
[20.03] curl: 7.68.0 -> 7.70.0; apply patches for CVE-2020-8169 and CVE-2020-8177 #91408

Merged
merged 3 commits into from Jun 24, 2020

Conversation

mweinelt (Member)

Motivation for this change

Two security advisories were published today:

Master fixes them in #91399
@NinjaTrappeur tried applying the patches to 7.68.0, which did not work.

So I cherry-picked the bumps up to 7.70.0, a known good version that was used on master, and applied the patches there.

This additionally unblocks #86999, where a WolfSSL security bump was stuck because it required an API change to cURL.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

r-ryantm and others added 2 commits June 24, 2020 15:45
(cherry picked from commit e4df9d6)
(cherry picked from commit 9efd23e)
@mweinelt mweinelt changed the title [20.03] curl: 7-68.0 -> 7.70.0; apply patches for CVE-2020-8169 and CVE-2020-8177 [20.03] curl: 7.68.0 -> 7.70.0; apply patches for CVE-2020-8169 and CVE-2020-8177 Jun 24, 2020
@ofborg ofborg bot requested a review from lovek323 June 24, 2020 14:09
@picnoir picnoir (Member) left a comment

I just had a look at the changelog; I did not see any breaking change that could affect us.

LGTM.

Review comments on pkgs/tools/networking/curl/default.nix (resolved)
@vcunat vcunat (Member) left a comment

I looked at all non-bugfix changes in the range.

@vcunat vcunat merged commit aa5c726 into NixOS:staging-20.03 Jun 24, 2020
@mweinelt mweinelt deleted the 20.03/curl branch June 24, 2020 22:23
@mweinelt mweinelt mentioned this pull request Jun 24, 2020