Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[20.09]: Jellyfin 10.7.1 backport #120523

Closed
wants to merge 9 commits into from
Closed

[20.09]: Jellyfin 10.7.1 backport #120523

wants to merge 9 commits into from

Conversation

minijackson
Copy link
Member

Motivation for this change

Jellyfin <10.7.1 contains a vulnerability:

See #120388 and #120387. The jellyfin_10_5 package removal will be backported once #120520 is merged.

Since Jellyfin now depends on dotnet 5+, I've also had to backport dotnet / aspnetcore, I hope this is the correct way to do this

cc @nyanloutre, @purcell

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@ofborg ofborg bot requested review from nyanloutre and purcell April 24, 2021 12:55
@r-rmcgibbo
Copy link

r-rmcgibbo commented Apr 24, 2021
edited

Result of nixpkgs-review pr 120523 at 871b6a03 run on aarch64-linux 1

3 packages built successfully:
  • dotnetCorePackages.aspnetcore_5_0
  • dotnetCorePackages.net_5_0
  • dotnetCorePackages.sdk_5_0

Result of nixpkgs-review pr 120523 at 871b6a03 run on x86_64-linux 1

4 packages built successfully:
  • dotnetCorePackages.aspnetcore_5_0
  • dotnetCorePackages.net_5_0
  • dotnetCorePackages.sdk_5_0
  • jellyfin

@dotlambda dotlambda linked an issue Apr 25, 2021 that may be closed by this pull request
Vulnerability roundup 101: jellyfin-10.6.4: 1 advisory [6.5] #120388
Closed
1 task
minijackson and others added 9 commits May 30, 2021 11:25
@minijackson
jellyfin: 10.6.4 -> 10.7.0
ed2fc77 
https://github.com/jellyfin/jellyfin/releases/tag/v10.7.0
(cherry picked from commit da94be3)
@r-ryantm @minijackson
jellyfin: 10.7.0 -> 10.7.1
51d0438 
(cherry picked from commit 8a487ea)
@JamieMagee @minijackson
dotnetCorePackages.sdk_5_0: init at version 5.0.100-preview.8.20417.9
b57e250 
(cherry picked from commit 7b3d1d6)
@JamieMagee @minijackson
dotnetCorePackages.sdk_5_0: init at version 5.0.100-rc.1.20452.10
6adcd56 
Co-authored-by: Felix Tenley <felschr@pm.me>
(cherry picked from commit 074e05c)
@felschr @minijackson
dotnetCorePackages.net_5_0: init at version 5.0.0
6b00c14 
(cherry picked from commit c112ab2)
@felschr @minijackson
dotnetCorePackages.aspnetcore_5_0: init at version 5.0.0
6f83be5 
(cherry picked from commit a3604fc)
@felschr @minijackson
dotnetCorePackages.sdk_5_0: 5.0.100-rc.1.20452.10 -> 5.0.100
914a71f 
(cherry picked from commit e60fc2c)
@minijackson
jellyfin: 10.7.1 -> 10.7.5
3706e1e 
fixes advisory GHSA-rgjw-4fwc-9v96
@minijackson
nixos/tests/jellyfin: enhanced test
1c2bd84 
(cherry picked from commit 2ab88a3)
@minijackson
Copy link
Member Author

Updated Jellyfin version to 10.7.5 due to GHSA-rgjw-4fwc-9v96.

I couldn't cherry-pick #120344 due to what I think are changes in node2nix, so the commit jellyfin: 10.7.1 -> 10.7.5 is not a backport. I backported the enhanced test for some further guarantees.

This fixes also #124643

@mweinelt
Copy link
Member

Have you tried applying these changes as patches on top of the 10.6 series? This looks like quite some changes to backport otherwise.

@mweinelt
Copy link
Member

mweinelt commented Jul 5, 2021

Unfortunately NixOS 20.09 has reached its end-of-life status on 2021-07-01, one
month after the release of NixOS 21.05.

Since we do not accept any changes to its branches anymore, I'm closing this pull
request.

@mweinelt mweinelt closed this Jul 5, 2021
@minijackson minijackson deleted the jellyfin-10.7.1-backport branch July 7, 2021 21:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@purcell purcell purcell approved these changes

@nyanloutre nyanloutre Awaiting requested review from nyanloutre

Assignees
No one assigned
Labels
1.severity: security 6.topic: nixos 8.has: package (new) 10.rebuild-darwin: 1-10 10.rebuild-linux: 1-10 11.by: package-maintainer
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Vulnerability roundup 101: jellyfin-10.6.4: 1 advisory [6.5]
8 participants
@minijackson @r-rmcgibbo @mweinelt @purcell @dotlambda @r-ryantm @JamieMagee @felschr