Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

caprine-bin: 2.58.0 -> 2.58.3 #257372

Merged
merged 1 commit into from
Sep 26, 2023
Merged

caprine-bin: 2.58.0 -> 2.58.3 #257372

merged 1 commit into from
Sep 26, 2023

Conversation

ShamrockLee
Copy link
Contributor

@ShamrockLee ShamrockLee commented Sep 26, 2023
edited

Description of changes

Bump to patch for CVE-2023-4863

Vulnerability details:
https://github.com/advisories/GHSA-j7hp-h8jx-5pp

Upstream release notes:
https://github.com/sindresorhus/caprine/releases/tag/v2.58.2
https://github.com/sindresorhus/caprine/releases/tag/v2.58.3

This PR needs to be backported to 23.05.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@ShamrockLee ShamrockLee mentioned this pull request Sep 26, 2023
Closed
@ShamrockLee
Copy link
Contributor Author

ShamrockLee commented Sep 26, 2023
edited

Unfortunately, the Electron update made by the upstream renders the app unusable. See sindresorhus/caprine#2074.

@ShamrockLee ShamrockLee mentioned this pull request Sep 26, 2023
Closed
90 tasks
@ShamrockLee ShamrockLee changed the title caprine-bin: 2.58.0 -> 2.58.2 caprine-bin: 2.58.0 -> 2.58.3 Sep 26, 2023
@ShamrockLee ShamrockLee marked this pull request as ready for review September 26, 2023 15:20
@ShamrockLee
Copy link
Contributor Author

ShamrockLee commented Sep 26, 2023
edited

The above issue is addressed in 2.58.3.

This PR contains an emergency security update. Please help test it if you're available, and update caprine-bin to this version ASAP.

Cc: @n3oney @khaneliman

@n3oney
Copy link
Contributor

n3oney commented Sep 26, 2023

lgtm

delroth
delroth approved these changes Sep 26, 2023
View reviewed changes
Copy link
Contributor

@delroth delroth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Diff LGTM, didn't test running the app.

@delroth
Copy link
Contributor

delroth commented Sep 26, 2023

lgtm

FYI it's better to use the GitHub review feature and explicitly mark as approved - it helps automation set the right labels for the PR and gives it better visibility (for example, it would show this one as "approved by package maintainer").

@delroth delroth merged commit 50dad20 into NixOS:master Sep 26, 2023
26 of 27 checks passed
@github-actions
Copy link
Contributor

Backport failed for release-23.05, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally.

git fetch origin release-23.05
git worktree add -d .worktree/backport-257372-to-release-23.05 origin/release-23.05
cd .worktree/backport-257372-to-release-23.05
git checkout -b backport-257372-to-release-23.05
ancref=$(git merge-base b95afaec5a602daa50888c2213e0a11566256f87 07107cfb1fbcc2c28952b35bd7d0cb3360c6e8e2)
git cherry-pick -x $ancref..07107cfb1fbcc2c28952b35bd7d0cb3360c6e8e2

@delroth
Copy link
Contributor

delroth commented Sep 26, 2023

This needs a manual backport since the version on 23.05 wasn't kept up to date. @ShamrockLee can you also take care of this? Thanks!

@ShamrockLee ShamrockLee mentioned this pull request Sep 26, 2023
Merged
12 tasks
@ShamrockLee ShamrockLee deleted the caprine-bin-update-security branch September 26, 2023 17:03
@ShamrockLee
Copy link
Contributor Author

@delroth It's at #257472.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@delroth delroth delroth approved these changes

Assignees
No one assigned
Labels
1.severity: security 10.rebuild-darwin: 1-10 10.rebuild-darwin: 1 10.rebuild-linux: 1-10 10.rebuild-linux: 1 11.by: package-maintainer
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@ShamrockLee @n3oney @delroth