limesurvey: mark as insecure #111218
Conversation
@dotlambda I'm under the impression this software hasn't really been maintained in nixpkgs for many years now... we might simply consider removing this package and the module 🤷♂️ I'm good either way.
You're right, that's the cleaner solution. Let's wait for @davidak to chime in and tell us whether he plans to finish his work on upgraded limesurvey.
I don't have time to upgrade or maintain it. It is the best free software for the task, so it would be valuable to keep it. In general, I don't like it when we remove packages. Someone has put work into it. We should always try to find a new maintainer first. I think there aren't formal rules for that yet. I will try to find a new maintainer.
also visible here https://repology.org/project/limesurvey/cves?version=3.23.7%2B201006
pkgs/servers/limesurvey/default.nix (Outdated)
"CVE-2020-11455"
"CVE-2020-11456"
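Review bot: these two CVE ids are added to knownVulnerabilities without evidence that the packaged 3.23.7+201006 build from the 3.x-LTS branch is actually affected; Repology's range (every version <= 4.1.11) is an upper bound across branches, not a per-branch fix status. Either confirm against the upstream 3.x-LTS release notes before listing the ids, or list the release-note descriptions instead, since the attribute accepts free-form strings and then does not assert a mapping to specific CVEs.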
I am not against marking this package as insecure, but I am not clear on whether:
- These particular CVEs are not fixed in the version that we currently have; our current version seems to be from the LTS branch after these CVEs;
- or whether the CVE bounds of Repology are too greedy (since they mark every version <= 4.1.11 vulnerable).
We should not put CVEs in this attribute that the current version is not vulnerable to.
I think it was a topic in the last update issue that it is not really visible if it is vulnerable and we would have to ask the project's maintainers.
We could write

```nix
knownVulnerabilities = [
  "Unauthorized access to statistics of a survey with certain permission configurations"
  "Persistent XSS in browse response"
];
```

I got this info from https://github.com/LimeSurvey/LimeSurvey/blob/3.x-LTS/docs/release_notes.txt.
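For reference, here is how that suggestion sits inside a package's `meta` block and what it means for users; this is an added illustration, not code from the PR or from nixpkgs, and everything except the two vulnerability strings and the version (3.23.7+201006, as shown in the Repology link above) is an assumed placeholder rather than the real contents of pkgs/servers/limesurvey/default.nix.

```nix
# pkgs/servers/limesurvey/default.nix (illustrative excerpt; only the
# knownVulnerabilities strings and the version come from this PR thread)
{ lib, stdenv, fetchFromGitHub }:

stdenv.mkDerivation rec {
  pname = "limesurvey";
  version = "3.23.7+201006";   # version nixpkgs carried when this was filed

  src = fetchFromGitHub {
    owner = "LimeSurvey";
    repo = "LimeSurvey";
    rev = "<placeholder-rev>";         # not the real pin
    sha256 = "<placeholder-hash>";     # not the real hash
  };

  meta = with lib; {
    description = "Open source survey application";   # assumed wording
    homepage = "https://www.limesurvey.org";            # assumed
    # Any non-empty list makes nixpkgs refuse to evaluate the derivation
    # and print these entries. They are free-form text, so release-note
    # wording is safer than CVE ids that may not apply to the LTS branch.
    knownVulnerabilities = [
      "Unauthorized access to statistics of a survey with certain permission configurations"
      "Persistent XSS in browse response"
    ];
  };
}

# Effect for users: `nix-build -A limesurvey` aborts and prints the two
# strings above. Someone who consciously accepts the risk opts in with
#
#   nixpkgs.config.permittedInsecurePackages = [ "limesurvey-3.23.7+201006" ];
#
# (the entry is "${pname}-${version}"), or for a one-off build by setting
# NIXPKGS_ALLOW_INSECURE=1 in the environment of nix-build.
```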
@dotlambda: Sounds good.
I think it was a topic in the last update issue that it is not really visible if it is vulnerable and we would have to ask the project's maintainers.
Indeed, I tried to go through the commit history, but it's very hard to tell what is addressed, both in the commit logs and in the release notes.
By keeping around packages that are unmaintained, we set the wrong expectations and expose unknowing users to known vulnerabilities (which is at least solved by marking the package insecure).
I think we have two sensible options:
We should not keep around unmaintained, insecure or broken packages, but we should have a formal workflow to TRY to find a new maintainer.
Let's mark it insecure until a new maintainer is found. I agree on needing a workflow.
I guess asking on discourse whether anyone is using this could be a first step.
If anyone needs the software, marking it as insecure will automatically make them step up and update it.
backport: #111291
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/packages-looking-for-a-maintainer/5442/6
Motivation for this change
closes #101163
https://github.com/LimeSurvey/LimeSurvey/blob/3.x-LTS/docs/release_notes.txt lists many security fixes that our version is lacking.
cc @offlinehacker @davidak @aanderse