Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerability roundup 43 (master) #41748

Closed
26 tasks done
ckauhaus opened this issue Jun 9, 2018 · 5 comments
Closed
26 tasks done

Vulnerability roundup 43 (master) #41748

ckauhaus opened this issue Jun 9, 2018 · 5 comments
Labels
1.severity: security

Comments

@ckauhaus
Copy link
Contributor

ckauhaus commented Jun 9, 2018
edited
Loading

Scanned nixos/release-combined.nix @ 41cdec2. Filtered out previously reported CVEs. May contain false positives.

binutils-2.30 (search, files)

jasper-2.0.14 (search, files)

libtiff-4.0.9 (search, files)

libvorbis-1.3.6 (search, files)

libxml2-2.9.8 (search, files)

lua-5.1.5 (search, files)

mupdf-1.13.0 (search, files)

qpdf-8.0.2 (search, files)

Cc: @joepie91, @phanimahesh, @the-kenny, @7c6f434c, @k0001, @peterhoeg, @nh2, @LnL7, @grahamc, @adisbladis, @fpletz, @vcunat

Contact @ckauhaus for any questions.
This was referenced Jun 9, 2018
Closed
Closed
Merged
@dtzWill
Copy link
Member

dtzWill commented Jun 10, 2018

I think our libxml2 is okay since we don't build it with xz/lzma support.

@dtzWill dtzWill mentioned this issue Jun 10, 2018
Closed
8 tasks
bhipple added a commit to bhipple/nixpkgs that referenced this issue Jun 10, 2018
@bhipple
mupdf: apply CVE-2018-10289 patch
dc994f6 
Fixes mupdf issue in NixOS#41748 by applying
patch from https://bugs.ghostscript.com/show_bug.cgi?id=699271
@bhipple bhipple mentioned this issue Jun 10, 2018
Merged
8 tasks
xeji pushed a commit that referenced this issue Jun 10, 2018
Get libtiff on the same patch level as Debian. The imported patch fil…
cca45cc 
…e contains:

CVE-2017-9935
CVE-2017-11613
CVE-2017-17095
CVE-2017-18013
CVE-2018-5784
CVE-2018-7456

Re #41748 (master)
Re #41749 (release-18.03 - needs to be cherry-picked)
xeji pushed a commit that referenced this issue Jun 10, 2018
@xeji
libtiff: 4.0.9 update ptches
0338ce0 
Get libtiff on the same patch level as Debian. The imported patch file contains:

CVE-2017-9935
CVE-2017-11613
CVE-2017-17095
CVE-2017-18013
CVE-2018-5784
CVE-2018-7456

Re #41748 (master)
Re #41749 (release-18.03 - needs to be cherry-picked)

(cherry picked from commit cca45cc)
xeji pushed a commit that referenced this issue Jun 10, 2018
@bhipple @xeji
mupdf: apply CVE-2018-10289 patch (#41802)
17d7650 
Fixes mupdf issue in #41748 by applying
patch from https://bugs.ghostscript.com/show_bug.cgi?id=699271
vcunat added a commit that referenced this issue Jun 17, 2018
@vcunat
libvorbis: upstream patch for CVE-2018-10392
7ccece3 
/cc #41748.
@vcunat
Copy link
Member

vcunat commented Jun 17, 2018

vorbis CVE-2018-10393: upstream claims that's already fixed in one patch we apply, so I'm just ticking this checkbox

vcunat added a commit that referenced this issue Jun 17, 2018
@vcunat
libvorbis: upstream patch for CVE-2018-10392
04c80fe 
/cc #41748.

(cherry picked from commit 7ccece3)
pSub added a commit that referenced this issue Jun 17, 2018
@pSub
qpdf: apply patch for CVE-2018-9918
20ee8fb 
in context of #41748
pSub pushed a commit that referenced this issue Jun 17, 2018
@vcunat @pSub
libvorbis: upstream patch for CVE-2018-10392
be3ac85 
/cc #41748.

(cherry picked from commit 7ccece3)
@ckauhaus ckauhaus mentioned this issue Sep 21, 2018
Closed
3 tasks
@ckauhaus ckauhaus mentioned this issue Oct 30, 2018
Closed
9 tasks
@ckauhaus ckauhaus mentioned this issue Dec 8, 2018
Closed
6 tasks
@ckauhaus
Copy link
Contributor Author

binutils-2.30 is not used anymore

@ckauhaus
Copy link
Contributor Author

jasper-2.0.14 is not used anymore

@ckauhaus
Copy link
Contributor Author

lua-5.1.5 / CVE 2014-5461 fixed in 17f5001

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
1.severity: security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dtzWill @ckauhaus @vcunat