6a9  a5ffcd2  Revert "Revert "bzip2: patch for CVE-2016-3189""    n/a
7e40e89  997c6b9  rpcbind: patch for CVE-2015-7236                    n/a
f4aab5b  4d15c98  thunderbird: 45.5.0 -> 45.5.1                       n/a
5f4b3cd  24cd670  thunderbird-bin: 45.5.0 -> 45.5.1                   n/a
eba91fa  8b7a082  tomcat6: 6.0.45 -> 6.0.48                           n/a
3d0310d  1a0f5f8  tomcat7: 7.0.72 -> 7.0.73                           n/a
42f1ae1  b036ad5  tomcat85: 8.5.5 -> 8.5.8                            n/a
80a4750  c67cec2  tomcat8: 8.0.37 -> 8.0.39                           n/a
5f78980  00fb14b  tomcatUnstable: 9.0.0.M10 -> 9.0.0.M13              n/a
75cdbf4  805022c  torbrowser: 6.0.6 -> 6.0.7                          n/a

vcunat commented 7 years ago

Shall we close this issue? It's relatively long and seems resolved – people now can subscribe to that list.

grahamc commented 7 years ago

Good question, @vcunat, but I don't think so. Here are the remaining steps:

I think it should probably be a separate page on the nixos.org/nixos website. I've written up the following to this effect:

[% WRAPPER layout.tt title="NixOS Security" menu='nixos' %]

Updates:

1. Stable releases receive security updates until the next stable
release. After this point, diligent support ends and it falls into
community support. Patches for security issues will be accepted, but
the security team generally doesn't work to continue support.
2. Unstable receives all security updates, however will sometimes be
quite behind due to being unstable.

You can subscribe to announcements at
https://groups.google.com/forum/#!forum/nix-security-announce or by
emailing `nix-security-announce+subscribe@googlegroups.com`
with the subject "subscribe".

These messages will be signed by a member of the security team, who
is currently comprised of the following people:

 - Graham Christensen (fingerprint: 0xfe918c3a98c1030f)

If you would like to report a security issue with NixOS, please email
any or all of these people privately. We will ensure the issue gets
handled.

[% END %]

This needs editing and formatting as HTML, and preferably someone else added to that list with a key :)

dckc commented 7 years ago

There's still the question of

Perhaps I should open a separate issue about this.

The process above is largely about source code, not compiled / installed packages. The line is more blurry in nix than other distributions, but it's still relevant.

grahamc commented 7 years ago

Yes, I think that should be a separate issue. :)

vcunat commented 7 years ago

And the use case is not to update unless your system is (potentially) vulnerable, I guess?

The problem there is that you currently can't know from the binaries themselves (in general), as e.g. applying a patch isn't observable in the name-version tuple. @domenkozar once suggested we added some files describing fixed CVEs in each binary path, but I can't see that in open tickets anymore and I don't remember why exactly it wasn't pursued in the end.

I personally believe that if you're on the level that you care for vulnerabilities of your binaries, you want to track the nix-sources for them as well (and the configuration), as it's just practical in multiple ways.

vcunat commented 7 years ago

Found the thread I meant: https://github.com/NixOS/nixpkgs/issues/15660

grahamc commented 7 years ago

👆 🎉 🥂 😮 👍 🥇 💯 So thrilling that this took less than a year to close.

dckc commented 7 years ago

Very satisfying indeed.

Great work, everybody!