libgit2_0_27: mark as insecure #111319

Merged
merged 1 commit into from Feb 7, 2021

dotlambda
Member

Motivation for this change

closes #90855

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

This affects julia_10 (cc @doronbehar @ninjin @rbvermaa) and gitin (cc @kimat)

@prusnak
Member

prusnak commented Jan 30, 2021

gitin should be updated to 0.2.5 - the latest stable version which supports go modules and does not require obsolete libgit2

Contributor

@taku0 taku0 left a comment

LGTM.

It is used by gitin and gitaly. I'm not sure the latest gitaly 13.8.1 works with newer libgit.

@taku0
Contributor

taku0 commented Jan 31, 2021

cc: @roblabla, @globin, @fpletz, @talyz

@dotlambda
Member Author

dotlambda commented Jan 31, 2021

> gitin should be updated to 0.2.5 - the latest stable version which supports go modules and does not require obsolete libgit2

Gitin 0.2.5 requires libgit2 1.0, but we have 1.1. Feel free to package the update yourself or file an upstream bug.

@dotlambda dotlambda merged commit f69fe44 into NixOS:master Feb 7, 2021
@dotlambda dotlambda deleted the libgit2_0_27-insecure branch February 7, 2021 09:39
dotlambda added a commit that referenced this pull request Feb 7, 2021
@dotlambda dotlambda added 8.has: port to stable A PR already has a backport to the stable release. and removed 9.needs: port to stable A PR needs a backport to the stable release. labels Feb 7, 2021
@FlorianFranzen
Contributor

This also affects julia (which is aliased to julia-lts and finally julia_10). Maybe it is time to alias julia to julia-stable instead.

@ghost

ghost commented May 22, 2021 via email

Successfully merging this pull request may close these issues.

Vulnerability roundup 85: libgit2-0.27.10: 2 advisories [9.8]