Vulnerability Roundup 15 #21457
Comments
I tried updating botan with commit 81879537edc27b40075563fff55a59ad06526d17
Author: Graham Christensen <graham@grahamc.com>
Date: Wed Dec 28 07:08:13 2016 -0500
botan: 1.10.13 -> 1.10.14
CVE-2016-9132
diff --git a/pkgs/development/libraries/botan/default.nix b/pkgs/development/libraries/botan/default.nix
index 6e8a8cd..69e8f17 100644
--- a/pkgs/development/libraries/botan/default.nix
+++ b/pkgs/development/libraries/botan/default.nix
@@ -2,7 +2,7 @@
callPackage ./generic.nix (args // {
baseVersion = "1.10";
- revision = "13";
- sha256 = "144vl65z7bys43sxgb09mbisyf2nmh49wh0d957y0ksa9cyrgv13";
+ revision = "14";
+ sha256 = "072czy26vfjcqjww4qccsd29fzkb6mb8czamr4x76rdi9lwhpv8h";
extraConfigureFlags = "--with-gnump";
}) but get a build error:
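Review bot: the `revision = "14"` and `sha256` lines are the whole change, yet the comment quoting them reports a build error, so this bump is not ready to merge as posted. Please attach the failing build log, confirm the new hash against the upstream 1.10.14 tarball, and check whether the unchanged `extraConfigureFlags = "--with-gnump"` still configures on 1.10.14.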
|
@grahamc Can you add me to the permanent-CC list please? |
Done, @the-kenny: NixOS/security@686a57a |
@wkennington second bump on Ceph, we're 2 major versions behind, 9.x hasn't seen an update in ages, and there don't seem to be any distros I can take the security patches from. I may mark as broken soon. |
re: |
Thank you, @7c6f434c! botan patches: 04736ae...21d4d54 |
|
image magick: 9ec867f...de99dc5 |
Also updated |
dovecot: 35e3ea0 |
/cc #21457. The rebuild impact is probably only a few thousand. The new utility is put into $out/bin/.
/cc #21457. The rebuild impact is probably only a few thousand. The new utility is put into $out/bin/. (cherry picked from commit 421a7f3) Full bump done, as API+ABI only added new symbols in the meantime. https://abi-laboratory.pro/tracker/timeline/gdk-pixbuf/
@vcunat any idea what's going wrong with the openssh test? |
No idea. That's why I had reverted that update in 661b5a9. |
re SSH: I was able to reproduce the issue locally. |
qemu CVE-2016-9911 addressed by #21482. |
should fix shellinabox vulnerabilities from NixOS#21457
applying: diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 073391f..80659f1 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -264,8 +264,7 @@ in
StandardInput = "socket";
} else {
Restart = "always";
- Type = "forking";
- PIDFile = "/run/sshd.pid";
+ Type = "simple";
});
};
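Review bot: `Type = "simple"` in the `else` branch only holds if sshd stays in the foreground, because systemd then treats the process started by ExecStart as the main process, and with `Restart = "always"` a daemon that forks and exits would be restarted in a loop. The ExecStart line is outside this hunk; please confirm it passes `-D`, or add that in the same change, before backporting.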
@@ -322,8 +321,6 @@ in
services.openssh.extraConfig = mkOrder 0
''
- PidFile /run/sshd.pid
-
Protocol 2
UsePAM yes has fixed it for me:
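Review bot: removing `PidFile /run/sshd.pid` from `extraConfig` does not stop sshd from writing a pid file, it makes sshd fall back to its compiled-in default path. If no pid file is wanted now that the unit no longer sets `PIDFile`, state that explicitly with `PidFile none`, and check that nothing else in the module (reload or stop commands) still reads `/run/sshd.pid`.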
what do you think of this solution / backporting? |
should fix shellinabox vulnerabilities from #21457
I know little about this stuff. In master it'll be good to switch to |
@vcunat / @aneeshusa -- they don't create any sort of |
That's also how I understood it, if simple also works with |
I marked ceph as broken. |
Thank you, everyone, for their work! |
/cc NixOS#21457. The rebuild impact is probably only a few thousand. The new utility is put into $out/bin/. (cherry picked from commit 421a7f3) Full bump done, as API+ABI only added new symbols in the meantime. https://abi-laboratory.pro/tracker/timeline/gdk-pixbuf/
should fix shellinabox vulnerabilities from NixOS#21457 (cherry picked from commit d6254e0)
Here are all the vulnerabilities from https://lwn.net/Vulnerabilities
since our last roundup.
cc: @joachifm @michalpalka @abbradar @bachp @LnL7 @the-kenny @Mic92 @FRidh @bjornfor @vcunat.
Note: The list of people CC'd on this issue participated in the last
roundup. If you participate on this roundup, I'll cc you on the next
one. If you don't participate in the next one, you won't be CC'd on
the one after that. If you would like to be CC'd on the next roundup,
add a comment to the most recent vulnerability roundup.
If you would like to be CC'd on all roundups, leave a comment and
tell @grahamc so.
Permanent CC's: @joepie91, @phanimahesh, @NixOS/security-notifications
(if you no longer want to be CC'd, ask to be removed from this list)
Notes on the list
isn't perfect, but is intended to help identify if a whole group
of reports is resolved already.
packages. For example, there are sometimes problems that impact
thunderbird, and firefox. LWN might report in one vulnerability
"thunderbird firefox". These names have been split to make sure
both packages get addressed.
a Github search by filename. These are to help, but may not return
results when we do in fact package the software. If a search
doesn't turn up, please try altering the search criteria or
looking in nixpkgs manually before asserting we don't have it.
Instructions:
vulnerable, tick the box or add a comment with the report number,
stating it isn't vulnerable.
either leave a comment on this issue saying so, even open a pull
request with the fix. If you open a PR, make sure to tag this
issue so we can coordinate.
"Triaged and Resolved Issues"
details
block below.
Upon Completion ...
reformat
one last time
Without further ado...
Assorted (17 issues)
#710086 (search, files) kernel: denial of service
#710210 (search, files) libcrypto++: denial of service
#710082 (search, files) openssh: multiple vulnerabilities
#709844 (search, files) ceph: denial of service
#710085 (search, files) gdk-pixbuf2: unspecified
#709987 (search, files) graphicsmagick: denial of service
#709988 (search, files) imagemagick: code execution
#710084 (search, files) botan: integer overflow
#710209 (search, files) exim4: information leak
#710214 (search, files) httpd: three vulnerabilities
#709984 (search, files) imagemagick: code execution
#709986 (search, files) msgpuck: two denial of service flaws
#710212 (search, files) qemu: denial of service
#671098 (search, files) shellinabox: DNS rebinding
#710213 (search, files) spip: two vulnerabilities
#710087 (search, files) squid: two vulnerabilities
#709993 (search, files) xen: two vulnerabilities
gstreamer-plugins-good (2 issues)
#318382 (search, files) gstreamer-plugins-good: heap buffer overflows
#709839 (search, files) gstreamer-plugins-good: denial of service