opensmtpd: 6.7.1p1 -> 6.8.0p2 #109628

Merged
merged 1 commit into from Jan 17, 2021

Conversation

LeSuisse
Contributor

Motivation for this change

The 6.8.0p2 release includes the fixes for CVE-2020-35679 and CVE-2020-35680.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@SuperSandro2000
Member

This is a semi-automatically executed nixpkgs-review which does not build all packages (e.g. lumo, tensorflow or pytorch).
If you find some bugs or have suggestions for further things to search or run, please reach out to SuperSandro2000 on IRC.

Result of nixpkgs-review pr 109628 run on x86_64-linux

1 package built:
  • opensmtpd

@SuperSandro2000
Member

Does that require a port to stable?

@SuperSandro2000 SuperSandro2000 merged commit 641f22e into NixOS:master Jan 17, 2021
@LeSuisse LeSuisse deleted the opensmtpd-6.8.0p2 branch January 19, 2021 12:30
@Ekleog
Member

Ekleog commented Jan 20, 2021

The CVEs look to me like, while they may be problematic in certain limited scenarios, they are not worth the backwards-compatibility breakage of backporting the update to stable wholesale (OpenSMTPD regularly changes behavior in point releases, though in this specific case I can't say for sure that it did).

So overall I'd say if someone can make the effort of figuring out which patches to use to fix just the CVEs it'd definitely be worth a merge, but backporting the whole update sounds like a negative to me, though a tiny one as they are still CVEs. (My opinion being based on the fact that they appear to “only” be DoS vulns that trigger only on some specific non-default configurations)

@LeSuisse LeSuisse added the "8.has: port to stable" label (A PR already has a backport to the stable release.) Jan 21, 2021