keepalived: 1.4.2 -> 1.4.5, patch CVE-2018-19115 #72278
Conversation
c0bw3b
added
1.severity: security
9.needs: port to stable
|
I think we should backport patch and version bump here. This is an old enough codebase, surely there is some bugfixes worth shipping in the release. Note that upstream calls for distros updating to 2.x on its homepage :
In our case it would also mean revamping the associated service module. Although it's not a highly complex service, it's probably best done by someone actually using it. |
|
Re: new maintainer - Absolutely - I was asking around on IRC and |
|
A start would be to have a nixos test for it so we can easily see if we're breaking the module. |
(cherry picked from commit 03d6145)
|
/cc @mbrgm, as I see several keepalived bumps from them. I know almost nothing about it; for now I just picked the patch to stables. If "you" feel like it, add more. |
(cherry picked from commit 03d6145)
|
It's quite some time since I used keepalived on NixOS... and back then, it was only in a test environment, no production usage. PR looks good to me... however, I currently don't have anything in place to properly test the behavior besides running the binary. As @risicle suggested, a NixOS test could prove quite valuable. |
TredwellGit
added
8.has: port to stable
Motivation for this change
Patches https://nvd.nist.gov/vuln/detail/CVE-2018-19115
Also bumped to last release of 1.4.x series. Why not the newer 2.x series? I have never used keepalived and this package has no maintainer listed, so I'm being conservative, not wanting to break anything...
Will probably backport the patch without the bump.
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nix-review --run "nix-review wip"./result/bin/)nix path-info -Sbefore and after)Notify maintainers
cc @