weechat: 2.7 -> 2.7.1 #80672
Release notes:
- irc: fix crash when receiving a malformed message 352 (who)
- irc: fix crash when a new message 005 is received with longer nick prefixes
- irc: fix crash when receiving a malformed message 324 (channel mode) (CVE-2020-8955)
Built and tested. All fine for me.
Security fixes should be backported to release-19.09
@mweinelt Yes I saw that after finishing my review 😅 We should probably check if it is possible to backport security fixes to 2.6 on
Unless upstream provides security fixes for the older version we should try to avoid maintaining custom patch sets. Those will likely be incomplete since we lack the complete picture. I think that has also been done in the past unless there was some real breakage that wouldn't be acceptable. In the past weechat upgrades weren't that intrusive but only the changelog / git log can tell that.
There is no branch for the 2.6 release, so I don't think they're patching older versions.
I was just checking if the commits they refer to (https://weechat.org/doc/security/) are trivially applicable (they are not). Then no problem porting the update to 19.09!
Just make sure to mention those CVEs in the backports. Makes it easier to discover. I'd also like them in the commit messages for each of the changes. Git log will be forever. GitHub might go away :-)
The one CVE is part of the commit message, here and in the backports.
Motivation for this change
https://github.com/weechat/weechat/releases/tag/v2.7.1
@andir @flokli @lovek323 @the-kenny @lheckemann @Ma27