
traefik: 3.1.2 -> 3.1.4 #344149

Merged: 1 commit merged into NixOS:master, Sep 24, 2024

Conversation

Scrumplex (Member) commented Sep 24, 2024

Description of changes

This fixes CVE-2024-45410[0] (GHSA-62c8-mh53-4cqv[1]).

Closes #344144

Relevant Releases:

https://github.com/traefik/traefik/releases/tag/v3.1.3 (actual vulnerability fix)
https://github.com/traefik/traefik/releases/tag/v3.1.4 (latest release)

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

This fixes CVE-2024-45410[0] (GHSA-62c8-mh53-4cqv[1]).

[0]: https://nvd.nist.gov/vuln/detail/CVE-2024-45410
[1]: GHSA-62c8-mh53-4cqv

Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
Scrumplex added the label `1.severity: security` (Issues which raise a security issue, or PRs that fix one) Sep 24, 2024

Scrumplex (Member, Author):

Result of nixpkgs-review pr 344149 run on x86_64-linux

1 package built:
  • traefik

Scrumplex (Member, Author):

@ofborg test traefik

Scrumplex (Member, Author):

CC @NixOS/security

This PR fixes a critical vulnerability in Traefik. See https://nvd.nist.gov/vuln/detail/CVE-2024-45410 GHSA-62c8-mh53-4cqv

mweinelt merged commit 3db77ab into NixOS:master Sep 24, 2024
50 of 53 checks passed

mweinelt (Member) commented Sep 24, 2024

@Scrumplex Are you planning to apply a patch for NixOS 24.05?

mweinelt added the label `9.needs: port to stable` (A PR needs a backport to the stable release.) Sep 24, 2024

mweinelt (Member):

By which I mean a patch application should be investigated!

Scrumplex (Member, Author):

According to GHSA-62c8-mh53-4cqv, any Traefik v3 version before 3.1.3 is affected. As 24.05 is on 3.0.4 it should probably also be updated. I will prepare a PR.

Scrumplex (Member, Author):

I just noticed that we don't have go_1_23 on 24.05.

mweinelt (Member):

Could be traefik/traefik@5841441

Scrumplex (Member, Author) commented Sep 24, 2024

traefik/traefik@5841441 can't be applied onto v3. That change was merged into v2 and then merged into v3 in traefik/traefik@093989f, which is a much larger merge as well.

mweinelt (Member):

Gross.

mweinelt (Member) commented Sep 24, 2024

traefik/traefik@093989f#diff-164089fbccd1553baf9568ff75818f506cc9d96c524d6b9454b672e0f959a33d (pkg/middlewares/forwardedheaders/forwarded_header.go) looks like the relevant bits.
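The forwarded-headers middleware named in the comment above is where a reverse proxy decides whether the X-Forwarded-* headers on an incoming request came from a trusted upstream proxy or from the connecting client itself. As an added illustration of that class of check (not Traefik's code and not the patch discussed in this PR), a small Go helper that drops such headers unless the peer address is inside a configured trusted CIDR list; the header list and CIDRs are constructed for the example:

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// Headers only a trusted reverse proxy may set (constructed list for this
// example; Traefik's own middleware defines the exact set it strips).
var proxyOnlyHeaders = []string{"X-Real-Ip", "X-Forwarded-Prefix", "X-Forwarded-Tls-Client-Cert"}

// IsTrusted reports whether remoteAddr ("ip:port" as in http.Request.RemoteAddr)
// lies in one of the trusted CIDRs. Unparseable addresses or CIDRs never match.
func IsTrusted(remoteAddr string, trustedCIDRs []string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // bare IP without a port
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, c := range trustedCIDRs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// Sanitize drops every X-Forwarded-* header and the proxy-only headers above
// unless the request came from a trusted proxy, so a direct client cannot spoof
// its origin IP, scheme, host or path prefix towards the backend.
func Sanitize(r *http.Request, trustedCIDRs []string) {
	if IsTrusted(r.RemoteAddr, trustedCIDRs) {
		return
	}
	for name := range r.Header {
		if strings.HasPrefix(http.CanonicalHeaderKey(name), "X-Forwarded-") {
			r.Header.Del(name)
		}
	}
	for _, h := range proxyOnlyHeaders {
		r.Header.Del(h)
	}
}
```

Unlike a fixed deny-list, the prefix match also removes forwarded headers the helper was never told about, which is the safer default when the peer is untrusted.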

Scrumplex (Member, Author) commented Sep 24, 2024

I have prepared Scrumplex/traefik@21f0062, which is traefik/traefik@5841441 but merged into v3.1.2 (the last version before upstream updated to Go 1.23).

What I had to merge:

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   pkg/middlewares/auth/forward.go
	both modified:   pkg/middlewares/forwardedheaders/forwarded_header.go
	both modified:   pkg/middlewares/headers/headers.go

Edit: I corrected the patch just now. I didn't merge one line properly (variable declaration instead of assignment in headers.go).

Scrumplex (Member, Author):

See #344222

Successfully merging this pull request may close these issues.

Update request: traefik 3.1.2 → 3.1.4