vulnix whitelists: add entries, fix CVE identifiers
dermetfan committed Sep 24, 2021
1 parent 58ed8e7 commit 016ee13
Showing 1 changed file with 43 additions and 24 deletions.
67 changes: 43 additions & 24 deletions modules/vulnix-whitelists.nix
Expand Up @@ -10,25 +10,23 @@ let
};
in {
options.services.vulnix.defaultWhitelists = {
# fix about to be deployed
ephemeral.whitelist = resultOption // {
default = {
"openssl-1.1.1k" = {
until = "2021-09-15";
"binutils-2.35.1" = {
until = "2021-10-10";
comment = "has active PR to upgrade binutils";
cve = [
"CVE-2021-3711"
"CVE-2021-3712"
"CVE-2021-20294"
"CVE-2021-3487"
"CVE-2021-20284"
];
issue_url = "https://github.com/NixOS/nixpkgs/pull/135611";
issue_url = "https://github.com/NixOS/nixpkgs/pull/134917";
};
"libsndfile-1.0.30" = {
until = "2021-09-15";
cve = [ "2021-3246" ];
issue_url = [
"https://github.com/NixOS/nixpkgs/issues/132138"
"https://github.com/NixOS/nixpkgs/pull/132689"
"https://github.com/NixOS/nixpkgs/pull/134004"
];
"libgcrypt-1.9.3" = {
until = "2021-10-10";
comment = "in staging-21.05";
cve = [ "CVE-2021-40528" ];
issue_url = "https://github.com/NixOS/nixpkgs/pull/137025#issuecomment-914725087";
};
};
};
Expand All @@ -49,7 +47,7 @@ in {
];
};
"zip-3.0" = { # comes up as version "3" in Grafana, not sure why
cve = [ "2018-13410" ];
cve = [ "CVE-2018-13410" ];
comment = "disputed";
issue_url = [
"https://github.com/NixOS/nixpkgs/issues/88417"
Expand All @@ -58,15 +56,28 @@ in {
];
};
"gnulib" = {
cve = [ "2018-17942" ];
comment = "fixed long ago";
cve = [ "CVE-2018-17942" ];
comment = "fixed long ago"; # TODO really? check again
issue_url = [
"https://github.com/NixOS/nixpkgs/issues/34787"
"https://github.com/NixOS/nixpkgs/issues/88310"
];
};
"bash-4.4-p23" = {
cve = [ "CVE-2019-18276" ];
comment = "version not affected";
issue_url = "https://github.com/NixOS/nixpkgs/issues/88269#issuecomment-722169817";
};
"glibc-2.33-49" = {
cve = [ "CVE-2021-38604" ];
comment = "version not affected";
issue_url = [
"https://github.com/NixOS/nixpkgs/issues/138667#issuecomment-923991137"
"https://github.com/NixOS/nixpkgs/pull/134765"
];
};
} // lib.genAttrs [ "shellcheck" "ShellCheck" ] (pname: {
cve = [ "2021-28794" ];
cve = [ "CVE-2021-28794" ];
comment = "CVE is about a Visual Studio Code extension";
});
};
Expand All @@ -84,7 +95,7 @@ in {
in (
lib.optionalAttrs (!nixosConfig.services.xserver.enable) {
"libX11-1.7.0" = {
cve = [ "2021-31535" ];
cve = [ "CVE-2021-31535" ];
# XXX nomad jobs might, though very unlikely
comment = "we don't run a graphical session";
};
Expand All @@ -99,16 +110,24 @@ in {
)
) {
"ripgrep" = {
cve = [ "2021-3013" ];
cve = [ "CVE-2021-3013" ];
comment = "we're not on windows";
};
} // lib.optionalAttrs (!nixosConfig.services.httpd.enable) {
} // (let
disabled = !nixosConfig.services.httpd.enable;
fixed = lib.versionAtLeast nixosConfig.services.httpd.package.version "2.4.49";
in lib.optionalAttrs (disabled || fixed) {
"openssl-1.1.1k" = {
cve = [ "CVE-2019-0190" ];
comment = "we don't use Apache";
issue_url = "https://github.com/NixOS/nixpkgs/issues/88371";
comment =
lib.optional disabled "we don't use Apache" ++
lib.optional fixed "version not affected";
issue_url = [
"https://github.com/NixOS/nixpkgs/issues/88371"
"https://httpd.apache.org/security/vulnerabilities_24.html"
];
};
}
})
);
};
};
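Review bot: The `"gnulib"` entry in the third hunk is still an unversioned, permanent whitelist of CVE-2018-17942, and the newly added `# TODO really? check again` on its `comment` line says the "fixed long ago" justification has not actually been confirmed; as written it silences that CVE for every gnulib version vulnix will ever report, so a wrong assumption is never surfaced again. Either pin the key to the version that was checked (the way `"bash-4.4-p23"` and `"glibc-2.33-49"` in the same hunk do) or move the entry under `ephemeral.whitelist` with an `until` date so the TODO comes back on its own. In the last hunk, the `fixed` predicate compares against the bare literal `"2.4.49"` with no explanation; a comment such as `# first httpd release we accept as not affected by CVE-2019-0190; see the httpd 2.4 advisory page linked in issue_url` next to that line would let a later reader verify the threshold instead of trusting it. Note also that `fixed` is evaluated from `nixosConfig.services.httpd.package.version` even when `disabled` is true, which is harmless here but means the whitelist can carry both comment strings at once.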
