search

vlaci / openconnect-sso

Wrapper script for OpenConnect supporting Azure AD (SAMLv2) authentication to Cisco SSL-VPNs
GNU General Public License v3.0
278 stars 117 forks source link

CVE-2023-32681 - outdated python3.10-requests-2.29.0 #144

Open ghostbuster91 opened 9 months ago

ghostbuster91 commented 9 months ago

Nix refuses to build openconnect-sso with provided flake due to outdated and vulnerable dependency.

building the system configuration...
error: Package ‘python3.10-requests-2.29.0’ in /nix/store/6s86padm2iikrwhlq8nwfv0lw9d1sbvq-source/pkgs/development/tools/poetry2nix/poetry2nix/pkgs/poetry/poetry.lock:0 is marked as insecure, refusing to evaluate.

       Known issues:
        - CVE-2023-32681

       You can install it anyway by allowing this package, using the
       following methods:

       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:

            $ export NIXPKGS_ALLOW_INSECURE=1

        Note: For `nix shell`, `nix build`, `nix develop` or any other Nix 2.4+
        (Flake) command, `--impure` must be passed in order to read this
        environment variable.

       b) for `nixos-rebuild` you can add ‘python3.10-requests-2.29.0’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:

            {
              nixpkgs.config.permittedInsecurePackages = [
                "python3.10-requests-2.29.0"
              ];
            }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘python3.10-requests-2.29.0’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:

            {
              permittedInsecurePackages = [
                "python3.10-requests-2.29.0"
              ];
            }
(use '--show-trace' to show detailed location information)
unode commented 9 months ago

Also python3.10-cryptography-40.0.1:

       Known issues:
        - CVE-2023-2650
        - CVE-2023-2975
        - CVE-2023-3446
        - CVE-2023-3817
        - CVE-2023-38325

       You can install it anyway by allowing this package, using the
       following methods:

       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:

            $ export NIXPKGS_ALLOW_INSECURE=1

        Note: For `nix shell`, `nix build`, `nix develop` or any other Nix 2.4+
        (Flake) command, `--impure` must be passed in order to read this
        environment variable.

       b) for `nixos-rebuild` you can add ‘python3.10-cryptography-40.0.1’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:

            {
              nixpkgs.config.permittedInsecurePackages = [
                "python3.10-cryptography-40.0.1"
              ];
            }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘python3.10-cryptography-40.0.1’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:

            {
              permittedInsecurePackages = [
                "python3.10-cryptography-40.0.1"
              ];
            }
ThinkChaos commented 8 months ago

I'm pretty sure the requests issue is actually an issue in poetry2nix since poetry.lock already uses 2.31.0 which fixes the CVE.
See https://github.com/nix-community/poetry2nix/issues/1331.

ThinkChaos commented 7 months ago

Spent a lot of my weekend on getting openconnect-sso to work with a recent NixOS and happy to say I got it done!
See #152, hopefully that can help any of you :)