
expat: 2.4.2 -> 2.4.3 (security)#155253

Merged
vcunat merged 1 commit into NixOS:staging from hartwork:expat-2-4-3
Jan 22, 2022

Conversation

@hartwork
Contributor

@hartwork hartwork commented Jan 16, 2022

Motivation for this change

libexpat 2.4.3 with security fixes has been released; the upstream change log has more details.

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.05 Release Notes (or backporting 21.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@hartwork hartwork mentioned this pull request Jan 16, 2022
27 tasks
@ofborg ofborg bot added 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild on Darwin and must target a staging branch. 10.rebuild-linux-stdenv This PR causes stdenv to rebuild on Linux and must target a staging branch. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. labels Jan 16, 2022
@hartwork hartwork changed the base branch from master to staging January 17, 2022 02:00
@veprbl veprbl added 1.severity: security Issues which raise a security issue, or PRs that fix one backport staging-21.11 labels Jan 17, 2022
@veprbl veprbl mentioned this pull request Jan 17, 2022
vcunat referenced this pull request Jan 17, 2022
(cherry picked from commit 5400fb8)
@vcunat
Member

vcunat commented Jan 17, 2022

The security issues are not very urgent, I assume?

@hartwork
Contributor Author

> The security issues are not very urgent, I assume?

It depends on your threat model. I could argue for both sides — not to underestimate or not to over-panic. I cannot rule out that some of these may lead to more than denial of service (e.g. code execution), and some parties have assigned 8 out of 10. At the same time, I'm not aware of exploitability without large files, and exploits beyond DoS are not something I know of. There is one individual on Twitter who commented that one of these was a past zero-day of theirs, but I have not heard back from them on whether they got more than DoS out of it. @vcunat does that answer the question?

@vcunat
Member

vcunat commented Jan 17, 2022

Well perhaps. With the usual way through the staging branch and our current resources, I expect it can take even something like a month to get into nixos-unstable channel. (Stable 21.11 tends to iterate faster.)

@risicle
Contributor

risicle commented Jan 18, 2022

Think we should get this merged to staging ASAP and then consider if we do a forward-port. Staging will give us a chance to discover any show-stoppers.

@risicle
Contributor

risicle commented Jan 18, 2022

(have also successfully built python39 with this against master on macos 10.15, nixos x86_64 along with pkgsMusl and pkgsCross.aarch64-multiplatform variants)

@vcunat
Member

vcunat commented Jan 18, 2022

staging-next seems the only other realistic option, and the sooner, the fewer rebuilds we'd waste. It would get into nixos-unstable a couple of weeks sooner but push back other changes about one week later (or more if we decide later).

staging is the cheaper option, and the timing doesn't really matter, as long as the merge happens before the next iteration starts.

@vcunat vcunat merged commit f0c1c06 into NixOS:staging Jan 22, 2022
@github-actions
Contributor

Successfully created backport PR #156149 for staging-21.11.
