openssl: fix CVE-2016-2177 #17928
Conversation
@rasendubi, thanks for your PR! By analyzing the annotation information on this pull request, we identified @edolstra, @dezgeg and @nathan7 to be potential reviewers.

This issue has a very low priority upstream. Even Debian and Red Hat (who don't have to rebuild all dependent packages) didn't update their openssl packages for this issue. See https://bugzilla.redhat.com/show_bug.cgi?id=1341705 & https://security-tracker.debian.org/tracker/CVE-2016-2177. So 👎 from me.
@@ -8,7 +8,7 @@ let | |||
opensslCrossSystem = stdenv.cross.openssl.system or | |||
(throw "openssl needs its platform name cross building"); | |||
|
|||
common = { version, sha256 }: stdenv.mkDerivation rec { | |||
common = args@{ version, sha256, patches ? [] }: stdenv.mkDerivation rec { |
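Review bot: the new `args@{ version, sha256, patches ? [] }` binding on `common` deserves a one-line comment explaining why the argument set is named: the body is a `rec` attribute set, so a bare `patches` on the right-hand side of `patches = ...` resolves to the derivation's own attribute and recurses forever, which is why the argument must be read as `args.patches`. The question in the review below shows this is not obvious to readers of the file; a comment such as `# args@ is needed: inside rec, `patches` would refer to the attribute being defined` would save the next reviewer the same detour. It would also help to confirm that every existing call site of `common` still type-checks with the new optional argument, since `patches ? []` is the only new name and the default keeps the previous behaviour.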
Why the `args@`? You can reference the patches via `patches` instead of `args.patches`.
Because it's `rec` and referencing it as `patches` will produce infinite recursion.
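The recursion the reply refers to is easy to reproduce in isolation. The following is an added illustration, not code from nixpkgs or from this PR; `broken`, `fixed`, `name` and the patch filename are made up for the demonstration, and the shape of the argument set mirrors the `common` function in the hunk above without reproducing the rest of the openssl expression.

```nix
# Added example (not nixpkgs code): why `args@` is needed when a function
# argument and an attribute of a `rec` set share the name `patches`.
let
  # Broken form. Inside `rec { ... }` every attribute name is in scope for
  # every right-hand side, so the `patches` on the right refers to the
  # attribute being defined, not to the function argument. Forcing
  # (broken {}).patches aborts with "infinite recursion encountered".
  broken = { patches ? [] }: rec {
    name = "demo";
    patches = patches;
  };

  # Fixed form, as in the PR: bind the whole argument set as `args` and read
  # the argument explicitly as `args.patches`. The attribute `patches` of the
  # rec set now has a well-defined value that other attributes may use.
  fixed = args@{ patches ? [] }: rec {
    name = "demo";
    patches = args.patches;
    # Any other attribute may now refer to `patches` (the attribute) safely.
    patchCount = builtins.length patches;
  };

  # Assumed, made-up patch file name for the demonstration.
  withPatch = fixed { patches = [ ./demo-fix.patch ]; };
in
{
  # Evaluates to 1: the argument reached the derivation-style attribute set.
  count = withPatch.patchCount;
  # Evaluates to 0: the `patches ? []` default still applies when omitted.
  defaultCount = (fixed {}).patchCount;
}
```

Evaluating the set with `nix-instantiate --eval --strict` on a file containing this expression yields `{ count = 1; defaultCount = 0; }`, while replacing `fixed` with `broken` in `withPatch` and forcing `.patches` reproduces the infinite recursion the reply describes. The alternative that avoids `args@` entirely is to drop `rec` and use a `let` binding, but that would be a larger change to the existing `common` function than the PR needed.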
We can merge this into

Has this been merged in to staging?

@grahamc it hasn't
(cherry picked from commit 801692c)
Now in staging and 16.03.

Why was this backported to 16.03 if it's low impact (see #17928 (comment))?

I didn't understand low priority as not worth fixing/cherry-picking.

I think this issue can be closed, since it is good as done?
(cherry picked from commit 801692c)
Things done

- (nix.useChroot on NixOS, or option build-use-chroot in nix.conf on non-NixOS)
- nix-shell -p nox --run "nox-review wip"
- (./result/bin/)

Note we can't use fetchpatch because that leads to a cyclic dependency.