openssl: fix CVE-2016-2177 #17928
openssl: fix CVE-2016-2177 #17928
Conversation
|
@rasendubi, thanks for your PR! By analyzing the annotation information on this pull request, we identified @edolstra, @dezgeg and @nathan7 to be potential reviewers |
|
This issue has a very low priority upstream. Even Debian and Red Hat (who don't have the rebuild all dependent packages) didn't update their openssl packages for this issue. See https://bugzilla.redhat.com/show_bug.cgi?id=1341705 & https://security-tracker.debian.org/tracker/CVE-2016-2177. So 👎 from me. |
| @@ -8,7 +8,7 @@ let | |||
| opensslCrossSystem = stdenv.cross.openssl.system or | |||
| (throw "openssl needs its platform name cross building"); | |||
|
|
|||
| common = { version, sha256 }: stdenv.mkDerivation rec { | |||
| common = args@{ version, sha256, patches ? [] }: stdenv.mkDerivation rec { | |||
There was a problem hiding this comment.
Why the args@? You can references the patches via patches instead of args.patches.
There was a problem hiding this comment.
Because it's rec and referencing as patches will produce infinite recursion.
|
We can merge this into |
|
Has this been merged in to staging? |
|
@grahamc it hasn't |
(cherry picked from commit 801692c)
|
Now in staging and 16.03. |
|
Why was this backported to 16.03 if it's low impact (see #17928 (comment))? |
|
I didn't understand low priority as not worth fixing/cherry-picking. |
|
I think this issue can be closed, since it is good as done? |
(cherry picked from commit 801692c)
Things done
(nix.useChroot on NixOS,
or option
build-use-chrootinnix.confon non-NixOS)
nix-shell -p nox --run "nox-review wip"./result/bin/)Note we can't use
fetchpatchbecause that leads to cyclic dependency.