[20.09] python3Packages.pygments: add patch for CVE-2021-27291 #117810
We should probably add Everything else lgtm.
Hold on, I got so caught up in the whole pytest cycle thing I completely forgot about 2.5.x. Sure enough, the patch works fine there too and the tests pass. Will push another commit.
Except
Ah yes I'll yank it from here and do that.
9fee868 to ae81faa
Sigh. And this looks staging-bound too.
ae81faa to a5ed349
Result of 563 packages marked as broken and skipped:
18673 packages skipped due to time constraints:
105 packages built successfully:
3 suggestions:
Result of 674 packages marked as broken and skipped:
16924 packages skipped due to time constraints:
86 packages built successfully:
3 suggestions:
If the 2.5 bump doesn't have breaking changes, I would much rather just take that.
Between 2.6.1 and 2.7.4 there are a lot of "updated lexers", it's hard to know what lies behind all of those. There is a
in there
Not sure what the "2.5 bump" means. We have 2.5 as the last version with python2 support. We either backport that patch or mark it as vulnerable IMO.
Sorry, I meant a non breaking bump. I'm also okay with a patch.
Motivation for this change
https://nvd.nist.gov/vuln/detail/CVE-2021-27291
I'm quite confident in patching this:
Things done
sandbox in nix.conf (on non-NixOS linux)
nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
nix path-info -S (before and after)