NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Vulnerability Roundup 31 #33470

Closed ckauhaus closed 6 years ago

ckauhaus commented 6 years ago

Scanned nixos/release-combined.nix @ f59a0f7. Filtered out previously reported CVEs. May contain false positives.

exiv2-0.26
gedit-3.22.1
imagemagick-6.9.9-26
openjpeg-2.3.0
openssl-1.1.0g
postgresql-9.6.5
rsync-3.1.2
taglib-1.11.1
linux-4.9.73 (added manually for Meltdown)

Cc: @NixOS/security-notifications, @joepie91, @phanimahesh, @the-kenny, @7c6f434c, @k0001, @peterhoeg, @nh2, @LnL7

Contact @ckauhaus for any questions.

adisbladis commented 6 years ago

Imagemagick was fixed by https://github.com/NixOS/nixpkgs/pull/33324

adisbladis commented 6 years ago

Postgresql was fixed by https://github.com/NixOS/nixpkgs/pull/33300

adisbladis commented 6 years ago

Meltdown was fixed in 4.9.74 (https://github.com/NixOS/nixpkgs/commit/56f91dcb7b57449e171a05836b714c88e1e56f4b). Latest kernel in the 4.9 series is 4.9.75 (https://github.com/NixOS/nixpkgs/commit/19eb5d6c273d0d31ff4e3e6954d8ff2fc6f3c686).
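Deciding whether a scanned entry such as linux-4.9.73 is covered by a fix that landed in 4.9.74 depends on how Nix splits a derivation name into package name and version, and on how it orders versions (plain string comparison gets 4.9.9 vs 4.9.10 wrong). The following is an added example, not nixpkgs code and not the scanner that produced this roundup: it reimplements in Python the splitting rule of Nix's builtins.parseDrvName and the ordering rule of builtins.compareVersions as the Nix manual documents them, and is assumed to match those builtins. The sample entries are constructed from the package names listed in this issue and the fix versions named in the thread (kernel 4.9.74, OpenSSL 1.1.0h).

```python
from typing import List, Tuple

# Assumption: mirrors the semantics of Nix's builtins.parseDrvName and
# builtins.compareVersions. Added illustration, not code from nixpkgs.


def parse_drv_name(name: str) -> Tuple[str, str]:
    """Split 'pname-version' at the first dash that is not followed by a letter.

    'imagemagick-6.9.9-26' -> ('imagemagick', '6.9.9-26')
    'hello-world-1.0'      -> ('hello-world', '1.0')   (the '-w' dash is skipped)
    """
    for i, ch in enumerate(name):
        if ch == "-" and i + 1 < len(name) and not name[i + 1].isalpha():
            return name[:i], name[i + 1:]
    return name, ""


def _components(version: str) -> List[str]:
    """Tokenise a version the way Nix does: '.' and '-' separate components, and
    every switch between a digit run and a non-digit run starts a new component."""
    out: List[str] = []
    i, n = 0, len(version)
    while i < n:
        while i < n and version[i] in ".-":      # skip separators
            i += 1
        if i >= n:
            break
        j = i
        if version[i].isdigit():
            while j < n and version[j].isdigit():
                j += 1
        else:
            while j < n and not version[j].isdigit() and version[j] not in ".-":
                j += 1
        out.append(version[i:j])
        i = j
    return out


def _component_lt(c1: str, c2: str) -> bool:
    """Nix's ordering of a single component pair (empty = missing component)."""
    n1, n2 = c1.isdigit(), c2.isdigit()
    if n1 and n2:
        return int(c1) < int(c2)          # numeric components compare as integers
    if c1 == "" and n2:
        return True                       # '1.0' < '1.0.1'
    if c1 == "pre" and c2 != "pre":
        return True                       # '1.0pre' < '1.0'
    if c2 == "pre":
        return False
    if n2:
        return True                       # '2.3a' < '2.3.1'
    if n1:
        return False
    return c1 < c2                        # both non-numeric: lexicographic


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 like builtins.compareVersions."""
    a, b = _components(v1), _components(v2)
    for i in range(max(len(a), len(b))):
        c1 = a[i] if i < len(a) else ""
        c2 = b[i] if i < len(b) else ""
        if _component_lt(c1, c2):
            return -1
        if _component_lt(c2, c1):
            return 1
    return 0


def still_affected(scanned: str, fixed_in: str) -> bool:
    """True when the scanned derivation's version is older than the fix version."""
    _pname, version = parse_drv_name(scanned)
    return compare_versions(version, fixed_in) < 0


if __name__ == "__main__":
    # Constructed sample: roundup entries paired with fix versions named in the thread.
    for drv, fixed in [("linux-4.9.73", "4.9.74"), ("openssl-1.1.0g", "1.1.0h")]:
        pname, ver = parse_drv_name(drv)
        state = "still affected" if still_affected(drv, fixed) else "fixed"
        print(f"{pname} {ver}: {state} (fix in {fixed})")
```

The "first dash not followed by a letter" rule is why a name like hello-world-1.0 keeps its hyphenated package name, and the component tokeniser is why 1.1.0g sorts after 1.1.0 and before 1.1.0h; a scanner that compared versions as strings would misorder the 4.9.9 / 4.9.10 style case entirely.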

adisbladis commented 6 years ago

Taglib was fixed in https://github.com/NixOS/nixpkgs/commit/2e00e2b27667cd2da433996a5c957bb36520aa77

adisbladis commented 6 years ago

CVE-2017-3738 is considered to be low impact and will be fixed in OpenSSL 1.1.0h.

adisbladis commented 6 years ago

rsync fixed in 5e85657ba5763b496388b9820519ec99a238f613

adisbladis commented 6 years ago

Neither OpenJPEG CVE (CVE-2017-17479 & CVE-2017-17480) has upstream patches yet.

adisbladis commented 6 years ago

CVE-2017-14108 has no patch but is very low severity (DoS on crafted files).

7c6f434c commented 6 years ago

exiv2: https://github.com/Exiv2/exiv2/issues/187 — no upstream patch yet, attempts to debug the problem are ongoing.

ckauhaus commented 6 years ago

Yeah - every issue listed in the ticket has either a fix or some indication of fix (un-)availability. That was really fast. Now it's time for backports.

adisbladis commented 6 years ago

I forgot to mention I fixed the OpenSSL CVE in https://github.com/NixOS/nixpkgs/pull/33544

ckauhaus commented 6 years ago

nixos-17.09 is EOL