how to subscribe to security advisory notices for nixpkgs / nixos?

[dckc]

tl;dr: I suggest an issue label or combination of labels dedicated to security advisories (vulnerabilities and updates / patches).

Describe your issue here

Nix is great, and as I use it more for hobby stuff, I'm thinking about using it at work (KUMC medical informatics) where we safeguard research data about a large collection of patients.

We have a few dozen linux servers; SLES in particular. We regularly apply SLES updates, so we get those updates whether we read their SUSE Update Advisories or not. For stuff we install on top of that, our general policy is to subscribe to security notices directly. For example:

• Oracle Critical Patch Updates, Security Alerts and Third Party Bulletin esp. JDK/JRE updates
• Apache Security Updates

I have been looking for something similar for nix packages. I sort of expected to see something on/near NixOS support, but no joy. Then I stumbled across the issues with the 1.severity: security label.

Stuff like #12437 on ffmpeg and #13506 on openssl are exactly what I'm looking for. But #7220 also bears that label, and it's more of a wide-ranging design discussion, not a particular vulnerability or update. It would work for me to filter out the "0.kind: enhancement" label or add "9.needs: package (update)" as a constraint, provided that emerges as the norm among the nix maintainers. An explicit link from NixOS support would be most helpful.

For reference, when I asked for reference information on the current list of labels, I learned about the NixOS/Nixpkgs repository labels thread.

For inspiration, a few more lists I found while researching this request:

• Debian security advisories
• Node.js security updates

It seems conventional to document "how to report security issues" on the same page.

Expected result

A security update policy on/near NixOS support.

Actual result

No clear security update norms.

Steps to reproduce

Look at NixOS support and pages nearby.

[domenkozar]

Agreed - I will propose the priority for 16.09 release should be security updates tooling and advisories.

[dckc]

I found a relevant nifty blog item; it even cites this issue. I suppose it's worth closing the loop:

• Introducing vulnix – a vulnerability scanner for NixOS May 20, 2016 by Maksim Bronsky

[grahamc]

Here are some security announcements. :)

The following issues have been resolved in NixOS in unstable and 16.09. They remain potentially open on 16.03 and older. They will be released to 16.09 and unstable channels once Hydra's tested job passes for each channel.

Fixes from September 22 (#18856)

• Tomcat: 7.0.70 -> 7.0.72 for CVE (HTTPoxy) #18859 Tomcat 7.0.70 -> 7.0.72
• php5: 5.6.25 -> 5.6.26 for CVEs #18860 php5: 5.6.25 -> 5.6.26
• nginxMainline: 1.11.3 -> 1.11.4 #18874 nginxMainline: 1.11.3 -> 1.11.4
• openjdk7: 1.7.0-91 -> 1.7.0-111 #18875 openjdk7: 1.7.0-91 -> 1.7.0-111
• openvpn: 2.3.11 -> 2.3.12 #18877 openvpn: 2.3.11 -> 2.3.12
• Drop JDK 1.6 and 1.7 #18878 Drop JDK 1.6 and 1.7
• curl: 7.50.1 -> 7.50.3 #18879 curl: 7.50.1 -> 7.50.3
• bind: 9.10.4 -> 9.10.4-P2 #18880 bind: 9.10.4 -> 9.10.4-P2
• mariadb: 10.1.16 -> 10.1.17 #18882 mariadb: 10.1.16 -> 10.1.17
• mysql55: 5.5.50 -> 5.5.52 #18884 mysql55: 5.5.50 -> 5.5.52
• ikiwiki: 3.20150614 -> 3.20160905 #18899 ikiwiki: 3.20150614 -> 3.20160905
• mailman: 2.1.18 -> 2.1.23 #18900 mailman: 2.1.18 -> 2.1.23
• as31: Apply Debian patch for CVE-2012-0808 #18904 as31: Apply Debian patch for CVE-2012-0808
• ffmpeg: 2.8.7 -> 2.8.8 #18905 ffmpeg: 2.8.7 -> 2.8.8
• jq: Fix CVE-2015-8863 and CVE-2016-4074 #18908 jq: Fix CVE-2015-8863 and CVE-2016-4074
• fc0f3eb / 55a1fb1 jansson: 2.7 -> 2.8
• flex: 2.6.0 -> 2.6.1 #18909 flex: 2.6.0 -> 2.6.1
• lighttpd: 1.4.40 -> 1.4.41 #18910 lighttpd: 1.4.40 -> 1.4.41
• monit: 5.10 -> 5.19.0 #18916 monit: 5.10 -> 5.19.0
• fcgi: Patch to protect against stack smashing #18919 fcgi: Patch to protect against stack smashing
• Spice: Upgrade all the spice packages #18921 Spice: Upgrade all the spice packages
• giflib: 5.1.0 -> 5.1.4 #18911 giflib: 5.1.0 -> 5.1.4
• davfs2: 1.5.2 -> 1.5.3 #18923 davfs2: 1.5.2 -> 1.5.3
• mysql_jdbc: 5.1.38 -> 5.1.39 #18924 mysql_jdbc: 5.1.38 -> 5.1.39
• nettle: 3.1.1 -> 3.2 #18925 nettle: 3.1.1 -> 3.2
• fa6c6da / e891f0d imagemagick: 6.9.5-2 -> 6.9.5-10
• owncloud: update minor versions, init 9.1.1 #18927 owncloud: update minor versions, init 9.1.1
• 6244be2 / a6f5863 pcre: 8.38 -> 8.39
• libupnp: 1.6.19 -> 1.6.20 for CVE-2016-6255 #18931 libupnp: 1.6.19 -> 1.6.20 for CVE-2016-6255
• ee8fed4 / 142ee90 librsvg: 2.40.9 -> 2.40.16
• 072917e / 0ce6bbd chromium: update to latest channel releases
• busybox: 1.23.2 -> 1.24.2 #18943 busybox: 1.23.2 -> 1.24.2
• openjpeg: 2.1.0 -> 2.1.1 for critical bugfixes and no ABI break #18949 openjpeg: 2.1.0 -> 2.1.1 for critical bugfixes and no ABI break
• lcms: fix cve-2013-4276 #18951 lcms: fix cve-2013-4276
• Update qemu (build without stack protection) #18954 / qemu: 2.6.1 -> 2.7.0 for CVEs #18959 Update qemu (build without stack protection)
• webkitgtk: 2.12.4 -> 2.12.5 #18965 webkitgtk: 2.12.4 -> 2.12.5
• file-roller: 3.20.2 -> 3.20.3 #18966 file-roller: 3.20.2 -> 3.20.3
• mplayer: 1.1.1 -> 1.3.0 #18967 mplayer: 1.1.1 -> 1.3.0
• libdwarf: 20121130 -> 20160613 #18968 libdwarf: 20121130 -> 20160613
• jdkdistro: remove oraclejdk6, not maintained anymore #18975 jdkdistro: remove oraclejdk6, not maintained anymore
• wordpress: 4.3.1 -> 4.6.1 + add a test #18989 wordpress: 4.3.1 -> 4.6.1 + add a test
• mediawiki: 1.23.13 -> 1.27.1 #18994 mediawiki: 1.23.13 -> 1.27.1
• firebird: 2.5.2.26540-0 -> 2.5.6.27020-0 #18996 firebird: 2.5.2.26540-0 -> 2.5.6.27020-0
• apache-httpd: adding subservice moodle #6962 apache-httpd: adding subservice moodle
• librsvg: 2.40.9 -> 2.40.16 (WIP) #16735 librsvg: 2.40.9 -> 2.40.16 (WIP)
• jasper: Apply patches for CVES #19007 jasper: Apply patches for CVES
• b5ab13a / 9ae2d38 pidgin: 2.10.11 -> 2.11.0
• d5adf2c / da5eb83 dhcp: 4.3.3 -> 4.3.4
• grahamc@527ec17 / 7767b18 moodle: mark as broken
• 851efbb mesos: mark as broken
• 1484177 openstack-neutron: mark as broken
• f90e982 redmine: mark as broken
• 41fbcc2 cryptopp: mark as broken
• 655017d asterisk: mark as broken

Fixes from September 29 (#19075)

• e452ef5 / 4c0b07c freerdp: Mark stable as broken

Fixes from October 5 (#19253)

• 8b09ba3 Systemd fixes
• openjpeg: 2.1.1 -> 2.1.2 for CVE-2016-7163 #19275 openjpeg: 2.1.1 -> 2.1.2 for CVE-2016-7163
• bash: fix CVE-2016-7543 in 16.09 #19274 bash: fix CVE-2016-7543 in 16.09
• c-ares: 1.10.0 -> 1.12.0 for CVE-2016-5180 #19276 c-ares: 1.10.0 -> 1.12.0 for CVE-2016-5180
• openssh: apply patch to fix NEWKEYS null pointer deref #19297 openssh: apply patch to fix NEWKEYS null pointer deref

Fixes from October 12 (#19481)

• f755299 / 53612bb xorg: security fixes
• Nodejs: Upgrades for security patches #19510 Nodejs: Upgrades for security patches
• mujs: 2016-02-22 -> 2016-09-21 #19511 mujs: 2016-02-22 -> 2016-09-21
• imagemagick: 6.9.5-10 -> 6.9.6-2 for CVEs (and other fixing from the subsequent breakage.) #19507 imagemagick: 6.9.5-10 -> 6.9.6-2 for CVEs (and other fixing from the subsequent breakage.)
• 4771ccd / 9711bb0 graphicsmagick: apply patches to fix security issues
• xen: 4.5.2 -> 4.5.5, drop old versions #19558 xen: 4.5.2 -> 4.5.5, drop old versions

[grahamc]

Fix from this morning, October 18, to be released to 16.09 and unstable once hydra builds:

• tor: 0.2.8.8 -> 0.2.8.9 #19634 Fixes a security hole that could be exploited for a denial of service attack against a tor client, relay, hidden service, or authority. Details at https://trac.torproject.org/projects/tor/ticket/20384.

[grahamc]

Fixes from October 19 (#19678), to be released to 16.09 and unstable once hydra builds:

• mpg123: 1.22.2 -> 1.23.8 for CVE-2016-1000247 #19679 mpg123: 1.22.2 -> 1.23.8 for CVE-2016-1000247
• guile: 2.0.12 -> 2.0.13 (for CVE) #19614 guile: 2.0.12 -> 2.0.13 (for CVE)
• ghostscript: 9.18 -> 9.20 for multiple CVEs #19681 ghostscript: 9.18 -> 9.20 for multiple CVEs
• dbus: 1.10.10 -> 1.10.12 for CVE-2015-0245 #19682 dbus: 1.10.10 -> 1.10.12 for CVE-2015-0245
• ffmpeg: 3.1.3 -> 3.1.4 #19683 ffmpeg: 3.1.3 -> 3.1.4
• nsd: 4.1.12 -> 4.1.13 for CVE-2016-6173 #19685 nsd: 4.1.12 -> 4.1.13 for CVE-2016-6173
• quagga: 1.0.20160315 -> 1.0.20161017 for CVE-2016-1245 #19687 quagga: 1.0.20160315 -> 1.0.20161017 for CVE-2016-1245
• tracker: 1.8.0 -> 1.10.1 (16.09) #19702 tracker: 1.8.0 -> 1.10.1 (16.09)
• oraclejdk: 8u101/102 -> 8u111/112 #19707 oraclejdk: 8u101/102 -> 8u111/112
• mysql: 5.5.52 -> 5.5.53 #19708 mysql: 5.5.52 -> 5.5.53
• mysql: 5.7.15 -> 5.7.16 #19709 mysql: 5.7.15 -> 5.7.16
• libtiff: patch for many CVEs #19710 libtiff: patch for many CVEs
• pythonPackages.suds: mark as broken in 58e46e2 / 7145fec.

On master only, upgrading KDE: 9cd8b4e but a proposed upgrade for KDE in 16.09: #19706

Chromium has an outstanding issue (https://lwn.net/Vulnerabilities/703767/) without any solution yet.

Note, if you'd like to help on the next week's hunt please add a comment to issue #19678 :)

[grahamc]

Fixes from October 20 to be released to 16.09 and unstable once hydra builds:

• openssh: Patch CVE-2016-8858 #19730 openssh: Patch CVE-2016-8858

[grahamc]

@domenkozar it strikes me we could address the problem reported on this issue by:

1. linking to the comments on this issue :)
2. putting these notices elsewhere, and linking to that ...

I can post these notices anywhere. Some thoughts on where:

• a separate github repository where issues are alerts, people can "watch" the repo for notifications.
• an RSS feed (could be consumed by the homepage)
• a JSON document (?) (could also be consumed by the homepage or something like that)
• a special email list ?
• literally anywhere else. I don't need to be posting to this issue, and could post anywhere (as long as it is easy.)
• here. People can click "Subscribe" and get notified.

[aneeshusa]

I don't think reusing a single issue thread will scale well. Keeping in mind #14819 (comment), IMO a RSS feed would be best; the RSS feed could be backed/generated from another system if wanted as well (e.g. a git repo).

[groxxda]

Every time https://github.com/NixOS/nixpkgs-channels is updated, the HEAD commit could be tagged as a release with an automatically generated release message from the the commit messages. Maybe grepping for CVE strings or something similar.. git-notes may also work..
That would give us the RSS feed.

[grahamc]

FWIW I'd rather avoid trying to be too automatic about it, or steeping this discussion in technical implementation details. As it stands now the process of generating the advisories is pretty trivial, especially in comparison to the effort in actually researching and applying the patches.

[grahamc]

Update, October 20: Privilege escalation vulnerability in the All Linux Kernels

Kernel updates in master and 16.09 include patches for CVE-2016-5195 (DirtyCow -- https://dirtycow.ninja/) https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails

The hydra job for 16.09 (https://hydra.nixos.org/build/42415618) passed the tested job, and should be available through the channels soon. Versions at or after 2eac61e include the upgraded kernels. Any version before this is insecure. At time of writing the stable channel is at b8ede35, which is insecure. I will update when the channel update happens.

[grahamc]

Cross-posted from nix-dev:

---

Hello Nixers,

All Linux kernels since 2.6.22 have been vulnerable to a privilege escalation bug.

Please upgrade immediately.

This issue was discovered and patched on October 18. The fix was released yesterday, and the 16.09 channel now includes the fix for the following kernels:

• linuxPackages: 4.4.25 -> 4.4.26 (0b20f6d)
• linuxPackages_4_7: 4.7.8 -> 4.7.9 (7e5cfb7)
• linuxPackages_latest: 4.8.2 -> 4.8.3 (0ed0d08)

When updating please ensure you have nixos-16.09.819.31c72ce or newer. The previous version (nixos-16.09.773.b8ede35 and older) do not include these patches.

For unstable, only unstable-small has the patches:

• linuxPackages: 4.4.25 -> 4.4.26 (NixOS/nixpkgs-channels@76a57d8)
• linuxPackages_4_7: 4.7.8 -> 4.7.9 (NixOS/nixpkgs-channels@fabfb0a)
• linuxPackages_latest: 4.8.2 -> 4.8.3 (NixOS/nixpkgs-channels@0c3e521)

Standard unstable will move forward when all tests have passed.

All other kernels available in NixOS 16.09 and Unstable are vulnerable and have not yet received patches.

This includes:

• linuxPackages_mptcp
• linuxPackages_rpi
• linuxPackages_3_10
• linuxPackages_3_10_tuxonice
• linuxPackages_3_12
• linuxPackages_3_18
• linuxPackages_4_1
• linuxPackages_testing

More information can be had at https://dirtycow.ninja/

Also included in this channel update are several fixes found in the latest vulnerability hunt. See:

• Vulnerability Roundup 5 #19678
• how to subscribe to security advisory notices for nixpkgs / nixos? #13515 (comment)
• how to subscribe to security advisory notices for nixpkgs / nixos? #13515 (comment)
• how to subscribe to security advisory notices for nixpkgs / nixos? #13515 (comment)

If you would like to help with future hunts and patches, please leave a comment on #19678 and I'll make sure to ping you.

Thank you,
Graham

[dckc]

So the way to subscribe to security notices is to subscribe to this ticket?

If so, please update NixOS support or something nearby.

[grahamc]

@dckc I don't think this ticket is official designated The Way to do it. I've been doing it as a stop-gap. Note my question (#13515 (comment)) about where should we do it long term.

[grahamc]

Update, October 22: Kernel buffer overflow patched. Not sure of severity.

@NeQuissimus has upgraded our Linux kernels to the latest versions released today.

attribute	was	now	16.09	unstable	changelog
linuxPackages_latest	4.8.3	4.8.4	ceb1d53	a3989b8	https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.4
linuxPackages_4_7	4.7.9	4.7.10	c9d6691	72d91f9	https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.10
linuxPackages	4.4.26	4.4.27	9204784	aa74246	https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.27

PS: @NeQuissimus has been an incredible help on keeping our kernels up to date lately. Thank you!

[grahamc]

Security fixes from 2016-10-26 01:54 UTC

The following issues have been resolved in NixOS in unstable and
release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when
Hydra finishes building the "tested" job for each channel:

• https://hydra.nixos.org/job/nixos/release-16.09/tested
• https://hydra.nixos.org/job/nixos/trunk-combined/tested

master	release-16.09	Message	Notes
5440c1a	2bc7ca7	grsecurity: 4.7.9-201610200819 -> 4.7.10-201610222037	Fixes dirtycow (please upgrade! now in the channel!)
e99a810	cadc55f	gnutls: 3.3.24 -> 3.3.25	GNUTLS-SA-2016-3 / CVE-2016-7444 (https://www.gnutls.org/security.html) -- not available yet
b3f7d62	27b37f1	kernel: remove 4.7	4.7 is now EOL (now in the channel!)

[grahamc]

Security fixes from 2016-10-27 12:50 UTC

The following issues have been resolved in NixOS in unstable and
release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when
Hydra finishes building the "tested" job for each channel:

• https://hydra.nixos.org/job/nixos/release-16.09/tested
• https://hydra.nixos.org/job/nixos/trunk-combined/tested

master	release-16.09	Subject	Notes
d19b53f	4f01250	flashplayer: 11.2.202.637 -> 11.2.202.643	Critical security flaw: https://helpx.adobe.com/security/products/flash-player/apsb16-36.html
e477381	74b319b	kernel: 3.10.103 -> 3.10.104	Includes fixes for DirtyCow
e5e84ec	9f3371b	kernel: 3.12.63 -> 3.12.66	Includes fixes for DirtyCow
b02646f	a43f80a	kernel: 3.18.42 -> 3.18.44	Includes fixes for DirtyCow
89cd922	ebed0ac	kernel: 4.1.33 -> 4.1.35	Includes fixes for DirtyCow
e5ad26e	59c8691	libdwarf: 20161001 -> 20161021 for CVE-2016-8679	n/a
65a6484	cc5f0af	libgit2: 0.24.1 -> 0.24.2 for CVE-2016-8568, CVE-2016-8569	n/a
0f7ac8b	b24ae45	openslp: patch for CVE-2016-7567	n/a
69e8bac	8c6ee84	virtualbox: 5.1.6 -> 5.1.8 for many CVEs:	n/a

There are additional patches waiting to land:

• openjdk: 8u122-03 -> 8u122-04 #19877 OpenJDK, in master, working to land in 16.09
• kernel: 4.9-rc1 -> 4.9-rc2 #19891 linux_testing, in master, working to land in 16.09
• Epiphany #19917 Epiphany and WebkitGTK 2.14.1 update, not yet merged
• chromium: 53 -> 54 #19565 Chromium: We're still running an out of date version, and are working on fixing the build system.

I'll provide an update when these stragglers are complete.

Thank you,
Graham

PS: If you would like to help with future hunts and patches, please leave a comment on #19884 and I'll make sure to ping you.

[grahamc]

Security advisories from 2016-10-27 22:37 UTC

The following issues have been resolved in NixOS in unstable and
release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when
Hydra finishes building the "tested" job for each channel:

• https://hydra.nixos.org/job/nixos/release-16.09/tested
• https://hydra.nixos.org/job/nixos/trunk-combined/tested

master	release-16.09	Subject	Notes
070ff88	06a9a09	openjdk: 8u122-03 -> 8u122-04	n/a
e9a5cf3	e9a5cf3	kernel: 4.9-rc1 -> 4.9-rc2	Patches for DirtyCow
354811f	eef176f	webkitgtk214x: 2.14.0 -> 2.14.1	(backported the creation of 2.14 for Epiphany, which now requires it.)
3e18f4b	5b08a40	epiphany: 3.20.3 -> 3.20.4	n/a

With the exception of Chromium (#19565) this closes out #19884.

Thank you,
Graham

PS: If you would like to help with future hunts and patches, please leave a comment on #19884 and I'll make sure to ping you.

Update: 16.09's channel has moved forward and nixos-16.09.877.5b08a40 includes all the patches.

[grahamc]

Security advisories from 2016-11-05 01:12 UTC

The following issues have been resolved in NixOS in unstable and
release-16.09. They remain potentially vulnerable on older major releases.

These patches will be released to the unstable and release-16.09 channels when
Hydra finishes building the "tested" job for each channel:

• https://hydra.nixos.org/job/nixos/release-16.09/tested
• https://hydra.nixos.org/job/nixos/trunk-combined/tested

master	release-16.09	Subject	Notes
2b2f273	826a5d7	cairo: add patch to fix CVE-2016-9082	n/a
1e1609d	55dfafa	curl: 7.50.3 -> 7.51.0	11 serious CVEs
a7d35fd	a64e926	gitlab: 8.12.6 -> 8.12.8, fix CVE-2016-9086	n/a
04db88d	eb653d9	graphicsmagick: add patches to fix 3 CVEs	n/a
dfdaea1	6189145	grsecurity: 4.7.10-201610222037 -> 201610262029	n/a
874abe6	4e17529	linux: 4.8.5 -> 4.8.6	n/a
a94bd88	a29900e	memcached: 1.4.20 -> 1.4.33	n/a
af01fa7	3f6c9cc	nixos.libvirtd: fix broken VMs due to emulator path changes	n/a
68f2bc8	f33c5f7	perl-Image-Info: 1.38 -> 1.39	n/a
b806e14	74b91a8	pythonPackages.django_1_8: 1.8.15 -> 1.8.16	n/a
58ad105	abfb2e5	pythonPackages.django_1_9: 1.9.10 -> 1.9.11	n/a
25c0193	924230d	qemu: add patches to fix lots of CVEs	n/a
9db03c1	fc67ecc	thunderbird: 45.3.0 -> 45.4.0	n/a
cd67a0a	31ba04e	tre: add patch for CVE-2016-8859	n/a

Still outstanding is a patch for tar (difficult due to bootstrapping,) and a patch for chromium which we're testing.

P.S. Sorry for these being so late. Many of these haven't hit the stable channel yet, like the curl fixes. I'll try and shepherd these through, but am incredibly overloaded this week. Thank you to all contributors at #20078, especially @fpletz.

Note: If you'd like to participate in the next one, please leave a comment at #20078 :)

Update: These patches are available in the 16.09 channel.

[vcunat]

Note: the pciutils commit has no security implications, I believe (I authored it).

[grahamc]

Thank you, Vladimír. I thought I had removed that from the list. Sorry, my second mistake like this. I'll revisit this tooling. Graham

…

On Thu, Nov 24, 2016 at 4:04 PM Vladimír Čunát ***@***.***> wrote: Note: the pciutils commit has no security implications, I believe (I authored it). — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#13515 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAErrFMmCI7rJaLezN4ubzPCSLiort-jks5rBfvTgaJpZM4HkmLk> .

[tokudan]

This is the last announcement to be posted to this list. All future announcements will be sent to our new nix security list,

I'm probably blind... but how do you subscribe to that forum to receive the messages by email? I do not see any subscribe, join or any similar option.

[grahamc]

Hi, Sorry, obviously there has been an issue with the configuration. I will update this issue until that is resolved.i will also let everyone know when the list is fixed up. Graham

…

On Thu, Nov 24, 2016 at 6:28 PM Daniel Frank ***@***.***> wrote: This is the last announcement to be posted to this list. All future announcements will be sent to our new nix security list, I'm probably blind... but how do you subscribe to that forum to receive the messages by email? I do not see any subscribe, join or any similar option. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#13515 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAErrN_gj5d2ACCsCWOmnZdh9Jn5Ogfsks5rBh2JgaJpZM4HkmLk> .

[grahamc]

Ok everyone, here is an update:

Maybe the list was initially intended for announcing embargoed issues

No, this list is not for embargoed issues. We don't currently have this infrastructure. We are planning on working on this infrastructure in the first / second quarter of 2017.

why is the security announcements mailing list invite-only?

The list was misconfigured. We want the announce list to be announce-only and no other discussion. It is now configured to allow anyone to subscribe / join, but only certain people to send mail. For discussion about issues, I would recommend emailing nix-dev.

How do I subscribe?

• with a Google account, at https://groups.google.com/forum/#!forum/nix-security-announce
• without a Google account, I believe you can join the list without a Google account by emailing nix-security-announce+subscribe@googlegroups.com.

why is that list not hosted on the same server as the other nix-related mailing lists?

The service which hosts the other mailing list seems to not be taking
new lists. This was a problem when Rob tried to set up the list, and we
agreed using a Google group should be okay, based on these criteria:

• I made sure list archives can be viewed without a Google account.
• I made sure list archives can be searched without having a Google
• account.
• I also made sure Google groups can be subscribed to without a Google
  account.

Security Updates (cross-posted to the list)

The following issues have been resolved in NixOS in unstable and
release-16.09. They remain potentially vulnerable on older major
releases.

These patches will be released to the unstable and
release-16.09 channels when Hydra finishes building the "tested" job
for each channel:

 - https://hydra.nixos.org/job/nixos/release-16.09/tested
 - https://hydra.nixos.org/job/nixos/trunk-combined/tested

Please consider helping with the next security roundup by commenting on
https://github.com/NixOS/nixpkgs/issues/20814.


master   16.09    Message                                             Notes
---      ---      ---                                                 ---
16995fc  d573588  boehmgc: 7.2f -> 7.2g                               n/a
1e17f21  e7fc018  firefox: 50.0.1 -> 50.0.2                           n/a
b04e23b  bd39c43  firefox: 50.0 -> 5.0.1 for CVE-2016-9078            n/a
2d341ca  3bf46ba  firefox-bin: 50.0 -> 50.0.1                         n/a
36f980b  22389ae  firefox-esr: security 45.5.0 -> 45.5.1 (#20841)     n/a
18a3225  15f6c2d  linux: 3.12.67 -> 3.12.68                           n/a
5afc6b5  0dcdb9b  linux: 4.1.35 -> 4.1.36                             n/a
cc77360  c9dafb1  linux: 4.4.34 -> 4.4.35                             n/a
654f5df  33287d9  linux: 4.4.35 -> 4.4.36                             n/a
b47307b  5db1d94  linux: 4.8.10 -> 4.8.11                             n/a
853b649  2ddf554  linux: 4.8.11 -> 4.8.12                             n/a
a8eeef6  d35e2de  lxc: 2.0.4 -> 2.0.6 (security)                      n/a
a9611a5  3275b2f  mcabber: 1.0.3 -> 1.0.4 for 'roster push attack'    n/a
0707962  e6fe609  mujs: 2016-09-21 -> 2016-11-30 for multiple CVEs    n/a
5b6d52b  7fc197f  nagios: 4.0.8 -> 4.2.3                              n/a
c77011c  a9523ed  nagiosPluginsOfficial: 2.0.3 -> 2.1.4               n/a
b221fc1  d564833  nss: 3.27.1 -> 3.27.2                               n/a
e700ff6  066166b  perl-bignum: 0.43 -> 0.44                           n/a
7d09138  d8e8bb4  perlPackages.DBDmysql: 4.033 -> 4.039               n/a
390f6a9  a5ffcd2  Revert "Revert "bzip2: patch for CVE-2016-3189""    n/a
7e40e89  997c6b9  rpcbind: patch for CVE-2015-7236                    n/a
f4aab5b  4d15c98  thunderbird: 45.5.0 -> 45.5.1                       n/a
5f4b3cd  24cd670  thunderbird-bin: 45.5.0 -> 45.5.1                   n/a
eba91fa  8b7a082  tomcat6: 6.0.45 -> 6.0.48                           n/a
3d0310d  1a0f5f8  tomcat7: 7.0.72 -> 7.0.73                           n/a
42f1ae1  b036ad5  tomcat85: 8.5.5 -> 8.5.8                            n/a
80a4750  c67cec2  tomcat8: 8.0.37 -> 8.0.39                           n/a
5f78980  00fb14b  tomcatUnstable: 9.0.0.M10 -> 9.0.0.M13              n/a
75cdbf4  805022c  torbrowser: 6.0.6 -> 6.0.7                          n/a

[vcunat]

Shall we close this issue? It's relatively long and seems resolved – people now can subscribe to that list.

[grahamc]

Good question, @vcunat, but I don't think so. Here are the remaining steps:

• Publish the mailing list on the website.
• Publish GPG keys of people sending vulnerability announcements.
• Document a way to report security issues, privately
• Document our security update policy, re: unstable, stable, and older versions.

I think it should probably be a separate page on the nixos.org/nixos website. I've written up the following to this effect:

[% WRAPPER layout.tt title="NixOS Security" menu='nixos' %]

Updates:

1. Stable releases receive security updates until the next stable
release. After this point, diligent support ends and it falls in to
community support. Patches for security issues will be accepted, but
the security team generally doesn't work to continue support.
2. Unstable receives all security updates, however will sometimes be
quite behind due to being unstable.

You can subscribe to announcements at
https://groups.google.com/forum/#!forum/nix-security-announce or by
emailing emailing `nix-security-announce+subscribe@googlegroups.com
with the subject "subscribe".

These messages will be signed by a member of the security team, who
is currently comprised of the following people:

 - Graham Christensen (fingerprint: 0xfe918c3a98c1030f)

If you would like to report a security issue with NixOS, please email
any or all of these people privately. We will ensure the issue gets
handled.


[% END %]

This needs editing and formatting as HTML, and preferably someone else added to that list with a key :)

[dckc]

There's still the question of

• How can I tell if a given set of packages is vulnerable?

Perhaps I should open a separate issue about this.

The process above is largely about source code, not compiled / installed packages. The line is more blurry in nix than other distributions, but it's still relevant.

[grahamc]

Yes, I think that should be a separate issue. :)

[vcunat]

And the use case is not to update unless your system is (potentially) vulnerable, I guess?

The problem there is that you currently can't know from the binaries themselves (in general), as e.g. applying a patch isn't observable in the name-version tuple. @domenkozar once suggested we added some files describing fixed CVEs in each binary path, but I can't see that in open tickets anymore and I don't remember why exactly it wasn't pursued in the end.

I personally believe that if you're on the level that you care for vulnerabilities of your binaries, you want to track the nix-sources for them as well (and the configuration), as it's just practical in multiple ways.

[vcunat]

Found the thread I meant: #15660

[grahamc]

👆 🎉 🥂 😮 👍 🥇 💯 So thrilling that this took less than a year to close.

[dckc]

Very satisfying indeed.

Great work, everybody!

[dckc]

Hmm... the "Stable releases receive security updates ..." policy text isn't on the new security page.

There hasn't been a decision against that, has there? Some variation of it will appear in due course, yes?

[grahamc]

@dckc looks like the decision has been in place for a few years now: https://nixos.org/nixos/manual/#sec-upgrading do you think we should duplicate this policy on the security page as well? (sorry I didn't note that I found those docs here)

[dckc]

I didn't mean to refer to the issue of how far back security patches get ported but rather to the fact that there's a security update policy at all. That manual section has very little to say about security.

Perhaps it suffices to say "As noted in Upgrading NixOS, we provide security updates to stable releases."

But it would be nicer to elaborate, as in "We regularly review the LWN vulnerability list and make a best effort to see that these are addressed in stable releases of nixpkgs."

[vcunat]

There's nothing about security explicitly, so it could be more explicit, as security updates seem (currently) to be main purpose of the stable branch(es).

[vincentbernat]

The mailing list has gone silent since last year. The website only mentions this list. Is there a replacement to subscribe advisories somewhere?

[vcunat]

I see not much really, beyond what you get from the github label. Christian has stopped doing the roundups a few week ago (you can see them on that link), apparently, but the tool itself if public IIRC.

[ghuntley]

Have opened #65105. What if we used GitHub for NixOS security advisories?