mbedtls: add patch for CVE-2019-16910 #71452

Closed


risicle (Contributor) commented Oct 20, 2019

Motivation for this change

https://nvd.nist.gov/vuln/detail/CVE-2019-16910

The real fix for this is bumping to >2.19.0, but attempting to bump to 2.19.1 causes a number of downstream build failures which look like they could take a bit of effort to fix.

The only downstream failures I get with this patch are those already failing for me on macOS.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @

fpletz (Member) commented Oct 21, 2019

That package shouldn't have been bumped past 2.16 because that's the current stable branch. Reverted the bump and bumped to 2.16.3 to fix this issue. Thanks for looking into this!

fpletz added a commit that referenced this pull request Oct 21, 2019
Fixes CVE-2019-16910. Fixes #71452.

(cherry picked from commit 360e57a)
fpletz added a commit that referenced this pull request Oct 21, 2019
This reverts commit ba3b9c0.

cc #60625 #71452

(cherry picked from commit bf2f1c8)
fpletz added a commit that referenced this pull request Oct 21, 2019
Fixes CVE-2019-16910. Fixes #71452.

(cherry picked from commit 360e57a)
peti pushed a commit that referenced this pull request Oct 21, 2019
peti pushed a commit that referenced this pull request Oct 21, 2019
dtzWill pushed a commit to dtzWill/nixpkgs that referenced this pull request Feb 19, 2020
This reverts commit ba3b9c0.

cc NixOS#60625 NixOS#71452

(cherry picked from commit bf2f1c8)
dtzWill pushed a commit to dtzWill/nixpkgs that referenced this pull request Feb 19, 2020
Fixes CVE-2019-16910. Fixes NixOS#71452.

(cherry picked from commit 360e57a)
3 participants