Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[20.09] traefik: 2.2.8 -> 2.4.6 #116942

Closed
wants to merge 3 commits into from
Closed

[20.09] traefik: 2.2.8 -> 2.4.6 #116942

wants to merge 3 commits into from

Conversation

Pamplemousse
Copy link
Member

Motivation for this change

Solves #116928 .

Note that there were 8 commits updating the package from the version in unstable VS the one in release-20.09. I squashed as many as possible within the latest cherry-pick not to pollute the history too much, but I am not sure that's the adequate strategy.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
    (cherry picked from commit d7fade2)

@ofborg ofborg bot requested review from vdemeester and kalbasit March 19, 2021 17:03
@risicle
Copy link
Contributor

risicle commented Mar 21, 2021

I think it's possible to get away with applying the patch:


  patches = [
    (fetchpatch {
      name = "CVE-2021-27375.patch";
      url = "https://github.com/traefik/traefik/commit/bae28c5f5717ea3a80423f107fefe6948c14b7cd.patch";
      sha256 = "0gbygblzc6l0rywznbl6in2h5mjk5d0x0aq6pqgag2vrjbyk9kfi";
    })
  ];

builds for me, even if I enable the tests (unsure why they're disabled). And I'm fairly confident the fix is applied because the patch includes a test for the issue.

@Pamplemousse
Copy link
Member Author

@risicle, is there a reason to favor applying a patch VS updating the package?
From the maintenance perspective, it feels simpler to favor the latter...

@risicle
Copy link
Contributor

risicle commented Mar 22, 2021
edited

If possible, it's nice to be able to stick to the same version in the stable branch as it means there's much less chance of introducing behaviour change, which is what users of the stable release are often trying to avoid. As for maintainability, it's much less of a concern because the stable branch doesn't have a long-term future. It will be out of support by autumn.

@risicle risicle mentioned this pull request Mar 24, 2021
Merged
10 tasks
@Pamplemousse
Copy link
Member Author

Superseded by #117536 .
Thanks @risicle :)

@Pamplemousse Pamplemousse deleted the backport_traefik branch March 28, 2021 17:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vdemeester vdemeester Awaiting requested review from vdemeester

@kalbasit kalbasit Awaiting requested review from kalbasit

Assignees
No one assigned
Labels
1.severity: security 10.rebuild-darwin: 1-10 10.rebuild-darwin: 1 10.rebuild-linux: 1-10 10.rebuild-linux: 1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@Pamplemousse @risicle @amaxine @zowoq