Skip to content

caprine-bin: 2.58.0 -> 2.58.3#257372

Merged
delroth merged 1 commit intoNixOS:masterfrom
ShamrockLee:caprine-bin-update-security
Sep 26, 2023
Merged

caprine-bin: 2.58.0 -> 2.58.3#257372
delroth merged 1 commit intoNixOS:masterfrom
ShamrockLee:caprine-bin-update-security

Conversation

@ShamrockLee
Copy link
Contributor

@ShamrockLee ShamrockLee commented Sep 26, 2023

Description of changes

Bump to patch for CVE-2023-4863

Vulnerability details:
https://github.com/advisories/GHSA-j7hp-h8jx-5pp

Upstream release notes:
https://github.com/sindresorhus/caprine/releases/tag/v2.58.2
https://github.com/sindresorhus/caprine/releases/tag/v2.58.3

This PR needs to be backported to 23.05.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@ofborg ofborg bot added 11.by: package-maintainer This PR was created by a maintainer of all the package it changes. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-darwin: 1 This PR causes 1 package to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-linux: 1 This PR causes 1 package to rebuild on Linux. labels Sep 26, 2023
@ShamrockLee
Copy link
Contributor Author

ShamrockLee commented Sep 26, 2023

Unfortunately, the Electron update made by the upstream renders the app unusable. See sindresorhus/caprine#2074.

@ShamrockLee ShamrockLee force-pushed the caprine-bin-update-security branch from cce35ae to 7fd3c0b Compare September 26, 2023 15:08
@ShamrockLee ShamrockLee changed the title caprine-bin: 2.58.0 -> 2.58.2 caprine-bin: 2.58.0 -> 2.58.3 Sep 26, 2023
@ShamrockLee ShamrockLee force-pushed the caprine-bin-update-security branch from 7fd3c0b to 07107cf Compare September 26, 2023 15:13
@ShamrockLee ShamrockLee marked this pull request as ready for review September 26, 2023 15:20
@ShamrockLee
Copy link
Contributor Author

ShamrockLee commented Sep 26, 2023

The above issue is addressed in 2.58.3.

This PR contains an emergency security update. Please help test it if you're available, and update caprine-bin to this version ASAP.

Cc: @n3oney @khaneliman

@n3oney
Copy link
Contributor

n3oney commented Sep 26, 2023

lgtm

@delroth delroth added 1.severity: security Issues which raise a security issue, or PRs that fix one backport release-23.05 labels Sep 26, 2023
Copy link
Contributor

@delroth delroth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Diff LGTM, didn't test running the app.

@delroth
Copy link
Contributor

delroth commented Sep 26, 2023

lgtm

FYI it's better to use the GitHub review feature and explicitly mark as approved - it helps automation set the right labels for the PR and gives it better visibility (for example, it would show this one as "approved by package maintainer").

@delroth delroth merged commit 50dad20 into NixOS:master Sep 26, 2023
@github-actions
Copy link
Contributor

Backport failed for release-23.05, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally.

git fetch origin release-23.05
git worktree add -d .worktree/backport-257372-to-release-23.05 origin/release-23.05
cd .worktree/backport-257372-to-release-23.05
git checkout -b backport-257372-to-release-23.05
ancref=$(git merge-base b95afaec5a602daa50888c2213e0a11566256f87 07107cfb1fbcc2c28952b35bd7d0cb3360c6e8e2)
git cherry-pick -x $ancref..07107cfb1fbcc2c28952b35bd7d0cb3360c6e8e2

@delroth
Copy link
Contributor

delroth commented Sep 26, 2023

This needs a manual backport since the version on 23.05 wasn't kept up to date. @ShamrockLee can you also take care of this? Thanks!

@ShamrockLee ShamrockLee deleted the caprine-bin-update-security branch September 26, 2023 17:03
@ShamrockLee
Copy link
Contributor Author

@delroth It's at #257472.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

1.severity: security Issues which raise a security issue, or PRs that fix one 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-darwin: 1 This PR causes 1 package to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-linux: 1 This PR causes 1 package to rebuild on Linux. 11.by: package-maintainer This PR was created by a maintainer of all the package it changes.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants