
backport oauth2_proxy: 6.0.0 -> 7.0.1 [security] #119795

Closed
wants to merge 3 commits

Conversation

yorickvP
Contributor

Motivation for this change

Security backport, fixes #113489

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

AndersonTorres and others added 3 commits April 18, 2021 14:05
oauth2_proxy: 6.0.0 -> 6.1.1

(cherry picked from commit 5f4b381)
oauth2_proxy: 6.1.1 -> 7.0.0

(cherry picked from commit 9126e58)
oauth2_proxy: 7.0.0 -> 7.0.1

(cherry picked from commit 344243b)
@SuperSandro2000
Member

Is this major update backwards compatible?

@yorickvP
Contributor Author

Sadly, no: https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.0.0
Our alternative is keeping this bug and/or marking oauth2-proxy as insecure.

@knl
Contributor

knl commented Apr 18, 2021

I think we'll either have to mark it as insecure or backport that particular security fix. The issue is that (to the best of my recollection) backward-incompatible changes are disallowed on the release branches.

Reading the changelog suggests that 6.1.1 should be good to use: https://github.com/oauth2-proxy/oauth2-proxy/blob/master/CHANGELOG.md#changes-since-v611

@knl
Contributor

knl commented Apr 18, 2021

Also, 7.0.1 should use Go 1.16: oauth2-proxy/oauth2-proxy#1054 (nixpkgs code forces Go 1.15)

@yorickvP
Contributor Author

6.1.1 would be vulnerable to CVE-2021-21291. Maybe it's possible to backport oauth2-proxy/oauth2-proxy@780ae4f ?

@SuperSandro2000
Member

> Also, 7.0.1 should use Go 1.16: oauth2-proxy/oauth2-proxy#1054 (nixpkgs code forces Go 1.15)

We can change that version but 1.16 is not yet available in 20.09.

@risicle
Contributor

risicle commented Apr 19, 2021

> Maybe it's possible to backport oauth2-proxy/oauth2-proxy@780ae4f ?

The function in question hasn't been touched in 13 months previous to the patch, other than being relocated in the same file. The interface around it looks to be the same judging by its tests. OAuthProxy.whitelistDomains is still an array of strings in the same format. And sure enough the patch applies without a hitch and the added test passes. #119899

@risicle
Contributor

risicle commented Apr 19, 2021

> We can change that version but 1.16 is not yet available in 20.09.

You're going to have to stop giving me opportunities to plug #116665

@yorickvP
Contributor Author

Closing in favor of #119899

yorickvP closed this Apr 20, 2021