Vulnerability Roundup 10 #20647
Comments
PHP and wireshark were updated recently to fix the mentioned issues. Patch for #706735 is in Linux kernel 4.8.10 (which we already have), but it looks like the other issue isn't patched yet.
Oh hrm, I already marked the kernel as done. Unchecked 706735. (I marked it done b/c we had all the up-to-date kernels, which is how I usually approach those.) Qemu looks like we need an additional patch for
I'm building qemu right now with the patch for CVE-2016-7907.
A bit occupied atm, will get to these as soon as I can; it can take a while. Since this is my first, it may take some time for me to familiarize myself with the process. Also @grahamc, Edit: NixOS/security#1 (first PR! yayyy :P)
According to https://security-tracker.debian.org/tracker/CVE-2016-8862, the graphicsmagick issue here is due to a bad patch for another CVE.
Libarchive needs an update; I have it staged here: #20668
Gnuchess in the rollup.
w3m in the rollup.
krb5 was an old announcement we already patched against.
Mongodb needs updating to .11, about to push a patch to my rollup.
I was mistaken, our version is not impacted by the mongodb issue reported.
The Akonadi issue appears to be configuration related on Debian.
@fpletz I just pushed your qemu patch to my roundup branch, and will backport it as well.
Updated libtiff to 4.0.7, which fixed all our patches + some more CVEs.
Good work guys. Sorry, I could not be of any help this time around...
That is OK, @NeQuissimus :) Can you check in to the kernel thing?
That CVE was fixed in 4.8.7 (https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.7) and 4.4.31 (https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.31), respectively. We are good on both 4.8.x and 4.4.x kernels.
graphicsmagick seems to be fine.
@grahamc I did the gstreamer update to 1.10.1 due to the security issues in 7a6185d but didn't backport it yet because I wasn't sure if it breaks anything. I did some testing but didn't have the time to build every dependency. The changelog doesn't mention any breaking or incompatible changes, though, just additions to the API. The note about packaging is not relevant for us because we don't have architecture-independent expressions. So this might actually be quite safe.
All done. Good work, everyone!
https://abi-laboratory.pro/tracker/ thinks the gstreamer update is safe API+ABI-wise.
This is a special roundup!
This is also special because it is the first time the tooling I've written can be open source, AND LWN has given me written permission to be using their database for this purpose. This tooling now lives at https://github.com/NixOS/security.
Here are all the vulnerabilities from https://lwn.net/Vulnerabilities since our last roundup.
cc: @FRidh, @fpletz, @NeQuissimus, and @phanimahesh.
Note: The list of people CC'd on this issue participated in the last
roundup. If you participate on this roundup, I'll cc you on the next
one. If you don't participate in the next one, you won't be CC'd on
the one after that. If you would like to be CC'd on the next roundup,
add a comment to the most recent vulnerability roundup. If you
would like to be CC'd on all roundups, leave a comment and tell
@grahamc so.
Permanent CC's: @joepie91, @NixOS/security-notifications
(if you no longer want to be CC'd, ask to be removed from this list)
Notes on the list:
- isn't perfect, but is intended to help identify if a whole group of reports is resolved already. For example, there are sometimes problems that impact thunderbird and firefox. LWN might report in one vulnerability "thunderbird firefox". These names have been split to make sure both packages get addressed.
- a Github search by filename. These are to help, but may not return results when we do in fact package the software. If a search doesn't turn anything up, please try altering the search criteria or looking in nixpkgs manually before asserting we don't have it.
Instructions:
- vulnerable, tick the box or add a comment with the report number, stating it isn't vulnerable.
- either leave a comment on this issue saying so, or even open a pull request with the fix. If you open a PR, make sure to tag this issue so we can coordinate.
"Triaged and Resolved Issues" details block below.
Upon Completion ...
reformat one last time
summary.
Without further ado...
Assorted (23 issues)
#706586 (search, files) gst-plugins-bad0.10: code execution
#706842 (search, files) gst-plugins-bad: code execution
#706851 (search, files) graphicsmagick: denial of service
#706582 (search, files) akonadi: denial of service
#706577 (search, files) atomic-openshift: redirect network traffic
#706846 (search, files) libtiff: multiple vulnerabilities
#707046 (search, files) qemu: denial of service
#707037 (search, files) ipsilon: information leak/denial of service
#663078 (search, files) krb5: multiple vulnerabilities
#638448 (search, files) mongodb: denial of service
#707043 (search, files) sniffit: privilege escalation
#707040 (search, files) w3m: multiple vulnerabilities
#706844 (search, files) gnuchess: code execution
#706588 (search, files) libarchive: unspecified
#635283 (search, files) libuv: privilege escalation
#706852 (search, files) otrs: code execution
#707038 (search, files) drupal: multiple vulnerabilities
#706734 (search, files) firefox: timing side channel
#707045 (search, files) moodle: multiple vulnerabilities
#706581 (search, files) nss, nss-util: two vulnerabilities
#706581 (search, files) nss, nss-util: two vulnerabilities
#707039 (search, files) php: code execution
#706848 (search, files) wireshark: multiple vulnerabilities

drupal7 (2 issues)
#707041 (search, files) drupal7: URL injection
#706841 (search, files) drupal: multiple vulnerabilities

firefox (3 issues)
#707047 (search, files) mozilla: code execution
#706580 (search, files) firefox: multiple vulnerabilities
#706731 (search, files) firefox: multiple vulnerabilities

kernel (2 issues)
#706735 (search, files) kernel: denial of service
#707044 (search, files) kernel: denial of service