[20.03] wolfssl: v4.3.0 → v4.4.0 #86999

Merged
merged 1 commit into from Jun 25, 2020

@mweinelt
Member

mweinelt commented May 5, 2020

Motivation for this change

Backport #86997

Fixes: CVE-2020-11713
(cherry picked from commit 6baa4e7)

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Contributor

mcmtroffaes left a comment

Looks good to me. Tested with a wolfssl build of curl 7.70.0 (slightly more recent than the current nixpkgs version which is needed due to some API changes).

@ryantm
Member

ryantm commented May 7, 2020

@mcmtroffaes Do we need to wait for #86799 to be backported before backporting this?

@mcmtroffaes
Contributor

mcmtroffaes commented May 9, 2020

@ryantm I don't think we need to wait for the curl update to get merged, as this wolfssl update doesn't break any existing builds currently in nixpkgs.

@ryantm
Member

ryantm commented May 9, 2020

@mcmtroffaes That is true, but some people might be building curl with wolfsslSupport set to true, won't they be messed up?

@mcmtroffaes
Contributor

mcmtroffaes commented May 11, 2020

@ryantm You're completely right. I had missed that curl had grown an option in nixpkgs to officially support the wolfssl build and was still doing my own local override. I've tested the new nixpkgs option, and yes, I agree, we should probably hold off merging this until curl has been updated.

@Mic92
Contributor

Mic92 commented Jun 12, 2020

Curl was merged. Is this good to go?

@ryantm
Member

ryantm commented Jun 12, 2020

@mweinelt
Member Author

mweinelt commented Jun 16, 2020

ccing @lovek323 as curl maintainer.

Fixes: CVE-2020-11713
(cherry picked from commit 6baa4e7)
@mweinelt mweinelt changed the base branch from release-20.03 to staging-20.03 Jun 24, 2020
@mweinelt mweinelt force-pushed the mweinelt:20.03/pr/wolfssl branch from e5c3910 to 29f44d0 Jun 24, 2020
@mweinelt
Member Author

mweinelt commented Jun 24, 2020

Rebased on top of staging-20.03 where the curl version has been bumped. Can someone merge this, please?

Ref. #91408

@ofborg ofborg bot requested a review from mcmtroffaes Jun 24, 2020
@Mic92
Contributor

Mic92 commented Jun 25, 2020

Is the curl issue resolved? Ah, looks like it.

@Mic92 Mic92 merged commit 3f21f10 into NixOS:staging-20.03 Jun 25, 2020
16 checks passed
wolfssl, wolfssl.passthru.tests on aarch64-linux Success
wolfssl, wolfssl.passthru.tests on x86_64-linux Success
@mweinelt mweinelt deleted the mweinelt:20.03/pr/wolfssl branch Jun 25, 2020