Note: The list of people CC'd on this issue participated in the last
roundup. If you participate on this roundup, I'll cc you on the next
one. If you don't participate in the next one, you won't be CC'd on
the one after that. If you would like to be CC'd on the next roundup,
add a comment to the most recent vulnerability roundup.
If you would like to be CC'd on all roundups, leave a comment and
tell @grahamc so.
Permanent CC's: @joepie91, @phanimahesh, @NixOS/security-notifications
(if you no longer want to be CC'd, ask to be removed from this list)
Notes on the list
The reports have been roughly grouped by the package name. This
isn't perfect, but is intended to help identify if a whole group
of reports is resolved already.
Some issues will be duplicated, because it affects multiple
packages. For example, there are sometimes problems that impact
thunderbird, and firefox. LWN might report in one vulnerability
"thunderbird firefox". These names have been split to make sure
both packages get addressed.
By each issue is a link to code search for the package name, and
a Github search by filename. These are to help, but may not return
results when we do in fact package the software. If a search
doesn't turn anything up, please try altering the search criteria or
looking in nixpkgs manually before asserting we don't have it.
Triage a report: If we don't have the software or our version isn't
vulnerable, tick the box or add a comment with the report number,
stating it isn't vulnerable.
Fix the issue: If we do have the software and it is vulnerable,
either leave a comment on this issue saying so, or even open a pull
request with the fix. If you open a PR, make sure to tag this
issue so we can coordinate.
When an entire section is completed, move the section to the
"Triaged and Resolved Issues" details block below.
Upon Completion ...
Run the issue through reformat one last time
Review commits since last roundup for backport candidates
Here are all the vulnerabilities from https://lwn.net/Vulnerabilities
since our last roundup.
cc: @joachifm @michalpalka @abbradar @bachp @LnL7 @the-kenny @Mic92 @FRidh @bjornfor @vcunat.
Without further ado...
Assorted (17 issues)
- [ ] #710086 (search, files) kernel: denial of service
- [ ] #710210 (search, files) libcrypto++: denial of service
- [ ] #710082 (search, files) openssh: multiple vulnerabilities
- [ ] #709844 (search, files) ceph: denial of service
- [ ] #710085 (search, files) gdk-pixbuf2: unspecified
- [ ] #709987 (search, files) graphicsmagick: denial of service
- [ ] #709988 (search, files) imagemagick: code execution
- [ ] #710084 (search, files) botan: integer overflow
- [ ] #710209 (search, files) exim4: information leak
- [ ] #710214 (search, files) httpd: three vulnerabilities
- [ ] #709984 (search, files) imagemagick: code execution
- [ ] #709986 (search, files) msgpuck: two denial of service flaws
- [ ] #710212 (search, files) qemu: denial of service
- [ ] #671098 (search, files) shellinabox: DNS rebinding
- [ ] #710213 (search, files) spip: two vulnerabilities
- [ ] #710087 (search, files) squid: two vulnerabilities
- [ ] #709993 (search, files) xen: two vulnerabilities

gstreamer-plugins-good (2 issues)
- [ ] #318382 (search, files) gstreamer-plugins-good: heap buffer overflows
- [ ] #709839 (search, files) gstreamer-plugins-good: denial of service
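The checklist format used in these roundups, and the convention of splitting one LWN headline that names several packages into one entry per package, can be parsed and grouped mechanically. The script below is an added example written for this page; it is not part of the nixpkgs roundup tooling or of @grahamc's generator. It assumes entries look like `- [ ] #710086 (search, files) kernel: denial of service`, with `[x]` meaning the box was ticked; the LWN URL pattern `https://lwn.net/Vulnerabilities/<id>/` is real, while the nixpkgs code-search URL it builds is an assumption standing in for the issue's "search" link. The sample input is constructed from the list above plus one invented multi-package line (#700000) to show the split.

```python
"""Parse a vulnerability-roundup checklist and group it by package.

Added example for the roundup format above; not part of the nixpkgs tooling.
"""
import re
from collections import defaultdict

# One checklist entry, e.g. "- [ ] #710086 (search, files) kernel: denial of service".
# "[x]" marks a report whose box has already been ticked (triaged / not vulnerable).
ENTRY_RE = re.compile(
    r"^-\s*\[(?P<done>[ xX])\]\s*#(?P<id>\d+)\s*\(search,\s*files\)\s*"
    r"(?P<pkgs>[^:]+):\s*(?P<desc>.+)$"
)

# Constructed sample: a few lines from the list above plus an invented
# multi-package headline (#700000 is not a real LWN id).
SAMPLE = """\
Assorted (4 issues)
- [ ] #710086 (search, files) kernel: denial of service
- [x] #710210 (search, files) libcrypto++: denial of service
- [ ] #709988 (search, files) imagemagick: code execution
- [ ] #709984 (search, files) imagemagick: code execution
gstreamer-plugins-good (2 issues)
- [ ] #318382 (search, files) gstreamer-plugins-good: heap buffer overflows
- [ ] #709839 (search, files) gstreamer-plugins-good: denial of service
- [ ] #700000 (search, files) thunderbird firefox: multiple vulnerabilities
"""


def parse_roundup(text):
    """Return one dict per (package, report) pair.

    A headline naming several packages ("thunderbird firefox: ...") is split
    into one entry per package, following the roundup's own convention, so
    that each package gets addressed separately.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # section headings such as "Assorted (4 issues)" are skipped
        report_id = m.group("id")
        for pkg in m.group("pkgs").split():
            entries.append({
                "id": int(report_id),
                "package": pkg,
                "description": m.group("desc").strip(),
                "triaged": m.group("done") != " ",
                "lwn": f"https://lwn.net/Vulnerabilities/{report_id}/",
                # Assumed search URL; the real issue links are generated elsewhere.
                "search": f"https://github.com/search?q=repo%3ANixOS%2Fnixpkgs+{pkg}&type=code",
            })
    return entries


def group_by_package(entries):
    """Map package name -> report ids, so a whole group can be resolved at once."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["package"]].append(e["id"])
    return dict(groups)


def open_packages(entries):
    """Packages that still have at least one un-ticked report."""
    return sorted({e["package"] for e in entries if not e["triaged"]})


if __name__ == "__main__":
    parsed = parse_roundup(SAMPLE)
    for pkg, ids in group_by_package(parsed).items():
        print(f"{pkg}: {len(ids)} report(s) {ids}")
    print("still open:", open_packages(parsed))
```

Running it against a pasted issue body gives a per-package view of what remains open, which is the unit the "Triaged and Resolved Issues" block is organised around; grouping by package also makes the deliberate duplicates (two imagemagick reports, thunderbird and firefox from one headline) visible instead of surprising.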