Vulnerability Roundup 21 #22549
Comments
wordpress in master is already on 4.7.2 - only earlier versions are affected. Also ok on 16.09
iio-sensor-proxy is not packaged yet. I have a branch with the software and a nixos module, but it's not merged.
Thank you! I ticked them off. Remember 17.03's branch-off is coming up, if you want to get that in to stable :)
I'm plodding through the gstreamer updates :)
w00t we had already patched jasper.
deleted moodle in 7db1f72
Kernels are good
wireshark is already on version 2.2.4 which fixes the 2 vulnerabilities. Also ok on 16.09
Currently building the derivations depending on wavpack, so don't waste your time on this. wavpack is good with #22555
tiff is just a regular bug, not a vulnerability. Also ok on 16.09
php is ok in master and 16.09
mupdf is ok in master but not OK in 16.09. I'll handle this.
@peterhoeg can you verify against stable (16.09) as well?
@grahamc - only mupdf is not ok (of the ones I looked at).
iucode-tool - we don't have it.
The fixes have been backported (not to nixpkgs), but don't we consider pdf readers (and especially those that can run javascript) critical like browsers, so they need the latest version?
Our RabbitMQ version is impacted while it is not the case for the latest one. I upgrade our rabbitmq version in #22573.
@peterhoeg For now, I'd rather apply the backported patches to 16.09 for mupdf, especially if they're being so kind as to backport patches for us :)
@codyopel, @viric, @spwhitt, @rbvermaa, would any of you like to update rtmpdump? Otherwise I'll probably mark it broken due to https://lwn.net/Vulnerabilities/713784/
@grahamc, we have another issue. Here are details: Specifically:
For emacs, if we simply only build the proper gtk UI, we should be fine and get rid of xwidgets. I don't know about the others though.
Ah,
libgd2 (gd) was already fixed.
See https://kb.isc.org/article/AA-01453. cc #22549 (cherry picked from commit da5eaa3)
The graphicsmagick CVEs are weird. They seem to rather apply to imagemagick. As OpenSUSE is generally lagging behind on security updates a bit compared to other distros and graphicsmagick has a revamped codebase, I don't think all those issues also apply to graphicsmagick and OpenSUSE made some kind of error here. In the Debian security tracker those CVEs were assigned to imagemagick and not to graphicsmagick.
From https://bugzilla.gnome.org/show_bug.cgi?id=752738: The page http://whatever.com has access to saved passwords of https://whatever.com. This was a very bad idea: it makes it easy to intercept passwords stored on secure websites, especially since we don't require any user interaction to fill in the password. No CVE has been assigned as of now. cc #22549
epiphany was fixed on master. The only relevant issue (https://bugzilla.gnome.org/show_bug.cgi?id=752738) seems to be present in 3.22.x only according to the bugtracker while we have 3.20 on 16.03. No CVE was assigned yet.
What a treat to wake up to! @peterhoeg if we drop xwidgets, will that break emacs on darwin? ( @LnL7, @copumpkin ) After 17.03 releases, we should be in much closer shape to drop 24. I don't know that there is anything we can do about this for now :( maybe either: Debian has patches in this area? GraphicsMagick / ImageMagick is always weird. The only way I can tell the difference is via version numbers being very different. I'll try and figure it out, but frequently I just go back and try and find out if we're behind in versions. epiphany: "Thanks to Hussam for reporting this bug so quickly after it was introduced" seems to suggest it might not, indeed, be present in 3.20.
Not sure about emacs. I did add
It seems unlikely that removing xwidgets would break emacs on darwin. xwidgets is for embedding other windows inside emacs, surely darwin emacs does not rely on that to function?
You're right, @joachifm -- it is an extra add-on, usually disabled by distributions.
Yes it's optional, but I don't use emacs so I'm not sure what it's used for. We also have the emacs macport I assume that's what darwin people would prefer to use if they want a graphical version.
I'm marking libplist as "fixed" for now, assuming they'll release a new version soon.
Done: So fast this time :D Thank you all, again!
Hmm, new glibc claims to fix two CVEs and I can't see any reference to those around nixpkgs, so they might be new.
Here are all the vulnerabilities from https://lwn.net/Vulnerabilities
since our last roundup.
cc: @nlewo @7c6f434c @bachp @vcunat @peterhoeg @fpletz @Szczyp @NeQuissimus @obadz @joachifm @shlevy.
Note: The list of people CC'd on this issue participated in the last
roundup. If you participate on this roundup, I'll cc you on the next
one. If you don't participate in the next one, you won't be CC'd on
the one after that. If you would like to be CC'd on the next roundup,
add a comment to the most recent vulnerability roundup.
Permanent CC's: @joepie91, @phanimahesh, @the-kenny, @7c6f434c, @k0001
@NixOS/security-notifications
If you would like to be CC'd on all roundups (or removed from the
list), open a PR editing
https://github.com/NixOS/security/blob/master/lwnvulns/src/bin/instructions.md.
Notes on the list
isn't perfect, but is intended to help identify if a whole group
of reports is resolved already.
packages. For example, there are sometimes problems that impact
thunderbird, and firefox. LWN might report in one vulnerability
"thunderbird firefox". These names have been split to make sure
both packages get addressed.
a Github search by filename. These are to help, but may not return
results when we do in fact package the software. If a search
doesn't turn up, please try altering the search criteria or
looking in nixpkgs manually before asserting we don't have it.
Instructions:
vulnerable, tick the box or add a comment with the report number,
stating it isn't vulnerable.
either leave a comment on this issue saying so, even open a pull
request with the fix. If you open a PR, make sure to tag this
issue so we can coordinate.
"Triaged and Resolved Issues"
details
block below.
Upon Completion ...
reformat
one last time
Without further ado...
Assorted (27 issues)
- #713779 (search, files) epiphany: multiple vulnerabilities
- #713883 (search, files) irssi-otr: information leak
- #713270 (search, files) libgd2: two vulnerabilities
- #713272 (search, files) libplist: two vulnerabilities
- #713565 (search, files) mupdf: three vulnerabilities
- #713426 (search, files) bzrtp: man-in-the-middle vulnerability
- #713420 (search, files) ntfs-3g: privilege escalation
- #665254 (search, files) openldap: unintended cipher usage
- #713274 (search, files) openssh: denial of service
- #713569 (search, files) phpmyadmin: multiple vulnerabilities
- #713269 (search, files) salt: two vulnerabilities
- #713771 (search, files) spice: two vulnerabilities
- #713563 (search, files) svgsalamander: server-side request forgery
- #713564 (search, files) wavpack: multiple vulnerabilities
- #713772 (search, files) gst-plugins-bad: two vulnerabilities
- #713773 (search, files) gst-plugins-base-libs: multiple vulnerabilities
- #713774 (search, files) gst-plugins-good: multiple vulnerabilities
- #713775 (search, files) gst-plugins-ugly: two vulnerabilities
- #713776 (search, files) gstreamer: denial of service
- #713782 (search, files) iio-sensor-proxy: unspecified
- #713428 (search, files) iucode-tool: code execution
- #713423 (search, files) jasper: code execution
- #713424 (search, files) moodle: multiple vulnerabilities
- #713785 (search, files) php: multiple vulnerabilities
- #713409 (search, files) rabbitmq-server: denial of service
- #713425 (search, files) wireshark: two denial of service flaws
- #713271 (search, files) wordpress: multiple vulnerabilities

GraphicsMagick (2 issues)
- #713787 (search, files) GraphicsMagick: multiple vulnerabilities
- #713786 (search, files) GraphicsMagick: multiple vulnerabilities

kernel (3 issues)
- #713884 (search, files) kernel: information leak
- #713881 (search, files) kernel: denial of service
- #713570 (search, files) kernel: two vulnerabilities

libtiff (2 issues)
- #713880 (search, files) tiff: can't write files
- #713268 (search, files) libtiff: information leak

rtmpdump (2 issues)
- #713784 (search, files) rtmpdump: multiple vulnerabilities
- #670061 (search, files) rtmpdump: code execution