limesurvey: mark as insecure #111218
limesurvey: mark as insecure #111218
Conversation
dotlambda
added
1.severity: security
9.needs: port to stable
|
@dotlambda I'm under the impression this software hasn't really been maintained in nixpkgs for many years now... we might simply consider removing this package and the module 🤷♂️ I'm good either way. |
You're right, that's the cleaner solution. Let's wait for @davidak to chime in and tell us whether he plans to finish his work on upgraded limesurvey. |
|
I don't have time to upgrade or maintain it. It is the best free software for the task, so it would be valuable to keep it. In general, i don't like when we remove packages. Someone has put work into it. We should always try to find a new maintainer first. I think there aren't formal rules for that yet. I will try do find a new maintainer. |
There was a problem hiding this comment.
also visible here https://repology.org/project/limesurvey/cves?version=3.23.7%2B201006
pkgs/servers/limesurvey/default.nix
Outdated
| "CVE-2020-11455" | ||
| "CVE-2020-11456" |
There was a problem hiding this comment.
I am not against marking this package as insecure, but I am not clear on whether:
- These particlar CVEs are not fixed in the version that we currently have; our current version seems to be from the LTS branch after these CVEs;
- or whether the CVE bounds of Repology are too greedy (since they mark every version <= 4.1.11 vulnerable).
We should not put CVEs in this attribute that the current version is not vulnerable to.
There was a problem hiding this comment.
I think it was a topic in the last update issue that it is not really visible if it is vulnerable and we would have to ask the projects maintainers.
There was a problem hiding this comment.
We could write
knownVulnerabilities = [
"Unauthorized access to statistics of a survey with certain permission configurations"
"Persistent XSS in browse response"
];
I got this info from https://github.com/LimeSurvey/LimeSurvey/blob/3.x-LTS/docs/release_notes.txt.
There was a problem hiding this comment.
@dotlambda: Sounds good.
There was a problem hiding this comment.
I think it was a topic in the last update issue that it is not really visible if it is vulnerable and we would have to ask the projects maintainers.
Indeed, I tried to go through the commit history, but it's very hard to what is addressed both in the commit logs and in the release notes.
By keeping around packages that are unmaintained, we set the the wrong expectations and expose unknowing users to known vulnerabilities (which is at least solved by marking the package insecure). |
|
I think we have two sensible options:
|
dotlambda
force-pushed
the
limesurvey-insecure
branch
from
28d4b4f
to
ed5acb0
Compare
|
We should not keep around unmaintained, insecure or broken packages, but we should have a formal workflow to TRY to find a new maintainer. |
Let's mark it insecure until a new maintainer is found. I agree on needing a workflow. |
I guess asking on discourse whether anyone is using this could be a first step. |
If anyone needs the software, marking it as insecure will automatically make them step up and update it. |
dotlambda
force-pushed
the
limesurvey-insecure
branch
from
ed5acb0
to
a03847e
Compare
|
backport: #111291 |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/packages-looking-for-a-maintainer/5442/6 |
TredwellGit
added
8.has: port to stable
Motivation for this change
closes #101163
https://github.com/LimeSurvey/LimeSurvey/blob/3.x-LTS/docs/release_notes.txt lists many security fixes that our version is lacking.
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)cc @offlinehacker @davidak @aanderse