jasper: 2.0.14 -> 2.0.16 #57681

Merged
merged 1 commit into from Mar 23, 2019

Member

pSub commented Mar 15, 2019

Motivation for this change

Release 2.0.16 fixes CVE-2018-19539. Should be backported to 18.09 and 19.03

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

Member

ryantm commented Mar 15, 2019

@GrahamcOfBorg build jasper

Member

ryantm commented Mar 15, 2019

@pSub, please consider adding yourself to the GrahamcOfBorg known users so your PRs can be built automatically.

pSub added a commit to pSub/ofborg that referenced this pull request Mar 15, 2019

Member Author

pSub commented Mar 15, 2019

@ryantm Thank you for the hint. I've done so in NixOS/ofborg#330.

Member

andir commented Mar 23, 2019

@pSub Thanks for looking into this.

jasper looks a bit messy in general. I am tempted to argue for just marking it as insecure with the list of known vulnerabilities (CVE-2018-18873, CVE-2018-19139, CVE-2018-19539, CVE-2018-19540, CVE-2018-19541, CVE-2018-19542, CVE-2018-19543, CVE-2018-20570, CVE-2018-20584, CVE-2018-20622, CVE-2018-9252).

Looking through the mentioned issues there seem to be a few more patches available and some that can be improved upon. (e.g. mdadams/jasper#200, mdadams/jasper#182, mdadams/jasper#164).

I think we can safely merge and backport this change already, but should keep an eye out for further patches and releases.

andir approved these changes Mar 23, 2019

Member

andir left a comment

Looks good, see my comment for some concerns / thoughts.

Member Author

pSub commented Mar 23, 2019

@andir Thanks for your feedback. I'll keep an eye on jasper and mark it as insecure if the list of open vulnerabilities stays that long for the longer term.

pSub merged commit 923cfbd into staging Mar 23, 2019

10 checks passed

grahamcofborg-eval ^.^!
grahamcofborg-eval-check-maintainers matching changed paths to changed attrs...
grahamcofborg-eval-check-meta config.nix: checkMeta = true
grahamcofborg-eval-nixos-manual nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release.nix -A manual
grahamcofborg-eval-nixos-options nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release.nix -A options
grahamcofborg-eval-nixpkgs-manual nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A manual
grahamcofborg-eval-nixpkgs-tarball nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A tarball
grahamcofborg-eval-nixpkgs-unstable-jobset nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A unstable
grahamcofborg-eval-package-list nix-env -qa --json --file .
grahamcofborg-eval-package-list-no-aliases nix-env -qa --json --file . --arg config { allowAliases = false; }

pSub deleted the update-jasper branch Mar 23, 2019

Member Author

pSub commented Mar 23, 2019

I've cherry-picked the commit into staging-{18.09, 19.03}.
