Vulnerability Roundup 10 #20647
Comments
|
PHP and wireshark were updated recently to fix the mentioned issues. Patch for #706735 is in Linux kernel 4.8.10 (which we already have) but looks like the other issue isn't patched already. |
|
Oh hrm I already marked the kernel as done. Unchecked 706735. (I marked it done b/c we had all the up to date kernels, is how I usually approach those.) Qemu looks like we need an additional patch for |
|
I'm building qemu right now with the patch for CVE-2016-7907. 😉 |
|
A bit occupied atm, will get to these as soon as I can, can take a while. Since this is my first, it may take some time for me to familiarize myself with the process. Also @grahamc, Edit: NixOS/security#1 (first pr! yayyy :P) |
|
According to https://security-tracker.debian.org/tracker/CVE-2016-8862, the graphicsmagick issue here is due to a bad patch for another CVE. |
|
Libarchive needs an update, have it staged here: #20668 |
|
Gnuchess in the rollup. |
|
w3m in the rollup. |
|
krb5 was an old announcement we already patched against. |
|
Mongodb needs updating to .11, about to push a patch to my rollup. |
|
I was mistaken, our version is not impacted by the mongodb issue reported. |
|
The Akonadi issue appears to be configuration related on debian. |
|
@fpletz I just pushed your qemu patch to my roundup branch, and will backport it as well. |
|
Updated libtiff to 4.0.7 which fixed all our patches + some more CVEs. |
|
Good work guys. Sorry, I could not be of any help this time around... |
|
That is OK, @NeQuissimus :) can you check in to the kernel thing? |
|
That CVE was fixed in 4.8.7 (https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.7) and 4.4.31 (https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.31), respectively. We are good on both 4.8.x and 4.4.x kernels. |
|
graphicsmagick seems to be fine. |
|
@grahamc I did the gstreamer update to 1.10.1 due to the security issues in 7a6185d but didn't backport it yet because I wasn't sure if it breaks anything. I did some testing but didn't have the time to build every dependency. The changelog doesn't mention any breaking or incompatible changes, though, just additions to the API. The note about packaging is not relevant for us because we don't have architecture-independent expressions. So this might actually be quite safe. 👍 |
|
All done. Good work, everyone! |
|
https://abi-laboratory.pro/tracker/ thinks the gstreamer update is safe API+ABI-wise. |
cc NixOS#20647 (cherry picked from commit 336bacf)
This is a special roundup!
This is also special because it is the first time the tooling I've written can be open source, AND LWN has given me written permission to be using their database for this purpose. This tooling now lives at https://github.com/NixOS/security.
Here are all the vulnerabilities from https://lwn.net/Vulnerabilities
since our last roundup.
cc: @FRidh, @fpletz, @NeQuissimus, and @phanimahesh.
Note: The list of people CC'd on this issue participated in the last
roundup. If you participate on this roundup, I'll cc you on the next
one. If you don't participate in the next one, you won't be CC'd on
the one after that. If you would like to be CC'd on the next roundup,
add a comment to the most recent vulnerability roundup. If you
would like to be CC'd on all roundups, leave a comment and tell
@grahamc so.
Permanent CC's: @joepie91, @NixOS/security-notifications
(if you no longer want to be CC'd, ask to be removed from this list)
Notes on the list
isn't perfect, but is intended to help identify if a whole group
of reports is resolved already.
For example, there are sometimes problems that impact thunderbird,
and firefox. LWN might report in one vulnerability "thunderbird
firefox". These names have been split to make sure both packages get
addressed.
a Github search by filename. These are to help, but may not return
results when we do in fact package the software. If a search
doesn't turn up, please try altering the search criteria or
looking in nixpkgs manually before asserting we don't have it.
Instructions:
vulnerable, tick the box or add a comment with the report number,
stating it isn't vulnerable.
either leave a comment on this issue saying so, even open a pull
request with the fix. If you open a PR, make sure to tag this
issue so we can coordinate.
"Triaged and Resolved Issues"
detailsblock below.Upon Completion ...
reformatone last timesummary.
Without further ado...
Assorted (23 issues)
#706586(search, files) gst-plugins-bad0.10: code execution#706842(search, files) gst-plugins-bad: code execution#706851(search, files) graphicsmagick: denial of service#706582(search, files) akonadi: denial of service#706577(search, files) atomic-openshift: redirect network traffic#706846(search, files) libtiff: multiple vulnerabilities#707046(search, files) qemu: denial of service#707037(search, files) ipsilon: information leak/denial of service#663078(search, files) krb5: multiple vulnerabilities#638448(search, files) mongodb: denial of service#707043(search, files) sniffit: privilege escalation#707040(search, files) w3m: multiple vulnerabilities#706844(search, files) gnuchess: code execution#706588(search, files) libarchive: unspecified#635283(search, files) libuv: privilege escalation#706852(search, files) otrs: code execution#707038(search, files) drupal: multiple vulnerabilities#706734(search, files) firefox: timing side channel#707045(search, files) moodle: multiple vulnerabilities#706581(search, files) nss, nss-util: two vulnerabilities#706581(search, files) nss, nss-util: two vulnerabilities#707039(search, files) php: code execution#706848(search, files) wireshark: multiple vulnerabilitiesdrupal7 (2 issues)
#707041(search, files) drupal7: URL injection#706841(search, files) drupal: multiple vulnerabilitiesfirefox (3 issues)
#707047(search, files) mozilla: code execution#706580(search, files) firefox: multiple vulnerabilities#706731(search, files) firefox: multiple vulnerabilitieskernel (2 issues)
#706735(search, files) kernel: denial of service#707044(search, files) kernel: denial of serviceThe text was updated successfully, but these errors were encountered: